class Terracop::Cop::Aws::OpenIngress

This cop warns against an ingress rule from 0.0.0.0/0. With a couple of specific exceptions, you don't want to allow traffic from anywhere in the world to most of your infrastructure. A common exception is the external Load Balancer receiving traffic for a website. Use the `Except` configuration to whitelist that specific rule.

@example

# bad
resource "aws_security_group_rule" "ingress" {
  type        = "ingress"
  cidr_blocks = ["0.0.0.0/0"]
}

# good
resource "aws_security_group_rule" "ingress" {
  type        = "ingress"
  cidr_blocks = ["10.4.0.0/16"]
}

# better
resource "aws_security_group_rule" "ingress" {
  type                     = "ingress"
  # Restrict the source to another security group instead of a CIDR.
  # (In aws_security_group_rule, security_group_id is the group the rule is
  # attached to; the source is source_security_group_id.)
  source_security_group_id = aws_security_group.source.id
}

Public Instance Methods

check()
# File lib/terracop/cop/aws/open_ingress.rb, line 36
def check
  return unless ingress? && any_ip?

  offense('Avoid allowing ingress traffic from 0.0.0.0/0.', :security)
end
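The `check` method above relies on `ingress?` and `any_ip?`, which are not shown on this page. The following is an added example, not terracop's own code: a self-contained version of the same check that runs over security group rules represented as plain hashes (a stand-in for the parsed Terraform a cop would receive), honours an `Except` list of exempted resource names as the description above suggests, and also flags the IPv6 any-address `::/0`, which is this example's generalisation rather than something the page states. All resource names and values below are constructed sample data.

```ruby
# Added example (not part of terracop): a stand-alone OpenIngress check.
# Rules are hashes keyed by the attribute names of aws_security_group_rule.

ANY_IPV4 = '0.0.0.0/0'.freeze
ANY_IPV6 = '::/0'.freeze # generalisation: IPv6 "anywhere", not on the page

OpenIngressOffense = Struct.new(:name, :message, :severity)

# True when the rule is an ingress rule (egress from anywhere is a different concern).
def ingress?(rule)
  rule['type'] == 'ingress'
end

# True when any IPv4 or IPv6 CIDR on the rule covers the whole address space.
def any_ip?(rule)
  cidrs = Array(rule['cidr_blocks']) + Array(rule['ipv6_cidr_blocks'])
  cidrs.any? { |cidr| [ANY_IPV4, ANY_IPV6].include?(cidr) }
end

# Returns an offense for one rule, or nil. `except` mirrors the cop's Except
# configuration: resource names that are deliberately open (e.g. a public
# load balancer listener) and should not be reported.
def check_open_ingress(name, rule, except: [])
  return nil if except.include?(name)
  return nil unless ingress?(rule) && any_ip?(rule)

  OpenIngressOffense.new(name, 'Avoid allowing ingress traffic from 0.0.0.0/0.', :security)
end

# Scans a { name => rule } hash and returns the list of offenses.
def scan_rules(rules, except: [])
  rules.map { |name, rule| check_open_ingress(name, rule, except: except) }.compact
end

# Constructed sample rules covering the cases the documentation discusses.
SAMPLE_RULES = {
  'ssh_from_anywhere' => { 'type' => 'ingress', 'cidr_blocks' => ['0.0.0.0/0'],
                           'from_port' => 22, 'to_port' => 22, 'protocol' => 'tcp' },
  'office_only'       => { 'type' => 'ingress', 'cidr_blocks' => ['10.4.0.0/16'] },
  'from_lb_group'     => { 'type' => 'ingress', 'source_security_group_id' => 'sg-PLACEHOLDER' },
  'lb_https'          => { 'type' => 'ingress', 'cidr_blocks' => ['0.0.0.0/0'],
                           'from_port' => 443, 'to_port' => 443, 'protocol' => 'tcp' },
  'egress_all'        => { 'type' => 'egress', 'cidr_blocks' => ['0.0.0.0/0'] },
  'v6_any'            => { 'type' => 'ingress', 'ipv6_cidr_blocks' => ['::/0'] }
}.freeze

if __FILE__ == $PROGRAM_NAME
  # The public HTTPS listener is the documented exception, so it is exempted.
  scan_rules(SAMPLE_RULES, except: ['lb_https']).each do |offense|
    puts "#{offense.name}: #{offense.message} (#{offense.severity})"
  end
end
```

Run as a script it reports `ssh_from_anywhere` and `v6_any` only: the `10.4.0.0/16` rule and the rule sourced from another security group pass, the egress rule is out of scope for this cop, and `lb_https` is suppressed by the exception list.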