
Unencrypted compute disk.

Explanation

By default, Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.

If a disk_encryption_key block is included in the resource declaration, it must set either raw_key or kms_key_self_link; an empty block is what this check flags.

To use the default offering of Google-managed keys, do not include a disk_encryption_key block at all.

Insecure Example

The following example will fail the GCP001 check.

resource "google_compute_disk" "my-disk" {
	# ...
	disk_encryption_key {}
	# ...
}

Secure Example

The following example will pass the GCP001 check.

resource "google_compute_disk" "my-disk" {
	disk_encryption_key {
		kms_key_self_link = "something"
	}
}

resource "google_compute_disk" "another-my-disk" {
	disk_encryption_key {
		raw_key = "something"
	}
}
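The secure examples above use the placeholder "something" as the key. The following is an added example, not part of the tfsec documentation, showing what a real customer-managed key (CMEK) configuration looks like end to end: a KMS key ring and key, the IAM binding that lets the Compute Engine service agent use the key, and a disk whose kms_key_self_link references the key's resource path. The project id, region, zone, and key names are assumptions for illustration. The raw_key form that the check also accepts puts the key material in the configuration and in Terraform state in plaintext, so the KMS form is the one to prefer.

```hcl
# Added example (not from the tfsec docs): a google_compute_disk encrypted with a
# customer-managed key (CMEK). Assumed values: project "my-project",
# region "us-central1", zone "us-central1-a", key ring "disk-keys",
# key "boot-disk-key". Adjust these to your environment.

provider "google" {
  project = "my-project"   # assumed project id
  region  = "us-central1"
}

# The project number is needed to address the Compute Engine service agent below.
data "google_project" "current" {}

resource "google_kms_key_ring" "disks" {
  name     = "disk-keys"
  location = "us-central1"   # key ring location must cover the disk's region
}

resource "google_kms_crypto_key" "boot_disk" {
  name            = "boot-disk-key"
  key_ring        = google_kms_key_ring.disks.id
  rotation_period = "7776000s"   # 90 days; earlier key versions remain usable for decryption

  lifecycle {
    prevent_destroy = true   # destroying the key makes every disk using it unreadable
  }
}

# Compute Engine encrypts the disk with the key on your behalf, so its service
# agent (service-<PROJECT_NUMBER>@compute-system.iam.gserviceaccount.com) must be
# allowed to use the key. Without this binding, disk creation fails with a
# permission error.
resource "google_kms_crypto_key_iam_member" "compute_uses_key" {
  crypto_key_id = google_kms_crypto_key.boot_disk.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.current.number}@compute-system.iam.gserviceaccount.com"
}

resource "google_compute_disk" "my-disk" {
  name = "my-disk"
  zone = "us-central1-a"
  type = "pd-ssd"
  size = 50

  # Passes GCP001: the block is present and names a key. The key's full resource
  # path (projects/.../locations/.../keyRings/.../cryptoKeys/...) is what
  # kms_key_self_link expects, and the crypto key's id attribute is that path.
  disk_encryption_key {
    kms_key_self_link = google_kms_crypto_key.boot_disk.id
  }

  # Make sure the service agent can use the key before the disk is created.
  depends_on = [google_kms_crypto_key_iam_member.compute_uses_key]
}
```

Because kms_key_self_link is an expression rather than a string literal here, tfsec still treats the block as populated and the check passes; the static check only verifies that one of the two attributes is set, not that the referenced key exists or that the IAM binding is in place, which is why the binding is included explicitly.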