Description
Describe the Feature
The proposed feature introduces a new variable, manage_egress_rules, to the existing Terraform module. This variable allows users to control the creation or destruction of the aws_security_group_rule resource responsible for defining egress rules within the security group.
Expected Behavior
When the manage_egress_rules variable is set to true (default), the module will create the aws_security_group_rule for egress traffic. Conversely, when set to false, the module will omit the creation of the egress rule, offering users the flexibility to manage egress rules according to their specific requirements.
Use Case
Consider a scenario where an organization utilizes the Terraform module to deploy infrastructure. By default, egress rules are created to allow all outbound traffic. With the introduction of the manage_egress_rules variable, users can tailor the module to their security policies. For instance, if the organization follows a principle of least privilege, users may set manage_egress_rules to false to explicitly avoid creating default egress rules. This provides more fine-grained control over the security posture of the deployed infrastructure.
Describe Ideal Solution
The ideal solution is to introduce a new variable, manage_egress_rules, to the Terraform module. This variable provides users with the ability to control the creation or exclusion of the aws_security_group_rule resource responsible for defining egress rules within the associated security group.
Key Objectives:
Granular Control: The manage_egress_rules variable should allow users to specify whether the module should create egress rules by default or abstain from doing so.
Default Behavior: Setting manage_egress_rules to true ensures that, by default, the module continues to create egress rules, maintaining compatibility with existing deployments.
Flexibility: Users should have the flexibility to set manage_egress_rules to false if they wish to manage egress rules explicitly, aligning with specific security policies.
Expected Impact:
Simplified Management: Users can tailor the module to their security requirements by choosing to either rely on default egress rules or manage them explicitly.
Improved Security Posture: Fine-grained control over egress rules allows for stricter security policies, adhering to the principle of least privilege.
Alternatives Considered
No response
Additional Context
Proposed Changes
resource "aws_security_group_rule" "egress" {
  count             = module.this.enabled && var.vpc_enabled && var.create_security_group && var.manage_egress_rules ? 1 : 0
  description       = "Allow all egress traffic"
  type              = "egress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = join("", aws_security_group.default[*].id)
}
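The proposal above shows the gated resource but not the variable that gates it, nor what a caller does after opting out. The following is an added example and not part of the issue or the module: the first block is the variable declaration the resource would reference; the second is the calling side from the least-privilege use case, which sets manage_egress_rules to false and adds its own narrowly scoped egress rule. The module source path, the security_group_id output name and the 10.0.0.0/16 prefix are assumptions, not values from the issue.

```hcl
# --- Inside the module (added example, not the module's own code) ---
# The variable that the proposed `count` expression refers to. Defaulting to
# true keeps existing deployments unchanged; only callers that set it to false
# see a behaviour change.
variable "manage_egress_rules" {
  type        = bool
  description = <<-EOT
    Set to true (default) to have the module create its allow-all egress rule on
    the security group it manages. Set to false to create no egress rule and
    manage egress explicitly outside the module.
    EOT
  default     = true
}

# --- In the calling root module (added example) ---
module "service" {
  source = "../.."   # assumption: relative path to the module gaining the variable

  vpc_enabled           = true
  create_security_group = true
  manage_egress_rules   = false   # opt out of the default allow-all egress rule
}

# Least-privilege replacement for the omitted rule: HTTPS only, and only to an
# internal prefix. The CIDR is a constructed example value.
resource "aws_security_group_rule" "egress_https_internal" {
  type              = "egress"
  description       = "HTTPS to internal services only"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/16"]
  security_group_id = module.service.security_group_id   # assumed output name
}
```

Two points worth knowing when adopting this. First, when Terraform manages an aws_security_group it removes the allow-all egress rule that AWS attaches to a new group, so with manage_egress_rules set to false and no rule of your own, the group permits no outbound traffic at all; that is the intended least-privilege starting point, but it will break workloads that expect outbound access until a rule like the one above is added. Second, the module's rule as proposed uses protocol "tcp" on ports 0-65535, which covers TCP only; AWS expresses "all protocols" as protocol "-1" with from_port and to_port 0, so the rule grants somewhat less than its "Allow all egress traffic" description suggests.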