Google Compute Subnetwork with Private Google Access Disabled

  • Query id: 6a4080ae-79bd-42f6-a924-8f534c1c018b
  • Query name: Google Compute Subnetwork with Private Google Access Disabled
  • Platform: Ansible
  • Severity: Low
  • Category: Networking and Firewall
  • URL: Github

Description

A Google Compute subnetwork should have Private Google Access enabled, which means the 'private_ip_google_access' parameter of the google.cloud.gcp_compute_subnetwork module should be set to yes. The parameter defaults to disabled, so omitting it (positive test 1) is equivalent to setting it to no (positive test 2); in both cases instances that have only internal IP addresses cannot reach Google APIs and services unless they are given an external IP or routed through NAT.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: create a subnetwork
  google.cloud.gcp_compute_subnetwork:
    name: ansiblenet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
Positive test num. 2 - yaml file
- name: create a subnetwork2
  google.cloud.gcp_compute_subnetwork:
    name: ansiblenet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    private_ip_google_access: no
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: create a subnetwork3
  google.cloud.gcp_compute_subnetwork:
    name: ansiblenet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    private_ip_google_access: yes
    state: present
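The check the description defines, applied to the three tasks above, as an added example that is not KICS's own query implementation. It works on tasks as they look after `yaml.safe_load` (PyYAML turns `yes`/`no` into booleans, other loaders may leave them as strings, so both shapes are handled), and it descends into `block`/`rescue`/`always` sections, which goes beyond what the samples on this page show. The sample tasks are constructed from the page's positive and negative tests; `MODULE_NAMES`, `is_enabled` and `find_subnets_without_private_access` are names chosen for this example.

```python
"""Detection logic for "Google Compute Subnetwork with Private Google Access
Disabled" over parsed Ansible tasks. Example code, not the KICS query itself."""

# Both the fully qualified and the short module name identify a subnetwork task.
MODULE_NAMES = ("google.cloud.gcp_compute_subnetwork", "gcp_compute_subnetwork")

# YAML 1.1 spellings of a boolean, in case the loader kept them as strings.
YAML_TRUE = {"yes", "true", "on", "y"}


def is_enabled(value):
    """True only for an affirmative private_ip_google_access value.

    None (parameter omitted) and every non-affirmative value count as disabled,
    matching the module default."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in YAML_TRUE
    return False


def iter_tasks(items):
    """Yield each task in a task list, descending into block/rescue/always."""
    for item in items:
        if not isinstance(item, dict):
            continue
        nested = False
        for section in ("block", "rescue", "always"):
            if isinstance(item.get(section), list):
                nested = True
                yield from iter_tasks(item[section])
        if not nested:
            yield item


def find_subnets_without_private_access(tasks):
    """Return (task name, reason) for every subnetwork task that fails the check."""
    findings = []
    for task in iter_tasks(tasks):
        for module in MODULE_NAMES:
            params = task.get(module)
            if not isinstance(params, dict):
                continue
            name = task.get("name", "<unnamed task>")
            if "private_ip_google_access" not in params:
                findings.append((name, "private_ip_google_access is not set (defaults to disabled)"))
            elif not is_enabled(params["private_ip_google_access"]):
                findings.append((name, "private_ip_google_access is not yes"))
    return findings


# Constructed sample: the page's three tasks as PyYAML would load them, plus a
# block-wrapped task using the short module name and a string-valued boolean.
def _subnet(name, **extra):
    params = {
        "name": "ansiblenet",
        "region": "us-west1",
        "network": "{{ network }}",
        "ip_cidr_range": "172.16.0.0/16",
        "project": "test_project",
        "auth_kind": "serviceaccount",
        "service_account_file": "/tmp/auth.pem",
        "state": "present",
    }
    params.update(extra)
    return params


SAMPLE_TASKS = [
    {"name": "create a subnetwork",
     "google.cloud.gcp_compute_subnetwork": _subnet("ansiblenet")},
    {"name": "create a subnetwork2",
     "google.cloud.gcp_compute_subnetwork": _subnet("ansiblenet", private_ip_google_access=False)},
    {"name": "create a subnetwork3",
     "google.cloud.gcp_compute_subnetwork": _subnet("ansiblenet", private_ip_google_access=True)},
    {"block": [
        {"name": "nested subnetwork",
         "gcp_compute_subnetwork": _subnet("ansiblenet", private_ip_google_access="Yes")},
    ]},
]

if __name__ == "__main__":
    for task_name, reason in find_subnets_without_private_access(SAMPLE_TASKS):
        print(f"{task_name}: {reason}")
```

Run against the sample it reports the two positive tests and stays silent on the negative test and the nested task; to scan a real playbook, pass `yaml.safe_load(open(path).read())` (or the `tasks:` list of a play) in place of `SAMPLE_TASKS`.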