terraform.gcp.best-practice.gcp-dnssec-enabled.gcp-dnssec-enabled
Author: unknown
Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC
Definition
rules:
  - id: gcp-dnssec-enabled
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_dns_managed_zone" "..." {
            ...
          }
      - pattern-not-inside: |
          resource "google_dns_managed_zone" "..." {
            ...
            dnssec_config {
              state = on
            }
            ...
          }
    message: "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC"
    metadata:
      category: best-practice
      technology:
        - terraform
        - gcp
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING
Examples
gcp-dnssec-enabled.tf
# fail
# ruleid: gcp-dnssec-enabled
resource "google_dns_managed_zone" "fail1" {
  name        = "example-zone"
  dns_name    = "example-de13he3.com."
  description = "Example DNS zone"
  dnssec_config {
    state = off
  }
}

# fail
# ruleid: gcp-dnssec-enabled
resource "google_dns_managed_zone" "fail2" {
  name        = "example-zone"
  dns_name    = "example-de13he3.com."
  description = "Example DNS zone"
}

# ok: gcp-dnssec-enabled
resource "google_dns_managed_zone" "success" {
  name        = "example-zone"
  dns_name    = "example-de13he3.com."
  description = "Example DNS zone"
  dnssec_config {
    state = on
  }
}
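The rule above only checks that a `dnssec_config` block turns DNSSEC on; it does not inspect which signing algorithm the zone uses, even though its message asks that RSASHA1 be avoided. The following zone is an added example, not part of the rule's test file: it keeps DNSSEC enabled and also pins both keys to RSASHA256 through the Google provider's `default_key_specs` block (the zone and DNS names are constructed).

```hcl
# Added example (not from the rule's test file): DNSSEC enabled, with explicit
# key specs so that neither the key-signing nor the zone-signing key uses
# rsasha1. The zone name and dns_name are constructed placeholders.
resource "google_dns_managed_zone" "hardened" {
  name        = "example-zone-hardened"                    # constructed
  dns_name    = "example-hardened.com."                    # constructed
  description = "Example DNS zone with DNSSEC and non-RSASHA1 keys"

  dnssec_config {
    # The only attribute this Semgrep rule looks at. Terraform expects the
    # provider's string value here ("on", "off" or "transfer").
    state = "on"

    # NSEC3 authenticated denial of existence avoids the trivial zone
    # enumeration that plain NSEC allows.
    non_existence = "nsec3"

    # Not examined by the rule, but this is where the algorithm named in the
    # rule's message is chosen. rsasha256 (or ecdsap256sha256) instead of
    # rsasha1 for both keys.
    default_key_specs {
      algorithm  = "rsasha256"
      key_length = 2048
      key_type   = "keySigning"
    }

    default_key_specs {
      algorithm  = "rsasha256"
      key_length = 2048
      key_type   = "zoneSigning"
    }
  }
}
```

Because the rule matches on `state` alone, a zone with `state = on` and a `default_key_specs` block using `rsasha1` would still pass it; reviewing the algorithm is a separate check.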
Short Link: https://sg.run/go10