VPC Peering Route Table with Unrestricted CIDR
- Query id: b3a41501-f712-4c4f-81e5-db9a7dc0e34e
- Query name: VPC Peering Route Table with Unrestricted CIDR
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description¶
VPC Peering Route Table should restrict CIDR
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "<= 3.49.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable vpc_1_cidr_block {
type = string
default = "10.0.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_2_cidr_block {
type = string
default = "10.2.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_cidr_public_block {
type = string
default = "10.0.1.0/24"
description = "public CIDR block"
}
variable vpc_cidr_private_block {
type = string
default = "10.0.2.0/24"
description = "private CIDR block"
}
resource "aws_vpc" "vpc1" {
cidr_block = var.vpc_1_cidr_block
tags = {
Name = "tf-test-vpc-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_public_block
availability_zone = "us-east-1a"
tags = {
Name = "public-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_private_block
availability_zone = "us-east-1a"
tags = {
Name = "private-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_vpc" "vpc2" {
cidr_block = var.vpc_2_cidr_block
tags = {
Name = "tf-test-vpc-2"
Project = "CIS Certification"
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc1.id
tags = {
Name = "igw"
Project = "CIS Certification"
}
}
resource "aws_eip" "nat" {}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public.*.id[0]
tags = {
Name = "nat"
Project = "CIS Certification"
}
depends_on = [aws_internet_gateway.igw]
}
data "aws_caller_identity" "current" {}
resource "aws_vpc_peering_connection" "my_peering" {
peer_owner_id = data.aws_caller_identity.current.account_id
peer_vpc_id = aws_vpc.vpc1.id
vpc_id = aws_vpc.vpc2.id
auto_accept = true
tags = {
Name = "VPC Peering between vpc1 and vpc2"
Project = "CIS Certification"
}
}
resource "aws_route_table" "public_route_table" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = "0.0.0.0/0"
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
}
tags = {
Name = "public_route_table"
Project = "CIS Certification"
}
}
resource "aws_route_table" "private_route_table" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = aws_vpc.vpc2.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
}
tags = {
Name = "private_route_table"
Project = "CIS Certification"
}
}
resource "aws_route_table_association" "private_route_table_association" {
subnet_id = aws_subnet.private.id
route_table_id = aws_route_table.private_route_table.id
}
Positive test num. 2 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "<= 3.49.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable vpc_1_cidr_block {
type = string
default = "10.0.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_2_cidr_block {
type = string
default = "10.2.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_cidr_public_block {
type = string
default = "10.0.1.0/24"
description = "public CIDR block"
}
variable vpc_cidr_private_block {
type = string
default = "10.0.2.0/24"
description = "private CIDR block"
}
resource "aws_vpc" "vpc1" {
cidr_block = var.vpc_1_cidr_block
tags = {
Name = "tf-test-vpc-2"
Project = "CIS Certification"
}
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_public_block
availability_zone = "us-east-1a"
tags = {
Name = "public-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_private_block
availability_zone = "us-east-1a"
tags = {
Name = "private-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_vpc" "vpc2" {
cidr_block = var.vpc_2_cidr_block
tags = {
Name = "tf-test-vpc-2"
Project = "CIS Certification"
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc1.id
tags = {
Name = "igw"
Project = "CIS Certification"
}
}
resource "aws_eip" "nat" {}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public.*.id[0]
tags = {
Name = "nat"
Project = "CIS Certification"
}
depends_on = [aws_internet_gateway.igw]
}
data "aws_caller_identity" "current" {}
resource "aws_vpc_peering_connection" "my_peering" {
peer_owner_id = data.aws_caller_identity.current.account_id
peer_vpc_id = aws_vpc.vpc1.id
vpc_id = aws_vpc.vpc2.id
auto_accept = true
tags = {
Name = "VPC Peering between vpc1 and vpc2"
Project = "CIS Certification"
}
}
resource "aws_route_table" "public_route_table9" {
vpc_id = aws_vpc.vpc1.id
tags = {
Name = "public-route-table"
Project = "CIS Certification"
}
}
resource "aws_route_table" "private_route_table" {
vpc_id = aws_vpc.vpc1.id
tags = {
Project = "CIS Certification"
}
}
resource "aws_route" "private_route2" {
route_table_id = aws_route_table.public_route_table9.id
destination_cidr_block = "0.0.0.0/0"
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
depends_on = [aws_route_table.public_route_table9]
}
resource "aws_route_table_association" "private_route_table_association" {
subnet_id = aws_subnet.private.*.id[0]
route_table_id = aws_route_table.private_route_table.id
}
