
Datadog stack restores Oracle’s default VCN security list (SSH open to 0.0.0.0/0) #85

@ChristianBagley

Description


Summary

When the Datadog integration stack auto-creates networking (no subnet_ocids provided), it invokes oracle-terraform-modules/vcn/oci with lockdown_default_seclist = false. According to oracle-terraform-modules/terraform-oci-vcn#22, that value tells the Oracle module to recreate the default security-list rules (SSH/ICMP) on any new VCN. Because the Datadog stack hard-codes it and doesn’t surface the option, every new Datadog-created VCN inherits a public SSH ingress unexpectedly.

Steps to Reproduce

  1. Deploy the Datadog stack without existing subnets.
  2. Inspect the default security list on the generated VCN.
  3. Observe TCP 22 open from 0.0.0.0/0.

Impact

Any tenancy using the auto-networking option ends up with public SSH ingress, which may be unexpected and could violate security policies.

Questions

  • Is this behavior intentional? Perhaps the stack wanted to preserve Oracle’s default security list?
  • If that was the goal, could we surface the flag (defaulting to true) so users who rely on the default rules can explicitly opt in?

Proposed Fix

Assuming this behavior is not intentional, add a surfaced variable (lockdown_vcn_default_seclist) across variables.tf, schema.yaml, and regional_stack.tf to control the flag, default it to true, and document the behavior. I've created a PR in case the team agrees.

Thank you!
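The shape of the proposed fix, written out as an added example rather than the Datadog stack's or the PR's actual code. The module source `oracle-terraform-modules/vcn/oci`, the `lockdown_default_seclist` input and the proposed variable name `lockdown_vcn_default_seclist` come from the issue above; the other inputs (`var.compartment_ocid`, the VCN name and CIDR) are placeholder assumptions, not the stack's real variables.

```hcl
# Added illustration of the proposed fix, not the Datadog stack's own code.
# Assumptions: var.compartment_ocid, the VCN name and the CIDR are placeholders;
# the module source and lockdown_default_seclist input are as described in the issue.

# --- variables.tf: surface the flag and default it to the locked-down behaviour ---
variable "lockdown_vcn_default_seclist" {
  description = <<-EOT
    Strip Oracle's default SSH (TCP 22) and ICMP ingress rules from the default
    security list of the VCN this stack creates. Leave true unless you explicitly
    rely on those rules: false leaves TCP 22 reachable from 0.0.0.0/0.
  EOT
  type        = bool
  default     = true
}

# --- regional_stack.tf, before: the hard-coded value the issue reports ---
# module "vcn" {
#   source                   = "oracle-terraform-modules/vcn/oci"
#   compartment_id           = var.compartment_ocid
#   vcn_name                 = "datadog-vcn"
#   vcn_cidrs                = ["10.0.0.0/16"]
#   lockdown_default_seclist = false   # every new VCN keeps SSH open to the world
# }

# --- regional_stack.tf, after: wired to the surfaced variable (default true) ---
module "vcn" {
  source                   = "oracle-terraform-modules/vcn/oci"
  compartment_id           = var.compartment_ocid
  vcn_name                 = "datadog-vcn"
  vcn_cidrs                = ["10.0.0.0/16"]
  lockdown_default_seclist = var.lockdown_vcn_default_seclist
}
```

With the variable defaulted to true, existing users who passed their own subnet_ocids are unaffected (the module is not invoked), and anyone who genuinely wants Oracle's default rules opts in by setting it to false. After applying, step 2 of the reproduction above (inspect the generated VCN's default security list) is the check that the TCP 22 rule from 0.0.0.0/0 is gone.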
