From b4973276ae467ee78c7bcf429678128183b81121 Mon Sep 17 00:00:00 2001
From: Michael Holley
Date: Thu, 15 Aug 2019 10:15:13 -0600
Subject: [PATCH] Add rule to check for protocol -1, #37

Fix rule operator to limit false possitive
Switch cindr_block to string for sg_all_protocols
Fix spelling errors in all_protocols rules
Update test file to use correct spelled test name

---
 cli/assets/terraform.yml | 24 +++++++++++++++++++
 cli/builtin_terraform_test.go | 2 ++
 .../builtin/terraform/security-groups.tf | 14 +++++++++++
 3 files changed, 40 insertions(+)

diff --git a/cli/assets/terraform.yml b/cli/assets/terraform.yml
index c6e7bb9..8959cf2 100644
--- a/cli/assets/terraform.yml
+++ b/cli/assets/terraform.yml
@@ -123,6 +123,30 @@ rules:
 - sg
 - ec2
+ - id: SG_INGRESS_ALL_PROTOCOLS
+ resource: aws_security_group
+ message: Best practices recommend not opening all protocols and ports to ingress traffic
+ assertions:
+ - not:
+ - key: "ingress[].protocol"
+ op: contains
+ value: "-1"
+ severity: WARNING
+ tags:
+ - sg
+
+ - id: SG_EGRESS_ALL_PROTOCOLS
+ resource: aws_security_group
+ message: Best practices recommend not opening all protocols and ports to egress traffic
+ assertions:
+ - not:
+ - key: "egress[].protocol"
+ op: contains
+ value: "-1"
+ severity: WARNING
+ tags:
+ - sg
+
 - id: CLOUDFRONT_DISTRIBUTION_LOGGING
 message: CloudFront Distribution must configure logging
 resource: aws_cloudfront_distribution
diff --git a/cli/builtin_terraform_test.go b/cli/builtin_terraform_test.go
index 1b60ea6..dcabc71 100644
--- a/cli/builtin_terraform_test.go
+++ b/cli/builtin_terraform_test.go
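Review bot: The `ingress[].protocol` and `egress[].protocol` assertions match only the literal string "-1", but the AWS provider also accepts "all" as the all-protocols value, so a block written `protocol = "all"` slips past both SG_INGRESS_ALL_PROTOCOLS and SG_EGRESS_ALL_PROTOCOLS; this applies to both rules in the hunk. Add a second `- not:` entry to each rule's `assertions`, mirroring the existing one but with `value: "all"`, as its own top-level assertion rather than a second key under the same `not:` so the negation does not require both values to be present. Both rules also bind only to `aws_security_group`, so the same opening declared through a standalone `aws_security_group_rule` resource is not covered; worth a follow-up rule or at least a note. A one-line comment above each `assertions:` such as `# "-1" and "all" both mean every protocol and port in the AWS provider` would make the intent explicit.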
@@ -52,6 +52,8 @@ func TestTerraformBuiltInRules(t *testing.T) {
 {"security-groups.tf", "SG_INGRESS_PORT_RANGE", 0, 0},
 {"security-groups.tf", "SG_EGRESS_PORT_RANGE", 0, 0},
 {"security-groups.tf", "SG_MISSING_EGRESS", 0, 0},
+ {"security-groups.tf", "SG_INGRESS_ALL_PROTOCOLS", 1, 0},
+ {"security-groups.tf", "SG_EGRESS_ALL_PROTOCOLS", 3, 0},
 {"cloudfront.tf", "CLOUDFRONT_DISTRIBUTION_LOGGING", 0, 1},
 {"cloudfront.tf", "CLOUDFRONT_DISTRIBUTION_ORIGIN_POLICY", 0, 0},
 {"cloudfront.tf", "CLOUDFRONT_DISTRIBUTION_DISTRIBUTION_PROTOCOl", 0, 0},
diff --git a/cli/testdata/builtin/terraform/security-groups.tf b/cli/testdata/builtin/terraform/security-groups.tf
index 4994b7e..75d782e 100644
--- a/cli/testdata/builtin/terraform/security-groups.tf
+++ b/cli/testdata/builtin/terraform/security-groups.tf
@@ -31,3 +31,17 @@ resource "aws_security_group" "sg_ssh" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 }
+
+resource "aws_security_group" "sg_all_protocols" {
+ name = "all_all_protocols"
+ description = "Allow all protocols and ports"
+
+ ingress {
+ protocol = "-1"
+ cidr_blocks = "1.2.3.4/32"
+ }
+ egress {
+ protocol = "-1"
+ cidr_blocks = "1.2.3.4/32"
+ }
+}
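Review bot: The expected count `3` on the new `SG_EGRESS_ALL_PROTOCOLS` row is not explained by the fixture change in this commit, which adds a single egress block with `protocol = "-1"`; presumably the other two come from egress blocks already present in security-groups.tf, so the expectation is coupled to fixtures outside this hunk. A short comment on the row naming what is expected to trigger it, e.g. `// 3: sg_all_protocols plus the existing fixtures that already use egress protocol "-1"`, would keep the count from drifting silently when the fixture file is edited. The numeric columns are positional and their meaning is not visible here, so a header comment on the table would help too; TestTerraformBuiltInRules starts outside the hunk.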
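Review bot: The new `ingress` and `egress` blocks in `sg_all_protocols` set `protocol = "-1"` without `from_port` and `to_port`, which are required arguments of those blocks in the AWS provider (both must be 0 for the all-protocols value), so the fixture parses for the linter but is not valid Terraform; adding `from_port = 0` and `to_port = 0` to each block keeps the fixture representative of real configurations. `cidr_blocks = "1.2.3.4/32"` is also a bare string where the sibling `sg_ssh` resource in the context lines uses a list (`["0.0.0.0/0"]`); the commit subject says this switch is deliberate, so a comment on that line stating the reason would stop the next reader from "correcting" it back to a list.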