artifact_registry_repository_encrypted_with_kms_cmkartifact_registry_repository_not_publicly_accessiblebigquery_dataset_encrypted_with_cmkbigquery_dataset_not_publicly_accessiblebigquery_table_deletion_protection_enabledbigquery_table_encrypted_with_cmkbigquery_table_not_publicly_accessiblebigtable_instance_deletion_protection_enabledbigtable_instance_encrypted_with_kms_cmkcloudbuild_workers_use_private_ipcloudfunction_not_publicly_accessiblecloudrun_not_publicly_accessiblecompute_disk_encrypted_with_cskcompute_firewall_allow_ftp_port_20_ingresscompute_firewall_allow_ftp_port_21_ingresscompute_firewall_allow_http_port_80_ingresscompute_firewall_allow_mysql_port_3306_ingresscompute_firewall_allow_rdp_port_3389_ingresscompute_firewall_allow_ssh_port_22_ingresscompute_instance_block_project_wide_ssh_enabledcompute_instance_boot_disk_encryption_enabledcompute_instance_confidential_computing_enabledcompute_instance_ip_forwarding_disabledcompute_instance_oslogin_enabledcompute_instance_serial_port_connection_disabledcompute_instance_shielded_vm_enabledcompute_instance_with_no_default_service_accountcompute_instance_with_no_default_service_account_with_full_accesscompute_instance_with_no_public_ip_addressescompute_network_contains_no_default_networkcompute_network_contains_no_legacy_networkcompute_security_policy_prevent_message_lookupcompute_subnetwork_flow_log_enabledcompute_subnetwork_private_ip_google_accesscompute_subnetwork_private_ipv6_google_accessdataflow_encrypted_with_kms_cmkdataflow_job_not_publicly_accessibledatafusion_instance_not_publicly_accessibledatafusion_instance_stackdriver_logging_enableddatafusion_instance_stackdriver_monitoring_enableddataproc_cluster_encrypted_with_kms_cmkdataproc_cluster_not_publicly_accessibledataproc_cluster_public_ip_disableddns_managed_zone_dnssec_enableddns_managed_zone_key_signing_not_using_rsasha1dns_managed_zone_zone_signing_not_using_rsasha1iam_folder_impersonation_roleiam_folder_use_basic_roleiam_folder_use_default_service_roleiam_organization_impersonation_roleiam_organization_use_basic_roleiam_organization_use_default_service_roleiam_project_impersonation_roleiam_project_no_service_account_token_creator_roleiam_project_use_basic_roleiam_project_use_default_service_roleiam_service_account_gcp_managed_keyiam_service_account_no_admin_priviledgeiam_workload_identity_restrictedkms_key_not_publicly_accessiblekms_key_prevent_destroy_enabledkms_key_rotated_within_100_daykms_key_rotated_within_90_daykubernetes_cluster_alias_ip_range_enabledkubernetes_cluster_authenticator_group_configuredkubernetes_cluster_auto_repair_enabledkubernetes_cluster_auto_upgrade_enabledkubernetes_cluster_binary_auth_enabledkubernetes_cluster_client_certificate_authentication_disabledkubernetes_cluster_control_plane_restrict_public_accesskubernetes_cluster_cos_node_imagekubernetes_cluster_intranodal_visibility_enabledkubernetes_cluster_legacy_abac_enabledkubernetes_cluster_legacy_endpoints_disabledkubernetes_cluster_master_authorized_network_enabledkubernetes_cluster_metadata_server_enabledkubernetes_cluster_network_policy_installedkubernetes_cluster_no_cluster_level_node_poolkubernetes_cluster_node_config_image_cos_containerdkubernetes_cluster_private_cluster_config_enabledkubernetes_cluster_release_channel_configuredkubernetes_cluster_resource_label_configuredkubernetes_cluster_shielded_node_integrity_monitoring_enabledkubernetes_cluster_shielded_node_secure_boot_enabledkubernetes_cluster_shielded_nodes_enabledkubernetes_cluster_stackdriver_logging_enabledkubernetes_cluster_stackdriver_monitoring_enabledlogging_bucket_retention_policy_enabledpubsub_topic_encrypted_with_kms_cmkpubsub_topic_repository_not_publicly_accessibleredis_instance_auth_enabledredis_instance_encryption_in_transit_enabledspanner_database_deletion_protection_enabledspanner_database_drop_protection_enabledspanner_database_encrypted_with_kms_cmksql_instance_automated_backups_enabledsql_instance_mysql_local_infile_database_flag_offsql_instance_mysql_skip_show_database_flag_onsql_instance_postgresql_log_checkpoints_database_flag_onsql_instance_postgresql_log_connections_database_flag_onsql_instance_postgresql_log_disconnections_database_flag_onsql_instance_postgresql_log_duration_database_flag_onsql_instance_postgresql_log_executor_stats_database_flag_offsql_instance_postgresql_log_hostname_database_flag_configuredsql_instance_postgresql_log_lock_waits_database_flag_onsql_instance_postgresql_log_min_duration_statement_database_flag_disabledsql_instance_postgresql_log_min_error_statement_flag_setsql_instance_postgresql_log_min_messages_flag_setsql_instance_postgresql_log_parser_stats_database_flag_offsql_instance_postgresql_log_planner_stats_database_flag_offsql_instance_postgresql_log_statement_flag_setsql_instance_postgresql_log_statement_stats_database_flag_offsql_instance_postgresql_log_temp_files_database_flag_0sql_instance_postgresql_pgaudit_database_flag_onsql_instance_publicly_accessiblesql_instance_require_ssl_enabledsql_instance_sql_3625_trace_database_flag_offsql_instance_sql_contained_database_authentication_database_flag_offsql_instance_sql_cross_db_ownership_chaining_database_flag_offsql_instance_sql_external_scripts_enabled_database_flag_offsql_instance_sql_remote_access_database_flag_offsql_instance_sql_user_options_database_flag_not_configuredsql_instance_sql_with_no_public_ipsql_instance_using_latest_major_database_versionstorage_bucket_logging_enabledstorage_bucket_not_publicly_accessiblestorage_bucket_public_access_prevention_enforcedstorage_bucket_self_logging_disabledstorage_bucket_uniform_access_enabledstorage_bucket_versioning_enabledvertex_ai_dataset_encrypted_with_cmkvertex_ai_notebook_instance_restrict_public_access
Query: compute_firewall_allow_ssh_port_22_ingress
Usage
powerpipe query terraform_gcp_compliance.query.compute_firewall_allow_ssh_port_22_ingressSteampipe Tables
SQL
with rules as ( select distinct address from terraform_resource, jsonb_array_elements( case jsonb_typeof(attributes_std -> 'allow') when 'array' then (attributes_std -> 'allow') when 'object' then jsonb_build_array(attributes_std -> 'allow') else null end ) allow, jsonb_array_elements_text( case when ((allow -> 'ports') != 'null') and jsonb_array_length(allow -> 'ports') > 0 then (allow -> 'ports') else jsonb_build_array(allow -> 'ports') end) as port, jsonb_array_elements_text( case when ((attributes_std -> 'source_ranges') != 'null') and jsonb_array_length(attributes_std -> 'source_ranges') > 0 then (attributes_std -> 'source_ranges') else jsonb_build_array(attributes_std -> 'source_ranges') end) as sip where type = 'google_compute_firewall' and (attributes_std ->> 'direction' is null or lower(attributes_std ->> 'direction') = 'ingress') and lower(sip) in ('*', '0.0.0.0', '0.0.0.0/0', 'internet', 'any', '<nw>/0', '/0') and ( port in ('22', '*') or ( port like '%-%' and split_part(port, '-', 1) :: integer <= 22 and split_part(port, '-', 2) :: integer >= 22 ) ))select r.address as resource, case when g.address is null then 'ok' else 'alarm' end as status, split_part(r.address, '.', 2) || case when g.address is null then ' restricts FTP access from internet through port 22' else ' allows FTP access from internet through port 22' end || '.' reason , path || ':' || start_linefrom terraform_resource as r left join rules as g on g.address = r.addresswhere type = 'google_compute_firewall';
Controls
The query is being used by the following controls: