VM disks must be encrypted using customer-supplied (CSEK) or customer-managed (CMEK) keys. This ensures you retain control over key lifecycle and reduces the risk of cloud-managed keys being used to decrypt sensitive data without your authorization.
For Ansible resources using google.cloud.gcp_compute_disk (or gcp_compute_disk), the disk_encryption_key property must be defined and contain either a non-empty kms_key_name (CMEK) or a non-empty raw_key (CSEK). This rule flags disks where disk_encryption_key is missing or null, where both raw_key and kms_key_name are absent, or where either subproperty is an empty string.
Prefer using kms_key_name (a full KMS crypto key resource name, for example, projects/.../locations/.../keyRings/.../cryptoKeys/...) and avoid hardcoding raw_key in source code—store secrets in a secure secret manager.
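As an added example (not Datadog's rule engine or the google.cloud collection's own code), the conditions listed above implemented as a check over Ansible tasks that have already been parsed into Python dicts; the sample tasks are constructed inline and their shape assumes what `yaml.safe_load` returns for a playbook task list.

```python
from typing import Optional

# Module names under which the rule applies (both forms named on the page).
DISK_MODULES = ("google.cloud.gcp_compute_disk", "gcp_compute_disk")

def _usable(value) -> bool:
    """A key reference counts only if it is a non-empty string."""
    return isinstance(value, str) and value != ""

def disk_encryption_finding(task: dict) -> Optional[str]:
    """Return the reason a task violates the rule, or None if it is compliant."""
    module = next((m for m in DISK_MODULES if m in task), None)
    if module is None:
        return None  # not a gcp_compute_disk task; the rule does not apply
    args = task[module] or {}
    key = args.get("disk_encryption_key")
    if not isinstance(key, dict) or not key:
        return "disk_encryption_key is missing or null"
    for field in ("raw_key", "kms_key_name"):
        if key.get(field) == "":
            return f"{field} is an empty string"
    if not _usable(key.get("raw_key")) and not _usable(key.get("kms_key_name")):
        return "neither raw_key nor kms_key_name is set"
    return None

def audit(tasks: list) -> list:
    """Return [(task name, reason)] for every task that violates the rule."""
    findings = []
    for task in tasks:
        reason = disk_encryption_finding(task)
        if reason:
            findings.append((task.get("name", "<unnamed>"), reason))
    return findings

# Constructed sample tasks (the dicts yaml.safe_load would produce), mirroring the
# page's compliant and non-compliant cases plus a task the rule must ignore.
SAMPLE_TASKS = [
    {"name": "cmek disk", "google.cloud.gcp_compute_disk": {
        "name": "d1", "size_gb": 50, "zone": "us-central1-a",
        "disk_encryption_key": {"kms_key_name": "projects/p/locations/global/keyRings/kr/cryptoKeys/k"}}},
    {"name": "csek disk", "gcp_compute_disk": {
        "name": "d2", "size_gb": 50, "zone": "us-central1-a",
        "disk_encryption_key": {"raw_key": "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="}}},
    {"name": "no key", "google.cloud.gcp_compute_disk": {"name": "d3", "size_gb": 50}},
    {"name": "null raw_key", "google.cloud.gcp_compute_disk": {
        "name": "d4", "disk_encryption_key": {"raw_key": None}}},
    {"name": "empty kms", "google.cloud.gcp_compute_disk": {
        "name": "d5", "disk_encryption_key": {"kms_key_name": ""}}},
    {"name": "not a disk", "debug": {"msg": "hello"}},
]
```

`audit(SAMPLE_TASKS)` reports the three non-compliant tasks and stays silent on the two encrypted disks and the `debug` task.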
Secure configuration examples:

```yaml
- name: create disk with CMEK
  google.cloud.gcp_compute_disk:
    name: my-disk
    zone: us-central1-a
    size_gb: 100
    disk_encryption_key:
      kms_key_name: projects/my-project/locations/global/keyRings/my-kr/cryptoKeys/my-key
```

```yaml
- name: create disk with CSEK (raw key stored securely, not in plaintext)
  google.cloud.gcp_compute_disk:
    name: my-disk
    zone: us-central1-a
    size_gb: 100
    disk_encryption_key:
      raw_key: REDACTED_BASE64_KEY
```
Compliant Code Examples
```yaml
# this code is a correct code for which the query should not find any result
- name: create a disk
  google.cloud.gcp_compute_disk:
    name: test_object
    size_gb: 50
    disk_encryption_key:
      raw_key: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
```

```yaml
# this code is a correct code for which the query should not find any result
- name: create a disk
  google.cloud.gcp_compute_disk:
    name: test_object
    size_gb: 50
    disk_encryption_key:
      kms_key_name: disk-crypto-key
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
```
Non-Compliant Code Examples
```yaml
# this is a problematic code where the query should report a result(s)
- name: create a disk1
  google.cloud.gcp_compute_disk:
    name: test_object1
    size_gb: 50
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a disk3
  google.cloud.gcp_compute_disk:
    name: test_object3
    size_gb: 50
    disk_encryption_key:
      raw_key:
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a disk4
  google.cloud.gcp_compute_disk:
    name: test_object4
    size_gb: 50
    disk_encryption_key:
      raw_key: ""
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```

```yaml
- name: create a disk3
  google.cloud.gcp_compute_disk:
    name: test_object3
    size_gb: 50
    disk_encryption_key:
      kms_key_name:
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create a disk4
  google.cloud.gcp_compute_disk:
    name: test_object4
    size_gb: 50
    disk_encryption_key:
      kms_key_name: ""
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```
Rulesets: Ansible / GCP (rules to enforce / GCP)