How to validate AWS Security Group rules with Terraform?

March 2021


In this article we will imagine that you received a wake-up call at 2 am from the “Chief” to inform you that your company is about to be in the headline news in the coming hours and he needs your help.

Some pieces of information are given to you as you continue to wake up. They are:

Diagram 1: AWS-SG.

As time keeps running you realize that this incident can provide a big opportunity to test your baseline security control runbook.

You start by analyzing all the unusual activities in your AWS environments. You check the following log reports:

Secondly, you check your Terraform state file to see what changes have been made recently.

Terraform to the rescue!

As we all know from my previous articles, Terraform allows us to describe, create, modify and delete our infrastructure as code (IaC).

Having this in mind, you finally discover the source of the problem. Whoever was doing the test in the wrong environment accidentally changed some AWS security group (SG) port configurations.

The question now is how do you validate your AWS Security Group rules using Terraform to avoid this type of issue in the future?

Before we dig deeper, let's review what the official AWS documentation says about security groups:


"A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance."

The official AWS documentation

Conclusion

Now that we know the issue, it is time to come to a solution. Some possible ways to protect your projects in this type of situation are:

In this post I will show you how this works.

First, create a variable.tf file and add a custom variable validation block, as shown below.

Custom variable validation and result example.
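The following variable.tf is an added example written for this article, not the code from the linked repository. It assumes the web tier only ever needs 80 and 443 open, and that management ports (22, 3389) must never be reachable from 0.0.0.0/0; adjust both lists to your own baseline.

```hcl
# variable.tf (added example, not the article's repository code)

variable "ingress_rules" {
  description = "Ingress rules for the web-tier security group (assumed shape)"
  type = list(object({
    description = string
    from_port   = number
    to_port     = number
    protocol    = string
    cidr_blocks = list(string)
  }))

  # Rule 1: every entry opens exactly one port, and that port is on the
  # allow-list for this tier. A port range (e.g. 0-65535) is rejected here.
  validation {
    condition = alltrue([
      for r in var.ingress_rules :
      r.from_port == r.to_port && contains([80, 443], r.from_port)
    ])
    error_message = "Each ingress rule must open exactly one port, and only ports 80 or 443 are allowed on the web tier."
  }

  # Rule 2: management ports are never exposed to the whole internet,
  # which is the accidental change described above.
  validation {
    condition = alltrue([
      for r in var.ingress_rules :
      !(contains([22, 3389], r.from_port) && contains(r.cidr_blocks, "0.0.0.0/0"))
    ])
    error_message = "SSH (22) and RDP (3389) must not be open to 0.0.0.0/0."
  }
}

# terraform.tfvars (constructed sample input) - this value is REJECTED by
# both validation blocks at `terraform plan`/`apply` time, before any
# aws_security_group resource is touched:
#
# ingress_rules = [
#   {
#     description = "oops, left over from a test"
#     from_port   = 22
#     to_port     = 22
#     protocol    = "tcp"
#     cidr_blocks = ["0.0.0.0/0"]
#   },
# ]
```

Feed `var.ingress_rules` into the `aws_security_group` resource through a `dynamic "ingress"` block so the validated list is the only path by which rules reach the SG; `alltrue` requires Terraform 0.14 or later.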

As you can see, if someone tries to use the wrong configuration, they will receive an error message.

Remember to continue improving your security daily to reduce real risk. I know this is only a simulation and incidents like this do not happen often in real life, but it is better to be prepared or at least know where to start troubleshooting 😊

Functions, arguments and expressions of Terraform that were used in the above project:

Find the Terraform repo and directions for this project here

I would like to give a big shout out to my mentor Derek Morgan. Thank you for all of your support all these months and for the amazing course "More Than Certified in Terraform" the best course out there. Link to the course here. If you want to connect with him and ask questions about his course, contact him via LinkedIn Derek Morgan or you can join the TechStudySlack channel here.