An inbound firewall rule allows traffic from /0.

Default Severity: critical

Explanation

Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets and avoid using the /0 subnet.

Possible Impact

The port is exposed for ingress from the internet

Suggested Resolution

Set a more restrictive cidr range

Insecure Example

The following example will fail the google-compute-no-public-ingress check.

resource "google_compute_firewall" "bad_example" {
  source_ranges = ["0.0.0.0/0"]
  allow {
    protocol = "icmp"
  }
}

Secure Example

The following example will pass the google-compute-no-public-ingress check.

resource "google_compute_firewall" "good_example" {
  source_ranges = ["1.2.3.4/32"]
  allow {
    protocol = "icmp"
  }
}

Links

• https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#source_ranges

• https://www.terraform.io/docs/providers/google/r/compute_firewall.html

• https://cloud.google.com/vpc/docs/using-firewalls