Remove redundand security group rules

I wrongly assummed that they work like a firewall rules and I thought if we make a request to particular port from random port we need to allow connections back. It's not true. It seems security group rules are applied to connection creation not to literal data flow.
datarockets · Jan 18, 2022 · fa72d55 · fa72d55
1 parent 18d0c10
commit fa72d55
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 72 deletions.
diff --git a/aws/mysql/mysql.tf b/aws/mysql/mysql.tf
@@ -117,18 +117,6 @@ resource "aws_security_group_rule" "db_ingress" {
   source_security_group_id = each.value
 }
 
-resource "aws_security_group_rule" "db_egress" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = aws_security_group.database.id
-  description = "Egress from mysql"
-  type = "egress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = each.value
-}
-
 resource "aws_security_group_rule" "egress_to_db" {
   for_each = toset(var.allow_security_group_ids)
 
@@ -141,18 +129,6 @@ resource "aws_security_group_rule" "egress_to_db" {
   source_security_group_id = aws_security_group.database.id
 }
 
-resource "aws_security_group_rule" "ingress_from_db" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = each.value
-  description = "Ingress from mysql"
-  type = "ingress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = aws_security_group.database.id
-}
-
 resource "random_password" "database" {
   length = 20
   special = true

diff --git a/aws/postgresql/postgresql.tf b/aws/postgresql/postgresql.tf
@@ -117,18 +117,6 @@ resource "aws_security_group_rule" "db_ingress" {
   source_security_group_id = each.value
 }
 
-resource "aws_security_group_rule" "db_egress" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = aws_security_group.database.id
-  description = "Egress from PostgreSQL"
-  type = "egress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = each.value
-}
-
 resource "aws_security_group_rule" "egress_to_db" {
   for_each = toset(var.allow_security_group_ids)
 
@@ -141,18 +129,6 @@ resource "aws_security_group_rule" "egress_to_db" {
   source_security_group_id = aws_security_group.database.id
 }
 
-resource "aws_security_group_rule" "ingress_from_db" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = each.value
-  description = "Ingress from PostgreSQL"
-  type = "ingress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = aws_security_group.database.id
-}
-
 resource "random_password" "database" {
   length = 20
   special = true

diff --git a/aws/redis/redis.tf b/aws/redis/redis.tf
@@ -82,18 +82,6 @@ resource "aws_security_group_rule" "redis_ingress" {
   source_security_group_id = each.value
 }
 
-resource "aws_security_group_rule" "redis_egress" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = aws_security_group.redis.id
-  description = "Egress from redis"
-  type = "egress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = each.value
-}
-
 resource "aws_security_group_rule" "egress_to_redis" {
   for_each = toset(var.allow_security_group_ids)
 
@@ -106,18 +94,6 @@ resource "aws_security_group_rule" "egress_to_redis" {
   source_security_group_id = aws_security_group.redis.id
 }
 
-resource "aws_security_group_rule" "ingress_from_redis" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = each.value
-  description = "Ingress from redis"
-  type = "ingress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = aws_security_group.redis.id
-}
-
 output "host" {
   value = aws_elasticache_cluster.redis.cache_nodes.0.address
 }