Class: Terracop::Cop::Aws::WideEgress

Inherits:
SecurityGroupRuleCop
Defined in:
lib/terracop/cop/aws/wide_egress.rb

Overview

This cop warns against egress security group rules that allow very wide address ranges. It complements OpenEgress, which catches the fully open 0.0.0.0/0 block, by also flagging blocks such as 10.0.0.0/8 (anything with a prefix shorter than /16). Always pick the smallest possible set of sources/destinations.

Examples:

# bad
resource "aws_security_group_rule" "egress" {
  type        = "egress"
  cidr_blocks = ["10.0.0.0/8"]
}

# good
resource "aws_security_group_rule" "egress" {
  type        = "egress"
  cidr_blocks = ["10.4.3.0/24"]
}

# better
resource "aws_security_group_rule" "egress" {
  type              = "egress"
  security_group_id = aws_security_group.destination.id
}

Constant Summary

MSG =
'Avoid allowing egress traffic from wide address blocks ' \
'(%<cidr>s).'

Instance Attribute Summary

Attributes inherited from Base

#attributes, #index, #name, #offenses, #type

Instance Method Summary

Methods inherited from Base

config, cop_name, #human_name, #initialize, #offense, run

Constructor Details

This class inherits a constructor from Terracop::Cop::Base

Instance Method Details

#check ⇒ Object

# File 'lib/terracop/cop/aws/wide_egress.rb', line 38

def check
  # Only egress rules are in scope; egress? is provided by SecurityGroupRuleCop.
  return unless egress?

  # A rule that only references a security group (see the "better" example)
  # has no cidr_blocks, so guard against nil before iterating.
  Array(attributes['cidr_blocks']).each do |cidr|
    # Handled by OpenEgress
    next if cidr == '0.0.0.0/0'

    # Prefix length is the part after the slash; a block without "/"
    # yields 0 here and is therefore flagged as well.
    _, bits = cidr.split('/')

    # Anything wider than /16 is reported as a security offense.
    offense(format(MSG, cidr: cidr), :security) if bits.to_i < 16
  end
end
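To show how the prefix-length rule behaves on the three documented cases (the "bad", "good" and "better" rules above) as well as on a rule that mixes an open block with a wide one, here is an added stand-alone re-creation of the check. It is example code written for this page, not terracop's own implementation: the `wide_egress_offenses` function, the `WIDE_EGRESS_MSG`/`MIN_PREFIX_BITS` names and the plain-hash shape of the rule attributes are assumptions of the example. It uses Ruby's `IPAddr` to read the prefix length, so a malformed CIDR raises instead of being silently treated as /0 the way the string split in the cop does.

```ruby
# Added example (not terracop's own code): a stand-alone version of the
# WideEgress check, run over constructed aws_security_group_rule attributes.
require 'ipaddr'

# Same message text as the cop's MSG constant.
WIDE_EGRESS_MSG = 'Avoid allowing egress traffic from wide address blocks (%<cidr>s).'
MIN_PREFIX_BITS = 16 # prefixes shorter than /16 count as "wide"

# Returns the offense messages for one rule. The hash keys mirror the
# Terraform resource arguments ('type', 'cidr_blocks', 'security_group_id');
# this flat-hash shape is an assumption of the example.
def wide_egress_offenses(attributes)
  return [] unless attributes['type'] == 'egress'

  # A rule that only references a security group has no cidr_blocks.
  Array(attributes['cidr_blocks']).filter_map do |cidr|
    next if cidr == '0.0.0.0/0' # OpenEgress covers the fully open block

    # IPAddr raises IPAddr::InvalidAddressError on malformed input rather
    # than letting a typo pass as a /0 (or /32) block.
    bits = IPAddr.new(cidr).prefix
    format(WIDE_EGRESS_MSG, cidr: cidr) if bits < MIN_PREFIX_BITS
  end
end

# Runs the check over a set of named rules and returns {name => [messages]}
# for every rule that produced at least one offense.
def wide_egress_report(rules)
  rules.each_with_object({}) do |(name, attributes), report|
    offenses = wide_egress_offenses(attributes)
    report[name] = offenses unless offenses.empty?
  end
end

# Constructed sample input mirroring the documented examples.
SAMPLE_RULES = {
  'bad'    => { 'type' => 'egress', 'cidr_blocks' => ['10.0.0.0/8'] },
  'good'   => { 'type' => 'egress', 'cidr_blocks' => ['10.4.3.0/24'] },
  'better' => { 'type' => 'egress', 'security_group_id' => 'sg-example' },
  'mixed'  => { 'type' => 'egress', 'cidr_blocks' => ['0.0.0.0/0', '172.16.0.0/12'] },
  'ingress' => { 'type' => 'ingress', 'cidr_blocks' => ['10.0.0.0/8'] }
}.freeze

if __FILE__ == $PROGRAM_NAME
  wide_egress_report(SAMPLE_RULES).each do |name, messages|
    messages.each { |m| puts "#{name}: #{m}" }
  end
end
```

Only the "bad" and "mixed" rules produce offenses; "mixed" reports 172.16.0.0/12 but not 0.0.0.0/0, because that block is left to OpenEgress exactly as in the cop.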