Sha256: 86ad518ce215e30c8df6a2d5f4e638907374d0f4f82f2e52c0d68581edc9d884
Contents?: true
Size: 1.46 KB
Versions: 3
Compression:
Stored size: 1.46 KB
Contents
# frozen_string_literal: true
require 'terracop/cop/aws/security_group_rule_cop'
module Terracop
module Cop
module Aws
# This cop warns against ingress security group rules that allow very wide
# address ranges.
# This goes hand in hand with OpenIngress, but also warns against blocks
# like 10.0.0.0/8.
# Always pick the smallest possible choice of sources/destinations.
#
# @example
# # bad
# resource "aws_security_group_rule" "ingress" {
# type = "ingress"
# cidr_blocks = ["10.0.0.0/8"]
# }
#
# # good
# resource "aws_security_group_rule" "ingress" {
# type = "ingress"
# cidr_blocks = ["10.4.3.0/24"]
# }
#
# # better
# resource "aws_security_group_rule" "ingress" {
# type = "ingress"
# security_group_id = aws_security_group.destination.id
# }
class WideIngress < SecurityGroupRuleCop
register
MSG = 'Avoid allowing ingress traffic from wide address blocks ' \
'(%<cidr>s).'
def check
return unless ingress?
attributes['cidr_blocks'].each do |cidr|
# Handled by OpenIngress
next if cidr == '0.0.0.0/0'
_, bits = cidr.split('/')
offense(format(MSG, cidr: cidr), :security) if bits.to_i < 16
end
end
end
end
end
end
Version data entries
3 entries across 3 versions & 1 rubygems
| Version | Path |
|---|---|
| terracop-0.2.0 | lib/terracop/cop/aws/wide_ingress.rb |
| terracop-0.1.1 | lib/terracop/cop/aws/wide_ingress.rb |
| terracop-0.1.0 | lib/terracop/cop/aws/wide_ingress.rb |