Disks should be encrypted with Customer Supplied Encryption Keys

Explanation

Using unmanaged keys makes rotation and general management difficult.

Possible Impact

Using unmanaged keys does not allow for proper management

Suggested Resolution

Use managed keys

Insecure Example

The following example will fail the google-compute-disk-encryption-customer-key check.

resource "google_compute_disk" "bad_example" {
  name  = "test-disk"
  type  = "pd-ssd"
  zone  = "us-central1-a"
  image = "debian-9-stretch-v20200805"
  labels = {
    environment = "dev"
  }
  physical_block_size_bytes = 4096
}

Secure Example

The following example will pass the google-compute-disk-encryption-customer-key check.

resource "google_compute_disk" "good_example" {
  name  = "test-disk"
  type  = "pd-ssd"
  zone  = "us-central1-a"
  image = "debian-9-stretch-v20200805"
  labels = {
    environment = "dev"
  }
  physical_block_size_bytes = 4096
  disk_encryption_key {
    kms_key_self_link = "something"
  }
}

Getting Started
Provider Checks
Config
GitHub Actions