
Introduce Variable for Controlling Egress Rules Creation #175

Open
joelgaria opened this issue Jan 24, 2024 · 0 comments

Comments

@joelgaria

Describe the Feature

The proposed feature introduces a new variable, manage_egress_rules, to the existing Terraform module. This variable allows users to control the creation or destruction of the aws_security_group_rule resource responsible for defining egress rules within the security group.

Expected Behavior

When the manage_egress_rules variable is set to true (default), the module will create the aws_security_group_rule for egress traffic. Conversely, when set to false, the module will omit the creation of the egress rule, offering users the flexibility to manage egress rules according to their specific requirements.

Use Case

Consider a scenario where an organization utilizes the Terraform module to deploy infrastructure. By default, egress rules are created to allow all outbound traffic. With the introduction of the manage_egress_rules variable, users can tailor the module to their security policies. For instance, if the organization follows a principle of least privilege, users may set manage_egress_rules to false to explicitly avoid creating default egress rules. This provides a more fine-grained control over the security posture of the deployed infrastructure.

Describe Ideal Solution

The ideal solution is to introduce a new variable, manage_egress_rules, to the Terraform module. This variable provides users with the ability to control the creation or exclusion of the aws_security_group_rule resource responsible for defining egress rules within the associated security group.

Key Objectives:

- Granular Control: The manage_egress_rules variable should allow users to specify whether the module should create egress rules by default or abstain from doing so.
- Default Behavior: Setting manage_egress_rules to true ensures that, by default, the module continues to create egress rules, maintaining compatibility with existing deployments.
- Flexibility: Users should have the flexibility to set manage_egress_rules to false if they wish to manage egress rules explicitly, aligning with specific security policies.

Expected Impact:

- Simplified Management: Users can tailor the module to their security requirements by choosing to either rely on default egress rules or manage them explicitly.
- Improved Security Posture: Fine-grained control over egress rules allows for stricter security policies, adhering to the principle of least privilege.

Alternatives Considered

No response

Additional Context

Proposed Changes

```hcl
# The new var.manage_egress_rules is ANDed into the existing count gate, so the
# rule is only created when the module is enabled, VPC mode is on, the module
# creates the security group, and the caller has not opted out.
resource "aws_security_group_rule" "egress" {
  count             = module.this.enabled && var.vpc_enabled && var.create_security_group && var.manage_egress_rules ? 1 : 0
  description       = "Allow all egress traffic"
  type              = "egress"
  from_port         = 0
  to_port           = 65535
  # Note: protocol "tcp" with ports 0-65535 covers TCP only, not UDP/ICMP;
  # an AWS rule that truly allows all egress uses protocol "-1".
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = join("", aws_security_group.default[*].id)
}
```
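As an added example (not code from the issue or from the module), here is how the variable declaration, the gated module-side rule, and a caller that opts out and attaches its own least-privilege egress rule would fit together. `module.this.enabled`, `var.vpc_enabled`, `var.create_security_group` and `aws_security_group.default` are taken from the snippet above; the module source path, the module output name `security_group_id`, the caller module name `example` and the `10.0.0.0/8` CIDR are assumptions for illustration.

```hcl
# ---- Module side (variables.tf) -- added example, not the module's code ----
variable "manage_egress_rules" {
  type        = bool
  default     = true
  description = "When false, the module creates no egress rule; the caller must attach its own egress rules to the security group."
}

# ---- Module side (main.tf) ----
# Same gate as the proposal; protocol "-1" / ports 0-0 is what "allow all
# egress" means in AWS (the proposal's "tcp" 0-65535 covers TCP only).
resource "aws_security_group_rule" "egress" {
  count             = module.this.enabled && var.vpc_enabled && var.create_security_group && var.manage_egress_rules ? 1 : 0
  description       = "Allow all egress traffic"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = join("", aws_security_group.default[*].id)
}

# Expose the group id so callers can attach their own rules.
# The output name is an assumption.
output "security_group_id" {
  value = join("", aws_security_group.default[*].id)
}

# ---- Caller side -- assumed module source path and name ----
module "example" {
  source                = "../terraform-aws-example"
  vpc_enabled           = true
  create_security_group = true
  manage_egress_rules   = false # opt out of the allow-all egress rule
}

# Least-privilege replacement: HTTPS to internal networks only.
# The CIDR is a constructed placeholder.
resource "aws_security_group_rule" "egress_https_internal" {
  description       = "Allow HTTPS egress to internal networks only"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = module.example.security_group_id
}
```

One caveat when flipping an existing deployment from true to false: Terraform removes the AWS default allow-all egress rule when it creates an aws_security_group, so once the module's rule is destroyed the group has no egress at all until the caller's rule is applied. Run `terraform plan` and confirm the destroy of the module rule and the create of the replacement land in the same apply, otherwise outbound traffic is cut in between.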