Given this is creating a public NLB and EC2 instances, SGs should default to whitelisting specific IPs.
Also, the defaults are incredibly poor practice - creating a publicly accessible RDS instance, in public subnets, with a hardcoded default password. Compare to e.g. Teleport's default Terraform for their HA ref. arch, most of which is best-prac; from Hashi this looks very bad.
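
The defaults asked for above, sketched as an added Terraform example (not part of the original comment and not the module's own code). All resource and variable names, the ports, the engine and the instance class are assumptions, and `manage_master_user_password` needs a recent AWS provider.

```hcl
# Added example: every name, port and engine below is hypothetical.
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }

variable "allowed_cidrs" {
  type = list(string) # no default, so the caller must state who may connect
  validation {
    condition     = length(var.allowed_cidrs) > 0 && !contains(var.allowed_cidrs, "0.0.0.0/0")
    error_message = "Set allowed_cidrs to specific ranges; 0.0.0.0/0 is rejected."
  }
}

resource "aws_security_group" "instances" {
  name_prefix = "example-instances-"
  vpc_id      = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidrs # allowlist only
  }
}

resource "aws_security_group" "db" {
  name_prefix = "example-db-"
  vpc_id      = var.vpc_id
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.instances.id] # instances only, no CIDR rule
  }
}

resource "aws_db_subnet_group" "private" {
  name_prefix = "example-db-"
  subnet_ids  = var.private_subnet_ids # private subnets, no internet gateway route
}

resource "aws_db_instance" "example" {
  identifier_prefix           = "example-"
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 20
  username                    = "appadmin"
  manage_master_user_password = true # generated and held in Secrets Manager, nothing hardcoded
  publicly_accessible         = false
  db_subnet_group_name        = aws_db_subnet_group.private.name
  vpc_security_group_ids      = [aws_security_group.db.id]
}
```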