Using the aws_default_security_group resource

This message is extracted from a ticket originally emailed to Names and URLs have been removed where appropriate.


I am struggling to create a vpc with default security group with no
traffic. I check that the default security group for a vpc is not used
and wanted to limit all traffic on it. I am going in the following way:

I could not put "resource "aws_default_security_group" "default" {" from the link above into in infrastructure-modules/blob/master/networking/vpc-app/

* module 'vpc': unknown resource 'aws_vpc.main' referenced in variable 
    module vpc: resource is not a valid parameter

I can get the resource out of the module section:

module "vpc" {  .. .. .. }

resource "aws_default_security_group" "default" { .. .. }

in file infrastructure-modules/blob/master/networking/vpc-app/ but this shows that I use unspecified resource :

aws_default_security_group.default: [ERR] Error finding default security 
group: no matching group found .

How can I use this approach and specify security group id?


module "vpc" { 
  source = 

  vpc_name = "${var.vpc_name}" 
  aws_region = "${var.aws_region}" 
  num_availability_zones = "${var.num_availability_zones}" 
  tenancy = "${var.tenancy}"

  # The number of NAT Gateways to launch for this VPC. For production 
VPCs, a NAT Gateway should be placed in each 
  # Availability Zone (so likely 3 total), whereas for non-prod VPCs, 
just one Availability Zone (and hence 1 NAT 
  # Gateway) will suffice. Warning: You must have at least this number 
of Elastic IP's to spare. The default AWS limit 
  # is 5 per region, but you can request more. 
  num_nat_gateways = "${var.num_nat_gateways}"

  # The IP address range of the VPC in CIDR notation. A prefix of /18 
is recommended. Do not use a prefix higher 
  # than /27. 
  cidr_block = "${var.cidr_block}"

  # Some teams may want to explicitly define the exact CIDR blocks used 
by their subnets. If so, see the vpc-app 
  # docs at 
for additional detail.

  #From the v0.3.0 upgrade: 
  #If you are already using vpc-app or vpc-mgmt and want to preserve 
the CIDR blocks you were using before 
  #  (highly recommended!), you must set the new input variable 
subnet_spacing to 5 
  subnet_spacing = "${var.subnet_spacing}"


resource "aws_default_security_group" "default" { 
  vpc_id = "${aws_vpc.mainvpc.vpc}"  // How to point to the exact resource

  ingress { 
    protocol  = -1 
    self      = true 
    from_port = 0 
    to_port   = 0 

The aws_default_security_group resource requires a vpc_id parameter. Since the VPC is created inside the vpc-app module, you need to read that attribute as an output of that module (the output uses the same name, vpc_id). To read an output from a module, you use syntax of the form module.MODULE_NAME.OUTPUT_NAME (see the docs for more details).

So your code should probably look something like this:

resource "aws_default_security_group" "default" {
  vpc_id = "${module.vpc.vpc_id}"

Thank you very much. I did the the change. All is set up correctly now. Thank you