no-public-ingress
Default Severity: critical
Explanation
Network security rules should not use very broad source subnets.
Where possible, break networks into smaller subnets and avoid the /0 subnet, which matches every address.
Possible Impact
The allowed ports are exposed for ingress from any address on the internet.
Suggested Resolution
Set a more restrictive CIDR range in source_ranges, limited to the networks that actually need access.
Insecure Example
The following example will fail the google-compute-no-public-ingress check.
resource "google_compute_firewall" "bad_example" {
  name    = "bad-example" # placeholder values; name and network are required by the provider
  network = "default"

  # 0.0.0.0/0 admits ingress from every IPv4 address, which is what the check flags
  source_ranges = ["0.0.0.0/0"]

  allow {
    protocol = "icmp"
  }
}
Secure Example
The following example will pass the google-compute-no-public-ingress check.
resource "google_compute_firewall" "good_example" {
  name    = "good-example" # placeholder values; name and network are required by the provider
  network = "default"

  # a single host (/32) instead of the whole internet
  source_ranges = ["1.2.3.4/32"]

  allow {
    protocol = "icmp"
  }
}
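To show how the rule above can be enforced outside the scanner, for example as a CI gate over a Terraform plan, here is an added Python example that is not part of this page or of the tool's own implementation. It walks the JSON produced by `terraform show -json tfplan` (the real `planned_values` / `root_module` / `resources` / `child_modules` layout) and reports every `google_compute_firewall` ingress rule that has an `allow` block and a `source_ranges` entry covering the whole address space (0.0.0.0/0 or ::/0). The plan excerpt embedded below is constructed from the two examples on this page plus one egress rule; the resource addresses and module name are assumptions.

```python
"""Flag google_compute_firewall ingress rules whose source_ranges include the /0 subnet."""
import ipaddress
import json
from typing import Iterator


def is_open_to_world(cidr: str) -> bool:
    """True if the CIDR is the entire IPv4 or IPv6 address space (prefix length 0)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # not a CIDR literal (e.g. a Terraform reference); not this check's job
    return net.prefixlen == 0


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a terraform show -json module tree, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_public_ingress(plan: dict) -> list[dict]:
    """Return one finding per firewall rule that allows ingress from 0.0.0.0/0 or ::/0."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "google_compute_firewall":
            continue
        values = res.get("values", {})
        # direction defaults to INGRESS when omitted; EGRESS rules use destination_ranges
        if (values.get("direction") or "INGRESS") != "INGRESS":
            continue
        if not values.get("allow"):
            continue  # deny-only rules do not expose anything
        open_ranges = [r for r in (values.get("source_ranges") or []) if is_open_to_world(r)]
        if open_ranges:
            protocols = sorted({a.get("protocol", "") for a in values["allow"]})
            findings.append(
                {"address": res["address"], "ranges": open_ranges, "protocols": protocols}
            )
    return findings


# Constructed excerpt of `terraform show -json tfplan` covering the page's two examples
# and an egress rule in a child module (module name and addresses are made up).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "google_compute_firewall.bad_example",
                    "type": "google_compute_firewall",
                    "name": "bad_example",
                    "values": {
                        "source_ranges": ["0.0.0.0/0"],
                        "allow": [{"protocol": "icmp", "ports": []}],
                        "deny": [],
                    },
                },
                {
                    "address": "google_compute_firewall.good_example",
                    "type": "google_compute_firewall",
                    "name": "good_example",
                    "values": {
                        "source_ranges": ["1.2.3.4/32"],
                        "allow": [{"protocol": "icmp", "ports": []}],
                        "deny": [],
                    },
                },
            ],
            "child_modules": [
                {
                    "address": "module.net",
                    "resources": [
                        {
                            "address": "module.net.google_compute_firewall.egress_all",
                            "type": "google_compute_firewall",
                            "name": "egress_all",
                            "values": {
                                "direction": "EGRESS",
                                "destination_ranges": ["0.0.0.0/0"],
                                "source_ranges": None,
                                "allow": [{"protocol": "all", "ports": []}],
                                "deny": [],
                            },
                        }
                    ],
                }
            ],
        }
    },
}

if __name__ == "__main__":
    print(json.dumps(find_public_ingress(SAMPLE_PLAN), indent=2))
```

Only `google_compute_firewall.bad_example` is reported; the /32 rule passes and the egress rule is skipped because its open range is a destination, not a source. Prefix length 0 is the condition this page names; a stricter policy could lower the threshold in `is_open_to_world` to catch other very broad ranges.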