Beta - Ensure Essential Contacts Is Configured For Organization

  • Query id: 7bd9c6a8-3b1f-495c-9752-a4a9c4e1b29f
  • Query name: Beta - Ensure Essential Contacts Is Configured For Organization
  • Platform: Terraform
  • Severity: Low
  • Category: Access Control
  • CWE: 862
  • Risk score: 1.0
  • URL: Github

Description

It is advisable to configure Essential Contacts so that Google Cloud has designated email addresses to which it can send important technical or security notifications.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
data "google_organization" "org" { # looks up the organization whose resource name is used as the contact's parent below
  organization = "123456789012"
}

resource "google_essential_contacts_contact" "positive1" { # positive: organization-level contact whose subscriptions include neither "TECHNICAL" nor "ALL" (compare the negative samples)
  parent = data.google_organization.org.name # organization-level parent, resolved through the data source above
  email  = "foo@bar.com"
  language_tag = "en-GB"

  notification_category_subscriptions = [ # no "TECHNICAL" and no "ALL" entry in this list
    "LEGAL",
    "SECURITY",
    "SUSPENSION",
  ]
}
Positive test num. 2 - tf file
data "google_organization" "org" { # looks up the organization whose resource name is used as the contact's parent below
  organization = "123456789012"
}

resource "google_essential_contacts_contact" "positive2" { # positive: organization-level contact subscribed only to "BILLING" and "PRODUCT_UPDATES", with no "TECHNICAL" or "ALL"
  parent = data.google_organization.org.name # organization-level parent, resolved through the data source above
  email  = "foo@bar.com"
  language_tag = "en-GB"

  notification_category_subscriptions = [ # no "TECHNICAL" and no "ALL" entry in this list
    "BILLING", 
    "PRODUCT_UPDATES",
  ]
}
Positive test num. 3 - tf file
resource "google_essential_contacts_contact" "positive3" { # positive: same subscription set as positive1, but the parent is given as a literal organization path instead of a data source
  parent = "organizations/123456789012" # organization-level parent as a literal resource name
  email  = "foo@bar.com"
  language_tag = "en-GB"

  notification_category_subscriptions = [ # no "TECHNICAL" and no "ALL" entry in this list
    "LEGAL",
    "SECURITY",
    "SUSPENSION",
  ]
}

Positive test num. 4 - tf file
resource "google_essential_contacts_contact" "positive4" { # positive: same subscription set as positive2, with the parent given as a literal organization path
  parent = "organizations/123456789012" # organization-level parent as a literal resource name
  email  = "foo@bar.com"
  language_tag = "en-GB"

  notification_category_subscriptions = [ # no "TECHNICAL" and no "ALL" entry in this list
    "BILLING", 
    "PRODUCT_UPDATES",
  ]
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
data "google_organization" "org" { # looks up the organization whose resource name is used as the contact's parent below
  organization = "123456789012"
}

resource "google_essential_contacts_contact" "negative1" { # negative: organization-level contact that does subscribe to "TECHNICAL" (the only difference from positive1)
  parent = data.google_organization.org.name # organization-level parent, resolved through the data source above
  email  = "foo@bar.com"
  language_tag = "en-GB"

  notification_category_subscriptions = [
    "LEGAL",
    "SECURITY",
    "SUSPENSION",
    "TECHNICAL" # the entry that makes this sample compliant
  ]
}
Negative test num. 2 - tf file
data "google_organization" "org" { # looks up the organization whose resource name is used as the contact's parent below
  organization = "123456789012"
}

resource "google_essential_contacts_contact" "negative2" { # negative: organization-level contact subscribed to "ALL" rather than an explicit category list
  parent = data.google_organization.org.name # organization-level parent, resolved through the data source above
  email  = "foo@bar.com"
  language_tag = "en-GB"

  notification_category_subscriptions = ["ALL"] # "ALL" is accepted by the check on its own; presumably it spans every category including TECHNICAL
}
Negative test num. 3 - tf file
resource "google_essential_contacts_contact" "negative3" { # negative: same subscription set as negative1, with the parent given as a literal organization path
  parent = "organizations/123456789012" # organization-level parent as a literal resource name
  email = "foo@bar.com"
  language_tag = "en-GB"
  notification_category_subscriptions = [
    "LEGAL",
    "SECURITY",
    "SUSPENSION",
    "TECHNICAL" # the entry that makes this sample compliant
  ]
}

Negative test num. 4 - tf file
resource "google_essential_contacts_contact" "negative4" { # negative: literal organization-path parent subscribed to "ALL"
  parent = "organizations/123456789012" # organization-level parent as a literal resource name
  email = "foo@bar.com"
  language_tag = "en-GB"
  notification_category_subscriptions = ["ALL"] # "ALL" is accepted by the check on its own; presumably it spans every category including TECHNICAL
}
Negative test num. 5 - tf file
resource "google_essential_contacts_contact" "negative5" { # negative: the parent is a folder, so this organization-level check does not apply to it
  parent = "folders/987654321"       # Not organization-level
  email  = "foo@bar.com"
  language_tag = "en-GB"

  notification_category_subscriptions = ["ALL"]
}
Negative test num. 6 - tf file
resource "google_essential_contacts_contact" "negative6" { # negative: "TECHNICAL" is present; the additional "BILLING" category does not affect the result
  parent = "organizations/123456789012" # organization-level parent as a literal resource name
  email = "foo@bar.com"
  language_tag = "en-GB"
  notification_category_subscriptions = [
    "LEGAL",
    "SECURITY",
    "SUSPENSION",
    "BILLING",
    "TECHNICAL" # the entry that makes this sample compliant
  ]
}
Negative test num. 7 - tf file
data "google_organization" "org" { # looks up the organization whose resource name is used as the contact's parent below
  organization = "123456789012"
}

resource "google_essential_contacts_contact" "negative7" { # negative: "ALL" is listed alongside specific categories, which the check accepts
  parent = data.google_organization.org.name # organization-level parent, resolved through the data source above
  email  = "foo@bar.com"
  language_tag = "en-GB"

  notification_category_subscriptions = [
    "LEGAL",
    "SECURITY",
    "SUSPENSION",
    "ALL" # the entry that makes this sample compliant
  ]
}