Query: network_policy_blocked_list_set

Usage

powerpipe query snowflake_compliance.query.network_policy_blocked_list_set

Steampipe Tables

snowflake_account_parameter

snowflake_network_policy

SQL

with applied_network_policy as (
  select
    name,
    coalesce(blocked_ip_list, '') as blocked_ip_list,
    -- blocked_ip_list is optional therefore can be null
    account
  from
    snowflake_network_policy
  where
    name = (
      select
        value
      from
        snowflake_account_parameter
      where
        key = 'NETWORK_POLICY'
    )
),
analysis as (
  select
    name,
    to_jsonb ($1 :: text [ ]) < @ array_to_json(string_to_array(blocked_ip_list, ',')) :: jsonb as has_blocked_ips,
    to_jsonb ($1) - string_to_array(blocked_ip_list, ',', '') as missing_ips,
    account
  from
    applied_network_policy
)
select
  coalesce(analysis.name, sap.account) as resource,
  case
    when (
      select
        count(*)
      from
        applied_network_policy
      group by
        name
    ) is null then 'alarm'
    when has_blocked_ips then 'ok'
    else 'alarm'
  end as status,
  case
    when (
      select
        count(*)
      from
        applied_network_policy
      group by
        name
    ) is null then 'No network policy activated in the account.'
    when has_blocked_ips then name || ' has all blocked IPs.'
    else name || ' is missing blocked IPs: ' || array_to_string(
      array (
        select
          jsonb_array_elements_text(missing_ips)
      ),
      ', '
    ) || '.'
  end as reason,
  sap.account
from
  snowflake_account_parameter as sap
  left join analysis on sap.account = analysis.account
where
  key = 'NETWORK_POLICY';

Controls

The query is being used by the following controls:

Use network policies blocked list to deny access to specific list of IPv4 addresses