mondoo-terraform-gcp-security.mql.yaml

# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-terraform-gcp-security
    name: Terraform HCL Security Static Analysis for Google Cloud
    version: 1.2.1
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: gcp,cloud,terraform
    authors:
      - name: Mondoo, Inc
        email: hello@mondoo.com
    docs:
      desc: |
        ## Overview

        This checks for security misconfigurations in Terraform HCL for Google Cloud.

        ## Local scan

        Local scan refer to scans of files and operating systems where cnspec is installed.

        ### Scan a Terraform project

        Open a terminal and run this command:

        ```bash
        cnspec scan terraform /path/to/terraform/directory
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: GCP BigQuery
        filters: |
          asset.platform == "terraform" || asset.platform == "terraform-hcl"
          terraform.providers.any( nameLabel == "google" )
        checks:
          - uid: terraform-gcp-security-bigquery-no-public-access
      - title: GCP Identity and Access Management (IAM)
        filters: |
          asset.platform == "terraform" || asset.platform == "terraform-hcl"
          terraform.providers.any( nameLabel == "google" )
        checks:
          - uid: terraform-gcp-security-iam-no-folder-level-default-service-account-assignment
          - uid: terraform-gcp-security-iam-no-folder-level-service-account-impersonation
          - uid: terraform-gcp-security-iam-no-privileged-service-accounts
      - title: GCP Cloud Storage
        filters: |
          asset.platform == "terraform" || asset.platform == "terraform-hcl"
          terraform.providers.any( nameLabel == "google" )
        checks:
          - uid: terraform-gcp-security-storage-enable-ubla
          - uid: terraform-gcp-security-storage-no-public-access
      - title: GCP Compute
        filters: |
          asset.platform == "terraform" || asset.platform == "terraform-hcl"
          terraform.providers.any( nameLabel == "google" )
        checks:
          - uid: terraform-gcp-security-compute-disk-encryption-customer-key
          - uid: terraform-gcp-security-compute-disk-encryption-required
          - uid: terraform-gcp-security-compute-enable-shielded-vm
          - uid: terraform-gcp-security-compute-enable-vpc-flow-logs
          - uid: terraform-gcp-security-compute-no-default-service-account
          - uid: terraform-gcp-security-compute-no-ip-forwarding
          - uid: terraform-gcp-security-compute-no-plaintext-vm-disk-keys
          - uid: terraform-gcp-security-compute-no-public-ip
      - title: GCP DNS
        filters: |
          asset.platform == "terraform" || asset.platform == "terraform-hcl"
          terraform.providers.any( nameLabel == "google" )
        checks:
          - uid: terraform-gcp-security-dns-enable-dnssec
          - uid: terraform-gcp-security-dns-no-rsa-sha1
      - title: GCP Google Kubernetes Engine (GKE)
        filters: |
          asset.platform == "terraform" || asset.platform == "terraform-hcl"
          terraform.providers.any( nameLabel == "google" )
        checks:
          - uid: terraform-gcp-security-gke-enable-auto-repair
          - uid: terraform-gcp-security-gke-enable-auto-upgrade
          - uid: terraform-gcp-security-gke-enable-ip-aliasing
          - uid: terraform-gcp-security-gke-enable-master-networks
          - uid: terraform-gcp-security-gke-enable-network-policy
          - uid: terraform-gcp-security-gke-enable-private-cluster
          - uid: terraform-gcp-security-gke-enable-stackdriver-logging
          - uid: terraform-gcp-security-gke-enable-stackdriver-monitoring
          - uid: terraform-gcp-security-gke-metadata-endpoints-disabled
          - uid: terraform-gcp-security-gke-no-basic-authentication
          - uid: terraform-gcp-security-gke-no-client-cert-authentication
          - uid: terraform-gcp-security-gke-no-public-control-plane
          - uid: terraform-gcp-security-gke-node-metadata-security
          - uid: terraform-gcp-security-gke-node-pool-uses-cos
          - uid: terraform-gcp-security-gke-node-shielding-enabled
          - uid: terraform-gcp-security-gke-use-cluster-labels
          - uid: terraform-gcp-security-gke-use-rbac-permissions
          - uid: terraform-gcp-security-gke-use-service-account
queries:
  - uid: terraform-gcp-security-iam-no-folder-level-default-service-account-assignment
    title: Roles should not be assigned to default service accounts
    mql: |
      terraform.resources.where( nameLabel  == "google_folder_iam_member") {
        arguments['member'] != /.+@appspot\.gserviceaccount\.com/ &&
        arguments['member'] != /.+-compute@developer\.gserviceaccount\.com/ &&
        arguments['member'] != /data\.google_compute_default_account/
      }
    docs:
      desc: |
        Default service accounts should not be used when granting access to folders as this can violate least privilege. It is recommended to use specialized service accounts instead.

        Some Google Cloud services create default service accounts when you first enable the API in a Google Cloud project. By default, these service accounts are granted the Editor role (roles/editor) on the Cloud project, which allows them to read and modify all resources in the Cloud project. This amount of access isn't essential for the services to work: To access resources in your Cloud project, Google Cloud services use service agents, not the default service accounts.
      audit: |
        Check if `member` is configured to use default service accounts `compute@developer.gserviceaccount.com`, `appspot.gserviceaccount.com`, or if a `data.google_compute_default_service_account` is being used

        ```hcl
        resource "google_folder_iam_member" "folder-123" {
          folder = "folder-123"
          role    = "roles/my-role"
          member  = "123-compute@developer.gserviceaccount.com"
        }

        resource "google_folder_iam_member" "folder-456" {
          folder = "folder-456"
          role    = "roles/my-role"
          member  = "123@appspot.gserviceaccount.com"
        }

        data "google_compute_default_service_account" "default" {
        }

        resource "google_folder_iam_member" "folder-789" {
          folder = "folder-789"
          role    = "roles/my-role"
          member  = data.google_compute_default_service_account.default.id
        }
        ```
      remediation: |
        Define a service account with least privilege for the role

        ```hcl
        resource "google_service_account" "limited" {
          account_id   = "account123"
          display_name = "account123"
        }

        resource "google_folder_iam_member" "folder-123" {
          folder = "folder-123"
          role    = "roles/my-role"
          member  = "serviceAccount:${google_service_account.limited.email}"
        }
        ```
  - uid: terraform-gcp-security-iam-no-folder-level-service-account-impersonation
    title: Users should not be granted service account access at the folder level
    mql: |
      terraform.resources.where( nameLabel  == "google_folder_iam_binding") {
        arguments['role'] != /iam\.serviceAccountUser/
      }
    docs:
      desc: |
        Users with service account access at the folder level can impersonate any service account. Instead, they should be given access to particular service accounts as required.
      audit: |
        Check if `role` is configured with `roles/iam.serviceAccountUser`

        ```hcl
        resource "google_folder_iam_binding" "folder-123" {
          folder = "folder-123"
          role    = "roles/iam.serviceAccountUser"
        }
        ```
      remediation: |
        Define a custom role with least privilege

        ```hcl
          resource "google_folder_iam_binding" "folder-123" {
            folder = "folder-123"
            role    = "roles/custom-role"
          }
        ```
  - uid: terraform-gcp-security-iam-no-privileged-service-accounts
    title: Service accounts should not have roles assigned with excessive privileges
    mql: |
      terraform.resources.where( nameLabel  == "google_project_iam_member") {
        arguments['role'] != /roles\/owner/ &&
        arguments['role'] != /roles\/editor/
      }
    docs:
      desc: |
        Service accounts should have a minimal set of permissions assigned to accomplish their job. They should never have excessive access because if compromised, an attacker can escalate privileges and take over the entire account.
      audit: |
        Check if `role` is configured with basic roles: `roles/editor`, `roles/owner`

        ```hcl
        resource "google_service_account" "test" {
          account_id   = "account123"
          display_name = "account123"
        }

        resource "google_project_iam_member" "project" {
          project = "your-project-id"
          role    = "roles/owner"
          member  = "serviceAccount:${google_service_account.test.email}"
        }
        ```
      remediation: |
        Define a custom role with least privilege

        ```hcl
        resource "google_service_account" "test" {
          account_id   = "account123"
          display_name = "account123"
        }

        resource "google_project_iam_member" "project" {
          project = "your-project-id"
          role    = "roles/logging.logWriter"
          member  = "serviceAccount:${google_service_account.test.email}"
        }
        ```
  - uid: terraform-gcp-security-storage-no-public-access
    title: Ensure that Cloud Storage bucket is not publicly accessible
    mql: |
      terraform.resources.where( nameLabel  == "google_storage_bucket_iam_binding") {
        attributes['members']['value'] { _ != /allUsers/ && _ != /allAuthenticatedUsers/}
      }
    docs:
      desc: |
        Google Cloud Storage buckets that define 'allUsers' or 'allAuthenticatedUsers' as members in an IAM member/binding causes data to be exposed outside of the organization. This can lead to exposure of sensitive data. The recommended approach is to restrict public access.
      audit: |
        Check if `members` is configured with `allAuthenticatedUsers` or `allUsers`

        ```hcl
        resource "google_storage_bucket_iam_binding" "allAuthenticatedUsers" {
          bucket = google_storage_bucket.default.name
          role = "roles/storage.admin"
          members = [
            "allAuthenticatedUsers",
          ]
        }

        resource "google_storage_bucket_iam_binding" "allUsers" {
          bucket = google_storage_bucket.default.name
          role = "roles/storage.admin"
          members = [
            "allUsers",
          ]
        }
        ```
      remediation: |
        Restrict public access to the bucket.

        ```hcl
        resource "google_storage_bucket_iam_binding" "binding" {
          bucket = google_storage_bucket.default.name
          role = "roles/storage.admin"
          members = [
            "user:jane@example.com",
          ]
        }
        ```
  - uid: terraform-gcp-security-storage-enable-ubla
    title: Ensure that Cloud Storage buckets have uniform bucket-level access enabled
    mql: |
      terraform.resources.where( nameLabel  == "google_storage_bucket") {
         arguments['uniform_bucket_level_access'] == true
      }
    docs:
      desc: |
        Google Cloud Storage buckets should be configured with uniform bucket-level access.

        When you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains. You revoke all access granted by object ACLs and the ability to administrate permissions using bucket ACLs.
      audit: |
        Check if `uniform_bucket_level_access` is set to `true`

        ```hcl
        resource "google_storage_bucket" "static-site" {
          name          = "image-store.com"
          location      = "EU"
          force_destroy = true

          uniform_bucket_level_access = false

          website {
            main_page_suffix = "index.html"
            not_found_page   = "404.html"
          }
          cors {
            origin          = ["http://image-store.com"]
            method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
            response_header = ["*"]
            max_age_seconds = 3600
          }
        }
        ```
      remediation: |
        Configure `uniform_bucket_level_access` to `true`

        ```hcl
        resource "google_storage_bucket" "static-site" {
          name          = "image-store.com"
          location      = "EU"
          force_destroy = true

          uniform_bucket_level_access = true

          website {
            main_page_suffix = "index.html"
            not_found_page   = "404.html"
          }
          cors {
            origin          = ["http://image-store.com"]
            method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
            response_header = ["*"]
            max_age_seconds = 3600
          }
        }
        ```
  - uid: terraform-gcp-security-compute-no-public-ip
    title: Compute instances should not be publicly exposed to the internet
    mql: |
      terraform.resources.where( nameLabel  == "google_compute_instance") {
        blocks.where( type == "network_interface") {
          blocks.where( type == "access_config") {
            arguments.values.length != 0
          }
        }
      }
    docs:
      desc: |
        Google Cloud compute instances that have a public IP address are exposed on the internet and are at risk to attack.
      audit: |
        Check if the `access_config` is empty.

        ```hcl
        resource "google_compute_instance" "bad_example" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          tags = ["foo", "bar"]

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
          }

          // Local SSD disk
          scratch_disk {
            interface = "SCSI"
          }

          network_interface {
            network = "default"

            access_config {
              // Ephemeral IP
            }
          }
        }
        ```
      remediation: |
        Configure compute instance without empty `access_config`

        ```hcl
        resource "google_compute_instance" "good_example" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          tags = ["foo", "bar"]

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
          }

          // Local SSD disk
          scratch_disk {
            interface = "SCSI"
          }

          network_interface {
            network = "default"
          }
        }
        ```
  - uid: terraform-gcp-security-compute-disk-encryption-customer-key
    title: Disks should be encrypted with Customer Supplied Encryption Keys
    mql: |
      terraform.resources.where( nameLabel  == "google_compute_disk" ) {
        blocks.one( type == "disk_encryption_key")
      }
      terraform.resources.where( nameLabel  == "google_compute_disk" && blocks.one( type == "disk_encryption_key") ) {
        blocks.where( type == "disk_encryption_key") {
          arguments != ""
        }
      }
    docs:
      desc: |
        Google Cloud compute instances should use disk encryption using a customer-supplied encryption key. If you do not provide an encryption key when creating the disk, then the disk will be encrypted using an automatically generated key, and you do not need to provide the key to use the disk later.
      audit: |
        Check if `disk_encryption_key` key is defined and that the arguments are not empty strings.

        ```hcl
        resource "google_compute_disk" "bad_example" {
          name  = "test-disk"
          type  = "pd-ssd"
          zone  = "us-central1-a"
          image = "debian-9-stretch-v20200805"
          labels = {
            environment = "dev"
          }
          physical_block_size_bytes = 4096
        }
        ```
      remediation: |
        Configure compute instance with `disk_encryption_key` and `kms_key_self_link` defined.

        ```hcl
        resource "google_compute_disk" "good_example" {
          name  = "test-disk"
          type  = "pd-ssd"
          zone  = "us-central1-a"
          image = "debian-9-stretch-v20200805"
          labels = {
            environment = "dev"
          }
          physical_block_size_bytes = 4096
          disk_encryption_key {
            kms_key_self_link = "something"
          }
        }
        ```
  - uid: terraform-gcp-security-compute-disk-encryption-required
    title: Disk encryption Keys should not be passed as plaintext
    mql: |
      terraform.resources.where( nameLabel  == "google_compute_disk" && blocks.one( type == "disk_encryption_key") ) {
        blocks.where( type == "disk_encryption_key") {
          arguments.keys[0] != "raw_key"
        }
      }
    docs:
      desc: |
        Google Cloud compute instances should use disk encryption using a customer-supplied encryption key. One of the options is for the `disk_encryption_key` is `raw_key`, which is the key in plaintext.

        Sensitive values such as raw encryption keys should not be included in your Terraform code and should be stored securely by a secrets manager.
      audit: |
        Check if the `access_config` is empty

        ```hcl
        resource "google_compute_disk" "good_example" {
          disk_encryption_key {
            raw_key="b2ggbm8gdGhpcyBpcyBiYWQ="
          }
        }
        ```
      remediation: |
        Configure compute instance with `disk_encryption_key` and `kms_key_self_link` defined

        ```hcl
        resource "google_compute_disk" "good_example" {
          disk_encryption_key {
            kms_key_self_link = google_kms_crypto_key.my_crypto_key.id
          }
        }
        ```
  - uid: terraform-gcp-security-compute-enable-shielded-vm
    title: Verify shielded VM is enabled on compute instances
    mql: |
      terraform.resources.where( nameLabel  == "google_compute_instance" ) {
        blocks.one( type == "shielded_instance_config" )
      }
      terraform.resources.where( nameLabel  == "google_compute_instance" && blocks.one( type == "shielded_instance_config" )) {
        blocks.where( type == "shielded_instance_config") {
          attributes['enable_vtpm'] == null || attributes['enable_vtpm']['value'] == true
        }
      }
      terraform.resources.where( nameLabel  == "google_compute_instance" && blocks.one( type == "shielded_instance_config" )) {
        blocks.where( type == "shielded_instance_config") {
          attributes['enable_integrity_monitoring'] == null || attributes['enable_integrity_monitoring']['value'] == true
        }
      }
    docs:
      desc: |
        Shielded VMs are virtual machines (VMs) on Google Cloud hardened by a set of security controls that help defend against rootkits and bootkits. Using Shielded VMs helps protect enterprise workloads from threats like remote attacks, privilege escalation, and malicious insiders. Shielded VMs leverage advanced platform security capabilities such as secure and measured boot, a virtual trusted platform module (vTPM), UEFI firmware, and integrity monitoring.

        **Secure Boot** helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.

        **Integrity monitoring** helps you understand and make decisions about the state of your VM instances. Integrity monitoring compares the most recent boot measurements to the integrity policy baseline and returns a pair of pass/fail results depending on whether they match or not, one for the early boot sequence and one for the late boot sequence.
      audit: |
        Check if the `shielded_instance_config` is configured on the instance, and if `enable_vtpm` and `enable_integrity_monitoring` are set to `false`

        ```hcl
        resource "google_compute_instance" "bad_example" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          tags = ["foo", "bar"]

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
          }

          // Local SSD disk
          scratch_disk {
            interface = "SCSI"
          }

          shielded_instance_config {
            enable_vtpm = false
            enable_integrity_monitoring = false
          }
        }
        ```
      remediation: |
        Configure `shielded_instance_config` without `enable_vtpm` and `enable_integrity_monitoring`, or configure `enable_vtpm` and `enable_integrity_monitoring` explicitly to `true`

        ```hcl
        resource "google_compute_instance" "good_example" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          tags = ["foo", "bar"]

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
          }

          // Local SSD disk
          scratch_disk {
            interface = "SCSI"
          }

          shielded_instance_config {
            enable_vtpm = true
            enable_integrity_monitoring = true
          }
        }
        ```
  - uid: terraform-gcp-security-compute-enable-vpc-flow-logs
    title: Verify VPC flow logs enabled on compute instances
    mql: |
      terraform.resources.where( nameLabel  == "google_compute_subnetwork" && arguments['purpose'] != "INTERNAL_HTTPS_LOAD_BALANCER" ) {
        blocks.one( type == "log_config")
      }
    docs:
      desc: |
        VPC flow logs record information about all traffic, which is a vital tool in reviewing anomalous traffic. Google Compute Engine subnetworks that do not have VPC flow logs enabled have limited information for auditing and awareness.

        Note: Google Compute Engine subnets configured as INTERNAL_HTTPS_LOAD_BALANCER do not support VPC flow logs. Compute subnetworks with `purpose INTERNAL_HTTPS_LOAD_BALANCER` attribute will not be evaluated.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_compute_subnetwork" "bad_example" {
          name          = "test-subnetwork"
          ip_cidr_range = "10.2.0.0/16"
          region        = "us-central1"
          network       = google_compute_network.custom-test.id
          secondary_ip_range {
            range_name    = "tf-test-secondary-range-update1"
            ip_cidr_range = "192.168.10.0/24"
          }
        }

        resource "google_compute_network" "custom-test" {
          name                    = "test-network"
          auto_create_subnetworks = false
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_compute_subnetwork" "good_example" {
          name          = "test-subnetwork"
          ip_cidr_range = "10.2.0.0/16"
          region        = "us-central1"
          network       = google_compute_network.custom-test.id
          secondary_ip_range {
            range_name    = "tf-test-secondary-range-update1"
            ip_cidr_range = "192.168.10.0/24"
          }
          log_config {
            aggregation_interval = "INTERVAL_10_MIN"
            flow_sampling        = 0.5
            metadata             = "INCLUDE_ALL_METADATA"
          }
        }

        resource "google_compute_network" "custom-test" {
          name                    = "test-network"
          auto_create_subnetworks = false
        }
        ```
  - uid: terraform-gcp-security-compute-no-default-service-account
    title: Compute instances should not use the default service account
    mql: |
      terraform.resources.where( nameLabel  == "google_compute_instance" && blocks.one( type == "service_account") ) {
        blocks.where( type == "service_account" ) {
          attributes['email'] != empty
        }
      }
      terraform.resources.where( nameLabel  == "google_compute_instance" && blocks.one( type == "service_account") ) {
        blocks.where( type == "service_account" ) {
          attributes['email'] != /.+-compute@developer\.gserviceaccount.com/
        }
      }
    docs:
      desc: |
        The default service account has full project access. Provisioning instances using the default service account gives the instance full access to the project. Compute instances should instead be assigned the minimal access they need.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_compute_instance" "default" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          tags = ["foo", "bar"]

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
          }

          // Local SSD disk
          scratch_disk {
            interface = "SCSI"
          }

          service_account {
            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            email  = "1234567890-compute@developer.gserviceaccount.com"
            scopes = ["cloud-platform"]
          }
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service_account_id"
          display_name = "Service Account"
        }

        resource "google_compute_instance" "default" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          tags = ["foo", "bar"]

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
          }

          // Local SSD disk
          scratch_disk {
            interface = "SCSI"
          }

          network_interface {
            network = "default"

            access_config {
              // Ephemeral IP
            }
          }

          metadata = {
            foo = "bar"
          }

          metadata_startup_script = "echo hi > /test.txt"

          service_account {
            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            email  = google_service_account.default.email
            scopes = ["cloud-platform"]
          }
        }
        ```
  - uid: terraform-gcp-security-compute-no-ip-forwarding
    title: Compute instances should be configured with IP forwarding
    mql: |
      terraform.resources.where( nameLabel  == "google_compute_instance" && attributes['can_ip_forward']) {
        attributes['can_ip_forward']['value'] == false
      }
    docs:
      desc: |
        Disabling IP forwarding ensures the instance can only receive packets addressed to the instance and can only send packets with a source address of the instance.

        The attribute `can_ip_forward` is optional on `google_compute_instance` and defaults to `false`. Instances with `can_ip_forward = true` will fail.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_compute_instance" "bad_example" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
          }

          // Local SSD disk
          scratch_disk {
            interface = "SCSI"
          }

          can_ip_forward = false
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_compute_instance" "bad_example" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
          }

          // Local SSD disk
          scratch_disk {
            interface = "SCSI"
          }

          can_ip_forward = false
        }
        ```
  - uid: terraform-gcp-security-compute-no-plaintext-vm-disk-keys
    title: VM disk encryption keys should not be provided in plaintext
    mql: |
      terraform.resources.where( nameLabel  == "google_compute_instance" ) {
        blocks { arguments.keys { _ != 'disk_encryption_key_raw' } }
      }
    docs:
      desc: |
        Providing your encryption key in plaintext format means anyone with access to the source code also has access to the key.

        When encrypting a `boot_disk`, it is not recommended to use the `disk_encryption_key_raw` argument as this passes the key in plaintext, which is not secure. Consider using `kms_key_self_link` or a secrets manager instead.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_compute_instance" "bad_example" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          tags = ["foo", "bar"]

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
            disk_encryption_key_raw = "something"
          }

        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
         resource "google_compute_instance" "bad_example" {
          name         = "test"
          machine_type = "e2-medium"
          zone         = "us-central1-a"

          tags = ["foo", "bar"]

          boot_disk {
            initialize_params {
              image = "debian-cloud/debian-9"
            }
            kms_key_self_link = "kmsKeyName"
          }

        }
        ```
  - uid: terraform-gcp-security-bigquery-no-public-access
    title: BigQuery datasets should only be accessible within the organization
    mql: |
      terraform.resources.where( nameLabel  == "google_bigquery_dataset" ) {
        blocks { arguments.values.none("allAuthenticatedUsers") }
      }
    docs:
      desc: |
        BigQuery datasets should not be configured to provide access to `allAuthenticatedUsers` as this provides any authenticated GCP user, even those outside of your organization, access to your BigQuery dataset. This can lead to exposure of sensitive data to the public internet.

        Configure access permissions with higher granularity and least privilege principles.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_bigquery_dataset" "bad_example" {
          dataset_id                  = "example_dataset"
          friendly_name               = "test"
          description                 = "This is a test description"
          location                    = "EU"
          default_table_expiration_ms = 3600000

          labels = {
            env = "default"
          }

          access {
            role          = "OWNER"
            special_group = "allAuthenticatedUsers"
          }

          access {
            role   = "READER"
            domain = "hashicorp.com"
          }
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_bigquery_dataset" "good_example" {
          dataset_id                  = "example_dataset"
          friendly_name               = "test"
          description                 = "This is a test description"
          location                    = "EU"
          default_table_expiration_ms = 3600000

          labels = {
            env = "default"
          }

          access {
            role          = "OWNER"
            user_by_email = google_service_account.bqowner.email
          }

          access {
            role   = "READER"
            domain = "hashicorp.com"
          }
        }

        resource "google_service_account" "bqowner" {
          account_id = "bqowner"
        }
        ```
  - uid: terraform-gcp-security-dns-enable-dnssec
    title: Cloud DNS should use DNSSEC
    mql: |
      terraform.resources.where( nameLabel  == "google_dns_managed_zone" ) {
        blocks.where( type == "dnssec_config" ) {
          attributes['state']['value'] != "off"
        }
      }
    docs:
      desc: |
        DNSSEC authenticates DNS responses, preventing MITM attacks and impersonation. Unverified DNS responses could lead to man-in-the-middle attacks.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_dns_managed_zone" "bad_example" {
          name        = "example-zone"
          dns_name    = "example-${random_id.rnd.hex}.com."
          description = "Example DNS zone"
          labels = {
            foo = "bar"
          }
          dnssec_config {
            state = "off"
          }
        }

        resource "random_id" "rnd" {
          byte_length = 4
        }

        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_dns_managed_zone" "good_example" {
          name        = "example-zone"
          dns_name    = "example-${random_id.rnd.hex}.com."
          description = "Example DNS zone"
          labels = {
            foo = "bar"
          }
          dnssec_config {
            state = "on"
          }
        }

        resource "random_id" "rnd" {
          byte_length = 4
        }
        ```
  - uid: terraform-gcp-security-dns-no-rsa-sha1
    title: Zone signing should not use RSA SHA1
    mql: |
      terraform.datasources.where( nameLabel  == "google_dns_keys" ) {
        blocks { attributes['algorithm']['value'] != "rsasha1" }
      }
    docs:
      desc: |
        RSA SHA1 is a weaker algorithm than SHA2-based algorithms such as RSA SHA256/512.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_dns_managed_zone" "foo" {
          name     = "foobar"
          dns_name = "foo.bar."

          dnssec_config {
            state         = "on"
            non_existence = "nsec3"
          }
        }

        data "google_dns_keys" "foo_dns_keys" {
          managed_zone = google_dns_managed_zone.foo.id
          zone_signing_keys {
            algorithm = "rsasha1"
          }
        }

        output "foo_dns_ds_record" {
          description = "DS record of the foo subdomain."
          value       = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_dns_managed_zone" "foo" {
          name     = "foobar"
          dns_name = "foo.bar."

          dnssec_config {
            state         = "on"
            non_existence = "nsec3"
          }
        }

        data "google_dns_keys" "foo_dns_keys" {
          managed_zone = google_dns_managed_zone.foo.id
          zone_signing_keys {
            algorithm = "rsasha512"
          }
        }

        output "foo_dns_ds_record" {
          description = "DS record of the foo subdomain."
          value       = data.google_dns_keys.foo_dns_keys.key_signing_keys[0].ds_record
        }
        ```
  - uid: terraform-gcp-security-gke-enable-auto-repair
    title: Kubernetes should have 'Automatic repair' enabled
    mql: |
      terraform.resources.where( nameLabel == "google_container_node_pool" ) {
        blocks.where( type == "management") {
          arguments['auto_repair'] != false
        }
      }
    docs:
      desc: |
        Automatic repair will monitor nodes and attempt repair when a node fails multiple subsequent health checks. Failing nodes will require manual repair.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_container_node_pool" "bad_example" {
          name       = "my-node-pool"
          cluster    = google_container_cluster.primary.id
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
          management {
            auto_repair = false
          }
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "primary" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
        }

        resource "google_container_node_pool" "good_example" {
          name       = "my-node-pool"
          cluster    = google_container_cluster.primary.id
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
          management {
            auto_repair = true
          }
        }
        ```
  - uid: terraform-gcp-security-gke-enable-auto-upgrade
    title: Kubernetes should have 'Automatic upgrade' enabled
    mql: |
      terraform.resources.where( nameLabel == "google_container_node_pool" ) {
        blocks.where( type == "management") {
          arguments['auto_upgrade'] != false
        }
      }
    docs:
      desc: |
        Automatic updates keep nodes updated with the latest cluster master version.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "primary" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
        }

        resource "google_container_node_pool" "bad_example" {
          name       = "my-node-pool"
          cluster    = google_container_cluster.primary.id
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
          management {
            auto_upgrade = false
          }
        }

