terraform.gcp.security.gcp-gke-public-control-plane.gcp-gke-public-control-plane

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Ensure GKE Control Plane is not public

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: gcp-gke-public-control-plane
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_container_cluster" "..." {
          ...
          }
      - pattern-not-inside: |
          resource "google_container_cluster" "..." {
          ...
          master_authorized_networks_config {
            ...
            cidr_blocks {
                  ...
            }
            ...
          }
          ...
          }
    message: Ensure GKE Control Plane is not public
    metadata:
      owasp:
        - A05:2017 - Broken Access Control
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-284: Improper Access Control"
      category: security
      technology:
        - terraform
        - gcp
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

gcp-gke-public-control-plane.tf

# fail
# ruleid: gcp-gke-public-control-plane
resource "google_container_cluster" "fail" {
    name               = "marcellus-wallace"
    location           = "us-central1-a"
    initial_node_count = 3
}

# ok: gcp-gke-public-control-plane
resource "google_container_cluster" "success" {
    name               = "marcellus-wallace"
    location           = "us-central1-a"
    initial_node_count = 3
    master_authorized_networks_config {
        cidr_blocks {
            cidr_block   = "0.0.0.0/0"
        }
    }
}