Model Not Parsing To/From Port when IpProtocol is specified as -1

[bjsemrad]

Per the AWS documentation
"IpProtocol
The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). (VPC only) Use -1 to specify all protocols. If you specify -1, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6), traffic on all ports is allowed, regardless of any ports you specify. For tcp, udp, and icmp, you must specify a port range. For protocol 58 (ICMPv6), you can optionally specify a port range; if you don't, traffic for all types and codes is allowed."

When specifying the IpProtocol as -1 in a template, the parse will throw an exception stating to/from is required when it actually is not.

[ghost]

Hi. Sorry for the delay. Do you have an example template demonstrating this? There isn't much "pre-validation" of AWS::EC2::SecurityGroup going on in cfn-model and I believe From/To are required for the free-standing AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress

[bjsemrad]

I do have examples and I have patches I am hoping to submit this week. From/To are not actually required only when specifying a specific IPProtocol.

…

Sent from my iPhone

On Mar 10, 2018, at 12:49 PM, Eric Kascic ***@***.***> wrote: Hi. Sorry for the delay. Do you have an example template demonstrating this? There isn't much "pre-validation" of AWS::EC2::SecurityGroup going on in cfn-model and I believe From/To are required for the free-standing AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[bjsemrad]

Sorry for the delay @erickascic, submitted #27 for this issue. If you need another example before accepting the request let me know. I would like to get this change built into the cfn-nag after, I can submit the updates there as needed.