Updated May 10, 2026

Manages a Raff security group — a named set of inbound/outbound rules that attach to VM NICs. A reboot is required for VMs to pick up rule changes inside the guest. Rules are nested blocks; updating the rule list replaces the entire set on the API side.

Example — built from scratch

resource "raff_security_group" "web" {
  name        = "web-public"
  description = "HTTP/HTTPS open to the world, SSH from office"

  rule {
    rule_type = "inbound"
    protocol  = "TCP"
    range     = "80"
  }

  rule {
    rule_type = "inbound"
    protocol  = "TCP"
    range     = "443"
  }

  rule {
    rule_type = "inbound"
    protocol  = "TCP"
    range     = "22"
    ip        = "203.0.113.0"
    size      = 24
  }

  # Default-allow outbound (all)
  rule {
    rule_type = "outbound"
    protocol  = "ALL"
  }
}

Example — seeded from a template

resource "raff_security_group" "web" {
  name        = "web-public"
  template_id = "<web-server-template-uuid>"
}

Templates copy a curated rule set at create time; you can then add explicit rule blocks to merge in extras. Get template IDs via raff security-group templates.

Argument reference

Required

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Security group name. Updates rename in place |

Optional

| Argument | Type | Description |
| --- | --- | --- |
| description | string | Free-form description |
| template_id | string (UUID) | Seed from a template at create time. Template rules are copied, then merged with any explicit rule blocks. ForceNew |
| rule | list of blocks | Inbound/outbound rules. Updates replace the entire set |

rule block

| Argument | Type | Description |
| --- | --- | --- |
| rule_type | string (required) | Direction — inbound or outbound |
| protocol | string (required) | TCP, UDP, ICMP, ICMPV6, or ALL |
| range | string | Port or port range — single (80) or range (8000:9000). Empty for ICMP/ALL |
| ip | string | Source/destination IP. Empty means any |
| size | int | CIDR block size paired with ip (e.g. 24 for /24) |
| icmp_type | int | ICMP message type (only for ICMP / ICMPV6) |
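
The rule table states that an empty ip means any source, so a rule block that omits ip on a management port is open to the world. The Python check below is an added example (not part of the Raff provider or its documentation) that audits `terraform show -json` plan output for such inbound rules. It assumes nested rule blocks appear as a list under `change.after.rule`, treats a TCP rule with an empty range as all ports, and uses a constructed plan; `SENSITIVE_PORTS`, `sg_entry` and the function names are hypothetical.

```python
SENSITIVE_PORTS = {22, 3389}  # assumption of this example: management ports

def port_span(rng):
    """Parse the rule `range` argument: "80", "8000:9000", or empty (all ports)."""
    if not rng:
        return (0, 65535)
    lo, _, hi = str(rng).partition(":")
    return (int(lo), int(hi or lo))

def is_any_source(rule):
    """Empty ip means any source (rule table); a /0 prefix also matches everything."""
    return not rule.get("ip") or rule.get("size") == 0

def audit_plan(plan):
    """Return (address, message) findings for raff_security_group resources in a plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "raff_security_group":
            continue
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed, nothing to audit
            continue
        for rule in after.get("rule") or []:
            proto = rule.get("protocol")
            if (rule.get("rule_type") != "inbound" or proto not in ("TCP", "ALL")
                    or not is_any_source(rule)):
                continue
            lo, hi = port_span(rule.get("range"))
            hit = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if hit:
                findings.append((rc["address"], f"{proto} {hit} inbound from any source"))
    return findings

def sg_entry(name, rules):  # hypothetical helper: one constructed plan entry
    return {"address": f"raff_security_group.{name}", "type": "raff_security_group",
            "change": {"after": {"name": name, "rule": rules}}}

# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"resource_changes": [
    sg_entry("web", [
        {"rule_type": "inbound", "protocol": "TCP", "range": "80", "ip": None, "size": None},
        {"rule_type": "inbound", "protocol": "TCP", "range": "22", "ip": "203.0.113.0", "size": 24},
        {"rule_type": "outbound", "protocol": "ALL", "range": None, "ip": None, "size": None},
    ]),
    sg_entry("batch", [{"rule_type": "inbound", "protocol": "TCP", "range": "20:25", "ip": "", "size": None}]),
]}

if __name__ == "__main__":
    for address, message in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {message}")
```

Run it in CI against the plan JSON before apply; because updates replace the entire rule set, the planned `after` value is the full rule list that will be in effect.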

Attribute reference (computed)

| Attribute | Description |
| --- | --- |
| id | Security group UUID |
| project_id | Owning project UUID |
| vm_count | Number of VM NICs currently using this security group |
| created_at / updated_at | RFC3339 timestamps |

Lifecycle

| Operation | Behavior |
| --- | --- |
| terraform apply (create) | Creates the security group |
| Change name, description, rule | In-place update. Attached VMs need a reboot to apply rule changes inside the guest |
| Change template_id | Replacement — destroy + recreate |
| terraform destroy | Deletes the security group. Detach from VMs first |

Importing existing security groups

terraform import raff_security_group.web <sg-uuid>

Permissions

The API key needs security_group.create, security_group.manage, and security_group.delete in the project. The system role Project Admin grants all of these.

Data sources

# Single security group by UUID
data "raff_security_group" "web" {
  id = raff_security_group.web.id
}

# All security groups in the current project
data "raff_security_groups" "all" {}

raff_vm

Attach security groups via the CLI or dashboard.

raff_vpc

Private networks the rules apply to.

CLI: raff security-group

Imperative equivalent (incl. templates).
Last modified on May 11, 2026