Excessively broad EC2 security group configuration
This module uses the same collection of subnets and security group for both the manager instance (known in comments here as the "bastion") and the runner instance(s). The security group includes a self rule that allows any ingress that originates on instances that share the same security group, thereby ensuring that the manager can reach ports 22 and 2376 on runner instances as required by Docker Machine. The security group also includes a rule allowing egress to any destination address and port, thereby ensuring that the security group will not prevent the manager from connecting to the GitLab instance to register itself as an available runner. No other security group entries are required for successful operation of the runner.
The default configuration of the `amazonec2` driver for Docker Machine modifies the configured security group to add ingress entries allowing tcp 22 and 2376 from any source IP address. This is unnecessary, and if the manager or runner instances were deliberately or inadvertently given public IP addresses, this security group configuration poses a significant risk. Because of the self entry in the security group, these additions are unnecessary and should be disabled using the `--amazonec2-security-group-readonly` option for the `amazonec2` Docker Machine driver.
Additionally, the security group configured by the module allows any ingress traffic from any "Virginia Tech" subnet. As this isn't necessary for successful operation of the manager/runner, any such additions to the security group should be optional. There may be users of the module who want to be able to access the manager from Virginia Tech subnets, but that need is not universal. If there is a need/desire for such additions, they should be placed in a separate security group applied only to the manager node.
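The following audit script is an added example, not part of this issue or the module: it checks a security group (in the JSON shape returned by `aws ec2 describe-security-groups`) against the policy described above, reporting any ingress rule that is not a self-reference (flagging the driver's default tcp/22 and tcp/2376 world-open entries specifically) and confirming unrestricted egress. The group id and the 198.51.100.0/24 range in the samples are constructed placeholders.

```python
from typing import Dict, List

# Ports the amazonec2 driver opens to 0.0.0.0/0 unless
# --amazonec2-security-group-readonly is set.
DOCKER_MACHINE_PORTS = {22, 2376}

def audit_security_group(sg: Dict) -> List[str]:
    """Return findings for one group; an empty list means every ingress rule
    is a self-reference and egress is unrestricted, which is all that is needed."""
    findings: List[str] = []
    own_id = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" has no ports
        desc = f"{proto} {lo}-{hi}"
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != own_id:
                findings.append(f"ingress {desc} from foreign group {pair['GroupId']}")
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            covers_dm = proto == "-1" or any(lo <= p <= hi for p in DOCKER_MACHINE_PORTS)
            if cidr == "0.0.0.0/0" and covers_dm:
                findings.append(f"ingress {desc} from {cidr}: amazonec2 driver default, "
                                "set --amazonec2-security-group-readonly")
            else:
                findings.append(f"ingress {desc} from {cidr}: not required by the runner")
    egress_ok = any(p.get("IpProtocol") == "-1"
                    and any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", []))
                    for p in sg.get("IpPermissionsEgress", []))
    if not egress_ok:
        findings.append("no unrestricted egress: manager cannot register with GitLab")
    return findings

# Constructed sample: the minimal group the issue describes (self ingress, all egress).
SELF_RULE = {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]}
ALL_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
MINIMAL_SG = {"GroupId": "sg-0123456789abcdef0",
              "IpPermissions": [SELF_RULE], "IpPermissionsEgress": [ALL_EGRESS]}

# Constructed sample: the same group after the driver's default additions plus a
# campus-style range (198.51.100.0/24 is documentation space, used as a placeholder).
MODIFIED_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissionsEgress": [ALL_EGRESS],
               "IpPermissions": [SELF_RULE,
                   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                   {"IpProtocol": "tcp", "FromPort": 2376, "ToPort": 2376,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]}
```

Running `audit_security_group` over the output of `describe-security-groups` after the runner has started is a quick way to confirm the readonly option actually took effect.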