steampipe plugin install gcp

Table: gcp_compute_firewall - Query Google Cloud Compute Engine Firewalls using SQL

Google Cloud Compute Engine Firewalls are a networking security feature that allows you to control the traffic to your virtual machine instances. They provide a flexible and robust tool for securing your instances by defining what traffic is allowed to and from your instances. Firewalls are implemented at the network level and apply to all traffic that crosses the perimeter of the network.

Table Usage Guide

The gcp_compute_firewall table can be used to gain insights into firewall rules within Google Cloud Compute Engine. As a network security administrator or a DevOps engineer, you can explore details about each firewall rule, including allowed and denied configurations, network associations, and priority. Utilize it to identify firewall rules that may be overly permissive or misconfigured, enhancing your network security posture.

Examples

Firewall rules basic info

Explore which firewall rules are in place for your Google Cloud Platform (GCP) compute instances. This allows you to understand the direction of traffic flow and assess the overall security configuration.

select
name,
id,
description,
direction
from
gcp_compute_firewall;
select
name,
id,
description,
direction
from
gcp_compute_firewall;

List of rules which are applied to TCP protocol

Explore which firewall rules are applied specifically to the TCP protocol in your Google Cloud Platform. This will help in assessing network security and identifying potential vulnerabilities.

select
name,
id,
p ->> 'IPProtocol' as ip_protocol,
p ->> 'ports' as ports
from
gcp_compute_firewall,
jsonb_array_elements(allowed) as p
where
p ->> 'IPProtocol' = 'tcp';
select
f.name,
f.id,
json_extract(p.value, '$.IPProtocol') as ip_protocol,
json_extract(p.value, '$.ports') as ports
from
gcp_compute_firewall as f,
json_each(allowed) as p
where
json_extract(p.value, '$.IPProtocol') = 'tcp';

List of disabled rules

Determine the areas in which firewall rules are disabled to strengthen your security posture in Google Cloud Platform. This can assist in identifying potential vulnerabilities and maintaining robust network security.

select
name,
id,
description,
disabled
from
gcp_compute_firewall
where
disabled;
select
name,
id,
description,
disabled
from
gcp_compute_firewall
where
disabled = 1;

List of Egress rules

Explore which firewall rules in your Google Cloud Platform are set to allow outbound traffic. This can help understand your network's security posture and identify potential vulnerabilities.

select
name,
id,
direction,
allowed,
denied
from
gcp_compute_firewall
where
direction = 'EGRESS';
select
name,
id,
direction,
allowed,
denied
from
gcp_compute_firewall
where
direction = 'EGRESS';

Control examples

Schema for gcp_compute_firewall

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
actiontextDescribes the type action specified by the rule.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
allowedjsonbThe list of ALLOW rules specified by this firewall.
creation_timestamptimestamp with time zoneThe creation timestamp of the resource.
deniedjsonbThe list of DENY rules specified by this firewall.
descriptiontextA user-specified, human-readable description of the firewall.
destination_rangesjsonbA list of CIDR ranges. The firewall rule applies only to traffic that has destination IP address in these ranges.
directiontext!=, =Direction of traffic to which this firewall applies.
disabledboolean!=, =Indicates whether the firewall rule is disabled, or not.
idbigintThe unique identifier for the resource.
kindtextSpecifies the type of the resource.
locationtextThe GCP multi-region, region, or zone in which the resource is located.
log_config_enablebooleanSpecifies whether to enable logging for a particular firewall rule, or not.
log_config_metadatatextSpecifies whether to include or exclude metadata for firewall logs.
nametext=A friendly name that identifies the resource.
networktextThe URL of the network resource for this firewall rule.
prioritybigintSpecifies the priority for this rule. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority.
projecttext=, !=, ~~, ~~*, !~~, !~~*The GCP Project in which the resource is located.
self_linktextThe server-defined URL for the resource.
source_rangesjsonbA list of CIDR ranges. The firewall rule applies only to traffic originating from an instance with a service account in this list.
source_service_accountsjsonbA list of service account. The firewall rule applies only to traffic that has a source IP address in these ranges.
source_tagsjsonbA list of tags. The firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
target_service_accountsjsonbA list of service accounts indicating sets of instances located in the network that may make network connections as specified in Allowed
target_tagsjsonbA list of tags that controls which instances the firewall rule applies to.
titletextTitle of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_compute_firewall