Skip to content

feat: expose egress_enabled to tighten security group egress#98

Merged
aknysh merged 5 commits into
mainfrom
aknysh/update-egress
May 21, 2026
Merged

feat: expose egress_enabled to tighten security group egress#98
aknysh merged 5 commits into
mainfrom
aknysh/update-egress

Conversation

@aknysh

@aknysh aknysh commented May 21, 2026

Copy link
Copy Markdown
Contributor

what

  • Expose new egress_enabled input on the aurora-postgres component (default: true, preserves current behavior).
  • Pass it through to the underlying cloudposse/rds-cluster/aws module so consumers can opt into restricted outbound traffic on the cluster's security group.
  • Add test coverage in TestBasic: deploys with egress_enabled = false and asserts the resulting security group has zero egress rules.
  • Bump test dependencies in test/go.mod to the latest available versions (including test-helpers v1.0.0, terratest v1.0.0, testify v1.11.1, full AWS SDK v2 family, and the Go directive to 1.26.3).
  • Regenerate README.md / src/README.md inputs tables.

why

  • Tighten security group egress rules across our infrastructure. Mirrors the allow_all_egress pattern already exposed in the elasticache-redis component, applied here using the upstream module's native variable name (egress_enabled).
  • Defaulting to true keeps every existing stack unchanged — consumers opt in to restricted egress by setting egress_enabled: false.
  • The test bump aligns this component with the rest of the fleet's tooling and keeps CI on currently supported library versions.

Summary by CodeRabbit

  • New Features

    • Added egress_enabled option (default: true) to control outbound traffic behavior.
  • Documentation

    • README tables reformatted and docs updated for the new option.
  • Chores

    • Bumped Aurora PostgreSQL cluster module to v2.6.0 and referenced remote-state modules to v2.0.0.
    • Updated test toolchain/dependencies and test fixtures to target PostgreSQL 17.9.

Review Change Stack

@aknysh aknysh added the minor New features that do not break anything label May 21, 2026
@coderabbitai

coderabbitai Bot commented May 21, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bbc45bc3-9397-493b-b8fa-bc9e94725eef

📥 Commits

Reviewing files that changed from the base of the PR and between 9b22b65 and 69c8caf.

📒 Files selected for processing (5)
  • README.md
  • src/README.md
  • src/remote-state.tf
  • test/fixtures/stacks/catalog/usecase/serverless.yaml
  • test/fixtures/vendor.yaml
✅ Files skipped from review due to trivial changes (1)
  • src/README.md

📝 Walkthrough

Walkthrough

This pull request introduces an egress_enabled input variable to control whether the Aurora PostgreSQL module creates outbound security group rules. The upstream module version is upgraded from 2.4.0 to 2.6.0, the variable is wired through cluster configuration, documentation is regenerated, and tests verify egress behavior using EC2 API calls.

Changes

Egress control and module upgrade

Layer / File(s) Summary
Variable definition and module configuration
src/variables.tf, src/cluster-regional.tf
Added egress_enabled boolean input variable (default true) and upgraded the aurora_postgres_cluster module from 2.4.0 to 2.6.0, wiring the new variable to the upstream module.
Remote-state module upgrades
src/remote-state.tf
Bumped cloudposse/stack-config/yaml//modules/remote-state to 2.0.0 for vpc, vpc_ingress, eks, and converted dns_gbl_delegated instantiation to a single component instance with environment wiring.
Documentation updates
README.md, src/README.md
Regenerated Markdown table formatting in Requirements, Providers, Resources, Inputs, and Outputs; documented the new egress_enabled input and updated module version references to 2.6.0 across README files.
Test updates and dependency upgrades
test/component_test.go, test/go.mod
Updated component tests to set egress_enabled=false and verify security group egress is empty via EC2 DescribeSecurityGroups; added context and require imports; upgraded Go toolchain to 1.26.3 and refreshed test dependencies (AWS SDK v2 additions).
Fixtures and vendor manifest
test/fixtures/stacks/catalog/usecase/serverless.yaml, test/fixtures/vendor.yaml
Updated Aurora engine/family to 17.9/aurora-postgresql17 in fixtures; refreshed Atmos vendor manifest entries and removed a duplicate vpc block.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Sequence Diagram

sequenceDiagram
  participant TestRunner
  participant TerraformModule as aurora_postgres_cluster
  participant AWS_EC2 as EC2
  TestRunner->>TerraformModule: terraform apply (egress_enabled = false)
  TerraformModule->>AWS_EC2: create SecurityGroup (no egress rules)
  TestRunner->>AWS_EC2: DescribeSecurityGroups(security_group_id)
  AWS_EC2-->>TestRunner: security group (egress_permissions = empty)
Loading

Possibly related PRs

Suggested reviewers

  • RoseSecurity
  • goruha

Poem

🐰 A rabbit hops through egress rules so clear,
Where traffic flows—or stops—without a fear!
Version bumped, tests now verify the way,
Security groups dance, egress controlled each day. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the primary change: exposing an egress_enabled variable to control security group egress rules.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch aknysh/update-egress

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@aknysh aknysh self-assigned this May 21, 2026
@mergify mergify Bot requested review from a team May 21, 2026 03:22
@mergify

mergify Bot commented May 21, 2026

Copy link
Copy Markdown

Important

Do not edit the README.md directly. It's auto-generated from the README.yaml

Please update the README.yaml file instead.

Could you fix it @aknysh? 🙏

The aws-account-map repo (cloned by CI for the iam-roles relative-path
module) was recently updated to stack-config/yaml v2, which requires
cloudposse/utils >= 2.0.0. This component still pinned stack-config 1.8.0,
which requires utils < 2.0.0, making the provider graph unsatisfiable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mergify mergify Bot added the needs-test Needs testing label May 21, 2026
@aknysh aknysh added major Breaking changes (or first stable release) and removed minor New features that do not break anything labels May 21, 2026
@aknysh

aknysh commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

/terratest

…onfig v2

The vendored account-map came from cloudposse/terraform-aws-components
1.520.0, which uses cloudposse/stack-config/yaml v1.5.0 (constraint
utils >= 1.7.1, != 1.4.0, < 2.0.0). After bumping the component's own
remote-state to stack-config v2 (utils >= 2.0.0), this old account-map
made the resolved utils graph unsatisfiable during atmos deploys.

Switch to the standalone aws-account-map@v1.537.2 (uses stack-config v2)
and bring vpc + dns-delegated up to the versions used by elasticache-redis.
Drop dns-primary; the test suite only depends on vpc and dns-delegated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@aknysh

aknysh commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

/terratest

AWS no longer offers Aurora Postgres 13.21 (the version the fixture was
pinned to), so cluster creation fails with InvalidParameterCombination.
Bump to 17.9, the current latest Aurora Postgres release, and update
cluster_family to aurora-postgresql17 to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@aknysh

aknysh commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

/terratest

@aknysh aknysh added this pull request to the merge queue May 21, 2026
Merged via the queue into main with commit e27a78d May 21, 2026
19 checks passed
@aknysh aknysh deleted the aknysh/update-egress branch May 21, 2026 14:45
@github-actions

Copy link
Copy Markdown

These changes were released in v2.0.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

major Breaking changes (or first stable release) needs-test Needs testing

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants