Unencrypted compute disk.
Explanation
By default, Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.
If a disk_encryption_key block is included in the resource declaration, it must set either raw_key or kms_key_self_link; an empty block is flagged by this check.
To use the default offering of Google-managed keys, omit the disk_encryption_key block entirely.
Insecure Example
The following example will fail the GCP001 check.
resource "google_compute_disk" "my-disk" {
  # ...
  disk_encryption_key {}
  # ...
}
Secure Example
The following example will pass the GCP001 check.
resource "google_compute_disk" "my-disk" {
  disk_encryption_key {
    kms_key_self_link = "something"
  }
}

resource "google_compute_disk" "another-my-disk" {
  disk_encryption_key {
    raw_key = "something"
  }
}
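As an added illustration, not part of this page or of tfsec's own implementation, the following Python scanner applies the GCP001 rule to constructed HCL snippets: a google_compute_disk whose disk_encryption_key block names neither raw_key nor kms_key_self_link fails, while a disk with no block at all (Google-managed keys) or a block with one of the two keys passes. It is a brace-matching scanner for this one pattern, not a general HCL parser.

```python
import re

# Hypothetical minimal scanner for the single pattern GCP001 cares about.
# Not tfsec's implementation and not a full HCL parser.
RESOURCE_RE = re.compile(r'resource\s+"google_compute_disk"\s+"([^"]+)"\s*\{')
BLOCK_RE = re.compile(r"\bdisk_encryption_key\s*\{")
# A key must start a line (so a commented-out "# raw_key = ..." does not count).
KEY_RE = re.compile(r"^\s*(raw_key|kms_key_self_link)\s*=", re.M)


def _block_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def check_gcp001(hcl):
    """Return the names of google_compute_disk resources that fail GCP001."""
    failing = []
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)
        block = BLOCK_RE.search(body)
        if block is None:
            continue  # no block: Google-managed encryption, passes
        inner = _block_body(body, block.end() - 1)
        if KEY_RE.search(inner) is None:
            failing.append(m.group(1))  # block present but empty
    return failing


# Constructed sample: one failing disk, one CMEK disk, one Google-managed disk.
SAMPLE = '''
resource "google_compute_disk" "empty-block" {
  disk_encryption_key {}
}

resource "google_compute_disk" "cmek" {
  disk_encryption_key {
    kms_key_self_link = google_kms_crypto_key.disk.id
  }
}

resource "google_compute_disk" "google-managed" {
  name = "gm"
  zone = "us-central1-a"
}
'''

if __name__ == "__main__":
    print(check_gcp001(SAMPLE))  # ['empty-block']
```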