UPD: hardened default vpc security group

2021-01-29 11:45:09 +08:00 · 2021-01-29 11:45:09 +08:00 · d98ecfc1ec
commit d98ecfc1ec
parent 93e9670539
2 changed files with 28 additions and 1 deletions
--- a/layers/networking/base-network/.terraform.lock.hcl
+++ b/layers/networking/base-network/.terraform.lock.hcl
@ -3,7 +3,7 @@

 provider "registry.terraform.io/hashicorp/aws" {
  version     = "3.25.0"
-  constraints = ">= 2.68.0, >= 3.25.0"
+  constraints = ">= 3.25.0"
  hashes = [
    "h1:9bXU5cFO/2DX8z5whaGMA7wcCalKQJZrBm89AuePuEM=",
    "zh:2d3c65461bc63ec39bce7b5afdbed9a3b4dd5c2c8ee94616ad1866e24cf9b8f0",
--- a/modules/networking/vpc_subnets/vpc.tf
+++ b/modules/networking/vpc_subnets/vpc.tf
@ -132,3 +132,30 @@ resource "aws_route_table_association" "private_route_association" {
  route_table_id = aws_route_table.private-route-table[0].id
  subnet_id      = each.value
 }
+
+/*
+harden default security group. the default sg created by aws allows all egress.
+this resource limits ingress and egress from and to itself
+*/
+
+resource "aws_default_security_group" default-sg {
+  vpc_id = aws_vpc.vpc.id
+  ingress {
+    protocol = -1
+    self = true
+    from_port = 0
+    to_port = 0
+  }
+  egress {
+    from_port = 0
+    protocol = -1
+    to_port = 0
+    self = true
+  }
+  tags = merge(
+  var.default-tags,
+  {
+    Name = "${local.resource-prefix}-defaultsg"
+  },
+  )
+}