Terraform

By DeepSource

Instances use default Compute Engine service account TF-S2030

Security

The default Compute Engine service account holds the Editor role on the project, which grants read and write access to most Google Cloud services. Configure each instance not to use the default Compute Engine service account. Instead, create a dedicated service account and grant it only the minimum permissions the instance needs; this limits privilege escalation from a compromised VM and keeps an attacker who controls the instance from gaining broad access to the project.

Bad practice

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
    # The project's default Compute Engine service account (Editor on the project).
    email  = "[PROJECT_NUMBER]-compute@developer.gserviceaccount.com"
  }
}

Recommended

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  service_account {
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
    # Email of a dedicated service account that holds only the roles this VM needs.
    email  = "<your-email-address>"
  }
}
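The recommendation above stops at a placeholder email. The following is an added example, not part of the DeepSource page, of creating the dedicated service account, binding narrow roles to it, and wiring it into the instance; the account id, role choices, bucket and project variables are assumptions chosen for illustration.

```hcl
variable "project_id"   { type = string }
variable "assets_bucket" { type = string } # existing bucket the VM reads from (assumed)

# Dedicated identity for this VM instead of the project's default Compute Engine account.
resource "google_service_account" "vm" {
  account_id   = "web-vm-sa"                   # placeholder name
  display_name = "Least-privilege account for the web VM"
}

# Project-level roles limited to what the logging/monitoring agents need.
resource "google_project_iam_member" "vm_log_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.vm.email}"
}

resource "google_project_iam_member" "vm_metric_writer" {
  project = var.project_id
  role    = "roles/monitoring.metricWriter"
  member  = "serviceAccount:${google_service_account.vm.email}"
}

# Storage access scoped to one bucket rather than granted across the project.
resource "google_storage_bucket_iam_member" "vm_bucket_reader" {
  bucket = var.assets_bucket
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.vm.email}"
}

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params { image = "debian-cloud/debian-11" } # assumed image
  }
  network_interface { network = "default" }

  service_account {
    # Reference the account created above; Terraform orders the creation for you.
    email  = google_service_account.vm.email
    # OAuth scopes remain a second ceiling on top of the IAM roles bound above.
    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
  }
}
```

After `terraform apply`, `gcloud compute instances describe test --zone us-central1-a --format='value(serviceAccounts[].email)'` should print the dedicated account, not the `-compute@developer.gserviceaccount.com` address.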