yandex_vpc_default_security_group (Resource)
Manages a Default Security Group within the Yandex Cloud. For more information, see the official documentation of security group or default security group.
Warning
This resource is not intended for managing security group in general case. To manage normal security group use yandex_vpc_security_group
When network is created, a non-removable security group, called a default security group, is automatically attached to it. Life time of default security group cannot be controlled, so in fact the resource yandex_vpc_default_security_group does not create or delete any security groups, instead it simply takes or releases control of the default security group.
Warning
When Terraform takes over management of the default security group, it deletes all info in it (including security group rules) and replace it with specified configuration. When Terraform drops the management (i.e. when resource is deleted from statefile and management), the state of the security group remains the same as it was before the deletion.
Warning
Duplicating a resource (specifying same network_id for two different default security groups) will cause errors in the apply stage of your's configuration.
Example usage
//
// Update rules in Default Security Group.
//
resource "yandex_vpc_default_security_group" "default-sg" {
description = "description for default security group"
network_id = yandex_vpc_network.lab-net.id
labels = {
my-label = "my-label-value"
}
ingress {
protocol = "TCP"
description = "rule1 description"
v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
port = 8080
}
egress {
protocol = "ANY"
description = "rule2 description"
v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
from_port = 8090
to_port = 8099
}
egress {
protocol = "UDP"
description = "rule3 description"
v4_cidr_blocks = ["10.0.1.0/24"]
from_port = 8090
to_port = 8099
}
}
// Auxiliary resources
resource "yandex_vpc_network" "lab-net" {
name = "lab-network"
}
Schema
Required
network_id(String) ID of the network this security group belongs to.
Optional
description(String) The resource description.egress(Block Set) A list of egress rules. (see below for nested schema)folder_id(String) The folder identifier that resource belongs to. If it is not provided, the default providerfolder-idis used.ingress(Block Set) A list of ingress rules. (see below for nested schema)labels(Map of String) A set of key/value label pairs which assigned to resource.timeouts(Block, Optional) (see below for nested schema)
Read-Only
created_at(String) The creation timestamp of the resource.id(String) The ID of this resource.name(String) The resource name. Cannot be updated.status(String) Status of this security group.
Nested Schema for egress
Required:
protocol(String) One ofANY,TCP,UDP,ICMP,IPV6_ICMP.
Optional:
description(String) Description of the rule.from_port(Number) Minimum port number.labels(Map of String) Labels to assign to this rule.port(Number) Port number (if applied to a single port).predefined_target(String) Special-purpose targets.self_security_grouprefers to this particular security group.loadbalancer_healthchecksrepresents loadbalancer health check nodes.security_group_id(String) Target security group ID for this rule.to_port(Number) Maximum port number.v4_cidr_blocks(List of String) The blocks of IPv4 addresses for this rule.v6_cidr_blocks(List of String) The blocks of IPv6 addresses for this rule.v6_cidr_blocksargument is currently not supported. It will be available in the future.
Read-Only:
id(String) The resource identifier.
Nested Schema for ingress
Required:
protocol(String) One ofANY,TCP,UDP,ICMP,IPV6_ICMP.
Optional:
description(String) Description of the rule.from_port(Number) Minimum port number.labels(Map of String) Labels to assign to this rule.port(Number) Port number (if applied to a single port).predefined_target(String) Special-purpose targets.self_security_grouprefers to this particular security group.loadbalancer_healthchecksrepresents loadbalancer health check nodes.security_group_id(String) Target security group ID for this rule.to_port(Number) Maximum port number.v4_cidr_blocks(List of String) The blocks of IPv4 addresses for this rule.v6_cidr_blocks(List of String) The blocks of IPv6 addresses for this rule.v6_cidr_blocksargument is currently not supported. It will be available in the future.
Read-Only:
id(String) The resource identifier.
Nested Schema for timeouts
Optional:
create(String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).delete(String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.read(String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Read operations occur during any refresh or planning operation when refresh is enabled.update(String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
Import
The resource can be imported by using their resource ID. For getting the resource ID you can use Yandex Cloud Web Console or YC CLI.
# terraform import yandex_vpc_default_security_group.<resource Name> <resource Id>
terraform import yandex_vpc_default_security_group.default-sg ...