Google Compute subnetwork with Private Google Access disabled

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: ansible-gcp-google-compute-subnetwork-with-private-google-access-disabled

Cloud Provider: GCP

Platform: Ansible

Severity: Low

Category: Networking and Firewall

Learn More

Description

Subnetworks must have Private Google Access enabled so VM instances with only internal IPs can reach Google APIs and services over Google’s internal network. Without Private Google Access, operators may assign external IPs or route traffic over the public internet, increasing attack surface and the risk of data exposure or network-based attacks.

For Ansible resources using the google.cloud.gcp_compute_subnetwork or gcp_compute_subnetwork modules, the private_ip_google_access property must be defined and set to yes. Tasks missing this property or with private_ip_google_access not equal to yes are flagged.

Secure Ansible example:

- name: Create subnetwork with Private Google Access enabled
  google.cloud.gcp_compute_subnetwork:
    name: my-subnet
    region: us-central1
    ip_cidr_range: 10.0.0.0/24
    network: my-vpc
    private_ip_google_access: yes

Compliant Code Examples

- name: create a subnetwork3
  google.cloud.gcp_compute_subnetwork:
    name: ansiblenet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    private_ip_google_access: yes
    state: present

Non-Compliant Code Examples

- name: create a subnetwork2
  google.cloud.gcp_compute_subnetwork:
    name: ansiblenet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    private_ip_google_access: no
    state: present

- name: create a subnetwork
  google.cloud.gcp_compute_subnetwork:
    name: ansiblenet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present