Control: Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS
Usage
Run the control in your terminal:
powerpipe control run terraform_gcp_compliance.control.dnssec_prevent_rsasha1_zsk
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_gcp_compliance.control.dnssec_prevent_rsasha1_zsk --share
SQL
This control uses a named query:
select
  address as resource,
  case
    when (attributes_std ->> 'visibility') = 'private' then 'skip'
    when (attributes_std -> 'dnssec_config') is null
      or coalesce((attributes_std -> 'dnssec_config' ->> 'state'), '') in ('', 'off') then 'alarm'
    when (attributes_std -> 'dnssec_config' -> 'default_key_specs' ->> 'algorithm') = 'rsasha1'
      and (attributes_std -> 'dnssec_config' -> 'default_key_specs' ->> 'key_type') = 'zoneSigning' then 'alarm'
    else 'ok'
  end as status,
  split_part(address, '.', 2) || case
    when (attributes_std -> 'dnssec_config') is null then ' ''dnssec_config'' is not defined'
    when coalesce((attributes_std -> 'dnssec_config' ->> 'state'), '') = '' then ' ''dnssec_config.state'' is not defined'
    when (attributes_std ->> 'visibility') = 'private' then ' is private'
    when coalesce((attributes_std -> 'dnssec_config' ->> 'state'), '') = 'off' then ' DNSSEC not enabled'
    when (attributes_std -> 'dnssec_config' -> 'default_key_specs' ->> 'algorithm') = 'rsasha1'
      and (attributes_std -> 'dnssec_config' -> 'default_key_specs' ->> 'key_type') = 'zoneSigning' then ' using RSASHA1 algorithm for zone-signing'
    else ' not using RSASHA1 algorithm for zone-signing'
  end || '.' as reason,
  path || ':' || start_line
from
  terraform_resource
where
  type = 'google_dns_managed_zone';
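To show what the query above actually matches, here is an added Terraform example (constructed for this page; it is not part of the original page or of the terraform_gcp_compliance mod) with four google_dns_managed_zone resources, one per outcome of the control: two that alarm, one that passes, and one that is skipped. Zone names, DNS names and the network resource are placeholders.

```hcl
# Added example, not from the page or the mod. Names and DNS names are placeholders.
# Each zone maps onto one branch of the control's case expression.

# ALARM: DNSSEC is on, but the zone-signing key is RSASHA1.
# Expected reason: "weak_zsk using RSASHA1 algorithm for zone-signing."
resource "google_dns_managed_zone" "weak_zsk" {
  name     = "weak-zsk-zone"
  dns_name = "weak.example.com."

  dnssec_config {
    state = "on"

    default_key_specs {
      key_type   = "zoneSigning"
      algorithm  = "rsasha1"
      key_length = 1024
    }
  }
}

# ALARM: DNSSEC is explicitly off, so the key algorithm is never reached.
# Expected reason: "unsigned DNSSEC not enabled."
resource "google_dns_managed_zone" "unsigned" {
  name     = "unsigned-zone"
  dns_name = "unsigned.example.com."

  dnssec_config {
    state = "off"
  }
}

# OK: the same zone-signing spec with the algorithm moved to RSASHA256.
# Expected reason: "hardened not using RSASHA1 algorithm for zone-signing."
resource "google_dns_managed_zone" "hardened" {
  name     = "hardened-zone"
  dns_name = "hardened.example.com."

  dnssec_config {
    state = "on"

    default_key_specs {
      key_type   = "zoneSigning"
      algorithm  = "rsasha256"
      key_length = 1024
    }
  }
}

# SKIP: the first `when` branch excludes private zones, which Cloud DNS does not
# sign, so no dnssec_config block is declared here.
# Expected reason: "internal is private."
resource "google_compute_network" "corp" {
  name                    = "corp-network"
  auto_create_subnetworks = false
}

resource "google_dns_managed_zone" "internal" {
  name       = "internal-zone"
  dns_name   = "corp.example.internal."
  visibility = "private"

  private_visibility_config {
    networks {
      network_url = google_compute_network.corp.id
    }
  }
}
```

The alarm and ok zones each declare the zone-signing spec as a single default_key_specs block so that the query's `default_key_specs ->> 'algorithm'` lookup reads that object directly; the remediation for the first zone is the single-line change from `rsasha1` to `rsasha256` shown in the third.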