From bebb94c05feeedac310708f1e0a6e4828a8e1b21 Mon Sep 17 00:00:00 2001
From: Matt Godbolt
Date: Sat, 29 Sep 2018 20:16:15 -0500
Subject: [PATCH] Update config now I've worked out what's going on. Egress to the world is needed for CE nodes
---
terraform/security.tf | 27 +++++----------------------
1 file changed, 5 insertions(+), 22 deletions(-)
diff --git a/terraform/security.tf b/terraform/security.tf
index 225099ca3..ccc5a5f09 100644
--- a/terraform/security.tf
+++ b/terraform/security.tf
@@ -8,7 +8,10 @@ resource "aws_security_group" "CompilerExplorer" {
 }
 }
 
-# Temporary bodge until I work out what's going on
+# Compiler explorer nodes do things like `git pull` and `docker pull` at startup,
+# so need to be able to talk to the outside world. Ideally they'd be locked down
+# completely (with access only to admin node and the ALB); but this would require
+# some work to remove the git/docker pull.
 resource "aws_security_group_rule" "CE_EgressToAll" {
 security_group_id = "${aws_security_group.CompilerExplorer.id}"
 type = "egress"
@@ -19,27 +22,7 @@ resource "aws_security_group_rule" "CE_EgressToAll" {
 ipv6_cidr_blocks = [ "::/0"]
 protocol = "-1"
-description = "Temporary hack to see if ALB works"
-}
-
-resource "aws_security_group_rule" "CE_EgressToAdminNode" {
-security_group_id = "${aws_security_group.CompilerExplorer.id}"
-type = "egress"
-from_port = 0
-to_port = 65535
-source_security_group_id = "${aws_security_group.AdminNode.id}"
-protocol = "-1"
-description = "Allow egress to the admin node"
-}
-
-resource "aws_security_group_rule" "CE_EgressToAlb" {
-security_group_id = "${aws_security_group.CompilerExplorer.id}"
-type = "egress"
-from_port = 0
-to_port = 65535
-source_security_group_id = "${aws_security_group.CompilerExplorerAlb.id}"
-protocol = "-1"
-description = "Allow egress to the ALB"
+description = "Unfettered outbound access"
 }
 
 resource "aws_security_group_rule" "CE_SshFromAdminNode" {
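Review bot: The rule this commit keeps is still all-protocol egress (`protocol = "-1"`) to `::/0` on every port, now labelled "Unfettered outbound access", yet the comment added in the first hunk names only `git pull` and `docker pull` as the reason — both of which normally need just outbound TCP/443 (plus 22 or 9418 only if the git remote is not over HTTPS). Narrowing the surviving rule to `protocol = "tcp"`, `from_port = 443`, `to_port = 443` keeps startup working while denying a compromised node arbitrary outbound reach, which matters if these nodes execute user-supplied code; DNS should be unaffected if it goes to the VPC resolver, since security group rules are not applied to that traffic. The IPv4 `cidr_blocks` and `from_port`/`to_port` lines of `CE_EgressToAll` sit between the two hunks and are not visible here, so I am assuming they are equally open. If the rule must stay wide for now, the comment should at least carry a concrete follow-up, e.g. `# TODO: narrow to TCP/443 once startup no longer needs git/docker pull`, rather than describing a lockdown as merely "ideal".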