
When its property seems to be broken #248

Closed
melcloud opened this issue Apr 2, 2020 · 3 comments
Labels: bug, waiting for confirmation (Workaround/Fix applied, waiting for confirmation)

Comments

@melcloud

melcloud commented Apr 2, 2020

Description:
The following `when` conditions don't seem to work:

When its property is true
When its property is int

To Reproduce

  1. <Either a sample terraform code, or your terraform plan file if it doesn't have any confidential information>
```hcl
resource "aws_security_group" "ecs_task" {
  name        = "ecs-tasks"
  description = "Allow ECS Fargate tasks to communicate with each other"
  vpc_id      = var.vpc_id

  timeouts {
    create = "5m"
    delete = "5m"
  }
}

resource "aws_security_group_rule" "ecs_task_ingress_self" {
  type              = "ingress"
  description       = "Allow ECS task to communicate with itself (ingress)"
  security_group_id = aws_security_group.ecs_task.id
  protocol          = "tcp"
  from_port         = 0
  to_port           = 65535
  self              = true
}

resource "aws_security_group_rule" "ecs_task_egress_self" {
  type              = "egress"
  description       = "Allow ECS task to communicate with itself (egress)"
  security_group_id = aws_security_group.ecs_task.id
  protocol          = "tcp"
  from_port         = 0
  to_port           = 65535
  self              = true
}

resource "aws_security_group_rule" "ecs_task_egress_to_internet_443" {
  type              = "egress"
  description       = "Allow ECS task to communicate with Internet on 443"
  security_group_id = aws_security_group.ecs_task.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  #tfsec:ignore:AWS007
  cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "ecs_task_egress_to_mssql" {
  type              = "egress"
  description       = "Allow ECS task to communicate with MSSQL"
  security_group_id = aws_security_group.ecs_task.id
  protocol          = "tcp"
  from_port         = 1433
  to_port           = 1433
  cidr_blocks       = ["10.0.0.0/16"]
}
```
  2. -f features
  3. docker
  4. See below
```text
Feature: Security group(s) attached to ECS task must restrict inbound and outbound traffic  # /opt/app/test/ecs-sg.feature

    Scenario Outline: ECS security group allows communication with itself
        Given I have aws_security_group_rule defined
        When its security_group_id reference is "aws_security_group.ecs_task"
        And its self is true
        Then its protocol must be tcp
        And its from_port must be 0
        And its to_port must be 65535
        And its type must be <type>

    Examples:
        | type    |
        💡 SKIPPING: Can not find true self in aws_security_group_rule.ecs_task_egress_self, aws_security_group_rule.ecs_task_egress_to_internet_443, aws_security_group_rule.ecs_task_egress_to_mssql, aws_security_group_rule.ecs_task_ingress_self.
        | ingress |
        💡 SKIPPING: Can not find true self in aws_security_group_rule.ecs_task_egress_self, aws_security_group_rule.ecs_task_egress_to_internet_443, aws_security_group_rule.ecs_task_egress_to_mssql, aws_security_group_rule.ecs_task_ingress_self.
        | egress  |

    Scenario: ECS task security group allows egress to Internet on port 443
        Given I have aws_security_group_rule defined
        When its security_group_id reference is "aws_security_group.ecs_task"
        💡 SKIPPING: Can not find 443 from_port in aws_security_group_rule.ecs_task_egress_self, aws_security_group_rule.ecs_task_egress_to_internet_443, aws_security_group_rule.ecs_task_egress_to_mssql, aws_security_group_rule.ecs_task_ingress_self.
        And its from_port is 443
        Then its protocol must be tcp
        And its to_port must be 443
        And it must contain cidr_block
        And its value must contain 0.0.0.0/0
```
  5. <Your feature/scenario/steps>
```gherkin
Feature: Security group(s) attached to ECS task must restrict inbound and outbound traffic

  Scenario Outline: ECS security group allows communication with itself
    Given I have aws_security_group_rule defined
    When its security_group_id reference is "aws_security_group.ecs_task"
    And its self is true
    Then its protocol must be tcp
    And its from_port must be 0
    And its to_port must be 65535
    And its type must be <type>

    Examples:
      | type    |
      | ingress |
      | egress  |

  Scenario: ECS task security group allows egress to Internet on port 443
    Given I have aws_security_group_rule defined
    When its security_group_id reference is "aws_security_group.ecs_task"
    And its from_port is 443
    Then its protocol must be tcp
    And its to_port must be 443
    And it must contain cidr_block
    And its value must contain 0.0.0.0/0
```

Expected behavior:
All of the above tests pass.

Tested versions:

  • 1.1.15
  • 0.12.24

Additional context
Add any other context about the problem here.

@eerkunt
Member

eerkunt commented Apr 13, 2020

Thanks for the issue 🎉. Fixed the problem.

It looks like we also need to extend the Security Group step (e.g. Then it must have tcp protocol and port 443 for 0.0.0.0/0) to Security Group Rules, since your Scenario could be much shorter and more effective.

@eerkunt
Member

eerkunt commented Apr 13, 2020

Just enabled the Security Group related step to process Security Group Rules as well.

    Scenario: Ensure ECS Task SGR has tcp/443 defined for public network
        Given I have aws_security_group_rule defined
        When its security_group_id reference is "aws_security_group.ecs_task"
        And its type is egress
        And its from_port is 443
        Then it must have tcp protocol and port 443 for 0.0.0.0/0

You can even check all your egress traffic for that specific ecs_task like this:

    Scenario: Ensure ECS Task SGR has only tcp/443 for public network
        Given I have aws_security_group_rule defined
        When its security_group_id reference is "aws_security_group.ecs_task"
        And its type is egress
        Then it must have tcp protocol and port 443 for 0.0.0.0/0

Will release this today.
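
An added example, not terraform-compliance's own code and not from this thread, that models the two step kinds discussed on this page: the `When its <property> is <value>` filter from the issue and the `it must have <protocol> protocol and port <port> for <cidr>` assertion from the comments, run over the rules from the issue's terraform. The coercion of the Gherkin token to the attribute's type, the naive string comparison shown beside it for contrast, and the reading of the assertion step are this example's assumptions, not the project's implementation.

```python
def rule(type_, from_port, to_port, self_=False, cidrs=()):
    """One aws_security_group_rule as the attribute dict the steps inspect."""
    r = {"type": type_, "security_group_id": "aws_security_group.ecs_task",
         "protocol": "tcp", "from_port": from_port, "to_port": to_port,
         "self": self_}
    if cidrs:
        r["cidr_blocks"] = list(cidrs)
    return r

# Constructed from the terraform in the issue (only the attributes the steps use).
RULES = {
    "aws_security_group_rule.ecs_task_ingress_self": rule("ingress", 0, 65535, self_=True),
    "aws_security_group_rule.ecs_task_egress_self": rule("egress", 0, 65535, self_=True),
    "aws_security_group_rule.ecs_task_egress_to_internet_443":
        rule("egress", 443, 443, cidrs=["0.0.0.0/0"]),
    "aws_security_group_rule.ecs_task_egress_to_mssql":
        rule("egress", 1433, 1433, cidrs=["10.0.0.0/16"]),
}

def coerce(text, like):
    """Convert the Gherkin token ("true", "443") to the type of the attribute it is
    compared with. bool is tested before int because bool subclasses int."""
    if isinstance(like, bool):
        if text.strip().lower() not in ("true", "false"):
            raise ValueError(f"{text!r} is not a boolean")
        return text.strip().lower() == "true"
    if isinstance(like, int):
        return int(text)
    return text

def its_property_is(rules, prop, text):
    """'When its <prop> is <value>': keep rules whose attribute equals the value."""
    return {a: r for a, r in rules.items()
            if prop in r and r[prop] == coerce(text, r[prop])}

def naive_property_is(rules, prop, text):
    """Same filter without coercion: True and 443 never equal 'true' and '443',
    so no rule matches, the same symptom the issue reports."""
    return {a: r for a, r in rules.items() if r.get(prop) == text}

def only_protocol_port_for_cidr(rules, protocol, port, cidr):
    """Assumed reading of 'it must have <protocol> protocol and port <port> for
    <cidr>': a rule that reaches <cidr> may open exactly <protocol>/<port> and
    nothing else. Returns addresses of violating rules (empty = scenario passes)."""
    bad = []
    for addr, r in rules.items():
        if cidr in r.get("cidr_blocks", []) and not (
                r["protocol"] == protocol and r["from_port"] == port == r["to_port"]):
            bad.append(addr)
    return bad
```

Filtering on `self` with coercion keeps the two self-referencing rules, filtering on `type` egress and then running the assertion over the result returns no violations for the issue's rules, and a constructed wide-open egress rule to 0.0.0.0/0 is reported.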

eerkunt added the label "waiting for confirmation" (Workaround/Fix applied, waiting for confirmation) Apr 13, 2020
@ghost

ghost commented Apr 17, 2020

This issue's conversation is now locked. If you want to continue this discussion please open a new issue.

ghost locked and limited conversation to collaborators Apr 17, 2020