
     1  
     2  Use customer-managed encryption keys (CMEK) for the boot disk
     3  
     4  ```hcl
     5   resource "google_service_account" "default" { # dedicated service account attached to the instance below
     6     account_id   = "service_account_id"
     7     display_name = "Service Account"
     8   }
     9   
    10   resource "google_compute_instance" "good_example" { # compliant example: boot disk is encrypted with a customer-managed KMS key
    11     name         = "test"
    12     machine_type = "e2-medium"
    13     zone         = "us-central1-a"
    14   
    15     tags = ["foo", "bar"]
    16   
    17     boot_disk {
    18       initialize_params {
    19         image = "debian-cloud/debian-9" # example image only
    20       }
    21       kms_key_self_link = "something" # placeholder: set to the self_link of a Cloud KMS key; the Compute Engine service agent must be granted use of that key (confirm in the KMS docs), otherwise disk creation fails
    22     }
    23   
    24     // Local SSD disk
    25     scratch_disk {
    26       interface = "SCSI"
    27     }
    28   
    29     network_interface {
    30       network = "default"
    31   
    32       access_config { # an empty access_config assigns an ephemeral external IP; omit the block if no public address is needed
    33         // Ephemeral IP
    34       }
    35     }
    36   
    37     metadata = {
    38       foo = "bar"
    39     }
    40   
    41     metadata_startup_script = "echo hi > /test.txt" # example only; metadata is readable from inside the instance, so keep secrets out of it
    42   
    43     service_account {
    44       # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    45       email  = google_service_account.default.email
    46       scopes = ["cloud-platform"]
    47     }
    48   }
    49   
    49   
    50  ```
    51  
    52  #### Remediation Links
    53   - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#kms_key_self_link