Google Compute Network Using Firewall Rule that Allows All Ports

• Query id: 3602d273-3290-47b2-80fa-720162b1a8af
• Query name: Google Compute Network Using Firewall Rule that Allows All Ports
• Platform: Ansible
• Severity: Medium
• Category: Networking and Firewall
• URL: Github

Description

Google Compute Network should not use a firewall rule that allows all ports
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

- name: create a firewall2
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
    - ip_protocol: tcp
      ports:
      - '0-65535'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network2 }}"
- name: create a network2
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network2

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: create a firewall
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
    - ip_protocol: tcp
      ports:
      - '22'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network }}"
- name: create a network
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network