Positive test num. 3 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.55.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable vpc_1_cidr_block {
type = string
default = "10.0.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_2_cidr_block {
type = string
default = "10.2.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_cidr_public_block {
type = string
default = "10.0.1.0/24"
description = "public CIDR block"
}
variable vpc_cidr_private_block {
type = string
default = "10.0.2.0/24"
description = "private CIDR block"
}
resource "aws_vpc" "vpc1" {
cidr_block = var.vpc_1_cidr_block
tags = {
Name = "tf-test-vpc-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_public_block
availability_zone = "us-east-1a"
tags = {
Name = "public-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_private_block
availability_zone = "us-east-1a"
tags = {
Name = "private-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_vpc" "vpc2" {
cidr_block = var.vpc_2_cidr_block
tags = {
Name = "tf-test-vpc-2"
Project = "CIS Certification"
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc1.id
tags = {
Name = "igw"
Project = "CIS Certification"
}
}
resource "aws_eip" "nat" {}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public.*.id[0]
tags = {
Name = "nat"
Project = "CIS Certification"
}
depends_on = [aws_internet_gateway.igw]
}
data "aws_caller_identity" "current" {}
resource "aws_vpc_peering_connection" "my_peering" {
peer_owner_id = data.aws_caller_identity.current.account_id
peer_vpc_id = aws_vpc.vpc1.id
vpc_id = aws_vpc.vpc2.id
auto_accept = true
tags = {
Name = "VPC Peering between vpc1 and vpc2"
Project = "CIS Certification"
}
}
resource "aws_route_table" "public_route_table" {
vpc_id = aws_vpc.vpc1.id
route = [
{
cidr_block = "0.0.0.0/0"
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
gateway_id = ""
instance_id = ""
ipv6_cidr_block = ""
egress_only_gateway_id = ""
nat_gateway_id = ""
network_interface_id = ""
transit_gateway_id = ""
carrier_gateway_id = ""
destination_prefix_list_id = ""
local_gateway_id = ""
vpc_endpoint_id = ""
}
]
tags = {
Name = "public_route_table"
Project = "CIS Certification"
}
}
resource "aws_route_table" "private_route_table" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = aws_vpc.vpc2.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
}
tags = {
Name = "private_route_table"
Project = "CIS Certification"
}
}
resource "aws_route_table_association" "private_route_table_association" {
subnet_id = aws_subnet.private.id
route_table_id = aws_route_table.private_route_table.id
}
Positive test num. 4 - tf file
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "<= 3.49.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable vpc_1_cidr_block {
type = string
default = "10.0.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_2_cidr_block {
type = string
default = "10.2.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_cidr_public_block {
type = string
default = "10.0.1.0/24"
description = "public CIDR block"
}
variable vpc_cidr_private_block {
type = string
default = "10.0.2.0/24"
description = "private CIDR block"
}
resource "aws_vpc" "vpc1" {
cidr_block = var.vpc_1_cidr_block
tags = {
Name = "tf-test-vpc-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_public_block
availability_zone = "us-east-1a"
tags = {
Name = "public-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_private_block
availability_zone = "us-east-1a"
tags = {
Name = "private-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_vpc" "vpc2" {
cidr_block = var.vpc_2_cidr_block
tags = {
Name = "tf-test-vpc-2"
Project = "CIS Certification"
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc1.id
tags = {
Name = "igw"
Project = "CIS Certification"
}
}
resource "aws_eip" "nat" {}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public.*.id[0]
tags = {
Name = "nat"
Project = "CIS Certification"
}
depends_on = [aws_internet_gateway.igw]
}
data "aws_caller_identity" "current" {}
resource "aws_vpc_peering_connection" "my_peering" {
peer_owner_id = data.aws_caller_identity.current.account_id
peer_vpc_id = aws_vpc.vpc1.id
vpc_id = aws_vpc.vpc2.id
auto_accept = true
tags = {
Name = "VPC Peering between vpc1 and vpc2"
Project = "CIS Certification"
}
}
resource "aws_route_table" "public_route_table" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = "10.0.0.0/8"
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
}
tags = {
Name = "public_route_table"
Project = "CIS Certification"
}
}
resource "aws_route_table" "private_route_table" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = aws_vpc.vpc2.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
}
tags = {
Name = "private_route_table"
Project = "CIS Certification"
}
}
resource "aws_route_table_association" "private_route_table_association" {
subnet_id = aws_subnet.private.id
route_table_id = aws_route_table.private_route_table.id
}
