Remove redundand security group rules

dzhlobo · dzhlobo · commit fa72d553343a · 2022-01-18T06:19:32.000+01:00
I wrongly assummed that they work like a firewall rules and I thought if
we make a request to particular port from random port we need to allow
connections back. It's not true. It seems security group rules are
applied to connection creation not to literal data flow.
diff --git a/aws/mysql/mysql.tf b/aws/mysql/mysql.tf
@@ -117,18 +117,6 @@ resource "aws_security_group_rule" "db_ingress" {
   source_security_group_id = each.value
 }
 
-resource "aws_security_group_rule" "db_egress" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = aws_security_group.database.id
-  description = "Egress from mysql"
-  type = "egress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = each.value
-}
-
 resource "aws_security_group_rule" "egress_to_db" {
   for_each = toset(var.allow_security_group_ids)
 
@@ -141,18 +129,6 @@ resource "aws_security_group_rule" "egress_to_db" {
   source_security_group_id = aws_security_group.database.id
 }
 
-resource "aws_security_group_rule" "ingress_from_db" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = each.value
-  description = "Ingress from mysql"
-  type = "ingress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = aws_security_group.database.id
-}
-
 resource "random_password" "database" {
   length = 20
   special = true
diff --git a/aws/postgresql/postgresql.tf b/aws/postgresql/postgresql.tf
@@ -117,18 +117,6 @@ resource "aws_security_group_rule" "db_ingress" {
   source_security_group_id = each.value
 }
 
-resource "aws_security_group_rule" "db_egress" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = aws_security_group.database.id
-  description = "Egress from PostgreSQL"
-  type = "egress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = each.value
-}
-
 resource "aws_security_group_rule" "egress_to_db" {
   for_each = toset(var.allow_security_group_ids)
 
@@ -141,18 +129,6 @@ resource "aws_security_group_rule" "egress_to_db" {
   source_security_group_id = aws_security_group.database.id
 }
 
-resource "aws_security_group_rule" "ingress_from_db" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = each.value
-  description = "Ingress from PostgreSQL"
-  type = "ingress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = aws_security_group.database.id
-}
-
 resource "random_password" "database" {
   length = 20
   special = true
diff --git a/aws/redis/redis.tf b/aws/redis/redis.tf
@@ -82,18 +82,6 @@ resource "aws_security_group_rule" "redis_ingress" {
   source_security_group_id = each.value
 }
 
-resource "aws_security_group_rule" "redis_egress" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = aws_security_group.redis.id
-  description = "Egress from redis"
-  type = "egress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = each.value
-}
-
 resource "aws_security_group_rule" "egress_to_redis" {
   for_each = toset(var.allow_security_group_ids)
 
@@ -106,18 +94,6 @@ resource "aws_security_group_rule" "egress_to_redis" {
   source_security_group_id = aws_security_group.redis.id
 }
 
-resource "aws_security_group_rule" "ingress_from_redis" {
-  for_each = toset(var.allow_security_group_ids)
-
-  security_group_id = each.value
-  description = "Ingress from redis"
-  type = "ingress"
-  protocol = "tcp"
-  from_port = 0
-  to_port = 0
-  source_security_group_id = aws_security_group.redis.id
-}
-
 output "host" {
   value = aws_elasticache_cluster.redis.cache_nodes.0.address
 }
