AWS Security Group Terraform module

June 3, 2026 · View on GitHub

Terraform module which creates EC2 security group within VPC on AWS.

Usage

Root module

module "security_group" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "example"
  description = "Example security group"
  vpc_id      = "vpc-12345678"

  ingress_rules = {
    https = {
      from_port   = 443
      ip_protocol = "tcp"
      cidr_ipv4   = "10.0.0.0/16"
      description = "HTTPS from internal"
    }
    self-all = {
      ip_protocol                  = "-1"
      referenced_security_group_id = "self"
      description                  = "All traffic from members of this SG"
    }
  }

  egress_rules = {
    all = {
      ip_protocol = "-1"
      cidr_ipv4   = "0.0.0.0/0"
    }
  }

  tags = {
    Environment = "dev"
  }
}

Preset submodule

Each preset submodule under modules/ ships a curated set of ingress rules for a specific service (PostgreSQL, Consul, Cassandra, etc.). Use one when a security group serves a single service.

module "postgresql_security_group" {
  source = "terraform-aws-modules/security-group/aws//modules/postgresql"

  name        = "postgresql"
  description = "PostgreSQL access"
  vpc_id      = "vpc-12345678"

  ingress_cidr_ipv4 = {
    vpc  = "10.0.0.0/16"
    peer = "172.16.0.0/12"
  }
}

Examples

Complete - Comprehensive example demonstrating the full module surface

To allow traffic between members of the security group created by this module, set referenced_security_group_id = "self" on the rule. The sentinel is rewritten to the security group's own id at apply time:

ingress_rules = {
  self-all = {
    ip_protocol                  = "-1"
    referenced_security_group_id = "self"
    description                  = "All traffic from members of this SG"
  }
}

`use_name_prefix` and the create-before-destroy lifecycle

The security group resource sets lifecycle { create_before_destroy = true } so replacements happen without dropping traffic. When use_name_prefix = false (i.e. you pin a static name), any change that forces replacement will fail because AWS cannot create a second security group with the same name in the same VPC. Either:

keep use_name_prefix = true (default), or
change name along with the replacement.

Requirements

Name	Version
terraform	>= 1.5.7
aws	>= 6.29

Providers

Name	Version
aws	>= 6.29

Modules

No modules.

Resources

Name	Type
aws_security_group.this	resource
aws_vpc_security_group_egress_rule.this	resource
aws_vpc_security_group_ingress_rule.this	resource
aws_vpc_security_group_rules_exclusive.this	resource
aws_vpc_security_group_vpc_association.this	resource

Inputs

Name	Description	Type	Default	Required
create	Controls if resources should be created (affects nearly all resources)	`bool`	`true`	no
description	Description of security group	`string`	`null`	no
egress_rules	Map of egress rules to add to the security group	map(object({ name = optional(string) cidr_ipv4 = optional(string) cidr_ipv6 = optional(string) description = optional(string) from_port = optional(number) ip_protocol = optional(string, "tcp") prefix_list_id = optional(string) referenced_security_group_id = optional(string) tags = optional(map(string), {}) to_port = optional(number) }))	`{}`	no
enable_exclusive_rules	Whether to enforce that only the rules declared by this module exist on the security group. When true, out-of-band rules added via the AWS console or other Terraform configurations will be reverted on next apply	`bool`	`true`	no
ingress_rules	Map of ingress rules to add to the security group	map(object({ name = optional(string) cidr_ipv4 = optional(string) cidr_ipv6 = optional(string) description = optional(string) from_port = optional(number) ip_protocol = optional(string, "tcp") prefix_list_id = optional(string) referenced_security_group_id = optional(string) tags = optional(map(string), {}) to_port = optional(number) }))	`{}`	no
name	Name of security group	`string`	`""`	no
putin_khuylo	Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!	`bool`	`true`	no
region	Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration	`string`	`null`	no
revoke_rules_on_delete	Instruct Terraform to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself	`bool`	`false`	no
tags	A map of tags to add to all resources	`map(string)`	`{}`	no
timeouts	Create and delete timeout configurations for the security group	object({ create = optional(string) delete = optional(string) })	`null`	no
use_name_prefix	Whether to use the name (`name`) as a prefix, appending a random suffix	`bool`	`true`	no
vpc_associations	Map of VPC IDs to associate the security group to	map(object({ vpc_id = string }))	`{}`	no
vpc_id	ID of the VPC where the security group is created	`string`	`null`	no

Outputs

Name	Description
arn	The ARN of the security group
id	The ID of the security group
name	The name of the security group
owner_id	The owner ID
vpc_id	The VPC ID

Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
Putin khuylo!