Google Compute Network Using Default Firewall Rule

  • Query id: 29b8224a-60e9-4011-8ac2-7916a659841f
  • Query name: Google Compute Network Using Default Firewall Rule
  • Platform: Ansible
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 1188
  • URL: Github

Description

A Google Compute Network should not use the default firewall rule: the `google.cloud.gcp_compute_firewall` task should create a rule with its own distinct name rather than `default`, as the samples below show.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# The network is created and registered first so that "{{ my_network2 }}" is
# defined by the time the firewall task references it.
- name: create a network2
  google.cloud.gcp_compute_network:
    name: test_object2
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network2
- name: create a firewall2
  google.cloud.gcp_compute_firewall:
    name: default   # the firewall rule is named "default": this is what the query flags
    allowed:
    - ip_protocol: tcp
      ports:
      - '22'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network2 }}"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Network first so that "{{ my_network }}" is defined for the firewall task.
- name: create a network
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network
- name: create a firewall
  google.cloud.gcp_compute_firewall:
    name: test_object   # a dedicated rule name instead of "default"
    allowed:
    - ip_protocol: tcp
      ports:
      - '22'
    target_tags:        # the rule applies only to tagged instances, not network-wide
    - test-ssh-server
    - staging-ssh-server
    source_tags:        # and only accepts traffic from tagged clients
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network }}"
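The following is an added example of how this query's logic can be reproduced as a standalone check; it is not KICS's own implementation and none of its names come from the page. It walks a parsed Ansible task list (the structure `yaml.safe_load` returns for the samples above, embedded here as a constructed Python list so the check runs without PyYAML), accepts both the fully-qualified and the short module name, descends into `block`/`rescue`/`always` sections, distinguishes the task-level `name` label from the module's `name` parameter, and, as a design choice of this example, does not flag a task that removes the `default` rule with `state: absent`.

```python
"""Flag Ansible tasks that manage a GCP firewall rule named ``default``.

Added example (not the KICS implementation). The check operates on the parsed
task list, so PyYAML is only needed for the optional command-line path at the
bottom of the file.
"""
from typing import Iterable, Iterator

# Fully-qualified collection name and the short name that older playbooks use.
FIREWALL_MODULES = {"google.cloud.gcp_compute_firewall", "gcp_compute_firewall"}
DEFAULT_RULE_NAME = "default"


def iter_tasks(tasks: Iterable) -> Iterator[dict]:
    """Yield every leaf task, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = False
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                nested = True
                yield from iter_tasks(task[section])
        if not nested:
            yield task


def uses_default_firewall_rule(task: dict) -> bool:
    """True when the task creates or keeps a gcp_compute_firewall named 'default'.

    Only the module parameter ``name`` (the resource name in GCP) matters; the
    task-level ``name`` is just a human-readable label. A task with
    ``state: absent`` removes the rule rather than using it and is not flagged.
    """
    for module in FIREWALL_MODULES:
        params = task.get(module)
        if isinstance(params, dict):
            if params.get("name") != DEFAULT_RULE_NAME:
                return False
            return params.get("state", "present") != "absent"
    return False


def find_default_firewall_rules(tasks: Iterable) -> list:
    """Return the task labels of every offending task, for reporting."""
    return [
        str(task.get("name", "<unnamed task>"))
        for task in iter_tasks(tasks)
        if uses_default_firewall_rule(task)
    ]


# Constructed sample: the page's positive and negative tests as parsed data,
# plus two edge cases (short module name inside a block; deletion of the rule).
SAMPLE_TASKS = [
    {"name": "create a firewall2",
     "google.cloud.gcp_compute_firewall": {
         "name": "default",
         "allowed": [{"ip_protocol": "tcp", "ports": ["22"]}],
         "state": "present", "network": "{{ my_network2 }}"}},
    {"name": "create a firewall",
     "google.cloud.gcp_compute_firewall": {
         "name": "test_object",
         "allowed": [{"ip_protocol": "tcp", "ports": ["22"]}],
         "target_tags": ["test-ssh-server", "staging-ssh-server"],
         "source_tags": ["test-ssh-clients"],
         "state": "present", "network": "{{ my_network }}"}},
    {"name": "legacy tasks", "block": [
        {"name": "short module name",
         "gcp_compute_firewall": {"name": "default", "state": "present"}},
    ]},
    {"name": "remove default rule",
     "google.cloud.gcp_compute_firewall": {"name": "default", "state": "absent"}},
]


if __name__ == "__main__":
    import sys
    import yaml  # PyYAML, used only for this CLI path

    with open(sys.argv[1]) as fh:
        doc = yaml.safe_load(fh) or []
    tasks = []
    for item in doc:
        if isinstance(item, dict) and "hosts" in item:   # a play inside a playbook
            tasks.extend(item.get("tasks") or [])
        else:                                            # a bare task file
            tasks.append(item)
    findings = find_default_firewall_rules(tasks)
    for label in findings:
        print(f"default firewall rule managed by task: {label}")
    sys.exit(1 if findings else 0)
```

Run against the constructed sample, only the first task (the page's positive test) and the short-name task inside the block are reported; the negative test and the `state: absent` task are not.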