
🐛 gcp: support cross-zone instance scanning via snapshot bridge#8441

Draft
tas50 wants to merge 1 commit into main from fix/gcp-snapshot-cross-zone-clone

Conversation

tas50 (Member) commented Jun 14, 2026

Problem

GCP cross-zone instance scanning fails in the no-snapshot clone path. When the scanner runs in one zone (e.g. us-west1-a) but the target instance's boot disk lives in another (e.g. --zone us-central1-a), cloneDisk builds a compute.Disk{SourceDisk: ...} and calls Disks.Insert(projectID, zone, disk). GCP requires SourceDisk and the target disk to be in the same zone, so a direct cross-zone disk clone returns a 400. A zonal disk cannot be cloned directly across zones.

Fix — snapshot bridge

Snapshots are a global GCP resource, so a cross-zone clone can be bridged through one. cloneDisk now detects the zone mismatch (via parseDiskUrl on the source disk) and, when the source zone differs from the target zone, routes through a new cloneDiskViaSnapshot helper. The same-zone path is preserved exactly.

cloneDiskViaSnapshot does:

  1. Parse the source disk URL → srcProject, srcZone, srcDiskName.
  2. Derive a valid temporary snapshot name from the disk name (GCP rule [a-z]([-a-z0-9]{0,61}[a-z0-9])?, ≤63 chars; truncate + trim trailing hyphen). Apply sc.labels.
  3. Disks.CreateSnapshot(srcProject, srcZone, srcDiskName, &compute.Snapshot{...}) from the source disk, then wait on ZoneOperations.Get(srcProject, srcZone, op.Name) until DONE (mirrors the existing wait-loop + Operation.Error handling, factored into a shared waitForZoneOperation helper).
  4. Snapshots.Get(srcProject, snapName) → snap.SelfLink.
  5. Create the scanner disk from that snapshot in the target project/zone by reusing the existing createSnapshotDisk(snap.SelfLink, projectID, zone, diskName).
  6. Best-effort cleanup: Snapshots.Delete(srcProject, snapName) — logs a warning on failure, does not fail the clone (the scanner disk no longer needs the snapshot once created).
  7. Return the created disk URL and any error from createSnapshotDisk.

⚠️ Needs live cross-zone verification before merge

This new path calls live GCP APIs (Disks.CreateSnapshot, Snapshots.Get, Snapshots.Delete) and cannot be verified without real cross-zone GCP infrastructure, which was unavailable. This PR is intentionally a draft until someone runs an actual cross-zone snapshot scan (scanner and target instance in different zones).

The unit test only covers the pure decision logic — that a source disk in zones/us-central1-a/... with target zone us-west1-a is detected as cross-zone, and same-zone is not. The live API calls are not mocked.

New runtime IAM permissions

The scanner service account now additionally needs, at runtime:

  • compute.disks.createSnapshot
  • compute.snapshots.create
  • compute.snapshots.delete

(plus the existing compute.snapshots.get already used elsewhere)

Fixes #8416
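The pure decision logic described in steps 1 and 2 above (disk URL parsing, cross-zone detection, and deriving a snapshot name that satisfies the GCP naming rule), as an added Go example that is not part of this PR or the cnspec code base. parseDiskURL, isCrossZone and snapshotNameFor are hypothetical stand-ins for the PR's helpers, the "cnspec-tmp-" prefix and the sample disk URL are constructed, and no GCP API is called.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Tail of a zonal disk URL: .../projects/P/zones/Z/disks/N (sample URLs here are constructed)
	diskURLRe  = regexp.MustCompile(`projects/([^/]+)/zones/([^/]+)/disks/([^/]+)$`)
	badCharRe  = regexp.MustCompile(`[^a-z0-9-]`)
	snapNameRe = regexp.MustCompile(`^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$`) // GCP resource-name rule
)

// parseDiskURL splits a disk URL into project, zone and name (hypothetical stand-in for parseDiskUrl).
func parseDiskURL(u string) (project, zone, name string, err error) {
	m := diskURLRe.FindStringSubmatch(u)
	if m == nil {
		return "", "", "", fmt.Errorf("not a zonal disk URL: %q", u)
	}
	return m[1], m[2], m[3], nil
}

// isCrossZone is the pure decision the PR unit-tests: source disk zone differs from the target zone.
func isCrossZone(sourceDiskURL, targetZone string) (bool, error) {
	_, srcZone, _, err := parseDiskURL(sourceDiskURL)
	if err != nil {
		return false, err
	}
	return srcZone != targetZone, nil
}

// snapshotNameFor: lowercase, swap disallowed chars, cut to 63, trim trailing "-"; prefix is an assumption.
func snapshotNameFor(diskName string) (string, error) {
	s := "cnspec-tmp-" + badCharRe.ReplaceAllString(strings.ToLower(diskName), "-")
	if len(s) > 63 {
		s = s[:63]
	}
	s = strings.TrimRight(s, "-")
	if !snapNameRe.MatchString(s) {
		return "", fmt.Errorf("derived snapshot name %q is invalid", s)
	}
	return s, nil
}
func main() {
	cross, _ := isCrossZone("https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a/disks/web-1", "us-west1-a")
	name, _ := snapshotNameFor("web-1")
	fmt.Println(cross, name) // true cnspec-tmp-web-1
}
```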

github-actions Bot (Contributor) commented Jun 14, 2026

Test Results

11 154 tests  +1   11 147 ✅ +1   5m 14s ⏱️ -4s
   545 suites ±0        7 💤 ±0 
    40 files   ±0        0 ❌ ±0 

Results for commit cec5779. ± Comparison against base commit a92a575.

♻️ This comment has been updated with latest results.

tas50 force-pushed the fix/gcp-snapshot-cross-zone-clone branch 5 times, most recently from 5d4784a to 5e7ad70 on June 24, 2026 18:02
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tas50 force-pushed the fix/gcp-snapshot-cross-zone-clone branch from 5e7ad70 to cec5779 on June 29, 2026 17:24


Development

Successfully merging this pull request may close these issues.

cnspec scan gcp instance scanning fails with cross instance scanning

2 participants