For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-gcp-google-compute-network-using-default-firewall-rule.md. A documentation index is available at /llms.txt.

Google Compute network using default firewall rule

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-gcp-google-compute-network-using-default-firewall-rule

Provider: GCP

Platform: Ansible

Severity: Medium

Category: Networking and Firewall

Learn More

Description

Using a default firewall rule named “default” can expose a Compute Network to overly permissive ingress or egress, violating least-privilege network segmentation and increasing the risk of unauthorized access and lateral movement.

This rule flags Ansible tasks using the google.cloud.gcp_compute_firewall or gcp_compute_firewall module where the firewall name contains “default” and the network property attaches to a network created or registered by a prior google.cloud.gcp_compute_network or gcp_compute_network task. Specifically, firewall tasks with name including “default” and network set to the registered network value (for example, network: "{{ <compute_task.register> }}") are flagged.

Replace default rules with explicit, least-privilege firewall rules that specify precise allowed ports and source ranges, or reference the intended network and rule names explicitly rather than reusing the default.

Compliant Code Examples

- name: create a firewall
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
    - ip_protocol: tcp
      ports:
      - '22'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network }}"
- name: create a network
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network

Non-Compliant Code Examples

- name: create a firewall2
  google.cloud.gcp_compute_firewall:
    name: default
    allowed:
    - ip_protocol: tcp
      ports:
      - '22'
    state: present
    network: "{{ my_network2 }}"
- name: create a network2
  google.cloud.gcp_compute_network:
    name: test_object2
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network2