ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6329/javascript/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

196 lines
6.0 KiB
Plaintext
Raw Permalink Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and similar constructs:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.Instance(this, "example", {
instanceType: nanoT2,
machineImage: ec2.MachineImage.latestAmazonLinux(),
vpc: vpc,
vpcSubnets: {subnetType: ec2.SubnetType.PUBLIC} // Sensitive
})
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.CfnInstance(this, "example", {
instanceType: "t2.micro",
imageId: "ami-0ea0f26a6d50850c5",
networkInterfaces: [
{
deviceIndex: "0",
associatePublicIpAddress: true, // Sensitive
deleteOnTermination: true,
subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PUBLIC}).subnetIds[0]
}
]
})
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new dms.CfnReplicationInstance(
this, "example", {
replicationInstanceClass: "dms.t2.micro",
allocatedStorage: 5,
publiclyAccessible: true, // Sensitive
replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier,
vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup]
})
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const rdsSubnetGroupPublic = new rds.CfnDBSubnetGroup(this, "publicSubnet", {
dbSubnetGroupDescription: "Subnets",
dbSubnetGroupName: "publicSn",
subnetIds: vpc.selectSubnets({
subnetType: ec2.SubnetType.PUBLIC
}).subnetIds
})
new rds.CfnDBInstance(this, "example", {
engine: "postgres",
masterUsername: "foobar",
masterUserPassword: "12345678",
dbInstanceClass: "db.r5.large",
allocatedStorage: "200",
iops: 1000,
dbSubnetGroupName: rdsSubnetGroupPublic.ref,
publiclyAccessible: true, // Sensitive
vpcSecurityGroups: [sg.securityGroupId]
})
----
== Compliant Solution
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and similar constructs:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.Instance(
this,
"example", {
instanceType: nanoT2,
machineImage: ec2.MachineImage.latestAmazonLinux(),
vpc: vpc,
vpcSubnets: {subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS}
})
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.CfnInstance(this, "example", {
instanceType: "t2.micro",
imageId: "ami-0ea0f26a6d50850c5",
networkInterfaces: [
{
deviceIndex: "0",
associatePublicIpAddress: false,
deleteOnTermination: true,
subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS}).subnetIds[0]
}
]
})
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new dms.CfnReplicationInstance(
this, "example", {
replicationInstanceClass: "dms.t2.micro",
allocatedStorage: 5,
publiclyAccessible: false,
replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier,
vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup]
})
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const rdsSubnetGroupPrivate = new rds.CfnDBSubnetGroup(this, "example",{
dbSubnetGroupDescription: "Subnets",
dbSubnetGroupName: "privateSn",
subnetIds: vpc.selectSubnets({
subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS
}).subnetIds
})
new rds.CfnDBInstance(this, "example", {
engine: "postgres",
masterUsername: "foobar",
masterUserPassword: "12345678",
dbInstanceClass: "db.r5.large",
allocatedStorage: "200",
iops: 1000,
dbSubnetGroupName: rdsSubnetGroupPrivate.ref,
publiclyAccessible: false,
vpcSecurityGroups: [sg.securityGroupId]
})
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Make sure allowing public network access is safe here.
=== Highlight
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instances]:
* Highlight the `vpcSubnets` property when set to a selection of public subnets.
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]
* Highlight the `associatePublicIpAddress` property when set to `true`
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]
* Highlight the `publiclyAccessible` property when set to `True`
* Highlight the constructor code when the `publiclyAccessible` property is
not set
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws-cdk-lib.aws_rds.DatabaseInstance]
* Highlight the `publiclyAccessible` property when it's set
* Highlight the `vpcSubnets` attribute if the `publiclyAccessible` property if not set
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]
* Highlight the `publiclyAccessible` property
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink