github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/compute/no_default_service_account.tf.go (about) 1 package compute 2 3 var terraformNoDefaultServiceAccountGoodExamples = []string{ 4 ` 5 resource "google_service_account" "default" { 6 account_id = "service_account_id" 7 display_name = "Service Account" 8 } 9 10 resource "google_compute_instance" "default" { 11 name = "test" 12 machine_type = "e2-medium" 13 zone = "us-central1-a" 14 15 tags = ["foo", "bar"] 16 17 boot_disk { 18 initialize_params { 19 image = "debian-cloud/debian-9" 20 } 21 } 22 23 // Local SSD disk 24 scratch_disk { 25 interface = "SCSI" 26 } 27 28 network_interface { 29 network = "default" 30 31 access_config { 32 // Ephemeral IP 33 } 34 } 35 36 metadata = { 37 foo = "bar" 38 } 39 40 metadata_startup_script = "echo hi > /test.txt" 41 42 service_account { 43 # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. 44 email = google_service_account.default.email 45 scopes = ["cloud-platform"] 46 } 47 } 48 `, 49 } 50 51 var terraformNoDefaultServiceAccountBadExamples = []string{ 52 ` 53 resource "google_compute_instance" "default" { 54 name = "test" 55 machine_type = "e2-medium" 56 zone = "us-central1-a" 57 58 tags = ["foo", "bar"] 59 60 boot_disk { 61 initialize_params { 62 image = "debian-cloud/debian-9" 63 } 64 } 65 66 // Local SSD disk 67 scratch_disk { 68 interface = "SCSI" 69 } 70 71 service_account { 72 # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. 73 email = "1234567890-compute@developer.gserviceaccount.com" 74 scopes = ["cloud-platform"] 75 } 76 } 77 `, 78 } 79 80 var terraformNoDefaultServiceAccountLinks = []string{ 81 `https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#`, 82 } 83 84 var terraformNoDefaultServiceAccountRemediationMarkdown = ``