allow optional / no egress security rule
wilkej opened this issue · 0 comments
wilkej commented
Describe the Feature
I would like the option to disable the egress security rule deployed by the module
resource "aws_security_group_rule" "egress" {
  count             = module.this.enabled ? 1 : 0
  type              = "egress"
  description       = "Allow all egress traffic"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = join("", aws_security_group.default.*.id)
}
Expected Behavior
Allow (optionally) disabling or removing the security group. The outbound rule isn't required, as security groups are stateful and DocumentDB itself won't open a connection to the outside.
Use Case
Scanning the file with tfsec throws an error:
Problem 1
[AWS007][WARNING] Resource 'module.docdb_cluster:aws_security_group_rule.egress' defines a fully open egress security group rule.
13 | from_port = 0
14 | to_port = 0
15 | protocol = "-1"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | security_group_id = join("", aws_security_group.default.*.id)
18 | }
19 |
See https://tfsec.dev/docs/aws/AWS007/ for more information.
disk i/o 114.710197ms
parsing HCL 576.897µs
evaluating values 94.868063ms
running checks 996.996µs
files loaded 23
1 potential problems detected.
Describe Ideal Solution
Allow (optionally) disabling or removing the security group. The outbound rule isn't required, as security groups are stateful and DocumentDB itself won't open a connection to the outside.
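One way a module could expose the requested option, shown here as an added example rather than code from the module this issue is about: the existing allow-all rule is gated behind a boolean input, and a narrower per-CIDR egress rule is offered for deployments that do need outbound traffic. `module.this.enabled` and `aws_security_group.default` are taken from the snippet above; the variable names `allow_all_egress` and `egress_cidr_blocks` are assumptions for this example, not inputs the module actually has.

```hcl
# Added example, not the module's own code. Variable names are assumptions.

variable "allow_all_egress" {
  type        = bool
  default     = false
  description = "Create the 0.0.0.0/0 allow-all egress rule (the one tfsec AWS007 flags). Off by default because the cluster does not initiate outbound connections and security groups are stateful."
}

variable "egress_cidr_blocks" {
  type        = list(string)
  default     = []
  description = "Explicit destination CIDRs for a restricted egress rule. Only used when allow_all_egress is false; an empty list creates no egress rule at all."
}

# The rule from the module, now created only when explicitly requested.
resource "aws_security_group_rule" "egress" {
  count             = module.this.enabled && var.allow_all_egress ? 1 : 0
  type              = "egress"
  description       = "Allow all egress traffic"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = join("", aws_security_group.default.*.id)
}

# Restricted alternative: one rule per listed CIDR, none when the list is empty.
resource "aws_security_group_rule" "egress_restricted" {
  count             = module.this.enabled && !var.allow_all_egress ? length(var.egress_cidr_blocks) : 0
  type              = "egress"
  description       = "Allow egress to ${var.egress_cidr_blocks[count.index]}"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = [var.egress_cidr_blocks[count.index]]
  security_group_id = join("", aws_security_group.default.*.id)
}
```

With both inputs left at their defaults no egress rule is created, which matches the behaviour the issue asks for: the security group still exists, inbound access is governed by the ingress rules, and response traffic to those inbound connections is permitted by the group's stateful tracking without any egress rule.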