From 5c3b1f53e83c35e588a225d2ec602cbe216cfa13 Mon Sep 17 00:00:00 2001
From: Guslington
Date: Thu, 8 Jul 2021 11:32:51 +1000
Subject: [PATCH] add security group ingress rule cidr whitelist support
---
 fargate-v2.cfndsl.rb | 6 +++++-
 spec/security_groups_spec.rb | 16 ++++++++++++++++
 tests/security_groups.test.yaml | 4 ++++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/fargate-v2.cfndsl.rb b/fargate-v2.cfndsl.rb
index 4d485b8..768ed40 100644
--- a/fargate-v2.cfndsl.rb
+++ b/fargate-v2.cfndsl.rb
@@ -27,8 +27,12 @@
 ingress_rules.each_with_index do |ingress_rule, i|
 EC2_SecurityGroupIngress("IngressRule#{i+1}") do
 Description ingress_rule['desc'] if ingress_rule.has_key?('desc')
+ if ingress_rule.has_key?('cidr')
+ CidrIp FnSub(ingress_rule['cidr'])
+ else
+ SourceSecurityGroupId ingress_rule.has_key?('source_sg') ? ingress_rule['source_sg'] : Ref(:SecurityGroup)
+ end
 GroupId ingress_rule.has_key?('dest_sg') ? ingress_rule['dest_sg'] : Ref(:SecurityGroup)
- SourceSecurityGroupId ingress_rule.has_key?('source_sg') ? ingress_rule['source_sg'] : Ref(:SecurityGroup)
 IpProtocol ingress_rule.has_key?('protocol') ? ingress_rule['protocol'] : 'tcp'
 FromPort ingress_rule['from']
 ToPort ingress_rule.has_key?('to') ? ingress_rule['to'] : ingress_rule['from']
diff --git a/spec/security_groups_spec.rb b/spec/security_groups_spec.rb
index 9a9ad06..3a72aca 100644
--- a/spec/security_groups_spec.rb
+++ b/spec/security_groups_spec.rb
@@ -61,4 +61,20 @@
 end
+ context 'Resource SecurityGroup Inbound SSH From CIDR' do
+ let(:ingress) { template["Resources"]["IngressRule4"]["Properties"] }
+ it 'has property Properties' do
+ expect(ingress).to eq({
+ "Description"=>"allow inbound 22 access from cidr",
+ "FromPort"=>22,
+ "CidrIp"=>{"Fn::Sub"=>"10.0.0.1/32"},
+ "IpProtocol"=>"tcp",
+ "ToPort"=>22
+ })
+ end
+ end
 end
\ No newline at end of file
diff --git a/tests/security_groups.test.yaml b/tests/security_groups.test.yaml
index 0734fae..9bb8697 100644
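Review bot: A rule that supplies both `cidr` and `source_sg` silently drops the `source_sg` on the new `if` branch, so a rule the author meant to scope to a security group can end up opened to a CIDR range with no signal at template-compile time; reject the combination before the property is set, e.g. `raise ArgumentError, "ingress rule #{i+1}: 'cidr' and 'source_sg' are mutually exclusive" if ingress_rule.has_key?('cidr') && ingress_rule.has_key?('source_sg')`. The `CidrIp` property only accepts IPv4 ranges, so an IPv6 `cidr` would need `CidrIpv6` instead; either document the IPv4-only limitation on the `ingress_rules` parameter or branch on the address family. `cidr` is the only rule field in this block that goes through `FnSub`, which is worth a one-line comment such as `# cidr may reference template parameters via ${...} substitution` so the asymmetry with `source_sg`/`dest_sg` reads as intentional. The enclosing `each_with_index` loop and the `EC2_SecurityGroupIngress` block both continue outside the hunk.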
--- a/tests/security_groups.test.yaml
+++ b/tests/security_groups.test.yaml
@@ -31,6 +31,10 @@ ingress_rules:
 dest_sg:
 Ref: SecurityGroup
 desc: allows traffic from one SG to another
+ -
+ from: 22
+ cidr: 10.0.0.1/32
+ desc: allow inbound 22 access from cidr