Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v1: possible false-positive for W3687 #3317

Closed
r-heimann opened this issue Jun 20, 2024 · 3 comments · Fixed by #3345
Closed

v1: possible false-positive for W3687 #3317

r-heimann opened this issue Jun 20, 2024 · 3 comments · Fixed by #3345

Comments

@r-heimann
Copy link

CloudFormation Lint Version

cfn-lint 1.3.0

What operating system are you using?

Windows 11

Describe the bug

After updating from v0.87.7 to v1.3.0 i noticed a new finding, which is possibly a false-positive:

  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security Group"
      VpcId: !ImportValue VPC1-VPC-ID
      SecurityGroupIngress:
        - Description: "Test"
          IpProtocol: TCP
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
[cfn-lint] W3687: ['FromPort', 'ToPort'] are ignored when using 'IpProtocol' value 'TCP'

Expected behavior

Not entirely sure what the issue here is, but FromPort and ToPort are not ignored:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-ingress.html

Reproduction template

AWSTemplateFormatVersion: 2010-09-09
Description: Test

Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security Group"
      VpcId: !ImportValue VPC1-VPC-ID
      SecurityGroupIngress:
        - Description: "Test"
          IpProtocol: TCP
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
@egut
Copy link

egut commented Jun 20, 2024

TCP should be in lowercase

IpProtocol
The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

But AWS accept uppercase

@r-heimann
Copy link
Author

TCP should be in lowercase

IpProtocol
The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

But AWS accept uppercase

Thank you, you are right. cfn-lint v1 doesn't like my uppercase TCP.

@egut
Copy link

egut commented Jun 20, 2024

@r-heimann Yes, I notice the same in one of our templates but not all so I got confused first, then I saw it :)

@kddejong kddejong mentioned this issue Jun 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow capital letters for rule W3687 kddejong/cfn-python-lint
2 participants
@egut @r-heimann