For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-gcp-stackdriver-monitoring-disabled.md. A documentation index is available at /llms.txt.

Stackdriver Monitoring disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-gcp-stackdriver-monitoring-disabled

Provider: GCP

Platform: Terraform

Severity: Medium

Category: Observability

Learn More

Description

Kubernetes Engine clusters must have Stackdriver Monitoring enabled by setting the monitoring_service attribute to "monitoring.googleapis.com/kubernetes" or leaving it undefined to use the default monitoring. Disabling monitoring by setting monitoring_service = "none" removes visibility into cluster performance, health, and security events, increasing the risk of undetected failures or malicious activity.

A secure configuration should include:

resource "google_container_cluster" "example" {
  name               = "secure-cluster"
  location           = "us-central1-a"
  initial_node_count = 3
  monitoring_service = "monitoring.googleapis.com/kubernetes"
}

If left unaddressed, this misconfiguration can prevent prompt detection and remediation of operational or security incidents, potentially leading to service outages or breaches.

Compliant Code Examples

#this code is a correct code for which the query should not find any result
resource "google_container_cluster" "negative1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  monitoring_service = "monitoring.googleapis.com/kubernetes"

  timeouts {
    create = "30m"
    update = "40m"
  }
}

# Monitoring service defaults to Stackdriver, so it's okay to be undefined
resource "google_container_cluster" "negative2" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  
  timeouts {
    create = "30m"
    update = "40m"
  }
}

Non-Compliant Code Examples

#this is a problematic code where the query should report a result(s)
resource "google_container_cluster" "positive1" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  monitoring_service = "none"

  timeouts {
    create = "30m"
    update = "40m"
  }
}

resource "google_container_cluster" "positive2" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  monitoring_service = "monitoring.googleapis.com"

  timeouts {
    create = "30m"
    update = "40m"
  }
}