diff --git a/README.md b/README.md
index 9814ab2ee..a5e492390 100644
--- a/README.md
+++ b/README.md
@@ -277,6 +277,7 @@ No modules.
 | [aws_db_subnet_group.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
 | [aws_default_network_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource |
 | [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource |
+| [aws_default_security_group.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
 | [aws_default_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
 | [aws_default_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource |
 | [aws_egress_only_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/egress_only_internet_gateway) | resource |
@@ -406,8 +407,8 @@ No modules.
 | [default\_route\_table\_propagating\_vgws](#input\_default\_route\_table\_propagating\_vgws) | List of virtual gateways for propagation | `list(string)` | `[]` | no |
 | [default\_route\_table\_routes](#input\_default\_route\_table\_routes) | Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route | `list(map(string))` | `[]` | no |
 | [default\_route\_table\_tags](#input\_default\_route\_table\_tags) | Additional tags for the default route table | `map(string)` | `{}` | no |
-| [default\_security\_group\_egress](#input\_default\_security\_group\_egress) | List of maps of egress rules to set on the default security group | `list(map(string))` | `[]` | no |
-| [default\_security\_group\_ingress](#input\_default\_security\_group\_ingress) | List of maps of ingress rules to set on the default security group | `list(map(string))` | `[]` | no |
+| [default\_security\_group\_egress](#input\_default\_security\_group\_egress) | List of maps of egress rules to set on the default security group. Default is the AWS default egress rule. | `list(map(string))` |
[
{
"cidr_blocks": "0.0.0.0/0",
"from_port": 0,
"ipv6_cidr_blocks": "::/0",
"protocol": "-1",
"to_port": 0
}
]
| no | +| [default\_security\_group\_ingress](#input\_default\_security\_group\_ingress) | List of maps of ingress rules to set on the default security group. Default is AWS default ingress rule. | `list(map(string))` |
[
{
"from_port": 0,
"protocol": -1,
"self": true,
"to_port": 0
}
]
| no |
 | [default\_security\_group\_name](#input\_default\_security\_group\_name) | Name to be used on the default security group | `string` | `null` | no |
 | [default\_security\_group\_tags](#input\_default\_security\_group\_tags) | Additional tags for the default security group | `map(string)` | `{}` | no |
 | [default\_vpc\_enable\_dns\_hostnames](#input\_default\_vpc\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the Default VPC | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index 05b4f5e22..e4934a5f9 100644
--- a/main.tf
+++ b/main.tf
@@ -15,6 +15,9 @@ locals {
 local.len_redshift_subnets,
 )
+ # True if both var.default_security_group_ingress and var.default_security_group_egress are empty lists
+ empty_default_security_group = length(var.default_security_group_ingress) < 1 && length(var.default_security_group_egress) < 1
+
 # Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free!
 vpc_id = try(aws_vpc_ipv4_cidr_block_association.this[0].vpc_id, aws_vpc.this[0].id, "")
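Review bot: `length(...) < 1` on the new `empty_default_security_group` local reads as a range check where an emptiness test is meant; `empty_default_security_group = length(var.default_security_group_ingress) == 0 && length(var.default_security_group_egress) == 0` states the intent the comment above it already describes. The enclosing `locals` block starts and ends outside the hunk.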
@@ -1229,8 +1232,29 @@ resource "aws_default_vpc" "this" {
 )
 }
+################################################################################
+# Default Security Group
+################################################################################
+
+# Default security group with no rules, per CIS Benchmark
+resource "aws_default_security_group" "empty" {
+ count = local.create_vpc && var.manage_default_security_group && local.empty_default_security_group ? 1 : 0
+
+ vpc_id = aws_vpc.this[0].id
+ ingress = []
+ egress = []
+
+ tags = merge(
+ { "Name" = coalesce(var.default_security_group_name, "${var.name}-default") },
+ var.tags,
+ var.default_security_group_tags,
+ )
+
+}
+
+# Default security group with user provided rules
 resource "aws_default_security_group" "this" {
- count = local.create_vpc && var.manage_default_security_group ? 1 : 0
+ count = local.create_vpc && var.manage_default_security_group && !local.empty_default_security_group ? 1 : 0
 vpc_id = aws_vpc.this[0].id
diff --git a/variables.tf b/variables.tf
index 8bfae5164..7904b95a4 100644
--- a/variables.tf
+++ b/variables.tf
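Review bot: The no-rules path is taken only when both lists are empty — the `count` on the new `empty` resource and the negated condition on `this` are exact complements — so a caller who clears only ingress (or only egress) still lands in `this`, where the empty side is fed to the dynamic block outside this hunk rather than the explicit `ingress = []` / `egress = []` written here; whether that removes the existing rules on that side depends on provider behaviour not visible in the diff and deserves a comment or a test. Because the defaults in variables.tf are now the AWS default rules rather than `[]`, the CIS-style group with no rules is only produced when the caller passes `[]` for both variables explicitly; a sentence on the comment above `empty`, e.g. `# Created only when both default_security_group_ingress and default_security_group_egress are [] — otherwise "this" manages the rules`, would make that contract visible at the point of use. The body of `aws_default_security_group.this` continues past the end of the hunk.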
@@ -1355,15 +1355,30 @@ variable "default_security_group_name" {
 }
 variable "default_security_group_ingress" {
- description = "List of maps of ingress rules to set on the default security group"
+ description = "List of maps of ingress rules to set on the default security group. Default is AWS default ingress rule."
 type = list(map(string))
- default = []
+ default = [
+ {
+ protocol = -1
+ self = true
+ from_port = 0
+ to_port = 0
+ },
+ ]
 }
 variable "default_security_group_egress" {
- description = "List of maps of egress rules to set on the default security group"
+ description = "List of maps of egress rules to set on the default security group. Default is the AWS default egress rule."
 type = list(map(string))
- default = []
+ default = [
+ {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = "0.0.0.0/0"
+ ipv6_cidr_blocks = "::/0"
+ },
+ ]
 }
 variable "default_security_group_tags" {
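Review bot: The ingress default writes `protocol = -1` as a number while the egress default a few lines below writes `protocol = "-1"`; both are converted to a string by `type = list(map(string))`, but quoting it as `"-1"` in the ingress block too keeps the two defaults parallel, and since the README table is generated from these variables the same mismatch (`"protocol": -1` versus `"protocol": "-1"`) disappears from the docs with it. Changing the defaults from `[]` to the AWS default rules is a behaviour change for callers who enabled `manage_default_security_group` and relied on the old empty default; given the `empty` resource in main.tf is only created when both lists are empty, each description could state that, e.g. `Set both default_security_group_ingress and default_security_group_egress to [] to remove all rules from the default security group.`, and the ingress wording could match the egress one (`Default is the AWS default ingress rule.`). The `default_security_group_tags` variable at the end of the hunk continues past it.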