Class: Terracop::Cop::Aws::OpenEgress

Inherits:
SecurityGroupRuleCop
Defined in:
lib/terracop/cop/aws/open_egress.rb

Overview

This cop flags an egress rule whose cidr_blocks contain 0.0.0.0/0. Such rules are very common and not necessarily a defect, but an unrestricted outbound rule lets a compromised instance reach any host on the internet (for data exfiltration or command-and-control traffic), so you may want to restrict outbound traffic to specific addresses, or to other security groups, especially in highly regulated environments.

Examples:

# bad: any destination
resource "aws_security_group_rule" "egress" {
  type              = "egress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  security_group_id = aws_security_group.app.id # group the rule is attached to (name assumed)
  cidr_blocks       = ["0.0.0.0/0"]
}

# good: a specific network
resource "aws_security_group_rule" "egress" {
  type              = "egress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  security_group_id = aws_security_group.app.id
  cidr_blocks       = ["10.4.0.0/16"]
}

# better: another security group. The destination group goes in
# source_security_group_id (the attribute is used for both ingress and
# egress rules); security_group_id is the group the rule is attached to.
resource "aws_security_group_rule" "egress" {
  type                     = "egress"
  protocol                 = "-1"
  from_port                = 0
  to_port                  = 0
  security_group_id        = aws_security_group.app.id
  source_security_group_id = aws_security_group.destination.id
}
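The following is an added, stand-alone Ruby illustration of the logic this cop applies; it is not terracop's own code. It assumes the rule attributes are available as a Hash and goes one step beyond the cop's 0.0.0.0/0 message by treating any CIDR with a prefix length of 0 (so also ::/0 in ipv6_cidr_blocks) as "any address". The sample rules are constructed for the example.

```ruby
require 'ipaddr'

# Constructed sample rules, shaped like the attributes of an
# aws_security_group_rule resource (an assumption of this example).
SAMPLE_RULES = [
  { name: 'open_v4',  type: 'egress',  cidr_blocks: ['0.0.0.0/0'] },
  { name: 'open_v6',  type: 'egress',  ipv6_cidr_blocks: ['::/0'] },
  { name: 'private',  type: 'egress',  cidr_blocks: ['10.4.0.0/16'] },
  { name: 'by_group', type: 'egress',  source_security_group_id: 'sg-0123456789abcdef0' },
  { name: 'ingress',  type: 'ingress', cidr_blocks: ['0.0.0.0/0'] }
].freeze

# True when a CIDR covers every address of its family, i.e. its prefix
# length is 0. This matches 0.0.0.0/0 and also ::/0. Strings that are not
# valid CIDRs are not treated as "any".
def any_ip?(cidr)
  IPAddr.new(cidr).prefix.zero?
rescue IPAddr::Error
  false
end

def egress?(rule)
  rule[:type] == 'egress'
end

# Return one offense message per egress rule that reaches the whole internet.
# Rules restricted to a network or to another security group produce nothing.
def open_egress_offenses(rules)
  rules.filter_map do |rule|
    next unless egress?(rule)

    cidrs = Array(rule[:cidr_blocks]) + Array(rule[:ipv6_cidr_blocks])
    open = cidrs.select { |c| any_ip?(c) }
    next if open.empty?

    "#{rule[:name]}: Avoid allowing egress traffic to #{open.join(', ')}."
  end
end

puts open_egress_offenses(SAMPLE_RULES) if __FILE__ == $PROGRAM_NAME
```

Running the file prints two offenses (open_v4 and open_v6); the ingress rule is ignored because this cop only concerns outbound traffic, and the rule scoped to a security group has no CIDR to inspect.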

Instance Attribute Summary

Attributes inherited from Base

#attributes, #index, #name, #offenses, #type

Instance Method Summary

Methods inherited from Base

config, cop_name, #human_name, #initialize, #offense, run

Constructor Details

This class inherits a constructor from Terracop::Cop::Base

Instance Method Details

#check ⇒ Object

# File 'lib/terracop/cop/aws/open_egress.rb', line 34

# Report an offense when this rule is an egress rule whose CIDR list
# contains the any-address (0.0.0.0/0). The egress? and any_ip? predicates
# are not defined in this file; they are inherited from the parent cop classes.
def check
  return unless egress? && any_ip?

  offense('Avoid allowing egress traffic to 0.0.0.0/0.', :security)
end