Introduce Variable for Controlling Egress Rules Creation #175

Open
@joelgaria

Description

Describe the Feature

The proposed feature introduces a new variable, manage_egress_rules, to the existing Terraform module. This variable allows users to control the creation or destruction of the aws_security_group_rule resource responsible for defining egress rules within the security group.

Expected Behavior

When the manage_egress_rules variable is set to true (default), the module will create the aws_security_group_rule for egress traffic. Conversely, when set to false, the module will omit the creation of the egress rule, offering users the flexibility to manage egress rules according to their specific requirements.

Use Case

Consider a scenario where an organization utilizes the Terraform module to deploy infrastructure. By default, egress rules are created to allow all outbound traffic. With the introduction of the manage_egress_rules variable, users can tailor the module to their security policies. For instance, if the organization follows a principle of least privilege, users may set manage_egress_rules to false to explicitly avoid creating default egress rules. This provides a more fine-grained control over the security posture of the deployed infrastructure.

Describe Ideal Solution

The ideal solution is to introduce a new variable, manage_egress_rules, to the Terraform module. This variable provides users with the ability to control the creation or exclusion of the aws_security_group_rule resource responsible for defining egress rules within the associated security group.

Key Objectives:
Granular Control: The manage_egress_rules variable should allow users to specify whether the module should create egress rules by default or abstain from doing so.

Default Behavior: Setting manage_egress_rules to true ensures that, by default, the module continues to create egress rules, maintaining compatibility with existing deployments.

Flexibility: Users should have the flexibility to set manage_egress_rules to false if they wish to manage egress rules explicitly, aligning with specific security policies.

Expected Impact:
Simplified Management: Users can tailor the module to their security requirements by choosing to either rely on default egress rules or manage them explicitly.

Improved Security Posture: Fine-grained control over egress rules allows for stricter security policies, adhering to the principle of least privilege.

Alternatives Considered

No response

Additional Context

Proposed Changes

resource "aws_security_group_rule" "egress" {
  # Only create the default egress rule when the module is enabled, a VPC
  # deployment with a module-managed security group is requested, and the
  # new manage_egress_rules variable is true (the default).
  count             = module.this.enabled && var.vpc_enabled && var.create_security_group && var.manage_egress_rules ? 1 : 0
  # Note: this rule covers all TCP ports, not other protocols.
  description       = "Allow all egress traffic"
  type              = "egress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = join("", aws_security_group.default[*].id)
}
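The following is an added example, not part of the issue or the module's own code, showing the complete pattern the proposal describes: the variable declaration, the count-gated egress rule, and a caller that opts out of the default allow-all rule and attaches a narrower egress rule instead. `module.this.enabled`, `var.vpc_enabled`, `var.create_security_group` and `aws_security_group.default` come from the proposed change above; the module source path, the `security_group_id` output and the 10.0.0.0/8 range are assumptions made for the example.

```hcl
# --- inside the module: variables.tf (added example) ---
variable "manage_egress_rules" {
  type        = bool
  description = "When true, create the default allow-all egress rule. Set to false to manage egress rules outside the module."
  default     = true
}

# --- inside the module: main.tf (added example) ---
# Flipping manage_egress_rules from true to false changes count from 1 to 0,
# so terraform plan will show the existing default rule being destroyed.
resource "aws_security_group_rule" "egress" {
  count             = module.this.enabled && var.vpc_enabled && var.create_security_group && var.manage_egress_rules ? 1 : 0
  description       = "Allow all egress traffic"
  type              = "egress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = join("", aws_security_group.default[*].id)
}

# --- caller side: a hypothetical root module (added example) ---
module "search" {
  source                = "./modules/example" # placeholder path, not the real module source
  vpc_enabled           = true
  create_security_group = true
  manage_egress_rules   = false # opt out of the default 0.0.0.0/0 rule
}

# With no egress rules attached, a security group denies all outbound traffic,
# so the caller must add the egress it actually needs. Here only HTTPS to an
# internal range is permitted. The "security_group_id" output is assumed.
resource "aws_security_group_rule" "egress_https_internal" {
  description       = "Allow outbound HTTPS to internal networks only"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"] # constructed internal range
  security_group_id = module.search.security_group_id
}
```

Keeping the default at `true` preserves the plan for existing deployments; only callers that set the variable to `false` see the default rule removed, and they take on responsibility for defining every outbound path the workload needs.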
