feat!: add custom egress rules to docker-autoscaler security group

[ikarlashov]

Add custom egress rules to docker-autoscaler security group and remove condition to provision unused docker-machine security group.

Description

1. By default, the module provisions a security group for Docker Autoscaler workers with egress rules that allow ALL traffic. Unlike ingress rules, egress rules are not customizable, which poses a significant security concern. This PR introduces the ability to customize egress rules for the Docker Autoscaler workers' security group by declaring a separate variable for docker-autoscaler egress rules.

2. var.runner_worker_docker_autoscaler_asg becomes bulky and hard to read. Considering the complexity of the ingress rules structure, it makes sense to create a separate variable var.runner_worker_docker_autoscaler_ingress_rules for ingress rules. This way we will follow variable convention for existing security group rules variables, i.e. var.runner_worker_docker_machine_extra_egress_rules. In the result of the change: var.runner_worker_docker_autoscaler_asg.sg_ingresses is removed and its content should be moved to var.runner_worker_docker_autoscaler_ingress_rules.

3. Additionally, PR removes the condition that provisions an unused security group intended solely for Docker Machine setup.

Migrations required

Yes

Move all docker-autoscaler ingress rules declaration from var.runner_worker_docker_autoscaler_asg.sg_ingresses to var.runner_worker_docker_autoscaler_ingress_rules.

Verification

runner_worker_docker_autoscaler_ingress_rules =  [
    {
      cidr_block      = "10.0.0.0/8"  # Example CIDR block for a private network in Amazon
      from_port        = 22
      protocol         = "tcp"
      to_port          = 22
      description      = "Allow SSH Ingress traffic for private network."
    }
]

runner_worker_docker_autoscaler_egress_rules = [
     {
      cidr_block    = "0.0.0.0/0"
      from_port     = 443
      protocol        = "tcp"
      to_port          = 443
      description   = "Allow HTTPS egress traffic."
    },
   {
    ipv6_cidr_block = "::/0"
    description         = "Allow HTTPS Egress everywhere"
    from_port           = 443
    protocol              = "tcp"
    to_port                =  443
   }
]

[github-actions]

Hey @ikarlashov! 👋

Thank you for your contribution to the project. Please refer to the contribution rules for a quick overview of the process.

Make sure that this PR clearly explains:

• the problem being solved
• the best way a reviewer and you can test your changes

With submitting this PR you confirm that you hold the rights of the code added and agree that it will published under this LICENSE.

The following ChatOps commands are supported:

• /help: notifies a maintainer to help you out

Simply add a comment with the command in the first line. If you need to pass more information, separate it with a blank line from the command.

This message was generated automatically. You are welcome to improve it.

[kayman-mk]

Thanks for your work to improve this module. I noticed the major change, but I think we can go on as it is easy to handle for the users.

[kayman-mk]

issue: can we move this to an aws_vpc_security_group_egress_rule resource? See aws_security_group

[kayman-mk]

issue: can we move this to an aws_vpc_security_group_ingress_rule resource? See aws_security_group

[kayman-mk]

question: any specific reason for this default? As you already wrote, it might introduce a vulnerability.

suggestion: get rid of this default.

[ikarlashov]

I left it for lazy people who don't care about setting specific egresses and just want to have an ability to use the module right away. I.e. to pull docker images from Internet.
I can remove it, no problem.

[ikarlashov]

Maybe as a compromise solution we can set default to "Allow Egress to All for port 443 only"?

[kayman-mk]

praise: Good spot!

[ikarlashov]

Thanks! :)

[ikarlashov]

It would be nice to allow traffic within runner-manager ASG and Docker-autoscaler workers ASG. Basically add this to security_groups.tf:

resource "aws_vpc_security_group_egress_rule" "runner_manager_to_docker_autoscaler_egress" {
  count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0

  security_group_id            = aws_security_group.runner.id
  from_port                    = 0
  to_port                      = 0
  ip_protocol                  = "-1"
  description                  = "Allow ALL Egress traffic between Runner Manager and Docker-autoscaler workers security group"
  referenced_security_group_id = aws_security_group.docker_autoscaler[0].id
}

But if I add it, terraform doesn't detect any changes for runner's SG.