Google Compute network using firewall rule that allows port range

Documentos > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Google Compute network using firewall rule that allows port range

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

Id: ansible-gcp-google-compute-network-using-firewall-allows-port-range

Cloud Provider: GCP

Platform: Ansible

Severity: Low

Category: Networking and Firewall

Learn More

Provider Reference

Description

Compute network firewall rules must not permit ingress using broad port ranges because ranges increase attack surface, make it harder to apply least privilege, and can unintentionally expose multiple services.

This check inspects Ansible tasks using the google.cloud.gcp_compute_firewall or gcp_compute_firewall modules and flags ingress rules where allowed[].ports[] entries are numeric ranges matching the start-end pattern (for example, "8000-9000"). The rule does not match the literal "0-65535".

The check applies when the firewall’s network references a compute network task, meaning the firewall network equals the compute network’s registered name. To resolve, specify explicit single ports or a minimal list of ports and scope ingress with specific source ranges or target tags.

Secure example with explicit single ports:

- name: Create restricted firewall rule
  google.cloud.gcp_compute_firewall:
    name: allow-ssh
    network: "{{ my_network.registered_name }}"
    direction: INGRESS
    allowed:
      - IPProtocol: tcp
        ports:
          - "22"
    sourceRanges:
      - "203.0.113.0/24"

Compliant Code Examples

- name: create a firewall
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
    - ip_protocol: tcp
      ports:
      - '22'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network }}"
- name: create a network
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network

Non-Compliant Code Examples

- name: create a firewall2
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
    - ip_protocol: tcp
      ports:
      - '20-1000'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network2 }}"
- name: create a network2
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network2