Skip to content
Closed
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions deployment/modules/networking/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,14 @@ resource "aws_security_group" "rds" {
cidr_blocks = module.vpc.public_subnets_cidr_blocks # Allow access from public subnets
}

# Allow access from anywhere (0.0.0.0/0)
ingress {
from_port = 5432
to_port = 5432
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
Comment on lines +74 to +80

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

⚠️ Potential issue

Critical security risk: Public RDS exposure
Allowing 0.0.0.0/0 ingress on your RDS security group opens your database to the entire internet, greatly increasing the risk of unauthorized access and data exfiltration. At minimum, you should restrict access to known IP ranges, a bastion host, or VPN. Better yet, parameterize public access so it can be safely disabled in production.

Example refactor to make public ingress optional via a variable:

@@ -74,7 +74,12 @@ resource "aws_security_group" "rds" {
-  ingress {
-    from_port   = 5432
-    to_port     = 5432
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+  # Public access controlled via variable
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = var.rds_public_cidr_blocks
+    description = "Optional public RDS access"
  }

Add to your variables file:

variable "rds_public_cidr_blocks" {
  type        = list(string)
  description = "CIDR blocks allowed to access RDS publicly; leave empty to disable public access"
  default     = []
}
🤖 Prompt for AI Agents
In deployment/modules/networking/main.tf lines 74 to 80, the security group rule
allows ingress from 0.0.0.0/0, exposing the RDS instance to the entire internet,
which is a major security risk. To fix this, replace the hardcoded cidr_blocks
value with a variable that controls public access, and set it to an empty list
by default to disable public ingress. Update your variable definitions
accordingly to make the access configurable and safer for production
environments.


egress {
from_port = 0
to_port = 0
Expand Down
2 changes: 1 addition & 1 deletion deployment/modules/storage/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ module "rds" {

maintenance_window = "Mon:00:00-Mon:03:00"

publicly_accessible = false
publicly_accessible = true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Critical Security Concern: Exposing RDS to the public Internet
Setting publicly_accessible = true opens your database endpoint to the Internet. Combined with an ingress rule of 0.0.0.0/0 on port 5432, this exposes sensitive data to anyone and violates security best practices. Please consider reverting this change or scoping it behind a controlled variable and locking down CIDRs.

Suggested refactor:

-  publicly_accessible = true
+  publicly_accessible = var.rds_publicly_accessible

And in variables.tf:

+variable "rds_publicly_accessible" {
+  description = "Whether the RDS instance is publicly accessible"
+  type        = bool
+  default     = false
+}

Additionally, enforce tighter network controls (whitelisted CIDRs or VPN/bastion), and enable features like deletion_protection for extra safety.

Would you like help wiring up the variable or locking down the allowed CIDRs?

🤖 Prompt for AI Agents
In deployment/modules/storage/main.tf at line 26, the setting
publicly_accessible is set to true, which exposes the RDS instance to the public
internet. Change this value to false to restrict access, or make it configurable
via a variable that defaults to false. Additionally, review and update the
security group ingress rules to restrict access to trusted CIDRs, avoiding
0.0.0.0/0. Ensure that sensitive data is protected by limiting public exposure.


storage_encrypted = true

Expand Down