Policy Setting: GCP > Compute Engine > Instance > Approved > Custom
Policies
This policy setting is dependent on the following policy types:
Source
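# Custom "Approved" checks for Compute Engine instances, mapped to
# GCP CIS v2.0.0 controls 4.1 (default service account), 4.2 (default
# service account with full API access) and 4.11 (Confidential Computing).
#
# template_input is the GraphQL document Turbot evaluates against the
# instance and its project; template is a Nunjucks template that renders
# a JSON list of {title, result, message} objects, one per check, where
# result is "Approved", "Not approved" or "Skip".
resource "turbot_policy_setting" "gcp_computeengine_instance_approved_custom" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/gcp-computeengine#/policy/types/instanceApprovedCustom"
  note     = "GCP CIS v2.0.0 - Control: 4.1, 4.2 and 4.11"

  # Data pulled from the instance and its project for the template below.
  template_input = <<-EOT
    {
      item: instance {
        enableConfidentialCompute: get(path: "confidentialInstanceConfig.enableConfidentialCompute")
        labels: get(path: "labels")
        machineType: get(path: "machineType")
        instanceName: get(path: "name")
        serviceAccounts: get(path: "serviceAccounts")
      }
      project: project {
        projectNumber: get(path: "projectNumber")
      }
    }
  EOT

  # Whitespace-trimming tags ({%- -%}) keep everything but the final JSON
  # out of the rendered output.
  template = <<-EOT
    {# Every check appends one {title, result, message} object to results. #}
    {%- set results = [] -%}
    {%- set projectNumber = $.project.projectNumber -%}
    {%- set enableConfidentialCompute = $.item.enableConfidentialCompute -%}
    {%- set machineType = $.item.machineType -%}
    {# machineType is a resource URL; keep only the trailing type name. Guarded so a missing value does not abort rendering. #}
    {%- set type = machineType.split("/").pop() if machineType else "" -%}

    {# CIS 4.11: Confidential Computing. Approved only when enabled on an n2d- machine type; enabled on any other family falls through to Skip. NOTE(review): confirm whether other confidential-capable families should be approved here. #}
    {%- if enableConfidentialCompute and machineType and type.startsWith("n2d-") -%}
      {%- set data = { "title": "Confidential Computing", "result": "Approved", "message": "Confidential computing is enabled" } -%}
    {%- elif not enableConfidentialCompute -%}
      {%- set data = { "title": "Confidential Computing", "result": "Not approved", "message": "Confidential computing is not enabled" } -%}
    {%- else -%}
      {%- set data = { "title": "Confidential Computing", "result": "Skip", "message": "No data available for confidential computing yet" } -%}
    {%- endif -%}
    {%- set results = results.concat(data) -%}

    {%- set instanceName = $.item.instanceName -%}
    {%- set labels = $.item.labels -%}
    {%- set serviceAccounts = $.item.serviceAccounts | default([]) -%}
    {# The Compute Engine default service account is <projectNumber>-compute@developer.gserviceaccount.com. #}
    {%- set defaultServiceAccount = projectNumber + "-compute@developer.gserviceaccount.com" -%}

    {# GKE node VMs are skipped for the service-account checks. The label is tested with "is defined": a missing key yields undefined, which "is not null" would wrongly accept, turning the check into a bare name-prefix match. #}
    {%- set isGkeNode = instanceName and instanceName.startsWith("gke-") and labels["goog-gke-node"] is defined -%}

    {# Single pass over the attached service accounts: remember the first default-SA binding, and the first default-SA binding that also carries the all-APIs scope. #}
    {%- set instanceWithDefaultSA = {} -%}
    {%- set instanceWithFullAccess = {} -%}
    {%- for item in serviceAccounts -%}
      {%- set scopes = item.scopes | default([]) -%}
      {%- if item.email == defaultServiceAccount -%}
        {%- if instanceWithDefaultSA | length == 0 -%}
          {%- set instanceWithDefaultSA = item -%}
        {%- endif -%}
        {%- if instanceWithFullAccess | length == 0 and scopes.indexOf("https://www.googleapis.com/auth/cloud-platform") != -1 -%}
          {%- set instanceWithFullAccess = item -%}
        {%- endif -%}
      {%- endif -%}
    {%- endfor -%}

    {# CIS 4.1: the instance must not run as the default service account. #}
    {%- if isGkeNode -%}
      {%- set data = { "title": "Default Service Account", "result": "Skip", "message": "Instance is GKE managed" } -%}
    {%- elif instanceWithDefaultSA | length == 0 -%}
      {%- set data = { "title": "Default Service Account", "result": "Approved", "message": "Instance is not configured to use default service account" } -%}
    {%- else -%}
      {%- set data = { "title": "Default Service Account", "result": "Not approved", "message": "Instance is configured to use default service account" } -%}
    {%- endif -%}
    {%- set results = results.concat(data) -%}

    {# CIS 4.2: the default service account must not be granted the cloud-platform (all APIs) scope. #}
    {%- if isGkeNode -%}
      {%- set data = { "title": "Default Service Account with full API access", "result": "Skip", "message": "Instance is GKE managed" } -%}
    {%- elif instanceWithFullAccess | length == 0 -%}
      {%- set data = { "title": "Default Service Account with full API access", "result": "Approved", "message": "Instance is not configured to use default service account with full access to all cloud APIs" } -%}
    {%- else -%}
      {%- set data = { "title": "Default Service Account with full API access", "result": "Not approved", "message": "Instance is configured to use default service account with full access to all cloud APIs" } -%}
    {%- endif -%}
    {%- set results = results.concat(data) -%}

    {{ results | json }}
  EOT
}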