GCP Dataflow jobs are not private
Description
Cloud Dataflow in GCP is a service used for streaming and batch data processing. A Dataflow job consists of at least one management node and one compute node (both are GCE VMs). By default, these nodes are configured with public IPs that allow them to communicate with the public internet, but this also means they increase your potential attack surface by being publicly accessible. We recommend you remove the public IPs for your Dataflow jobs. View the [official Google documentation](https://cloud.google.com/dataflow/docs/guides/routes-firewall#internet_access_for) for the currently supported internet access configuration options.
Code Example
```bash
# To cancel a Dataflow job
gcloud dataflow jobs cancel JOB_ID
```
Remediation
GCP Console
Making Dataflow jobs private via the console is not currently supported.
CLI Command
Making *running* Dataflow jobs private via the `gcloud` CLI is not currently supported. Instead, you need to *drain* or *cancel* your job and then re-create it with the correct flag configured.
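As an added example (not code from the original page or from the Checkov project), the Terraform resource this rule evaluates is shown twice: once with the default public worker IPs, which fails the check, and once with private workers on a subnetwork that has Private Google Access, which passes. Project, bucket, VPC and subnet names are placeholders.

```hcl
# Added example, not from the page: google_dataflow_job as CKV_GCP_94 sees it.
# Bucket, VPC and subnet names below are placeholders.

# FAILS the check: ip_configuration is unset, so it defaults to
# WORKER_IP_PUBLIC and every worker VM gets an internet-reachable external IP.
resource "google_dataflow_job" "public_workers" {
  name              = "wordcount-public"
  template_gcs_path = "gs://dataflow-templates/latest/Word_Count"
  temp_gcs_location = "gs://example-bucket/tmp"          # placeholder bucket
  parameters = {
    inputFile = "gs://dataflow-samples/shakespeare/kinglear.txt"
    output    = "gs://example-bucket/output"              # placeholder bucket
  }
}

# Private workers still need a path to Google APIs (staging bucket, Dataflow
# service). Private Google Access on the subnet provides that without giving
# the VMs external IPs; a Cloud NAT is the alternative if workers must reach
# other internet endpoints.
resource "google_compute_subnetwork" "dataflow" {
  name                     = "dataflow-workers"
  ip_cidr_range            = "10.10.0.0/24"
  region                   = "us-central1"
  network                  = "example-vpc"                # placeholder VPC
  private_ip_google_access = true
}

# PASSES the check: workers get internal IPs only.
# A running job cannot be switched; Terraform replaces it, and on_delete
# decides whether the old job is drained (finish in-flight data) or cancelled.
resource "google_dataflow_job" "private_workers" {
  name              = "wordcount-private"
  template_gcs_path = "gs://dataflow-templates/latest/Word_Count"
  temp_gcs_location = "gs://example-bucket/tmp"          # placeholder bucket
  region            = google_compute_subnetwork.dataflow.region
  subnetwork        = "regions/${google_compute_subnetwork.dataflow.region}/subnetworks/${google_compute_subnetwork.dataflow.name}"
  ip_configuration  = "WORKER_IP_PRIVATE"
  on_delete         = "drain"
  parameters = {
    inputFile = "gs://dataflow-samples/shakespeare/kinglear.txt"
    output    = "gs://example-bucket/output"              # placeholder bucket
  }
}
```

For jobs launched with the CLI instead of Terraform, the equivalent setting is the `--disable-public-ips` flag on `gcloud dataflow jobs run` and `gcloud dataflow flex-template run`, passed when the job is re-created after the drain or cancel described above.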
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0952 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GCP_94 |