#409 from cfn_nag issues, add support for relationship between NACLs and egress and ingress entries. #74
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…and egress and ingress entries.
ghost
reviewed
Mar 26, 2020
| def ingress_network_acl_entries(cfn_model) | ||
| network_acl_entries = cfn_model.resources_by_type 'AWS::EC2::NetworkAclEntry' | ||
| network_acl_entries.select do |network_acl_entry| | ||
| network_acl_entry.egress.nil? || !network_acl_entry.egress |
There was a problem hiding this comment.
beware of "weak typing" in cfn. this could be "true", true, "false", false. there should be a truthy? util in the model you can use instead of a straight boolean op
There was a problem hiding this comment.
There isn't currently a truthy? util in cfn_model, just cfn_nag, but I can add one to model as part of this PR.
ghost
suggested changes
Mar 26, 2020
ghost
approved these changes
Apr 1, 2020
ghost
merged commit
ssteo
pushed a commit
to ssteo/cfn-model
that referenced
this pull request
Oct 16, 2020
…w SAM transforms templates (stelligent#64) * stelligent/cfn_nag#74 Reworking Serverless transform to more closely match how SAM transforms templates. 1. Generating an IAM role for each serverless function, if Role property not provided. 2. Parsing serverless function properties to correctly populate generated role. 3. Updating spec tests. * Updating array syntax to use ruby's %w[].
This pull request was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In reference to stelligent/cfn_nag#409.
This adds a relationship to be parsed between EC2 Network ACLs and Network ACL Entries separated by egress and ingress. This is primarily because the items we are checking for in this issue affect ingress and egress separately, including repeating rule numbers and reusing ports.
Planned to be used in conjunction with: https://github.com/stelligent/cfn_nag/tree/feature/409_ineffective_nacl_rules
This also adds the truthy util to cfn-model, as previously used in cfn-nag.