diff --git a/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py b/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py
new file mode 100644
index 00000000000..d34dfa51d0c
--- /dev/null
+++ b/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py
@@ -0,0 +1,10 @@
+from checkov.terraform.checks.resource.aws.AbsSecurityGroupUnrestrictedIngress import\
+    AbsSecurityGroupUnrestrictedIngress
+
+
+class SecurityGroupUnrestrictedIngressAll(AbsSecurityGroupUnrestrictedIngress):
+    def __init__(self):
+        super().__init__(check_id="CKV_AWS_277", port=-1)
+
+
+check = SecurityGroupUnrestrictedIngressAll()
diff --git a/tests/terraform/checks/resource/aws/example_SecurityGroupUnrestrictedIngressAny/main.tf b/tests/terraform/checks/resource/aws/example_SecurityGroupUnrestrictedIngressAny/main.tf
new file mode 100644
index 00000000000..3175de17557
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/example_SecurityGroupUnrestrictedIngressAny/main.tf
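Review bot: The class is named `SecurityGroupUnrestrictedIngressAll` while the module, the fixture directory and the test are all named `...IngressAny`; only `check` is imported so nothing breaks, but anyone grepping for CKV_AWS_277 will trip over it, so `class SecurityGroupUnrestrictedIngressAny(AbsSecurityGroupUnrestrictedIngress):` would be consistent. More importantly, `port=-1` is a sentinel whose meaning lives in AbsSecurityGroupUnrestrictedIngress, which is outside this diff; if the base class compares `from_port`/`to_port` against the literal value, this check will only match rules written as `-1`/`-1` and miss the shapes people actually use to open every port (`protocol = "-1"` with 0/0, or `from_port = 0, to_port = 65535`). The class should carry a docstring stating which rule shapes count as "any port", e.g. `"""Flags ingress rules open to 0.0.0.0/0 on every port; port=-1 is the base-class sentinel for 'all ports' — see AbsSecurityGroupUnrestrictedIngress for which from_port/to_port/protocol combinations match."""`, and that claim should be checked against the base class before this ships.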
@@ -0,0 +1,60 @@
+# pass
+
+resource "aws_security_group" "pass" {
+  name = "example"
+  vpc_id = "aws_vpc.example.id"
+
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 80
+    to_port = 80
+    protocol = "tcp"
+  }
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 443
+    to_port = 443
+    protocol = "tcp"
+  }
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+  }
+}
+
+resource "aws_security_group_rule" "pass" {
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port = 80
+  to_port = 80
+  protocol = "tcp"
+  security_group_id = "sg-12345"
+  type = "ingress"
+}
+
+# fail
+resource "aws_security_group" "fail" {
+  name = "allow-all-ingress"
+  description = "unfettered access"
+  vpc_id = "test_vpc"
+
+  ingress {
+    from_port = -1
+    to_port = -1
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Test unfettered access"
+  }
+}
+
+
+resource "aws_security_group_rule" "fail" {
+  cidr_blocks = ["0.0.0.0/0"]
+  from_port = -1
+  to_port = -1
+  protocol = "tcp"
+  security_group_id = "sg-12345"
+  description = "Test unfettered access"
+  type = "ingress"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/aws/test_SecurityGroupUnrestrictedIngressAny.py b/tests/terraform/checks/resource/aws/test_SecurityGroupUnrestrictedIngressAny.py
new file mode 100644
index 00000000000..4165a52904f
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/test_SecurityGroupUnrestrictedIngressAny.py
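Review bot: Both `fail` resources encode "all ports" as `from_port = -1`, `to_port = -1` with `protocol = "tcp"`, which is not a shape AWS accepts for TCP (a port of -1 is only meaningful for ICMP or together with `protocol = "-1"`), so the fixture exercises a rule nobody writes while the realistic all-port forms — `protocol = "-1"` with `from_port = 0` / `to_port = 0`, exactly what the `pass` group's egress block already uses, and `from_port = 0` / `to_port = 65535` — are never asserted to fail. Whether CKV_AWS_277 flags those depends on how the base class interprets its `port=-1` sentinel, which this diff does not show, and this fixture is where that gap would surface; I would add one fail resource per shape, as below, and adjust the test's expected counts accordingly. Minor: `vpc_id = "aws_vpc.example.id"` is a string literal rather than a reference; `vpc_id = aws_vpc.example.id` is what a real configuration would carry, though it has no effect on this check.
```hcl
# … unchanged: pass resources and the two existing fail resources …

resource "aws_security_group_rule" "fail_all_protocols" {
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  security_group_id = "sg-12345"
  type              = "ingress"
}

resource "aws_security_group_rule" "fail_full_range" {
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  security_group_id = "sg-12345"
  type              = "ingress"
}
```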
@@ -0,0 +1,43 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.aws.SecurityGroupUnrestrictedIngressAny import check
+from checkov.terraform.runner import Runner
+
+
+class TestSecurityGroupUnrestrictedIngressAny(unittest.TestCase):
+    def test(self):
+        # given
+        test_files_dir = Path(__file__).parent / "example_SecurityGroupUnrestrictedIngressAny"
+
+        # when
+        report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+        # then
+        summary = report.get_summary()
+
+        passing_resources = {
+            "aws_security_group.pass",
+            "aws_security_group_rule.pass",
+        }
+
+        failing_resources = {
+            "aws_security_group.fail",
+            "aws_security_group_rule.fail",
+        }
+
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 2)
+        self.assertEqual(summary["failed"], 2)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()
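Review bot: The hard-coded counts in `self.assertEqual(summary["passed"], 2)` and `self.assertEqual(summary["failed"], 2)` restate the set comparisons a few lines below and go stale the moment a fixture resource is added or renamed, which is exactly what extending the fixture with the other all-port rule shapes would require; `self.assertEqual(summary["passed"], len(passing_resources))` and `self.assertEqual(summary["failed"], len(failing_resources))` keep the two checks in step. The bare method name `test` also produces an unhelpful failure line in pytest output; `def test_unrestricted_ingress_any(self):` says what is under test.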