AWS and Terraform - Default egress rule in security group


Problem description


There is a repeatable configuration that I see in many Terraform projects where the provider is AWS: The configuration of an outbound (egress) rule to allow ALL outbound traffic.

As far as I understand, this is from the AWS User Guide:


By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.


An example for a common Terraform setup for security group - The focus of my question is the egress block:

resource "aws_security_group" "my_sg" {
  name        = "my_sg"
  description = "Some description"
  vpc_id      = aws_vpc.my_vpc.id   # Terraform 0.12+ syntax; "${aws_vpc.my_vpc.id}" in 0.11
  tags = {
    Name = "my_sg_tag"
  }

  # Not redundant - Because a new security group has no inbound rules.
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Isn't this redundant?
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"                # -1 means all protocols
    cidr_blocks = ["0.0.0.0/0"]
  }
}


Is this configuration being made for documentation or does it have a technical reason?

Recommended answer


The documentation for the aws_security_group resource specifically states that they remove AWS' default egress rule intentionally by default and require users to specify it to limit surprises to users:


NOTE on Egress rules: By default, AWS creates an ALLOW ALL egress rule when creating a new Security Group inside of a VPC. When creating a new Security Group inside a VPC, Terraform will remove this default rule, and require you specifically re-create it if you desire that rule. We feel this leads to fewer surprises in terms of controlling your egress rules. If you desire this rule to be in place, you can use this egress block:

egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}


There's also a technical/UX reason here in that it would be tricky to make Terraform understand whether it should keep the allow all egress rule when making changes to the security group. Should it always provide the allow all egress rule unless another egress rule is specified and then if so remove the default? How would that work with the combination of the aws_security_group_rule resource?


AWS have made the decision that a default rule to allow all egress outbound is a nicer user experience than not having it (and confusing people as to why their instance is unable to communicate outbound) without too much of a security impact (compared to the equivalent for inbound). Even if they were to change their mind on the benefit of this now they would be unable to do this without massively breaking a lot of people's setups/workflows which AWS is very reluctant to do.


Terraform, on the other hand, has made the decision the other way and that suits the tool better as well as slightly improving the security posture of the tool at the expense of making people define a repeated egress block in a lot of places.


If you particularly care about the repetition and you do always want to allow all egress traffic then you might find it useful to use a module instead that automatically includes an allow all egress rule.
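One way to build the kind of module the answer suggests, shown here as an added example that is not part of the original post and not a published Terraform module: the module path ./modules/web_sg, the variable names and the allow_all_egress toggle are all assumptions. The module re-creates the AWS default "allow all" egress rule only when asked to, so a team that wants tighter egress can set allow_all_egress = false and manage specific egress with aws_security_group_rule resources instead, which keeps the choice explicit in one place rather than repeated in every security group. The dynamic blocks require Terraform 0.12 or later.

```hcl
# ---- modules/web_sg/variables.tf (hypothetical module) ----
variable "name"   { type = string }
variable "vpc_id" { type = string }

# TCP ports opened to the world on ingress; a new SG has no inbound rules.
variable "ingress_ports" {
  type    = list(number)
  default = [80]
}

# When true, re-create AWS's default ALLOW ALL egress rule that Terraform
# strips on creation. Set to false to manage egress explicitly.
variable "allow_all_egress" {
  type    = bool
  default = true
}

# Destinations for the allow-all egress rule; narrow this if you can.
variable "egress_cidr_blocks" {
  type    = list(string)
  default = ["0.0.0.0/0"]
}

# ---- modules/web_sg/main.tf ----
resource "aws_security_group" "this" {
  name   = var.name
  vpc_id = var.vpc_id

  dynamic "ingress" {
    for_each = var.ingress_ports
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  # Emits exactly one egress block when allow_all_egress is true, none otherwise.
  dynamic "egress" {
    for_each = var.allow_all_egress ? [1] : []
    content {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = var.egress_cidr_blocks
    }
  }

  tags = { Name = var.name }
}

output "id" { value = aws_security_group.this.id }

# ---- root module: the repeated egress block disappears from call sites ----
module "web_sg" {
  source = "./modules/web_sg"
  name   = "my_sg"
  vpc_id = aws_vpc.my_vpc.id
}

# A caller that wants no blanket egress opts out and adds only what it needs.
module "db_sg" {
  source           = "./modules/web_sg"
  name             = "db_sg"
  vpc_id           = aws_vpc.my_vpc.id
  ingress_ports    = [5432]
  allow_all_egress = false
}

resource "aws_security_group_rule" "db_egress_dns" {
  type              = "egress"
  security_group_id = module.db_sg.id
  from_port         = 53
  to_port           = 53
  protocol          = "udp"
  cidr_blocks       = ["10.0.0.2/32"]   # constructed resolver address
}
```

Because the module owns the decision, `terraform plan` shows an egress change only when a caller flips allow_all_egress, which avoids the "did Terraform keep or drop the default rule?" ambiguity the answer describes.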
