Kevin Kenan

Reputation: 31

How to destroy rules in a Terraform managed default security group?

When Terraform adopts ownership of the default security group in a VPC, it will delete all current rules and add any that are specified in the default_security_group resource. However, when you "destroy" the resource, it does not delete the rules it added to the default security group. I understand that it won't delete the default security group, but I expected it to delete the rules that it added. Is there a straightforward way to delete those rules?

My current workaround is to have a separate module that contains an empty default_security_group resource. I build that right before running destroy and that build removes the rules. Is there a better way?

Upvotes: 3

Views: 3893

Answers (2)

WhatIsHeDoing

Reputation: 539

The docs don't currently state this, but you can import a default security group using:

terraform import aws_default_security_group.california sg-<id>

I discovered this when moving resources from one solution to another, and forgetting to use terraform state rm to remove the resource from the initial codebase :)

You should then be able to edit the resource as usual.

Upvotes: 0

DJAlPee

Reputation: 962

What do you mean by "adopts the ownership"? Do you import the default security group into your state file?

If yes, maybe you should handle the default security group with a data source instead of a resource:

data "aws_security_group" "default" {
  name = "default"
}

You can get the ID of the default security group by using "${data.aws_security_group.default.vpc_id}". Now just add the rules, which could be destroyed without touching the security group itself.

Upvotes: 1
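The data-source approach from the answer above, written out as an added example (not code from the answer or from any project). It assumes a `var.vpc_id` input, and it reads the group's ID from the data source's `id` attribute, which is the security group ID; `vpc_id` on the same data source returns the VPC ID. Because every VPC has a group named "default", the lookup is scoped by VPC so it matches exactly one group. The rules live in separate `aws_security_group_rule` resources, so `terraform destroy` removes only the rules and leaves the default group itself untouched.

```hcl
variable "vpc_id" {
  description = "VPC whose default security group should receive the rules (assumed input)"
  type        = string
}

# Look up the default security group without taking ownership of it.
# Scoping by vpc_id avoids a multiple-match error when the account has several VPCs.
data "aws_security_group" "default" {
  name   = "default"
  vpc_id = var.vpc_id
}

# Each rule is its own managed resource. On destroy, Terraform revokes these
# rules from the group but never deletes or rewrites the group itself.
resource "aws_security_group_rule" "allow_https_in" {
  type              = "ingress"
  security_group_id = data.aws_security_group.default.id   # group ID, not vpc_id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/16"]                      # constructed sample range
  description       = "HTTPS from the internal network"
}

resource "aws_security_group_rule" "allow_all_out" {
  type              = "egress"
  security_group_id = data.aws_security_group.default.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Unrestricted egress (tighten for production)"
}

output "default_security_group_id" {
  value = data.aws_security_group.default.id
}
```

One caveat to keep in mind: AWS creates the default security group with a permissive self-referencing ingress rule and an allow-all egress rule. Since this configuration never manages the group itself, those pre-existing rules stay in place unless something else removes them; only the rules declared here are created on apply and revoked on destroy.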
