Query: vcn_network_security_group_restrict_ingress_ssh_all
Usage
steampipe query terraform_oci_compliance.query.vcn_network_security_group_restrict_ingress_ssh_all
Plugins & Tables
SQL
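-- Reports, for every OCI network security group (NSG) declared in Terraform,
-- whether any of its ingress rules admits SSH (TCP port 22) from 0.0.0.0/0.
--
-- Result columns: resource, status ('ok' | 'alarm'), reason, and a
-- "path:start_line" locator for the NSG definition. The locator is left
-- unaliased so the result column names stay as consumers already see them.
--
-- NOTE(review): only the IPv4 any-source CIDR 0.0.0.0/0 is matched. A rule whose
-- source is the IPv6 any-source CIDR ::/0 is not reported by this query.
-- NOTE(review): a rule is tied to its NSG through the resource name inside a
-- reference shaped like oci_core_network_security_group.<name>.id. Rules that
-- supply the id some other way (literal OCID, variable, module output) will not
-- match any NSG here, and NSGs sharing a name across files cannot be told apart.
-- NOTE(review): the ::integer casts assume min/max are numeric literals; confirm
-- how non-literal port values are rendered in terraform_resource.arguments.
with all_sg_security_rule as (
    select
        arguments
    from terraform_resource
    where type = 'oci_core_network_security_group_security_rule'
),
all_sg as (
    select
        type,
        name,
        path,
        start_line
    from terraform_resource
    where type = 'oci_core_network_security_group'
),
non_compliant as (
    -- One row per referenced NSG name, so an NSG with several offending rules
    -- (or several spellings of the same reference) yields a single result row.
    select distinct
        split_part(arguments ->> 'network_security_group_id', '.', 2) as nsg_name
    from all_sg_security_rule
    where
        arguments ->> 'direction' = 'INGRESS'
        and arguments ->> 'source_type' = 'CIDR_BLOCK'
        and arguments ->> 'source' = '0.0.0.0/0'
        and (
            -- Every protocol allowed, which includes TCP/22.
            arguments ->> 'protocol' = 'all'
            -- TCP (IANA protocol "6") with no destination port range: OCI treats
            -- the rule as open on every destination port, so port 22 is exposed
            -- even though there is no min/max to compare against.
            or (
                arguments ->> 'protocol' = '6'
                and arguments -> 'tcp_options' -> 'destination_port_range' is null
            )
            -- Explicit destination port range that contains 22.
            or (
                (arguments -> 'tcp_options' -> 'destination_port_range' ->> 'min')::integer <= 22
                and (arguments -> 'tcp_options' -> 'destination_port_range' ->> 'max')::integer >= 22
            )
        )
)
select
    a.type || ' ' || a.name as resource,
    case
        when b.nsg_name is null then 'ok'
        else 'alarm'
    end as status,
    a.name || case
        when b.nsg_name is null then ' ingress restricted for SSH from 0.0.0.0/0'
        else ' ingress rule(s) allowing SSH from 0.0.0.0/0'
    end || '.' as reason,
    a.path || ':' || a.start_line
from all_sg as a
left join non_compliant as b
    on a.name = b.nsg_name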
Controls
The query is being used by the following controls: