Beta - Cloud Asset Inventory Disabled

  • Query id: 4f60da73-190e-4048-8e1d-cc5a3974cd15
  • Query name: Beta - Cloud Asset Inventory Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • CWE: 778
  • Risk score: 3.0
  • URL: Github

Description

At least one `google_project_service` resource in the project must set `service` to exactly `"cloudasset.googleapis.com"`. That resource enables the Cloud Asset Inventory API, which keeps a time-stamped record of the project's resources and IAM policies for audit, export and incident investigation; when the API is never enabled in the configuration, that asset history is unavailable (CWE-778, Insufficient Logging). The match is on the exact service name — the first positive sample below shows that strings merely containing `cloudasset.googleapis.com` are still reported. Two caveats for practitioners: the query only inspects the Terraform configuration, so a project whose API is enabled outside Terraform is reported as a finding, and enabling the API is a precondition for inventory, not by itself an export or alerting control.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Positive: the only API enabled here is a placeholder name. It contains the
# string "cloudasset.googleapis.com" but is not an exact match, so the
# Cloud Asset Inventory API is never enabled and the query reports it.
resource "google_project_service" "positive1_1" {
  service            = "not_cloudasset.googleapis.com"
}

# Positive: second near-miss service name in the same file. Neither resource
# sets the exact value "cloudasset.googleapis.com", so the file is reported.
resource "google_project_service" "positive1_2" {
  service            = "not_cloudasset.googleapis.com_2"
}
Positive test num. 2 - tf file
# Positive: one resource expanded with for_each over an inline set of two
# API names. Neither element is "cloudasset.googleapis.com", so the
# Cloud Asset Inventory API is never enabled.
resource "google_project_service" "positive_2" {
  for_each = toset([
    "compute.googleapis.com",
    "pubsub.googleapis.com",
  ])
  service            = each.value   # each.value is one element of the set above
}
Positive test num. 3 - tf file
# Positive: same as the set variant, but for_each iterates an inline map.
# The API names are the map values; none of them is
# "cloudasset.googleapis.com".
resource "google_project_service" "positive_3" {
  for_each = {
    compute   = "compute.googleapis.com"
    pubsub    = "pubsub.googleapis.com"
  }
  service = each.value   # each.value is the map value, i.e. the API name
}

Positive test num. 4 - tf file
# Positive: the API name lives in a local instead of inline. It is a
# near-miss placeholder, not "cloudasset.googleapis.com".
# NOTE(review): `api` is a plain string, yet the resource below feeds it to
# for_each, which Terraform only accepts as a map or a set of strings; this
# fixture is scanner input and would not pass `terraform validate` as written.
locals {
  api = "not_cloudasset.googleapis.com"
}

# Positive: the service name is resolved through a local value, so the query
# has to follow `local.api` to see that it is not "cloudasset.googleapis.com".
# NOTE(review): `local.api` is a string, and Terraform's for_each accepts only
# a map or a set of strings; this fixture exercises the scanner's local
# resolution but would be rejected by `terraform validate`.
resource "google_project_service" "positive_4" {
  for_each = local.api
  service  = each.value
}
Positive test num. 5 - tf file
# Positive: a set of API names built with toset() and held in a local.
# "cloudasset.googleapis.com" is absent from the set.
locals {
  apis_toset = toset([
    "compute.googleapis.com",
    "pubsub.googleapis.com",
  ])
}

# Positive: for_each over a set defined in locals. The query must resolve
# `local.apis_toset` to see that none of its elements is
# "cloudasset.googleapis.com".
resource "google_project_service" "positive_5" {
  for_each = local.apis_toset
  service  = each.value   # each.value is one element of local.apis_toset
}
Positive test num. 6 - tf file
# Positive: a map of API names held in a local. The values are the API
# names; "cloudasset.googleapis.com" is not among them.
# NOTE(review): the name says "set" but the value is a map (object); the
# resource that consumes it reads the map values via each.value.
locals {
  apis_set = {
    compute   = "compute.googleapis.com"
    pubsub    = "pubsub.googleapis.com"
  }
}

# Positive: for_each over a map defined in locals. The query must resolve
# `local.apis_set` and inspect its values; none is
# "cloudasset.googleapis.com".
resource "google_project_service" "positive_6" {
  for_each = local.apis_set
  service  = each.value   # each.value is the map value, i.e. the API name
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Negative: the Cloud Asset Inventory API is enabled directly with the exact
# service name, so the query does not report this file.
resource "google_project_service" "negative_1" {
  service            = "cloudasset.googleapis.com"
}
Negative test num. 2 - tf file
# Negative: for_each over an inline set that includes
# "cloudasset.googleapis.com" alongside other APIs. One of the expanded
# instances enables the inventory API, which is enough to satisfy the query.
resource "google_project_service" "negative_2" {
  for_each = toset([
    "compute.googleapis.com",
    "cloudasset.googleapis.com",
    "pubsub.googleapis.com",
  ])
  service            = each.value       # for_each over a set built with toset()
}
Negative test num. 3 - tf file
# Negative: for_each over an inline map whose values include
# "cloudasset.googleapis.com". The query has to look at the map values, not
# the keys, to find the match.
resource "google_project_service" "negative_3" {
  for_each = {
    compute   = "compute.googleapis.com"
    cloudasset = "cloudasset.googleapis.com"
  }
  service = each.value    # for_each over a map; each.value is the API name
}

Negative test num. 4 - tf file
# Negative: the exact inventory API name held in a local.
# NOTE(review): `api` is a plain string, yet the resource below feeds it to
# for_each, which Terraform only accepts as a map or a set of strings; this
# fixture is scanner input and would not pass `terraform validate` as written.
locals {
  api = "cloudasset.googleapis.com"
}

# Negative: the service name is resolved through `local.api`, which holds
# "cloudasset.googleapis.com"; the query must follow the local to accept it.
# NOTE(review): `local.api` is a string, and Terraform's for_each accepts only
# a map or a set of strings; this fixture exercises the scanner's local
# resolution but would be rejected by `terraform validate`.
resource "google_project_service" "negative_4" {
  for_each = local.api              # the "api" value from locals
  service  = each.value
}
Negative test num. 5 - tf file
# Negative: a set of API names built with toset() and held in a local;
# "cloudasset.googleapis.com" is one of its elements.
locals {
  apis_toset = toset([
    "compute.googleapis.com",
    "cloudasset.googleapis.com",
    "pubsub.googleapis.com",
  ])
}

# Negative: for_each over a set defined in locals. Resolving
# `local.apis_toset` shows "cloudasset.googleapis.com" among its elements,
# so one expanded instance enables the inventory API.
resource "google_project_service" "negative_5" {
  for_each = local.apis_toset         # the apis_toset value from locals
  service  = each.value
}
Negative test num. 6 - tf file
# Negative: a map of API names held in a local; the values include
# "cloudasset.googleapis.com".
# NOTE(review): the name says "set" but the value is a map (object); the
# resource that consumes it reads the map values via each.value.
locals {
  apis_set = {
    compute   = "compute.googleapis.com"
    cloudasset = "cloudasset.googleapis.com"
  }
}

# Negative: for_each over a map defined in locals. Resolving
# `local.apis_set` and reading its values finds "cloudasset.googleapis.com",
# so the inventory API is enabled and the query does not report this file.
resource "google_project_service" "negative_6" {
  for_each = local.apis_set         # the apis_set value from locals
  service  = each.value
}