Class: Terracop::Cop::Aws::OpenIngress

Inherits:
SecurityGroupRuleCop
Defined in:
lib/terracop/cop/aws/open_ingress.rb

Overview

This cop warns against an ingress rule whose `cidr_blocks` includes 0.0.0.0/0. With a couple of specific exceptions, you don't want to allow traffic from anywhere in the world to most of your infrastructure. A common exception is the external Load Balancer receiving traffic for a public website. Use the `Except` configuration to whitelist that specific rule.

Examples:

# bad: accepts traffic from every address on the Internet
resource "aws_security_group_rule" "ingress" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"]
}

# good: restricted to a known internal range
resource "aws_security_group_rule" "ingress" {
  type        = "ingress"
  cidr_blocks = ["10.4.0.0/16"]
}

# better: no CIDR at all; allow traffic only from members of another
# security group (the source group is set with source_security_group_id)
resource "aws_security_group_rule" "ingress" {
  type                     = "ingress"
  source_security_group_id = aws_security_group.source.id
}

Instance Attribute Summary

Attributes inherited from Base

#attributes, #index, #name, #offenses, #type

Instance Method Summary

Methods inherited from Base

config, cop_name, #human_name, #initialize, #offense, run

Constructor Details

This class inherits a constructor from Terracop::Cop::Base

Instance Method Details

#check ⇒ Object

# File 'lib/terracop/cop/aws/open_ingress.rb', line 36

def check
  # Only ingress rules that match the any-address CIDR are flagged;
  # ingress? and any_ip? are provided by SecurityGroupRuleCop.
  return unless ingress? && any_ip?

  offense('Avoid allowing ingress traffic from 0.0.0.0/0.', :security)
end
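To show what the Overview describes and what #check does in context, here is a stand-alone Ruby version of the same detection run over a handful of constructed security-group rules. This is an added example, not Terracop's own code: the rule hashes, the `open_ingress_offenses` function, the `except:` allowlist of resource addresses, and the local `ingress?`/`any_ip?` helpers are assumptions for this illustration (Terracop's helpers live in SecurityGroupRuleCop and are not shown on this page). It goes slightly beyond the page by also treating the IPv6 any-address block `::/0` as open.

```ruby
# Added example (not Terracop's code): a self-contained OpenIngress check.
# The resource hashes below are constructed for this illustration.

ANY_IPV4 = '0.0.0.0/0'
ANY_IPV6 = '::/0'  # extension beyond the page: IPv6 equivalent of "anywhere"

# Constructed input: attributes as they might appear in resource blocks.
RULES = [
  { address: 'aws_security_group_rule.web_lb',
    type: 'ingress', cidr_blocks: ['0.0.0.0/0'] },           # public LB: allowed via except
  { address: 'aws_security_group_rule.db',
    type: 'ingress', cidr_blocks: ['10.4.0.0/16'] },          # internal range: fine
  { address: 'aws_security_group_rule.v6_open',
    type: 'ingress', ipv6_cidr_blocks: ['::/0'] },            # open over IPv6: flagged
  { address: 'aws_security_group_rule.egress_all',
    type: 'egress', cidr_blocks: ['0.0.0.0/0'] },             # egress: not this cop's concern
  { address: 'aws_security_group_rule.from_sg',
    type: 'ingress', source_security_group_id: 'sg-0123' },  # source is a group: fine
].freeze

# Hypothetical stand-ins for the helpers SecurityGroupRuleCop provides.
def ingress?(rule)
  rule[:type] == 'ingress'
end

# True when any listed block covers the whole IPv4 or IPv6 address space.
def any_ip?(rule)
  Array(rule[:cidr_blocks]).include?(ANY_IPV4) ||
    Array(rule[:ipv6_cidr_blocks]).include?(ANY_IPV6)
end

# Returns one [address, message, severity] triple per flagged rule.
# `except:` is the allowlist of resource addresses the Overview calls `Except`.
def open_ingress_offenses(rules, except: [])
  rules.filter_map do |rule|
    next if except.include?(rule[:address])
    next unless ingress?(rule) && any_ip?(rule)

    [rule[:address], 'Avoid allowing ingress traffic from 0.0.0.0/0.', :security]
  end
end

if $PROGRAM_NAME == __FILE__
  allow = ['aws_security_group_rule.web_lb']
  open_ingress_offenses(RULES, except: allow).each do |address, message, severity|
    puts "#{address}: #{message} (#{severity})"
  end
end
```

Run without the `except:` list and both the IPv4 and IPv6 open rules are reported; with the load balancer's address allowlisted, only the IPv6 rule remains, and the egress rule and the group-sourced rule are never flagged.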