
accurics.GCP.EKM.132 and accurics.GCP.EKM.131 wrong violation using disk_encryption_key #382

Closed
fredprod opened this issue Nov 13, 2020 · 1 comment · Fixed by #490

@fredprod

  • terrascan version: v1.1.0
  • Operating System: MacOS 10.15.7

Description

Terrascan wrongly reports a violation of accurics.GCP.EKM.132 and accurics.GCP.EKM.131.
The violation is wrongly reported if we use disk_encryption_key in an instance or disk.

In vmEncryptedwithCsek.rego, we have this in google_compute_disk regarding accurics.GCP.EKM.131

```rego
package accurics

vmEncryptedwithCsek[api.id]
{
     api := input.google_compute_disk[_]
     not api.config.disk_encryption_key == null
}
```

In encryptedwithCsek.rego, we have this in google_compute_instance regarding accurics.GCP.EKM.132

```rego
package accurics

encryptedwithCsek[api.id]
{
     api := input.google_compute_disk[_]
     not api.config.disk_encryption_key == null
}
```

What I Did

For both, I fixed it by replacing the block in each .rego file like this:

```rego
# Rule head as in vmEncryptedwithCsek.rego; the same two bodies replace the block
# in encryptedwithCsek.rego under its own head. Two bodies with one head are OR-ed.
vmEncryptedwithCsek[api.id]
{
     api := input.google_compute_disk[_]
     not api.config.disk_encryption_key
}
vmEncryptedwithCsek[api.id]
{
     api := input.google_compute_disk[_]
     api.config.disk_encryption_key == null
}
```

Don't know if it is the right way to fix that, but it fixed it on my side.
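An added OPA unit test (not part of this issue or of the terrascan repository) that reproduces the false positive and checks the two-body fix. The sample input is constructed to match the `input.google_compute_disk[_].config` shape the quoted policy reads, and the file uses rego.v1 syntax (`contains`/`if`) so a current `opa test` accepts it:

```rego
package issue382_repro

import rego.v1

# Buggy form quoted in the issue. `not x == null` is true both when the key is
# absent (the comparison is undefined) and when it is set (the comparison is
# false), so every disk except one with an explicit null is reported.
buggy_vmEncryptedwithCsek contains api.id if {
    api := input.google_compute_disk[_]
    not api.config.disk_encryption_key == null
}

# Fixed form from the issue as two bodies under one head (OR semantics):
# the first catches a missing disk_encryption_key, the second an explicit null,
# which a bare `not` alone would not catch because null is not falsy in Rego.
vmEncryptedwithCsek contains api.id if {
    api := input.google_compute_disk[_]
    not api.config.disk_encryption_key
}

vmEncryptedwithCsek contains api.id if {
    api := input.google_compute_disk[_]
    api.config.disk_encryption_key == null
}

# Constructed sample input (assumed shape, taken from the quoted policy's
# input.google_compute_disk[_].config reference): one disk with a CSEK block,
# one without the attribute, one with the attribute set to null.
sample_input := {"google_compute_disk": [
    {"id": "disk-encrypted", "config": {"disk_encryption_key": {"raw_key": "PLACEHOLDER_KEY"}}},
    {"id": "disk-missing", "config": {"name": "plain"}},
    {"id": "disk-null", "config": {"disk_encryption_key": null}}
]}

# The false positive reported in the issue.
test_buggy_rule_flags_encrypted_disk if {
    buggy_vmEncryptedwithCsek["disk-encrypted"] with input as sample_input
}

# The fix: only the disks without a usable key are reported.
test_fixed_rule_ignores_encrypted_disk if {
    not vmEncryptedwithCsek["disk-encrypted"] with input as sample_input
}

test_fixed_rule_flags_unencrypted_disks if {
    vmEncryptedwithCsek == {"disk-missing", "disk-null"} with input as sample_input
}
```

Save it as a single file and run `opa test -v .` in that directory; all three tests pass, and removing the second body of `vmEncryptedwithCsek` makes the last test fail, showing why both bodies are needed.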

@harkirat22
Contributor

@fredprod. Thank you for raising the issue. Absolutely, your approach to solving this is on point. Therefore, we have made changes. Along with adding another block, I have improved the policy for compute instances: now the policy relates the compute disk which is not encrypted to the instances to which it is attached.
