Disk Encryption No Plaintext Key

CRITICAL
Source
Trivy
ID
AVD-GCP-0037

The encryption key used to encrypt a compute disk has been specified in plaintext.

Sensitive values such as raw encryption keys should not be included in your Terraform code, and should be stored securely by a secrets manager.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Reference a managed key (for example a Cloud KMS key via kms_key_self_link) rather than including the key material in raw form in the configuration.

resource "google_compute_disk" "good_example" {
  disk_encryption_key {
    # Reference a Cloud KMS key; no key material appears in the configuration.
    kms_key_self_link = google_kms_crypto_key.my_crypto_key.id
  }
}
resource "google_compute_instance" "bad_example" {
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
      source_snapshot_encryption_key {
        # The snapshot key is also referenced from Cloud KMS rather than pasted in raw.
        kms_key_self_link = google_kms_crypto_key.my_crypto_key.id
      }
    }
  }
}
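To show what this check looks for, the following added example (written for this page, not Trivy's own implementation) is a small Python scanner that walks Terraform source line by line, tracks the enclosing block path, and reports any raw-key attribute inside a compute disk or boot disk configuration. It flags `raw_key` (as used in `disk_encryption_key`), `disk_encryption_key_raw` (the boot_disk form) and `rsa_encrypted_key`, and distinguishes a string literal (key material committed to the code) from a reference such as `var.disk_key`. The embedded Terraform snippet is constructed for the demonstration and the key value in it is a placeholder, not a real key; the line-oriented parsing is an assumption that is good enough for conventionally formatted HCL but is not a full HCL parser.

```python
import re
from dataclasses import dataclass

# Constructed sample Terraform for the demonstration. The raw_key value is a
# placeholder string, not a valid or real encryption key.
SAMPLE_TF = """
resource "google_compute_disk" "bad" {
  name = "data-disk"
  disk_encryption_key {
    raw_key = "PLACEHOLDER-NOT-A-REAL-KEY-0000000000000="
  }
}

resource "google_compute_disk" "good" {
  name = "data-disk"
  disk_encryption_key {
    kms_key_self_link = google_kms_crypto_key.my_crypto_key.id
  }
}

resource "google_compute_instance" "vm" {
  boot_disk {
    disk_encryption_key_raw = var.disk_key
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }
}
"""

# Attributes that carry raw key material (assumed set for this example).
RAW_KEY_ATTRS = {"raw_key", "rsa_encrypted_key", "disk_encryption_key_raw"}

# A block opener: an identifier, optional quoted labels, then "{" at line end.
BLOCK_RE = re.compile(r'^\s*(\w+)((?:\s+"[^"]*")*)\s*\{\s*$')
# An attribute assignment: identifier = value.
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')


@dataclass
class Finding:
    resource: str    # e.g. resource.google_compute_disk.bad
    path: str        # nested block path inside the resource, e.g. boot_disk
    attribute: str   # the offending attribute name
    literal: bool    # True when the value is a quoted string (key is in the code)
    line: int        # 1-based line number in the scanned text


def scan_terraform(text):
    """Return a Finding for every raw-key attribute found in the Terraform text."""
    findings = []
    stack = []  # names of the blocks enclosing the current line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments (naive)
        if not line.strip():
            continue
        m = BLOCK_RE.match(line)
        if m:
            labels = re.findall(r'"([^"]*)"', m.group(2))
            stack.append(".".join([m.group(1), *labels]))
            continue
        if line.strip() == "}":
            if stack:
                stack.pop()
            continue
        m = ATTR_RE.match(line)
        if m and m.group(1) in RAW_KEY_ATTRS:
            value = m.group(2)
            findings.append(Finding(
                resource=stack[0] if stack else "",
                path="/".join(stack[1:]),
                attribute=m.group(1),
                literal=value.startswith('"'),
                line=lineno,
            ))
    return findings


def report(findings):
    """Render findings as one line each, in the spirit of a scanner's output."""
    lines = []
    for f in findings:
        kind = "string literal" if f.literal else "reference"
        lines.append(f"line {f.line}: {f.resource} {f.path}: "
                     f"{f.attribute} set to a {kind}; use kms_key_self_link instead")
    return lines


if __name__ == "__main__":
    for line in report(scan_terraform(SAMPLE_TF)):
        print(line)
```

Only the two resources that carry raw key material are reported; the `good` disk, which references a Cloud KMS key through `kms_key_self_link`, produces no finding. A value that is a reference rather than a literal still shows up, since the key material is then only one `terraform.tfvars` away from being committed; the managed-key reference is the form the remediation above asks for.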