in cartography/intel/gcp/compute.py [0:0]
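def transform_gcp_firewall(fw_response):
    """
    Adjust the firewall response objects into a format that is easy to write to Neo4j.
    Also see _transform_fw_entry and _parse_port_string_to_rule().

    Each firewall dict in ``fw_response['items']`` is modified IN PLACE and then
    collected into the returned list; callers holding a reference to the original
    response will observe the added keys (``id``, ``vpc_partial_uri``,
    ``transformed_allow_list``, ``transformed_deny_list``,
    ``has_target_service_accounts``).

    :param fw_response: Firewall response object from the GCP API. Must contain an
        ``id`` (used as the prefix for each rule's partial URI) and may contain an
        ``items`` list of firewall dicts, each with at least ``name`` and ``network``.
    :return: List of transformed firewall rule objects (the same dicts, mutated).
    :raises KeyError: if ``fw_response`` lacks ``id`` or an item lacks ``name``/``network``.
    """
    prefix = fw_response['id']
    fw_list = []
    for fw in fw_response.get('items', []):
        # Build the partial URI once; it is both the node id and the parent
        # reference handed to every transformed allow/deny entry.
        fw_partial_uri = f"{prefix}/{fw['name']}"
        fw['id'] = fw_partial_uri
        fw['vpc_partial_uri'] = _parse_compute_full_uri_to_partial_uri(fw['network'])
        # Mark whether this FW is defined on a target service account.
        # In future we will need to ingest GCP IAM objects but for now we simply mark the presence of svc accounts here.
        # NOTE: this records key presence only — the account identities themselves are not
        # carried into the graph, so downstream queries cannot tell *which* accounts are targeted.
        fw['has_target_service_accounts'] = 'targetServiceAccounts' in fw
        fw['transformed_allow_list'] = _flatten_fw_entries(fw.get('allowed', []), fw_partial_uri, is_allow_rule=True)
        fw['transformed_deny_list'] = _flatten_fw_entries(fw.get('denied', []), fw_partial_uri, is_allow_rule=False)
        fw_list.append(fw)
    return fw_list


def _flatten_fw_entries(entries, fw_partial_uri, is_allow_rule):
    """
    Expand every raw ``allowed``/``denied`` entry of one firewall into the flat list of
    per-port rule objects produced by _transform_fw_entry.

    :param entries: The raw ``allowed`` or ``denied`` list from the GCP firewall dict.
    :param fw_partial_uri: Partial URI of the owning firewall, passed through to each rule.
    :param is_allow_rule: True for ``allowed`` entries, False for ``denied`` entries.
    :return: A new list holding the transformed rules for all entries, in input order.
    """
    transformed = []
    for entry in entries:
        transformed.extend(_transform_fw_entry(entry, fw_partial_uri, is_allow_rule=is_allow_rule))
    return transformed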