feat(terraform): test checks for any port access (#3882)

Allows any port access
bridgecrewio · Nov 15, 2022 · 18f30de · 18f30de
1 parent 23a33af
commit 18f30de
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 0 deletions.
diff --git a/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py b/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py
@@ -0,0 +1,10 @@
+from checkov.terraform.checks.resource.aws.AbsSecurityGroupUnrestrictedIngress import\
+    AbsSecurityGroupUnrestrictedIngress
+
+
+class SecurityGroupUnrestrictedIngressAll(AbsSecurityGroupUnrestrictedIngress):
+    def __init__(self):
+        super().__init__(check_id="CKV_AWS_277", port=-1)
+
+
+check = SecurityGroupUnrestrictedIngressAll()
diff --git a/tests/terraform/checks/resource/aws/example_SecurityGroupUnrestrictedIngressAny/main.tf b/tests/terraform/checks/resource/aws/example_SecurityGroupUnrestrictedIngressAny/main.tf
@@ -0,0 +1,60 @@
+# pass
+
+resource "aws_security_group" "pass" {
+  name   = "example"
+  vpc_id = "aws_vpc.example.id"
+
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+  }
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+  }
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+  }
+}
+
+resource "aws_security_group_rule" "pass" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  security_group_id = "sg-12345"
+  type              = "ingress"
+}
+
+# fail
+resource "aws_security_group" "fail" {
+  name        = "allow-all-ingress"
+  description = "unfettered access"
+  vpc_id      = "test_vpc"
+
+  ingress {
+    from_port   = -1
+    to_port     = -1
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Test unfettered access"
+  }
+}
+
+
+resource "aws_security_group_rule" "fail" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = -1
+  to_port           = -1
+  protocol          = "tcp"
+  security_group_id = "sg-12345"
+  description = "Test unfettered access"
+  type              = "ingress"
+}
diff --git a/tests/terraform/checks/resource/aws/test_SecurityGroupUnrestrictedIngressAny.py b/tests/terraform/checks/resource/aws/test_SecurityGroupUnrestrictedIngressAny.py
@@ -0,0 +1,43 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngressAny import check
+from checkov.terraform.runner import Runner
+
+
+class TestSecurityGroupUnrestrictedIngressAny(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_SecurityGroupUnrestrictedIngressAny"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "aws_security_group.pass",
+            "aws_security_group_rule.pass",
+        }
+
+        failing_resources = {
+            "aws_security_group.fail",
+            "aws_security_group_rule.fail",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 2)
+        self.assertEqual(summary["failed"], 2)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()