Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Cloudformation NLB Listener Rules are incorrectly detected as ALB rules and fail the HTTPS expectation

See original GitHub issue

Describe the bug NLB listeners are evaluated as ALB listeners, and fail because they don’t use HTTPS

To Reproduce

  1. Create a Cloudformation template with NLB listeners (e.g. TCP)
  2. Run default tests
  3. Tests will fail with `"AWS::ElasticLoadBalancingV2::Listener.<listenername>" failed in check "Ensure ALB protocol is HTTPS"

Expected behavior NLB rules should pass.

Screenshots

Desktop (please complete the following information):

  • OS: Ubuntu 20.04
  • Checkov Version: 1.0.423

Additional context This resource:

    "ConsulDnsListener": {                                          
      "Type": "AWS::ElasticLoadBalancingV2::Listener",              
      "Properties": {                                               
        "DefaultActions": [                                         
          {                                                         
            "TargetGroupArn": {                                     
              "Ref": "ConsulDnsTargetGroup"                         
            },                                                      
            "Type": "forward"                                       
          }                                                         
        ],                                                          
        "LoadBalancerArn": {                                        
          "Ref": "LoadBalancerArn"                                  
        },                                                          
        "Port": 53,                                                 
        "Protocol": "TCP_UDP"                                       
      }                                                             
    },

Produces this error:

{
  "type": "failure",
  "message": "Resource \"AWS::ElasticLoadBalancingV2::Listener.ConsulDnsListener\" failed in check \"Ensure ALB protocol is HTTPS\""
}```

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:3
  • Comments:6 (1 by maintainers)

github_iconTop GitHub Comments

2reactions
matthiasrcommented, Jul 8, 2020

I agree with @luckymike – we run our own TLS terminators, fronted by NLBs. As it is, the test is both worded wrong (claims an ALB when it is an NLB) and flags valid use cases (non-TCP listeners, or cases where the connection is end-to-end encrypted).

#375 describes the solution, this issue describes the problem. It appears that I cannot reopen an issue that was opened by someone else?

2reactions
luckymikecommented, Jul 7, 2020

@nimrodkor I guess the confusion here is that the rule inaccurately identifies the listener as an ALB rule: https://github.com/bridgecrewio/checkov/blob/master/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py#L23

conf['Properties']['Protocol'] == 'TLS' is an NLB listener, not an ALB listener.

IMO, this check is overly broad and naive about the actual supported listener scenarios. For example, UDP or TCP_UDP are valid NLB listener types which don’t support load balancer terminated TLS.

At a minimum, this check should probably be reworded to correctly reflect the scope as being wider than ALB, but a better approach would likely be to split out ALB and NLB checks, b/c enforcing HTTPS for all ALBs is easy to justify as a standard, while NLBs have much broader use-cases.

Read more comments on GitHub >

github_iconTop Results From Across the Web

AWS::ElasticLoadBalancingV2::ListenerRule
Specifies a listener rule. The listener must be associated with an Application Load Balancer. Each rule consists of a priority, one or more...
Read more >
AWS::ElasticLoadBalancingV2::ListenerRule is ... - GitHub
Expected behavior: When trying to create a listener rule for weighted target groups with a network load balancer(ECS service with blue green deployment ......
Read more >
AWS ELB Listener creation fails with Validation exception
This is obviously incorrect, as ALB only supports HTTP and HTTPS protocols. For TCP you need network load balancer (NLB).
Read more >
ElasticLoadBalancingv2 — Boto3 Docs 1.26.34 documentation
For more information, see HTTPS listeners in the Application Load Balancers ... Indicates whether to use the existing client secret when modifying a...
Read more >
Architecture Considerations for Migrating Load Balancers to ...
the types of rules that can be configured on an ELB, see Listener Rules for ALB,. Listener Rules for NLB, and Listener Rules...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Have checkov be callable from Python

Next page

Change default behavior of the cloud integration: BcPlatformIntegration.get_guidelines()