
     1  package compute
     2  
// Terraform fixtures for the Google Compute "VM disk encryption with a
// customer key" check. They are presumably wired into the rule definition
// elsewhere in this package (not visible in this file) as its documented
// good/bad examples, reference links and remediation text.
var (
	// terraformVmDiskEncryptionCustomerKeyGoodExamples holds the compliant
	// configuration: the instance's boot_disk block sets kms_key_self_link,
	// the attribute that selects a customer-managed KMS key for the disk.
	terraformVmDiskEncryptionCustomerKeyGoodExamples = []string{
		`
 resource "google_service_account" "default" {
   account_id   = "service_account_id"
   display_name = "Service Account"
 }
 
 resource "google_compute_instance" "good_example" {
   name         = "test"
   machine_type = "e2-medium"
   zone         = "us-central1-a"
 
   tags = ["foo", "bar"]
 
   boot_disk {
     initialize_params {
       image = "debian-cloud/debian-9"
     }
     kms_key_self_link = "something"
   }
 
   // Local SSD disk
   scratch_disk {
     interface = "SCSI"
   }
 
   network_interface {
     network = "default"
 
     access_config {
       // Ephemeral IP
     }
   }
 
   metadata = {
     foo = "bar"
   }
 
   metadata_startup_script = "echo hi > /test.txt"
 
   service_account {
     # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
     email  = google_service_account.default.email
     scopes = ["cloud-platform"]
   }
 }
 `,
	}

	// terraformVmDiskEncryptionCustomerKeyBadExamples is the same instance
	// definition except for its boot_disk block, which carries only
	// initialize_params and no kms_key_self_link, so the boot disk is left
	// without a customer-managed key.
	terraformVmDiskEncryptionCustomerKeyBadExamples = []string{
		`
 resource "google_service_account" "default" {
   account_id   = "service_account_id"
   display_name = "Service Account"
 }
 
 resource "google_compute_instance" "bad_example" {
   name         = "test"
   machine_type = "e2-medium"
   zone         = "us-central1-a"
 
   tags = ["foo", "bar"]
 
   boot_disk {
     initialize_params {
       image = "debian-cloud/debian-9"
     }
   }
 
   // Local SSD disk
   scratch_disk {
     interface = "SCSI"
   }
 
   network_interface {
     network = "default"
 
     access_config {
       // Ephemeral IP
     }
   }
 
   metadata = {
     foo = "bar"
   }
 
   metadata_startup_script = "echo hi > /test.txt"
 
   service_account {
     # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
     email  = google_service_account.default.email
     scopes = ["cloud-platform"]
   }
 }
 `,
	}

	// terraformVmDiskEncryptionCustomerKeyLinks points at the provider
	// documentation for the kms_key_self_link attribute the check concerns.
	terraformVmDiskEncryptionCustomerKeyLinks = []string{
		`https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#kms_key_self_link`,
	}

	// terraformVmDiskEncryptionCustomerKeyRemediationMarkdown is empty: no
	// Terraform-specific remediation text is provided here beyond the
	// documentation link above.
	terraformVmDiskEncryptionCustomerKeyRemediationMarkdown = ``
)