github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/compute/vm_disk_encryption_customer_key.go (about) 1 package compute 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckVmDiskEncryptionCustomerKey = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-GCP-0033", 14 Provider: providers.GoogleProvider, 15 Service: "compute", 16 ShortCode: "vm-disk-encryption-customer-key", 17 Summary: "VM disks should be encrypted with Customer Supplied Encryption Keys", 18 Impact: "Using unmanaged keys does not allow for proper management", 19 Resolution: "Use managed keys ", 20 Explanation: `Using unmanaged keys makes rotation and general management difficult.`, 21 Links: []string{}, 22 Terraform: &scan.EngineMetadata{ 23 GoodExamples: terraformVmDiskEncryptionCustomerKeyGoodExamples, 24 BadExamples: terraformVmDiskEncryptionCustomerKeyBadExamples, 25 Links: terraformVmDiskEncryptionCustomerKeyLinks, 26 RemediationMarkdown: terraformVmDiskEncryptionCustomerKeyRemediationMarkdown, 27 }, 28 Severity: severity.Low, 29 }, 30 func(s *state.State) (results scan.Results) { 31 for _, instance := range s.Google.Compute.Instances { 32 for _, disk := range append(instance.BootDisks, instance.AttachedDisks...) { 33 if disk.Encryption.KMSKeyLink.IsEmpty() { 34 results.Add( 35 "Instance disk encryption does not use a customer managed key.", 36 disk.Encryption.KMSKeyLink, 37 ) 38 } else { 39 results.AddPassed(&disk) 40 } 41 } 42 } 43 return 44 }, 45 )