package iam

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoDefaultNetwork is the AVD-GCP-0010 rule: every managed Google
// project whose auto_create_network setting is true is reported, because the
// automatically created default network ships with permissive firewall rules
// that allow ingress to the project's infrastructure.
var CheckNoDefaultNetwork = rules.Register(
	scan.Rule{
		AVDID:       "AVD-GCP-0010",
		Provider:    providers.GoogleProvider,
		Service:     "iam",
		ShortCode:   "no-default-network",
		Summary:     "Default network should not be created at project level",
		Impact:      "Exposure of internal infrastructure/services to public internet",
		Resolution:  "Disable automatic default network creation",
		Explanation: `The default network which is provided for a project contains multiple insecure firewall rules which allow ingress to the project's infrastructure. Creation of this network should therefore be disabled.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoDefaultNetworkGoodExamples,
			BadExamples:         terraformNoDefaultNetworkBadExamples,
			Links:               terraformNoDefaultNetworkLinks,
			RemediationMarkdown: terraformNoDefaultNetworkRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// The check itself: each managed project yields exactly one result, a
	// finding when auto-create is enabled and a pass otherwise.
	func(s *state.State) (results scan.Results) {
		// TODO: an org-policy constraint (e.g. compute.skipDefaultNetworkCreation)
		// can suppress default-network creation regardless of this attribute;
		// constraints should be consulted before auto_create_network is judged.
		for _, proj := range s.Google.IAM.AllProjects() {
			switch {
			case proj.Metadata.IsUnmanaged():
				// Projects outside the scanned configuration are neither
				// reported nor counted as passed.
				continue
			case proj.AutoCreateNetwork.IsTrue():
				results.Add(
					"Project has automatic network creation enabled.",
					proj.AutoCreateNetwork,
				)
			default:
				results.AddPassed(proj)
			}
		}
		return results
	},
)