I am running a small Terraform script to build an infra [testing purpose], and when I run the apply command, it creates 2 different security groups.
```hcl
terraform { # Setting up with the provider as AWS
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region                   = "ap-south-1"                           # Set your desired AWS region
  shared_config_files      = ["/home/terraform/.aws/config"]        # IAM user access key
  shared_credentials_files = ["/home/terraform/.aws/credentials"]   # IAM user secret access key
}

resource "aws_vpc" "Terraform_VPC" { # Creating a new VPC and updating a CIDR block.
  cidr_block = "10.0.0.0/16"
  tags = {
    Name = "Terraform_VPC"
  }
}

# 4. Creating a Subnet # Creating a Subnet using the above VPC and updating a CIDR block.
resource "aws_subnet" "Subnet_Terraform_VPC" {
  vpc_id     = aws_vpc.Terraform_VPC.id
  cidr_block = "10.0.0.0/16"
  #availability_zone = "ap-south-1a"
  tags = {
    Name = "Subnet_Terraform_VPC"
  }
}

# 6. Create a Security Group to allow ports: 22, 80, 443 # Creating a Security group with the basic inbound rules.
resource "aws_security_group" "Security_grp" {
  name        = "MySecurityGroup"
  description = "Allowing HTTP and HTTPS traffic rules only"
  vpc_id      = aws_vpc.Terraform_VPC.id
}
```
I do not want 2 different security groups to be created, so how can I avoid this, or does the code or the script I have written need to be altered? Please help.

This is the outcome of the apply command, just in case you want to review it.
```text
aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4: Refreshing state... [id=sgr-0bc100ed982b45496]
aws_vpc.Terraform_VPC: Refreshing state... [id=vpc-0dfc04fc2d8387e2f]
aws_security_group.Security_grp: Refreshing state... [id=sg-04ceaa545798c4fe3]
aws_subnet.Subnet_Terraform_VPC: Refreshing state... [id=subnet-0c3a158bca10e1565]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # aws_vpc.Terraform_VPC has been deleted
  - resource "aws_vpc" "Terraform_VPC" {
      - id         = "vpc-0dfc04fc2d8387e2f" -> null
        tags       = {
            "Name" = "Terraform_VPC"
        }
        # (15 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

──────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_security_group.Security_grp will be created
  + resource "aws_security_group" "Security_grp" {
      + arn                    = (known after apply)
      + description            = "Allowing HTTP and HTTPS traffic rules only"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "MySecurityGroup"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags_all               = (known after apply)
      + vpc_id                 = (known after apply)
    }

  # aws_subnet.Subnet_Terraform_VPC will be created
  + resource "aws_subnet" "Subnet_Terraform_VPC" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = (known after apply)
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.0.0.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "Subnet_Terraform_VPC"
        }
      + tags_all                                       = {
          + "Name" = "Subnet_Terraform_VPC"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_vpc.Terraform_VPC will be created
  + resource "aws_vpc" "Terraform_VPC" {
      + arn                                  = (known after apply)
      + cidr_block                           = "10.0.0.0/16"
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = (known after apply)
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags                                 = {
          + "Name" = "Terraform_VPC"
        }
      + tags_all                             = {
          + "Name" = "Terraform_VPC"
        }
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_vpc.Terraform_VPC: Creating...
aws_vpc.Terraform_VPC: Creation complete after 1s [id=vpc-0d528d4b00fea8a9c]
aws_subnet.Subnet_Terraform_VPC: Creating...
aws_security_group.Security_grp: Creating...
aws_subnet.Subnet_Terraform_VPC: Creation complete after 1s [id=subnet-07d89893b462c9448]
aws_security_group.Security_grp: Creation complete after 2s [id=sg-019cfcfa02dd2d1ab]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
```
That second security group, with the name "default", is the default security group that comes with your VPC, as documented here. It was created when you created the new VPC.

Per the answers to this question, there isn't much you can do to prevent that from being created. You can however use the `aws_default_security_group` resource to remove all the rules from the default security group if you want to do that for security reasons.
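The following is an added example, not code from the question or the answer above. It shows the two halves of the approach the answer describes: adopting the VPC's default security group with `aws_default_security_group` and stripping every rule from it, and giving the explicit `Security_grp` the port 22/80/443 rules that the question's comment mentions but its resource never defines, using the provider's `aws_vpc_security_group_ingress_rule` and `aws_vpc_security_group_egress_rule` resources (the egress rule name `allow_all_traffic_ipv4` is taken from the question's apply output). The VPC and resource names reuse the question's; the `allowed_ssh_cidr` variable and its default are assumptions for illustration.

```hcl
# Added example (not from the question or the answer). Resource names reuse
# those in the question; the "allowed_ssh_cidr" variable is an assumption.

variable "allowed_ssh_cidr" {
  description = "Range allowed to reach port 22 (assumed value; narrow it to your own address range)"
  type        = string
  default     = "10.0.0.0/16"
}

# Adopt the VPC's default security group into Terraform state and remove all
# of its rules. AWS creates this group with every VPC and it cannot be deleted,
# but with no ingress and no egress rules it carries no traffic if something is
# launched into it by mistake. Declaring no ingress/egress blocks is what makes
# the provider revoke every existing rule.
resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.Terraform_VPC.id

  tags = {
    Name = "default-locked-down"
  }
}

# The explicit group from the question (replaces its Security_grp resource).
# Rules live in separate resources below, so each has its own ID and plan entry.
resource "aws_security_group" "Security_grp" {
  name        = "MySecurityGroup"
  description = "Allow SSH, HTTP and HTTPS"
  vpc_id      = aws_vpc.Terraform_VPC.id

  tags = {
    Name = "MySecurityGroup"
  }
}

# SSH only from the allow-listed range, never from 0.0.0.0/0.
resource "aws_vpc_security_group_ingress_rule" "ssh" {
  security_group_id = aws_security_group.Security_grp.id
  description       = "SSH from allow-listed range"
  cidr_ipv4         = var.allowed_ssh_cidr
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
}

resource "aws_vpc_security_group_ingress_rule" "http" {
  security_group_id = aws_security_group.Security_grp.id
  description       = "HTTP"
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
}

resource "aws_vpc_security_group_ingress_rule" "https" {
  security_group_id = aws_security_group.Security_grp.id
  description       = "HTTPS"
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# Outbound: all protocols. With ip_protocol = "-1" the port attributes must be
# omitted, which is why none are set here.
resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
  security_group_id = aws_security_group.Security_grp.id
  description       = "All outbound IPv4"
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
```

On the next `terraform plan`, the default group shows up as an in-place update of `aws_default_security_group.default` rather than a create, since it already exists; the plan lists the existing rules it will remove. After apply, two groups still exist in the VPC (the unavoidable "default" one and `MySecurityGroup`), but only the explicit group carries rules, and the default one is in state where any drift to it is reported as a change outside of Terraform, like the VPC deletion in the question's output.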