fix: Fixed security recommendation

clouddrove · Aug 3, 2023 · 719de17 · 719de17
1 parent 581b9e2
commit 719de17
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 17 deletions.
diff --git a/README.yaml b/README.yaml
@@ -68,6 +68,24 @@ usage: |-
           description = "Allow Mongodb traffic."
         }
       ]
+
+        ## EGRESS Rules
+      new_sg_egress_rules_with_cidr_blocks = [{
+        rule_count  = 1
+        from_port   = 22
+        protocol    = "tcp"
+        to_port     = 22
+        cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+        description = "Allow ssh outbound traffic."
+        },
+        {
+          rule_count  = 2
+          from_port   = 27017
+          protocol    = "tcp"
+          to_port     = 27017
+          cidr_blocks = ["172.16.0.0/16"]
+          description = "Allow Mongodb outbound traffic."
+        }]
     }
   ```
 
@@ -209,10 +227,10 @@ usage: |-
       ## EGRESS Rules
       new_sg_egress_rules_with_prefix_list = [{
         rule_count  = 1
-        from_port   = 0
-        protocol    = "-1"
-        to_port     = 0
-        description = "Allow all outbound traffic."
+        from_port   = 3306
+        protocol    = "tcp"
+        to_port     = 3306
+        description = "Allow mysql/aurora outbound traffic."
         }
       ]
     }

diff --git a/_example/basic/example.tf b/_example/basic/example.tf
@@ -46,4 +46,22 @@ module "security_group" {
       description = "Allow Mongodb traffic."
     }
   ]
+
+  ## EGRESS Rules
+  new_sg_egress_rules_with_cidr_blocks = [{
+    rule_count  = 1
+    from_port   = 22
+    protocol    = "tcp"
+    to_port     = 22
+    cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+    description = "Allow ssh outbound traffic."
+    },
+    {
+      rule_count  = 2
+      from_port   = 27017
+      protocol    = "tcp"
+      to_port     = 27017
+      cidr_blocks = ["172.16.0.0/16"]
+      description = "Allow Mongodb outbound traffic."
+  }]
 }
diff --git a/_example/complete/example.tf b/_example/complete/example.tf
@@ -79,4 +79,55 @@ module "security_group" {
       source_security_group_id = "sg-xxxxxxxxx"
       description              = "Allow Mongodb traffic."
   }]
+
+  ## EGRESS Rules
+  new_sg_egress_rules_with_cidr_blocks = [{
+    rule_count  = 1
+    from_port   = 22
+    protocol    = "tcp"
+    to_port     = 22
+    cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+    description = "Allow ssh outbound traffic."
+    },
+    {
+      rule_count  = 2
+      from_port   = 27017
+      protocol    = "tcp"
+      to_port     = 27017
+      cidr_blocks = ["172.16.0.0/16"]
+      description = "Allow Mongodb outbound traffic."
+    }
+  ]
+
+  new_sg_egress_rules_with_self = [{
+    rule_count  = 1
+    from_port   = 22
+    protocol    = "tcp"
+    to_port     = 22
+    description = "Allow ssh outbound traffic."
+    },
+    {
+      rule_count  = 2
+      from_port   = 27017
+      protocol    = "tcp"
+      to_port     = 27017
+      description = "Allow Mongodb traffic."
+  }]
+
+  new_sg_egress_rules_with_source_sg_id = [{
+    rule_count               = 1
+    from_port                = 22
+    protocol                 = "tcp"
+    to_port                  = 22
+    source_security_group_id = "sg-xxxxxxxxx"
+    description              = "Allow ssh outbound traffic."
+    },
+    {
+      rule_count               = 2
+      from_port                = 27017
+      protocol                 = "tcp"
+      to_port                  = 27017
+      source_security_group_id = "sg-xxxxxxxxx"
+      description              = "Allow Mongodb traffic."
+  }]
 }
diff --git a/_example/prefix_list/example.tf b/_example/prefix_list/example.tf
@@ -44,10 +44,10 @@ module "security_group" {
   ## EGRESS Rules
   new_sg_egress_rules_with_prefix_list = [{
     rule_count  = 1
-    from_port   = 0
-    protocol    = "-1"
-    to_port     = 0
-    description = "Allow all outbound traffic."
+    from_port   = 3306
+    protocol    = "tcp"
+    to_port     = 3306
+    description = "Allow mysql/aurora outbound traffic."
     }
   ]
 }
diff --git a/variables.tf b/variables.tf
@@ -114,15 +114,8 @@ variable "existing_sg_ingress_rules_with_prefix_list" {
 }
 
 variable "new_sg_egress_rules_with_cidr_blocks" {
-  type = any
-  default = [{
-    rule_count  = 1
-    from_port   = 0
-    protocol    = "-1"
-    to_port     = 0
-    cidr_blocks = ["0.0.0.0/0"]
-    description = "Allow all outboud traffic."
-  }]
+  type        = any
+  default     = {}
   description = "Egress rules with only cidr_blockd. Should be used when new security group is been deployed."
 }