turbot/steampipe-mod-terraform-gcp-compliance

Control: Ensure that the default network does not exist in a project

Description

The default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it is not possible to use Cloud VPN or VPC Network Peering with the default network. The organization should create a new network based on its requirements and delete the default network.

Usage

Run the control in your terminal:

powerpipe control run terraform_gcp_compliance.control.compute_network_contains_no_default_network

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_gcp_compliance.control.compute_network_contains_no_default_network --share

SQL

This control uses a named query:

select
  address as resource,
  case
    when name not ilike 'default' then 'ok'
    else 'alarm'
  end status,
  split_part(address, '.', 2) || case
    when name not ilike 'default' and (attributes_std ->> 'project') is not null then ' ' || (attributes_std ->> 'project') || ' is not using default network'
    when name not ilike 'default' and (attributes_std ->> 'project') is null then ' provider project is not using default network'
    when name ilike 'default' and (attributes_std ->> 'project') is null then ' provider project is using default network'
    when name ilike 'default' and (attributes_std ->> 'project') is not null then ' ' || (attributes_std ->> 'project') || ' is using default network'
  end || '.' reason
  , path || ':' || start_line
from
  terraform_resource
where
  type = 'google_compute_network';
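The following Python sketch is an added example, not part of the mod: it mirrors the query's status and reason logic over a constructed Terraform snippet so the edge cases are visible. It assumes the `name` column holds the Terraform resource label (the second component of `address`) rather than the block's `name` argument, and it uses a simplified regex extractor, not a full HCL parser.

```python
import re

# Constructed Terraform source for illustration (not from the mod's repository).
SAMPLE_TF = '''
resource "google_compute_network" "default" {
  name = "default"
}
resource "google_compute_network" "Default" {
  name    = "legacy"
  project = "sandbox-123"
}
resource "google_compute_network" "app_vpc" {
  name                    = "app-vpc"
  project                 = "prod-456"
  auto_create_subnetworks = false
}
resource "google_compute_network" "default_backup" {
  name = "default"
}
'''

# Simplified extraction: flat blocks whose closing brace starts a line.
BLOCK = re.compile(r'resource\s+"google_compute_network"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

def rows(tf_source):
    """Build dicts shaped like the terraform_resource columns the query reads."""
    for label, body in BLOCK.findall(tf_source):
        attrs = dict(ATTR.findall(body))
        yield {"address": f"google_compute_network.{label}",
               "name": label, "attributes_std": attrs}  # assumption: name = label

def evaluate(row):
    """Mirror the query: ilike without wildcards is a case-insensitive exact match."""
    is_default = row["name"].lower() == "default"
    project = row["attributes_std"].get("project")
    who = project if project is not None else "provider project"
    verb = "is using" if is_default else "is not using"
    label = row["address"].split(".")[1]  # split_part(address, '.', 2)
    reason = f"{label} {who} {verb} default network."
    return row["address"], "alarm" if is_default else "ok", reason

def run_control(tf_source):
    return [evaluate(r) for r in rows(tf_source)]
```

Under that assumption, `default_backup` passes even though its `name` argument is `default`, so reviewing the `name` argument separately is worthwhile.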

Tags