GCP CIS v2.0.0 - Section 4 - Virtual Machines

Policy Setting: GCP > Compute Engine > Instance > Approved > Custom

Policies

This policy setting depends on the following policy types:

Source

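# Custom "Approved" evaluation for a Compute Engine instance covering the
# CIS GCP v2.0.0 section 4 controls referenced in `note`:
#   4.11 - confidential computing enabled (N2D machine type)
#   4.1  - instance does not run as the project's default compute service account
#   4.2  - default service account is not granted the cloud-platform scope
# The template emits a JSON list with one {title, result, message} entry per
# control; `result` is one of "Approved", "Not approved" or "Skip".
resource "turbot_policy_setting" "gcp_computeengine_instance_approved_custom" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/gcp-computeengine#/policy/types/instanceApprovedCustom"
  note     = "GCP CIS v2.0.0 - Control: 4.1, 4.2 and 4.11"

  # Input query: instance attributes plus the project number, which is needed
  # to reconstruct the default compute service account email.
  template_input = <<-EOT
    {
      item: instance {
        enableConfidentialCompute: get(path: "confidentialInstanceConfig.enableConfidentialCompute")
        labels: get(path: "labels")
        machineType: get(path: "machineType")
        instanceName: get(path: "name")
        serviceAccounts: get(path: "serviceAccounts")
      }
      project: project {
        projectNumber: get(path: "projectNumber")
      }
    }
  EOT

  template = <<-EOT
    {%- set results = [] -%}
    {%- set projectNumber = $.project.projectNumber -%}
    {%- set enableConfidentialCompute = $.item.enableConfidentialCompute -%}
    {%- set machineType = $.item.machineType -%}
    {#- machineType is a resource URL; take its last path segment. The guard
        keeps split() from being called on a null/undefined value, which would
        abort the whole template before the null check below ran. -#}
    {%- set type = machineType.split("/").pop() if machineType else "" -%}

    {#- CIS 4.11: confidential computing. "Skip" is also reached when the flag
        is set on a non-N2D machine type, where no verdict can be given. -#}
    {%- if enableConfidentialCompute and machineType and type.startsWith("n2d-") -%}
      {%- set data = {
        "title": "Confidential Computing",
        "result": "Approved",
        "message": "Confidential computing is enabled"
      } -%}
    {%- elif not enableConfidentialCompute -%}
      {%- set data = {
        "title": "Confidential Computing",
        "result": "Not approved",
        "message": "Confidential computing is not enabled"
      } -%}
    {%- else -%}
      {%- set data = {
        "title": "Confidential Computing",
        "result": "Skip",
        "message": "No data available for confidential computing yet"
      } -%}
    {%- endif -%}
    {%- set results = results.concat(data) -%}

    {#- Inputs for the service account controls. The second `default` argument
        also replaces null, not only undefined, so every value below is safe to
        call methods on. -#}
    {%- set instanceName = $.item.instanceName | default("", true) -%}
    {%- set labels = $.item.labels | default({}, true) -%}
    {%- set serviceAccounts = $.item.serviceAccounts | default([], true) -%}
    {%- set defaultServiceAccount = projectNumber + "-compute@developer.gserviceaccount.com" -%}

    {#- GKE-managed nodes are exempt from 4.1/4.2 only when BOTH the name prefix
        and the goog-gke-node label are present. `is defined` is used rather than
        `is not null`: a missing label resolves to undefined in Nunjucks, which is
        not null, so the old test exempted any instance merely named "gke-*". -#}
    {%- set isGkeNode = instanceName.startsWith("gke-") and labels["goog-gke-node"] is defined -%}

    {#- One pass over the attached service accounts: record whether the default
        compute account is used at all (4.1) and whether that account carries
        the all-APIs cloud-platform scope (4.2). -#}
    {%- set usesDefaultSA = false -%}
    {%- set usesDefaultSAWithFullAccess = false -%}
    {%- for sa in serviceAccounts -%}
      {%- if sa.email == defaultServiceAccount -%}
        {%- set usesDefaultSA = true -%}
        {#- scopes may be absent on an entry; treat that as no scopes -#}
        {%- set scopes = sa.scopes | default([], true) -%}
        {%- if scopes.indexOf("https://www.googleapis.com/auth/cloud-platform") != -1 -%}
          {%- set usesDefaultSAWithFullAccess = true -%}
        {%- endif -%}
      {%- endif -%}
    {%- endfor -%}

    {#- CIS 4.1: default service account in use -#}
    {%- if isGkeNode -%}
      {%- set data = {
        "title": "Default Service Account",
        "result": "Skip",
        "message": "Instance is GKE managed"
      } -%}
    {%- elif usesDefaultSA -%}
      {%- set data = {
        "title": "Default Service Account",
        "result": "Not approved",
        "message": "Instance is configured to use default service account"
      } -%}
    {%- else -%}
      {%- set data = {
        "title": "Default Service Account",
        "result": "Approved",
        "message": "Instance is not configured to use default service account"
      } -%}
    {%- endif -%}
    {%- set results = results.concat(data) -%}

    {#- CIS 4.2: default service account with full access to all Cloud APIs -#}
    {%- if isGkeNode -%}
      {%- set data = {
        "title": "Default Service Account with full API access",
        "result": "Skip",
        "message": "Instance is GKE managed"
      } -%}
    {%- elif usesDefaultSAWithFullAccess -%}
      {%- set data = {
        "title": "Default Service Account with full API access",
        "result": "Not approved",
        "message": "Instance is configured to use default service account with full access to all cloud APIs"
      } -%}
    {%- else -%}
      {%- set data = {
        "title": "Default Service Account with full API access",
        "result": "Approved",
        "message": "Instance is not configured to use default service account with full access to all cloud APIs"
      } -%}
    {%- endif -%}
    {%- set results = results.concat(data) -%}
    {{ results | json }}
  EOT
}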