Ensure GCP cloud build workers are private

Error: GCP cloud build workers are not private

Bridgecrew Policy ID: BC_GCP_GENERAL_36
Checkov Check ID: CKV_GCP_86
Severity: LOW

GCP cloud build workers are not private

Description

Google Cloud Build is a fully managed continuous integration and delivery platform that allows developers to build, test, and deploy applications on Google Cloud Platform. When you create a build using Cloud Build, the service automatically provisions a build worker to execute the build.

Build workers are virtual machines that are used to run the build steps defined in your build configuration. They are responsible for executing the commands specified in your build configuration, such as building a Docker image, running tests, or deploying an application.

Build workers can be either public or private. Public build workers have internet access and can access external resources or services, while private build workers do not have internet access and are isolated from external networks. You can choose which type of worker to use based on your build requirements and the level of security and isolation you need.

We recommend you remove the public IPs for your Data Fusion instance. By isolating your build workers from the internet, you can reduce the risk of external threats such as hackers or malware infiltrating your build environment.

Fix - Runtime

Fix - Buildtime

Terraform

resource "google_cloudbuild_worker_pool" "pass" {
  name = "my-pool"
  location = "europe-west1"
  worker_config {
    disk_size_gb = 100
    machine_type = "e2-standard-4"
    no_external_ip = true
  }
}