From f373bfe4940d23efc07fa01725188abf4fec0291 Mon Sep 17 00:00:00 2001
From: lirshindalman
Date: Thu, 28 Nov 2024 17:29:46 +0200
Subject: [PATCH 1/2] .

---
 .../GCPNetworkDoesNotUseDefaultFirewall.yaml | 282 +++++++++++++++++-
 .../checks/test_yaml_policies.py | 26 +-
 2 files changed, 282 insertions(+), 26 deletions(-)

diff --git a/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml b/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
index 033b7c63583..318dfc801c2 100644
--- a/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
+++ b/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
@@ -1,17 +1,273 @@ metadata: id: "CKV2_GCP_18" - name: "Ensure GCP network defines a firewall and does not use the default firewall" - category: "NETWORKING" + name: "Mayo Build - SP149 - User accounts are forbidden from directly binding to resources; the user must be a member of a group and bound through the group" + severity: "medium" + guidelines: "Do not bind with user: type members. Add users to group and member(s) with group: account type. https://docs.mcc.mayo.edu/docs/mcc/infrastructure-as-code/sentinel#sp149-block-end-user-principle-iam-binding" + category: "iam" +scope: + provider: gcp definition: - and: - - cond_type: filter - value: - - google_compute_network - operator: within - attribute: resource_type - - cond_type: connection - operator: exists + or: + - cond_type: "attribute" resource_types: - - google_compute_network - connected_resource_types: - - google_compute_firewall \ No newline at end of file + - google_access_context_manager_access_policy_iam_policy + - google_apigee_environment_iam_policy + - google_artifact_registry_repository_iam_policy + - google_bigquery_analytics_hub_data_exchange_iam_policy + - google_bigquery_analytics_hub_listing_iam_policy + - google_bigquery_connection_iam_policy + - google_bigquery_datapolicy_data_policy_iam_policy + - google_bigquery_dataset_iam_policy + - google_bigquery_table_iam_policy + - google_bigtable_instance_iam_policy + - google_bigtable_table_iam_policy + - google_billing_account_iam_policy + - google_binary_authorization_attestor_iam_policy + - google_cloud_run_service_iam_policy + - google_cloud_run_v2_job_iam_policy + - google_cloud_run_v2_service_iam_policy + - google_cloud_tasks_queue_iam_policy + - google_cloudbuildv2_connection_iam_policy + - google_cloudfunctions_function_iam_policy + - google_cloudfunctions2_function_iam_policy + - google_compute_disk_iam_policy + - google_compute_image_iam_policy + - google_compute_instance_iam_policy + - google_compute_region_disk_iam_policy + - 
google_compute_snapshot_iam_policy + - google_compute_subnetwork_iam_policy + - google_container_analysis_note_iam_policy + - google_data_catalog_entry_group_iam_policy + - google_data_catalog_policy_tag_iam_policy + - google_data_catalog_tag_template_iam_policy + - google_data_catalog_taxonomy_iam_policy + - google_data_fusion_instance_iam_policy + - google_dataplex_asset_iam_policy + - google_dataplex_datascan_iam_policy + - google_dataplex_lake_iam_policy + - google_dataplex_task_iam_policy + - google_dataplex_zone_iam_policy + - google_dataproc_autoscaling_policy_iam_policy + - google_dataproc_cluster_iam_policy + - google_dataproc_job_iam_policy + - google_dataproc_metastore_service_iam_policy + - google_dns_managed_zone_iam_policy + - google_endpoints_service_consumers_iam_policy + - google_endpoints_service_iam_policy + - google_folder_iam_policy + - google_gke_backup_backup_plan_iam_policy + - google_gke_backup_restore_plan_iam_policy + - google_gke_hub_feature_iam_policy + - google_gke_hub_membership_iam_policy + - google_gke_hub_scope_iam_policy + - google_healthcare_consent_store_iam_policy + - google_healthcare_dataset_iam_policy + - google_healthcare_dicom_store_iam_policy + - google_healthcare_fhir_store_iam_policy + - google_healthcare_hl7_v2_store_iam_policy + - google_iap_app_engine_service_iam_policy + - google_iap_app_engine_version_iam_policy + - google_iap_tunnel_iam_policy + - google_iap_tunnel_instance_iam_policy + - google_iap_web_backend_service_iam_policy + - google_iap_web_iam_policy + - google_iap_web_region_backend_service_iam_policy + - google_iap_web_type_app_engine_iam_policy + - google_iap_web_type_compute_iam_policy + - google_kms_crypto_key_iam_policy + - google_kms_key_ring_iam_policy + - google_notebooks_instance_iam_policy + - google_notebooks_runtime_iam_policy + - google_organization_iam_policy + - google_privateca_ca_pool_iam_policy + - google_privateca_certificate_template_iam_policy + - google_project_iam_policy + - 
google_pubsub_subscription_iam_policy + - google_pubsub_topic_iam_policy + - google_scc_source_iam_policy + - google_secret_manager_secret_iam_policy + - google_service_account_iam_policy + - google_sourcerepo_repository_iam_policy + - google_spanner_database_iam_policy + - google_spanner_instance_iam_policy + - google_storage_bucket_iam_policy + - google_tags_tag_key_iam_policy + - google_tags_tag_value_iam_policy + attribute: "policy_data" + operator: "not_regex_match" + value: ".*user:.*" + - cond_type: "attribute" + resource_types: + - google_access_context_manager_access_policy_iam_member + - google_apigee_environment_iam_member + - google_artifact_registry_repository_iam_member + - google_bigquery_analytics_hub_data_exchange_iam_member + - google_bigquery_analytics_hub_listing_iam_member + - google_bigquery_connection_iam_member + - google_bigquery_datapolicy_data_policy_iam_member + - google_bigquery_dataset_iam_member + - google_bigquery_table_iam_member + - google_bigtable_instance_iam_member + - google_bigtable_table_iam_member + - google_billing_account_iam_member + - google_binary_authorization_attestor_iam_member + - google_cloud_run_service_iam_member + - google_cloud_run_v2_job_iam_member + - google_cloud_run_v2_service_iam_member + - google_cloud_tasks_queue_iam_member + - google_cloudbuildv2_connection_iam_member + - google_cloudfunctions_function_iam_member + - google_cloudfunctions2_function_iam_member + - google_compute_disk_iam_member + - google_compute_image_iam_member + - google_compute_instance_iam_member + - google_compute_region_disk_iam_member + - google_compute_snapshot_iam_member + - google_compute_subnetwork_iam_member + - google_container_analysis_note_iam_member + - google_data_catalog_entry_group_iam_member + - google_data_catalog_policy_tag_iam_member + - google_data_catalog_tag_template_iam_member + - google_data_catalog_taxonomy_iam_member + - google_data_fusion_instance_iam_member + - google_dataplex_asset_iam_member + - 
google_dataplex_datascan_iam_member + - google_dataplex_lake_iam_member + - google_dataplex_task_iam_member + - google_dataplex_zone_iam_member + - google_dataproc_autoscaling_policy_iam_member + - google_dataproc_cluster_iam_member + - google_dataproc_job_iam_member + - google_dataproc_metastore_service_iam_member + - google_dns_managed_zone_iam_member + - google_endpoints_service_consumers_iam_member + - google_endpoints_service_iam_member + - google_folder_iam_member + - google_gke_backup_backup_plan_iam_member + - google_gke_backup_restore_plan_iam_member + - google_gke_hub_feature_iam_member + - google_gke_hub_membership_iam_member + - google_gke_hub_scope_iam_member + - google_healthcare_consent_store_iam_member + - google_healthcare_dataset_iam_member + - google_healthcare_dicom_store_iam_member + - google_healthcare_fhir_store_iam_member + - google_healthcare_hl7_v2_store_iam_member + - google_iap_app_engine_service_iam_member + - google_iap_app_engine_version_iam_member + - google_iap_tunnel_iam_member + - google_iap_tunnel_instance_iam_member + - google_iap_web_backend_service_iam_member + - google_iap_web_iam_member + - google_iap_web_region_backend_service_iam_member + - google_iap_web_type_app_engine_iam_member + - google_iap_web_type_compute_iam_member + - google_kms_crypto_key_iam_member + - google_kms_key_ring_iam_member + - google_notebooks_instance_iam_member + - google_notebooks_runtime_iam_member + - google_organization_iam_member + - google_privateca_ca_pool_iam_member + - google_privateca_certificate_template_iam_member + - google_project_iam_member + - google_pubsub_subscription_iam_member + - google_pubsub_topic_iam_member + - google_scc_source_iam_member + - google_secret_manager_secret_iam_member + - google_service_account_iam_member + - google_sourcerepo_repository_iam_member + - google_spanner_database_iam_member + - google_spanner_instance_iam_member + - google_storage_bucket_iam_member + - google_tags_tag_key_iam_member + - 
google_tags_tag_value_iam_member + attribute: "member" + operator: "not_starting_with" + value: "user:" + - cond_type: "attribute" + resource_types: + - google_access_context_manager_access_policy_iam_binding + - google_apigee_environment_iam_binding + - google_artifact_registry_repository_iam_binding + - google_bigquery_analytics_hub_data_exchange_iam_binding + - google_bigquery_analytics_hub_listing_iam_binding + - google_bigquery_connection_iam_binding + - google_bigquery_datapolicy_data_policy_iam_binding + - google_bigquery_dataset_iam_binding + - google_bigquery_table_iam_binding + - google_bigtable_instance_iam_binding + - google_bigtable_table_iam_binding + - google_billing_account_iam_binding + - google_binary_authorization_attestor_iam_binding + - google_cloud_run_service_iam_binding + - google_cloud_run_v2_job_iam_binding + - google_cloud_run_v2_service_iam_binding + - google_cloud_tasks_queue_iam_binding + - google_cloudbuildv2_connection_iam_binding + - google_cloudfunctions_function_iam_binding + - google_cloudfunctions2_function_iam_binding + - google_compute_disk_iam_binding + - google_compute_image_iam_binding + - google_compute_instance_iam_binding + - google_compute_region_disk_iam_binding + - google_compute_snapshot_iam_binding + - google_compute_subnetwork_iam_binding + - google_container_analysis_note_iam_binding + - google_data_catalog_entry_group_iam_binding + - google_data_catalog_policy_tag_iam_binding + - google_data_catalog_tag_template_iam_binding + - google_data_catalog_taxonomy_iam_binding + - google_data_fusion_instance_iam_binding + - google_dataplex_asset_iam_binding + - google_dataplex_datascan_iam_binding + - google_dataplex_lake_iam_binding + - google_dataplex_task_iam_binding + - google_dataplex_zone_iam_binding + - google_dataproc_autoscaling_policy_iam_binding + - google_dataproc_cluster_iam_binding + - google_dataproc_job_iam_binding + - google_dataproc_metastore_service_iam_binding + - google_dns_managed_zone_iam_binding + 
- google_endpoints_service_consumers_iam_binding + - google_endpoints_service_iam_binding + - google_folder_iam_binding + - google_gke_backup_backup_plan_iam_binding + - google_gke_backup_restore_plan_iam_binding + - google_gke_hub_feature_iam_binding + - google_gke_hub_membership_iam_binding + - google_gke_hub_scope_iam_binding + - google_healthcare_consent_store_iam_binding + - google_healthcare_dataset_iam_binding + - google_healthcare_dicom_store_iam_binding + - google_healthcare_fhir_store_iam_binding + - google_healthcare_hl7_v2_store_iam_binding + - google_iap_app_engine_service_iam_binding + - google_iap_app_engine_version_iam_binding + - google_iap_tunnel_iam_binding + - google_iap_tunnel_instance_iam_binding + - google_iap_web_backend_service_iam_binding + - google_iap_web_iam_binding + - google_iap_web_region_backend_service_iam_binding + - google_iap_web_type_app_engine_iam_binding + - google_iap_web_type_compute_iam_binding + - google_kms_crypto_key_iam_binding + - google_kms_key_ring_iam_binding + - google_notebooks_instance_iam_binding + - google_notebooks_runtime_iam_binding + - google_organization_iam_binding + - google_privateca_ca_pool_iam_binding + - google_privateca_certificate_template_iam_binding + - google_project_iam_binding + - google_pubsub_subscription_iam_binding + - google_pubsub_topic_iam_binding + - google_scc_source_iam_binding + - google_secret_manager_secret_iam_binding + - google_service_account_iam_binding + - google_sourcerepo_repository_iam_binding + - google_spanner_database_iam_binding + - google_spanner_instance_iam_binding + - google_storage_bucket_iam_binding + - google_tags_tag_key_iam_binding + - google_tags_tag_value_iam_binding + attribute: "members[?(@ =~ '(?i)^user:')]" + operator: "jsonpath_not_exists" \ No newline at end of file diff --git a/tests/arm/graph_builder/checks/test_yaml_policies.py b/tests/arm/graph_builder/checks/test_yaml_policies.py index b29fc8fd526..bc2068e9f99 100644 
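Review bot: The new side keeps `id: "CKV2_GCP_18"` and the file name GCPNetworkDoesNotUseDefaultFirewall.yaml while replacing `name`, `category` and the entire `definition` with an unrelated IAM policy ("Mayo Build - SP149", an internal docs URL in `guidelines`), so an existing check id would be re-registered with different semantics and organisation-specific metadata would land in the upstream check set. The hunk for the same file in PATCH 2/2 reverts every line of this one, so the net change to this file across the series is nothing; squashing the two patches, or dropping this hunk, would avoid a misleading history under the subject line `.`. If the IAM policy is wanted it belongs in its own file with its own id, and its first branch (`attribute: "policy_data"`, `not_regex_match: ".*user:.*"`) only inspects the literal attribute text, which for `*_iam_policy` resources is commonly a reference to a `data.google_iam_policy` block rather than the rendered members, so it may never see a `user:` principal — worth confirming against how the graph resolves that attribute before relying on it.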
--- a/tests/arm/graph_builder/checks/test_yaml_policies.py
+++ b/tests/arm/graph_builder/checks/test_yaml_policies.py
@@ -37,23 +37,23 @@ def setUp(self) -> None:
         warnings.filterwarnings("ignore", category=ResourceWarning)
         warnings.filterwarnings("ignore", category=DeprecationWarning)
 
-    # def test_AzureSpringCloudConfigWithVnet(self):
-    #     self.go("AzureSpringCloudConfigWithVnet")
-    #
-    # def test_AzureMLWorkspacePublicNetwork(self):
-    #     self.go("AzureMLWorkspacePublicNetwork")
-    #
-    # def test_SynapseLogMonitoringEnabledForSQLPool(self):
-    #     self.go("SynapseLogMonitoringEnabledForSQLPool")
+    def test_AzureSpringCloudConfigWithVnet(self):
+        self.go("AzureSpringCloudConfigWithVnet")
+
+    def test_AzureMLWorkspacePublicNetwork(self):
+        self.go("AzureMLWorkspacePublicNetwork")
+
+    def test_SynapseLogMonitoringEnabledForSQLPool(self):
+        self.go("SynapseLogMonitoringEnabledForSQLPool")
 
     def test_SynapseSQLPoolHasSecurityAlertPolicy(self):
         self.go("SynapseSQLPoolHasSecurityAlertPolicy")
 
-    # def test_SynapseSQLPoolHasVulnerabilityAssessment(self):
-    #     self.go("SynapseSQLPoolHasVulnerabilityAssessment")
-    #
-    # def test_SynapseWorkspaceHasExtendedAuditLogs(self):
-    #     self.go("SynapseWorkspaceHasExtendedAuditLogs")
+    def test_SynapseSQLPoolHasVulnerabilityAssessment(self):
+        self.go("SynapseSQLPoolHasVulnerabilityAssessment")
+
+    def test_SynapseWorkspaceHasExtendedAuditLogs(self):
+        self.go("SynapseWorkspaceHasExtendedAuditLogs")
 
     def test_registry_load(self):
         registry = self.get_checks_registry()

From 208d7c428e37005316626b29a689a7cf69322f8f Mon Sep 17 00:00:00 2001
From: lirshindalman
Date: Thu, 28 Nov 2024 17:31:58 +0200
Subject: [PATCH 2/2] .

---
 .../GCPNetworkDoesNotUseDefaultFirewall.yaml | 282 +----------------
 1 file changed, 13 insertions(+), 269 deletions(-)
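Review bot: Re-enabling the six commented-out ARM tests (test_AzureSpringCloudConfigWithVnet through test_SynapseWorkspaceHasExtendedAuditLogs) is unrelated to the GCP check edited in the same commit, and the subject line `.` does not say why they were disabled or what now makes them pass. If they were commented out because their expected-result fixtures or the policies they exercise were incomplete, this hunk surfaces those failures in CI rather than fixing anything; a separate commit whose message names the fix would make that verifiable. Each test is a one-line `self.go(...)` wrapper, so no docstring is needed here, but note the enclosing test class starts above the hunk.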
diff --git a/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml b/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
index 318dfc801c2..033b7c63583 100644
--- a/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
+++ b/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml
@@ -1,273 +1,17 @@ metadata: id: "CKV2_GCP_18" - name: "Mayo Build - SP149 - User accounts are forbidden from directly binding to resources; the user must be a member of a group and bound through the group" - severity: "medium" - guidelines: "Do not bind with user: type members. Add users to group and member(s) with group: account type. https://docs.mcc.mayo.edu/docs/mcc/infrastructure-as-code/sentinel#sp149-block-end-user-principle-iam-binding" - category: "iam" -scope: - provider: gcp + name: "Ensure GCP network defines a firewall and does not use the default firewall" + category: "NETWORKING" definition: - or: - - cond_type: "attribute" + and: + - cond_type: filter + value: + - google_compute_network + operator: within + attribute: resource_type + - cond_type: connection + operator: exists resource_types: - - google_access_context_manager_access_policy_iam_policy - - google_apigee_environment_iam_policy - - google_artifact_registry_repository_iam_policy - - google_bigquery_analytics_hub_data_exchange_iam_policy - - google_bigquery_analytics_hub_listing_iam_policy - - google_bigquery_connection_iam_policy - - google_bigquery_datapolicy_data_policy_iam_policy - - google_bigquery_dataset_iam_policy - - google_bigquery_table_iam_policy - - google_bigtable_instance_iam_policy - - google_bigtable_table_iam_policy - - google_billing_account_iam_policy - - google_binary_authorization_attestor_iam_policy - - google_cloud_run_service_iam_policy - - google_cloud_run_v2_job_iam_policy - - google_cloud_run_v2_service_iam_policy - - google_cloud_tasks_queue_iam_policy - - google_cloudbuildv2_connection_iam_policy - - google_cloudfunctions_function_iam_policy - - google_cloudfunctions2_function_iam_policy - - google_compute_disk_iam_policy - - google_compute_image_iam_policy - - google_compute_instance_iam_policy - - google_compute_region_disk_iam_policy - - google_compute_snapshot_iam_policy - - google_compute_subnetwork_iam_policy - - 
google_container_analysis_note_iam_policy - - google_data_catalog_entry_group_iam_policy - - google_data_catalog_policy_tag_iam_policy - - google_data_catalog_tag_template_iam_policy - - google_data_catalog_taxonomy_iam_policy - - google_data_fusion_instance_iam_policy - - google_dataplex_asset_iam_policy - - google_dataplex_datascan_iam_policy - - google_dataplex_lake_iam_policy - - google_dataplex_task_iam_policy - - google_dataplex_zone_iam_policy - - google_dataproc_autoscaling_policy_iam_policy - - google_dataproc_cluster_iam_policy - - google_dataproc_job_iam_policy - - google_dataproc_metastore_service_iam_policy - - google_dns_managed_zone_iam_policy - - google_endpoints_service_consumers_iam_policy - - google_endpoints_service_iam_policy - - google_folder_iam_policy - - google_gke_backup_backup_plan_iam_policy - - google_gke_backup_restore_plan_iam_policy - - google_gke_hub_feature_iam_policy - - google_gke_hub_membership_iam_policy - - google_gke_hub_scope_iam_policy - - google_healthcare_consent_store_iam_policy - - google_healthcare_dataset_iam_policy - - google_healthcare_dicom_store_iam_policy - - google_healthcare_fhir_store_iam_policy - - google_healthcare_hl7_v2_store_iam_policy - - google_iap_app_engine_service_iam_policy - - google_iap_app_engine_version_iam_policy - - google_iap_tunnel_iam_policy - - google_iap_tunnel_instance_iam_policy - - google_iap_web_backend_service_iam_policy - - google_iap_web_iam_policy - - google_iap_web_region_backend_service_iam_policy - - google_iap_web_type_app_engine_iam_policy - - google_iap_web_type_compute_iam_policy - - google_kms_crypto_key_iam_policy - - google_kms_key_ring_iam_policy - - google_notebooks_instance_iam_policy - - google_notebooks_runtime_iam_policy - - google_organization_iam_policy - - google_privateca_ca_pool_iam_policy - - google_privateca_certificate_template_iam_policy - - google_project_iam_policy - - google_pubsub_subscription_iam_policy - - google_pubsub_topic_iam_policy - - 
google_scc_source_iam_policy - - google_secret_manager_secret_iam_policy - - google_service_account_iam_policy - - google_sourcerepo_repository_iam_policy - - google_spanner_database_iam_policy - - google_spanner_instance_iam_policy - - google_storage_bucket_iam_policy - - google_tags_tag_key_iam_policy - - google_tags_tag_value_iam_policy - attribute: "policy_data" - operator: "not_regex_match" - value: ".*user:.*" - - cond_type: "attribute" - resource_types: - - google_access_context_manager_access_policy_iam_member - - google_apigee_environment_iam_member - - google_artifact_registry_repository_iam_member - - google_bigquery_analytics_hub_data_exchange_iam_member - - google_bigquery_analytics_hub_listing_iam_member - - google_bigquery_connection_iam_member - - google_bigquery_datapolicy_data_policy_iam_member - - google_bigquery_dataset_iam_member - - google_bigquery_table_iam_member - - google_bigtable_instance_iam_member - - google_bigtable_table_iam_member - - google_billing_account_iam_member - - google_binary_authorization_attestor_iam_member - - google_cloud_run_service_iam_member - - google_cloud_run_v2_job_iam_member - - google_cloud_run_v2_service_iam_member - - google_cloud_tasks_queue_iam_member - - google_cloudbuildv2_connection_iam_member - - google_cloudfunctions_function_iam_member - - google_cloudfunctions2_function_iam_member - - google_compute_disk_iam_member - - google_compute_image_iam_member - - google_compute_instance_iam_member - - google_compute_region_disk_iam_member - - google_compute_snapshot_iam_member - - google_compute_subnetwork_iam_member - - google_container_analysis_note_iam_member - - google_data_catalog_entry_group_iam_member - - google_data_catalog_policy_tag_iam_member - - google_data_catalog_tag_template_iam_member - - google_data_catalog_taxonomy_iam_member - - google_data_fusion_instance_iam_member - - google_dataplex_asset_iam_member - - google_dataplex_datascan_iam_member - - google_dataplex_lake_iam_member - - 
google_dataplex_task_iam_member - - google_dataplex_zone_iam_member - - google_dataproc_autoscaling_policy_iam_member - - google_dataproc_cluster_iam_member - - google_dataproc_job_iam_member - - google_dataproc_metastore_service_iam_member - - google_dns_managed_zone_iam_member - - google_endpoints_service_consumers_iam_member - - google_endpoints_service_iam_member - - google_folder_iam_member - - google_gke_backup_backup_plan_iam_member - - google_gke_backup_restore_plan_iam_member - - google_gke_hub_feature_iam_member - - google_gke_hub_membership_iam_member - - google_gke_hub_scope_iam_member - - google_healthcare_consent_store_iam_member - - google_healthcare_dataset_iam_member - - google_healthcare_dicom_store_iam_member - - google_healthcare_fhir_store_iam_member - - google_healthcare_hl7_v2_store_iam_member - - google_iap_app_engine_service_iam_member - - google_iap_app_engine_version_iam_member - - google_iap_tunnel_iam_member - - google_iap_tunnel_instance_iam_member - - google_iap_web_backend_service_iam_member - - google_iap_web_iam_member - - google_iap_web_region_backend_service_iam_member - - google_iap_web_type_app_engine_iam_member - - google_iap_web_type_compute_iam_member - - google_kms_crypto_key_iam_member - - google_kms_key_ring_iam_member - - google_notebooks_instance_iam_member - - google_notebooks_runtime_iam_member - - google_organization_iam_member - - google_privateca_ca_pool_iam_member - - google_privateca_certificate_template_iam_member - - google_project_iam_member - - google_pubsub_subscription_iam_member - - google_pubsub_topic_iam_member - - google_scc_source_iam_member - - google_secret_manager_secret_iam_member - - google_service_account_iam_member - - google_sourcerepo_repository_iam_member - - google_spanner_database_iam_member - - google_spanner_instance_iam_member - - google_storage_bucket_iam_member - - google_tags_tag_key_iam_member - - google_tags_tag_value_iam_member - attribute: "member" - operator: "not_starting_with" 
- value: "user:" - - cond_type: "attribute" - resource_types: - - google_access_context_manager_access_policy_iam_binding - - google_apigee_environment_iam_binding - - google_artifact_registry_repository_iam_binding - - google_bigquery_analytics_hub_data_exchange_iam_binding - - google_bigquery_analytics_hub_listing_iam_binding - - google_bigquery_connection_iam_binding - - google_bigquery_datapolicy_data_policy_iam_binding - - google_bigquery_dataset_iam_binding - - google_bigquery_table_iam_binding - - google_bigtable_instance_iam_binding - - google_bigtable_table_iam_binding - - google_billing_account_iam_binding - - google_binary_authorization_attestor_iam_binding - - google_cloud_run_service_iam_binding - - google_cloud_run_v2_job_iam_binding - - google_cloud_run_v2_service_iam_binding - - google_cloud_tasks_queue_iam_binding - - google_cloudbuildv2_connection_iam_binding - - google_cloudfunctions_function_iam_binding - - google_cloudfunctions2_function_iam_binding - - google_compute_disk_iam_binding - - google_compute_image_iam_binding - - google_compute_instance_iam_binding - - google_compute_region_disk_iam_binding - - google_compute_snapshot_iam_binding - - google_compute_subnetwork_iam_binding - - google_container_analysis_note_iam_binding - - google_data_catalog_entry_group_iam_binding - - google_data_catalog_policy_tag_iam_binding - - google_data_catalog_tag_template_iam_binding - - google_data_catalog_taxonomy_iam_binding - - google_data_fusion_instance_iam_binding - - google_dataplex_asset_iam_binding - - google_dataplex_datascan_iam_binding - - google_dataplex_lake_iam_binding - - google_dataplex_task_iam_binding - - google_dataplex_zone_iam_binding - - google_dataproc_autoscaling_policy_iam_binding - - google_dataproc_cluster_iam_binding - - google_dataproc_job_iam_binding - - google_dataproc_metastore_service_iam_binding - - google_dns_managed_zone_iam_binding - - google_endpoints_service_consumers_iam_binding - - 
google_endpoints_service_iam_binding - - google_folder_iam_binding - - google_gke_backup_backup_plan_iam_binding - - google_gke_backup_restore_plan_iam_binding - - google_gke_hub_feature_iam_binding - - google_gke_hub_membership_iam_binding - - google_gke_hub_scope_iam_binding - - google_healthcare_consent_store_iam_binding - - google_healthcare_dataset_iam_binding - - google_healthcare_dicom_store_iam_binding - - google_healthcare_fhir_store_iam_binding - - google_healthcare_hl7_v2_store_iam_binding - - google_iap_app_engine_service_iam_binding - - google_iap_app_engine_version_iam_binding - - google_iap_tunnel_iam_binding - - google_iap_tunnel_instance_iam_binding - - google_iap_web_backend_service_iam_binding - - google_iap_web_iam_binding - - google_iap_web_region_backend_service_iam_binding - - google_iap_web_type_app_engine_iam_binding - - google_iap_web_type_compute_iam_binding - - google_kms_crypto_key_iam_binding - - google_kms_key_ring_iam_binding - - google_notebooks_instance_iam_binding - - google_notebooks_runtime_iam_binding - - google_organization_iam_binding - - google_privateca_ca_pool_iam_binding - - google_privateca_certificate_template_iam_binding - - google_project_iam_binding - - google_pubsub_subscription_iam_binding - - google_pubsub_topic_iam_binding - - google_scc_source_iam_binding - - google_secret_manager_secret_iam_binding - - google_service_account_iam_binding - - google_sourcerepo_repository_iam_binding - - google_spanner_database_iam_binding - - google_spanner_instance_iam_binding - - google_storage_bucket_iam_binding - - google_tags_tag_key_iam_binding - - google_tags_tag_value_iam_binding - attribute: "members[?(@ =~ '(?i)^user:')]" - operator: "jsonpath_not_exists" \ No newline at end of file + - google_compute_network + connected_resource_types: + - google_compute_firewall \ No newline at end of file