A Yandex project
© 2025 ТОО «Облачные Сервисы Казахстан» (Cloud Services Kazakhstan LLP)
yandex_vpc_security_group (Resource)

Article created by Yandex Cloud
Updated October 9, 2025
Manages a Security Group within the Yandex Cloud. For more information, see the official documentation on security groups and on the default security group.

Important

This resource manages regular security groups that Terraform creates and deletes. The default security group is different: when a network is created, a non-removable security group, called the default security group, is automatically attached to it. Its lifetime cannot be controlled, so it is handled by the separate resource yandex_vpc_default_security_group, which does not create or delete any security group but only takes or releases control of the existing default one.

Important

When Terraform takes over management of the default security group (through yandex_vpc_default_security_group), it deletes everything in it (including all security group rules) and replaces it with the specified configuration. When Terraform drops management (i.e. when the resource is removed from the state file and the configuration), the security group stays in the state it had at that moment; nothing is restored.

Important

Duplicating a resource (specifying the same network_id for two different default security group resources) causes errors at the apply stage of your configuration.

Example Usage

//
// Create a new VPC Security Group.
//
resource "yandex_vpc_security_group" "sg1" {
  name        = "My security group"
  description = "description for my security group"
  network_id  = yandex_vpc_network.lab-net.id

  labels = {
    my-label = "my-label-value"
  }

  // Inbound: TCP on a single port (8080), and only from two private subnets.
  ingress {
    protocol       = "TCP"
    description    = "rule1 description"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    port           = 8080
  }

  // Outbound: any protocol, but restricted to the port range 8090-8099
  // and to the same two subnets (from_port/to_port instead of port).
  egress {
    protocol       = "ANY"
    description    = "rule2 description"
    v4_cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
    from_port      = 8090
    to_port        = 8099
  }

  // Outbound: UDP 8090-8099 to a single subnet. This rule is narrower than,
  // and fully contained in, the ANY rule above; it is kept to show a UDP range.
  egress {
    protocol       = "UDP"
    description    = "rule3 description"
    v4_cidr_blocks = ["10.0.1.0/24"]
    from_port      = 8090
    to_port        = 8099
  }
}

// Auxiliary resources: the network the security group belongs to.
resource "yandex_vpc_network" "lab-net" {
  name = "lab-network"
}

Schema

Required

  • network_id (String) ID of the network this security group belongs to.

Optional

  • description (String) The resource description.
  • egress (Block Set) A list of egress rules. (see below for nested schema)
  • folder_id (String) The folder identifier that resource belongs to. If it is not provided, the default provider folder-id is used.
  • ingress (Block Set) A list of ingress rules. (see below for nested schema)
  • labels (Map of String) A set of key/value label pairs which assigned to resource.
  • name (String) The resource name.
  • timeouts (Block, Optional) (see below for nested schema)

Read-Only

  • created_at (String) The creation timestamp of the resource.
  • id (String) The ID of this resource.
  • status (String) Status of this security group.

Nested Schema for egress

Required:

  • protocol (String) One of ANY, TCP, UDP, ICMP, IPV6_ICMP.

Optional:

  • description (String) Description of the rule.
  • from_port (Number) Minimum port number.
  • labels (Map of String) Labels to assign to this rule.
  • port (Number) Port number, for a rule that applies to a single port (use from_port and to_port for a range).
  • predefined_target (String) Special-purpose targets. self_security_group refers to this particular security group. loadbalancer_healthchecks represents loadbalancer health check nodes.
  • security_group_id (String) Target security group ID for this rule.
  • to_port (Number) Maximum port number.
  • v4_cidr_blocks (List of String) The blocks of IPv4 addresses for this rule.
  • v6_cidr_blocks (List of String) The blocks of IPv6 addresses for this rule. The v6_cidr_blocks argument is currently not supported; it will be available in the future.

Read-Only:

  • id (String) The resource identifier.

Nested Schema for ingress

Required:

  • protocol (String) One of ANY, TCP, UDP, ICMP, IPV6_ICMP.

Optional:

  • description (String) Description of the rule.
  • from_port (Number) Minimum port number.
  • labels (Map of String) Labels to assign to this rule.
  • port (Number) Port number, for a rule that applies to a single port (use from_port and to_port for a range).
  • predefined_target (String) Special-purpose targets. self_security_group refers to this particular security group. loadbalancer_healthchecks represents loadbalancer health check nodes.
  • security_group_id (String) Target security group ID for this rule.
  • to_port (Number) Maximum port number.
  • v4_cidr_blocks (List of String) The blocks of IPv4 addresses for this rule.
  • v6_cidr_blocks (List of String) The blocks of IPv6 addresses for this rule. The v6_cidr_blocks argument is currently not supported; it will be available in the future.

Read-Only:

  • id (String) The resource identifier.

Nested Schema for timeouts

Optional:

  • create (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
  • delete (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
  • update (String) A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
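The rule schema above lists three ways to name the other end of a rule (v4_cidr_blocks, security_group_id, predefined_target) and two ways to name ports (port, or from_port/to_port). The following two-tier configuration, written for this page as an added example and not taken from the provider's own documentation, shows them together in a least-privilege layout: only the edge group accepts traffic from the Internet, the application group admits its service port solely from members of the edge group (security_group_id), health-check probes and intra-tier traffic use the two predefined targets, and egress is confined to the private address plan. The resource names, ports, labels and CIDR ranges (10.10.1.0/24 for the application subnet, 10.0.0.0/8 for the private plan) are assumptions for the example.

```hcl
// Network shared by both tiers (name is an assumption for this example).
resource "yandex_vpc_network" "app_net" {
  name = "app-network"
}

// Edge tier: the only group that accepts traffic from the Internet.
resource "yandex_vpc_security_group" "edge" {
  name        = "edge-sg"
  description = "Internet-facing tier: HTTPS in, application port out"
  network_id  = yandex_vpc_network.app_net.id

  labels = {
    tier = "edge"
  }

  // The single deliberately open ingress rule: HTTPS from anywhere.
  ingress {
    protocol       = "TCP"
    description    = "HTTPS from the Internet"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 443
  }

  // Health-check probes originate from the load balancer's own nodes, not
  // from a fixed CIDR, so they are admitted through the predefined target.
  ingress {
    protocol          = "TCP"
    description       = "Load balancer health checks"
    predefined_target = "loadbalancer_healthchecks"
    port              = 30080
  }

  // Egress only to the application subnet (assumed 10.10.1.0/24) on the
  // service port. A CIDR is used here rather than the app group's ID so that
  // the two groups do not reference each other (see the note below).
  egress {
    protocol       = "TCP"
    description    = "To application tier service port"
    v4_cidr_blocks = ["10.10.1.0/24"]
    port           = 8080
  }
}

// Application tier: no direct Internet ingress at all.
resource "yandex_vpc_security_group" "app" {
  name        = "app-sg"
  description = "Application tier: reachable only from the edge tier and itself"
  network_id  = yandex_vpc_network.app_net.id

  labels = {
    tier = "app"
  }

  // Service port, only from instances attached to the edge group.
  ingress {
    protocol          = "TCP"
    description       = "Service port from edge tier"
    security_group_id = yandex_vpc_security_group.edge.id
    port              = 8080
  }

  // Traffic between members of this same group (e.g. replication) on a range.
  ingress {
    protocol          = "TCP"
    description       = "Intra-tier traffic"
    predefined_target = "self_security_group"
    from_port         = 7000
    to_port           = 7001
  }

  // ICMP carries no ports; limit it to the private address plan.
  ingress {
    protocol       = "ICMP"
    description    = "ICMP from private ranges for diagnostics"
    v4_cidr_blocks = ["10.0.0.0/8"]
  }

  // Outbound: DNS and HTTPS to the private range only. There is no
  // catch-all ANY egress, so anything else is dropped.
  egress {
    protocol       = "UDP"
    description    = "DNS to internal resolvers"
    v4_cidr_blocks = ["10.0.0.0/8"]
    port           = 53
  }

  egress {
    protocol       = "TCP"
    description    = "HTTPS to internal services"
    v4_cidr_blocks = ["10.0.0.0/8"]
    port           = 443
  }

  timeouts {
    create = "5m"
    update = "5m"
    delete = "5m"
  }
}
```

Two points a reviewer would check in a configuration like this. First, the security_group_id reference runs in one direction only (app admits edge); if the edge group's egress rule had referenced the app group's ID as well, the two resources would depend on each other and Terraform would refuse the plan with a dependency cycle, which is the situation the separate yandex_vpc_security_group_rule resource is meant for. Second, because ingress and egress are block sets, the absence of an egress block with protocol ANY and 0.0.0.0/0 is what makes the egress restrictions effective; a single broad rule added later would silently widen both tiers.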

Import

The resource can be imported using its resource ID. To get the resource ID, use the Yandex Cloud web console or the YC CLI.

# terraform import yandex_vpc_security_group.<resource Name> <resource Id>
terraform import yandex_vpc_security_group.sg1 enphq**********cjsw4
