From 2bb3bd09baddeefdb9cfdf9d7e490a387b56cd30 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Sat, 11 Jan 2020 21:19:20 -0500
Subject: [PATCH 1/2] Feature / Manage Default Security Group

- Add ability to manage default security group as well as ability to add/remove default security group rules Tested with complete example setup. Default values provided in variables for ingress/egress rules match what is created by default with VPC, example shows how to remove both the ingress and egress rules and block all traffic. Note - when removing the default security group control from terraform the default security group won't be destroyed and the ingress/egress rules at that time will be left as is and the resource will no longer be controlled by terraform. Closes #256
---
README.md | 97 ++++++++++++++++++-----------------
examples/complete-vpc/main.tf | 5 ++
main.tf | 43 +++++++++++++++-
outputs.tf | 1 -
variables.tf | 45 ++++++++++++++++
5 files changed, 143 insertions(+), 48 deletions(-)

diff --git a/README.md b/README.md
index 957234d89..8f0a714ca 100644
--- a/README.md
+++ b/README.md
@@ -210,7 +210,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `"64512"` | no |
+| amazon\_side\_asn | The Autonomous System Number \(ASN\) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string | `"64512"` | no |
 | apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | bool | `"false"` | no |
 | apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | list(string) | `[]` | no |
 | apigw\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
@@ -220,7 +220,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | appstream\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for AppStream endpoint | bool | `"false"` | no |
 | appstream\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for AppStream endpoint | list(string) | `[]` | no |
 | appstream\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for AppStream endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| assign\_ipv6\_address\_on\_creation | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | `"false"` | no |
+| assign\_ipv6\_address\_on\_creation | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | bool | `"false"` | no |
 | athena\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint | bool | `"false"` | no |
 | athena\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Athena endpoint | list(string) | `[]` | no |
 | athena\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
@@ -255,17 +255,17 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | create\_elasticache\_subnet\_route\_table | Controls if separate route table for elasticache should be created | bool | `"false"` | no |
 | create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | bool | `"true"` | no |
 | create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | bool | `"false"` | no |
-| create\_vpc | Controls if VPC should be created (it affects almost all resources) | bool | `"true"` | no |
+| create\_vpc | Controls if VPC should be created \(it affects almost all resources\) | bool | `"true"` | no |
 | customer\_gateway\_tags | Additional tags for the Customer Gateway | map(string) | `{}` | no |
-| customer\_gateways | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | map(map(any)) | `{}` | no |
+| customer\_gateways | Maps of Customer Gateway's attributes \(BGP ASN and Gateway's Internet-routable external IP address\) | map(map(any)) | `{}` | no |
 | database\_acl\_tags | Additional tags for the database subnets network ACL | map(string) | `{}` | no |
-| database\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | bool | `"false"` | no |
+| database\_dedicated\_network\_acl | Whether to use dedicated network ACL \(not default\) and custom rules for database subnets | bool | `"false"` | no |
 | database\_inbound\_acl\_rules | Database subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | database\_outbound\_acl\_rules | Database subnets outbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | database\_route\_table\_tags | Additional tags for the database route tables | map(string) | `{}` | no |
-| database\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | `"null"` | no |
+| database\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | bool | `"null"` | no |
 | database\_subnet\_group\_tags | Additional tags for the database subnet group | map(string) | `{}` | no |
-| database\_subnet\_ipv6\_prefixes | Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
+| database\_subnet\_ipv6\_prefixes | Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer \(0-256\). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
 | database\_subnet\_suffix | Suffix to append to database subnets name | string | `"db"` | no |
 | database\_subnet\_tags | Additional tags for the database subnets | map(string) | `{}` | no |
 | database\_subnets | A list of database subnets | list(string) | `[]` | no |
@@ -273,17 +273,21 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | default\_network\_acl\_ingress | List of maps of ingress rules to set on the Default Network ACL | list(map(string)) | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no |
 | default\_network\_acl\_name | Name to be used on the Default Network ACL | string | `""` | no |
 | default\_network\_acl\_tags | Additional tags for the Default Network ACL | map(string) | `{}` | no |
+| default\_security\_group\_egress | List of maps of egress rules to set on the default security group | list(map(string)) | `[ { "cidr_blocks": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "to_port": 0 } ]` | no |
+| default\_security\_group\_ingress | List of maps of ingress rules to set on the default security group | list(map(string)) | `[ { "from_port": 0, "protocol": "-1", "self": true, "to_port": 0 } ]` | no |
+| default\_security\_group\_name | Name to be used on the default security group | string | `""` | no |
+| default\_security\_group\_tags | Additional tags for the default security group | map(string) | `{}` | no |
 | default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | bool | `"false"` | no |
 | default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | bool | `"false"` | no |
 | default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | bool | `"true"` | no |
 | default\_vpc\_name | Name to be used on the Default VPC | string | `""` | no |
 | default\_vpc\_tags | Additional tags for the Default VPC | map(string) | `{}` | no |
-| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true) | string | `""` | no |
-| dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) | list(string) | `[ "AmazonProvidedDNS" ]` | no |
-| dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) | `[]` | no |
-| dhcp\_options\_netbios\_node\_type | Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true) | string | `""` | no |
-| dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) | `[]` | no |
-| dhcp\_options\_tags | Additional tags for the DHCP option set (requires enable_dhcp_options set to true) | map(string) | `{}` | no |
+| dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set \(requires enable\_dhcp\_options set to true\) | string | `""` | no |
+| dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided \(requires enable\_dhcp\_options set to true\) | list(string) | `[ "AmazonProvidedDNS" ]` | no |
+| dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set \(requires enable\_dhcp\_options set to true\) | list(string) | `[]` | no |
+| dhcp\_options\_netbios\_node\_type | Specify netbios node\_type for DHCP options set \(requires enable\_dhcp\_options set to true\) | string | `""` | no |
+| dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set \(requires enable\_dhcp\_options set to true\) | list(string) | `[]` | no |
+| dhcp\_options\_tags | Additional tags for the DHCP option set \(requires enable\_dhcp\_options set to true\) | map(string) | `{}` | no |
 | ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | bool | `"false"` | no |
 | ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list(string) | `[]` | no |
 | ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
@@ -309,12 +313,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | efs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EFS endpoint | list(string) | `[]` | no |
 | efs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EFS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | list(string) | `[]` | no |
 | elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map(string) | `{}` | no |
-| elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | bool | `"false"` | no |
+| elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL \(not default\) and custom rules for elasticache subnets | bool | `"false"` | no |
 | elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | elasticache\_outbound\_acl\_rules | Elasticache subnets outbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map(string) | `{}` | no |
-| elasticache\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | `"null"` | no |
-| elasticache\_subnet\_ipv6\_prefixes | Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
+| elasticache\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | bool | `"null"` | no |
+| elasticache\_subnet\_ipv6\_prefixes | Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer \(0-256\). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
 | elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no |
 | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map(string) | `{}` | no |
 | elasticache\_subnets | A list of elasticache subnets | list(string) | `[]` | no |
@@ -377,7 +381,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | bool | `"false"` | no |
 | events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list(string) | `[]` | no |
 | events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list(string) | `[]` | no |
+| external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways \(used in combination with reuse\_nat\_ips\) | list(string) | `[]` | no |
 | git\_codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint | string | `"false"` | no |
 | git\_codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint | list | `[]` | no |
 | git\_codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
@@ -387,12 +391,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | igw\_tags | Additional tags for the internet gateway | map(string) | `{}` | no |
 | instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no |
 | intra\_acl\_tags | Additional tags for the intra subnets network ACL | map(string) | `{}` | no |
-| intra\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | bool | `"false"` | no |
+| intra\_dedicated\_network\_acl | Whether to use dedicated network ACL \(not default\) and custom rules for intra subnets | bool | `"false"` | no |
 | intra\_inbound\_acl\_rules | Intra subnets inbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | intra\_outbound\_acl\_rules | Intra subnets outbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | intra\_route\_table\_tags | Additional tags for the intra route tables | map(string) | `{}` | no |
-| intra\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | `"null"` | no |
-| intra\_subnet\_ipv6\_prefixes | Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
+| intra\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | bool | `"null"` | no |
+| intra\_subnet\_ipv6\_prefixes | Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer \(0-256\). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
 | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no |
 | intra\_subnet\_tags | Additional tags for the intra subnets | map(string) | `{}` | no |
 | intra\_subnets | A list of intra subnets | list(string) | `[]` | no |
@@ -409,6 +413,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | logs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | list(string) | `[]` | no |
 | logs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | manage\_default\_network\_acl | Should be true to adopt and manage Default Network ACL | bool | `"false"` | no |
+| manage\_default\_security\_group | Should be true to adopt and manage default security group | bool | `"false"` | no |
 | manage\_default\_vpc | Should be true to adopt and manage Default VPC | bool | `"false"` | no |
 | map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | bool | `"true"` | no |
 | monitoring\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint | bool | `"false"` | no |
@@ -417,44 +422,44 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | name | Name to be used on all the resources as identifier | string | `""` | no |
 | nat\_eip\_tags | Additional tags for the NAT EIP | map(string) | `{}` | no |
 | nat\_gateway\_tags | Additional tags for the NAT gateways | map(string) | `{}` | no |
-| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | bool | `"false"` | no |
+| one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public\_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | bool | `"false"` | no |
 | private\_acl\_tags | Additional tags for the private subnets network ACL | map(string) | `{}` | no |
-| private\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets | bool | `"false"` | no |
+| private\_dedicated\_network\_acl | Whether to use dedicated network ACL \(not default\) and custom rules for private subnets | bool | `"false"` | no |
 | private\_inbound\_acl\_rules | Private subnets inbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | private\_outbound\_acl\_rules | Private subnets outbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | private\_route\_table\_tags | Additional tags for the private route tables | map(string) | `{}` | no |
-| private\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | `"null"` | no |
-| private\_subnet\_ipv6\_prefixes | Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
+| private\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | bool | `"null"` | no |
+| private\_subnet\_ipv6\_prefixes | Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer \(0-256\). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
 | private\_subnet\_suffix | Suffix to append to private subnets name | string | `"private"` | no |
 | private\_subnet\_tags | Additional tags for the private subnets | map(string) | `{}` | no |
 | private\_subnets | A list of private subnets inside the VPC | list(string) | `[]` | no |
 | propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | bool | `"false"` | no |
 | propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | bool | `"false"` | no |
 | public\_acl\_tags | Additional tags for the public subnets network ACL | map(string) | `{}` | no |
-| public\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets | bool | `"false"` | no |
+| public\_dedicated\_network\_acl | Whether to use dedicated network ACL \(not default\) and custom rules for public subnets | bool | `"false"` | no |
 | public\_inbound\_acl\_rules | Public subnets inbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | public\_outbound\_acl\_rules | Public subnets outbound network ACLs | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | public\_route\_table\_tags | Additional tags for the public route tables | map(string) | `{}` | no |
-| public\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | `"null"` | no |
-| public\_subnet\_ipv6\_prefixes | Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
+| public\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | bool | `"null"` | no |
+| public\_subnet\_ipv6\_prefixes | Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer \(0-256\). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
 | public\_subnet\_suffix | Suffix to append to public subnets name | string | `"public"` | no |
 | public\_subnet\_tags | Additional tags for the public subnets | map(string) | `{}` | no |
 | public\_subnets | A list of public subnets inside the VPC | list(string) | `[]` | no |
 | redshift\_acl\_tags | Additional tags for the redshift subnets network ACL | map(string) | `{}` | no |
-| redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | bool | `"false"` | no |
+| redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL \(not default\) and custom rules for redshift subnets | bool | `"false"` | no |
 | redshift\_inbound\_acl\_rules | Redshift subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | redshift\_outbound\_acl\_rules | Redshift subnets outbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
 | redshift\_route\_table\_tags | Additional tags for the redshift route tables | map(string) | `{}` | no |
-| redshift\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | `"null"` | no |
+| redshift\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | bool | `"null"` | no |
 | redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map(string) | `{}` | no |
-| redshift\_subnet\_ipv6\_prefixes | Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
+| redshift\_subnet\_ipv6\_prefixes | Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer \(0-256\). Must be of equal length to the corresponding IPv4 subnet list | list | `[]` | no |
 | redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no |
 | redshift\_subnet\_tags | Additional tags for the redshift subnets | map(string) | `{}` | no |
 | redshift\_subnets | A list of redshift subnets | list(string) | `[]` | no |
 | rekognition\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Rekognition endpoint | bool | `"false"` | no |
 | rekognition\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Rekognition endpoint | list(string) | `[]` | no |
 | rekognition\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
-| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool | `"false"` | no |
+| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | bool | `"false"` | no |
 | sagemaker\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint | bool | `"false"` | no |
 | sagemaker\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SageMaker API endpoint | list(string) | `[]` | no |
 | sagemaker\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
@@ -514,8 +519,8 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | database\_subnet\_arns | List of ARNs of database subnets |
 | database\_subnet\_group | ID of database subnet group |
 | database\_subnets | List of IDs of database subnets |
-| database\_subnets\_cidr\_blocks | List of cidr_blocks of database subnets |
-| database\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr_blocks of database subnets in an IPv6 enabled VPC |
+| database\_subnets\_cidr\_blocks | List of cidr\_blocks of database subnets |
+| database\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr\_blocks of database subnets in an IPv6 enabled VPC |
 | default\_network\_acl\_id | The ID of the default network ACL |
 | default\_route\_table\_id | The ID of the default route table |
 | default\_security\_group\_id | The ID of the security group created by default on VPC creation |
@@ -535,15 +540,15 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | elasticache\_subnet\_group | ID of elasticache subnet group |
 | elasticache\_subnet\_group\_name | Name of elasticache subnet group |
 | elasticache\_subnets | List of IDs of elasticache subnets |
-| elasticache\_subnets\_cidr\_blocks | List of cidr_blocks of elasticache subnets |
-| elasticache\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr_blocks of elasticache subnets in an IPv6 enabled VPC |
+| elasticache\_subnets\_cidr\_blocks | List of cidr\_blocks of elasticache subnets |
+| elasticache\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr\_blocks of elasticache subnets in an IPv6 enabled VPC |
 | igw\_id | The ID of the Internet Gateway |
 | intra\_network\_acl\_id | ID of the intra network ACL |
 | intra\_route\_table\_ids | List of IDs of intra route tables |
 | intra\_subnet\_arns | List of ARNs of intra subnets |
 | intra\_subnets | List of IDs of intra subnets |
-| intra\_subnets\_cidr\_blocks | List of cidr_blocks of intra subnets |
-| intra\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC |
+| intra\_subnets\_cidr\_blocks | List of cidr\_blocks of intra subnets |
+| intra\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr\_blocks of intra subnets in an IPv6 enabled VPC |
 | name | The name of the VPC specified as argument to this module |
 | nat\_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
 | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
@@ -552,21 +557,21 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | private\_route\_table\_ids | List of IDs of private route tables | | private\_subnet\_arns | List of ARNs of private subnets | | private\_subnets | List of IDs of private subnets | -| private\_subnets\_cidr\_blocks | List of cidr_blocks of private subnets | -| private\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr_blocks of private subnets in an IPv6 enabled VPC | +| private\_subnets\_cidr\_blocks | List of cidr\_blocks of private subnets | +| private\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr\_blocks of private subnets in an IPv6 enabled VPC | | public\_network\_acl\_id | ID of the public network ACL | | public\_route\_table\_ids | List of IDs of public route tables | | public\_subnet\_arns | List of ARNs of public subnets | | public\_subnets | List of IDs of public subnets | -| public\_subnets\_cidr\_blocks | List of cidr_blocks of public subnets | -| public\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC | +| public\_subnets\_cidr\_blocks | List of cidr\_blocks of public subnets | +| public\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr\_blocks of public subnets in an IPv6 enabled VPC | | redshift\_network\_acl\_id | ID of the redshift network ACL | | redshift\_route\_table\_ids | List of IDs of redshift route tables | | redshift\_subnet\_arns | List of ARNs of redshift subnets | | redshift\_subnet\_group | ID of redshift subnet group | | redshift\_subnets | List of IDs of redshift subnets | -| redshift\_subnets\_cidr\_blocks | List of cidr_blocks of redshift subnets | -| redshift\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC | +| redshift\_subnets\_cidr\_blocks | List of cidr\_blocks of redshift subnets | +| redshift\_subnets\_ipv6\_cidr\_blocks | List of IPv6 cidr\_blocks of redshift subnets in an IPv6 enabled VPC | | this\_customer\_gateway | Map 
of Customer Gateway attributes | | vgw\_id | The ID of the VPN Gateway | | vpc\_arn | The ARN of the VPC | @@ -638,9 +643,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | vpc\_endpoint\_events\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. | | vpc\_endpoint\_events\_id | The ID of VPC endpoint for CloudWatch Events | | vpc\_endpoint\_events\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. | -| vpc\_endpoint\_git\_codecommit\_dns\_entry | The DNS entries for the VPC Endpoint for git_codecommit. | -| vpc\_endpoint\_git\_codecommit\_id | The ID of VPC endpoint for git_codecommit | -| vpc\_endpoint\_git\_codecommit\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for git_codecommit. | +| vpc\_endpoint\_git\_codecommit\_dns\_entry | The DNS entries for the VPC Endpoint for git\_codecommit. | +| vpc\_endpoint\_git\_codecommit\_id | The ID of VPC endpoint for git\_codecommit | +| vpc\_endpoint\_git\_codecommit\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for git\_codecommit. | | vpc\_endpoint\_glue\_dns\_entry | The DNS entries for the VPC Endpoint for Glue. | | vpc\_endpoint\_glue\_id | The ID of VPC endpoint for Glue | | vpc\_endpoint\_glue\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Glue. | diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index e492f5c87..9334ead70 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -106,6 +106,11 @@ module "vpc" { sqs_endpoint_private_dns_enabled = true sqs_endpoint_security_group_ids = [data.aws_security_group.default.id] + # Default security group - ingress/egress rules cleared to deny all + manage_default_security_group = true + default_security_group_ingress = [{}] + default_security_group_egress = [{}] + tags = { Owner = "user" Environment = "staging" 
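Review bot: `default_security_group_ingress = [{}]` in the example does not produce zero rules, because the `lookup` fallbacks in main.tf's dynamic blocks (`from_port` 0, `to_port` 0, `protocol` "-1") turn an empty map into an all-protocols rule that names no source at all (no cidr_blocks, ipv6_cidr_blocks, prefix_list_ids or self); how the provider treats such a sourceless rule is up to it, and it is not the "rules cleared to deny all" the comment above describes. `default_security_group_ingress = []` and `default_security_group_egress = []` say "no rules" directly, since for_each over an empty list emits no blocks. The same applies to the egress line of this hunk. The enclosing `module "vpc"` block starts before the hunk.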
diff --git a/main.tf b/main.tf index 396afb323..59dc600bb 100644 --- a/main.tf +++ b/main.tf @@ -54,6 +54,48 @@ resource "aws_vpc_ipv4_cidr_block_association" "this" { cidr_block = element(var.secondary_cidr_blocks, count.index) } +resource "aws_default_security_group" "this" { + count = var.create_vpc && var.manage_default_security_group ? 1 : 0 + + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + + dynamic "ingress" { + for_each = var.default_security_group_ingress + content { + self = lookup(ingress.value, "self", null) + cidr_blocks = compact(split(",", lookup(ingress.value, "cidr_blocks", ""))) + ipv6_cidr_blocks = compact(split(",", lookup(ingress.value, "ipv6_cidr_blocks", ""))) + prefix_list_ids = compact(split(",", lookup(ingress.value, "prefix_list_ids", ""))) + description = lookup(ingress.value, "description", null) + from_port = lookup(ingress.value, "from_port", 0) + to_port = lookup(ingress.value, "to_port", 0) + protocol = lookup(ingress.value, "protocol", "-1") + } + } + + dynamic "egress" { + for_each = var.default_security_group_egress + content { + self = lookup(egress.value, "self", null) + cidr_blocks = compact(split(",", lookup(egress.value, "cidr_blocks", ""))) + ipv6_cidr_blocks = compact(split(",", lookup(egress.value, "ipv6_cidr_blocks", ""))) + prefix_list_ids = compact(split(",", lookup(egress.value, "prefix_list_ids", ""))) + description = lookup(egress.value, "description", null) + from_port = lookup(egress.value, "from_port", 0) + to_port = lookup(egress.value, "to_port", 0) + protocol = lookup(egress.value, "protocol", "-1") + } + } + + tags = merge( + { + "Name" = format("%s", var.default_security_group_name) + }, + var.tags, + var.default_security_group_tags, + ) +} + ################### # DHCP Options Set ################### @@ -1077,4 +1119,3 @@ resource "aws_default_vpc" "this" { var.default_vpc_tags, ) } - diff --git a/outputs.tf b/outputs.tf index 946d081e1..c6c35d640 100644 --- a/outputs.tf +++ b/outputs.tf 
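Review bot: `resource "aws_default_security_group" "this"` adopts a group that AWS already created, and nothing in the hunk says what adoption does to the rules that group currently carries; as I recall the provider documents that it first strips every existing ingress and egress rule and then creates only the ones configured here, which is the security-relevant fact an operator flipping `manage_default_security_group` needs to know. I would put that above the resource, e.g. `# Adopting the default SG removes all of its existing rules and replaces them with the ingress/egress blocks below; un-setting manage_default_security_group later leaves the SG and its rules as they are, just no longer managed here.` A smaller point of style: `format("%s", var.default_security_group_name)` is just `var.default_security_group_name`.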
@@ -1002,7 +1002,6 @@ output "vpc_endpoint_cloud_directory_dns_entry" { value = flatten(aws_vpc_endpoint.cloud_directory.*.dns_entry) } - # Static values (arguments) output "azs" { description = "A list of availability zones specified as argument to this module" diff --git a/variables.tf b/variables.tf index 856e2a25c..fdd8608ce 100644 --- a/variables.tf +++ b/variables.tf @@ -1879,3 +1879,48 @@ variable "elasticache_outbound_acl_rules" { ] } +variable "manage_default_security_group" { + description = "Should be true to adopt and manage default security group" + type = bool + default = false +} + +variable "default_security_group_name" { + description = "Name to be used on the default security group" + type = string + default = "" +} + +variable "default_security_group_ingress" { + description = "List of maps of ingress rules to set on the default security group" + type = list(map(string)) + + default = [ + { + self = true + from_port = 0 + to_port = 0 + protocol = "-1" + } + ] +} + +variable "default_security_group_egress" { + description = "List of maps of egress rules to set on the default security group" + type = list(map(string)) + + default = [ + { + cidr_blocks = "0.0.0.0/0" + from_port = 0 + to_port = 0 + protocol = "-1" + } + ] +} + +variable "default_security_group_tags" { + description = "Additional tags for the default security group" + type = map(string) + default = {} +} From dca165ad47934a24a6ca7da7ed30c3d6fe2aae52 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Sat, 20 Jun 2020 17:58:15 -0400 Subject: [PATCH 2/2] - Use `null` as default to preserve current settings and when removing default control --- README.md | 6 +++--- main.tf | 2 +- variables.tf | 22 +++------------------- 3 files changed, 7 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 7569a1e8a..0fefc3200 100644 --- a/README.md +++ b/README.md 
@@ -314,9 +314,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | default\_network\_acl\_ingress | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` |
[
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no | | default\_network\_acl\_name | Name to be used on the Default Network ACL | `string` | `""` | no | | default\_network\_acl\_tags | Additional tags for the Default Network ACL | `map(string)` | `{}` | no | -| default\_security\_group\_egress | List of maps of egress rules to set on the default security group | `list(map(string))` |
[
{
"cidr_blocks": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
]
| no | -| default\_security\_group\_ingress | List of maps of ingress rules to set on the default security group | `list(map(string))` |
[
{
"from_port": 0,
"protocol": "-1",
"self": true,
"to_port": 0
}
]
| no | -| default\_security\_group\_name | Name to be used on the default security group | `string` | `""` | no | +| default\_security\_group\_egress | List of maps of egress rules to set on the default security group | `list(map(string))` | `null` | no | +| default\_security\_group\_ingress | List of maps of ingress rules to set on the default security group | `list(map(string))` | `null` | no | +| default\_security\_group\_name | Name to be used on the default security group | `string` | `"default"` | no | | default\_security\_group\_tags | Additional tags for the default security group | `map(string)` | `{}` | no | | default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | `bool` | `false` | no | | default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | `bool` | `false` | no | diff --git a/main.tf b/main.tf index 9b78e4722..844d9c7fa 100644 --- a/main.tf +++ b/main.tf @@ -57,7 +57,7 @@ resource "aws_vpc_ipv4_cidr_block_association" "this" { resource "aws_default_security_group" "this" { count = var.create_vpc && var.manage_default_security_group ? 1 : 0 - vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + vpc_id = aws_vpc.this[0].id dynamic "ingress" { for_each = var.default_security_group_ingress diff --git a/variables.tf b/variables.tf index bcdaea069..bce63c9c4 100644 --- a/variables.tf +++ b/variables.tf @@ -2268,21 +2268,13 @@ variable "manage_default_security_group" { variable "default_security_group_name" { description = "Name to be used on the default security group" type = string - default = "" + default = "default" } variable "default_security_group_ingress" { description = "List of maps of ingress rules to set on the default security group" type = list(map(string)) - - default = [ - { - self = true - from_port = 0 - to_port = 0 - protocol = "-1" - } - ] + default = null } variable "enable_flow_log" { 
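Review bot: `default = null` for `default_security_group_ingress` flows unguarded into `for_each = var.default_security_group_ingress` in the main.tf dynamic block, and I believe HCL rejects a null there (`Cannot use a null value in for_each`), so anyone who sets `manage_default_security_group = true` without also supplying both rule lists would get a plan error; `default_security_group_egress` in the next hunk has the same problem. If the intent is "emit no rule blocks", `default = []` does that with no change to main.tf; if null is wanted as a sentinel, the dynamic blocks need `for_each = var.default_security_group_ingress == null ? [] : var.default_security_group_ingress` (and likewise for egress). I am also not convinced that null "preserves current settings" as the commit message says: as I recall, adopting the default security group removes every existing rule before creating the configured ones, so an empty list and null should both end up as a rule-less, deny-all group. A short sentence in the variable description stating what the default actually does would keep readers from relying on the commit message for that.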
@@ -2294,15 +2286,7 @@ variable "enable_flow_log" { variable "default_security_group_egress" { description = "List of maps of egress rules to set on the default security group" type = list(map(string)) - - default = [ - { - cidr_blocks = "0.0.0.0/0" - from_port = 0 - to_port = 0 - protocol = "-1" - } - ] + default = null } variable "default_security_group_tags" {