-
Notifications
You must be signed in to change notification settings - Fork 5
chore: allow access to RDS from any source #122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -23,7 +23,7 @@ module "rds" { | |
|
|
||
| maintenance_window = "Mon:00:00-Mon:03:00" | ||
|
|
||
| publicly_accessible = false | ||
| publicly_accessible = true | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Critical Security Concern: Exposing RDS to the public Internet Suggested refactor: - publicly_accessible = true
+ publicly_accessible = var.rds_publicly_accessibleAnd in +variable "rds_publicly_accessible" {
+ description = "Whether the RDS instance is publicly accessible"
+ type = bool
+ default = false
+}Additionally, enforce tighter network controls (whitelisted CIDRs or VPN/bastion), and enable features like Would you like help wiring up the variable or locking down the allowed CIDRs? 🤖 Prompt for AI Agents |
||
|
|
||
| storage_encrypted = true | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🛠️ Refactor suggestion
Critical security risk: Public RDS exposure
Allowing
0.0.0.0/0ingress on your RDS security group opens your database to the entire internet, greatly increasing the risk of unauthorized access and data exfiltration. At minimum, you should restrict access to known IP ranges, a bastion host, or VPN. Better yet, parameterize public access so it can be safely disabled in production.Example refactor to make public ingress optional via a variable:
Add to your variables file:
🤖 Prompt for AI Agents