Fix nil error in GameLift Fleet rule (#569)

* Resolve nil check in GameLift Fleet ip check, fixes #564 * Rubocop fixes * Review feedback
stelligent · Oct 7, 2021 · c2fdce7 · c2fdce7
1 parent 70947d4
commit c2fdce7
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 1 deletion.
diff --git a/lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb b/lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb
@@ -18,6 +18,8 @@ def rule_id
 
   def audit_impl(cfn_model)
     violating_gamelift_fleets = cfn_model.resources_by_type('AWS::GameLift::Fleet').select do |gamelift_fleet|
+      next false if gamelift_fleet.eC2InboundPermissions.nil?
+
       violating_permissions = gamelift_fleet.eC2InboundPermissions.select do |permission|
         # Cast to strings incase template provided mixed types
         permission['FromPort'].to_s != permission['ToPort'].to_s

diff --git a/lib/cfn-nag/violation_filtering.rb b/lib/cfn-nag/violation_filtering.rb
@@ -25,7 +25,7 @@ def filter_violations_by_deny_list(deny_list_definition:, rule_definitions:, vio
     unless deny_list_definition.nil?
       begin
         deny_list = DenyListLoader.new(rule_definitions)
-                                   .load(deny_list_definition: deny_list_definition)
+                                  .load(deny_list_definition: deny_list_definition)
       rescue StandardError => deny_list_load_error
         raise "Deny list loading error: #{deny_list_load_error}"
       end

diff --git a/spec/custom_rules/GameLiftFleetInboundPortRangeRule_spec.rb b/spec/custom_rules/GameLiftFleetInboundPortRangeRule_spec.rb
@@ -25,4 +25,14 @@
       expect(actual_logical_resource_ids).to eq []
     end
   end
+
+  context 'GameLift fleet without ip permissions' do
+    it 'does not return logical resource id' do
+      cfn_model = CfnParser.new.parse read_test_template('yaml/gamelift/fleet_without_ip_permissions.yml')
+
+      actual_logical_resource_ids = GameLiftFleetInboundPortRangeRule.new.audit_impl cfn_model
+
+      expect(actual_logical_resource_ids).to eq []
+    end
+  end
 end
diff --git a/spec/test_templates/yaml/gamelift/fleet_without_ip_permissions.yml b/spec/test_templates/yaml/gamelift/fleet_without_ip_permissions.yml
@@ -0,0 +1,37 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create a GameLift Fleet with a port range open.
+
+Parameters:
+  Owner:
+    Type: String
+    Description: Owner of these resources.
+    # Default: pshelby
+  Project:
+    Type: String
+    Description: For what these resources were created.
+    # Default: gamelift-testing
+
+Resources:
+  # Instructions to SSH to GameLift fleet servers
+  # https://docs.aws.amazon.com/gamelift/latest/developerguide/fleets-remote-access.html
+  InsecureGameLiftFleet:
+    Type: AWS::GameLift::Fleet
+    Properties:
+      EC2InstanceType: t2.micro
+      Name: InsecureGameLiftFleet
+      RuntimeConfiguration:
+        ServerProcesses:
+          - ConcurrentExecutions: 2
+            LaunchPath: /local/game/rt_servers.js
+      ScriptId: !GetAtt RealTimeScript.Id
+
+  RealTimeScript:
+    Type: AWS::GameLift::Script
+    Properties:
+      StorageLocation:
+        Bucket:
+          Fn::ImportValue: !Sub ${Owner}-${Project}-GameLiftSourceCodeBucketName
+        Key: rt_servers.zip
+        RoleArn:
+          Fn::ImportValue: !Sub ${Owner}-${Project}-GameLiftSupportRoleArn