Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adding a feature to customize the egress rule #54

Merged
merged 1 commit into from
Jul 21, 2023
Merged

adding a feature to customize the egress rule #54

merged 1 commit into from
Jul 21, 2023

Conversation

haidargit
Copy link
Contributor

@haidargit haidargit commented May 4, 2023
edited
Loading

what

  • Added 4 new variables egress_source_port, egress_dest_port, egress_protocol, and allowed_egress_cidr_blocks for the "aws_security_group_rule" "egress" resource.
  • By default, the egress rule 0.0.0.0/0 will be created. If user is expected to restrict outbound traffic, they can specify the required values.

why

  • We propose this PR because there are scenarios where users may want to restrict outbound traffic from their DocDB instances.
  • if the DocDB cluster is only used internally and do not need to communicate with wide systems or network, users may want to customize the egress rule for 0.0.0.0/0. By providing the option to customize the egress rule, we are giving users a control over their security posture (compliance). For example, our docdb may only connected with internal applications inside the aws eks cluster, or users may integrate their cloud resources with a third party, such as Prisma Cloud or maybe use tfsec as their security scanner, which prompts users to kindly avoid 0.0.0.0/0 for security best practices.

references

Thank you

@haidargit haidargit requested review from a team as code owners May 4, 2023 12:01
@haidargit haidargit requested review from Gowiem and korenyoni May 4, 2023 12:01
@haidargit haidargit changed the title adding a feature to enable or disable the public egress rule adding a feature to customize the egress rule May 4, 2023
@haidargit haidargit force-pushed the enable-disable-egress branch 3 times, most recently from 09fc805 to 8d31280 Compare May 4, 2023 13:24
milldr
milldr reviewed May 4, 2023
View reviewed changes
main.tf Outdated Show resolved Hide resolved
@haidargit haidargit force-pushed the enable-disable-egress branch from 8d31280 to d487481 Compare May 4, 2023 22:53
@haidargit haidargit requested a review from milldr May 7, 2023 22:48
@haidargit haidargit force-pushed the enable-disable-egress branch 2 times, most recently from 9ba455e to 08bc652 Compare July 11, 2023 14:41
@haidargit haidargit force-pushed the enable-disable-egress branch from 08bc652 to bb77026 Compare July 14, 2023 18:15
@haidargit haidargit force-pushed the enable-disable-egress branch from bb77026 to fa49d32 Compare July 19, 2023 00:19
@milldr
Copy link
Member

milldr commented Jul 21, 2023

/terratest

milldr
milldr approved these changes Jul 21, 2023
View reviewed changes
Copy link
Member

@milldr milldr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks for the contribution

@milldr milldr merged commit 4cc97b3 into cloudposse:main Jul 21, 2023
@haidargit
Copy link
Contributor Author

@milldr thanks Pal!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@milldr milldr milldr approved these changes

@Gowiem Gowiem Awaiting requested review from Gowiem Gowiem is a code owner automatically assigned from cloudposse/contributors

@korenyoni korenyoni Awaiting requested review from korenyoni korenyoni is a code owner automatically assigned from cloudposse/contributors

@SebastianMCarreira SebastianMCarreira Awaiting requested review from SebastianMCarreira

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@haidargit @milldr @SebastianMCarreira