Open dlacosteGFM opened 1 year ago
We applied the PR in both test and production with no impact: everything continued working with no issue (which makes sense, as EFS does not do egress :) )
I need the same! Any alternative workaround?
Hello @ezeroti (sorry for the delay but I went on vacation the day after you posted your comment)
I have made a public repo available with the change made: you could use that if you want (diff below) or you could make the same on your own (just fork this repo, apply the diff, and then refer to that from your terraform call)
module "efs_api_cps" {
- source = "git::https://github.com/cloudposse/terraform-aws-efs.git?ref=0.34.0"
+ source = "git::https://github.com/dlacosteGFM/terraform-aws-efs.git?ref=0.34.0%2Begress_flag"
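Review bot: the `+` line pins the module to `ref=0.34.0%2Begress_flag` on a personal fork, which is a URL-encoded `0.34.0+egress_flag`, i.e. a branch-style ref rather than an immutable tag or commit; anyone copying this should pin to a specific commit SHA of that fork (or wait for PR #126 to land upstream) so later pushes to the branch cannot silently change the module code they deploy, and should diff the fork against upstream `0.34.0` before trusting it. The `module "efs_api_cps" {` block is also shown without its closing `}`, presumably just truncated in the quote.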
Describe the Feature
TL;DR
Add a new flag to make allow-all-egress optional
Detail
This is really simple: EFS doesn't do egress (logically) so the "allow egress to 0.0.0.0/0" rule is redundant.
On top of that, we got a question during a compliance audit about the rule: we aren't supposed to be doing "open to 0.0.0.0/0" rules if we can avoid it (see references below)
Therefore I made a PR to just make that an additional parameter that defaults to `true` so nobody has to change anything, but you can change it to `false` if your PCI auditor is upset.
References
Expected Behavior
Expected behavior for existing users who make no change: no impact, same result.
Expected behavior for those who set the `allow_all_egress` parameter to `false` when they use this module: that one security group rule is not added.
Use Case
The use case is for anyone trying to keep PCI auditors happy (open to 0.0.0.0/0 rules are frowned upon).
Describe Ideal Solution
PR: https://github.com/cloudposse/terraform-aws-efs/pull/126
Alternatives Considered
We tried maintaining our own security-group instead but this is MUCH cleaner and easier (and more shareable!)
Additional Context
No response
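As an added illustration of the pattern this feature request describes (not the code from PR #126 or from the cloudposse module itself), the following shows how an `allow_all_egress` flag can gate the 0.0.0.0/0 egress rule in a Terraform module; the `vpc_id` and `allowed_cidr_blocks` variables and the resource names are assumptions made for the example:

```hcl
# Hypothetical module excerpt: the flag keeps today's behaviour by default.
variable "allow_all_egress" {
  type        = bool
  description = "Add an allow-all egress rule (0.0.0.0/0) to the EFS security group. EFS only accepts NFS connections, so most deployments can set this to false."
  default     = true
}

# Assumed inputs for the example.
variable "vpc_id" { type = string }
variable "allowed_cidr_blocks" { type = list(string) }

# Terraform removes the default allow-all egress rule AWS attaches to a new
# VPC security group, so egress exists only if a rule below re-creates it.
resource "aws_security_group" "efs" {
  name_prefix = "efs-"
  vpc_id      = var.vpc_id
}

# Ingress: NFS (TCP 2049) from the clients that will mount the file system.
resource "aws_security_group_rule" "ingress_nfs" {
  type              = "ingress"
  from_port         = 2049
  to_port           = 2049
  protocol          = "tcp"
  cidr_blocks       = var.allowed_cidr_blocks
  security_group_id = aws_security_group.efs.id
}

# Egress: only created when allow_all_egress is true. With count = 0 the
# resource is absent from the plan, so no 0.0.0.0/0 rule is created and
# existing users who leave the default untouched see no change.
resource "aws_security_group_rule" "egress_all" {
  count             = var.allow_all_egress ? 1 : 0
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.efs.id
}

# Caller side (in the root module):
#   module "efs" {
#     source           = "<module source>"
#     allow_all_egress = false   # drop the open egress rule for the auditor
#   }
```

Running `terraform plan` with `allow_all_egress = false` should show no `aws_security_group_rule.egress_all` resource at all, which is the observable check that the open rule is gone.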