no-public-ingress
Default Severity: critical
Explanation
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
Possible Impact
Your port is exposed to the internet
Suggested Resolution
Set a more restrictive CIRDR range
Insecure Example
The following example will fail the digitalocean-compute-no-public-ingress check.
resource "digitalocean_firewall" "bad_example" {
name = "only-22-80-and-443"
droplet_ids = [digitalocean_droplet.web.id]
inbound_rule {
protocol = "tcp"
port_range = "22"
source_addresses = ["0.0.0.0/0", "::/0"]
}
}
Secure Example
The following example will pass the digitalocean-compute-no-public-ingress check.
resource "digitalocean_firewall" "good_example" {
name = "only-22-80-and-443"
droplet_ids = [digitalocean_droplet.web.id]
inbound_rule {
protocol = "tcp"
port_range = "22"
source_addresses = ["192.168.1.0/24", "fc00::/7"]
}
}