Add a new rule to choose between close or open to all IPs for port 22 #15
base: master
  default = ""
}

variable "open_sesame" {
I would give this variable a more descriptive name, e.g. "open_ssh_to_world" and update the comment, since it could be useful independent of open-sesame (e.g. if people want to add their own permanent specific rules).
First it was called "open_to_world" but then we thought it might sound horrifying. But sure, I can try to change it to a more descriptive name.
I suggested the rename. On seeing it, I think you're right @kbarek, that it should not really have much reference to open sesame. It should just state that it needs other means of opening the security groups if this is set.
Bastion host's main purpose is to provide SSH tunneling towards application servers. Why do we need an option to block port 22 to the whole world? Maybe it is best to create a new "Internal bastion" resource to lock this port 22.

@senthuran-td The default behaviour is as you say to open the access from outside. This PR is so that we can optionally control that access through other means. Having port 22 open to the world at all times means we're susceptible to such things as zero-day attacks, etc. This does not mean that it won't be open. It just means that we're opening the ports through other means. In this case it's to open specific port ranges using the AWS access keys and MFA, providing an additional layer of security.

Introducing this change means that we change the role in a way that it is no longer usable by the rest of the world without further explanation. IMHO we should have created an internal bastion host module (in our internal terraform library) that is tied to the open_sesame project. Introducing this to the open-sourced module will make it harder to use for the outside world.

The default is still open to the world. So whenever you create a new bastion instance without changing the default value of open_sesame (open_ssh_to_world), which is false, it creates a bastion which has port 22 open to the world.

We could make an internal module. I have no strong feelings about using this module specifically.

@hoihrig This doesn't (well, shouldn't) change any defaults and thus shouldn't be harder to use for others. I'd rather try to maintain one module (be it this or a fork) as long as we can do that.
If the open_sesame variable is true, a default bastion instance is created.
If false, port 22 is closed to all IPs but authorised ones.
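One way to express the gated rule discussed in this thread, written as an added example in Terraform 0.12+ syntax; it is not the module's own code, and the names open_ssh_to_world, vpc_id and aws_security_group.bastion are assumed. It uses a standalone aws_security_group_rule rather than an inline ingress block so that rules granted by other means (such as open-sesame) are not reverted on the next apply.

```hcl
# Added example, not the module's code. Variable and resource names are assumed.
variable "vpc_id" {
  description = "VPC in which the bastion security group is created"
  type        = string
}

variable "open_ssh_to_world" {
  description = <<-EOT
    If true, port 22 is reachable from 0.0.0.0/0 (the default bastion).
    If false, no world-open SSH rule is created and access must be granted
    by other means, e.g. rules added out of band for authorised IPs only.
  EOT
  type        = bool
  default     = true
}

resource "aws_security_group" "bastion" {
  name        = "bastion"
  description = "Bastion host SSH access"
  vpc_id      = var.vpc_id

  # Deliberately no inline ingress/egress blocks: with inline rules Terraform
  # owns the entire rule set and would remove any rule added out of band.
  # Standalone aws_security_group_rule resources only manage their own rule.
}

# The world-open SSH rule exists only when the flag is true. When it is false,
# the security group starts with no SSH ingress at all, and authorised IPs
# are added by whatever external mechanism the operator chooses.
resource "aws_security_group_rule" "ssh_from_world" {
  count             = var.open_ssh_to_world ? 1 : 0
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "SSH open to the world (disable via open_ssh_to_world=false)"
  security_group_id = aws_security_group.bastion.id
}

output "ssh_open_to_world" {
  description = "True when the 0.0.0.0/0 port 22 rule is managed by this module"
  value       = length(aws_security_group_rule.ssh_from_world) > 0
}
```

With the flag set to false, `terraform plan` shows no port 22 ingress rule, which is the quick check that the bastion is not reachable from the world by default.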