terraform-aws-modules / terraform-aws-security-group

Terraform module to create AWS Security Group resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws

default egress is too permissive #287

Closed joulaud closed 1 year ago

joulaud commented 1 year ago

Description

Simple usage of your modules whitelists "all-all" as egress by default. This makes it complicated to use them for composition of Security Groups.

In my opinion all egress_rules on rules.tf should be empty.

Versions

Reproduction Code [Required]

module "ssh_security_group" {
  source  = "terraform-aws-modules/security-group/aws//modules/ssh"
  version = "4.17.1"

  description = "Allow ssh traffic to this instance"
  name        = "ssh"
  vpc_id      = (sensitive)

  ingress_cidr_blocks = [
    "0.0.0.0/0"
  ]
}

Expected behavior

Only allow ingress SSH traffic when using this Security Group.

Actual behavior

Also allows all egress traffic.

Terminal Output Screenshot(s)

Extract from terraform state show:

resource "aws_security_group_rule" "egress_rules" {
    type              = "egress"
    description       = "All protocols"
    from_port         = 0
    to_port           = 0
    cidr_blocks       = [
        "0.0.0.0/0",
    ]
    ipv6_cidr_blocks  = [
        "::/0",
    ]
    protocol          = "-1"
}

Additional context

I want to use your modules to compose easily several security-groups on some instances.

antonbabenko commented 1 year ago

You can change the rules to process by setting them to an empty list like this:

module "ssh_security_group" {
  source  = "terraform-aws-modules/security-group/aws//modules/ssh"
  version = "4.17.1"

  description = "Allow ssh traffic to this instance"
  name        = "ssh"
  vpc_id      = (sensitive)

  ingress_cidr_blocks = [
    "0.0.0.0/0"
  ]

  egress_rules = []  # <- leave this empty
}
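The composition the reporter asks for, written out as an added example (this is not code from the issue, the maintainer, or the module's documentation): the ssh submodule is kept ingress-only by clearing egress_rules, a second group built from the root module carries the only egress that is wanted, and both are attached to one instance. The variables vpc_id, ami_id and subnet_id, the instance resource, and the 203.0.113.0/24 source range are assumptions made for the example; the variable names egress_rules, egress_with_cidr_blocks, ingress_cidr_blocks and the output security_group_id are the module's own.

```hcl
# Added example, not part of the issue thread or the module's docs.
# Inputs below are placeholders for the example.
variable "vpc_id"    { type = string }
variable "ami_id"    { type = string }
variable "subnet_id" { type = string }

# Ingress-only group: the ssh submodule adds the "ssh-tcp" ingress rule itself;
# egress_rules = [] overrides its ["all-all"] default so it grants no egress.
module "ssh_security_group" {
  source  = "terraform-aws-modules/security-group/aws//modules/ssh"
  version = "4.17.1"

  name        = "ssh"
  description = "Allow SSH in from the admin range; no egress of its own"
  vpc_id      = var.vpc_id

  ingress_cidr_blocks = ["203.0.113.0/24"] # constructed admin range, not 0.0.0.0/0
  egress_rules        = []                 # drop the default "all-all" egress
}

# Egress-only group built from the root module: the default is cleared the same
# way, then the single outbound rule that is actually needed is stated explicitly.
module "egress_https_security_group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.17.1"

  name        = "egress-https"
  description = "Allow only outbound HTTPS"
  vpc_id      = var.vpc_id

  egress_rules = [] # drop the default "all-all" egress
  egress_with_cidr_blocks = [
    {
      rule        = "https-443-tcp"
      cidr_blocks = "0.0.0.0/0"
      description = "Outbound HTTPS for package updates"
    },
  ]
}

# Attaching both groups composes the rule sets: SSH in, HTTPS out, nothing else.
resource "aws_instance" "bastion" {
  ami           = var.ami_id
  instance_type = "t3.micro"
  subnet_id     = var.subnet_id

  vpc_security_group_ids = [
    module.ssh_security_group.security_group_id,
    module.egress_https_security_group.security_group_id,
  ]
}
```

Two points worth checking after apply. Security group rules are additive across every group attached to an interface, so the egress of this instance is only as tight as the most permissive group on it; a third group that still carries the "all-all" default would silently reopen all outbound traffic, which is why each composed group here clears egress_rules. And the AWS provider revokes the allow-all egress rule that AWS itself adds to a new VPC security group, so an empty egress list really does mean no egress; terraform state show on the ssh group should then list no aws_security_group_rule of type "egress" at all, unlike the extract in the report.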
github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.