terraform.gcp.best-practice.gcp-dnssec-enabled.gcp-dnssec-enabled

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC

Run Locally

Run in CI

Defintion

rules:
  - id: gcp-dnssec-enabled
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_dns_managed_zone" "..." {
          ...
          }
      - pattern-not-inside: |
          resource "google_dns_managed_zone" "..." {
          ...
          dnssec_config {
              state = on
          }
          ...
          }
    message: "Ensure that RSASHA1 is not used for the zone-signing and key-signing
      keys in Cloud DNS DNSSEC\t"
    metadata:
      category: best-practice
      technology:
        - terraform
        - gcp
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING

Examples

gcp-dnssec-enabled.tf

# fail
# ruleid: gcp-dnssec-enabled
resource "google_dns_managed_zone" "fail1" {
    name        = "example-zone"
    dns_name    = "example-de13he3.com."
    description = "Example DNS zone"
    dnssec_config {
        state = off
    }
}

# fail
# ruleid: gcp-dnssec-enabled
resource "google_dns_managed_zone" "fail2" {
    name        = "example-zone"
    dns_name    = "example-de13he3.com."
    description = "Example DNS zone"
}

# ok: gcp-dnssec-enabled
resource "google_dns_managed_zone" "success" {
    name        = "example-zone"
    dns_name    = "example-de13he3.com."
    description = "Example DNS zone"
    dnssec_config {
        state = on
    }
}