FG_R00377 and FG_R00041 conflict with each other #222
Comments
Regula v1.5.0. I'm using the opa binary with the regula library of rules in a container.

Hi, @alleynec! I agree that looking at these rules together is confusing. There is a condition in FG_R00041 that does allow traffic on port 80 if the security group is only attached to a load balancer. So taken together, those rules say that security groups can only allow traffic from 0.0.0.0/0 if:

From the configuration in your description, it does look like you intend to attach that security group to a load balancer. Is that the case? If so, I'm wondering whether the cause of the rule failure is the same as your other tickets #220 and #221.

@jason-fugue Yes, it is the case; I attempted to attach that security group to a load balancer. The code for that specific resource is below: `resource "aws_alb" "main" {` What was the cause of the failures in tickets #220 and #221? Also, FYI, I'm using opa version 0.28.0.

This got closed automatically when I merged.

Still failing on rule FG_R00041. Do these two rules together only allow traffic on port 443 from 0.0.0.0/0?

I ended up using port 443 for http.
The AWS TF rule FG_R00377 allows internet traffic (0.0.0.0/0) on ports 80 and 443. However, FG_R00041 disallows internet traffic on port 80. In my opinion, internet traffic on port 80 should be allowed for simple static sites. Here is the security group code that fails on FG_R00041 (var.port is defined as 80):

```hcl
resource "aws_security_group" "lb" {
  name        = "tf-ecs-alb"
  description = "controls access to the ALB"
  vpc_id      = aws_vpc.pavpc.id

  ingress {
    protocol    = "tcp"
    from_port   = var.port
    to_port     = var.port
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = local.tag_name
    Tier = local.tag_tier_public
  }
}
```
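To make the interaction between the two rules concrete, here is an added Python model (not Regula's own Rego, and not code from anyone in this thread) that evaluates the security group above the way the maintainer's comment describes the rules: FG_R00377 accepts a group whose world-open ports are only 80 and 443, and FG_R00041 accepts 443 always but 80 only when the group is attached solely to a load balancer. The exact logic inside Regula's rules is an assumption here; the `lb_security_group` helper is a constructed dict version of the `aws_security_group.lb` resource with `var.port` substituted, and the `attached_only_to_lb` flag stands in for whatever attachment check the real rule performs.

```python
# Added example, not Regula's own rule code. Models the behaviour of
# FG_R00377 and FG_R00041 as described in this issue thread; the real Rego
# may differ (assumption).
from typing import Iterable

WORLD = "0.0.0.0/0"
ALL_PORTS = range(0, 65536)


def _rule_ports(rule: dict) -> Iterable[int]:
    """Expand one ingress/egress block to the ports it opens.
    protocol "-1" or a 0-0 range means every port (as in the egress block)."""
    if str(rule.get("protocol")) == "-1":
        return ALL_PORTS
    lo, hi = int(rule["from_port"]), int(rule["to_port"])
    if (lo, hi) == (0, 0):
        return ALL_PORTS
    return range(lo, hi + 1)


def world_open_ports(sg: dict) -> set[int]:
    """Ports reachable from 0.0.0.0/0 through any ingress block of the group.
    Egress is deliberately ignored: both rules concern inbound exposure."""
    ports: set[int] = set()
    for rule in sg.get("ingress", []):
        if WORLD in rule.get("cidr_blocks", []):
            ports.update(_rule_ports(rule))
    return ports


def fg_r00377_like(sg: dict) -> bool:
    """Assumed reading of FG_R00377: only 80 and 443 may be open to the world."""
    return world_open_ports(sg) <= {80, 443}


def fg_r00041_like(sg: dict, attached_only_to_lb: bool) -> bool:
    """Assumed reading of FG_R00041 from the maintainer's comment: 443 passes,
    80 passes only when the group is attached solely to a load balancer,
    any other world-open port fails."""
    allowed = {443} | ({80} if attached_only_to_lb else set())
    return world_open_ports(sg) <= allowed


def evaluate(sg: dict, attached_only_to_lb: bool) -> dict[str, bool]:
    """Run both rule models and report pass/fail per rule id."""
    return {
        "FG_R00377": fg_r00377_like(sg),
        "FG_R00041": fg_r00041_like(sg, attached_only_to_lb),
    }


def lb_security_group(port: int) -> dict:
    """Constructed dict form of aws_security_group.lb from the issue,
    with var.port substituted by the caller."""
    return {
        "name": "tf-ecs-alb",
        "ingress": [{"protocol": "tcp", "from_port": port, "to_port": port,
                     "cidr_blocks": [WORLD]}],
        "egress": [{"protocol": "-1", "from_port": 0, "to_port": 0,
                    "cidr_blocks": [WORLD]}],
    }


if __name__ == "__main__":
    # Reproduces the thread: port 80 passes FG_R00377 but fails FG_R00041
    # unless the group is attached only to a load balancer; 443 passes both.
    for port in (80, 443):
        for lb_only in (False, True):
            label = "lb-only" if lb_only else "not-lb-only"
            print(port, label, evaluate(lb_security_group(port), lb_only))
```

Running it shows why the two rules are not a contradiction but a narrowing: FG_R00377 bounds the set of world-open ports, and FG_R00041 adds the attachment condition on port 80, so a group opening 80 to 0.0.0.0/0 is only clean when the evaluator can see it is bound exclusively to the load balancer.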