This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

FG_R00377 and FG_R00041 conflict with each other #222

Closed
alleynec opened this issue Oct 12, 2021 · 6 comments · Fixed by #223

Comments

@alleynec
Contributor

alleynec commented Oct 12, 2021

The AWS TF rule FG_R00377 allows for internet traffic (0.0.0.0/0) from ports 80 and 443. However, FG_R00041 disallows internet traffic from port 80. In my opinion, internet traffic from port 80 should be allowed for simple static sites. Here is the security group code that fails on FG_R00041. (var.port is defined as 80)


resource "aws_security_group" "lb" {
  name        = "tf-ecs-alb"
  description = "controls access to the ALB"
  vpc_id      = aws_vpc.pavpc.id

  ingress {
    protocol    = "tcp"
    from_port   = var.port
    to_port     = var.port
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = local.tag_name
    Tier = local.tag_tier_public
  }
}

@alleynec
Contributor Author

Regula v1.5.0. I'm using the opa binary with the regula library of rules in a container.

@jason-fugue
Contributor

Hi, @alleynec! I agree that looking at these rules together is confusing. There is a condition in FG_R00041 that does allow traffic on port 80 if the security group is only attached to a load balancer. So taken together, those rules say that security groups can only allow traffic from 0.0.0.0/0 if:

  • The traffic is on port 443
  • The traffic is on port 80 and the only resource associated with this security group is a load balancer

From the configuration in your description, it does look like you intend to attach that security group to a load balancer. Is that the case? If so, I'm wondering if the cause of the rule failure is the same as your other tickets #220 and #221.
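The combined rule logic described above, as an added example that is not part of this thread and not Regula's own Rego: a small Python model that flags 0.0.0.0/0 ingress unless it is port 443, or port 80 on a security group whose only attachments are load balancers. The input dicts, the `aws_alb`/`aws_lb` type set and the sample `aws_instance` attachment are constructed assumptions mirroring the thread's Terraform (`var.port = 80`).

```python
# Added example: a Python model of the combined FG_R00377/FG_R00041 logic as
# described in this thread. Not Regula's Rego; the data shapes are assumptions.
from typing import List, Set

ANY_IPV4 = "0.0.0.0/0"
LB_TYPES = {"aws_alb", "aws_lb"}  # assumption: which resource types count as LBs

# Constructed inputs mirroring the thread's Terraform (var.port = 80).
def sg_with_port(port: int) -> dict:
    return {"id": "aws_security_group.lb",
            "ingress": [{"protocol": "tcp", "from_port": port, "to_port": port,
                         "cidr_blocks": [ANY_IPV4]}]}

SG_LB = sg_with_port(80)
ALB_MAIN = {"type": "aws_alb", "security_groups": ["aws_security_group.lb"]}
EC2_WEB = {"type": "aws_instance", "security_groups": ["aws_security_group.lb"]}

def attached_types(sg_id: str, attachments: List[dict]) -> Set[str]:
    """Resource types whose security_groups list references sg_id."""
    return {a["type"] for a in attachments if sg_id in a["security_groups"]}

def evaluate_sg(sg: dict, attachments: List[dict]) -> List[str]:
    """Return findings for one security group; an empty list means it passes."""
    types = attached_types(sg["id"], attachments)
    only_lb = bool(types) and types <= LB_TYPES
    findings = []
    for rule in sg.get("ingress", []):
        if ANY_IPV4 not in rule.get("cidr_blocks", []):
            continue  # not world-reachable, out of scope for these rules
        lo, hi = rule.get("from_port"), rule.get("to_port")
        if rule.get("protocol") == "-1":
            findings.append("all protocols open to 0.0.0.0/0")
        elif (lo, hi) == (443, 443):
            continue  # always allowed
        elif (lo, hi) == (80, 80):
            if not only_lb:
                findings.append(f"port 80 open to 0.0.0.0/0 but SG is attached to "
                                f"{sorted(types) or 'nothing'}, not only a load balancer")
        else:
            findings.append(f"ports {lo}-{hi} open to 0.0.0.0/0")
    return findings

if __name__ == "__main__":
    print(evaluate_sg(SG_LB, [ALB_MAIN]))           # [] -> passes
    print(evaluate_sg(SG_LB, []))                   # port-80 finding
    print(evaluate_sg(SG_LB, [ALB_MAIN, EC2_WEB]))  # port-80 finding
```

An unattached port-80 group fails even though the group itself looks identical, which is why the attachment resources matter when reproducing this report.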

@alleynec
Contributor Author

alleynec commented Oct 12, 2021

@jason-fugue Yes, that is the case: I attempted to attach that security group to a load balancer. The code for that specific resource is below:

resource "aws_alb" "main" {
  name            = "tf-ecs-pa"
  subnets         = data.aws_subnet_ids.public.ids
  security_groups = [aws_security_group.lb.id]
  depends_on      = [aws_subnet.public]
}

What was the cause of the failures in tickets #220 and #221? Also, FYI, I'm using opa version 0.28.0

@jason-fugue
Contributor

This got closed automatically when I merged.

@jason-fugue jason-fugue reopened this Oct 15, 2021
@alleynec
Contributor Author

alleynec commented Oct 20, 2021

Still failing on rule FG_R00041. Do these two rules together only allow traffic from port 443 from 0.0.0.0/0?

@alleynec alleynec reopened this Oct 20, 2021
@alleynec
Contributor Author

I ended up using port 443 for http.