Negative test num. 2 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "<= 3.49.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable vpc_1_cidr_block {
type = string
default = "10.0.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_2_cidr_block {
type = string
default = "10.2.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_cidr_public_block {
type = string
default = "10.0.1.0/24"
description = "public CIDR block"
}
variable vpc_cidr_private_block {
type = string
default = "10.0.2.0/24"
description = "private CIDR block"
}
resource "aws_vpc" "vpc1" {
cidr_block = var.vpc_1_cidr_block
tags = {
Name = "tf-test-vpc-2"
Project = "CIS Certification"
}
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_public_block
availability_zone = "us-east-1a"
tags = {
Name = "public-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_private_block
availability_zone = "us-east-1a"
tags = {
Name = "private-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_vpc" "vpc2" {
cidr_block = var.vpc_2_cidr_block
tags = {
Name = "tf-test-vpc-2"
Project = "CIS Certification"
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc1.id
tags = {
Name = "igw"
Project = "CIS Certification"
}
}
resource "aws_eip" "nat" {}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public.*.id[0]
tags = {
Name = "nat"
Project = "CIS Certification"
}
depends_on = [aws_internet_gateway.igw]
}
data "aws_caller_identity" "current" {}
resource "aws_vpc_peering_connection" "my_peering" {
peer_owner_id = data.aws_caller_identity.current.account_id
peer_vpc_id = aws_vpc.vpc1.id
vpc_id = aws_vpc.vpc2.id
auto_accept = true
tags = {
Name = "VPC Peering between vpc1 and vpc2"
Project = "CIS Certification"
}
}
resource "aws_route_table" "public_route_table2" {
vpc_id = aws_vpc.vpc1.id
tags = {
Name = "public-route-table"
Project = "CIS Certification"
}
}
resource "aws_route_table" "private_route_table" {
vpc_id = aws_vpc.vpc1.id
tags = {
Project = "CIS Certification"
}
}
resource "aws_route" "private_route2" {
route_table_id = aws_route_table.public_route_table2.id
destination_cidr_block = "10.0.0.0/8"
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
depends_on = [aws_route_table.public_route_table2]
}
resource "aws_route_table_association" "private_route_table_association" {
subnet_id = aws_subnet.private.*.id[0]
route_table_id = aws_route_table.private_route_table.id
}
Negative test num. 3 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.55.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
variable vpc_1_cidr_block {
type = string
default = "10.0.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_2_cidr_block {
type = string
default = "10.2.0.0/16"
description = "vpc default CIDR block"
}
variable vpc_cidr_public_block {
type = string
default = "10.0.1.0/24"
description = "public CIDR block"
}
variable vpc_cidr_private_block {
type = string
default = "10.0.2.0/24"
description = "private CIDR block"
}
resource "aws_vpc" "vpc1" {
cidr_block = var.vpc_1_cidr_block
tags = {
Name = "tf-test-vpc-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_public_block
availability_zone = "us-east-1a"
tags = {
Name = "public-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.vpc1.id
cidr_block = var.vpc_cidr_private_block
availability_zone = "us-east-1a"
tags = {
Name = "private-subnet-1"
Project = "CIS Certification"
}
}
resource "aws_vpc" "vpc2" {
cidr_block = var.vpc_2_cidr_block
tags = {
Name = "tf-test-vpc-2"
Project = "CIS Certification"
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc1.id
tags = {
Name = "igw"
Project = "CIS Certification"
}
}
resource "aws_eip" "nat" {}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public.*.id[0]
tags = {
Name = "nat"
Project = "CIS Certification"
}
depends_on = [aws_internet_gateway.igw]
}
data "aws_caller_identity" "current" {}
resource "aws_vpc_peering_connection" "my_peering" {
peer_owner_id = data.aws_caller_identity.current.account_id
peer_vpc_id = aws_vpc.vpc1.id
vpc_id = aws_vpc.vpc2.id
auto_accept = true
tags = {
Name = "VPC Peering between vpc1 and vpc2"
Project = "CIS Certification"
}
}
resource "aws_route_table" "public_route_table" {
vpc_id = aws_vpc.vpc1.id
route = [
{
cidr_block = "10.0.0.0/8"
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
gateway_id = ""
instance_id = ""
ipv6_cidr_block = ""
egress_only_gateway_id = ""
nat_gateway_id = ""
network_interface_id = ""
transit_gateway_id = ""
carrier_gateway_id = ""
destination_prefix_list_id = ""
local_gateway_id = ""
vpc_endpoint_id = ""
}
]
tags = {
Name = "public_route_table"
Project = "CIS Certification"
}
}
resource "aws_route_table" "private_route_table" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = aws_vpc.vpc2.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
}
tags = {
Name = "private_route_table"
Project = "CIS Certification"
}
}
resource "aws_route_table_association" "private_route_table_association" {
subnet_id = aws_subnet.private.id
route_table_id = aws_route_table.private_route_table.id
}