Category: Database, Security, Terraform, github

In this article, we’ll show how a simple manual change in an AWS Security Group using the AWS Web Console can have bitter security consequences. This one is based on many first-hand experiences and user feedback, in a production context with infrastructure-as-code.

This difference in models between the cloud provider and Terraform can sometimes be misleading for users and can have major consequences.

Fortunately, in this case, if you read Terraform’s documentation for the AWS provider (currently v3.36), you’ll find 2 options to configure Security Groups:

In this case, using the first option would have been better for this team, from a more DevSecOps point of view. See how the next terraform apply in CI would have had the expected effect:

Unfortunately, it’s often too late when you realize it, and this kind of option doesn’t exist for every resource out there.
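Added example (not taken from the original article) of the two ways the Terraform AWS provider can manage a Security Group's rules, side by side; it assumes the "first option" the article refers to is inline rules, and the variable names, group names and the PostgreSQL port are constructed for illustration.

```hcl
variable "vpc_id" {}    # constructed: VPC the groups live in
variable "app_sg_id" {} # constructed: security group of the application tier

# Option 1: inline rules. The ingress/egress blocks are the complete, authoritative
# rule set. A rule added by hand in the console shows up as drift on the next
# terraform plan and is removed by the next terraform apply.
resource "aws_security_group" "db_inline" {
  name        = "db-inline"
  description = "PostgreSQL access from the app tier only"
  vpc_id      = var.vpc_id

  ingress {
    description     = "PostgreSQL from the app security group"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [var.app_sg_id]
  }

  # With inline rules the default allow-all egress is also managed by Terraform,
  # so it has to be declared explicitly to be kept.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Option 2: standalone rule resources. Terraform only tracks the rules it created
# itself; a rule added by hand in the console is never part of the plan and
# survives every apply until someone notices it. Do not mix this with inline
# rules on the same group, the provider documents that the two conflict.
resource "aws_security_group" "db_standalone" {
  name        = "db-standalone"
  description = "PostgreSQL access from the app tier only"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "db_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db_standalone.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = var.app_sg_id
}
```

Running terraform plan against Option 1 after a console edit is enough to surface the drift in CI; against Option 2 the plan stays clean, which is exactly the silent failure the article describes.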
