From d98ecfc1ecfb205fb8cd79143a95abddc29c802e Mon Sep 17 00:00:00 2001
From: xpk
Date: Fri, 29 Jan 2021 11:45:09 +0800
Subject: [PATCH] UPD: hardened default vpc security group

---
 .../base-network/.terraform.lock.hcl | 2 +-
 modules/networking/vpc_subnets/vpc.tf | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/layers/networking/base-network/.terraform.lock.hcl b/layers/networking/base-network/.terraform.lock.hcl
index 1360298..a1bd719 100644
--- a/layers/networking/base-network/.terraform.lock.hcl
+++ b/layers/networking/base-network/.terraform.lock.hcl
@@ -3,7 +3,7 @@ provider "registry.terraform.io/hashicorp/aws" {
 version = "3.25.0"
- constraints = ">= 2.68.0, >= 3.25.0"
+ constraints = ">= 3.25.0"
 hashes = [
 "h1:9bXU5cFO/2DX8z5whaGMA7wcCalKQJZrBm89AuePuEM=",
 "zh:2d3c65461bc63ec39bce7b5afdbed9a3b4dd5c2c8ee94616ad1866e24cf9b8f0",
diff --git a/modules/networking/vpc_subnets/vpc.tf b/modules/networking/vpc_subnets/vpc.tf
index 61ee172..c7f4d85 100644
--- a/modules/networking/vpc_subnets/vpc.tf
+++ b/modules/networking/vpc_subnets/vpc.tf
@@ -132,3 +132,30 @@ resource "aws_route_table_association" "private_route_association" {
 route_table_id = aws_route_table.private-route-table[0].id
 subnet_id = each.value
 }
+
+/*
+harden default security group. the default sg created by aws allows all egress.
+this resource limits ingress and egress from and to itself
+*/
+
+resource "aws_default_security_group" default-sg { vpc_id = aws_vpc.vpc.id ingress { protocol = -1 self = true from_port = 0 to_port = 0 } egress { from_port = 0 protocol = -1 to_port = 0 self = true } tags = merge( var.default-tags, { Name = "${local.resource-prefix}-defaultsg" }, ) }
\ No newline at end of file
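Review bot: The new `aws_default_security_group` still permits every protocol and port between members of the group (`self = true` in both the `ingress` and `egress` blocks), so any instance or ENI that lands in the default group by omission can reach every other one; if the intent is the usual baseline of a default group that allows nothing, drop both rule blocks and keep only `vpc_id` and `tags`, so that workloads have to be attached to purpose-built groups. The AWS-created default group already restricts inbound traffic to the group itself, so the ingress block reproduces existing behaviour and only egress is actually tightened — the header comment, which says the resource "limits ingress and egress", should reflect that, e.g. `egress is narrowed from all destinations to the group itself; ingress was already self-only`. The two rule blocks list their attributes in different orders (`protocol, self, from_port, to_port` versus `from_port, protocol, to_port, self`); using one order makes the rules easy to compare side by side. The resource label `default-sg` is unquoted while the context line uses `"private_route_association"`; quoting it matches the rest of the file.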