Encrypted compute disk with unmanaged keys.

Explanation

By default, Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part.

If the disk_encryption_key block is included in the resource declaration then it must include a raw_key or kms_key_self_link.

Possible Impact

Encryption of disk using unmanaged keys.

Suggested Resolution

Enable encryption using a customer-managed key.

Insecure Example

The following example will fail the google-compute-disk-encryption-customer-keys check.

resource "google_compute_disk" "bad_example" {
	# ...
}

Secure Example

The following example will pass the google-compute-disk-encryption-customer-keys check.

resource "google_compute_disk" "good_example" {
	disk_encryption_key {
		kms_key_self_link = "something"
	}
}

Getting Started
Provider Checks
Config
GitHub Actions