Turbot Guardrails Hub 
GCP CIS v2.0.0 - Section 3 - Networking
Policy Setting: GCP > DNS > Managed Zone > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

  • GCP > DNS > Managed Zone > Approved > Custom

Source

resource "turbot_policy_setting" "gcp_dns_managed_zone_approved_custom" {
  resource       = turbot_policy_pack.main.id
  type           = "tmod:@turbot/gcp-dns#/policy/types/managedZoneApprovedCustom"
  note           = "GCP CIS v2.0.0 - Control: 3.4 and 3.5"
  template_input = <<-EOT
    {
      managedZone {
        dnssecConfigDefaultKeySpecs: get(path: "dnssecConfig.defaultKeySpecs")
      }
    }
  EOT
  template       = <<-EOT
    {% set results = [] -%}
    {%- if $.managedZone.dnssecConfigDefaultKeySpecs -%}
      {%- set dnssecConfigDefaultKeySpecs = $.managedZone.dnssecConfigDefaultKeySpecs -%}
      {%- set zoneSigningRsasha1 = false -%}
      {%- set keySigningRsasha1 = false -%}
      {%- for keySpec in dnssecConfigDefaultKeySpecs -%}
        {%- if keySpec.keyType == 'zoneSigning' and keySpec.algorithm == 'rsasha1' -%}
          {%- set zoneSigningRsasha1 = true -%}
        {%- elif keySpec.keyType == 'keySigning' and keySpec.algorithm == 'rsasha1' -%}
          {%- set keySigningRsasha1 = true -%}
        {%- endif -%}
      {%- endfor -%}
      {%- if zoneSigningRsasha1 -%}
        {%- set data = {
          "title": "Zone-Signing Key",
          "result": "Not approved",
          "message": "RSASHA1 is used for the Zone-Signing key"
        } -%}
      {%- else -%}
        {%- set data = {
          "title": "Zone-Signing Key",
          "result": "Approved",
          "message": "RSASHA1 is not used for the Zone-Signing key"
        } -%}
      {%- endif -%}
      {% set results = results.concat(data) -%}
      {%- if keySigningRsasha1 -%}
        {%- set data = {
          "title": "Key-Signing Key",
          "result": "Not approved",
          "message": "RSASHA1 is used for the Key-Signing key"
        } -%}
      {%- else -%}
        {%- set data = {
          "title": "Key-Signing Key",
          "result": "Approved",
          "message": "RSASHA1 is not used for the Key-Signing key"
        } -%}
      {%- endif -%}
      {% set results = results.concat(data) -%}
    {%- else -%}
      {%- set data = {
        "title": "DNSSEC Configuration",
        "result": "Skip",
        "message": "No data for DNSSEC configuration yet"
      } -%}
      {% set results = results.concat(data) -%}
    {%- endif -%}
    {{ results | json }}
  EOT
}
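As an added example (not part of the policy pack's own source), the evaluation that the Nunjucks template above performs, rewritten in Python so the per-key verdicts can be checked locally against a constructed template_input payload before the setting is deployed. The key-spec values in the sample payloads are assumed for illustration, and the Skip branch for a zone with no DNSSEC configuration is covered as well.

```python
import json

# Constructed sample payloads in the shape the template_input query returns.
# A zone whose default ZSK uses RSASHA1 but whose KSK uses RSASHA256 (values assumed).
SAMPLE_ZONE_RSASHA1_ZSK = {
    "managedZone": {
        "dnssecConfigDefaultKeySpecs": [
            {"keyType": "keySigning", "algorithm": "rsasha256", "keyLength": 2048},
            {"keyType": "zoneSigning", "algorithm": "rsasha1", "keyLength": 1024},
        ]
    }
}
# A zone with no DNSSEC configuration at all: the template emits a Skip result.
SAMPLE_ZONE_NO_DNSSEC = {"managedZone": {"dnssecConfigDefaultKeySpecs": None}}


def evaluate_managed_zone(template_input):
    """Mirror the policy template: one result per key type, or a single Skip entry."""
    key_specs = template_input["managedZone"].get("dnssecConfigDefaultKeySpecs")
    if not key_specs:
        return [{"title": "DNSSEC Configuration", "result": "Skip",
                 "message": "No data for DNSSEC configuration yet"}]
    results = []
    # Same order as the template: Zone-Signing first, then Key-Signing.
    for key_type, title in (("zoneSigning", "Zone-Signing"), ("keySigning", "Key-Signing")):
        uses_rsasha1 = any(
            spec.get("keyType") == key_type and spec.get("algorithm") == "rsasha1"
            for spec in key_specs
        )
        results.append({
            "title": f"{title} Key",
            "result": "Not approved" if uses_rsasha1 else "Approved",
            "message": f"RSASHA1 is {'used' if uses_rsasha1 else 'not used'} for the {title} key",
        })
    return results


if __name__ == "__main__":
    # Same output shape as `{{ results | json }}` in the template.
    print(json.dumps(evaluate_managed_zone(SAMPLE_ZONE_RSASHA1_ZSK), indent=2))
    print(json.dumps(evaluate_managed_zone(SAMPLE_ZONE_NO_DNSSEC), indent=2))
```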