== Why is this an issue?

include::../rationale.adoc[]

include::../impact.adoc[]

== How to fix it

include::../common/how-to-fix-it/intro.adoc[]

=== Code examples

==== Noncompliant code example

An ingress rule allowing all inbound SSH traffic for AWS:

[source,terraform,diff-id=1,diff-type=noncompliant]
----
resource "aws_security_group" "noncompliant" {
  name        = "allow_ssh_noncompliant"
  description = "allow_ssh_noncompliant"
  vpc_id      = aws_vpc.main.id

  ingress {
    description      = "SSH rule"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]  # Noncompliant
  }
}
----

A security rule allowing all inbound SSH traffic for Azure:

[source,terraform,diff-id=2,diff-type=noncompliant]
----
resource "azurerm_network_security_rule" "noncompliant" {
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "*"  # Noncompliant
  destination_address_prefix  = "*"
}
----

A firewall rule allowing all inbound SSH traffic for GCP:

[source,terraform,diff-id=3,diff-type=noncompliant]
----
resource "google_compute_firewall" "noncompliant" {
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]  # Noncompliant
}
----

==== Compliant solution

An ingress rule allowing inbound SSH traffic from specific IP addresses for AWS:

[source,terraform,diff-id=1,diff-type=compliant]
----
resource "aws_security_group" "compliant" {
  name        = "allow_ssh_compliant"
  description = "allow_ssh_compliant"
  vpc_id      = aws_vpc.main.id

  ingress {
    description      = "SSH rule"
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["1.2.3.0/24"]
  }
}
----

A security rule allowing inbound SSH traffic from specific IP addresses for Azure:


[source,terraform,diff-id=2,diff-type=compliant]
----
resource "azurerm_network_security_rule" "compliant" {
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "1.2.3.0"
  destination_address_prefix  = "*"
}
----

A firewall rule allowing inbound SSH traffic from specific IP addresses for GCP:

[source,terraform,diff-id=3,diff-type=compliant]
----
resource "google_compute_firewall" "compliant" {
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["10.0.0.1/32"]
}
----

== Resources

include::../common/resources/docs.adoc[]

include::../common/resources/articles.adoc[]

include::../common/resources/presentations.adoc[]

include::../common/resources/standards.adoc[]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

'''

endif::env-github,rspecator-view[]