        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "primary" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
        }

        resource "google_container_node_pool" "good_example" {
          name       = "my-node-pool"
          cluster    = google_container_cluster.primary.id
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
          management {
            auto_upgrade = true
          }
        }
        ```
  - uid: terraform-gcp-security-gke-enable-ip-aliasing
    title: Clusters should have IP aliasing enabled
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        blocks.one( type == "ip_allocation_policy" )
      }
    docs:
      desc: |
        IP aliasing allows the reuse of public IPs internally, removing the need for a NAT gateway.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "bad_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          ip_allocation_policy = {}
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        `,`
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          ip_allocation_policy     {
            cluster_secondary_range_name  = "some range name"
            services_secondary_range_name = "some range name"
          }
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
  - uid: terraform-gcp-security-gke-enable-master-networks
    title: Master authorized networks should be configured on GKE clusters
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        arguments.keys.contains("master_authorized_networks_config")
      }
    docs:
      desc: |
        Enabling authorized networks means you can restrict master access to a fixed set of CIDR ranges.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "primary" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "primary" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          master_authorized_networks_config = [{
            cidr_blocks = [{
              cidr_block = "10.10.128.0/24"
              display_name = "internal"
            }]
          }]
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
  - uid: terraform-gcp-security-gke-enable-network-policy
    title: Network Policy should be enabled on GKE clusters
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        blocks.one( type == "network_policy" )
      }
    docs:
      desc: |
        Enabling a network policy allows the segregation of network traffic by namespace.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "bad_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          network_policy {
            enabled = false
          }
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }

        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          network_policy {
            enabled = true
          }
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
  - uid: terraform-gcp-security-gke-enable-private-cluster
    title: Clusters should be set to private
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        blocks.one( type == "network_policy" )
      }
    docs:
      desc: |
        Enabling private nodes on a cluster ensures the nodes are only available internally as they will only be assigned internal addresses.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "bad_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          network_policy {
            enabled = false
          }
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          network_policy {
            enabled = true
          }
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
  - uid: terraform-gcp-security-gke-enable-stackdriver-logging
    title: Stackdriver Logging should be enabled
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        attributes.keys.contains( "logging_service" )
      }
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        attributes['logging_service']['value'] == 'logging.googleapis.com/kubernetes'
      }
    docs:
      desc: |
        StackDriver logging provides a useful interface to all of stdout/stderr for each container and should be enabled for monitoring, debugging, etc. Without Stackdriver, visibility to the cluster will be reduced.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "bad_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          logging_service = "logging.googleapis.com"
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          logging_service = "logging.googleapis.com/kubernetes"
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
  - uid: terraform-gcp-security-gke-enable-stackdriver-monitoring
    title: Stackdriver Monitoring should be enabled
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        attributes.keys.contains( "monitoring_service" )
      }
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        attributes['monitoring_service']['value'] == 'monitoring.googleapis.com/kubernetes'
      }
    docs:
      desc: |
        StackDriver monitoring aggregates logs, events, and metrics from your Kubernetes environment on GKE to help you understand your application's behavior in production.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "bad_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          monitoring_service = "monitoring.googleapis.com"
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_service_account" "default" {
          account_id   = "service-account-id"
          display_name = "Service Account"
        }

        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          monitoring_service = "monitoring.googleapis.com/kubernetes"
        }

        resource "google_container_node_pool" "primary_preemptible_nodes" {
          name       = "my-node-pool"
          location   = "us-central1"
          cluster    = google_container_cluster.primary.name
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes    = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
          }
        }
        ```
  - uid: terraform-gcp-security-gke-metadata-endpoints-disabled
    title: Legacy metadata endpoints enabled
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        attributes['metadata']['value']['disable-legacy-endpoints'] != false
      }
    docs:
      desc: |
        The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers. This is a feature in the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata. Unless specifically required, we recommend you disable these legacy APIs. When setting the `metadata` block, the default value for `disable-legacy-endpoints` is set to `true`, they should not be explicitly enabled.
      audit: |
        The following example will fail:

        ```hcl
        resource "google_container_cluster" "bad_example" {
          metadata {
            disable-legacy-endpoints = false
          }
        }
        ```
      remediation: |
        The following example will pass:

        ```hcl
        resource "google_container_cluster" "good_example" {
          metadata {
            disable-legacy-endpoints = true
          }
        }
        ```
  - uid: terraform-gcp-security-gke-no-client-cert-authentication
    title: Clusters should not use client certificates for authentication
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        blocks.where( type == "master_auth" ) {
          blocks { attributes['issue_client_certificate']['value'] != true }
        }
      }
    docs:
      desc: |
        There are several methods of authenticating to the Kubernetes API server. In GKE, the supported methods are service account bearer tokens, OAuth tokens, and x509 client certificates. Prior to GKE's integration with OAuth, a one-time generated x509 certificate or static password were the only available authentication methods, but are now not recommended and should be disabled. These methods present a wider surface of attack for cluster compromise and have been disabled by default since GKE version 1.12. If you are using legacy authentication methods, we recommend that you turn them off. Authentication with a static password is deprecated and has been removed since GKE version 1.19.

