rspec/rules/S6412/terraform/rule.adoc

When object versioning for Google Cloud Storage (GCS) buckets is enabled, different versions of an object are stored in the bucket, preventing accidental deletion. A specific version can always be deleted when the generation number of an object version is specified in the request.

Object versioning cannot be enabled on a bucket with a retention policy. A retention policy ensures that an object is retained for a specific period of time even if a request is made to delete or replace it. Thus, a retention policy locks the single current version of an object in the bucket, which differs from object versioning where different versions of an object are retained.


== Ask Yourself Whether

* The bucket stores information that require high availability.

There is a risk if you answered yes to this question.


== Recommended Secure Coding Practices

It's recommended to enable GCS bucket versioning and thus to have the possibility to retrieve and restore different versions of an object.


== Sensitive Code Example

Versioning is disabled by default:
[source,terraform]
----
resource "google_storage_bucket" "example" { # Sensitive
  name          = "example"
  location      = "US"
}
----

== Compliant Solution

Versioning is enabled:
[source,terraform]
----
resource "google_storage_bucket" "example" {
  name          = "example"
  location      = "US"

  versioning {
    enabled = "true"
  }
}
----

== See

* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://cloud.google.com/storage/docs/object-versioning?hl=en[GCP documentation] - Object Versioning
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure using an unversioned GCS bucket is safe here.


endif::env-github,rspecator-view[]