Inputs for check_vpc_sg_open_only_to_authorized_ports rule

README.md

@@ -284,7 +284,7 @@ No modules.
 | check\_s3\_bucket\_server\_side\_encryption\_enabled | Enable s3-bucket-server-side-encryption-enabled rule | `bool` | `true` | no |
 | check\_s3\_bucket\_ssl\_requests\_only | Enable s3-bucket-ssl-requests-only rule | `bool` | `true` | no |
 | check\_vpc\_default\_security\_group\_closed | Enable vpc-default-security-group-closed rule | `bool` | `true` | no |
-| check\_vpc\_sg\_open\_only\_to\_authorized\_ports | Enable vpc-sg-open-only-to-authorized-ports rule | `bool` | `true` | no |
+| check\_vpc\_sg\_open\_only\_to\_authorized\_ports | Enable vpc-sg-open-only-to-authorized-ports rule | `bool` | `false` | no |
 | cloud\_trail\_cloud\_watch\_logs\_enabled | Enable cloud\_trail\_cloud\_watch\_logs\_enabled rule | `bool` | `true` | no |
 | config\_aggregator\_name | The name of the aggregator. | `string` | `"organization"` | no |
 | config\_delivery\_frequency | The frequency with which AWS Config delivers configuration snapshots. | `string` | `"Six_Hours"` | no |
@@ -318,6 +318,8 @@ No modules.
 | resource\_types | A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types. | `list(string)` | `[]` | no |
 | s3\_bucket\_public\_access\_prohibited\_exclusion | Comma-separated list of known allowed public Amazon S3 bucket names. | `string` | `"example,CSV"` | no |
 | tags | Tags to apply to AWS Config resources | `map(string)` | `{}` | no |
+| vpc\_sg\_authorized\_TCP\_ports | Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '443,1020-1025' | `string` | `"none"` | no |
+| vpc\_sg\_authorized\_UDP\_ports | Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '500,1020-1025' | `string` | `"none"` | no |
 
 ## Outputs
 

config-policies/vpc_sg_authorized_ports.tpl

@@ -0,0 +1,4 @@
+{
+    "authorizedTcpPorts": "${vpc_sg_authorized_TCP_ports}",
+    "authorizedUdpPorts": "${vpc_sg_authorized_UDP_ports}"
+}

config-rules.tf

@@ -82,6 +82,13 @@ locals {
       s3_bucket_public_access_prohibited_exclusion = var.s3_bucket_public_access_prohibited_exclusion
     }
   )
+
+  aws_config_vpc_sg_authorized_ports = templatefile("${path.module}/config-policies/vpc_sg_authorized_ports.tpl",
+    {
+      vpc_sg_authorized_TCP_ports = var.vpc_sg_authorized_TCP_ports
+      vpc_sg_authorized_UDP_ports = var.vpc_sg_authorized_UDP_ports
+    }
+  )
 }
 
 
@@ -936,9 +943,10 @@ resource "aws_config_config_rule" "s3-bucket-server-side-encryption-enabled" {
 }
 
 resource "aws_config_config_rule" "vpc-sg-open-only-to-authorized-ports" {
-  count       = var.check_vpc_sg_open_only_to_authorized_ports ? 1 : 0
-  name        = "vpc-sg-open-only-to-authorized-ports"
-  description = "Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters. "
+  count            = var.check_vpc_sg_open_only_to_authorized_ports ? 1 : 0
+  name             = "vpc-sg-open-only-to-authorized-ports"
+  description      = "Checks if security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. NON_COMPLIANT if security group with inbound 0.0.0.0/0 has a port accessible which is not specified in rule parameters.(both Terraform inputs required if enabled)"
+  input_parameters = local.aws_config_vpc_sg_authorized_ports
 
   source {
     owner             = "AWS"

variables.tf

@@ -522,7 +522,21 @@ variable "check_s3_bucket_server_side_encryption_enabled" {
 variable "check_vpc_sg_open_only_to_authorized_ports" {
   description = "Enable vpc-sg-open-only-to-authorized-ports rule"
   type        = bool
-  default     = true
+  default     = false
+}
+
+variable "vpc_sg_authorized_TCP_ports" {
+  description = "Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '443,1020-1025'"
+  type        = string
+  #default value can't be blank
+  default = "none"
+}
+
+variable "vpc_sg_authorized_UDP_ports" {
+  description = "Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '500,1020-1025'"
+  type        = string
+  #default value can't be blank
+  default = "none"
 }
 
 variable "resource_types" {