
allow default egress rule for aws_security_group #9602

Closed
flypenguin opened this issue Oct 25, 2016 · 2 comments

Comments

@flypenguin

Terraform removes the default egress rule ("allow all") by default.

It would be nice to have a simple way to emulate the AWS default behavior, simply because it's the AWS default. For example ...

  • a flag default_egress = true that adds this rule and throws an error if any other egress rule is defined manually.
  • keeping the default rule unless an explicit egress block is given

Reason: This just cost me about 3 hours in total, because I really did not expect this behavior. Also I mainly control my network by using ingress rules, so now I have to add that egress block to every security rule I write. I personally find that highly inconvenient and I cannot imagine that I am the only one :) .

Terraform Version

0.7.7

Affected Resource(s)

  • aws_security_group
@catsby
Contributor

catsby commented Oct 28, 2016

Hey @flypenguin thanks for writing in! I’m sorry to hear about the trouble caused here, unfortunately though I’m going to close this issue.

This change was made back in May 2015 (#1765) and after seeing this issue and reflecting on the reasoning there, I still stand by it.

Terraform configuration is, ultimately, declarative. It’s true we have other configuration attributes that are optional and also have a default which matches Amazon’s, but we feel that Security Groups are particularly sensitive towards control and should be respected completely. This is one of the few instances where we go against the AWS defaults, but we felt strongly that if no ingress/egress rules were defined in your configuration, then there should be no ingress/egress rules in the security group.

For instance, before this change was made:

  • if users assumed it was totally declarative and thus no rules unless added, attempting to add this rule themselves led to an error
  • if users assumed it was totally declarative and thus no rules unless added, omitting this rule caused a false sense of security for instances in said SG, because the group received the default rule
  • if users wanted to remove this default rule, Terraform offered no way of doing so

We considered both a remove_default_egress_rule and similar ideas to your suggested default_egress = true, however we felt that this was too “magical” for Terraform, as we mean to be a declarative system and ultimately those approaches hid what we were actually doing behind the scenes.

Thanks for writing in with the suggestions. Please let us know if there’s anything else I can do here.

@catsby catsby closed this as completed Oct 28, 2016
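The behavior discussed in the issue and in catsby's reply, shown as an added example (this is editor-supplied configuration, not code from the issue or from the Terraform project): the first group is what you get when no egress block is written, the second restores the AWS default explicitly. It uses Terraform 0.12+ expression syntax (on the 0.7.7 in this issue you would write `"${var.vpc_id}"`), and the `vpc_id` variable, group names and the inbound 443 rule are illustrative assumptions. The `ipv6_cidr_blocks` attribute is part of the current AWS provider and was not available in 0.7.7.

```hcl
# Added example, not from the issue. The vpc_id variable is an assumption.
variable "vpc_id" {
  type = string
}

# 1. No egress block at all. Terraform revokes the "allow all" egress rule
#    that AWS attaches at creation, so instances in this group can accept
#    inbound 443 but cannot open any outbound connection (no DNS, no
#    package mirrors, no NAT egress). This is the surprise the issue describes.
resource "aws_security_group" "ingress_only" {
  name        = "example-ingress-only"
  description = "Inbound 443 only; outbound is empty because no egress block is declared"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# 2. The AWS default, declared explicitly. protocol "-1" means all protocols,
#    and the provider requires from_port and to_port to be 0 in that case.
#    Copy this block into every group whose instances need unrestricted egress.
resource "aws_security_group" "aws_default_egress" {
  name        = "example-default-egress"
  description = "Inbound 443; outbound restored to the AWS default (all traffic, anywhere)"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"] # assumption: only meaningful if the VPC has an IPv6 CIDR
  }
}
```

Two practical notes. First, because the egress block is explicit, `terraform plan` shows exactly which groups permit unrestricted outbound traffic, so a reviewer can search the configuration for `protocol = "-1"` together with `0.0.0.0/0` instead of having to remember which groups silently inherited the AWS default; that visibility is the point catsby makes above. Second, the same egress rule can be declared as a standalone `aws_security_group_rule` resource instead of an inline block, but the provider documentation warns not to mix inline `egress`/`ingress` blocks and standalone rule resources on the same group, since the two fight over the rule set and produce perpetual diffs.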
@ghost

ghost commented Apr 21, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 21, 2020