AWS and Terraform - Default egress rule in security group

I have seen a recurring configuration in many Terraform projects that use the AWS provider: an outbound (egress) rule that allows all outbound traffic.

As I understand it, this is the default behaviour in AWS, as described in the AWS user guide:

By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.

An example of a common Terraform setup for a security group - the focus of my question is the egress block:

resource "aws_security_group" "my_sg" {
  name        = "my_sg"
  description = "Some description"
  vpc_id      = aws_vpc.my_vpc.id
  tags = {
    Name = "my_sg_tag"
  }

  # Not redundant - because a new security group has no inbound rules.
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Isn't this redundant?
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Is this configuration there for documentation purposes, or is there a technical reason for it?

The documentation for the aws_security_group resource specifically points out that Terraform intentionally removes AWS's default egress rule and requires you to specify it yourself, in order to limit surprises for users:

NOTE on Egress rules: By default, AWS creates an ALLOW ALL egress rule when creating a new Security Group inside of a VPC. When creating a new Security Group inside a VPC, Terraform will remove this default rule, and require you specifically re-create it if you desire that rule. We feel this leads to fewer surprises in terms of controlling your egress rules. If you desire this rule to be in place, you can use this egress block:

egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}

There is also a technical/UX reason here, which is that it would be tricky for Terraform to work out whether it should keep the allow-all egress rule when making changes to the security group. Should it always provide the allow-all egress rule unless another egress rule is specified, and then remove the default if one is? How would that work in combination with the aws_security_group_rule resource?

AWS has made the decision that a default allow-all egress rule is a better user experience than not having one (and having people confused about why their instances cannot communicate outbound), with little security impact (compared to the equivalent for inbound). Even if they changed their mind now for the sake of this, they could not do it without massively breaking a lot of people's setups/workflows, and AWS is very reluctant to do that.

Terraform, on the other hand, made the decision the other way, which suits the tool better and slightly improves the tool's security posture, at the cost of people defining a lot of duplicate egress blocks all over the place.

If you particularly care about the duplication, and you always want to allow all egress traffic, you may find it useful to use a module that automatically includes the allow-all egress rule.
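As an added example (not code from the question or the answer above), a small module of the kind the last paragraph suggests: it wraps aws_security_group, re-creates AWS's allow-all egress rule only when the caller opts in, and otherwise declares an explicit restricted egress rule. The module path, variable names and the HTTPS-only policy are assumptions.

```hcl
# modules/sg/variables.tf (added example; all names are assumed)
variable "name"   { type = string }
variable "vpc_id" { type = string }
# Restrictive by default; callers opt in to re-create AWS's allow-all rule.
variable "allow_all_egress" {
  type    = bool
  default = false
}
# Destinations permitted when allow_all_egress is false (HTTPS only here).
variable "egress_cidrs" {
  type    = list(string)
  default = []
}

# modules/sg/main.tf
locals {
  # Terraform drops AWS's implicit allow-all egress, so the module declares its
  # rule explicitly; an empty list means no outbound rules, i.e. no egress at all.
  egress_rules = var.allow_all_egress ? [
    { from_port = 0, to_port = 0, protocol = "-1", cidr_blocks = ["0.0.0.0/0"] }
  ] : length(var.egress_cidrs) > 0 ? [
    { from_port = 443, to_port = 443, protocol = "tcp", cidr_blocks = var.egress_cidrs }
  ] : []
}

resource "aws_security_group" "this" {
  name   = var.name
  vpc_id = var.vpc_id
  dynamic "egress" {
    for_each = local.egress_rules
    content {
      from_port   = egress.value.from_port
      to_port     = egress.value.to_port
      protocol    = egress.value.protocol
      cidr_blocks = egress.value.cidr_blocks
    }
  }
}

# Root module: the web tier keeps allow-all; the worker may only reach one CIDR.
module "web_sg" {
  source           = "./modules/sg"
  name             = "web"
  vpc_id           = aws_vpc.my_vpc.id
  allow_all_egress = true
}

module "worker_sg" {
  source       = "./modules/sg"
  name         = "worker"
  vpc_id       = aws_vpc.my_vpc.id
  egress_cidrs = ["10.0.0.0/16"] # constructed sample destination
}
```

A caller that sets neither allow_all_egress nor egress_cidrs gets a group with no outbound rules, which is exactly the "no outbound traffic" state the AWS user guide quote describes, so the choice is visible in the plan rather than hidden in a provider default.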