SECURITY RISK: Google Compute Regional Security Policy doesn't implement default deny #18427
Comments
Hi @cyber-francis! To replicate this issue it is necessary to have the following:
Yes, the resource is: google_compute_region_security_policy
You missed sharing the Terraform code. After executing a
This is not the issue I am referring to. I am referring to the "default" rule created when a security policy is created. When you checked your Cloud Armor policy via the GCP console, did you see a default deny or a default allow?
@cyber-francis yes, the policy rule was created successfully according to the Terraform code. Did you try to run it with the provided guide, or the shared example?
When I created mine, DEFAULT ALLOW was created, so I had to explicitly add a RULE FOR DENY ALL.
@cyber-francis in the steps to reproduce you specified just a
Please be more specific, because from the beginning you unfortunately haven't been sharing all the information necessary to reproduce the issue.
This is the issue I have in my org, so I can't copy and paste (because I am reporting it via my PC). This is the scenario:
You can share just the code of the affected resource, without sensitive information like:
Due to the lack of code and information, so far, with the code that we have shared with you, after some attempts the result is the same: successful and without errors. You could also create a separate project with just the involved resource to test it.
@ggtisc When I use
DEFAULT DENY is automatically created even though there is no rule. When I use this
DEFAULT ALLOW is created even though there is no rule. The REGIONAL SECURITY POLICY IS PROBLEMATIC.
@ggtisc Please, can you confirm the statement below? I think it has something to do with it:
@cyber-francis after creating both resources The only thing that doesn't match is the
@ggtisc does creating DEFAULT ALLOW not go against SECURITY BY DESIGN principles? So, for someone who doesn't know what they are doing, once they create this construct, they open the app to the whole internet. This is such an anti-security pattern. Please, what is the process to get this fixed or addressed?
@cyber-francis for this reason the documentation exists, both in the Terraform registry and in the Google Cloud documentation. I suggest you read the documentation; it is good practice to do so before starting to use any technology. Remember that you can report any bug you find; for now this topic will be closed, since it is normal behavior in accordance with everything that has been demonstrated based on the documentation.
Terraform Version & Provider Version(s)
Terraform vX.X.X
on
Affected Resource(s)
GOOGLE COMPUTE REGIONAL SECURITY POLICY
Terraform Configuration
Debug Output
No response
Expected Behavior
GOOGLE COMPUTE REGIONAL SECURITY POLICY doesn't implement default deny; instead it implements default allow, which is a security risk
Actual Behavior
No response
Steps to reproduce
terraform apply
Important Factoids
No response
References
No response
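The disagreement in this thread comes down to what the lowest-priority catch-all rule of a Cloud Armor policy does once the policy exists. As an added example (not code from the issue, the reporter, or the Terraform provider), the following Python audits policies in the JSON shape that `gcloud compute security-policies describe NAME --format=json` returns (add `--region REGION` for a regional policy) and reports every policy whose effective fallback, meaning the first enforced rule that matches every request, is not a deny. The sample policies are constructed for this example, not captured from a real project. The check also treats rules in preview mode as non-enforcing, so a deny-all that was only added in preview is flagged instead of being mistaken for a real default deny.

```python
"""Audit Cloud Armor security policies for an enforced default-deny fallback.

Input shape mimics `gcloud compute security-policies describe NAME --format=json`
(global) or the same command with `--region REGION` (regional).
"""
import json

# Cloud Armor's automatically created default rule sits at this priority value.
DEFAULT_RULE_PRIORITY = 2147483647

# Constructed sample, not captured from a real project. The first policy mirrors
# what the reporter observed (only the default rule, action "allow"); the second
# adds an explicit deny-all at the default priority; the third has a deny-all
# that exists only in preview mode and therefore does not block anything.
SAMPLE_POLICIES_JSON = """
[
  {"name": "regional-policy-as-created",
   "rules": [
     {"priority": 2147483647, "action": "allow", "preview": false,
      "description": "Default rule, higher priority overrides it",
      "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}
   ]},
  {"name": "regional-policy-hardened",
   "rules": [
     {"priority": 1000, "action": "allow", "preview": false,
      "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["10.10.0.0/16"]}}},
     {"priority": 2147483647, "action": "deny(403)", "preview": false,
      "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}
   ]},
  {"name": "deny-all-only-in-preview",
   "rules": [
     {"priority": 500, "action": "deny(404)", "preview": true,
      "match": {"expr": {"expression": "true"}}},
     {"priority": 2147483647, "action": "allow", "preview": false,
      "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}
   ]}
]
"""


def load_policies(text):
    """Parse the JSON list of policy objects."""
    return json.loads(text)


def is_catch_all(rule):
    """True if the rule matches every request: a wildcard source range or a
    CEL expression that is literally `true`."""
    match = rule.get("match", {})
    if "*" in match.get("config", {}).get("srcIpRanges", []):
        return True
    return match.get("expr", {}).get("expression", "").strip() == "true"


def effective_default(policy):
    """Return (priority, action) of the rule that decides requests nothing more
    specific matched, or None if the policy has no enforced catch-all.

    Rules are evaluated in ascending priority value and evaluation stops at the
    first match, so the first enforced catch-all shadows everything after it.
    Preview-mode rules are logged but not enforced, so they are skipped here.
    """
    enforced = [r for r in policy.get("rules", []) if not r.get("preview", False)]
    for rule in sorted(enforced, key=lambda r: int(r.get("priority", DEFAULT_RULE_PRIORITY))):
        if is_catch_all(rule):
            return int(rule["priority"]), rule["action"]
    return None


def is_default_deny(policy):
    """True only when the effective fallback is an enforced deny(...) action."""
    fallback = effective_default(policy)
    return fallback is not None and fallback[1].startswith("deny")


def audit(policies):
    """Names of policies whose fallback is not an enforced deny, in input order."""
    return [p["name"] for p in policies if not is_default_deny(p)]


if __name__ == "__main__":
    for name in audit(load_policies(SAMPLE_POLICIES_JSON)):
        print(f"{name}: fallback rule is not an enforced deny")
```

To run it against a real project, replace `SAMPLE_POLICIES_JSON` with the describe command's output wrapped in a list, or call `audit` on each policy. The priority and wildcard shape assumed for the default rule are the ones Cloud Armor uses for the rule it creates automatically; if you create the deny-all yourself, keep it at the highest priority value in the policy so that every narrower allow rule is evaluated before it.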