Turbot Guardrails Hub 
Hub
Policy Packs
GCP CIS v2.0.0 - Section 3 - Networking
Overview
12
Policy Settings
0
Variables
DevelopersGithub

Policy Setting: GCP > Network > Firewall > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

Source

resource "turbot_policy_setting" "gcp_network_firewall_approved_custom" {
  resource       = turbot_policy_pack.main.id
  type           = "tmod:@turbot/gcp-network#/policy/types/firewallApprovedCustom"
  note           = "GCP CIS v2.0.0 - Control: 3.10"
  template_input = <<-EOT
    {
      firewall {
        sourceRanges: get(path: "sourceRanges")
        allowed: get(path: "allowed")
      }
    }
  EOT
  template       = <<-EOT
    {%- set results = [] -%}


    {%- if $.firewall.sourceRanges != null -%}


      {%- set allowedSourceIPRanges = ["35.235.240.0/20", "130.211.0.0/22", "35.191.0.0/16"] -%}


      {%- set allRequiredIpExist = true -%}


      {%- for ip in allowedSourceIPRanges -%}


        {%- if ip not in $.firewall.sourceRanges -%}


          {%- set allRequiredIpExist = false -%}


        {%- endif -%}


      {%- endfor -%}


      {%- if allRequiredIpExist -%}


        {%- set data = {
            "title": "Source Ranges",
            "result": "Approved",
            "message": "All required source ranges are defined"
        } -%}


      {%- else -%}


        {%- set data = {
            "title": "Source Ranges",
            "result": "Not approved",
            "message": "All required source ranges are not defined"
        } -%}


      {%- endif -%}


      {% set results = results.concat(data) -%}


    {%- else -%}


      {%- set data = {
          "title": "Source Ranges",
          "result": "Skip",
          "message": "No data for source ranges yet"
      } -%}


      {% set results = results.concat(data) -%}


    {%- endif -%}


    {%- if $.firewall.allowed != null -%}


      {%- set desiredPorts = ["22", "80", "443", "3389"] -%}


      {%- set allowProtocolsAndPorts = false -%}


      {%- for allow in $.firewall.allowed -%}


        {%- if allow.IPProtocol == "tcp" and allow.ports is defined -%}


          {%- for port in allow.ports -%}


            {%- if port in desiredPorts -%}


              {%- set allowProtocolsAndPorts = true -%}


            {%- endif -%}


          {%- endfor -%}


        {%- endif -%}


      {%- endfor -%}


      {%- if allowProtocolsAndPorts -%}


        {%- set data = {
            "title": "Allowed Ports",
            "result": "Approved",
            "message": "Required ports are allowed"
        } -%}


      {%- else -%}


        {%- set data = {
            "title": "Allowed Ports",
            "result": "Not approved",
            "message": "Required ports are not allowed"
        } -%}


      {%- endif -%}


      {% set results = results.concat(data) -%}


    {%- else -%}


      {%- set data = {
          "title": "Allowed Ports",
          "result": "Skip",
          "message": "No data for allowed ports yet"
      } -%}


      {% set results = results.concat(data) -%}


    {%- endif -%}


    {{ results | json }}
  EOT
}