        Existing clusters should move to OAuth.
      audit: |
        The following example will fail due to the `master_auth` block that includes the `issue_client_certificate = true` configuration which is set to `false` by default:

        ```hcl
        resource "google_container_cluster" "bad_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          master_auth {
            client_certificate_config {
              issue_client_certificate = true
            }
          }
        }
        ```
      remediation: |
        The following example will pass since the `master_auth` block is not specified and secure defaults are used instead:

        ```hcl
        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
        }
        ```
        The following example will pass because the `master_auth` block is explicitly configuring `issue_client_certificate = false`:

        ```hcl
        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1

          master_auth {
            client_certificate_config {
              issue_client_certificate = false
            }
        }
        ```
  - uid: terraform-gcp-security-gke-no-basic-authentication
    title: Clusters should not use basic authentication
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        blocks.where( type == "master_auth" ) { attributes['username']['value'] == null ||  attributes['username']['value'] == "" }
      }
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        blocks.where( type == "master_auth" ) { attributes['password']['value'] == null ||  attributes['password']['value'] == "" }
      }
    docs:
      desc: |
        There are several methods of authenticating to the Kubernetes API server. In GKE, the supported methods are service account bearer tokens, OAuth tokens, and x509 client certificates. Prior to GKE's integration with OAuth, a one-time generated x509 certificate or static password were the only available authentication methods, but are now not recommended and should be disabled. These methods present a wider surface of attack for cluster compromise and have been disabled by default since GKE version 1.12. If you are using legacy authentication methods, we recommend that you turn them off. Authentication with a static password is deprecated and has been removed since GKE version 1.19.

        Existing clusters should move to OAuth.
      audit: |
        The following example will fail due to the `master_auth` block that includes the `username` and `password` configuration which is set to a value other than `""`:

        ```hcl
        resource "google_container_cluster" "bad_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          master_auth {
            username = "kubeadmin"
            password = var.cluster_password
          }
        }
        ```
      remediation: |
        The following example will pass since the `master_auth` block is not specified and secure defaults are used instead:

        ```hcl
        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
        }
        ```

        The following example will pass because the `master_auth` block is explicitly configuring basic auth to be disabled:

        ```hcl
        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          remove_default_node_pool = true
          initial_node_count       = 1

          master_auth {
            username = ""
            password = ""
            client_certificate_config {
              issue_client_certificate = false
            }
        }
        ```
  - uid: terraform-gcp-security-gke-no-public-control-plane
    title: GKE Control Plane should not be publicly accessible
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        arguments['master_authorized_networks_config'][0]['cidr_blocks'] { _['cidr_block'] != "0.0.0.0/0" }
      }
    docs:
      desc: |
        Authorized networks allow you to specify CIDR ranges and allow IP addresses in those ranges to access your cluster control plane endpoint using HTTPS. Exposing the Kubernetes control plane to the public internet by specifying a CIDR block of "0.0.0.0/0" is not recommended. Public clusters can have up to 50 authorized network CIDR ranges; private clusters can have up to 100.
      audit: |
        The following example will fail due to the `master_authorized_networks_config` block that specifies `cidr_block = "0.0.0.0/0"` which is publicly accessible:

        ```hcl
        resource "google_container_cluster" "primary" {
          name     = "my-gke-cluster"
          location = "us-central1"

          remove_default_node_pool = true
          initial_node_count       = 1
          master_authorized_networks_config = [{
            cidr_blocks = [{
              cidr_block = "0.0.0.0/0"
              display_name = "external"
            }]
          }]
        }
        ```
      remediation: |
        The following example will pass since the `master_authorized_networks_config` block configures an internal `cidr_block`:

        ```hcl
        resource "google_container_cluster" "primary" {
          name     = "my-gke-cluster"
          location = "us-central1"

          remove_default_node_pool = true
          initial_node_count       = 1
          master_authorized_networks_config = [{
            cidr_blocks = [{
              cidr_block = "10.10.128.0/24"
              display_name = "internal"
            }]
          }]
        }
        ```
  - uid: terraform-gcp-security-gke-node-metadata-security
    title: Node metadata value disables metadata concealment
    mql: |
      terraform.resources.where( nameLabel == "google_container_node_pool" ) {
        blocks.where( type == "node_config") {
          blocks { attributes['node_metadata']['value'] != "EXPOSE"  }
        }
      }
      terraform.resources.where( nameLabel == "google_container_node_pool" ) {
        blocks.where( type == "node_config") {
          blocks { attributes['node_metadata']['value'] != "UNSPECIFIED"  }
        }
      }
    docs:
      desc: |
        GKE metadata concealment protects some potentially sensitive system metadata from user workloads running on your cluster. Metadata concealment is scheduled to be deprecated in the future and Google recommends using Workload Identity instead of metadata concealment. This check is looking for configuration that exposes metadata completely.
      audit: |
        The following example will fail due to the `node_config` block that specifies `node_metadata = "EXPOSE"`:

        ```hcl
        resource "google_container_node_pool" "bad_example" {
          node_config {
            workload_metadata_config {
              node_metadata = "EXPOSE"
            }
          }
        }
        ```

        The following example will fail due to the `node_config` block that specifies `node_metadata = "UNSPECIFIED"`:

        ```hcl
        resource "google_container_node_pool" "bad_example" {
          node_config {
            workload_metadata_config {
              node_metadata = "UNSPECIFIED"
            }
          }
        }
        ```
      remediation: |
        The following example will pass due to the `node_config` block that specifies `node_metadata = "GKE_METADATA_SERVER"` (recommended):

        ```hcl
        resource "google_container_node_pool" "bad_example" {
          node_config {
            workload_metadata_config {
              node_metadata = "GKE_METADATA_SERVER"
            }
          }
        }
        ```

        The following example will pass due to the `node_config` block that specifies `node_metadata = "SECURE"`:

        ```hcl
        resource "google_container_node_pool" "bad_example" {
          node_config {
            workload_metadata_config {
              node_metadata = "SECURE"
            }
          }
        }
        ```
  - uid: terraform-gcp-security-gke-node-pool-uses-cos
    title: Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image
    mql: |
      terraform.resources.where( nameLabel == "google_container_node_pool" ) {
        blocks.where( type == "node_config") {
          attributes['image_type']['value'] == 'COS_CONTAINERD'
        }
      }
    docs:
      desc: |
        GKE supports several OS image types but COS_CONTAINERD is the recommended OS image to use on cluster nodes for enhanced security. COS_CONTAINERD is the recommended OS image to use on cluster nodes.
      audit: |
        The following example will fail due to the `node_config` block that specifies `image_type = "something"`:

