github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/compute/no_project_wide_ssh_keys.tf.go (about)

     1  package compute
     2  
     // terraformNoProjectWideSshKeysGoodExamples holds Terraform snippets that are
     // expected to pass the "no project-wide SSH keys" check. The single example
     // sets `block-project-ssh-keys = true` in the instance metadata, so the
     // instance does not accept SSH keys defined at the project level and a key
     // added (or leaked) project-wide cannot be used to log in to this VM.
     //
     // NOTE(review): the snippet is "good" for this rule only. It still attaches
     // the default network with an access_config block (ephemeral external IP) and
     // boots the dated debian-9 image; do not copy it as a hardened baseline.
     3  var terraformNoProjectWideSshKeysGoodExamples = []string{
     4  	`
     5   resource "google_service_account" "default" {
     6     account_id   = "service_account_id"
     7     display_name = "Service Account"
     8   }
     9   
    10   resource "google_compute_instance" "default" {
    11     name         = "test"
    12     machine_type = "e2-medium"
    13     zone         = "us-central1-a"
    14   
    15     tags = ["foo", "bar"]
    16   
    17     boot_disk {
    18       initialize_params {
    19         image = "debian-cloud/debian-9"
    20       }
    21     }
    22   
    23     // Local SSD disk
    24     scratch_disk {
    25       interface = "SCSI"
    26     }
    27   
    28     network_interface {
    29       network = "default"
    30   
    31       access_config {
    32         // Ephemeral IP
    33       }
    34     }
    35   
    36     metadata = {
    37       block-project-ssh-keys = true
    38     }
    39   
    40     metadata_startup_script = "echo hi > /test.txt"
    41   
    42     service_account {
    43       # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    44       email  = google_service_account.default.email
    45       scopes = ["cloud-platform"]
    46     }
    47   }
    48   `,
    49  }
    50  
    // terraformNoProjectWideSshKeysBadExamples holds Terraform snippets that are
    // expected to fail the "no project-wide SSH keys" check. The example matches
    // the good one except that the instance metadata sets
    // `block-project-ssh-keys = false`, which leaves the VM accepting every SSH
    // key configured at the project level; one compromised project key then
    // reaches every instance that has not opted out.
    //
    // NOTE(review): only the explicit `false` case is shown. An instance that
    // omits the key entirely is not represented here; confirm against the rule
    // implementation how a missing key is treated.
    51  var terraformNoProjectWideSshKeysBadExamples = []string{
    52  	`
    53   resource "google_service_account" "default" {
    54     account_id   = "service_account_id"
    55     display_name = "Service Account"
    56   }
    57   
    58   resource "google_compute_instance" "default" {
    59     name         = "test"
    60     machine_type = "e2-medium"
    61     zone         = "us-central1-a"
    62   
    63     tags = ["foo", "bar"]
    64   
    65     boot_disk {
    66       initialize_params {
    67         image = "debian-cloud/debian-9"
    68       }
    69     }
    70   
    71     // Local SSD disk
    72     scratch_disk {
    73       interface = "SCSI"
    74     }
    75   
    76     network_interface {
    77       network = "default"
    78   
    79       access_config {
    80         // Ephemeral IP
    81       }
    82     }
    83   
    84     metadata = {
    85       block-project-ssh-keys = false
    86     }
    87   
    88     metadata_startup_script = "echo hi > /test.txt"
    89   
    90     service_account {
    91       # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    92       email  = google_service_account.default.email
    93       scopes = ["cloud-platform"]
    94     }
    95   }
    96   `,
    97  }
    98  
    // terraformNoProjectWideSshKeysLinks lists reference URLs for this check: the
    // Terraform registry page for the google_compute_instance resource.
    //
    // NOTE(review): the URL ends in a bare `#` with no fragment, so it lands on
    // the top of the page rather than on the metadata argument the check is
    // about. Looks like a truncated anchor; confirm the intended fragment.
    99  var terraformNoProjectWideSshKeysLinks = []string{
   100  	`https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#`,
   101  }
   102  
   // terraformNoProjectWideSshKeysRemediationMarkdown is the Terraform-specific
   // remediation text for this check. It is an empty string here, so no fix
   // guidance is supplied from this file.
   //
   // NOTE(review): the good example above shows the fix (set
   // `block-project-ssh-keys = true` in the instance metadata); consider stating
   // that here so a finding carries its own remediation.
   103  var terraformNoProjectWideSshKeysRemediationMarkdown = ``