Model Not Parsing To/From Port when IpProtocol is specified as -1 #25
Comments
Hi. Sorry for the delay. Do you have an example template demonstrating this? There isn't much "pre-validation" of AWS::EC2::SecurityGroup going on in cfn-model and I believe From/To are required for the free-standing AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress
I do have examples and I have patches I am hoping to submit this week. From/To are not actually required only when specifying a specific IPProtocol.
On Mar 10, 2018, at 12:49 PM, Eric Kascic wrote:
Hi. Sorry for the delay. Do you have an example template demonstrating this? There isn't much "pre-validation" of AWS::EC2::SecurityGroup going on in cfn-model and I believe From/To are required for the free-standing AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress
Sorry for the delay @erickascic, submitted #27 for this issue. If you need another example before accepting the request let me know. I would like to get this change built into cfn-nag after; I can submit the updates there as needed.
Per the AWS documentation
"IpProtocol: The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). (VPC only) Use -1 to specify all protocols. If you specify -1, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6), traffic on all ports is allowed, regardless of any ports you specify. For tcp, udp, and icmp, you must specify a port range. For protocol 58 (ICMPv6), you can optionally specify a port range; if you don't, traffic for all types and codes is allowed."
When specifying the IpProtocol as -1 in a template, the parser will throw an exception stating that FromPort/ToPort are required when they actually are not.
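The port-range check the issue describes, as an added example in Ruby (cfn-model's language). This is not cfn-model's own code: the function names, the rule layout (a Hash keyed by the CloudFormation property names as strings), and the treatment of protocol numbers 6/17/1 as aliases for tcp/udp/icmp are assumptions. It follows the AWS rule quoted above: a port range is mandatory for tcp/udp/icmp, optional for 58, and not required for -1 or any other protocol number. The second function makes the security-relevant point explicit: for -1 the rule opens every port even when the template also lists FromPort/ToPort, so a linter must not read those ports as narrowing the rule.

```ruby
# Added example, not cfn-model's own code. Rules are Hashes using the
# CloudFormation property names as string keys, e.g.
#   { 'IpProtocol' => -1, 'CidrIp' => '10.0.0.0/8' }

NAMED_WITH_PORTS = %w[tcp udp icmp].freeze
# Assumption: the IANA numbers for tcp/udp/icmp behave like their names.
NUMBERED_WITH_PORTS = %w[6 17 1].freeze
ICMPV6 = '58'

# IpProtocol may arrive as a String ('tcp', '-1') or, after YAML parsing,
# as an Integer (-1); compare on a normalised string so -1 and '-1' match.
def normalize_protocol(proto)
  proto.to_s.strip.downcase
end

def port_range_required?(proto)
  p = normalize_protocol(proto)
  NAMED_WITH_PORTS.include?(p) || NUMBERED_WITH_PORTS.include?(p)
end

# Returns a list of error strings; an empty list means the rule is valid.
def validate_port_range(rule)
  proto = normalize_protocol(rule['IpProtocol'])
  from = rule['FromPort']
  to = rule['ToPort']
  errors = []

  return ['IpProtocol is required'] if proto.empty?

  if port_range_required?(proto)
    errors << 'FromPort is required for tcp/udp/icmp' if from.nil?
    errors << 'ToPort is required for tcp/udp/icmp' if to.nil?
  elsif proto == ICMPV6
    # Optional for ICMPv6, but a half-specified range is a template error.
    errors << 'FromPort and ToPort must be given together for ICMPv6' if from.nil? != to.nil?
  end
  # -1 and any other protocol number: no port range is needed, and AWS
  # ignores whatever FromPort/ToPort say, so there is nothing to require.

  # For tcp/udp a supplied range must be numeric, in 0..65535 and ordered.
  # (Not applied to icmp, where FromPort/ToPort are type/code and -1 is valid.)
  if from && to && %w[tcp udp 6 17].include?(proto)
    f = Integer(from, exception: false)
    t = Integer(to, exception: false)
    if f.nil? || t.nil? || f < 0 || t > 65_535 || f > t
      errors << "invalid port range #{from}-#{to}"
    end
  end
  errors
end

# What the rule actually opens: :all, or [from, to].
# For -1 (or a number other than tcp/udp/icmp/58) the answer is every
# port, even when the template also lists a range.
def effective_ports(rule)
  proto = normalize_protocol(rule['IpProtocol'])
  return :all unless port_range_required?(proto) || proto == ICMPV6
  return :all if rule['FromPort'].nil? && rule['ToPort'].nil? # ICMPv6, no range
  [rule['FromPort'].to_i, rule['ToPort'].to_i]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample rules, as they would appear under SecurityGroupIngress.
  all_proto = { 'IpProtocol' => -1, 'FromPort' => 22, 'ToPort' => 22, 'CidrIp' => '10.0.0.0/8' }
  ssh = { 'IpProtocol' => 'tcp', 'FromPort' => 22, 'ToPort' => 22, 'CidrIp' => '10.0.0.0/8' }
  bad_tcp = { 'IpProtocol' => 'tcp', 'CidrIp' => '10.0.0.0/8' }
  p validate_port_range(all_proto) # => []
  p validate_port_range(ssh)       # => []
  p validate_port_range(bad_tcp)   # => two "required" errors
  p effective_ports(all_proto)     # => :all, despite FromPort/ToPort 22
end
```

The first sample is the case from this issue: IpProtocol -1 with no required ports passes validation, and a -1 rule that also carries FromPort/ToPort 22 still reports :all, which is what a downstream check such as cfn-nag should see.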