How to destroy rules in a Terraform managed default security group?

3
votes

When Terraform adopts ownership of the default security group in a VPC, it will delete all current rules and add any that are specified in the default_security_group resource. However, when you "destroy" the resource, it does not delete the rules it added to the default security group. I understand that it won't delete the default security group, but I expected it to delete the rules that it added. Is there a straightforward way to delete those rules?

My current workaround is to have a separate module that contains an empty default_security_group resource. I build that right before running destroy and that build removes the rules. Is there a better way?

2
terraformterraform-provider-aws

2 Answers

1
votes

What do you mean with "adopts the ownership"? Do you import the default security group into your state file?

If yes, maybe you should handle the default security group with a data source instead of a resource:

data "aws_security_group" "default" {
  name = "default"
}

You can get the ID of the default security group by using "${data.aws_security_group.default.vpc_id}". Now just add the rules, which could be destroyed without touching the security group itself.

0
votes

The docs don't currently state this, but you can import a default security group using:

terraform import aws_default_security_group.california sg-<id>

I discovered this when moving resources from one solution to another, and forgetting to use terraform state rm to remove the resource from the initial codebase :)

You should then be able to edit the resource as usual.