Google Compute Subnetwork with Private Google Access Disabled
- Query id: ee7b93c1-b3f8-4a3b-9588-146d481814f5
- Query name: Google Compute Subnetwork with Private Google Access Disabled
- Platform: Terraform
- Severity: Low
- Category: Networking and Firewall
- CWE: Ongoing
- URL: Github
Description
A `google_compute_subnetwork` should have Private Google Access enabled, which means `private_ip_google_access` should be set to `true`. With it enabled, VM instances in the subnetwork that have only internal IP addresses can reach the public endpoints of Google APIs and services (Cloud Storage, BigQuery, Artifact Registry and so on) without being assigned an external IP address or routed through Cloud NAT. The setting adds no inbound path; it only permits egress from internal-only instances to Google services. The attribute defaults to `false` in the provider, so the query flags both a subnetwork that sets it to `false` explicitly and one that omits it entirely.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```hcl
# private_ip_google_access is omitted, so it takes the provider default (false):
# instances with only internal IPs cannot reach Google APIs from this subnet.
resource "google_compute_subnetwork" "positive1" {
  name          = "test-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.custom-test.id
  secondary_ip_range {
    range_name    = "tf-test-secondary-range-update1"
    ip_cidr_range = "192.168.10.0/24"
  }
}

resource "google_compute_network" "custom-test" {
  name                    = "test-network"
  auto_create_subnetworks = false
}
```
Positive test num. 2 - tf file
```hcl
# Private Google Access explicitly disabled; same effect as omitting the attribute.
resource "google_compute_subnetwork" "positive2" {
  name          = "test-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.custom-test.id
  secondary_ip_range {
    range_name    = "tf-test-secondary-range-update1"
    ip_cidr_range = "192.168.10.0/24"
  }
  private_ip_google_access = false
}

resource "google_compute_network" "custom-test" {
  name                    = "test-network"
  auto_create_subnetworks = false
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```hcl
# Private Google Access enabled: internal-only instances in this subnet can reach
# Google APIs and services without an external IP or Cloud NAT.
resource "google_compute_subnetwork" "negative1" {
  name          = "test-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.custom-test.id
  secondary_ip_range {
    range_name    = "tf-test-secondary-range-update1"
    ip_cidr_range = "192.168.10.0/24"
  }
  private_ip_google_access = true
}

resource "google_compute_network" "custom-test" {
  name                    = "test-network"
  auto_create_subnetworks = false
}
```
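As an added example that is not part of the KICS query or its test cases, the following Python script applies the same rule to the JSON that `terraform show -json tfplan` emits: it walks the planned resources, including those inside child modules, and reports every `google_compute_subnetwork` whose `private_ip_google_access` is `false` or absent. The embedded plan is constructed for this example; it mirrors the three samples above plus one subnetwork inside a module, and the module and resource names (`module.shared_vpc`, `app`) are assumptions. In a real plan Terraform usually renders the provider default, so an omitted attribute typically appears as `false` rather than missing; the script treats both the same way.

```python
"""Scan a Terraform plan for Google subnetworks without Private Google Access.

Input is the JSON written by `terraform show -json tfplan`. The walk follows
Terraform's documented plan layout: planned_values.root_module.resources plus
nested child_modules. The sample plan below is constructed for this example.
"""
import json
import sys
from typing import Iterator

RESOURCE_TYPE = "google_compute_subnetwork"
ATTRIBUTE = "private_ip_google_access"


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a module, then recurse into its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_subnets_without_pga(plan: dict) -> list[dict]:
    """Return one finding per managed subnetwork whose PGA is not true.

    An omitted attribute is reported too: the provider default is false, so
    leaving it out (positive test 1 above) is equivalent to disabling it.
    """
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE or res.get("mode", "managed") != "managed":
            continue  # other resource types and data sources are out of scope
        values = res.get("values") or {}
        enabled = values.get(ATTRIBUTE)
        if enabled is True:
            continue
        findings.append({
            "address": res.get("address"),
            "subnet": values.get("name"),
            "region": values.get("region"),
            "reason": ("attribute omitted (defaults to false)" if enabled is None
                       else f"attribute set to {enabled!r}"),
        })
    return findings


def _subnet(address: str, name: str, region: str, **extra) -> dict:
    """Build one planned resource entry in the shape `terraform show -json` uses."""
    return {"address": address, "mode": "managed", "type": RESOURCE_TYPE,
            "name": address.rsplit(".", 1)[1],
            "values": {"name": name, "region": region, **extra}}


# Constructed sample plan: the page's three test cases plus a module subnet.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                # positive test 1: attribute not set at all
                _subnet("google_compute_subnetwork.positive1", "test-subnetwork", "us-central1"),
                # positive test 2: explicitly disabled
                _subnet("google_compute_subnetwork.positive2", "test-subnetwork", "us-central1",
                        **{ATTRIBUTE: False}),
                # negative test 1: compliant
                _subnet("google_compute_subnetwork.negative1", "test-subnetwork", "us-central1",
                        **{ATTRIBUTE: True}),
                # unrelated resource type, must be ignored by the check
                {"address": "google_compute_network.custom-test", "mode": "managed",
                 "type": "google_compute_network", "name": "custom-test",
                 "values": {"name": "test-network", "auto_create_subnetworks": False}},
            ],
            "child_modules": [{
                "address": "module.shared_vpc",  # assumed module name
                "resources": [
                    _subnet("module.shared_vpc.google_compute_subnetwork.app",
                            "app-subnet", "europe-west1", **{ATTRIBUTE: False}),
                ],
            }],
        }
    },
}


def scan_sample() -> list[dict]:
    """Run the check against the constructed sample plan."""
    return find_subnets_without_pga(SAMPLE_PLAN)


def main(argv: list[str]) -> int:
    """Scan the plan file given as argv[1], or the embedded sample if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = find_subnets_without_pga(plan)
    for f in findings:
        print(f"{f['address']} ({f['subnet']}, {f['region']}): {f['reason']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the embedded sample, or feed it a real plan, for example (file names are illustrative): `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python pga_check.py plan.json`. It exits non-zero when any subnetwork lacks Private Google Access, so it can sit beside KICS as a CI gate; the two positive samples and the module subnet are reported, the negative sample and the network resource are not.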