Document Egress+VPC change, update link

hashicorp · May 1, 2015 · 48fc0cd · 48fc0cd
1 parent e66a5f8
commit 48fc0cd
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/builtin/providers/aws/resource_aws_security_group.go b/builtin/providers/aws/resource_aws_security_group.go
@@ -150,7 +150,7 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 
  if v := d.Get("vpc_id"); v != nil {
  if len(d.Get("egress").(*schema.Set).List()) == 0 {
- return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See https://terraform.io/why.html")
+ return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See http://localhost:4567/docs/providers/aws/r/security_group.html for more information.")
  }
 
  securityGroupOpts.VPCID = aws.String(v.(string))

diff --git a/website/source/docs/providers/aws/r/security_group.html.markdown b/website/source/docs/providers/aws/r/security_group.html.markdown
@@ -63,9 +63,8 @@ The following arguments are supported:
 * `description` - (Required) The security group description.
 * `ingress` - (Optional) Can be specified multiple times for each
  ingress rule. Each ingress block supports fields documented below.
-* `egress` - (Optional) Can be specified multiple times for each
+* `egress` - (Required, VPC only) Can be specified multiple times for each
  egress rule. Each egress block supports fields documented below.
- VPC only.
 * `vpc_id` - (Optional) The VPC ID.
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 
@@ -93,6 +92,20 @@ The `egress` block supports:
  a source to this egress rule.
 * `to_port` - (Required) The end range port.
 
+~> **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a
+new Security Group inside of a VPC. When creating a new Security
+Group inside a VPC, **Terraform will remove this default rule**, and require you
+specifically re-create it if you desire that rule. We feel this leads to fewer
+surprises in terms of controlling your egress rules. If you desire this rule to
+be in place, you can use this `egress` block:
+
+ egress {
+  from_port = 0
+  to_port = 0
+  protocol = "-1"
+  cidr_block = "0.0.0.0/0"
+ }
+
 ## Attributes Reference
 
 The following attributes are exported: