CKV_GCP_93 false positive when using multi-key configuration #7402

@lonemeow

Describe the issue

When using multiple KMS keys for Spanner database encryption, CKV_GCP_93 check fails even when the database is properly configured with CMEK encryption.

Looking at the check implementation, it makes no effort to even try to check for the multi-key configuration.

Examples

This fails the check, even though the database is clearly configured with encryption:

resource "google_spanner_database" "multikey_pass" {
  instance = google_spanner_instance.example.name
  name     = "my-database"
  ddl = [
    "CREATE TABLE t1 (t1 INT64 NOT NULL,) PRIMARY KEY(t1)",
    "CREATE TABLE t2 (t2 INT64 NOT NULL,) PRIMARY KEY(t2)",
  ]
  deletion_protection = false
  encryption_config {
    kms_key_names = [google_kms_crypto_key.example.name]
  }
}

Version (please complete the following information):

  • 3.2.351

Additional context
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/spanner_database#nested_encryption_config
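
A sketch of a CMEK presence check that accepts either the single-key or the multi-key attribute, added here as an illustration; it is not Checkov's code and not part of the original issue. The shape of the parsed resource dict (blocks as lists of dicts, values possibly wrapped in extra lists), the function names and the sample resources are assumptions.

```python
# Added example, not Checkov's implementation. Assumed input: one parsed
# google_spanner_database resource as a dict, blocks given as lists of dicts
# and attribute values possibly wrapped in extra lists.

def _strings(value):
    """Yield every string inside a possibly nested list value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)


def spanner_db_uses_cmek(conf):
    """True if any encryption_config block names at least one KMS key."""
    blocks = conf.get("encryption_config") or []
    if isinstance(blocks, dict):
        blocks = [blocks]
    for block in blocks:
        if not isinstance(block, dict):
            continue
        # Single-key and multi-key attributes both count as CMEK.
        for attr in ("kms_key_name", "kms_key_names"):
            if any(s.strip() for s in _strings(block.get(attr))):
                return True
    return False


# Constructed sample resources (hypothetical values).
KEY = "google_kms_crypto_key.example.name"
SAMPLES = {
    "single_key": {"encryption_config": [{"kms_key_name": [KEY]}]},
    "multikey_pass": {"encryption_config": [{"kms_key_names": [[KEY]]}]},
    "multikey_two": {"encryption_config": [{"kms_key_names": [[KEY, KEY + "2"]]}]},
    "no_block": {"name": ["my-database"]},
    "empty_list": {"encryption_config": [{"kms_key_names": [[]]}]},
    "blank_key": {"encryption_config": [{"kms_key_name": [""]}]},
}


def evaluate(samples):
    """Map each sample name to PASSED or FAILED."""
    return {n: "PASSED" if spanner_db_uses_cmek(c) else "FAILED"
            for n, c in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate(SAMPLES).items():
        print(f"{name}: {result}")
```

An empty `kms_key_names` list or a blank key string still fails, so accepting the second attribute does not turn the check into a test for the mere presence of an `encryption_config` block.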

Labels: checks (Check additions or changes)
