diff --git a/builtin/providers/aws/resource_aws_security_group.go b/builtin/providers/aws/resource_aws_security_group.go
index 0b1434f84471..498efc1f9358 100644
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@@ -150,7 +150,7 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 if v := d.Get("vpc_id"); v != nil {
 if len(d.Get("egress").(*schema.Set).List()) == 0 {
- return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See https://terraform.io/why.html")
+ return fmt.Errorf("Error creating Security Group: Security groups inside a VPC require an egress rule. See http://localhost:4567/docs/providers/aws/r/security_group.html for more information.")
 }
 securityGroupOpts.VPCID = aws.String(v.(string))
diff --git a/website/source/docs/providers/aws/r/security_group.html.markdown b/website/source/docs/providers/aws/r/security_group.html.markdown
index e1db4b1d9dfc..f5ffb85855e0 100644
--- a/website/source/docs/providers/aws/r/security_group.html.markdown
+++ b/website/source/docs/providers/aws/r/security_group.html.markdown
@@ -63,9 +63,8 @@ The following arguments are supported:
 * `description` - (Required) The security group description.
 * `ingress` - (Optional) Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below.
-* `egress` - (Optional) Can be specified multiple times for each
+* `egress` - (Required, VPC only) Can be specified multiple times for each
 egress rule. Each egress block supports fields documented below.
- VPC only.
 * `vpc_id` - (Optional) The VPC ID.
 * `tags` - (Optional) A mapping of tags to assign to the resource.
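Review bot: The new error text on the `+` line sends users to `http://localhost:4567/docs/providers/aws/r/security_group.html`, a local dev-server address that will not resolve for anyone actually running the provider, so the message should reference the published documentation instead, e.g. `See <PUBLISHED-DOCS-BASE-URL>/docs/providers/aws/r/security_group.html for more information.` with the base URL taken from the project's website configuration. Embedding the full link inside the format string also means the path can silently drift from the docs tree; a package-level constant holding the docs link would keep it in one place and make the next site move a one-line change. resourceAwsSecurityGroupCreate starts and ends outside this hunk.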
@@ -93,6 +92,20 @@ The `egress` block supports:
 a source to this egress rule.
 * `to_port` - (Required) The end range port.
+~> **NOTE on Egress rules:** By default, AWS creates an `ALLOW ALL` egress rule when creating a
+new Security Group inside of a VPC. When creating a new Security
+Group inside a VPC, **Terraform will remove this default rule**, and require you
+specifically re-create it if you desire that rule. We feel this leads to fewer
+surprises in terms of controlling your egress rules. If you desire this rule to
+be in place, you can use this `egress` block:
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ }
+
 ## Attributes Reference
 The following attributes are exported: