Google GCE Network allows unrestricted traffic to all ports - prod.logic.yaml 🟢

Test Results 🟢

Generated at: 2025-10-25T12:02:56.493007535Z

Result | Id  | Condition Index | Condition Text                                          | Runtime Error
🟢     | 001 | 99              | isDisappeared(CA10__disappearanceTime__c)               | null
🟢     | 002 | 199             | CA10__Google_GCE_Firewall_Rules__r.has(INCOMPLIANT)     | null
🟢     | 003 | 200             | otherwise                                               | null

Generation Bundle

File                                                            | MD5
/ce/ca/google/vpc/network-all-ports-access/policy.yaml          | ED13E176D06D683C7E202E3ADA8CEF41
/ce/ca/google/vpc/network-all-ports-access/prod.logic.yaml      | 1E4ACB90FC4FCD2B5EA72CACDD31AF64
/ce/ca/google/vpc/network-all-ports-access/test-data.json       | 6B119C3F0C48D3249C610D1DC9E6FD7D
/types/CA10__CaGoogleGceFirewallRule__c/object.extracts.yaml    | AE08F20196B487A130FB166DA77692D3

Available Commands

repo-manager policies generate FULL /ce/ca/google/vpc/network-all-ports-access/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/google/vpc/network-all-ports-access/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/google/vpc/network-all-ports-access/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/google/vpc/network-all-ports-access/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/google/vpc/network-all-ports-access/prod.logic.yaml

Content

---
inputType: "CA10__CaGoogleGceNetwork__c"
testData:
  - file: test-data.json
conditions:
  - status: "INCOMPLIANT"
    currentStateMessage: "The Network has GCE Firewall Rules which allow unrestricted access to all ports."
    remediationMessage: "Modify the firewall rule to restrict access."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__Google_GCE_Firewall_Rules__r"
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "Unrestricted ingress traffic to all ports is not allowed by any firewall rule in this network."
relatedLists:
  - relationshipName: "CA10__Google_GCE_Firewall_Rules__r"
    importExtracts:
      - file: /types/CA10__CaGoogleGceFirewallRule__c/object.extracts.yaml
    conditions:
      - status: "INAPPLICABLE"
        currentStateMessage: "This is not an ingress security firewall rule."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10__direction__c"
            right:
              TEXT: "INGRESS"
      - status: "INAPPLICABLE"
        currentStateMessage: "This security firewall rule does not allow unrestricted access."
        check:
          AND:
            args:
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10__sourceRanges__c"
                  right:
                    TEXT: "0.0.0.0/0"
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10__sourceRanges__c"
                  right:
                    TEXT: "::/0"
      - status: "INCOMPLIANT"
        currentStateMessage: "This firewall rule allows traffic on all ports."
        remediationMessage: "Modify the firewall rule to restrict port access."
        check:
          GREATER_THAN:
            left:
              JSON_QUERY_NUMBER:
                arg:
                  EXTRACT: "caJsonFrom__allowedProtocolsPortsJson__c"
                expression: "length(ports[?((protocol=='all') || (startPort=='null' && endPort=='null') || ((protocol=='tcp' || protocol=='udp') && (startPort=='1' && endPort=='65535')))])"
                undeterminedIf:
                  evaluationError: "The JSON query failed."
                  resultTypeMismatch: "The JSON query did not return number type."
            right:
              NUMBER: 0.0
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "This firewall rule does not allow unrestricted traffic to all ports."
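The following is an added example, not code from the policy repository: a plain-Python re-implementation of the per-rule and per-network conditions in prod.logic.yaml above, so each verdict (INAPPLICABLE, INCOMPLIANT, COMPLIANT) can be exercised offline against constructed rules. It assumes a rule is a dict keyed by the extract names the YAML uses and that the allowed-protocols JSON stores ports as strings, as the JMESPath filter's comparisons imply.

```python
# Added example (not from the policy repository): plain-Python re-implementation
# of the per-rule and per-network conditions in prod.logic.yaml above.
# Assumptions: a rule is a dict keyed by the extract names used in the YAML, and
# the allowed-protocols JSON stores ports as strings, as the JMESPath filter's
# comparisons (startPort=='1', endPort=='65535', 'null') imply.

ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # the two TEXT values the policy tests

def allows_all_ports(entry):
    """True when one 'ports' entry matches the policy's JMESPath filter."""
    proto = entry.get("protocol")
    start, end = entry.get("startPort"), entry.get("endPort")
    return (
        proto == "all"
        or (start == "null" and end == "null")
        or (proto in ("tcp", "udp") and start == "1" and end == "65535")
    )

def evaluate_rule(rule):
    """Status of one firewall rule, in the order the YAML conditions apply."""
    if rule["CA10__direction__c"] != "INGRESS":
        return "INAPPLICABLE"  # not an ingress rule
    if rule["CA10__sourceRanges__c"] not in ANY_SOURCE:
        return "INAPPLICABLE"  # source range is already restricted
    ports = rule["caJsonFrom__allowedProtocolsPortsJson__c"]["ports"]
    # GREATER_THAN: length(ports[?filter]) > 0
    if sum(1 for p in ports if allows_all_ports(p)) > 0:
        return "INCOMPLIANT"
    return "COMPLIANT"

def evaluate_network(rules):
    """RELATED_LIST_HAS: any INCOMPLIANT rule makes the network INCOMPLIANT."""
    if any(evaluate_rule(r) == "INCOMPLIANT" for r in rules):
        return "INCOMPLIANT"
    return "COMPLIANT"

def _rule(direction, source, ports):
    """Constructed rule record in the shape the policy reads."""
    return {"CA10__direction__c": direction,
            "CA10__sourceRanges__c": source,
            "caJsonFrom__allowedProtocolsPortsJson__c": {"ports": ports}}

# Constructed sample rules, one per branch of the policy.
SAMPLE_RULES = {
    "egress_all": _rule("EGRESS", "0.0.0.0/0", [{"protocol": "all"}]),
    "internal_all": _rule("INGRESS", "10.0.0.0/8", [{"protocol": "all"}]),
    "ssh_only": _rule("INGRESS", "0.0.0.0/0", [{"protocol": "tcp", "startPort": "22", "endPort": "22"}]),
    "tcp_full_range": _rule("INGRESS", "::/0", [{"protocol": "tcp", "startPort": "1", "endPort": "65535"}]),
    "udp_no_ports": _rule("INGRESS", "0.0.0.0/0", [{"protocol": "udp", "startPort": "null", "endPort": "null"}]),
}
```

Only the rule that is ingress, open to 0.0.0.0/0 or ::/0, and matches one of the three all-ports shapes is INCOMPLIANT; a single such rule flips the whole network's verdict.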