Fugue.AWS.EC2.Compliance.Internal

Module Members

checkIngressRange

(Function)

Raise an error if there is an ingress rule that satisfies both the ipPermissionTargetPredicate and the portRangePredicate.

Type Signature

 fun { portRangePredicate: PortRangePredicate,
       message: Optional<String>,
       ipPermissionTargetPredicate: Optional<IpPermissionTargetPredicate>,
       references: Optional<List<String>> } -> fun (SecurityGroup) -> Validation
Argument: portRangePredicate
Type: PortRangePredicate
Argument: message
Type: Optional<String>
Argument: ipPermissionTargetPredicate
Type: Optional<IpPermissionTargetPredicate>
Argument: references
Type: Optional<List<String>>
Returns:
Type: fun ( SecurityGroup) -> Validation

checkIngressRangeUnlessELB

(Function)

Type Signature

 fun { portRangePredicate: PortRangePredicate,
       ipPermissionTargetPredicate: Optional<IpPermissionTargetPredicate>,
       message: Optional<String>,
       references: Optional<List<String>> } -> fun (NodeStream) -> Validation
Argument: portRangePredicate
Type: PortRangePredicate
Argument: ipPermissionTargetPredicate
Type: Optional<IpPermissionTargetPredicate>
Argument: message
Type: Optional<String>
Argument: references
Type: Optional<List<String>>
Returns:
Type: fun ( NodeStream) -> Validation

checkSGWithStackTrace

(Function)

Type Signature

 fun (fun (String, SecurityGroup) -> Validation, (SecurityGroup, a)) -> Validation
Argument: validFun
Type: fun ( String, SecurityGroup) -> Validation
Argument: sgval
Type: ( SecurityGroup, a)
Returns:
Type: Validation

checkValuesByTag

(Function)

Type Signature

 fun (fun (String, SecurityGroup) -> Validation, NodeStream, String, fun (a) -> List<SecurityGroup>) -> List<Validation>
Argument: validFun
Type: fun ( String, SecurityGroup) -> Validation
Argument: ns
Type: NodeStream
Argument: ty
Type: String
Argument: getSGs
Type: fun ( a) -> List<SecurityGroup>
Returns:
Type: List<Validation>

disallowPort

(Function)

Disallow a specific port.

Type Signature

 fun (Int) -> PortRangePredicate
Argument: port
Type: Int
Returns:
Type: PortRangePredicate

disallowPorts

(Function)

Disallow a list of ports.

Type Signature

 fun (List<Int>) -> PortRangePredicate
Argument: ports
Type: List<Int>
Returns:
Type: PortRangePredicate

getPairedSGValues

(Function)

Type Signature

 fun (NodeStream, String, fun (a) -> List<SecurityGroup>) -> List<(SecurityGroup, a)>
Argument: ns
Type: NodeStream
Argument: ty
Type: String
Argument: f
Type: fun ( a) -> List<SecurityGroup>
Returns:
Type: List<(SecurityGroup, a)>

subnetsInMultipleAZs

(Function)

Check that there are at least two distinct AZs in the list.

Type Signature

 fun (List<Subnet>) -> Bool
Argument: subnets
Type: List<Subnet>
Returns:
Type: Bool

whitelistPorts

(Function)

Whitelist only specific ports.

Type Signature

 fun (List<Int>) -> PortRangePredicate
Argument: whitelist
Type: List<Int>
Returns:
Type: PortRangePredicate

IpPermissionTargetPredicate

(Type)

# Predicate over a single ingress target. Returning True means the target
# is passed on to the PortRangePredicate for port checking; False skips it.
type IpPermissionTargetPredicate:
  fun(IpPermissionTarget) -> Bool

Check if an IpPermissionTarget should be flagged. A return value of True means that the target should be checked by the PortRangePredicate.

Type Signature

 fun (IpPermissionTarget) -> Ludwig.Bool

PortRangePredicate

(Type)

# Predicate over one port range of an ingress rule. Returning True means
# the range is flagged and an error is raised for the rule.
type PortRangePredicate:
  fun{
       from: Int,
       to: Int
     } -> Bool

A PortRangePredicate checks whether or not a specific port range should be flagged. A return value of True means that an error should be raised.

Type Signature

 fun {from: Ludwig.Int, to: Ludwig.Int} -> Ludwig.Bool

allowsTrafficFromAnywhere

(Value)

# True when the target is an IpRanges list that contains the IPv4 or IPv6
# wildcard CIDR. Only the exact strings "0.0.0.0/0" and "::/0" match: a
# broad-but-not-universal range (e.g. a /1) is not flagged, and any other
# target variant yields an empty CIDR list and is therefore never flagged
# by this predicate.
IpPermissionTargetPredicate allowsTrafficFromAnywhere:
  fun(tgt): cidrs:
              case tgt of | IpRanges list -> [l.IpRange.cidrIp for l in list]
                          | _ -> []
            or([member(c, ["0.0.0.0/0","::/0"]) for c in cidrs])

Check that the IpPermissionTarget allows traffic from anywhere (i.e. it contains "0.0.0.0/0" or "::/0").

Type Signature

 IpPermissionTargetPredicate

anyTarget

(Value)

# Matches every target unconditionally, so the PortRangePredicate is
# applied to all ingress rules regardless of their source.
IpPermissionTargetPredicate anyTarget:
  fun(_): True

Check any IpPermissionTarget (the predicate always returns True).

Type Signature

 IpPermissionTargetPredicate

disallowAnyPort

(Value)

# Flags every port range unconditionally: any ingress rule whose target
# passes the IpPermissionTargetPredicate raises an error.
PortRangePredicate disallowAnyPort:
  fun(_): True

Disallow any open port (the predicate always returns True, so every ingress port range is flagged).

Type Signature

 PortRangePredicate

isOpenPortRange

(Value)

# Flags the "all ports" sentinel range. NOTE(review): the rendered
# expression reads as range.from < 1 || range.to < 1 (i.e. a from/to of
# -1), but the operator layout here looks garbled by the doc renderer —
# confirm against the module source.
PortRangePredicate isOpenPortRange:
  fun(range): <(range.from, ||(1, <(range.to, 1)))

Special case: a port value of -1 signifies that all ports are allowed.

Type Signature

 PortRangePredicate