        ```hcl
        resource "google_container_node_pool" "bad_example" {
          name       = "my-node-pool"
          cluster    = google_container_cluster.primary.id
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
            image_type = "something"
          }
        }
        ```
      remediation: |
        The following example will pass due to the `node_config` block that specifies `image_type = "COS_CONTAINERD"` (recommended):

        ```hcl
        resource "google_container_node_pool" "good_example" {
          name       = "my-node-pool"
          cluster    = google_container_cluster.primary.id
          node_count = 1

          node_config {
            preemptible  = true
            machine_type = "e2-medium"

            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes = [
              "https://www.googleapis.com/auth/cloud-platform"
            ]
            image_type = "COS_CONTAINERD"
          }
        }
        ```
  - uid: terraform-gcp-security-gke-node-shielding-enabled
    title: Shielded GKE nodes not enabled
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        arguments['enable_shielded_nodes'] != false
      }
    docs:
      desc: |
        Node identity and integrity can't be verified without shielded GKE nodes. CIS GKE Benchmark Recommendation: 6.5.5. Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of GKE nodes and should be enabled on all GKE clusters.

        `enable_shielded_nodes` is an optional argument and is set to `true` by default, and should not be set to `false`.
      audit: |
        The following example will fail due to the `enable_shielded_nodes` is set to `false`:

        ```hcl
        resource "google_container_cluster" "bad_example" {
          enable_shielded_nodes = "false"
        }
        ```
      remediation: |
        The following example will pass due to the `enable_shielded_nodes` is set to `true`:

        ```hcl
        resource "google_container_cluster" "good_example" {
          enable_shielded_nodes = "true"
        }
        ```
  - uid: terraform-gcp-security-gke-use-cluster-labels
    title: Clusters should be configured with Labels
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        arguments.keys.contains( "resource_labels" )
      }
    docs:
      desc: |
        Cluster labels are key-value pairs that helps you organize your Google Cloud clusters. You can attach a label to each resource, then filter the resources based on their labels. Information about labels is forwarded to the billing system, so you can break down your billed charges by label.

        The `resource_labels` argument is optional when using the `google_container_cluster` resource.
      audit: |
        The following example will fail because the `resource_labels` argument is not defined for the cluster:

        ```hcl
        resource "google_container_cluster" "bad_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          remove_default_node_pool = true
          initial_node_count       = 1
        }
        ```
      remediation: |
        The following example will pass because the `resource_labels` argument is defined for the cluster:

        ```hcl
        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          # We can't create a cluster with no node pool defined, but we want to only use
          # separately managed node pools. So we create the smallest possible default
          # node pool and immediately delete it.
          remove_default_node_pool = true
          initial_node_count       = 1
          resource_labels = {
            "env" = "staging"
          }
        }
        ```
  - uid: terraform-gcp-security-gke-use-rbac-permissions
    title: Legacy ABAC permissions are enabled
    mql: |
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        arguments['enable_legacy_abac'] != true
      }
    docs:
      desc: |
        By default, ABAC is disabled for clusters created using GKE version 1.8 and later. In Kubernetes, RBAC is used to grant permissions to resources at the cluster and namespace level. RBAC allows you to define roles with rules containing a set of permissions. RBAC has significant security advantages over ABAC.

        The `enable_legacy_abac` is set to `false` by default.
      audit: |
        The following example will fail because the `enable_legacy_abac` argument is set to `true`:

        ```hcl

        resource "google_container_cluster" "bad_example" {
          enable_legacy_abac = true
        }

        ```
      remediation: |
        The following example will pass because the `enable_legacy_abac` argument is explicitly set to `false` (omitting the argument will also pass):

        ```hcl

        resource "google_container_cluster" "good_example" {
          name     = "my-gke-cluster"
          location = "us-central1"

          enable_legacy_abac = false
        }

        ```
  - uid: terraform-gcp-security-gke-use-service-account
    title: Checks for service account defined for GKE nodes
    mql: |-
      terraform.resources.where( nameLabel == "google_container_cluster" ) {
        blocks.where( type == "node_config" ) {
          arguments.keys.contains("service_account")
        }
      }
      terraform.resources.where( nameLabel == "google_container_node_pool" ) {
        blocks.where( type == "node_config" ) {
          arguments.keys.contains("service_account")
        }
      }
    docs:
      desc: |
        Each GKE node has an Identity and Access Management (IAM) Service Account associated with it. By default, nodes are given the Compute Engine default service account, which you can find by navigating to the IAM section of the Cloud Console. This account has broad access by default, making it useful to wide variety of applications, but it has more permissions than are required to run your Kubernetes Engine cluster. You should create and use a minimally privileged service account for your nodes to use instead of the Compute Engine default service account.
      audit: |
        The following example will fail because the `node_config` block does not contain a `service_account` argument:

        ```hcl

        resource "google_container_cluster" "bad_example" {
          name               = "marcellus-wallace"
          location           = "us-central1-a"
          initial_node_count = 3

          node_config {
            labels = {
              foo = "bar"
            }
            tags = ["foo", "bar"]
          }
          timeouts {
            create = "30m"
            update = "40m"
          }
        }

        ```
      remediation: |
        The following example will pass because the `node_config` block contains a `service_account` argument:

        ```hcl

        resource "google_container_cluster" "bad_example" {
          name               = "marcellus-wallace"
          location           = "us-central1-a"
          initial_node_count = 3

          node_config {
            # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
            service_account = google_service_account.default.email
            oauth_scopes = [
              "https://www.googleapis.com/auth/cloud-platform"

            labels = {
              foo = "bar"
            }
            tags = ["foo", "bar"]
          }
          timeouts {
            create = "30m"
            update = "40m"
          }
        }

        ```