cloudposse / terraform-aws-elasticsearch

Terraform module to provision an Elasticsearch cluster with built-in integrations with Kibana and Logstash.
https://cloudposse.com/accelerate
Apache License 2.0

Introduce Variable for Controlling Egress Rules Creation #175

Open joelgaria opened 7 months ago

joelgaria commented 7 months ago

Describe the Feature

The proposed feature introduces a new variable, manage_egress_rules, to the existing Terraform module. This variable allows users to control the creation or destruction of the aws_security_group_rule resource responsible for defining egress rules within the security group.

Expected Behavior

When the manage_egress_rules variable is set to true (default), the module will create the aws_security_group_rule for egress traffic. Conversely, when set to false, the module will omit the creation of the egress rule, offering users the flexibility to manage egress rules according to their specific requirements.

Use Case

Consider a scenario where an organization utilizes the Terraform module to deploy infrastructure. By default, egress rules are created to allow all outbound traffic. With the introduction of the manage_egress_rules variable, users can tailor the module to their security policies. For instance, if the organization follows a principle of least privilege, users may set manage_egress_rules to false to explicitly avoid creating default egress rules. This provides a more fine-grained control over the security posture of the deployed infrastructure.

Describe Ideal Solution

The ideal solution is to introduce a new variable, manage_egress_rules, to the Terraform module. This variable provides users with the ability to control the creation or exclusion of the aws_security_group_rule resource responsible for defining egress rules within the associated security group.

Key Objectives:

Granular Control: The manage_egress_rules variable should allow users to specify whether the module should create egress rules by default or abstain from doing so.

Default Behavior: Setting manage_egress_rules to true ensures that, by default, the module continues to create egress rules, maintaining compatibility with existing deployments.

Flexibility: Users should have the flexibility to set manage_egress_rules to false if they wish to manage egress rules explicitly, aligning with specific security policies.

Expected Impact:

Simplified Management: Users can tailor the module to their security requirements by choosing to either rely on default egress rules or manage them explicitly.

Improved Security Posture: Fine-grained control over egress rules allows for stricter security policies, adhering to the principle of least privilege.

Alternatives Considered

No response

Additional Context

Proposed Changes

resource "aws_security_group_rule" "egress" {
  count             = module.this.enabled && var.vpc_enabled && var.create_security_group && var.manage_egress_rules ? 1 : 0
  description       = "Allow all egress traffic"
  type              = "egress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = join("", aws_security_group.default[*].id)
}
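The following is an added example and is not code from the issue author or from the cloudposse module. It shows both halves of the proposal end to end: the variable declaration the module would need (its exact wording is an assumption; the issue only names the variable), and a root module that sets manage_egress_rules to false and attaches its own narrowly scoped egress rule instead of the module's allow-all rule. The module inputs vpc_id and subnet_ids, the output name security_group_id, the internal CIDR and the port are assumptions or constructed placeholders, not values from the page.

```hcl
# --- Module side (assumed declaration for the variable proposed in the issue) ---
variable "manage_egress_rules" {
  type        = bool
  description = "When true, the module creates its default allow-all TCP egress rule on the security group it manages. Set to false to define egress rules outside the module."
  default     = true
}

# --- Caller side: opt out of the default rule and manage egress explicitly ---
module "elasticsearch" {
  source = "cloudposse/elasticsearch/aws"
  # version = "<release that includes manage_egress_rules>"  # placeholder, pin in real use

  vpc_enabled           = true
  create_security_group = true
  manage_egress_rules   = false # proposed variable: skip the 0.0.0.0/0 TCP egress rule

  vpc_id     = "vpc-0123456789abcdef0"                    # constructed placeholder
  subnet_ids = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"] # constructed placeholders
}

# Least-privilege egress managed by the caller: only HTTPS to an internal range.
# Because the module created no egress rule, nothing else is allowed outbound.
resource "aws_security_group_rule" "es_egress_https_internal" {
  description       = "Egress: HTTPS to internal services only"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/16"]                  # constructed placeholder
  security_group_id = module.elasticsearch.security_group_id # assumed output name
}
```

Two points worth keeping in mind when adopting this pattern. First, Terraform's aws_security_group resource removes the allow-all egress rule that AWS attaches to a new VPC security group, so with manage_egress_rules set to false and no replacement rule the domain has no outbound connectivity at all; the caller must add whatever egress the cluster genuinely needs. Second, the module's existing rule is described as "Allow all egress traffic" but is declared with protocol "tcp" and ports 0-65535, so it already permits TCP only; callers who rely on the default should not assume UDP or ICMP egress is open.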