Instances should have Shielded VM VTPM enabled
Default Severity: medium
Explanation
The virtual Trusted Platform Module (vTPM) is the hardware-rooted component that Shielded VM relies on: it records Measured Boot measurements of the firmware and boot loader and is required for integrity monitoring, so that unexpected changes to the VM's boot state can be detected and reported. It also lets the guest seal keys and secrets to a known-good boot state. With the vTPM disabled, the instance loses these protections.
Possible Impact
Unable to prevent unwanted system state modification
Suggested Resolution
Enable Shielded VM vTPM by setting enable_vtpm = true in the instance's shielded_instance_config block.
Insecure Example
The following example will fail the google-compute-enable-shielded-vm-vtpm check.
resource "google_compute_instance" "bad_example" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  shielded_instance_config {
    enable_vtpm = false
  }
}
Secure Example
The following example will pass the google-compute-enable-shielded-vm-vtpm check.
resource "google_compute_instance" "good_example" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  tags = ["foo", "bar"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  shielded_instance_config {
    enable_vtpm = true
  }
}
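The two examples above show the failing and passing configurations. As an added illustration of what the check has to look for, the script below scans a Terraform plan (the JSON produced by terraform show -json) for google_compute_instance resources whose vTPM is not explicitly enabled. It is example code written for this page, not tfsec's own implementation of the rule. It assumes the standard plan JSON layout (planned_values.root_module.resources, each with a values map in which nested blocks such as shielded_instance_config appear as lists), and it makes one policy choice of its own: an instance with no shielded_instance_config block at all is reported as a finding, the conservative reading for a compliance check. The embedded plan is constructed sample data mirroring the two resources above plus one instance in a child module.

```python
"""Flag google_compute_instance resources without vTPM enabled in a Terraform plan.

Added example for the google-compute-enable-shielded-vm-vtpm rule; not tfsec's code.
Assumption: input is the JSON from `terraform show -json tfplan`.
Policy choice: a missing shielded_instance_config block counts as a finding.
"""
import json
from typing import Dict, Iterator, List, Optional

RULE_ID = "google-compute-enable-shielded-vm-vtpm"


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a plan module, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def vtpm_enabled(values: dict) -> Optional[bool]:
    """Return enable_vtpm for an instance's values map, or None if the block is absent.

    Nested blocks are serialised as lists in plan JSON, so the config is cfg[0].
    """
    cfg = values.get("shielded_instance_config") or []
    if not cfg:
        return None
    return cfg[0].get("enable_vtpm")


def check_plan(plan: dict) -> List[Dict[str, Optional[str]]]:
    """Return one finding per google_compute_instance whose vTPM is not explicitly true."""
    findings: List[Dict[str, Optional[str]]] = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "google_compute_instance":
            continue
        state = vtpm_enabled(res.get("values", {}))
        if state is True:
            continue
        reason = ("enable_vtpm is false" if state is False
                  else "shielded_instance_config block not set")
        findings.append({"rule": RULE_ID, "address": res.get("address"), "reason": reason})
    return findings


# Constructed sample plan: the bad and good examples from the rule page plus an
# instance inside a child module that omits shielded_instance_config entirely.
SAMPLE_PLAN = json.loads("""
{
  "format_version": "1.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "google_compute_instance.bad_example",
         "type": "google_compute_instance", "name": "bad_example",
         "values": {"name": "test", "machine_type": "e2-medium",
                    "shielded_instance_config": [{"enable_vtpm": false,
                                                  "enable_secure_boot": false,
                                                  "enable_integrity_monitoring": true}]}},
        {"address": "google_compute_instance.good_example",
         "type": "google_compute_instance", "name": "good_example",
         "values": {"name": "test", "machine_type": "e2-medium",
                    "shielded_instance_config": [{"enable_vtpm": true,
                                                  "enable_secure_boot": false,
                                                  "enable_integrity_monitoring": true}]}}
      ],
      "child_modules": [
        {"address": "module.workers",
         "resources": [
           {"address": "module.workers.google_compute_instance.no_config",
            "type": "google_compute_instance", "name": "no_config",
            "values": {"name": "worker", "machine_type": "e2-medium"}}
         ]}
      ]
    }
  }
}
""")


if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(f"{finding['rule']}: {finding['address']}: {finding['reason']}")
```

Run against a real plan with `terraform show -json tfplan > plan.json` and pass the parsed file to check_plan; a non-empty result should fail the pipeline step. Because the Google provider defaults enable_vtpm to true inside an explicit shielded_instance_config block, a plan will normally show the attribute populated, which is why the script distinguishes an explicit false from a block that was never declared.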