feat!: add custom egress rules to worker security groups (#1222)

Add custom egress rules to docker-autoscaler security group and remove
condition to provision unused docker-machine security group.

## Description

1. By default, the module provisions a security group for Docker
Autoscaler workers with egress rules that allow ALL traffic. Unlike
ingress rules, egress rules are not customizable, which poses a
significant security concern. This PR introduces the ability to
customize egress rules for the Docker Autoscaler workers' security group
by declaring a separate variable for docker-autoscaler egress rules.
2. `var.runner_worker_docker_autoscaler_asg` becomes bulky and hard to
read. Considering the complexity of the ingress rules structure, it
makes sense to create a separate variable
`var.runner_worker_docker_autoscaler_ingress_rules` for ingress rules.
This way we will follow variable convention for existing security group
rules variables, i.e.
`var.runner_worker_docker_machine_extra_egress_rules`. In the result of
the change: `var.runner_worker_docker_autoscaler_asg.sg_ingresses` is
removed and its content should be moved to
`var.runner_worker_ingress_rules`.
3. Adding `var.runner_ingress_rules` to manage Ingress rules for
runner-manager security group.
4. Changed runner-manager egress rules' var name and its spec.
`var.runner_networking_egress_rules` has migrated to
`var.runner_egress_rules` with a new spec.
5. Additionally, PR removes the condition that provisions an unused
security group intended solely for Docker Machine setup.

## Migrations required

1. Move all docker-autoscaler ingress rules declaration from
`var.runner_worker_docker_autoscaler_asg.sg_ingresses` to
`var.runner_worker_ingress_rules`.
2. `var.runner_networking_egress_rules` migrated to
`var.runner_manager_egress_rules` with a new spec.
3. Move `var.runner_worker_docker_machine_extra_egress_rules` to
`var.runner_worker_egress_rules`. In case you used multiple cidr_blocks,
... you have to create multiple rules.

Attention: The default value for
`var.runner_worker_docker_machine_extra_egress_rules` allowing all
egress traffic has been replaced by a rule allowing traffic to port
22/443 only. Don't forget to add the rules you need to
`var.runner_worker_egress_rules`.

Attention: Due to the resource replacement you might see inconsistencies
and disappearing security group rules. In that case delete all rules
from the Runner and Runner Workers and apply the module again.

Sample egress rule:

```
runner_worker_egress_rules = [
     {
      cidr_block    = "0.0.0.0/0"
      from_port     = 443
      protocol        = "tcp"
      to_port          = 443
      description   = "Allow HTTPS egress traffic."
    },
   {
    ipv6_cidr_block = "::/0"
    description         = "Allow HTTPS Egress everywhere"
    from_port           = 443
    protocol              = "tcp"
    to_port                =  443
   }
]
```

---------

Signed-off-by: Yevgen Karlashov <[email protected]>
Co-authored-by: Matthias Kay <[email protected]>

Author: ikarlashov

.cspell.json

@@ -24,6 +24,7 @@
     "glrt",
     "glrunners",
     "hmarr",
+    "icmpv6",
     "instancelifecycle",
     "keyrings",
     "kics",
@@ -83,7 +84,7 @@
     "rebalance",
     "signoff",
     "typecheck",
-    "userdata",
+    "userdata"
   ],
   "flagWords": []
 }

docker_autoscaler.tf

@@ -3,12 +3,16 @@
 # outdated docker+machine driver. The docker+machine driver is a legacy driver that is no longer maintained by GitLab.
 #
 
-resource "aws_security_group" "docker_autoscaler" {
-  count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
+########################################
+###### Security Group and SG rules #####
+########################################
 
-  description = "Docker autoscaler security group"
+# Base security group
+resource "aws_security_group" "docker_autoscaler" {
+  count       = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
+  name_prefix = "${local.name_sg}-docker-autoscaler"
   vpc_id      = var.vpc_id
-  name        = "${local.name_sg}-docker-autoscaler"
+  description = "Docker-autoscaler security group"
 
   tags = merge(
     local.tags,
@@ -18,40 +22,49 @@ resource "aws_security_group" "docker_autoscaler" {
   )
 }
 
-resource "aws_security_group_rule" "autoscaler_egress" {
-  count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
+# Ingress rules
+resource "aws_vpc_security_group_ingress_rule" "docker_autoscaler_ingress" {
+  for_each = var.runner_worker.type == "docker-autoscaler" ? var.runner_worker_ingress_rules : {}
 
-  description       = "All egress traffic docker autoscaler"
-  type              = "egress"
-  from_port         = 0
-  to_port           = 0
-  protocol          = "-1"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = join("", aws_security_group.docker_autoscaler[*].id)
+  security_group_id = aws_security_group.docker_autoscaler[0].id
+
+  from_port   = each.value.from_port
+  to_port     = each.value.to_port
+  ip_protocol = each.value.protocol
+
+  description                  = each.value.description
+  prefix_list_id               = each.value.prefix_list_id
+  referenced_security_group_id = each.value.security_group
+  cidr_ipv4                    = each.value.cidr_block
+  cidr_ipv6                    = each.value.ipv6_cidr_block
 }
 
-resource "aws_security_group_rule" "autoscaler_ingress" {
+resource "aws_vpc_security_group_ingress_rule" "docker_autoscaler_internal_traffic" {
   count = var.runner_worker.type == "docker-autoscaler" ? 1 : 0
 
-  description              = "All ingress traffic from runner security group"
-  type                     = "ingress"
-  from_port                = 0
-  to_port                  = 0
-  protocol                 = "-1"
-  source_security_group_id = aws_security_group.runner.id
-  security_group_id        = join("", aws_security_group.docker_autoscaler[*].id)
+  security_group_id            = aws_security_group.docker_autoscaler[0].id
+  from_port                    = -1
+  to_port                      = -1
+  ip_protocol                  = "-1"
+  description                  = "Allow ALL Ingress traffic between Runner Manager and Docker-autoscaler workers security group"
+  referenced_security_group_id = aws_security_group.runner.id
 }
 
-resource "aws_security_group_rule" "extra_autoscaler_ingress" {
-  count = var.runner_worker.type == "docker-autoscaler" ? length(var.runner_worker_docker_autoscaler_asg.sg_ingresses) : 0
+# Egress rules
+resource "aws_vpc_security_group_egress_rule" "docker_autoscaler_egress" {
+  for_each = var.runner_worker.type == "docker-autoscaler" ? var.runner_worker_egress_rules : {}
+
+  security_group_id = aws_security_group.docker_autoscaler[0].id
+
+  from_port   = each.value.from_port
+  to_port     = each.value.to_port
+  ip_protocol = each.value.protocol
 
-  description       = var.runner_worker_docker_autoscaler_asg.sg_ingresses[count.index].description
-  type              = "ingress"
-  from_port         = var.runner_worker_docker_autoscaler_asg.sg_ingresses[count.index].from_port
-  to_port           = var.runner_worker_docker_autoscaler_asg.sg_ingresses[count.index].to_port
-  protocol          = var.runner_worker_docker_autoscaler_asg.sg_ingresses[count.index].protocol
-  cidr_blocks       = var.runner_worker_docker_autoscaler_asg.sg_ingresses[count.index].cidr_blocks
-  security_group_id = join("", aws_security_group.docker_autoscaler[*].id)
+  description                  = each.value.description
+  prefix_list_id               = each.value.prefix_list_id
+  referenced_security_group_id = each.value.security_group
+  cidr_ipv4                    = each.value.cidr_block
+  cidr_ipv6                    = each.value.ipv6_cidr_block
 }
 
 ####################################