forked from snyk-labs/nodejs-goof
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvulnerable.tf
More file actions
54 lines (45 loc) · 1.49 KB
/
vulnerable.tf
File metadata and controls
54 lines (45 loc) · 1.49 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# Vulnerable Terraform configuration
# WARNING: This contains security misconfigurations for demonstration purposes only
provider "aws" {
region = "us-west-2"
}
# Security group that allows SSH from anywhere (0.0.0.0/0)
# This is a security risk as it exposes SSH to the entire internet
resource "aws_security_group" "allow_ssh" {
name = "allow_ssh"
description = "Allow SSH from anywhere"
# Ingress rule allowing SSH from any IP
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # This is the security vulnerability
}
# Egress rule allowing all outbound traffic
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# Example EC2 instance using the vulnerable security group
resource "aws_instance" "example" {
ami = "ami-0c55b159cbfafe1f0" # Amazon Linux 2 AMI (us-west-2)
instance_type = "t2.micro"
vpc_security_group_ids = [aws_security_group.allow_ssh.id]
# Intentionally not encrypting the root volume
root_block_device {
volume_size = 8
volume_type = "gp2"
# encrypted = true # This is intentionally commented out to create a vulnerability
}
tags = {
Name = "Vulnerable-Instance"
}
}
# Output the public IP of the instance (which would be publicly accessible via SSH)
output "instance_public_ip" {
value = aws_instance.example.public_ip
description = "The public IP of the instance (exposed to the internet)"
}