add security group ingress rule cidr whitelist support

theonestack · Jul 8, 2021 · 5c3b1f5 · 5c3b1f5
1 parent 4fe7306
commit 5c3b1f5
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/fargate-v2.cfndsl.rb b/fargate-v2.cfndsl.rb
@@ -27,8 +27,12 @@
   ingress_rules.each_with_index do |ingress_rule, i|
     EC2_SecurityGroupIngress("IngressRule#{i+1}") do
       Description ingress_rule['desc'] if ingress_rule.has_key?('desc')
+      if ingress_rule.has_key?('cidr')
+        CidrIp FnSub(ingress_rule['cidr'])
+      else
+        SourceSecurityGroupId ingress_rule.has_key?('source_sg') ? ingress_rule['source_sg'] :  Ref(:SecurityGroup)
+      end
       GroupId ingress_rule.has_key?('dest_sg') ? ingress_rule['dest_sg'] : Ref(:SecurityGroup)
-      SourceSecurityGroupId ingress_rule.has_key?('source_sg') ? ingress_rule['source_sg'] :  Ref(:SecurityGroup)
       IpProtocol ingress_rule.has_key?('protocol') ? ingress_rule['protocol'] : 'tcp'
       FromPort ingress_rule['from']
       ToPort ingress_rule.has_key?('to') ? ingress_rule['to'] : ingress_rule['from']

diff --git a/spec/security_groups_spec.rb b/spec/security_groups_spec.rb
@@ -61,4 +61,20 @@
 
   end
 
+  context 'Resource SecurityGroup Inbound SSH From CIDR' do
+
+    let(:ingress) { template["Resources"]["IngressRule4"]["Properties"] }
+
+    it 'has property Properties' do
+      expect(ingress).to eq({
+        "Description"=>"allow inbound 22 access from cidr",
+        "FromPort"=>22, 
+        "CidrIp"=>{"Fn::Sub"=>"10.0.0.1/32"}, 
+        "IpProtocol"=>"tcp", 
+        "ToPort"=>22
+      })
+    end
+
+  end
+
 end
diff --git a/tests/security_groups.test.yaml b/tests/security_groups.test.yaml
@@ -31,6 +31,10 @@ ingress_rules:
     dest_sg: 
       Ref: SecurityGroup
     desc: allows traffic from one SG to another
+  -
+    from: 22
+    cidr: 10.0.0.1/32
+    desc: allow inbound 22 access from cidr