
Add Cloud Identity display_name policy #292

Open
suraj01-don wants to merge 1 commit into dev from gcp/service/cloud_identity

Conversation

@suraj01-don

Added PDE policy for GCP Cloud Identity group display_name validation.

Changes:

  • Added compliant and non-compliant Terraform examples
  • Added policy.rego
  • Added vars.rego
  • Added config.tf

@suraj01-don suraj01-don closed this Apr 5, 2026
@suraj01-don suraj01-don reopened this Apr 5, 2026
@Shani1116 Shani1116 self-assigned this Apr 20, 2026
Contributor

@Shani1116 Shani1116 left a comment

Documentation - resource_json file is missing

Only one policy is available and it does not follow the PDE policy format.

Please revise and update.

@@ -1,3 +1,9 @@
---
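Review bot: the hunk header `@@ -1,3 +1,9 @@` shows six lines added at the top of a file whose first line is `---`, which is how a YAML or Markdown front-matter file begins, so this is a docs file rather than policy.rego, vars.rego or config.tf; the Changes list in the PR description names no docs file, so the description should name this file, and the "Remove unrelated comments" request applies to the lines added here.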
Contributor

Remove unrelated comments.

Author

Okay, unrelated comments removed successfully.

@suraj01-don
Author

Hi @Shani1116,

I've updated the Cloud Identity policy to follow the PDE format, added the missing resource_json documentation, and removed the unrelated comment noise from the docs changes. The branch has been updated and the policy check is passing. Please take another look when you have a chance.

@suraj01-don suraj01-don requested a review from Shani1116 April 21, 2026 16:49
Contributor

@Shani1116 Shani1116 left a comment

Not a completed PR. Please close this if you are not done with writing all policies.

If you need feedback from seniors, please share your branch name in the students chat without raising a PR.

@suraj01-don
Author

Hi @Shani1116,

I've finished the Cloud Identity display_name policy! Here's what I did:

✅ Created the policy using the PDE format with conditions array and message rules
✅ Added compliant (c.tf) and non-compliant (nc.tf) test cases
✅ Removed all the unrelated documentation noise that got added by mistake
✅ Policy check is passing

The policy now correctly validates that Cloud Identity Groups have the required display_name attribute and generates proper violation messages.

Ready for your review whenever you get a chance. Thanks!
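For readers who want to see what a check of this kind looks like in Rego, here is an added example. It is editor-supplied, not the policy.rego from this PR, and it is not written in the repository's PDE format (the reviewers refer to that format, but the page does not show it). It assumes the input is the JSON that `terraform show -json plan` produces, and its package path mirrors the query path the CI log evaluates (`data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name.message`). The two planned resources in `sample_plan` (`c` and `nc`) are constructed sample data, as are the parent and label values.

```rego
# Added example policy (not the PR's policy.rego, not the PDE format).
# Package path matches the query the CI log evaluates.
package terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name

import rego.v1

resource_type := "google_cloud_identity_group"

# Resources of the checked type that will exist after apply (deletes are skipped).
groups contains rc if {
    some rc in input.resource_changes
    rc.type == resource_type
    not is_removed(rc)
}

is_removed(rc) if "delete" in rc.change.actions

# display_name counts as set only when it is a non-blank string.
has_display_name(after) if {
    is_string(after.display_name)
    trim_space(after.display_name) != ""
}

# Terraform resource names (e.g. "nc") of groups lacking a display name.
non_compliant contains rc.name if {
    some rc in groups
    not has_display_name(rc.change.after)
}

# Three-part violation message in the shape the CI harness prints.
# Undefined (no output) when every group is compliant.
message := [
    "Situation 1: Cloud Identity Group is missing a display name.",
    sprintf("Non-Compliant Resources: %s", [concat(", ", sort(non_compliant))]),
    "Potential Remedies: Set display_name on the google_cloud_identity_group resource.",
] if {
    count(non_compliant) > 0
}

# Constructed sample plan: "c" is compliant, "nc" omits display_name.
# Parent and labels values are placeholders. Run with: opa test policy.rego
sample_plan := {"resource_changes": [
    {
        "type": "google_cloud_identity_group",
        "name": "c",
        "change": {"actions": ["create"], "after": {
            "display_name": "Security Engineering",
            "parent": "customers/C00example",
            "labels": {"cloudidentity.googleapis.com/groups.discussion_forum": ""},
        }},
    },
    {
        "type": "google_cloud_identity_group",
        "name": "nc",
        "change": {"actions": ["create"], "after": {
            "parent": "customers/C00example",
            "labels": {"cloudidentity.googleapis.com/groups.discussion_forum": ""},
        }},
    },
]}

test_only_nc_is_reported if {
    non_compliant == {"nc"} with input as sample_plan
    message[1] == "Non-Compliant Resources: nc" with input as sample_plan
}

test_no_message_when_all_compliant if {
    compliant_only := {"resource_changes": [sample_plan.resource_changes[0]]}
    not message with input as compliant_only
}
```

A harness like the one in the CI log evaluates the `message` rule against the plan JSON and expects only `nc` to be named, which is why the compliant `c` resource going unmentioned is "ignored" rather than failed. The last CI run on this page also shows a constraint on the fixtures themselves: the non-compliant nc.tf must still be valid Terraform, because when it dropped the provider-required `labels` argument, `terraform plan` exited with an error and no plan JSON ever reached the policy. A non-compliant example should omit only the attribute under test.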

@Shani1116
Contributor

Still not following the correct policy format. Please reach out to a senior or rewatch the upskilling - policy writing videos and resubmit with the correct format.

@github-actions

github-actions Bot commented May 3, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name.message
Total Cloud Identity Group detected: 2 
['Situation 1: Cloud Identity Group is missing a display name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set display_name on the google_cloud_identity_group resource.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_identity
  Resource: google_cloud_identity_group
    Policy: display_name - ✅


@suraj01-don suraj01-don force-pushed the gcp/service/cloud_identity branch from b95b343 to a429a49 on May 3, 2026 06:09
@github-actions

🔍 Documentation Check Failed

Status: ❌ CHECKS FAILED

⚠️ Your PR does not include documentation updates:

❌ No documentation changes found - please update docs for your assigned service

Please add or update documentation in the docs/gcp/ folder for your changes before this PR can be reviewed.

@github-actions github-actions Bot added the CI-Review-Required label (PR requires review due to failed CI checks) May 12, 2026
@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

 No matching policy dir for: inputs/gcp/cloud_data_fusion/data_fusion_instance_iam_policy/project
 No matching policy dir for: inputs/gcp/cloud_data_fusion/data_fusion_instance_iam_binding/project
OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.event_publish_config_enabled.message
Total Data Fusion Instance detected: 2 
['Situation 1: Cloud Data Fusion Event Publishing is disabled/misconfigured.', 'Non-Compliant Resources: nc', "Potential Remedies: Please ensure 'enabled' is set to true"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.enable_rbac.message
Total Data Fusion Instance detected: 2 
['Situation 1: Granular Role-Based Access Control (RBAC) is disabled on the Data Fusion instance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'enable_rbac' attribute to true to allow for granular user permissions"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.dataproc_service_account.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is utilising a blacklisted default Google service account', 'Non-Compliant Resources: nc', 'Potential Remedies: Please replace the default compute service account with a custom, least-privileged IAM service account']
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.enable_stackdriver_logging.message
Total Data Fusion Instance detected: 2 
['Situation 1: Stackdriver Logging is disabled on the Data Fusion instance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'enable_stackdriver_logging' attribute to true in your configuration"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.event_publish_config_topic.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Pub/Sub topic for Data Fusion events is invalid or is pointing to an unapproved project', 'Non-Compliant Resources: nc', "Potential Remedies: Ensure the topic follows the format: projects/{project_id}/topics/{topic_id}, The project must be 'hardhat-prod' and the topic must be 'certain-topic'"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.type.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is using an unapproved instance type (e.g., ENTERPRISE).', 'Non-Compliant Resources: nc', "Potential Remedies: Change the 'type' attribute to 'BASIC' or 'DEVELOPER' in your terraform configuration., Verify the cost implications before requesting an exemption for ENTERPRISE types."]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.private_instance.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is not configured as a private instance', 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'private_instance' attribute to true, Please ensure that a network_config block is provided to handle the private peering/PSC."]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.enable_stackdriver_monitoring.message
Total Data Fusion Instance detected: 2 
['Situation 1: Stackdriver Monitoring is disabled on the Data Fusion instance', 'Non-Compliant Resources: nc', "Potential Remedies: Please set the 'enable_stackdriver_monitoring' attribute to true in your configuration to ensure performance metrics are captured"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_policy.policy_data.message
Total Data Fusion Instance IAM Policy detected: 2 
['Situation 1: The authoritative policy data contains public access identifiers', 'Non-Compliant Resources: nc', "Potential Remedies: Please remove 'allUsers' or 'allAuthenticatedUsers' from the google_iam_policy data source."]
Unique resource names in plan (google_data_fusion_instance_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_member.member.message
Total Data Fusion Instance IAM member detected: 2 
['Situation 1: Data Fusion access is being granted to the public.', 'Non-Compliant Resources: nc', "Potential Remedies: Ensure to remove 'allUsers' or 'allAuthenticatedUsers' and use a specific corporate email."]
Unique resource names in plan (google_data_fusion_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_member.region.message
Total Data Fusion Instance IAM member detected: 2 
['Situation 1: IAM configuration is targeting an unauthorized region', 'Non-Compliant Resources: nc', "Potential Remedies: Please ensure the region attribute is set to 'australia-southeast1'"]
Unique resource names in plan (google_data_fusion_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_member.role.message
Total Data Fusion Instance IAM member detected: 2 
['Situation 1: A high-privilege administrative role is being assigned.', 'Non-Compliant Resources: nc', "Potential Remedies: Downgrade the role to 'roles/datafusion.viewer' or a specific Data Fusion user role"]
Unique resource names in plan (google_data_fusion_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_binding.members.message
Total Data Fusion Instance IAM Binding detected: 2 
['Situation 1: Public access detected in an IAM binding list', 'Non-Compliant Resources: nc', "Potential Remedies: Please remove 'allUsers' or 'allAuthenticatedUsers' from the members array."]
Unique resource names in plan (google_data_fusion_instance_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_binding.role.message
Total Data Fusion Instance IAM Binding detected: 2 
['Situation 1: An authoritative IAM binding is granting administrative power', 'Non-Compliant Resources: nc', "Potential Remedies: Use a more restrictive role such as 'roles/datafusion.viewer' or 'roles/datafusion.editor'."]
Unique resource names in plan (google_data_fusion_instance_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.connection_type.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is using an unapproved connection type', 'Non-Compliant Resources: nc', "Potential Remedies: Ensure to set 'connection_type' within the 'network_config' block, Choose either 'VPC_PEERING' or 'PRIVATE_SERVICE_CONNECT_INTERFACES'"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.key_reference.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is not using an approved Hardhat KMS encryption key/the resource path is malformed', 'Non-Compliant Resources: nc', "Potential Remedies: Please Ensure the key_reference follows the format: projects/{project}/locations/{location}/keyRings/{ring}/cryptoKeys/{key}, The key must be located in 'hardhat-prod' within 'australia-southeast1' using the 'hardhat-ring'"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_data_fusion
  Resource: data_fusion_instance
    Policy: event_publish_config_enabled - ✅
    Policy: enable_rbac - ✅
    Policy: dataproc_service_account - ✅
    Policy: enable_stackdriver_logging - ✅
    Policy: event_publish_config_topic - ✅
    Policy: type - ✅
    Policy: private_instance - ✅
    Policy: enable_stackdriver_monitoring - ✅
  Resource: data_fusion_instance_iam_binding
    Policy: members - ✅
    Policy: role - ✅
  Resource: data_fusion_instance_iam_member
    Policy: member - ✅
    Policy: region - ✅
    Policy: role - ✅
  Resource: data_fusion_instance_iam_policy
    Policy: policy_data - ✅

Service: data_fusion_instance
  Resource: crypto_key_config
    Policy: key_reference - ✅
  Resource: network_config
    Policy: connection_type - ✅


OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name.message
Total Cloud Identity Group detected: 2 
['Situation 1: Cloud Identity Group is missing a display name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set display_name on the google_cloud_identity_group resource.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_identity
  Resource: google_cloud_identity_group
    Policy: display_name - ✅


OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_topic_iam_binding.no_public_principals.message
Total Pub/Sub Topic IAM Binding detected: 2 
['Situation 1: Pub/Sub Topic IAM Binding grants access to public principals (allUsers or allAuthenticatedUsers).', 'Non-Compliant Resources: nc', "Potential Remedies: Remove 'allUsers' and 'allAuthenticatedUsers' from the members list., Use specific service accounts, groups, or user identities instead., Apply the principle of least privilege — only grant access to known, authenticated identities."]
Unique resource names in plan (google_pubsub_topic_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_topic.kms_key_name.message
Total Pub/Sub Topic detected: 2 
['Situation 1: Pub/Sub Topic does not have a customer-managed encryption key (CMEK) configured.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'kms_key_name' to a valid Cloud KMS CryptoKey resource name., Ensure the Pub/Sub service account has 'roles/cloudkms.cryptoKeyEncrypterDecrypter' on the key., Use format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey}"]
Unique resource names in plan (google_pubsub_topic): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_schema.type.message
Total Pub/Sub Schema detected: 2 
['Situation 1: Pub/Sub Schema type is unspecified or not set to an explicit format.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'type' to 'PROTOCOL_BUFFER' or 'AVRO' to enforce message structure validation., Avoid leaving type as 'TYPE_UNSPECIFIED' — this disables schema enforcement., Schema enforcement prevents malformed messages from being published to the topic."]
Unique resource names in plan (google_pubsub_schema): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_subscription.enable_exactly_once_delivery.message
Total Pub/Sub Subscription detected: 2 
['Situation 1: Pub/Sub Subscription does not have exactly-once delivery enabled.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'enable_exactly_once_delivery' to true on the subscription., Exactly-once delivery prevents duplicate message processing and ensures data integrity., Review downstream consumers to ensure they support exactly-once semantics."]
Unique resource names in plan (google_pubsub_subscription): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_subscription_iam_binding.no_public_principals.message
Total Pub/Sub Subscription IAM Binding detected: 2 
['Situation 1: Pub/Sub Subscription IAM Binding grants access to public principals (allUsers or allAuthenticatedUsers).', 'Non-Compliant Resources: nc', "Potential Remedies: Remove 'allUsers' and 'allAuthenticatedUsers' from the members list., Use specific service accounts, groups, or user identities instead., Apply the principle of least privilege — only authenticated identities should be able to pull or acknowledge messages."]
Unique resource names in plan (google_pubsub_subscription_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_pub_sub
  Resource: google_pubsub_schema
    Policy: type - ✅
  Resource: google_pubsub_subscription
    Policy: enable_exactly_once_delivery - ✅
  Resource: google_pubsub_subscription_iam_binding
    Policy: no_public_principals - ✅
  Resource: google_pubsub_topic
    Policy: kms_key_name - ✅
  Resource: google_pubsub_topic_iam_binding
    Policy: no_public_principals - ✅


@github-actions github-actions Bot added the CI-Approved label (PR approved by CI checks) and removed the CI-Review-Required label (PR requires review due to failed CI checks) May 12, 2026
@suraj01-don suraj01-don force-pushed the gcp/service/cloud_identity branch from 94b3fa4 to 66218d2 on May 12, 2026 15:59
@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

 No matching policy dir for: inputs/gcp/cloud_data_fusion/data_fusion_instance_iam_policy/project
 No matching policy dir for: inputs/gcp/cloud_data_fusion/data_fusion_instance_iam_binding/project
OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.event_publish_config_enabled.message
Total Data Fusion Instance detected: 2 
['Situation 1: Cloud Data Fusion Event Publishing is disabled/misconfigured.', 'Non-Compliant Resources: nc', "Potential Remedies: Please ensure 'enabled' is set to true"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.enable_rbac.message
Total Data Fusion Instance detected: 2 
['Situation 1: Granular Role-Based Access Control (RBAC) is disabled on the Data Fusion instance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'enable_rbac' attribute to true to allow for granular user permissions"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.dataproc_service_account.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is utilising a blacklisted default Google service account', 'Non-Compliant Resources: nc', 'Potential Remedies: Please replace the default compute service account with a custom, least-privileged IAM service account']
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.enable_stackdriver_logging.message
Total Data Fusion Instance detected: 2 
['Situation 1: Stackdriver Logging is disabled on the Data Fusion instance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'enable_stackdriver_logging' attribute to true in your configuration"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.event_publish_config_topic.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Pub/Sub topic for Data Fusion events is invalid or is pointing to an unapproved project', 'Non-Compliant Resources: nc', "Potential Remedies: Ensure the topic follows the format: projects/{project_id}/topics/{topic_id}, The project must be 'hardhat-prod' and the topic must be 'certain-topic'"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.type.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is using an unapproved instance type (e.g., ENTERPRISE).', 'Non-Compliant Resources: nc', "Potential Remedies: Change the 'type' attribute to 'BASIC' or 'DEVELOPER' in your terraform configuration., Verify the cost implications before requesting an exemption for ENTERPRISE types."]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.private_instance.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is not configured as a private instance', 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'private_instance' attribute to true, Please ensure that a network_config block is provided to handle the private peering/PSC."]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.enable_stackdriver_monitoring.message
Total Data Fusion Instance detected: 2 
['Situation 1: Stackdriver Monitoring is disabled on the Data Fusion instance', 'Non-Compliant Resources: nc', "Potential Remedies: Please set the 'enable_stackdriver_monitoring' attribute to true in your configuration to ensure performance metrics are captured"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_policy.policy_data.message
Total Data Fusion Instance IAM Policy detected: 2 
['Situation 1: The authoritative policy data contains public access identifiers', 'Non-Compliant Resources: nc', "Potential Remedies: Please remove 'allUsers' or 'allAuthenticatedUsers' from the google_iam_policy data source."]
Unique resource names in plan (google_data_fusion_instance_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_member.member.message
Total Data Fusion Instance IAM member detected: 2 
['Situation 1: Data Fusion access is being granted to the public.', 'Non-Compliant Resources: nc', "Potential Remedies: Ensure to remove 'allUsers' or 'allAuthenticatedUsers' and use a specific corporate email."]
Unique resource names in plan (google_data_fusion_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_member.region.message
Total Data Fusion Instance IAM member detected: 2 
['Situation 1: IAM configuration is targeting an unauthorized region', 'Non-Compliant Resources: nc', "Potential Remedies: Please ensure the region attribute is set to 'australia-southeast1'"]
Unique resource names in plan (google_data_fusion_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_member.role.message
Total Data Fusion Instance IAM member detected: 2 
['Situation 1: A high-privilege administrative role is being assigned.', 'Non-Compliant Resources: nc', "Potential Remedies: Downgrade the role to 'roles/datafusion.viewer' or a specific Data Fusion user role"]
Unique resource names in plan (google_data_fusion_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_binding.members.message
Total Data Fusion Instance IAM Binding detected: 2 
['Situation 1: Public access detected in an IAM binding list', 'Non-Compliant Resources: nc', "Potential Remedies: Please remove 'allUsers' or 'allAuthenticatedUsers' from the members array."]
Unique resource names in plan (google_data_fusion_instance_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_binding.role.message
Total Data Fusion Instance IAM Binding detected: 2 
['Situation 1: An authoritative IAM binding is granting administrative power', 'Non-Compliant Resources: nc', "Potential Remedies: Use a more restrictive role such as 'roles/datafusion.viewer' or 'roles/datafusion.editor'."]
Unique resource names in plan (google_data_fusion_instance_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.connection_type.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is using an unapproved connection type', 'Non-Compliant Resources: nc', "Potential Remedies: Ensure to set 'connection_type' within the 'network_config' block, Choose either 'VPC_PEERING' or 'PRIVATE_SERVICE_CONNECT_INTERFACES'"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.key_reference.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is not using an approved Hardhat KMS encryption key/the resource path is malformed', 'Non-Compliant Resources: nc', "Potential Remedies: Please Ensure the key_reference follows the format: projects/{project}/locations/{location}/keyRings/{ring}/cryptoKeys/{key}, The key must be located in 'hardhat-prod' within 'australia-southeast1' using the 'hardhat-ring'"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_data_fusion
  Resource: data_fusion_instance
    Policy: event_publish_config_enabled - ✅
    Policy: enable_rbac - ✅
    Policy: dataproc_service_account - ✅
    Policy: enable_stackdriver_logging - ✅
    Policy: event_publish_config_topic - ✅
    Policy: type - ✅
    Policy: private_instance - ✅
    Policy: enable_stackdriver_monitoring - ✅
  Resource: data_fusion_instance_iam_binding
    Policy: members - ✅
    Policy: role - ✅
  Resource: data_fusion_instance_iam_member
    Policy: member - ✅
    Policy: region - ✅
    Policy: role - ✅
  Resource: data_fusion_instance_iam_policy
    Policy: policy_data - ✅

Service: data_fusion_instance
  Resource: crypto_key_config
    Policy: key_reference - ✅
  Resource: network_config
    Policy: connection_type - ✅


OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name.message
Total Cloud Identity Group detected: 2 
['Situation 1: Cloud Identity Group is missing a display name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set display_name on the google_cloud_identity_group resource.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

❌ Command failed: terraform plan -refresh=false -lock=false -input=false -out=plan
--- stdout ---
::error::Terraform exited with code 1.

--- stderr ---
╷
│ Error: Missing required argument
│ 
│   on nc.tf line 1, in resource "google_cloud_identity_group" "nc":
│    1: resource "google_cloud_identity_group" "nc" {
│ 
│ The argument "labels" is required, but no definition was found.
╵


Summary of policy checks:
Service: cloud_identity
  Resource: google_cloud_identity_group
    Policy: display_name - ✅
    Policy: labels - ❌


Failures:
Service: cloud_identity | Resource: google_cloud_identity_group | Policy: labels
Terraform failed to compile!


OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_topic_iam_binding.no_public_principals.message
Total Pub/Sub Topic IAM Binding detected: 2 
['Situation 1: Pub/Sub Topic IAM Binding grants access to public principals (allUsers or allAuthenticatedUsers).', 'Non-Compliant Resources: nc', "Potential Remedies: Remove 'allUsers' and 'allAuthenticatedUsers' from the members list., Use specific service accounts, groups, or user identities instead., Apply the principle of least privilege — only grant access to known, authenticated identities."]
Unique resource names in plan (google_pubsub_topic_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_topic.kms_key_name.message
Total Pub/Sub Topic detected: 2 
['Situation 1: Pub/Sub Topic does not have a customer-managed encryption key (CMEK) configured.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'kms_key_name' to a valid Cloud KMS CryptoKey resource name., Ensure the Pub/Sub service account has 'roles/cloudkms.cryptoKeyEncrypterDecrypter' on the key., Use format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey}"]
Unique resource names in plan (google_pubsub_topic): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_schema.type.message
Total Pub/Sub Schema detected: 2 
['Situation 1: Pub/Sub Schema type is unspecified or not set to an explicit format.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'type' to 'PROTOCOL_BUFFER' or 'AVRO' to enforce message structure validation., Avoid leaving type as 'TYPE_UNSPECIFIED' — this disables schema enforcement., Schema enforcement prevents malformed messages from being published to the topic."]
Unique resource names in plan (google_pubsub_schema): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_subscription.enable_exactly_once_delivery.message
Total Pub/Sub Subscription detected: 2 
['Situation 1: Pub/Sub Subscription does not have exactly-once delivery enabled.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'enable_exactly_once_delivery' to true on the subscription., Exactly-once delivery prevents duplicate message processing and ensures data integrity., Review downstream consumers to ensure they support exactly-once semantics."]
Unique resource names in plan (google_pubsub_subscription): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_subscription_iam_binding.no_public_principals.message
Total Pub/Sub Subscription IAM Binding detected: 2 
['Situation 1: Pub/Sub Subscription IAM Binding grants access to public principals (allUsers or allAuthenticatedUsers).', 'Non-Compliant Resources: nc', "Potential Remedies: Remove 'allUsers' and 'allAuthenticatedUsers' from the members list., Use specific service accounts, groups, or user identities instead., Apply the principle of least privilege — only authenticated identities should be able to pull or acknowledge messages."]
Unique resource names in plan (google_pubsub_subscription_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_pub_sub
  Resource: google_pubsub_schema
    Policy: type - ✅
  Resource: google_pubsub_subscription
    Policy: enable_exactly_once_delivery - ✅
  Resource: google_pubsub_subscription_iam_binding
    Policy: no_public_principals - ✅
  Resource: google_pubsub_topic
    Policy: kms_key_name - ✅
  Resource: google_pubsub_topic_iam_binding
    Policy: no_public_principals - ✅


@github-actions github-actions Bot added CI-Review-Required PR requires review due to failed CI checks and removed CI-Approved PR approved by CI checks labels May 12, 2026
@suraj01-don suraj01-don force-pushed the gcp/service/cloud_identity branch from 66218d2 to 10e8e98 Compare May 12, 2026 16:13
@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

 No matching policy dir for: inputs/gcp/cloud_data_fusion/data_fusion_instance_iam_policy/project
 No matching policy dir for: inputs/gcp/cloud_data_fusion/data_fusion_instance_iam_binding/project
OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.event_publish_config_enabled.message
Total Data Fusion Instance detected: 2 
['Situation 1: Cloud Data Fusion Event Publishing is disabled/misconfigured.', 'Non-Compliant Resources: nc', "Potential Remedies: Please ensure 'enabled' is set to true"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.enable_rbac.message
Total Data Fusion Instance detected: 2 
['Situation 1: Granular Role-Based Access Control (RBAC) is disabled on the Data Fusion instance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'enable_rbac' attribute to true to allow for granular user permissions"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.dataproc_service_account.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is utilising a blacklisted default Google service account', 'Non-Compliant Resources: nc', 'Potential Remedies: Please replace the default compute service account with a custom, least-privileged IAM service account']
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.enable_stackdriver_logging.message
Total Data Fusion Instance detected: 2 
['Situation 1: Stackdriver Logging is disabled on the Data Fusion instance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'enable_stackdriver_logging' attribute to true in your configuration"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.event_publish_config_topic.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Pub/Sub topic for Data Fusion events is invalid or is pointing to an unapproved project', 'Non-Compliant Resources: nc', "Potential Remedies: Ensure the topic follows the format: projects/{project_id}/topics/{topic_id}, The project must be 'hardhat-prod' and the topic must be 'certain-topic'"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.type.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is using an unapproved instance type (e.g., ENTERPRISE).', 'Non-Compliant Resources: nc', "Potential Remedies: Change the 'type' attribute to 'BASIC' or 'DEVELOPER' in your terraform configuration., Verify the cost implications before requesting an exemption for ENTERPRISE types."]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.private_instance.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is not configured as a private instance', 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'private_instance' attribute to true, Please ensure that a network_config block is provided to handle the private peering/PSC."]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.enable_stackdriver_monitoring.message
Total Data Fusion Instance detected: 2 
['Situation 1: Stackdriver Monitoring is disabled on the Data Fusion instance', 'Non-Compliant Resources: nc', "Potential Remedies: Please set the 'enable_stackdriver_monitoring' attribute to true in your configuration to ensure performance metrics are captured"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_policy.policy_data.message
Total Data Fusion Instance IAM Policy detected: 2 
['Situation 1: The authoritative policy data contains public access identifiers', 'Non-Compliant Resources: nc', "Potential Remedies: Please remove 'allUsers' or 'allAuthenticatedUsers' from the google_iam_policy data source."]
Unique resource names in plan (google_data_fusion_instance_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_member.member.message
Total Data Fusion Instance IAM member detected: 2 
['Situation 1: Data Fusion access is being granted to the public.', 'Non-Compliant Resources: nc', "Potential Remedies: Ensure to remove 'allUsers' or 'allAuthenticatedUsers' and use a specific corporate email."]
Unique resource names in plan (google_data_fusion_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_member.region.message
Total Data Fusion Instance IAM member detected: 2 
['Situation 1: IAM configuration is targeting an unauthorized region', 'Non-Compliant Resources: nc', "Potential Remedies: Please ensure the region attribute is set to 'australia-southeast1'"]
Unique resource names in plan (google_data_fusion_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_member.role.message
Total Data Fusion Instance IAM member detected: 2 
['Situation 1: A high-privilege administrative role is being assigned.', 'Non-Compliant Resources: nc', "Potential Remedies: Downgrade the role to 'roles/datafusion.viewer' or a specific Data Fusion user role"]
Unique resource names in plan (google_data_fusion_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_binding.members.message
Total Data Fusion Instance IAM Binding detected: 2 
['Situation 1: Public access detected in an IAM binding list', 'Non-Compliant Resources: nc', "Potential Remedies: Please remove 'allUsers' or 'allAuthenticatedUsers' from the members array."]
Unique resource names in plan (google_data_fusion_instance_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance_iam_binding.role.message
Total Data Fusion Instance IAM Binding detected: 2 
['Situation 1: An authoritative IAM binding is granting administrative power', 'Non-Compliant Resources: nc', "Potential Remedies: Use a more restrictive role such as 'roles/datafusion.viewer' or 'roles/datafusion.editor'."]
Unique resource names in plan (google_data_fusion_instance_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.connection_type.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is using an unapproved connection type', 'Non-Compliant Resources: nc', "Potential Remedies: Ensure to set 'connection_type' within the 'network_config' block, Choose either 'VPC_PEERING' or 'PRIVATE_SERVICE_CONNECT_INTERFACES'"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_data_fusion.data_fusion_instance.key_reference.message
Total Data Fusion Instance detected: 2 
['Situation 1: The Data Fusion instance is not using an approved Hardhat KMS encryption key/the resource path is malformed', 'Non-Compliant Resources: nc', "Potential Remedies: Please Ensure the key_reference follows the format: projects/{project}/locations/{location}/keyRings/{ring}/cryptoKeys/{key}, The key must be located in 'hardhat-prod' within 'australia-southeast1' using the 'hardhat-ring'"]
Unique resource names in plan (google_data_fusion_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_data_fusion
  Resource: data_fusion_instance
    Policy: event_publish_config_enabled - ✅
    Policy: enable_rbac - ✅
    Policy: dataproc_service_account - ✅
    Policy: enable_stackdriver_logging - ✅
    Policy: event_publish_config_topic - ✅
    Policy: type - ✅
    Policy: private_instance - ✅
    Policy: enable_stackdriver_monitoring - ✅
  Resource: data_fusion_instance_iam_binding
    Policy: members - ✅
    Policy: role - ✅
  Resource: data_fusion_instance_iam_member
    Policy: member - ✅
    Policy: region - ✅
    Policy: role - ✅
  Resource: data_fusion_instance_iam_policy
    Policy: policy_data - ✅

Service: data_fusion_instance
  Resource: crypto_key_config
    Policy: key_reference - ✅
  Resource: network_config
    Policy: connection_type - ✅


OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name.message
Total Cloud Identity Group detected: 2 
['Situation 1: Cloud Identity Group is missing a display name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set display_name on the google_cloud_identity_group resource.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

❌ Command failed: terraform plan -refresh=false -lock=false -input=false -out=plan
--- stdout ---
::error::Terraform exited with code 1.

--- stderr ---
╷
│ Error: Missing required argument
│ 
│   on nc.tf line 1, in resource "google_cloud_identity_group" "nc":
│    1: resource "google_cloud_identity_group" "nc" {
│ 
│ The argument "labels" is required, but no definition was found.
╵


Summary of policy checks:
Service: cloud_identity
  Resource: google_cloud_identity_group
    Policy: display_name - ✅
    Policy: labels - ❌


Failures:
Service: cloud_identity | Resource: google_cloud_identity_group | Policy: labels
Terraform failed to compile!


OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_topic_iam_binding.no_public_principals.message
Total Pub/Sub Topic IAM Binding detected: 2 
['Situation 1: Pub/Sub Topic IAM Binding grants access to public principals (allUsers or allAuthenticatedUsers).', 'Non-Compliant Resources: nc', "Potential Remedies: Remove 'allUsers' and 'allAuthenticatedUsers' from the members list., Use specific service accounts, groups, or user identities instead., Apply the principle of least privilege — only grant access to known, authenticated identities."]
Unique resource names in plan (google_pubsub_topic_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_topic.kms_key_name.message
Total Pub/Sub Topic detected: 2 
['Situation 1: Pub/Sub Topic does not have a customer-managed encryption key (CMEK) configured.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'kms_key_name' to a valid Cloud KMS CryptoKey resource name., Ensure the Pub/Sub service account has 'roles/cloudkms.cryptoKeyEncrypterDecrypter' on the key., Use format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey}"]
Unique resource names in plan (google_pubsub_topic): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_schema.type.message
Total Pub/Sub Schema detected: 2 
['Situation 1: Pub/Sub Schema type is unspecified or not set to an explicit format.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'type' to 'PROTOCOL_BUFFER' or 'AVRO' to enforce message structure validation., Avoid leaving type as 'TYPE_UNSPECIFIED' — this disables schema enforcement., Schema enforcement prevents malformed messages from being published to the topic."]
Unique resource names in plan (google_pubsub_schema): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_subscription.enable_exactly_once_delivery.message
Total Pub/Sub Subscription detected: 2 
['Situation 1: Pub/Sub Subscription does not have exactly-once delivery enabled.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'enable_exactly_once_delivery' to true on the subscription., Exactly-once delivery prevents duplicate message processing and ensures data integrity., Review downstream consumers to ensure they support exactly-once semantics."]
Unique resource names in plan (google_pubsub_subscription): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_pub_sub.google_pubsub_subscription_iam_binding.no_public_principals.message
Total Pub/Sub Subscription IAM Binding detected: 2 
['Situation 1: Pub/Sub Subscription IAM Binding grants access to public principals (allUsers or allAuthenticatedUsers).', 'Non-Compliant Resources: nc', "Potential Remedies: Remove 'allUsers' and 'allAuthenticatedUsers' from the members list., Use specific service accounts, groups, or user identities instead., Apply the principle of least privilege — only authenticated identities should be able to pull or acknowledge messages."]
Unique resource names in plan (google_pubsub_subscription_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_pub_sub
  Resource: google_pubsub_schema
    Policy: type - ✅
  Resource: google_pubsub_subscription
    Policy: enable_exactly_once_delivery - ✅
  Resource: google_pubsub_subscription_iam_binding
    Policy: no_public_principals - ✅
  Resource: google_pubsub_topic
    Policy: kms_key_name - ✅
  Resource: google_pubsub_topic_iam_binding
    Policy: no_public_principals - ✅


@suraj01-don suraj01-don force-pushed the gcp/service/cloud_identity branch from 10e8e98 to 8f27dfe Compare May 12, 2026 16:25
@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name.message
Total Cloud Identity Group detected: 2 
['Situation 1: Cloud Identity Group is missing a display name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set display_name on the google_cloud_identity_group resource.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

❌ Command failed: terraform plan -refresh=false -lock=false -input=false -out=plan
--- stdout ---
::error::Terraform exited with code 1.

--- stderr ---
╷
│ Error: Missing required argument
│ 
│   on nc.tf line 1, in resource "google_cloud_identity_group" "nc":
│    1: resource "google_cloud_identity_group" "nc" {
│ 
│ The argument "labels" is required, but no definition was found.
╵


Summary of policy checks:
Service: cloud_identity
  Resource: google_cloud_identity_group
    Policy: display_name - ✅
    Policy: labels - ❌


Failures:
Service: cloud_identity | Resource: google_cloud_identity_group | Policy: labels
Terraform failed to compile!


@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name.message
Total Cloud Identity Group detected: 2 
['Situation 1: Cloud Identity Group is missing a display name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set display_name on the google_cloud_identity_group resource.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.labels.message
Total Cloud Identity Group detected: 2 
["Situation 1: Cloud Identity Group must define the 'cloudidentity.googleapis.com/groups.discussion_forum' label with an empty value.", 'Non-Compliant Resources: nc', 'Potential Remedies: Set labels["cloudidentity.googleapis.com/groups.discussion_forum"] to an empty string.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_identity
  Resource: google_cloud_identity_group
    Policy: display_name - ✅
    Policy: labels - ✅


@github-actions github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 12, 2026
@suraj01-don
Author

Update: Cloud Identity Policy Work Completed

All requested Cloud Identity updates are now completed, and the PR checks are passing.

What was implemented

  1. Policy: display_name required

    • Added policy to flag google_cloud_identity_group resources where display_name is missing or empty.
    • Files:
      • policies/gcp/cloud_identity/google_cloud_identity_group/display_name/policy.rego
      • inputs/gcp/cloud_identity/google_cloud_identity_group/display_name/c.tf
      • inputs/gcp/cloud_identity/google_cloud_identity_group/display_name/nc.tf
      • inputs/gcp/cloud_identity/google_cloud_identity_group/display_name/config.tf
  2. New policy: required Cloud Identity group label format

    • Added policy to enforce:
      • labels["cloudidentity.googleapis.com/groups.discussion_forum"] == ""
    • Files:
      • policies/gcp/cloud_identity/google_cloud_identity_group/labels/policy.rego
      • inputs/gcp/cloud_identity/google_cloud_identity_group/labels/c.tf
      • inputs/gcp/cloud_identity/google_cloud_identity_group/labels/nc.tf
      • inputs/gcp/cloud_identity/google_cloud_identity_group/labels/config.tf
  3. Shared vars for Cloud Identity group policies

    • Added:
      • policies/gcp/cloud_identity/google_cloud_identity_group/vars.rego
  4. Documentation update

    • Updated Cloud Identity docs with policy details, rationale, and compliant/non-compliant examples:
      • docs/gcp/Cloud_Identity/cloud_identity_group.md

CI/Validation notes

  • Resolved failing PR checks by fixing the labels negative test case to keep Terraform valid while still policy-noncompliant.
  • Confirmed targeted local checks pass for both:
    • display_name
    • labels
  • Removed/avoided unintended artifacts and kept the PR focused on the Cloud Identity scope.

Current status: PR checks are passing and ready for review/merge.
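The two checks described in the comment above (display_name present and non-blank; the discussion_forum label present with an empty value), re-implemented as an added Python example over `terraform show -json plan` output rather than the repository's own Rego policies. The sample plan, its resource names and the `customers/CUSTOMER_ID_PLACEHOLDER` parent are constructed; the non-compliant group keeps a labels block so Terraform still validates, which is the same shape as the fixed negative test case.

```python
"""Stand-alone re-implementation of the Cloud Identity group checks over Terraform plan JSON.

This is an added example, not the PDE repository's Rego. It reads the "resource_changes"
list that `terraform show -json plan` emits and prints messages in the same three-element
shape the CI output above shows (Situation / Non-Compliant Resources / Potential Remedies).
"""
import json

RESOURCE_TYPE = "google_cloud_identity_group"
FORUM_LABEL = "cloudidentity.googleapis.com/groups.discussion_forum"

# Constructed sample plan (not a real plan): "c" is compliant, "nc" is Terraform-valid
# (the provider requires a labels block) but fails both checks because display_name is
# blank and the discussion_forum label is absent, and "gone" is being destroyed so it
# has no planned "after" state. The parent value is a placeholder.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": f"{RESOURCE_TYPE}.c", "type": RESOURCE_TYPE, "name": "c",
         "change": {"actions": ["create"], "after": {
             "display_name": "Security Reviewers",
             "labels": {FORUM_LABEL: ""},
             "parent": "customers/CUSTOMER_ID_PLACEHOLDER"}}},
        {"address": f"{RESOURCE_TYPE}.nc", "type": RESOURCE_TYPE, "name": "nc",
         "change": {"actions": ["create"], "after": {
             "display_name": "",
             "labels": {"cloudidentity.googleapis.com/groups.security": ""},
             "parent": "customers/CUSTOMER_ID_PLACEHOLDER"}}},
        {"address": f"{RESOURCE_TYPE}.gone", "type": RESOURCE_TYPE, "name": "gone",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "google_pubsub_topic.other", "type": "google_pubsub_topic",
         "name": "other", "change": {"actions": ["create"], "after": {"name": "other"}}},
    ],
})


def planned_groups(plan):
    """Yield (name, after_state) for every Cloud Identity group that will exist after apply."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        after = rc.get("change", {}).get("after")
        if after is None:  # resource is being destroyed: nothing to validate
            continue
        yield rc["name"], after


def display_name_violations(plan):
    """Names of groups whose display_name is absent, null, or only whitespace."""
    return sorted(name for name, after in planned_groups(plan)
                  if not (after.get("display_name") or "").strip())


def labels_violations(plan):
    """Names of groups that lack the discussion_forum label or give it a non-empty value."""
    # A missing "labels" map and a missing key both yield None, which is != "".
    return sorted(name for name, after in planned_groups(plan)
                  if (after.get("labels") or {}).get(FORUM_LABEL) != "")


def format_message(situation, offenders, remedies):
    """Build the three-element message list used by the CI output; empty when compliant."""
    if not offenders:
        return []
    return [f"Situation 1: {situation}",
            "Non-Compliant Resources: " + ", ".join(offenders),
            "Potential Remedies: " + ", ".join(remedies)]


def check_display_name(plan):
    return format_message("Cloud Identity Group is missing a display name.",
                          display_name_violations(plan),
                          ["Set display_name on the google_cloud_identity_group resource."])


def check_labels(plan):
    return format_message(
        f"Cloud Identity Group must define the '{FORUM_LABEL}' label with an empty value.",
        labels_violations(plan),
        [f'Set labels["{FORUM_LABEL}"] to an empty string.'])


def run_checks(plan_json):
    """Parse plan JSON and return every policy message; an empty list means fully compliant."""
    plan = json.loads(plan_json)
    return check_display_name(plan) + check_labels(plan)


if __name__ == "__main__":
    for line in run_checks(SAMPLE_PLAN_JSON) or ["Check passed"]:
        print(line)
```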

@suraj01-don suraj01-don requested a review from Shani1116 May 12, 2026 16:40
@github-actions github-actions Bot added CI-Review-Required PR requires review due to failed CI checks and removed CI-Approved PR approved by CI checks labels May 20, 2026
@github-actions

🔍 File Validation Failed

Status: ❌ VALIDATION FAILED

⚠️ Your PR contains changes outside of allowed folders:

❌ Service PRs can only modify files in: inputs/gcp/, policies/gcp/, and docs/gcp/
Invalid changes found:

  • templates/IAM_template/{resource}_iam_binding/no_primitive_or_public/policy.rego
  • templates/IAM_template/{resource}_iam_member/no_primitive_or_public/policy.rego
  • templates/IAM_template/{resource}_iam_policy/no_primitive_or_public/policy.rego
  • templates/location_template/by_location/policy.rego
  • templates/location_template/by_region/policy.rego
  • templates/location_template/by_zone/policy.rego
  • .github/workflows/policy_check_ALL.yaml
  • .github/workflows/policy_check_PR.yaml
  • .gitignore
  • scripts/auto_test/workflow_orchestrator.py
  • scripts/docgen_v2/lib/cli.py
  • scripts/docgen_v2/lib/orchestrator.py
  • scripts/docgen_v2/lib/parser.py
  • scripts/docgen_v2/lib/repository_manager.py
  • scripts/docgen_v2/lib/resource_file_manager.py
  • scripts/docgen_v2/lib/schema_extractor.py

Service PRs can only modify files in:

  • inputs/ - Service input configurations
  • policies/ - OPA/Rego policy files
  • docs/ - Service documentation

@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_routine.endpoint.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid endpoint', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid endpoint']
Unique resource names in plan (google_bigquery_routine): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_routine.data_governance_type.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid data_governance_type', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid data_governance_type']
Unique resource names in plan (google_bigquery_routine): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_routine.security_mode.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid security_mode', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid security_mode']
Unique resource names in plan (google_bigquery_routine): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_routine.connections.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid connections', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid connections']
Unique resource names in plan (google_bigquery_routine): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_connection.kms_key_name.message
Total BigQuery Connection detected: 2 
['Situation 1: kms_key_name is not set, leaving BigQuery Connection data unencrypted at rest', 'Non-Compliant Resources: nc', 'Potential Remedies: Set kms_key_name to a valid Cloud KMS key']
Unique resource names in plan (google_bigquery_connection): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_connection.cloud_sql_password.message
Total BigQuery Connection detected: 2 
["Situation 1: cloud_sql credential password is set to a common weak value (e.g. 'password', '123456', 'admin'), which allows trivial unauthorised access to the Cloud SQL database", 'Non-Compliant Resources: nc', "Potential Remedies: Set cloud_sql.credential.password to a strong unique value of at least 12 characters, Avoid common weak passwords such as 'password', '123456', 'admin', 'root'"]
Unique resource names in plan (google_bigquery_connection): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_connection.cloud_sql_username.message
Total BigQuery Connection detected: 2 
["Situation 1: cloud_sql credential username is set to a default or shared account name (e.g. 'root', 'admin'), which violates the principle of least privilege and increases blast radius if compromised", 'Non-Compliant Resources: nc', "Potential Remedies: Set cloud_sql.credential.username to a dedicated service account name, not a default like 'root' or 'admin', Use a least-privilege username scoped to only the operations BigQuery needs"]
Unique resource names in plan (google_bigquery_connection): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset_access.group_by_email.message
Total BigQuery Dataset Access detected: 2 
['Situation 1: Incorrect group_by_email', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to valid email']
Unique resource names in plan (google_bigquery_dataset_access): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset_access.role.message
Total BigQuery Dataset Access detected: 2 
['Situation 1: Incorrect role', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to OWNER']
Unique resource names in plan (google_bigquery_dataset_access): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset_access.domain.message
Total BigQuery Dataset Access detected: 2 
['Situation 1: Incorrect domain', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to valid domain']
Unique resource names in plan (google_bigquery_dataset_access): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset_access.user_by_email.message
Total BigQuery Dataset Access detected: 2 
['Situation 1: Incorrect user_by_email', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to valid email']
Unique resource names in plan (google_bigquery_dataset_access): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset_access.special_group.message
Total BigQuery Dataset Access detected: 2 
['Situation 1: Incorrect special_group', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to correct special_group']
Unique resource names in plan (google_bigquery_dataset_access): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset.group_by_email.message
Total BigQuery Dataset detected: 2 
['Situation 1: Incorrect Email', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to valid email address']
Unique resource names in plan (google_bigquery_dataset): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset.location.message
Total BigQuery Dataset detected: 2 
['Situation 1: Incorrect location', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to australia-southeast1']
Unique resource names in plan (google_bigquery_dataset): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset.kms_key_name.message
Total BigQuery Dataset detected: 2 
['Situation 1: Incorrect key', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to valid key name']
Unique resource names in plan (google_bigquery_dataset): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset.domain.message
Total BigQuery Dataset detected: 2 
['Situation 1: Incorrect domain', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to example.com']
Unique resource names in plan (google_bigquery_dataset): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset.user_by_email.message
Total BigQuery Dataset detected: 2 
['Situation 1: Incorrect Email', 'Non-Compliant Resources: nc', 'Potential Remedies: Change to valid email address']
Unique resource names in plan (google_bigquery_dataset): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_job.value.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid value', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid value']
Unique resource names in plan (google_bigquery_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_job.source_uris.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid source_uris', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid source_uris']
Unique resource names in plan (google_bigquery_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_job.location.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid location', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid location']
Unique resource names in plan (google_bigquery_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_job.max_bad_records.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid max_bad_records', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid max_bad_records']
Unique resource names in plan (google_bigquery_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_job.maximum_bytes_billed.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid maximum_bytes_billed', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid maximum_bytes_billed']
Unique resource names in plan (google_bigquery_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_job.key.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid key', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid key']
Unique resource names in plan (google_bigquery_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_table.connection_id.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid connection_id', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid connection_id']
Unique resource names in plan (google_bigquery_table): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_table.deletion_protection.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid deletion_protection', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid deletion_protection']
Unique resource names in plan (google_bigquery_table): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_table.kms_key_name.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid kms_key_name', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid kms_key_name']
Unique resource names in plan (google_bigquery_table): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_table.require_partition_filter.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid require_partition_filter', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid require_partition_filter']
Unique resource names in plan (google_bigquery_table): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_table.expiration_time.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid expiration_time', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid expiration_time']
Unique resource names in plan (google_bigquery_table): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset_iam_policy.role.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: allUsers detected', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove access from allUsers']
Unique resource names in plan (google_bigquery_dataset_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_dataset_iam_policy.members.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: allUsers detected', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove access from allUsers']
Unique resource names in plan (google_bigquery_dataset_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_table_iam.role.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid role', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid role']
Unique resource names in plan (google_bigquery_table_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_table_iam.members.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid members', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid members']
Unique resource names in plan (google_bigquery_table_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_row_access_policy.filter_predicate.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid filter_predicate', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid filter_predicate']
Unique resource names in plan (google_bigquery_row_access_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_row_access_policy.table_id.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid table_id', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid table_id']
Unique resource names in plan (google_bigquery_row_access_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.BigQuery.google_bigquery_row_access_policy.grantees.message
Total BigQuery Dataset IAM Policy detected: 2 
['Situation 1: Check for valid grantees', 'Non-Compliant Resources: nc', 'Potential Remedies: Add valid grantees']
Unique resource names in plan (google_bigquery_row_access_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: BigQuery
  Resource: google_bigquery_connection
    Policy: kms_key_name - ✅
    Policy: cloud_sql_password - ✅
    Policy: cloud_sql_username - ✅
  Resource: google_bigquery_dataset
    Policy: group_by_email - ✅
    Policy: location - ✅
    Policy: kms_key_name - ✅
    Policy: domain - ✅
    Policy: user_by_email - ✅
  Resource: google_bigquery_dataset_access
    Policy: group_by_email - ✅
    Policy: role - ✅
    Policy: domain - ✅
    Policy: user_by_email - ✅
    Policy: special_group - ✅
  Resource: google_bigquery_dataset_iam_policy
    Policy: role - ✅
    Policy: members - ✅
  Resource: google_bigquery_job
    Policy: value - ✅
    Policy: source_uris - ✅
    Policy: location - ✅
    Policy: max_bad_records - ✅
    Policy: maximum_bytes_billed - ✅
    Policy: key - ✅
  Resource: google_bigquery_routine
    Policy: endpoint - ✅
    Policy: data_governance_type - ✅
    Policy: security_mode - ✅
    Policy: connections - ✅
  Resource: google_bigquery_row_access_policy
    Policy: filter_predicate - ✅
    Policy: table_id - ✅
    Policy: grantees - ✅
  Resource: google_bigquery_table
    Policy: connection_id - ✅
    Policy: deletion_protection - ✅
    Policy: kms_key_name - ✅
    Policy: require_partition_filter - ✅
    Policy: expiration_time - ✅
  Resource: google_bigquery_table_iam
    Policy: role - ✅
    Policy: members - ✅


OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.resource.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as dry-run resources.', 'Non-Compliant Resources: nc', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.perimeter_name.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure the dry-run resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: nc', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.resource.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as resources to the perimeter.', 'Non-Compliant Resources: nc', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.perimeter_name.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure the resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: nc', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.resource.message
Total ingress_policy detected: 2 
['Situation 1: Ensure only whitelisted project resources are associated with the ingress policy.', 'Non-Compliant Resources: nc', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.ingress_policy_name.message
Total ingress_policy detected: 2 
['Situation 1: Ensure the ingress policy is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: nc', "Potential Remedies: Update ingress_policy_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: require_screen_lock - ✅
    Policy: region - ✅
    Policy: require_admin_approval - ✅
    Policy: require_corp_owned - ✅
    Policy: allowed_encryption_statuses - ✅
    Policy: os_type - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: allowed_device_management_levels - ✅
    Policy: required_access_levels - ✅
    Policy: require_screen_lock - ✅
    Policy: region - ✅
    Policy: require_admin_approval - ✅
    Policy: require_corp_owned - ✅
    Policy: allowed_encryption_statuses - ✅
    Policy: os_type - ✅
    Policy: ip_subnetworks - ✅
    Policy: negate - ✅
    Policy: members - ✅
    Policy: minimum_version - ✅
  Resource: google_access_context_manager_access_levels
    Policy: allowed_device_management_levels - ✅
    Policy: required_access_levels - ✅
    Policy: require_screen_lock - ✅
    Policy: region - ✅
    Policy: require_admin_approval - ✅
    Policy: require_corp_owned - ✅
    Policy: os_type - ✅
    Policy: ip_subnetworks - ✅
    Policy: negate - ✅
    Policy: members - ✅
    Policy: minimum_version - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ✅
    Policy: ingress_policy_name - ✅
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ✅
    Policy: perimeter_name - ✅
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ✅
    Policy: perimeter_name - ✅


OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository_iam_member.member.message
Total Artifact Registry Repository IAM Member detected: 2 
['Situation 1: IAM member allows overly permissive access with allUsers or allAuthenticatedUsers', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove allUsers and allAuthenticatedUsers, Use specific user accounts, service accounts, or groups instead, Apply principle of least privilege']
Unique resource names in plan (google_artifact_registry_repository_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository_iam_member.role.message
Total Artifact Registry Repository IAM Member detected: 2 
['Situation 1: Artifact Registry Repository IAM member must not grant overly broad roles like Owner/Editor', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove roles/owner, roles/editor, or other administrative roles from role attribute, Use Artifact Registry specific roles like roles/artifactregistry.reader, roles/artifactregistry.writer, or roles/artifactregistry.admin']
Unique resource names in plan (google_artifact_registry_repository_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository.approved_cmek_keys.message
Total Artifact Registry Repository detected: 2 
['Situation 1: Artifact Registry repositories that use CMEK should reference only approved Cloud KMS keys from authorized projects, regions, key rings, and crypto keys.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set kms_key_name to a valid CMEK path: projects/my-project/locations/australia-southeast1/keyRings/kr/cryptoKeys/key, Use format: projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}']
Unique resource names in plan (google_artifact_registry_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository.maven_snapshot_overwrite_disallowed.message
Total Artifact Registry Repository detected: 2 
['Situation 1: Maven repositories should not allow snapshot overwrites because re-publishing the same snapshot can weaken artifact integrity and make builds less reproducible.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set maven_config.allow_snapshot_overwrites to false., Use immutable publishing practices for Maven snapshot artifacts.']
Unique resource names in plan (google_artifact_registry_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository.docker_immutable_tags.message
Total Artifact Registry Repository detected: 2 
['Situation 1: Docker repositories should enable immutable tags to prevent tags from being modified, moved, or deleted after publication.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set docker_config.immutable_tags to true for Docker repositories.']
Unique resource names in plan (google_artifact_registry_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository.cleanup_policy_guardrails.message
Total Artifact Registry Repository detected: 2 
['Situation 1: Cleanup policy dry run should be enabled so automated deletion rules can be reviewed safely before artifacts are removed.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set cleanup_policy_dry_run to true., Review cleanup policy behavior before allowing actual deletions.']
['Situation 2: Cleanup delete policies should not target tagged artifacts because tagged versions are usually intended to represent retained or promoted artifacts.', 'Non-Compliant Resources: nc', 'Potential Remedies: Do not use DELETE cleanup policies for TAGGED artifacts., Restrict deletion rules to UNTAGGED or carefully scoped artifact versions.']
['Situation 3: Keep cleanup policies should retain a minimum number of recent versions to reduce the risk of deleting important rollback or recovery artifacts.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use KEEP policies with most_recent_versions.keep_count of at least 3., Increase the retained version count for critical repositories if needed.']
Unique resource names in plan (google_artifact_registry_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository.remote_upstream_validation_required.message
Total Artifact Registry Repository detected: 2 
['Situation 1: Remote repositories should always validate their upstream source and credentials to reduce trust and supply-chain risks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Do not set remote_repository_config.disable_upstream_validation to true., Allow upstream validation so remote source settings and credentials are checked.']
Unique resource names in plan (google_artifact_registry_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository.approved_remote_upstreams.message
Total Artifact Registry Repository detected: 2 
['Situation 1: Remote repositories should use only approved upstream sources to reduce supply-chain and trust risks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved upstream Artifact Registry repositories or approved external registry URIs., Update the remote upstream URI to an allowed value.']
Unique resource names in plan (google_artifact_registry_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository.approved_locations.message
Total Artifact Registry Repository detected: 2 
['Situation 1: Artifact Registry VPC SC configuration is being applied in an unapproved location.', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the location to an approved region.']
Unique resource names in plan (google_artifact_registry_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository.virtual_upstream_priority_range.message
Total Artifact Registry Repository detected: 2 
['Situation 1: Virtual repositories should assign upstream priorities within an approved range to keep upstream resolution predictable and controlled.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set upstream priority to an approved numeric range., Review virtual_repository_config.upstream_policies.priority.']
Unique resource names in plan (google_artifact_registry_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository.vulnerability_scanning_enabled.message
Total Artifact Registry Repository detected: 2 
['Situation 1: Artifact Registry repositories should not have vulnerability scanning explicitly disabled, as this reduces visibility into known package and image vulnerabilities.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set vulnerability_scanning_config.enablement_config to INHERITED., Do not set vulnerability scanning to DISABLED unless there is an approved exception.']
Unique resource names in plan (google_artifact_registry_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_vpcsc_config.location.message
Total GCP Artfact Registry VPCSC Config detected: 2 
['Situation 1: Artifact Registry VPC SC configuration is being applied in an unapproved location.', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the location to an approved region.']
Unique resource names in plan (google_artifact_registry_vpcsc_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_vpcsc_config.vpcsc_policy.message
Total GCP Artfact Registry VPCSC Config detected: 2 
['Situation 1: Artifact Registry VPC Service Controls policy is not set to DENY, reducing protection against data exfiltration from the registry.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set vpcsc_policy to DENY.']
Unique resource names in plan (google_artifact_registry_vpcsc_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository_iam_policy.policy_data.message
Total Artifact Registry Repository IAM Policy detected: 2 
['Situation 1: Artifact Registry IAM policy must not grant overly broad roles like Owner/Editor', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove roles/owner, roles/editor, or other administrative roles from policy_data, Use Artifact Registry specific roles like roles/artifactregistry.reader, roles/artifactregistry.writer, or roles/artifactregistry.admin']
Unique resource names in plan (google_artifact_registry_repository_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository_iam_binding.role.message
Total Artifact Registry Repository IAM Binding detected: 2 
['Situation 1: Artifact Registry Repository IAM binding must not grant overly broad roles like Owner/Editor', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove roles/owner, roles/editor, or other administrative roles from role attribute, Use Artifact Registry specific roles like roles/artifactregistry.reader, roles/artifactregistry.writer, or roles/artifactregistry.admin']
Unique resource names in plan (google_artifact_registry_repository_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.artifact_registry.google_artifact_registry_repository_iam_binding.members.message
Total Artifact Registry Repository IAM Binding detected: 2 
['Situation 1: IAM binding allows overly permissive access with allUsers or allAuthenticatedUsers', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove allUsers and allAuthenticatedUsers from members list']
Unique resource names in plan (google_artifact_registry_repository_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: artifact_registry
  Resource: google_artifact_registry_repository
    Policy: approved_cmek_keys - ✅
    Policy: maven_snapshot_overwrite_disallowed - ✅
    Policy: docker_immutable_tags - ✅
    Policy: cleanup_policy_guardrails - ✅
    Policy: remote_upstream_validation_required - ✅
    Policy: approved_remote_upstreams - ✅
    Policy: approved_locations - ✅
    Policy: virtual_upstream_priority_range - ✅
    Policy: vulnerability_scanning_enabled - ✅
  Resource: google_artifact_registry_repository_iam_binding
    Policy: role - ✅
    Policy: members - ✅
  Resource: google_artifact_registry_repository_iam_member
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_artifact_registry_repository_iam_policy
    Policy: policy_data - ✅
  Resource: google_artifact_registry_vpcsc_config
    Policy: location - ✅
    Policy: vpcsc_policy - ✅


OPA check: data.terraform.gcp.security.assured_workloads.google_assured_workloads_workload.data_logs_viewer.message
Total GCP Assured Workloads Workload detected: 2 
['Situation 1: Data logs viewer is not enabled for the partner workload', 'Non-Compliant Resources: nc', 'Potential Remedies: Set partner_permissions.data_logs_viewer to true to allow partner to view inspectability logs']
Unique resource names in plan (google_assured_workloads_workload): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.assured_workloads.google_assured_workloads_workload.service_access_approver.message
Total GCP Assured Workloads Workload detected: 2 
['Situation 1: Service access approver is not enabled for the partner workload', 'Non-Compliant Resources: nc', 'Potential Remedies: Set partner_permissions.service_access_approver to true to allow partner to view access approval logs']
Unique resource names in plan (google_assured_workloads_workload): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.assured_workloads.google_assured_workloads_workload.location.message
Total GCP Assured Workloads Workload detected: 2 
['Situation 1: Workload is not deployed in an approved Australian region', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to an approved AU region such as australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_assured_workloads_workload): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.assured_workloads.google_assured_workloads_workload.kms_settings.message
Total GCP Assured Workloads Workload detected: 2 
['Situation 1: KMS key rotation period exceeds 90 days', 'Non-Compliant Resources: nc', 'Potential Remedies: Set kms_settings.rotation_period to 7776000 (90 days) or less to ensure regular key rotation']
Unique resource names in plan (google_assured_workloads_workload): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.assured_workloads.google_assured_workloads_workload.violation_notifications_enabled.message
Total GCP Assured Workloads Workload detected: 2 
['Situation 1: Violation notifications are disabled on the workload', 'Non-Compliant Resources: nc', 'Potential Remedies: Set violation_notifications_enabled to true to receive alerts when compliance violations occur']
Unique resource names in plan (google_assured_workloads_workload): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.assured_workloads.google_assured_workloads_workload.assured_workloads_monitoring.message
Total GCP Assured Workloads Workload detected: 2 
['Situation 1: Assured Workloads monitoring is not enabled for partner workload', 'Non-Compliant Resources: nc', 'Potential Remedies: Set partner_permissions.assured_workloads_monitoring to true to enable compliance monitoring']
Unique resource names in plan (google_assured_workloads_workload): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.assured_workloads.google_assured_workloads_workload.enable_sovereign_controls.message
Total GCP Assured Workloads Workload detected: 2 
['Situation 1: Sovereign controls are not enabled on the workload', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enable_sovereign_controls to true for workloads requiring data sovereignty']
Unique resource names in plan (google_assured_workloads_workload): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.assured_workloads.google_assured_workloads_workload.compliance_regime.message
Total GCP Assured Workloads Workload detected: 2 
['Situation 1: Workload is not using an approved compliance regime', 'Non-Compliant Resources: nc', 'Potential Remedies: Set compliance_regime to an approved value such as FEDRAMP_MODERATE, FEDRAMP_HIGH, IL4, IL5, or ITAR']
Unique resource names in plan (google_assured_workloads_workload): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: assured_workloads
  Resource: google_assured_workloads_workload
    Policy: data_logs_viewer - ✅
    Policy: service_access_approver - ✅
    Policy: location - ✅
    Policy: kms_settings - ✅
    Policy: violation_notifications_enabled - ✅
    Policy: assured_workloads_monitoring - ✅
    Policy: enable_sovereign_controls - ✅
    Policy: compliance_regime - ✅


OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
["Situation 1: CA Pool maximum certificate lifetime must not be set to an excessively long duration. '999999999s' (~31.7 years) far exceeds the recommended maximum of '315360000s' (10 years) and unnecessarily extends exposure if a certificate is compromised.", 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.maximum_lifetime to a value no greater than '315360000s' (87600h / 10 years)., Shorter lifetimes reduce the window of exposure if a certificate or its issuing CA is compromised."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: allowed_key_types - ✅
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: maximum_lifetime - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: publish_crl - ✅
    Policy: tier - ✅
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate.approved_certificate_scope.message
Total certificate detected: 2 
["Situation 1: When a certificate uses a non-approved scope, it may be served or used outside the organisation's intended certificate deployment boundary.", 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_certificate): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate.self_managed_private_key.message
Total certificate detected: 2 
['Situation 1: When the PEM private key is directly defined in Terraform, self-managed certificates may reveal critical key information.', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove the private key from the Terraform configuration and store/manage it using a secure secret management process.']
Unique resource names in plan (google_certificate_manager_certificate): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate.approved_issuance_config.message
Total certificate detected: 2 
['Situation 1: When a certificate uses a non-approved issuance config, it may be issued from an unapproved certificate authority configuration and weaken certificate governance.', 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_certificate): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate.approved_certificate_location.message
Total certificate detected: 2 
["Situation 1: When a certificate is created outside an approved location, certificate deployment may not align with the organisation's certificate management and governance requirements.", 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_certificate): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate_map_entry.approved_hostname.message
Total certificate map entry detected: 2 
['Situation 1: When a certificate map entry uses a non-approved hostname, it may attach certificates to hostnames outside the approved organisation domain list.', 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_certificate_map_entry): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate_map_entry.approved_matcher.message
Total certificate map entry detected: 2 
['Situation 1: When a certificate map entry uses a non-approved matcher value, certificate map routing may not follow the expected matching configuration.', 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_certificate_map_entry): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate_map_entry.approved_environment_label.message
Total certificate map entry detected: 2 
['Situation 1: When a certificate map entry does not use an approved environment label, it may be harder to identify which environment the certificate routing configuration belongs to.', 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_certificate_map_entry): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate_issuance_config.allowed_key_algorithm.message
Total certificate issuance config detected: 2 
["Situation 1: When a certificate issuance config uses a non-approved key algorithm, the generated private key may not align with the organisation's certificate security standard.", 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved key algorithm for certificate issuance configuration.']
Unique resource names in plan (google_certificate_manager_certificate_issuance_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate_issuance_config.approved_ca_pool.message
Total certificate issuance config detected: 2 
["Situation 1: When a certificate issuance config uses a non-approved CA pool, certificates may be issued by an authority that does not meet the organisation's certificate governance requirements.", 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_certificate_issuance_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate_issuance_config.approved_certificate_lifetime.message
Total certificate issuance config detected: 2 
["Situation 1: When a certificate issuance config uses a non-approved certificate lifetime, certificates may remain valid for longer than the organisation's intended security standard.", 'Non-Compliant Resources: nc', 'Potential Remedies: Use the approved certificate lifetime for certificate issuance configuration.']
Unique resource names in plan (google_certificate_manager_certificate_issuance_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate_issuance_config.approved_rotation_window_percentage.message
Total certificate issuance config detected: 2 
["Situation 1: When a certificate issuance config uses a non-approved rotation window percentage, certificate renewal timing may not align with the organisation's certificate lifecycle standard.", 'Non-Compliant Resources: nc', 'Potential Remedies: Use the approved rotation window percentage for certificate issuance configuration.']
Unique resource names in plan (google_certificate_manager_certificate_issuance_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_dns_authorization.approved_domain.message
Total DNS authorization detected: 2 
["Situation 1: When a DNS authorization uses a non-approved domain, certificates may be authorised for domains outside the organisation's controlled domain list.", 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_dns_authorization): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_dns_authorization.allowed_authorization_type.message
Total DNS authorization detected: 2 
['Situation 1: When a DNS authorization uses a non-approved authorization type, certificate validation records may be managed in a way that does not align with project-level separation requirements.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use the approved DNS authorization type for Certificate Manager DNS authorization resources.']
Unique resource names in plan (google_certificate_manager_dns_authorization): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_trust_config.no_allowlisted_certificates.message
Total trust config detected: 2 
['Situation 1: When a Certificate Manager trust config defines allowlisted certificates, those certificates may be treated as trusted exceptions during certificate validation.', 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_trust_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_trust_config.approved_location.message
Total trust config detected: 2 
['Situation 1: When a Certificate Manager trust config is created outside the approved location, trust configuration for mutual TLS may be deployed in an unapproved region.', 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_trust_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_manager.google_certificate_manager_certificate_map.approved_environment_label.message
Total certificate map detected: 2 
['Situation 1: When a certificate map does not use an approved environment label, it may be harder to identify which environment the map belongs to and apply the correct certificate governance controls.', 'Non-Compliant Resources: nc']
Unique resource names in plan (google_certificate_manager_certificate_map): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_manager
  Resource: google_certificate_manager_certificate
    Policy: approved_certificate_scope - ✅
    Policy: self_managed_private_key - ✅
    Policy: approved_issuance_config - ✅
    Policy: approved_certificate_location - ✅
  Resource: google_certificate_manager_certificate_issuance_config
    Policy: allowed_key_algorithm - ✅
    Policy: approved_ca_pool - ✅
    Policy: approved_certificate_lifetime - ✅
    Policy: approved_rotation_window_percentage - ✅
  Resource: google_certificate_manager_certificate_map
    Policy: approved_environment_label - ✅
  Resource: google_certificate_manager_certificate_map_entry
    Policy: approved_hostname - ✅
    Policy: approved_matcher - ✅
    Policy: approved_environment_label - ✅
  Resource: google_certificate_manager_dns_authorization
    Policy: approved_domain - ✅
    Policy: allowed_authorization_type - ✅
  Resource: google_certificate_manager_trust_config
    Policy: no_allowlisted_certificates - ✅
    Policy: approved_location - ✅


OPA check: data.terraform.gcp.security.cloud_dns.google_dns_record_set.ttl.message
Total Cloud DNS Record Set detected: 2 
['Situation 1: The DNS record set TTL is too low. A TTL below 300 seconds increases the risk of DNS cache poisoning attacks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set ttl to at least 300 seconds in the google_dns_record_set resource., A higher TTL reduces DNS query frequency and improves security., Consult Google Cloud DNS documentation for recommended TTL values.']
Unique resource names in plan (google_dns_record_set): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_dns.google_dns_policy.forwarding_path.message
Total Cloud DNS Policy detected: 2 
['Situation 1: The DNS policy forwarding path is not set to private. When set to default, Cloud DNS may forward queries to the public internet for non-RFC1918 addresses, exposing internal DNS queries to external name servers.', 'Non-Compliant Resources: nc', "Potential Remedies: Set forwarding_path to 'private' in the target_name_servers block., Using private forwarding ensures all DNS queries are routed through the VPC regardless of IP address range., Consult Google Cloud DNS documentation for forwarding path configuration."]
Unique resource names in plan (google_dns_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_dns.google_dns_policy.enable_logging.message
Total Cloud DNS Policy detected: 2 
['Situation 1: DNS logging is not enabled for this policy. Without logging, DNS queries cannot be audited or monitored for security threats.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enable_logging to true in the google_dns_policy resource., Consult Google Cloud DNS documentation for enabling DNS query logging.']
Unique resource names in plan (google_dns_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_dns.google_dns_managed_zone_iam_policy.role.message
Total Cloud DNS Managed Zone IAM Policy detected: 2 
['Situation 1: The IAM role assigned is not in the allowed list. Overly permissive roles like owner or editor must not be granted on DNS managed zones.', 'Non-Compliant Resources: nc', "Potential Remedies: Use only approved roles that follow the 'roles/dns.*' pattern., Remove overly permissive roles like 'roles/owner' or 'roles/editor'., Consult Google Cloud DNS IAM documentation for recommended roles."]
Unique resource names in plan (google_dns_managed_zone_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_dns.google_dns_managed_zone.visibility.message
Total Cloud DNS Managed Zone detected: 2 
['Situation 1: The DNS managed zone visibility is not in the allowed list. Public zones expose DNS records to the entire internet.', 'Non-Compliant Resources: nc', "Potential Remedies: Set visibility to 'private' to restrict zone access to authorised VPC networks only., Add a private_visibility_config block listing the approved VPC networks., Consult Google Cloud DNS documentation on zone visibility settings."]
Unique resource names in plan (google_dns_managed_zone): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_dns.google_dns_managed_zone.state.message
Total Cloud DNS Managed Zone detected: 2 
['Situation 1: DNSSEC is not enabled for this DNS managed zone. Without DNSSEC, DNS responses cannot be authenticated, making the zone vulnerable to DNS spoofing and cache poisoning attacks.', 'Non-Compliant Resources: nc', "Potential Remedies: Set dnssec_config state to 'on' in the google_dns_managed_zone resource., Enabling DNSSEC ensures DNS responses are cryptographically signed and verified., Consult Google Cloud DNS documentation for enabling DNSSEC on managed zones."]
Unique resource names in plan (google_dns_managed_zone): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_dns.google_dns_response_policy_rule.ttl.message
Total Cloud DNS Response Policy Rule detected: 2 
['Situation 1: The DNS response policy rule TTL is too low. A TTL below 300 seconds increases the risk of DNS cache poisoning attacks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set ttl to at least 300 seconds in the local_datas block., A higher TTL reduces DNS query frequency and improves security., Consult Google Cloud DNS documentation for recommended TTL values.']
Unique resource names in plan (google_dns_response_policy_rule): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_dns
  Resource: google_dns_managed_zone
    Policy: visibility - ✅
    Policy: state - ✅
  Resource: google_dns_managed_zone_iam_policy
    Policy: role - ✅
  Resource: google_dns_policy
    Policy: forwarding_path - ✅
    Policy: enable_logging - ✅
  Resource: google_dns_record_set
    Policy: ttl - ✅
  Resource: google_dns_response_policy_rule
    Policy: ttl - ✅


OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store.notification_config.message
Total Healthcare HL7 V2 Store detected: 2 
['Situation 1: HL7 V2 Store does not have a notification_configs Pub/Sub topic configured — store changes cannot be audited', 'Non-Compliant Resources: nc', 'Potential Remedies: Add a notification_configs block with a valid Pub/Sub topic, Example: notification_configs { pubsub_topic = "projects/PROJECT/topics/TOPIC" }']
Unique resource names in plan (google_healthcare_hl7_v2_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store.reject_duplicate_message.message
Total Healthcare HL7 V2 Store detected: 2 
['Situation 1: HL7 V2 Store does not reject duplicate messages — may cause duplicate clinical events and data integrity issues', 'Non-Compliant Resources: nc', 'Potential Remedies: Set reject_duplicate_message to true, This ensures duplicate HL7 V2 messages are rejected, preventing duplicate clinical events']
Unique resource names in plan (google_healthcare_hl7_v2_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store.labels.message
Total Healthcare HL7 V2 Store detected: 2 
["Situation 1: HL7 V2 Store 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: HL7 V2 Store 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_hl7_v2_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dicom_store.notification_config.message
Total Healthcare DICOM Store detected: 2 
['Situation 1: DICOM Store does not have a notification_config Pub/Sub topic configured — medical imaging operations cannot be audited', 'Non-Compliant Resources: nc', 'Potential Remedies: Add a notification_config block with a valid Pub/Sub topic, Example: notification_config { pubsub_topic = "projects/PROJECT/topics/TOPIC" }']
Unique resource names in plan (google_healthcare_dicom_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dicom_store.labels.message
Total Healthcare DICOM Store detected: 2 
["Situation 1: DICOM Store 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: DICOM Store 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_dicom_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store.disable_resource_versioning.message
Total Healthcare FHIR Store detected: 2 
['Situation 1: FHIR Store has resource versioning disabled — historical versions not retained, breaking audit trail', 'Non-Compliant Resources: nc', 'Potential Remedies: Set disable_resource_versioning to false, This ensures all write operations retain historical versions for audit and compliance']
Unique resource names in plan (google_healthcare_fhir_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store.enable_update_create.message
Total Healthcare FHIR Store detected: 2 
['Situation 1: FHIR Store has enable_update_create set to true — allows client-specified IDs that may contain sensitive patient identifiers', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enable_update_create to false, This ensures all IDs are server-assigned, preventing patient identifiers from appearing in audit logs and Pub/Sub notifications']
Unique resource names in plan (google_healthcare_fhir_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store.version.message
Total Healthcare FHIR Store detected: 2 
['Situation 1: FHIR Store is not using an approved FHIR version — DSTU2 is deprecated and not approved for production', 'Non-Compliant Resources: nc', 'Potential Remedies: Set version to an approved FHIR version: R4 or STU3, Example: version = "R4"']
Unique resource names in plan (google_healthcare_fhir_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store.labels.message
Total Healthcare FHIR Store detected: 2 
["Situation 1: FHIR Store 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: FHIR Store 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_fhir_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_pipeline_job.disable_lineage.message
Total Healthcare Pipeline Job detected: 2 
['Situation 1: Healthcare Pipeline Job has lineage tracking disabled — data provenance cannot be audited', 'Non-Compliant Resources: nc', 'Potential Remedies: Set disable_lineage to false, This ensures lineage tracking is enabled, maintaining data provenance for audit and compliance']
Unique resource names in plan (google_healthcare_pipeline_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_pipeline_job.labels.message
Total Healthcare Pipeline Job detected: 2 
["Situation 1: Healthcare Pipeline Job 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: Healthcare Pipeline Job 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_pipeline_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_workspace.labels.message
Total Healthcare Workspace detected: 2 
["Situation 1: Healthcare Workspace 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: Healthcare Workspace 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_workspace): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store_iam.member.message
Total Healthcare FHIR Store IAM detected: 2 
['Situation 1: FHIR Store IAM member must not be allUsers or allAuthenticatedUsers — grants public access to patient health records', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_fhir_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_fhir_store_iam.role.message
Total Healthcare FHIR Store IAM detected: 2 
['Situation 1: FHIR Store IAM role must not be a primitive role — violates least privilege for patient health record access', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific FHIR store role, Approved roles: roles/healthcare.fhirResourceViewer, roles/healthcare.fhirResourceEditor, roles/healthcare.fhirStoreAdmin']
Unique resource names in plan (google_healthcare_fhir_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dataset_iam.member.message
Total Healthcare Dataset IAM detected: 2 
['Situation 1: Dataset IAM member must not be allUsers or allAuthenticatedUsers — exposes all stores (FHIR, DICOM, HL7v2, Consent) to public access', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_dataset_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dataset_iam.role.message
Total Healthcare Dataset IAM detected: 2 
['Situation 1: Dataset IAM role must not be a primitive role — grants overly broad access across ALL stores in the dataset', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific healthcare dataset role, Approved roles: roles/healthcare.datasetViewer, roles/healthcare.datasetAdmin']
Unique resource names in plan (google_healthcare_dataset_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store_iam.member.message
Total Healthcare HL7 V2 Store IAM detected: 2 
['Situation 1: HL7 V2 Store IAM member must not be allUsers or allAuthenticatedUsers — grants public access to clinical messaging data', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_hl7_v2_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_hl7_v2_store_iam.role.message
Total Healthcare HL7 V2 Store IAM detected: 2 
['Situation 1: HL7 V2 Store IAM role must not be a primitive role — violates least privilege for clinical messaging data access', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific HL7 V2 store role, Approved roles: roles/healthcare.hl7V2StoreViewer, roles/healthcare.hl7V2Ingest, roles/healthcare.hl7V2StoreAdmin']
Unique resource names in plan (google_healthcare_hl7_v2_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store_iam.member.message
Total Healthcare Consent Store IAM detected: 2 
['Situation 1: Consent Store IAM member must not be allUsers or allAuthenticatedUsers — grants public access to PHI', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_consent_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store_iam.role.message
Total Healthcare Consent Store IAM detected: 2 
['Situation 1: Consent Store IAM role must not be a primitive role — violates least privilege for PHI access', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific healthcare role, Approved roles: roles/healthcare.consentStoreViewer, roles/healthcare.consentStoreEditor, roles/healthcare.consentStoreAdmin']
Unique resource names in plan (google_healthcare_consent_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store.default_consent_ttl.message
Total Healthcare Consent Store detected: 2 
['Situation 1: Consent store does not have a default_consent_ttl configured — consents will never expire', 'Non-Compliant Resources: nc', 'Potential Remedies: Set default_consent_ttl to a duration string of at least 86400s (24 hours), Example: default_consent_ttl = "31536000s" (1 year)']
Unique resource names in plan (google_healthcare_consent_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store.enable_consent_create_on_update.message
Total Healthcare Consent Store detected: 2 
['Situation 1: Consent store has enable_consent_create_on_update set to true — PATCH becomes upsert breaking audit trail', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enable_consent_create_on_update to false, This ensures PATCH requests only update existing consents, preserving the create/update audit trail']
Unique resource names in plan (google_healthcare_consent_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_consent_store.labels.message
Total Healthcare Consent Store detected: 2 
["Situation 1: Consent store 'environment' label is missing or not an approved value", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'environment' label to one of: dev, test, staging, prod"]
["Situation 2: Consent store 'owner' label is missing or empty", 'Non-Compliant Resources: nc', "Potential Remedies: Set the 'owner' label to identify the team responsible for this resource"]
Unique resource names in plan (google_healthcare_consent_store): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dicom_store_iam.member.message
Total Healthcare DICOM Store IAM detected: 2 
['Situation 1: DICOM Store IAM member must not be allUsers or allAuthenticatedUsers — grants public access to medical imaging data', 'Non-Compliant Resources: nc', "Potential Remedies: Replace 'allUsers' or 'allAuthenticatedUsers' with a specific service account, user, or group, Example: serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]
Unique resource names in plan (google_healthcare_dicom_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dicom_store_iam.role.message
Total Healthcare DICOM Store IAM detected: 2 
['Situation 1: DICOM Store IAM role must not be a primitive role — violates least privilege for medical imaging data access', 'Non-Compliant Resources: nc', 'Potential Remedies: Replace primitive roles with a specific DICOM store role, Approved roles: roles/healthcare.dicomStoreViewer, roles/healthcare.dicomEditor, roles/healthcare.dicomStoreAdmin']
Unique resource names in plan (google_healthcare_dicom_store_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dataset.location.message
Total Healthcare Dataset detected: 2 
['Situation 1: Healthcare Dataset is not deployed in an approved location — PHI data residency requirement violated', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to one of the approved regions: us-central1, us-east1, us-east4, australia-southeast1, australia-southeast2']
Unique resource names in plan (google_healthcare_dataset): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_healthcare.google_healthcare_dataset.encryption_spec.message
Total Healthcare Dataset detected: 2 
['Situation 1: Healthcare Dataset does not have CMEK encryption configured — uses Google-managed keys only', 'Non-Compliant Resources: nc', 'Potential Remedies: Add an encryption_spec block with a valid KMS key name, Example: encryption_spec { kms_key_name = "projects/PROJECT/locations/REGION/keyRings/RING/cryptoKeys/KEY" }']
Unique resource names in plan (google_healthcare_dataset): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_healthcare
  Resource: google_healthcare_consent_store
    Policy: default_consent_ttl - ✅
    Policy: enable_consent_create_on_update - ✅
    Policy: labels - ✅
  Resource: google_healthcare_consent_store_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_dataset
    Policy: location - ✅
    Policy: encryption_spec - ✅
  Resource: google_healthcare_dataset_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_dicom_store
    Policy: notification_config - ✅
    Policy: labels - ✅
  Resource: google_healthcare_dicom_store_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_fhir_store
    Policy: disable_resource_versioning - ✅
    Policy: enable_update_create - ✅
    Policy: version - ✅
    Policy: labels - ✅
  Resource: google_healthcare_fhir_store_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_hl7_v2_store
    Policy: notification_config - ✅
    Policy: reject_duplicate_message - ✅
    Policy: labels - ✅
  Resource: google_healthcare_hl7_v2_store_iam
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_healthcare_pipeline_job
    Policy: disable_lineage - ✅
    Policy: labels - ✅
  Resource: google_healthcare_workspace
    Policy: labels - ✅


OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name.message
Total Cloud Identity Group detected: 2 
['Situation 1: Cloud Identity Group is missing a display name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set display_name on the google_cloud_identity_group resource.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.mandatory_labels.message
Total Cloud Identity Group detected: 2 
["Situation 1: Cloud Identity Group is missing mandatory label 'env'.", 'Non-Compliant Resources: nc', "Potential Remedies: Add the 'env' label to the group's labels block."]
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.labels.message
Total Cloud Identity Group detected: 2 
["Situation 1: Cloud Identity Group must define the 'cloudidentity.googleapis.com/groups.discussion_forum' label with an empty value.", 'Non-Compliant Resources: nc', 'Potential Remedies: Set labels["cloudidentity.googleapis.com/groups.discussion_forum"] to an empty string.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_identity
  Resource: google_cloud_identity_group
    Policy: display_name - ✅
    Policy: mandatory_labels - ✅
    Policy: labels - ✅


OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_alert_policy.enabled.message
Total Google Monitoring Alert Policy detected: 2 
['Situation 1: enabled is set to false, which disables the alert policy and prevents it from triggering incidents or notifications', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enabled to true to ensure the alert policy is active and can detect and respond to incidents']
Unique resource names in plan (google_monitoring_alert_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_uptime_check_config.mask_headers.message
Total Google Monitoring Uptime Check Config detected: 2 
['Situation 1: An Authorization header is configured while mask_headers is disabled, which may expose authentication data when retrieving the uptime check configuration', 'Non-Compliant Resources: nc', 'Potential Remedies: Set http_check.mask_headers to true when using authentication-related headers such as Authorization']
Unique resource names in plan (google_monitoring_uptime_check_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_uptime_check_config.validate_ssl.message
Total Google Monitoring Uptime Check Config detected: 2 
['Situation 1: http_check.validate_ssl is set to false on an HTTPS uptime_url check, which allows the check to run without SSL certificate validation', 'Non-Compliant Resources: nc', 'Potential Remedies: Set http_check.validate_ssl to true for HTTPS uptime_url checks']
Unique resource names in plan (google_monitoring_uptime_check_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.auth_token.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: labels.auth_token is set directly, which may expose a sensitive token in plain labels', 'Non-Compliant Resources: nc', 'Potential Remedies: Move auth_token from labels to the sensitive_labels block']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.force_delete.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: force_delete is set to true, which allows the notification channel to be deleted even if alert policies still reference it', 'Non-Compliant Resources: nc', 'Potential Remedies: Set force_delete to false or remove the attribute']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.service_key.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: labels.service_key is set directly, which may expose a sensitive service key in plain labels', 'Non-Compliant Resources: nc', 'Potential Remedies: Move service_key from labels to the sensitive_labels block']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.password.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: labels.password is set directly, which may expose a sensitive password in plain labels', 'Non-Compliant Resources: nc', 'Potential Remedies: Move password from labels to the sensitive_labels block']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_monitoring
  Resource: google_monitoring_alert_policy
    Policy: enabled - ✅
  Resource: google_monitoring_notification_channel
    Policy: auth_token - ✅
    Policy: force_delete - ✅
    Policy: service_key - ✅
    Policy: password - ✅
  Resource: google_monitoring_uptime_check_config
    Policy: mask_headers - ✅
    Policy: validate_ssl - ✅


OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service_iam.location.message
Total Cloud Run Service IAM Member Type detected: 2 
['Situation 1: Cloud Run service IAM policy is applied outside an approved location', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Australian region, Change the location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_cloud_run_service_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service_iam.service.message
Total Cloud Run Service IAM Member Type detected: 2 
['Situation 1: Cloud Run service IAM policy is attached to an unapproved service', 'Non-Compliant Resources: nc', 'Potential Remedies: Attach the IAM policy only to approved Cloud Run services, Change the service field to cloudrun-srv']
Unique resource names in plan (google_cloud_run_service_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service_iam.member_type.message
Total Cloud Run Service IAM Member Type detected: 2 
['Situation 1: Cloud Run service IAM policy grants access to a broad or risky member type', 'Non-Compliant Resources: nc', 'Potential Remedies: Use specific users, groups, or service accounts, Avoid broad identities such as allUsers, allAuthenticatedUsers, domain, projectOwner, or projectEditor']
Unique resource names in plan (google_cloud_run_service_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service_iam.role.message
Total Cloud Run Service IAM Member Type detected: 2 
['Situation 1: Cloud Run service IAM policy grants an overly privileged role', 'Non-Compliant Resources: nc', 'Potential Remedies: Use a least-privilege role such as roles/viewer, Avoid granting roles/run.admin, roles/editor, or roles/owner unless strictly required']
Unique resource names in plan (google_cloud_run_service_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service_iam.policy_data.message
Total Cloud Run Service IAM Member Type detected: 2 
['Situation 1: Cloud Run service IAM policy allows public access', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove allUsers or allAuthenticatedUsers from the IAM policy, Grant access only to approved users, groups, or service accounts']
Unique resource names in plan (google_cloud_run_service_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service_iam.project.message
Total Cloud Run Service IAM Member Type detected: 2 
['Situation 1: Cloud Run service IAM policy is applied to an unapproved GCP project', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved GCP project, Change the project field to my-gcp-project']
Unique resource names in plan (google_cloud_run_service_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.containers.resources.limits.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service CPU limit is outside the approved range', 'Non-Compliant Resources: nc', 'Potential Remedies: Set CPU limits within the approved range, Avoid excessive CPU limits that can increase cost or resource abuse risk']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.timeout_seconds.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service timeout is outside the approved range', 'Non-Compliant Resources: nc', 'Potential Remedies: Set timeout_seconds between 1 and 300, Avoid excessive timeout values that can tie up resources for too long']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.namespace.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service metadata namespace does not match the approved project', 'Non-Compliant Resources: nc', 'Potential Remedies: Set namespace to the approved project ID, Use my-gcp-project as the metadata namespace']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.annotations.run.googleapis.com.custom_audiences.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service uses unapproved custom audiences', 'Non-Compliant Resources: nc', 'Potential Remedies: Use approved custom audiences only, Avoid wildcard custom audience values']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.volumes.secret.default_mode.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service secret volume uses overly permissive default file permissions', 'Non-Compliant Resources: nc', 'Potential Remedies: Use restrictive file permissions for mounted secrets, Set default_mode within the approved range']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.containers.env.value_from.secret_key_ref.key.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service uses an unapproved Secret Manager secret version', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Secret Manager secret version, Set secret_key_ref key to latest']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.location.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service is deployed outside an approved location', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Australian region, Change the location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.service_account_name.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service is using an unapproved service account', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved least-privilege service account, Set service_account_name to secure-sa@my-gcp-project.iam.gserviceaccount.com']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.annotations.run.googleapis.com.vpc_access_egress.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service uses unapproved VPC egress routing', 'Non-Compliant Resources: nc', 'Potential Remedies: Use approved VPC egress routing, Set run.googleapis.com/vpc-access-egress to private-ranges-only']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.containers.image.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service container image is not from an approved registry path', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Artifact Registry image path, Use image paths beginning with us-docker.pkg.dev/cloudrun/container/']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.annotations.run.googleapis.com.binary_authorization_breakglass.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service uses Binary Authorization breakglass override', 'Non-Compliant Resources: nc', 'Potential Remedies: Disable Binary Authorization breakglass usage, Remove run.googleapis.com/binary-authorization-breakglass annotation']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.annotations.run.googleapis.com.binary_authorization.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service does not use approved binary authorization configuration', 'Non-Compliant Resources: nc', 'Potential Remedies: Enable binary authorization for Cloud Run, Set run.googleapis.com/binary-authorization to default']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.volumes.secret.items.mode.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service secret item uses overly permissive file permissions', 'Non-Compliant Resources: nc', 'Potential Remedies: Use restrictive file permissions for mounted secret items, Set secret item mode within the approved range']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.traffic.percent.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service traffic percent is not set to the approved value', 'Non-Compliant Resources: nc', 'Potential Remedies: Set traffic percent to 100 for the approved revision, Avoid leaving traffic percent at 0 because it may prevent traffic from reaching the intended revision']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.annotations.autoscaling.knative.dev.maxScale.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service max scale is outside the approved range', 'Non-Compliant Resources: nc', 'Potential Remedies: Set maxScale within the approved range, Avoid excessive scaling limits that can increase cost or abuse risk']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.traffic.latest_revision.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service is not routing traffic to the latest revision', 'Non-Compliant Resources: nc', 'Potential Remedies: Set latest_revision to true, Ensure traffic is always directed to the latest approved deployment']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.annotations.run.googleapis.com.vpc_access_connector.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service uses an unapproved VPC access connector', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved VPC access connector, Set run.googleapis.com/vpc-access-connector to the approved production connector']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.volumes.secret.secret_name.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service mounts an unapproved secret', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Secret Manager secret, Set secret_name to prod-db-secret']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.annotations.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service allows public ingress', 'Non-Compliant Resources: nc', 'Potential Remedies: Restrict ingress to internal only, Use run.googleapis.com/ingress = internal']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.volumes.secret.items.key.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service secret volume uses an unapproved secret item key', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved secret item key, Set the secret item key to latest']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.containers.env.value_from.secret_key_ref.name.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service references an unapproved Secret Manager secret name', 'Non-Compliant Resources: nc', 'Potential Remedies: Use approved Secret Manager secret names, Use a secret name that follows the approved pattern such as prod-db-secret']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.containers.resources.requests.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service CPU request is outside the approved range', 'Non-Compliant Resources: nc', 'Potential Remedies: Set CPU requests within the approved range, Avoid excessive CPU requests that can increase cost or reduce scheduling efficiency']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.containers.env.value.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service contains sensitive plaintext environment variable values', 'Non-Compliant Resources: nc', 'Potential Remedies: Avoid storing secrets or passwords directly in environment variables, Use Secret Manager references instead of plaintext values']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.annotations.run.googleapis.com.encryption_key.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service uses an unapproved encryption key', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Cloud KMS encryption key, Use a key from the approved project, region, key ring, and crypto key']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.metadata.labels.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service template label does not use an approved environment value', 'Non-Compliant Resources: nc', 'Potential Remedies: Use approved environment labels such as prod, dev, or test']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.labels.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service metadata label does not use an approved environment value', 'Non-Compliant Resources: nc', 'Potential Remedies: Add an env label to the resource, Use one of the approved env values: prod, dev, or test']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.metadata.annotations.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service template allows public ingress', 'Non-Compliant Resources: nc', 'Potential Remedies: Restrict ingress to internal only, Use run.googleapis.com/ingress = internal']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.metadata.annotations.run.googleapis.com.cloudsql_instances.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service connects to an unapproved Cloud SQL instance', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved Cloud SQL instance connections, Set run.googleapis.com/cloudsql-instances to my-gcp-project:australia-southeast1:prod-db']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.project.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service is deployed in an unapproved GCP project', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved GCP project, Change the project field to my-gcp-project']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.containers.ports.container_port.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service uses an unapproved container port', 'Non-Compliant Resources: nc', 'Potential Remedies: Use the approved container port, Set container_port to 8080']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.container_concurrency.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service has container concurrency outside the approved range', 'Non-Compliant Resources: nc', 'Potential Remedies: Set container_concurrency within the approved range of 1 to 80, Avoid very high concurrency values that can impact performance and stability']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_service.template.spec.volumes.secret.items.path.message
Total Cloud Run Service detected: 2 
['Situation 1: Cloud Run service secret volume uses an unapproved secret item path', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved secret item path, Set the secret item path to db-password']
Unique resource names in plan (google_cloud_run_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_domain_mapping.spec.certificate_mode.message
Total Cloud Run Domain Mapping Location detected: 2 
['Situation 1: Cloud Run domain mapping certificate mode is not automatic', 'Non-Compliant Resources: nc', 'Potential Remedies: Set certificate_mode to AUTOMATIC, Avoid using NONE for certificate mode']
Unique resource names in plan (google_cloud_run_domain_mapping): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_domain_mapping.metadata.namespace.message
Total Cloud Run Domain Mapping Location detected: 2 
['Situation 1: Cloud Run domain mapping namespace is not approved', 'Non-Compliant Resources: nc', 'Potential Remedies: Set namespace to the correct project ID or project number, Ensure the namespace matches the expected Cloud Run project namespace']
Unique resource names in plan (google_cloud_run_domain_mapping): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_domain_mapping.location.message
Total Cloud Run Domain Mapping Location detected: 2 
['Situation 1: Cloud Run domain mapping is deployed in an unapproved location', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the location to an approved region, Use australia-southeast1 for this resource']
Unique resource names in plan (google_cloud_run_domain_mapping): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_domain_mapping.spec.force_override.message
Total Cloud Run Domain Mapping Location detected: 2 
['Situation 1: Cloud Run domain mapping uses force_override which may override existing mappings', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove force_override unless absolutely necessary, Avoid setting force_override to true to prevent accidental overrides']
Unique resource names in plan (google_cloud_run_domain_mapping): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_domain_mapping.metadata.annotations.message
Total Cloud Run Domain Mapping Location detected: 2 
['Situation 1: Cloud Run domain mapping annotation does not contain a valid security ticket reference', 'Non-Compliant Resources: nc', 'Potential Remedies: Add a valid ticket annotation to the resource, Use the approved ticket format such as SEC-123']
Unique resource names in plan (google_cloud_run_domain_mapping): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_domain_mapping.metadata.labels.message
Total Cloud Run Domain Mapping Location detected: 2 
['Situation 1: Cloud Run domain mapping is missing required environment label or uses an invalid value', 'Non-Compliant Resources: nc', "Potential Remedies: Add a label 'env' to the resource, Use one of the approved values: prod, dev, test"]
Unique resource names in plan (google_cloud_run_domain_mapping): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_domain_mapping.spec.route_name.message
Total Cloud Run Domain Mapping Location detected: 2 
['Situation 1: Cloud Run domain mapping routes traffic to an unapproved Cloud Run service', 'Non-Compliant Resources: nc', 'Potential Remedies: Update route_name to an approved Cloud Run service, Use the approved service name cloudrun-srv']
Unique resource names in plan (google_cloud_run_domain_mapping): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_domain_mapping.project.message
Total Cloud Run Domain Mapping Location detected: 2 
['Situation 1: Cloud Run domain mapping is deployed in an unapproved GCP project', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved GCP project, Update the project field to the correct project ID']
Unique resource names in plan (google_cloud_run_domain_mapping): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run.google_cloud_run_domain_mapping.name.message
Total Cloud Run Domain Mapping Location detected: 2 
['Situation 1: Cloud Run domain mapping name does not use an approved company domain', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the domain name to an approved company domain, Use a domain that matches the required naming pattern']
Unique resource names in plan (google_cloud_run_domain_mapping): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_run
  Resource: google_cloud_run_domain_mapping
    Policy: spec.certificate_mode - ✅
    Policy: metadata.namespace - ✅
    Policy: location - ✅
    Policy: spec.force_override - ✅
    Policy: metadata.annotations - ✅
    Policy: metadata.labels - ✅
    Policy: spec.route_name - ✅
    Policy: project - ✅
    Policy: name - ✅
  Resource: google_cloud_run_service
    Policy: template.spec.containers.resources.limits - ✅
    Policy: template.spec.timeout_seconds - ✅
    Policy: metadata.namespace - ✅
    Policy: metadata.annotations.run.googleapis.com.custom-audiences - ✅
    Policy: template.spec.volumes.secret.default_mode - ✅
    Policy: template.spec.containers.env.value_from.secret_key_ref.key - ✅
    Policy: location - ✅
    Policy: template.spec.service_account_name - ✅
    Policy: metadata.annotations.run.googleapis.com.vpc-access-egress - ✅
    Policy: template.spec.containers.image - ✅
    Policy: metadata.annotations.run.googleapis.com.binary-authorization-breakglass - ✅
    Policy: metadata.annotations.run.googleapis.com.binary-authorization - ✅
    Policy: template.spec.volumes.secret.items.mode - ✅
    Policy: traffic.percent - ✅
    Policy: metadata.annotations.autoscaling.knative.dev.maxScale - ✅
    Policy: traffic.latest_revision - ✅
    Policy: metadata.annotations.run.googleapis.com.vpc-access-connector - ✅
    Policy: template.spec.volumes.secret.secret_name - ✅
    Policy: metadata.annotations - ✅
    Policy: template.spec.volumes.secret.items.key - ✅
    Policy: template.spec.containers.env.value_from.secret_key_ref.name - ✅
    Policy: template.spec.containers.resources.requests - ✅
    Policy: template.spec.containers.env.value - ✅
    Policy: metadata.annotations.run.googleapis.com.encryption-key - ✅
    Policy: template.metadata.labels - ✅
    Policy: metadata.labels - ✅
    Policy: template.metadata.annotations - ✅
    Policy: metadata.annotations.run.googleapis.com.cloudsql-instances - ✅
    Policy: project - ✅
    Policy: template.spec.containers.ports.container_port - ✅
    Policy: template.spec.container_concurrency - ✅
    Policy: template.spec.volumes.secret.items.path - ✅
  Resource: google_cloud_run_service_iam
    Policy: location - ✅
    Policy: service - ✅
    Policy: member_type - ✅
    Policy: role - ✅
    Policy: policy_data - ✅
    Policy: project - ✅


OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.approved_service_account.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Default service account is being used which may have excessive permissions.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use a dedicated least-privileged service account']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.approved_encryption_key.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: The job is using an encryption key that is not from the approved KMS key rings or locations. This could lead to security issues.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use a CMEK from an approved key ring and location.']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.gcs_read_only.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Cloud Run Worker pool is allowing writable access', 'Non-Compliant Resources: nc', 'Potential Remedies: Set read_only = true']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.allowed_image.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Public container registries are not allowed due to security risks and lack of governance.', 'Non-Compliant Resources: nc', 'Potential Remedies: Move images to Artifact Registry under approved GCP project']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.deletion_protection.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Deletion protection is disabled, meaning the job can be accidentally removed during Terraform destroy or apply operations.', 'Non-Compliant Resources: nc', 'Potential Remedies: Enable deletion protection by setting the value to true']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.allowed_location.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Parameters should be in the Australian location', 'Non-Compliant Resources: nc', 'Potential Remedies: Change it to Australia location']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.secret_key_ref_secret.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Environment variable is not using Secret Manager reference.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use secret from secret_key_ref with value_source']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.required_use_default.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Binary Authorization is not enabled, allowing unverified container images.', 'Non-Compliant Resources: nc', 'Potential Remedies: Enable Binary Authorization using use_default = true']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.nfs_read_only.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Cloud Run Worker pool is allowing writable access', 'Non-Compliant Resources: nc', 'Potential Remedies: Set read_only = true']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.restricted_egress.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: All traffic egress is allowed', 'Non-Compliant Resources: nc', 'Potential Remedies: Restrict egress to PRIVATE_RANGES_ONLY']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.allowed_size_limit.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: EmptyDir size limit must be within approved limits', 'Non-Compliant Resources: nc', 'Potential Remedies: Set size_limit to an approved value, i.e, under 512Mi']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.allowed_volumes_secret.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Only approved Secret Manager secrets should be mounted as volumes', 'Non-Compliant Resources: nc', 'Potential Remedies: Use secrets only from approved projects']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool.encryption_key_revocation_action.message
Total Google Cloud Run v2 Worker pool detected: 2 
['Situation 1: Worker Pool must shut down instances if encryption key is revoked', 'Non-Compliant Resources: nc', 'Potential Remedies: Set encryption_key_revocation_action to SHUTDOWN']
Unique resource names in plan (google_cloud_run_v2_worker_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service_iam_member.restrict_privileged_roles.message
Total Google Cloud Run v2 Service IAM Member detected: 2 
['Situation 1: Only least-privilege Cloud Run roles should be assigned', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the role to a least-privilege role']
Unique resource names in plan (google_cloud_run_v2_service_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service_iam_member.restrict_unauthorized_members.message
Total Google Cloud Run v2 Service IAM Member detected: 2 
['Situation 1: Public access should not be allowed', 'Non-Compliant Resources: nc', 'Potential Remedies: Change it to members from the approve list']
Unique resource names in plan (google_cloud_run_v2_service_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service_iam_member.allowed_location.message
Total Google Cloud Run v2 Service IAM Member detected: 2 
['Situation 1: Location must be in an Australian location', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the location to an Australian region']
Unique resource names in plan (google_cloud_run_v2_service_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool_iam_member.restrict_privileged_roles.message
Total Google Cloud Run v2 Worker Pool IAM Member detected: 2 
['Situation 1: Only least-privilege Cloud Run roles should be assigned', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the role to a least-privilege role']
Unique resource names in plan (google_cloud_run_v2_worker_pool_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool_iam_member.restrict_unauthorized_members.message
Total Google Cloud Run v2 Worker Pool IAM Member detected: 2 
['Situation 1: Public access should not be allowed', 'Non-Compliant Resources: nc', 'Potential Remedies: Change it to members from the approve list']
Unique resource names in plan (google_cloud_run_v2_worker_pool_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_worker_pool_iam_member.allowed_location.message
Total Google Cloud Run v2 Worker Pool IAM Member detected: 2 
['Situation 1: Location must be in an Australian location', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the location to an Australian region']
Unique resource names in plan (google_cloud_run_v2_worker_pool_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.max_retries.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: Excessive retries could overwhelm system resources, causing DoS-like behavior', 'Non-Compliant Resources: nc', 'Potential Remedies: Limit the max_retries to a reasonable number']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.approved_service_account.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: Default service account is being used which may have excessive permissions.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use a dedicated least-privileged service account']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.approved_encryption_key.message
Total Google Cloud Run v2 Job detected: 3 
['Situation 1: The job is using an encryption key that is not from the approved KMS key rings or locations. This could lead to security issues.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Use a CMEK from an approved key ring and location.']
Unique resource names in plan (google_cloud_run_v2_job): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.gcs_read_only.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: Cloud Run job is allowing writable access', 'Non-Compliant Resources: nc', 'Potential Remedies: Set read_only = true']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.allowed_image.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: Public container registries are not allowed due to security risks and lack of governance.', 'Non-Compliant Resources: nc', 'Potential Remedies: Move images to Artifact Registry under approved GCP project']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.deletion_protection.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: Deletion protection is disabled, meaning the job can be accidentally removed during Terraform destroy or apply operations.', 'Non-Compliant Resources: nc', 'Potential Remedies: Enable deletion protection by setting the value to true']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.allowed_secret.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: Environment variable is not using Secret Manager reference.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use secret from secret_key_ref with value_source']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.allowed_location.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: Parameters should be in the Australian location', 'Non-Compliant Resources: nc', 'Potential Remedies: Change it to Australia location']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.approved_value.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: Plaintext environment variable value may expose sensitive data.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use value_source with Secret Manager instead of value']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.required_use_default.message
Total Google Cloud Run v2 Job detected: 3 
['Situation 1: Binary Authorization is not enabled, allowing unverified container images.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Enable Binary Authorization using use_default = true']
Unique resource names in plan (google_cloud_run_v2_job): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.nfs_read_only.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: Cloud Run job is allowing writable access', 'Non-Compliant Resources: nc', 'Potential Remedies: Set read_only = true']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.restricted_egress.message
Total Google Cloud Run v2 Job detected: 2 
['Situation 1: All traffic egress is allowed', 'Non-Compliant Resources: nc', 'Potential Remedies: Restrict egress to PRIVATE_RANGES_ONLY']
Unique resource names in plan (google_cloud_run_v2_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job.allowed_launch_stage.message
Total Google Cloud Run v2 Job detected: 3 
['Situation 1: Launch stage is set to a non-production or preview value (ALPHA/BETA), which may introduce unstable features into the Cloud Run Job deployment.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set launch_stage to GA for production deployments']
Unique resource names in plan (google_cloud_run_v2_job): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.allowed_regions.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Cloud Run multi-region service must only use approved Australian regions to ensure data residency compliance.', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to australia-southeast1 or australia-southeast2 only']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.approved_service_account.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Default service account is being used which may have excessive permissions.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use a dedicated least-privileged service account']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.approved_encryption_key.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: The job is using an encryption key that is not from the approved KMS key rings or locations. This could lead to security issues.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use a CMEK from an approved key ring and location.']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.restricted_ingress.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Cloud Run service allows public ingress', 'Non-Compliant Resources: nc', 'Potential Remedies: Set ingress to INTERNAL_ONLY or INTERNAL_LOAD_BALANCER']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.gcs_read_only.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Cloud Run service is allowing writable access', 'Non-Compliant Resources: nc', 'Potential Remedies: Set read_only = true']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.allowed_image.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Public container registries are not allowed due to security risks and lack of governance.', 'Non-Compliant Resources: nc', 'Potential Remedies: Move images to Artifact Registry under approved GCP project']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.deletion_protection.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Deletion protection is disabled, meaning the job can be accidentally removed during Terraform destroy or apply operations.', 'Non-Compliant Resources: nc', 'Potential Remedies: Enable deletion protection by setting the value to true']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.allowed_secret.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Only approved Secret Manager secrets should be mounted as volumes', 'Non-Compliant Resources: nc', 'Potential Remedies: Use secrets only from approved projects']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.allowed_location.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Parameters should be in the Australian location', 'Non-Compliant Resources: nc', 'Potential Remedies: Change it to Australia location']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.secret_key_ref_secret.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Environment variable is not using Secret Manager reference.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use secret from secret_key_ref with value_source']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.invoker_iam_disabled.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Cloud Run service disables IAM authentication, making it publicly accessible', 'Non-Compliant Resources: nc', 'Potential Remedies: Re-enable IAM authentication by setting invoker_iam_disabled to false']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.required_use_default.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Binary Authorization is not enabled, allowing unverified container images.', 'Non-Compliant Resources: nc', 'Potential Remedies: Enable Binary Authorization using use_default = true']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.nfs_read_only.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: Cloud Run service is allowing writable access', 'Non-Compliant Resources: nc', 'Potential Remedies: Set read_only = true']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_service.restricted_egress.message
Total Google Cloud Run v2 Service detected: 2 
['Situation 1: All traffic egress is allowed', 'Non-Compliant Resources: nc', 'Potential Remedies: Restrict egress to PRIVATE_RANGES_ONLY']
Unique resource names in plan (google_cloud_run_v2_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job_iam_member.restrict_privileged_roles.message
Total Google Cloud Run v2 Job IAM Member detected: 2 
['Situation 1: Only least-privilege Cloud Run roles should be assigned', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the role to a least-privilege role']
Unique resource names in plan (google_cloud_run_v2_job_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job_iam_member.restrict_unauthorized_members.message
Total Google Cloud Run v2 Job IAM Member detected: 2 
['Situation 1: Public access should not be allowed', 'Non-Compliant Resources: nc', 'Potential Remedies: Change it to members from the approve list']
Unique resource names in plan (google_cloud_run_v2_job_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_run_v2_api.google_cloud_run_v2_job_iam_member.allowed_location.message
Total Google Cloud Run v2 Job IAM Member detected: 2 
['Situation 1: Location must be in an Australian location', 'Non-Compliant Resources: nc', 'Potential Remedies: Change the location to an Australian region']
Unique resource names in plan (google_cloud_run_v2_job_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_run_v2_api
  Resource: google_cloud_run_v2_job
    Policy: max_retries - ✅
    Policy: approved_service_account - ✅
    Policy: approved_encryption_key - ✅
    Policy: gcs_read_only - ✅
    Policy: allowed_image - ✅
    Policy: deletion_protection - ✅
    Policy: allowed_secret - ✅
    Policy: allowed_location - ✅
    Policy: approved_value - ✅
    Policy: required_use_default - ✅
    Policy: nfs_read_only - ✅
    Policy: restricted_egress - ✅
    Policy: allowed_launch_stage - ✅
  Resource: google_cloud_run_v2_job_iam_member
    Policy: restrict_privileged_roles - ✅
    Policy: restrict_unauthorized_members - ✅
    Policy: allowed_location - ✅
  Resource: google_cloud_run_v2_service
    Policy: allowed_regions - ✅
    Policy: approved_service_account - ✅
    Policy: approved_encryption_key - ✅
    Policy: restricted_ingress - ✅
    Policy: gcs_read_only - ✅
    Policy: allowed_image - ✅
    Policy: deletion_protection - ✅
    Policy: allowed_secret - ✅
    Policy: allowed_location - ✅
    Policy: secret_key_ref_secret - ✅
    Policy: invoker_iam_disabled - ✅
    Policy: required_use_default - ✅
    Policy: nfs_read_only - ✅
    Policy: restricted_egress - ✅
  Resource: google_cloud_run_v2_service_iam_member
    Policy: restrict_privileged_roles - ✅
    Policy: restrict_unauthorized_members - ✅
    Policy: allowed_location - ✅
  Resource: google_cloud_run_v2_worker_pool
    Policy: approved_service_account - ✅
    Policy: approved_encryption_key - ✅
    Policy: gcs_read_only - ✅
    Policy: allowed_image - ✅
    Policy: deletion_protection - ✅
    Policy: allowed_location - ✅
    Policy: secret_key_ref_secret - ✅
    Policy: required_use_default - ✅
    Policy: nfs_read_only - ✅
    Policy: restricted_egress - ✅
    Policy: allowed_size_limit - ✅
    Policy: allowed_volumes_secret - ✅
    Policy: encryption_key_revocation_action - ✅
  Resource: google_cloud_run_v2_worker_pool_iam_member
    Policy: restrict_privileged_roles - ✅
    Policy: restrict_unauthorized_members - ✅
    Policy: allowed_location - ✅


OPA check: data.terraform.gcp.security.cloud_source_repositories.google_sourcerepo_repository_iam_member.member.message
Total google_sourcerepo detected: 3 
['Situation 1: If the member/members attribute includes public identities such as allUsers or allAuthenticatedUsers, unauthorized users may gain access to the repository.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Remove allUsers or allAuthenticatedUsers from the member/members attribute.']
Unique resource names in plan (google_sourcerepo_repository_iam_member): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_source_repositories.google_sourcerepo_repository_iam_member.role.message
Total google_sourcerepo detected: 3 
['Situation 1: If the role attribute is not set to roles/source.reader or roles/source.writer, the repository may be exposed to unauthorized access or modification.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set the role attribute to roles/source.reader or roles/source.writer.']
Unique resource names in plan (google_sourcerepo_repository_iam_member): 3
Names mentioned in output: 1
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_source_repositories.google_sourcerepo_repository_iam_member.repository.message
Total google_sourcerepo detected: 2 
['Situation 1: The repository attribute is not configured with a valid parent repository.', 'Non-Compliant Resources: nc', 'Potential Remedies: Provide a valid repository reference for the repository attribute.']
Unique resource names in plan (google_sourcerepo_repository_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_source_repositories.google_sourcerepo_repository.message_format.message
Total google_sourcerepo detected: 2 
['Situation 1: The format of the Cloud Pub/Sub messages is not set to JSON.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set the message_format attribute to JSON.']
Unique resource names in plan (google_sourcerepo_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_source_repositories.google_sourcerepo_repository.create_ignore_already_exists.message
Total google_sourcerepo detected: 2 
['Situation 1: The create_ignore_already_exists attribute is not set to true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set the create_ignore_already_exists attribute to true.']
Unique resource names in plan (google_sourcerepo_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_source_repositories.google_sourcerepo_repository.service_account_email.message
Total google_sourcerepo detected: 2 
['Situation 1: The service_account_email does not have a dedicated service account email provided.', 'Non-Compliant Resources: nc', 'Potential Remedies: Provide a dedicated service account email for the service_account_email attribute.']
Unique resource names in plan (google_sourcerepo_repository): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_source_repositories
  Resource: google_sourcerepo_repository
    Policy: message_format - ✅
    Policy: create_ignore_already_exists - ✅
    Policy: service_account_email - ✅
  Resource: google_sourcerepo_repository_iam_member
    Policy: member - ✅
    Policy: role - ✅
    Policy: repository - ✅


OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_log_scope.resource_names.message
Total Stackdriver Logging Log Scope detected: 2 
['Situation 1: Log scope includes unauthorized projects or excludes critical security projects', 'Non-Compliant Resources: nc', 'Potential Remedies: Only include production projects that require security monitoring, Exclude development, testing, and external projects, Ensure all critical audit projects are included, Maximum 50 projects and 100 total resources']
Unique resource names in plan (google_logging_log_scope): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_sink.unique_writer_identity.message
Total Stackdriver Logging Project Sink detected: 4 
['Situation 1: Log sink does not use unique writer identity - using default Logging service account', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set unique_writer_identity = true to create a dedicated service account for this sink, Required for cross-project log exports and BigQuery options, Provides better security isolation and auditability']
Unique resource names in plan (google_logging_project_sink): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_sink.destination.message
Total Stackdriver Logging Project Sink detected: 2 
["Situation 1: Stackdriver log sink destination is not within the organization's approved domains/buckets", 'Non-Compliant Resources: nc', "Potential Remedies: Use approved destination patterns: storage.googleapis.com/YOUR_BUCKET, bigquery.googleapis.com/projects/YOUR_PROJECT/datasets/YOUR_DATASET, or pubsub.googleapis.com/projects/YOUR_PROJECT/topics/YOUR_TOPIC, logging.googleapis.com/projects/YOUR_PROJECT/locations/global/buckets/YOUR_BUCKET, Ensure destination is within your organization's GCP project"]
Unique resource names in plan (google_logging_project_sink): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_log_view_iam_binding.role.message
Total Stackdriver Logging Log View IAM detected: 2 
['Situation 1: Log view IAM role is overly permissive - should use viewAccessor only', 'Non-Compliant Resources: nc', 'Potential Remedies: Use roles/logging.viewAccessor for read-only access, Avoid roles/logging.logWriter (allows log modification), Avoid roles/logging.privateLogViewer (may expose sensitive data)']
Unique resource names in plan (google_logging_log_view_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_log_view_iam_binding.members.message
Total Stackdriver Logging Log View IAM detected: 2 
['Situation 1: Log view IAM includes public or authenticated users which exposes sensitive logs', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove \'allUsers\' and \'allAuthenticatedUsers\' from members, Use specific service accounts or user emails instead, Example: ["serviceAccount:security-auditor@project.iam.gserviceaccount.com"]']
Unique resource names in plan (google_logging_log_view_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_bucket_config.locked.message
Total Stackdriver Logging Bucket Config detected: 4 
['Situation 1: Log bucket is not locked - retention can be reduced or bucket can be deleted, compromising audit trail integrity', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set locked = true to prevent retention reduction and bucket deletion, Note: This setting is permanent and cannot be undone once applied, Required for compliance with legal hold and audit log preservation']
Unique resource names in plan (google_logging_project_bucket_config): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_bucket_config.retention_days.message
Total Stackdriver Logging Bucket Config detected: 2 
['Situation 1: Log retention period is insufficient for compliance requirements', 'Non-Compliant Resources: nc', 'Potential Remedies: Set retention_days to at least 30 days (minimum compliance requirement), Recommended: 90+ days for audit logs, Maximum: 3650 days']
['Situation 2: Audit log retention period is below recommended 90 days', 'Non-Compliant Resources: nc', 'Potential Remedies: Set retention_days to 90 days or higher for audit logs, CIS GCP Benchmark recommends 90+ days for audit log retention']
Unique resource names in plan (google_logging_project_bucket_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_bucket_config.cmek_encryption.message
Total Stackdriver Logging Bucket Config detected: 2 
['Situation 1: Log bucket is not encrypted with Customer-Managed Encryption Key (CMEK)', 'Non-Compliant Resources: nc', 'Potential Remedies: Add cmek_settings block with a valid KMS key name, Use format: projects/YOUR_PROJECT/locations/REGION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME']
Unique resource names in plan (google_logging_project_bucket_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_metric.disabled.message
Total Stackdriver Logging Metric detected: 4 
['Situation 1: Security metric is disabled - critical security events will not be monitored', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set disabled = false to enable the metric, Remove the disabled attribute entirely (default is false), Ensure all security metrics remain active for continuous monitoring']
Unique resource names in plan (google_logging_metric): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_exclusion.filter.message
Total Stackdriver Logging Exclusion Filter detected: 3 
['Situation 1: Stackdriver log exclusion filter is blocking security-relevant audit events', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove exclusions that block cloudaudit.googleapis.com logs, Remove exclusions that block high severity logs (ERROR, CRITICAL, ALERT, EMERGENCY), Only exclude non-security logs like health checks or debug logs from development']
Unique resource names in plan (google_logging_project_exclusion): 3
Names mentioned in output: 1
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_exclusion.disabled.message
Total Stackdriver Logging Exclusion Filter detected: 4 
['Situation 1: Log exclusion is disabled - not actively filtering logs', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set disabled = false to activate the exclusion, Or remove the disabled attribute entirely (default is false), If the exclusion is no longer needed, consider removing it completely']
Unique resource names in plan (google_logging_project_exclusion): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_organization_settings.cmek.message
Total Stackdriver Logging Organization Settings detected: 4 
['Situation 1: Organization logging settings do not use Customer-Managed Encryption Key (CMEK)', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set kms_key_name to a valid CMEK key, Format: projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME, Ensure the key exists and the logging service account has permissions']
Unique resource names in plan (google_logging_organization_settings): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed


Summary of policy checks:
Service: cloud_stackdriver_logging
  Resource: google_logging_log_scope
    Policy: resource_names - ✅
  Resource: google_logging_log_view_iam_binding
    Policy: role - ✅
    Policy: members - ✅
  Resource: google_logging_metric
    Policy: disabled - ✅
  Resource: google_logging_organization_settings
    Policy: cmek - ✅
  Resource: google_logging_project_bucket_config
    Policy: locked - ✅
    Policy: retention_days - ✅
    Policy: cmek_encryption - ✅
  Resource: google_logging_project_exclusion
    Policy: filter - ✅
    Policy: disabled - ✅
  Resource: google_logging_project_sink
    Policy: unique_writer_identity - ✅
    Policy: destination - ✅


OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_report_config.disable_force_destroy.message
Total google storage insights report config detected: 2 
['Situation 1: Force destroy should not be enabled because it may delete report details', 'Non-Compliant Resources: nc', 'Potential Remedies: Set force_destroy to false']
Unique resource names in plan (google_storage_insights_report_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_report_config.allowed_location.message
Total google storage insights report config detected: 2 
['Situation 1: Storage Insights ReportConfig should be created only in approved Australian regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Use australia-southeast1 or australia-southeast2 as the report config location']
Unique resource names in plan (google_storage_insights_report_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_report_config.allowed_destination_bucket.message
Total google storage insights report config detected: 2 
['Situation 1: Inventory reports should be stored only in approved destination buckets', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved secure destination bucket']
Unique resource names in plan (google_storage_insights_report_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_report_config.allowed_source_bucket.message
Total google storage insights report config detected: 2 
['Situation 1: Inventory reports should only be generated from approved source buckets', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved source buckets in storage_filters.bucket, Avoid using unapproved or public buckets as data sources']
Unique resource names in plan (google_storage_insights_report_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_report_config.require_csv_headers.message
Total google storage insights report config detected: 2 
['Situation 1: CSV inventory reports should include headers for readability and auditability', 'Non-Compliant Resources: nc', 'Potential Remedies: Set csv_options.header_required to true']
Unique resource names in plan (google_storage_insights_report_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_report_config.allowed_report_frequency.message
Total google storage insights report config detected: 2 
['Situation 1: Inventory reports should not be generated too frequently unless approved', 'Non-Compliant Resources: nc', 'Potential Remedies: Use WEEKLY report frequency to reduce unnecessary report generation and data exposure']
Unique resource names in plan (google_storage_insights_report_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_report_config.approved_destination_path.message
Total google storage insights report config detected: 2 
['Situation 1: Inventory reports should be stored in an approved destination path', 'Non-Compliant Resources: nc', 'Potential Remedies: Use storage-insights-reports as the destination path']
Unique resource names in plan (google_storage_insights_report_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_report_config.allowed_metadata_fields.message
Total google storage insights report config detected: 2 
['Situation 1: Inventory reports should include only approved metadata fields', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved metadata fields such as bucket, name, and project']
Unique resource names in plan (google_storage_insights_report_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_dataset_config.disable_organization_scope.message
Total google storage insights dataset config detected: 2 
['Situation 1: Organization-wide scope can collect data from too many projects', 'Non-Compliant Resources: nc', 'Potential Remedies: Set organization_scope to false unless organisation-wide monitoring is formally approved']
Unique resource names in plan (google_storage_insights_dataset_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_dataset_config.allowed_location.message
Total google storage insights dataset config detected: 2 
['Situation 1: Storage Insights DatasetConfig should be created only in approved Australian regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Use australia-southeast1 or australia-southeast2 as the DatasetConfig location']
Unique resource names in plan (google_storage_insights_dataset_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_dataset_config.restrict_newly_created_buckets.message
Total google storage insights dataset config detected: 2 
['Situation 1: Newly created buckets should not be automatically included without review', 'Non-Compliant Resources: nc', 'Potential Remedies: Set include_newly_created_buckets to false, Manually review and approve buckets before including them']
Unique resource names in plan (google_storage_insights_dataset_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_dataset_config.prevent_auto_link_dataset.message
Total google storage insights dataset config detected: 2 
['Situation 1: Dataset should not be automatically linked without approval', 'Non-Compliant Resources: nc', 'Potential Remedies: Set link_dataset to false, Link datasets only after access and exposure risks are reviewed']
Unique resource names in plan (google_storage_insights_dataset_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_dataset_config.secure_identity_type.message
Total google storage insights dataset config detected: 2 
['Situation 1: DatasetConfig should use a dedicated per-config identity', 'Non-Compliant Resources: nc', 'Potential Remedies: Use IDENTITY_TYPE_PER_CONFIG to reduce shared identity risk']
Unique resource names in plan (google_storage_insights_dataset_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_storage_insights.google_storage_insights_dataset_config.allowed_cloud_storage_locations.message
Total google storage insights dataset config detected: 2 
['Situation 1: Only approved Cloud Storage locations should be included in the DatasetConfig', 'Non-Compliant Resources: nc', 'Potential Remedies: Use approved Australian Cloud Storage locations only']
Unique resource names in plan (google_storage_insights_dataset_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_storage_insights
  Resource: google_storage_insights_dataset_config
    Policy: disable_organization_scope - ✅
    Policy: allowed_location - ✅
    Policy: restrict_newly_created_buckets - ✅
    Policy: prevent_auto_link_dataset - ✅
    Policy: secure_identity_type - ✅
    Policy: allowed_cloud_storage_locations - ✅
  Resource: google_storage_insights_report_config
    Policy: disable_force_destroy - ✅
    Policy: allowed_location - ✅
    Policy: allowed_destination_bucket - ✅
    Policy: allowed_source_bucket - ✅
    Policy: require_csv_headers - ✅
    Policy: allowed_report_frequency - ✅
    Policy: approved_destination_path - ✅
    Policy: allowed_metadata_fields - ✅


OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_iam_policy.workstation_config_id.message
Total cloud workstation iam policy detected: 2 
['Situation 1: IAM policy must be in a correct workstation config', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_config_id to workstation-config ']
Unique resource names in plan (google_workstations_workstation_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_iam_policy.role.message
Total cloud workstation iam policy detected: 2 
['Situation 1: IAM policy must not grant overly broad roles like Owner or Editor', 'Non-Compliant Resources: nc', 'Potential Remedies: remove roles/owner and roles/editor from IAM policy ']
Unique resource names in plan (google_workstations_workstation_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_iam_policy.workstation_cluster_id.message
Total cloud workstation iam policy detected: 2 
['Situation 1: IAM policy must be in a correct workstation cluster', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_cluster_id to workstation-cluster ']
Unique resource names in plan (google_workstations_workstation_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_member.member.message
Total cloud workstation config iam member detected: 2 
['Situation 1: grants access to broad IAM principals', 'Non-Compliant Resources: nc', 'Potential Remedies: remove allUsers and allAuthenticatedUsers from member']
Unique resource names in plan (google_workstations_workstation_config_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_member.role.message
Total cloud workstation config iam member detected: 2 
['Situation 1:  grants access to broad IAM roles ', 'Non-Compliant Resources: nc', 'Potential Remedies: use least privilege role such as role/viewer']
Unique resource names in plan (google_workstations_workstation_config_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.workstation_config_id.message
Total cloud workstation config detected: 2 
['Situation 1: is using an unapproved workstation config id ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the workstation_config_id to workstation-config']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.location.message
Total cloud workstation config detected: 2 
['Situation 1: is deployed in a location outside of the approved region ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the location to us-central1']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.machine_type.message
Total cloud workstation config detected: 2 
['Situation 1: is using an unapproved machine type ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the machine_type to e2-standard-4']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.workstation_cluster_id.message
Total cloud workstation config detected: 2 
['Situation 1: is linked to an unapproved workstation cluster id ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the workstation_cluster_id to workstation-cluster']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.disable_public_ip_addresses.message
Total cloud workstation config detected: 2 
['Situation 1: has public IP addresses enabled ', 'Non-Compliant Resources: nc', 'Potential Remedies: set disable_public_ip_addresses to true  ']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_policy.role.message
Total cloud workstation config iam policy detected: 2 
['Situation 1: policy_data grants access to broad IAM roles ', 'Non-Compliant Resources: nc', 'Potential Remedies: remove roles/owner and roles/editor from IAM policy ']
Unique resource names in plan (google_workstations_workstation_config_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_policy.policy_data.message
Total cloud workstation config iam policy detected: 2 
['Situation 1: policy_data grants access to broad IAM principals ', 'Non-Compliant Resources: nc', 'Potential Remedies: remove allUsers and allAuthenticatedUsers from policy_data']
Unique resource names in plan (google_workstations_workstation_config_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.location.message
Total cloud workstation cluster detected: 2 
['Situation 1: is  deployed in a location outside of the approved region ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the location to us-central1 ']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.labels.message
Total cloud workstation cluster detected: 2 
['Situation 1: is missing or has an invalid label value  ', 'Non-Compliant Resources: nc', "Potential Remedies: set labels.label to 'key'  "]
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.network.message
Total cloud workstation cluster detected: 2 
['Situation 1: is  deployed in an unapproved network ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the network to an approved vpc network ']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.workstation_cluster_id.message
Total cloud workstation cluster detected: 2 
['Situation 1: is using an unapproved workstation cluster id ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the workstation_cluster_id to workstation-cluster ']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.project.message
Total cloud workstation cluster detected: 2 
['Situation 1: is deployed in an unapproved project ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the project 925810350503']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_binding.member.message
Total cloud workstation config iam binding detected: 2 
['Situation 1: grants access to broad IAM principals', 'Non-Compliant Resources: nc', 'Potential Remedies: remove allUsers and allAuthenticatedUsers from member']
Unique resource names in plan (google_workstations_workstation_config_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_binding.role.message
Total cloud workstation config iam binding detected: 2 
['Situation 1: grants access using a role that is not approved for Workstation Config IAM binding', 'Non-Compliant Resources: nc', 'Potential Remedies: use least privilege role such as role/viewer']
Unique resource names in plan (google_workstations_workstation_config_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.workstation_config_id.message
Total cloud workstation detected: 2 
['Situation 1: is linked to an unapproved workstation config', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_config_id to workstation-config ']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.location.message
Total cloud workstation detected: 2 
['Situation 1: is deployed in a location outside of the approved region', 'Non-Compliant Resources: nc', 'Potential Remedies: change the location to us-central1']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.workstation_id.message
Total cloud workstation detected: 2 
['Situation 1: is using an unapproved workstation_id', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_id to work-station ']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.workstation_cluster_id.message
Total cloud workstation detected: 2 
['Situation 1: is in an unapproved workstation cluster', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_cluster_id to workstation-cluster ']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_workstations
  Resource: google_workstations_workstation
    Policy: workstation_config_id - ✅
    Policy: location - ✅
    Policy: workstation_id - ✅
    Policy: workstation_cluster_id - ✅
  Resource: google_workstations_workstation_cluster
    Policy: location - ✅
    Policy: labels - ✅
    Policy: network - ✅
    Policy: workstation_cluster_id - ✅
    Policy: project - ✅
  Resource: google_workstations_workstation_config
    Policy: workstation_config_id - ✅
    Policy: location - ✅
    Policy: machine_type - ✅
    Policy: workstation_cluster_id - ✅
    Policy: disable_public_ip_addresses - ✅
  Resource: google_workstations_workstation_config_iam_binding
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_workstations_workstation_config_iam_member
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_workstations_workstation_config_iam_policy
    Policy: role - ✅
    Policy: policy_data - ✅
  Resource: google_workstations_workstation_iam_policy
    Policy: workstation_config_id - ✅
    Policy: role - ✅
    Policy: workstation_cluster_id - ✅


OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.username.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Cluster admin access is assigned to an unapproved admin user.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use an approved organisation-managed user identity such as user@deakin.edu.au.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.proxy_secret_arn.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Control plane proxy configuration references an unapproved AWS Secrets Manager secret.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use the approved proxy secret ARN.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.security_group_ids.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Control plane replicas are using unapproved AWS security groups.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use only approved security group IDs for control plane replicas.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.location.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Container AWS cluster metadata is stored outside an approved Australia Google Cloud region.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use australia-southeast1 for Google Cloud data residency.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.evaluation_mode.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Binary Authorization is not enforcing the approved policy.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Set binary_authorization evaluation_mode to PROJECT_SINGLETON_POLICY_ENFORCE.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.version.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Control plane is running an unapproved Kubernetes version.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use an approved supported Kubernetes version.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.main_kms_key_arn.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Control plane main volume is encrypted with an unapproved AWS KMS key.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use the approved customer-managed KMS key ARN for the main EBS volume.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.aws_region.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Container AWS cluster is deployed outside an approved Australia AWS region.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use ap-southeast-2 for AWS data residency.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.enable_components.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Cluster logging is using unapproved enabled components.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Enable only SYSTEM_COMPONENTS and WORKLOADS in logging_config.component_config.enable_components.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.vpc_id.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Cluster is associated with an unapproved AWS VPC.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use the approved VPC for cluster networking.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.per_node_pool_sg_rules_disabled.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Managed per-node-pool security group rules are disabled.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Keep per_node_pool_sg_rules_disabled set to false unless approved replacement rules are in place.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.group.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Cluster admin access is assigned to an unapproved admin group.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use an approved Deakin admin group such as group@deakin.edu.au.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.iam_instance_profile.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Control plane replicas are using an unapproved IAM instance profile.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use the approved least-privilege IAM instance profile for control plane replicas.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.role_arn.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Anthos Multi-Cloud API is configured to assume an unapproved AWS IAM role.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use the approved AWS service role ARN.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.subnet_ids.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Control plane replicas are placed in unapproved subnets.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use only approved private subnets for control plane replicas.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.ec2_key_pair.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Control plane SSH access is configured with an unapproved EC2 key pair.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use an approved managed EC2 key pair for SSH access.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.database_kms_key_arn.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Cluster secrets are encrypted with an unapproved AWS KMS key.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use the approved customer-managed KMS key ARN for database encryption.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.root_kms_key_arn.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Control plane root volume is encrypted with an unapproved AWS KMS key.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use the approved customer-managed KMS key ARN for the root EBS volume.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_cluster.config_kms_key_arn.message
Total Google Container AWS Cluster detected: 2 
['Situation 1: Cluster configuration is encrypted with an unapproved AWS KMS key.', 'Non-Compliant Resources: google_container_aws_cluster.nc', 'Potential Remedies: Use the approved customer-managed KMS key ARN for cluster configuration encryption.']
Unique resource names in plan (google_container_aws_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_node_pool.proxy_secret_arn.message
Total Google Container AWS Node Pool detected: 2 
['Situation 1: Node pool proxy configuration references an unapproved AWS Secrets Manager secret.', 'Non-Compliant Resources: google_container_aws_node_pool.nc', 'Potential Remedies: Use the approved proxy secret ARN.']
Unique resource names in plan (google_container_aws_node_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_node_pool.security_group_ids.message
Total Google Container AWS Node Pool detected: 2 
['Situation 1: Node pool instances are using unapproved AWS security groups.', 'Non-Compliant Resources: google_container_aws_node_pool.nc', 'Potential Remedies: Use only approved security group IDs for node pool instances.']
Unique resource names in plan (google_container_aws_node_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_node_pool.location.message
Total Google Container AWS Node Pool detected: 2 
['Situation 1: Container AWS node pool metadata is stored outside an approved Australia Google Cloud region.', 'Non-Compliant Resources: google_container_aws_node_pool.nc', 'Potential Remedies: Use australia-southeast1 for Google Cloud data residency.']
Unique resource names in plan (google_container_aws_node_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_node_pool.version.message
Total Google Container AWS Node Pool detected: 2 
['Situation 1: Node pool is running an unapproved Kubernetes version.', 'Non-Compliant Resources: google_container_aws_node_pool.nc', 'Potential Remedies: Use an approved supported Kubernetes version.']
Unique resource names in plan (google_container_aws_node_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_node_pool.subnet_id.message
Total Google Container AWS Node Pool detected: 2 
['Situation 1: Node pool is placed in an unapproved subnet.', 'Non-Compliant Resources: google_container_aws_node_pool.nc', 'Potential Remedies: Use an approved private subnet for node pool placement.']
Unique resource names in plan (google_container_aws_node_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_node_pool.iam_instance_profile.message
Total Google Container AWS Node Pool detected: 2 
['Situation 1: Node pool is using an unapproved IAM instance profile.', 'Non-Compliant Resources: google_container_aws_node_pool.nc', 'Potential Remedies: Use an approved IAM instance profile for node pools.']
Unique resource names in plan (google_container_aws_node_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_node_pool.ec2_key_pair.message
Total Google Container AWS Node Pool detected: 2 
['Situation 1: Node pool SSH access is configured with an unapproved EC2 key pair.', 'Non-Compliant Resources: google_container_aws_node_pool.nc', 'Potential Remedies: Use an approved managed EC2 key pair for SSH access.']
Unique resource names in plan (google_container_aws_node_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_node_pool.root_kms_key_arn.message
Total Google Container AWS Node Pool detected: 2 
['Situation 1: Node pool root volume is encrypted with an unapproved AWS KMS key.', 'Non-Compliant Resources: google_container_aws_node_pool.nc', 'Potential Remedies: Use the approved customer-managed KMS key ARN for the root EBS volume.']
Unique resource names in plan (google_container_aws_node_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.containeraws.google_container_aws_node_pool.config_kms_key_arn.message
Total Google Container AWS Node Pool detected: 2 
['Situation 1: Node pool configuration is encrypted with an unapproved AWS KMS key.', 'Non-Compliant Resources: google_container_aws_node_pool.nc', 'Potential Remedies: Use the approved customer-managed KMS key ARN for node pool configuration encryption.']
Unique resource names in plan (google_container_aws_node_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: containeraws
  Resource: google_container_aws_cluster
    Policy: username - ✅
    Policy: proxy_secret_arn - ✅
    Policy: security_group_ids - ✅
    Policy: location - ✅
    Policy: evaluation_mode - ✅
    Policy: version - ✅
    Policy: main_kms_key_arn - ✅
    Policy: aws_region - ✅
    Policy: enable_components - ✅
    Policy: vpc_id - ✅
    Policy: per_node_pool_sg_rules_disabled - ✅
    Policy: group - ✅
    Policy: iam_instance_profile - ✅
    Policy: role_arn - ✅
    Policy: subnet_ids - ✅
    Policy: ec2_key_pair - ✅
    Policy: database_kms_key_arn - ✅
    Policy: root_kms_key_arn - ✅
    Policy: config_kms_key_arn - ✅
  Resource: google_container_aws_node_pool
    Policy: proxy_secret_arn - ✅
    Policy: security_group_ids - ✅
    Policy: location - ✅
    Policy: version - ✅
    Policy: subnet_id - ✅
    Policy: iam_instance_profile - ✅
    Policy: ec2_key_pair - ✅
    Policy: root_kms_key_arn - ✅
    Policy: config_kms_key_arn - ✅


OPA check: data.terraform.gcp.security.dataflow.google_dataflow_job.kms_key_name.message
Total Dataflow Job detected: 2 
['Situation 1: Dataflow job does not use a customer-managed encryption key (CMEK) for data encryption.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'kms_key_name' to a valid Cloud KMS key in the format 'projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY'."]
Unique resource names in plan (google_dataflow_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_job.ip_configuration.message
Total Dataflow Job detected: 2 
['Situation 1: Dataflow job workers are assigned public IP addresses, increasing attack surface.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'ip_configuration' to 'WORKER_IP_PRIVATE' to ensure workers use private IPs only."]
Unique resource names in plan (google_dataflow_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_job.on_delete.message
Total Dataflow Job detected: 2 
["Situation 1: Dataflow job on_delete is set to 'cancel' which immediately terminates the job without processing in-flight data, risking data loss.", 'Non-Compliant Resources: nc', "Potential Remedies: Set 'on_delete' to 'drain' to ensure in-flight data is fully processed before job termination."]
Unique resource names in plan (google_dataflow_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_job.network.message
Total Dataflow Job detected: 2 
['Situation 1: Dataflow job uses the default VPC network which lacks proper firewall rules and network segmentation.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'network' to a dedicated VPC network with appropriate security controls."]
Unique resource names in plan (google_dataflow_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_job.service_account_email.message
Total Dataflow Job detected: 2 
['Situation 1: Dataflow job does not specify a dedicated service account, defaulting to the Compute Engine default SA which has overly broad permissions.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'service_account_email' to a dedicated service account with least-privilege permissions."]
Unique resource names in plan (google_dataflow_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_job.enable_streaming_engine.message
Total Dataflow Job detected: 2 
['Situation 1: Dataflow job does not have Streaming Engine enabled, increasing the number of worker VMs and persistent disks required.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'enable_streaming_engine' to 'true' to offload pipeline execution to the managed Dataflow service backend."]
Unique resource names in plan (google_dataflow_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_flex_template_job.kms_key_name.message
Total Dataflow Flex Template Job detected: 2 
['Situation 1: Dataflow Flex Template job does not use a customer-managed encryption key (CMEK) for data encryption.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'kms_key_name' to a valid Cloud KMS key in the format 'projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY'."]
Unique resource names in plan (google_dataflow_flex_template_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_flex_template_job.ip_configuration.message
Total Dataflow Flex Template Job detected: 2 
['Situation 1: Dataflow Flex Template job workers are assigned public IP addresses, increasing attack surface.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'ip_configuration' to 'WORKER_IP_PRIVATE' to ensure workers use private IPs only."]
Unique resource names in plan (google_dataflow_flex_template_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_flex_template_job.network.message
Total Dataflow Flex Template Job detected: 2 
['Situation 1: Dataflow Flex Template job uses the default VPC network which lacks proper firewall rules and network segmentation.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'network' to a dedicated VPC network with appropriate security controls."]
Unique resource names in plan (google_dataflow_flex_template_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_flex_template_job.service_account_email.message
Total Dataflow Flex Template Job detected: 2 
['Situation 1: Dataflow Flex Template job does not specify a dedicated service account, defaulting to the Compute Engine default SA which has overly broad permissions.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'service_account_email' to a dedicated service account with least-privilege permissions."]
Unique resource names in plan (google_dataflow_flex_template_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.dataflow.google_dataflow_flex_template_job.enable_streaming_engine.message
Total Dataflow Flex Template Job detected: 2 
['Situation 1: Dataflow Flex Template job does not have Streaming Engine enabled, increasing the number of worker VMs and persistent disks required.', 'Non-Compliant Resources: nc', "Potential Remedies: Set 'enable_streaming_engine' to 'true' to offload pipeline execution to the managed Dataflow service backend."]
Unique resource names in plan (google_dataflow_flex_template_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: dataflow
  Resource: google_dataflow_flex_template_job
    Policy: kms_key_name - ✅
    Policy: ip_configuration - ✅
    Policy: network - ✅
    Policy: service_account_email - ✅
    Policy: enable_streaming_engine - ✅
  Resource: google_dataflow_job
    Policy: kms_key_name - ✅
    Policy: ip_configuration - ✅
    Policy: on_delete - ✅
    Policy: network - ✅
    Policy: service_account_email - ✅
    Policy: enable_streaming_engine - ✅


OPA check: data.terraform.gcp.security.firebase_app_check.google_firebase_app_check_service_config.enforcement_mode.message
Total Firebase App Check Service Config detected: 2 
['Situation 1: Firebase App Check enforcement mode is not set to ENFORCED.', 'Non-Compliant Resources: nc', "Potential Remedies: Set enforcement_mode to 'ENFORCED' to actively reject unverified requests."]
Unique resource names in plan (google_firebase_app_check_service_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.firebase_app_check.google_firebase_app_check_recaptcha_v3_config.site_secret.message
Total Firebase App Check reCAPTCHA v3 Config detected: 4 
['Situation 1: Firebase reCAPTCHA v3 site_secret must be stored in Secret Manager, not left empty or null.', 'Non-Compliant Resources: nc, nc2', "Potential Remedies: Store the site secret in Secret Manager and reference it as 'projects/<project>/secrets/<secret>'."]
Unique resource names in plan (google_firebase_app_check_recaptcha_v3_config): 4
Names mentioned in output: 2
 Missing mentions: c, c2
Check passed

OPA check: data.terraform.gcp.security.firebase_app_check.google_firebase_app_check_device_check_config.token_ttl.message
Total Firebase App Check DeviceCheck Config detected: 2 
['Situation 1: Firebase DeviceCheck token_ttl must be between 1800s (30 min) and 86400s (24 hours) to balance usability and security.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set token_ttl to a value between 1800s and 86400s. Example: 3600s (1 hour).']
Unique resource names in plan (google_firebase_app_check_device_check_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.firebase_app_check.google_firebase_app_check_device_check_config.private_key.message
Total Firebase App Check DeviceCheck Config detected: 4 
['Situation 1: Firebase DeviceCheck private_key must be stored in Secret Manager, not left empty or null.', 'Non-Compliant Resources: nc, nc2', "Potential Remedies: Store the private key in Secret Manager and reference it as 'projects/<project>/secrets/<secret>'."]
Unique resource names in plan (google_firebase_app_check_device_check_config): 4
Names mentioned in output: 2
 Missing mentions: c, c2
Check passed

OPA check: data.terraform.gcp.security.firebase_app_check.google_firebase_app_check_app_attest_config.token_ttl.message
Total Firebase App Check App Attest Config detected: 2 
['Situation 1: Firebase App Attest token_ttl must be between 1800s (30 min) and 86400s (24 hours) to balance usability and security.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set token_ttl to a value between 1800s and 86400s. Example: 3600s (1 hour).']
Unique resource names in plan (google_firebase_app_check_app_attest_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: firebase_app_check
  Resource: google_firebase_app_check_app_attest_config
    Policy: token_ttl - ✅
  Resource: google_firebase_app_check_device_check_config
    Policy: token_ttl - ✅
    Policy: private_key - ✅
  Resource: google_firebase_app_check_recaptcha_v3_config
    Policy: site_secret - ✅
  Resource: google_firebase_app_check_service_config
    Policy: enforcement_mode - ✅


OPA check: data.terraform.gcp.security.google_endpoints.google_endpoints_consumers_iam.role.message
Total Google Cloud Endpoints consumers IAM binding detected: 2 
['Situation 1: Google Cloud Endpoints consumers IAM role is not set to the approved service consumer role.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set role to roles/servicemanagement.serviceConsumer.']
Unique resource names in plan (google_endpoints_service_consumers_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_endpoints.google_endpoints_consumers_iam.members.message
Total Google Cloud Endpoints consumers IAM binding detected: 2 
['Situation 1: Google Cloud Endpoints consumers IAM members includes a principal outside the approved member types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved member types in members., Allow only user:, group:, or serviceAccount: principals.']
Unique resource names in plan (google_endpoints_service_consumers_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_endpoints.google_endpoints_service_iam.role.message
Total Google Cloud Endpoints service IAM binding detected: 2 
['Situation 1: Google Cloud Endpoints service IAM role uses a forbidden service agent role.', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove the service agent role from the IAM binding., Use a least-privilege non-service-agent role instead.']
Unique resource names in plan (google_endpoints_service_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_endpoints.google_endpoints_service.openapi_config.message
Total Google Cloud Endpoints service detected: 2 
['Situation 1: Google Cloud Endpoints service openapi_config does not enforce HTTPS.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set openapi_config to use https., Do not allow http in openapi_config.']
Unique resource names in plan (google_endpoints_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_endpoints.google_endpoints_service.service_name.message
Total Google Cloud Endpoints service detected: 2 
['Situation 1: Google Cloud Endpoints service_name does not use an approved Cloud Endpoints domain.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set service_name to the approved Cloud Endpoints domain for this API., Use a Google-managed Cloud Endpoints domain such as api.endpoints.my-project-123.cloud.goog., Do not use generic or external domains such as api.example.com for service_name.']
Unique resource names in plan (google_endpoints_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: google_endpoints
  Resource: google_endpoints_consumers_iam
    Policy: role - ✅
    Policy: members - ✅
  Resource: google_endpoints_service
    Policy: openapi_config - ✅
    Policy: service_name - ✅
  Resource: google_endpoints_service_iam
    Policy: role - ✅


OPA check: data.terraform.gcp.security.transcoder.google_transcoder_job_template.allowed_project.message
Total Transcoder Job Template detected: 2 
['Situation 1: Transcoder job template is created in an unapproved Google Cloud project.', 'Non-Compliant Resources: google_transcoder_job_template.nc', "Potential Remedies: Set the transcoder job template project to 'my-project-name'., Create transcoder job templates only in approved and managed Google Cloud projects."]
Unique resource names in plan (google_transcoder_job_template): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.transcoder.google_transcoder_job_template.allowed_location.message
Total Transcoder Job Template detected: 2 
['Situation 1: Transcoder job template location is outside the approved Australian region.', 'Non-Compliant Resources: google_transcoder_job_template.nc', "Potential Remedies: Set the transcoder job template location to 'australia-southeast1'., Use approved Australian regions to support data residency and regional governance requirements."]
Unique resource names in plan (google_transcoder_job_template): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.transcoder.google_transcoder_job_template.mandatory_labels.message
Total Transcoder Job Template detected: 2 
['Situation 1: Transcoder job template is missing the required environment label.', 'Non-Compliant Resources: google_transcoder_job_template.nc', "Potential Remedies: Add the label 'environment' with the approved value 'dev'., Use environment labels to support auditing, ownership tracking, incident response, and dev/test/prod separation."]
Unique resource names in plan (google_transcoder_job_template): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.transcoder.google_transcoder_job.allowed_project.message
Total Transcoder Job detected: 2 
['Situation 1: Transcoder job is created in an unapproved Google Cloud project.', 'Non-Compliant Resources: google_transcoder_job.nc', "Potential Remedies: Set the transcoder job project to 'my-project-name'., Create transcoder jobs only in approved and managed Google Cloud projects."]
Unique resource names in plan (google_transcoder_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.transcoder.google_transcoder_job.allowed_template_id.message
Total Transcoder Job detected: 2 
['Situation 1: Transcoder job is using an unapproved template ID.', 'Non-Compliant Resources: google_transcoder_job.nc', "Potential Remedies: Set the transcoder job template_id to 'preset/web-hd'., Use only approved transcoder templates to avoid unsafe or unreviewed job configurations."]
Unique resource names in plan (google_transcoder_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.transcoder.google_transcoder_job.allowed_location.message
Total Transcoder Job detected: 2 
['Situation 1: Transcoder job location is outside the approved Australian region.', 'Non-Compliant Resources: google_transcoder_job.nc', "Potential Remedies: Set the transcoder job location to 'australia-southeast1'., Use approved Australian regions to support data residency and regional governance requirements."]
Unique resource names in plan (google_transcoder_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.transcoder.google_transcoder_job.mandatory_labels.message
Total Transcoder Job detected: 2 
['Situation 1: Transcoder job is missing the required environment label.', 'Non-Compliant Resources: google_transcoder_job.nc', "Potential Remedies: Add the label 'environment' with the approved value 'dev'., Use environment labels to support auditing, ownership tracking, incident response, and dev/test/prod separation."]
Unique resource names in plan (google_transcoder_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: transcoder
  Resource: google_transcoder_job
    Policy: allowed_project - ✅
    Policy: allowed_template_id - ✅
    Policy: allowed_location - ✅
    Policy: mandatory_labels - ✅
  Resource: google_transcoder_job_template
    Policy: allowed_project - ✅
    Policy: allowed_location - ✅
    Policy: mandatory_labels - ✅


OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance_iam_binding.role.message
Total Vertex AI Workbench Instance IAM Binding detected: 2 
['Situation 1: Ensure overly permissive IAM roles are not granted on the Workbench instance. roles/owner and roles/editor grant excessive access beyond what is needed.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use least-privilege roles such as roles/notebooks.viewer, roles/notebooks.runner, or roles/notebooks.admin instead of roles/owner or roles/editor.']
Unique resource names in plan (google_workbench_instance_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance_iam_binding.members.message
Total Vertex AI Workbench Instance IAM Binding detected: 2 
['Situation 1: Ensure IAM bindings do not grant public access. allUsers and allAuthenticatedUsers expose the notebook instance to anyone on the internet.', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove allUsers and allAuthenticatedUsers from the members list. Grant access to specific users, groups, or service accounts only.']
Unique resource names in plan (google_workbench_instance_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance_iam_member.role.message
Total Vertex AI Workbench Instance IAM Member detected: 2 
['Situation 1: Ensure overly permissive IAM roles are not granted on the Workbench instance. roles/owner and roles/editor grant excessive access beyond what is needed.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use least-privilege roles such as roles/notebooks.viewer, roles/notebooks.runner, or roles/notebooks.admin instead of roles/owner or roles/editor.']
Unique resource names in plan (google_workbench_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance_iam_member.members.message
Total Vertex AI Workbench Instance IAM Member detected: 2 
['Situation 1: Ensure IAM member does not grant public access. allUsers and allAuthenticatedUsers expose the notebook instance to anyone on the internet.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set member to a specific user, group, or service account (e.g. user:name@example.com) instead of allUsers or allAuthenticatedUsers.']
Unique resource names in plan (google_workbench_instance_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.block_project_ssh_keys.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure project-wide SSH keys are blocked. Allowing them means any project member with SSH key access can reach the instance, bypassing IAM controls.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.metadata["block-project-ssh-keys"] to "true".']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.tags.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure network tags are applied. Tags are used to target VPC firewall rules. Without them, the instance may not be subject to the correct network security controls.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.tags to include approved network tags (e.g. ["notebook-restricted", "no-internet"]).']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.notebook_disable_terminal.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure terminal access is disabled via metadata. The JupyterLab terminal provides direct shell access to the VM, bypassing notebook-level controls.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.metadata["notebook-disable-terminal"] to "true".']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.enable_third_party_identity.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure third-party identity provider access is disabled. Enabling it broadens the trust boundary beyond Google Cloud IAM, introducing federated authentication risks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enable_third_party_identity to false or omit the field (defaults to false).']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.enable_vtpm.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure vTPM is enabled. vTPM provides measured boot integrity validation and supports disk encryption key protection.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.shielded_instance_config.enable_vtpm to true.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.boot_disk_kms_key.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure a KMS key is specified for the boot disk. Without it, CMEK cannot be applied and encryption falls back to GMEK.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.boot_disk.kms_key to a valid Cloud KMS key path.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.notebook_disable_downloads.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure file downloads are disabled via metadata. Unrestricted downloads can be used to exfiltrate data or introduce malicious files.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.metadata["notebook-disable-downloads"] to "true".']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.email.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure a custom service account is specified. If omitted, the VM uses the default Compute Engine SA which has the Editor role on the entire project.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.service_accounts.email to a dedicated, least-privilege service account.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.enable_ip_forwarding.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure IP forwarding is disabled. A notebook has no legitimate need to route traffic. Enabling it allows lateral movement between networks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.enable_ip_forwarding to false or omit the field (defaults to false).']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.idle_timeout_seconds.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure an idle timeout is configured. Without it, abandoned instances run indefinitely, increasing cost and attack surface.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.metadata["idle-timeout-seconds"] to a value (e.g. "3600" for 1 hour).']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.confidential_instance_type.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure Confidential VM is configured. Confidential VMs use AMD SEV to encrypt memory at runtime, protecting data-in-use from hypervisor-level attacks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.confidential_instance_config.confidential_instance_type to SEV with a compatible machine type (e.g. n2d-standard-*).']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.data_disk_kms_key.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure a KMS key is specified for the data disk. Without it, CMEK cannot be applied and encryption falls back to GMEK.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.data_disks.kms_key to a valid Cloud KMS key path.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.subnet.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure a subnet is explicitly specified. If omitted, GCP auto-selects a subnet which may place the instance in an uncontrolled network segment.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.network_interfaces.subnet to an approved subnet resource.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.instance_owners.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure instance_owners is specified to enforce single-user access. If omitted, all service account users can access the notebook.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set instance_owners to a list containing the authorised user email (e.g. ["user@example.com"]).']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.disable_public_ip.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure the Workbench instance does not have a public IP assigned. Public IPs expose the notebook VM directly to the internet, creating an attack surface for unauthorised access, data exfiltration, and cryptojacking. This setting is immutable after instance creation and cannot be changed without destroying and recreating the instance.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.disable_public_ip to true to enforce private-only networking. Ensure the VPC subnet has Private Google Access enabled so the instance can still reach Google APIs. Use the Workbench proxy or Identity-Aware Proxy (IAP) for secure user access to JupyterLab.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.disable_proxy_access.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure the Workbench proxy is not disabled. The proxy enforces IAM authentication to JupyterLab. Disabling it removes this access control layer.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set disable_proxy_access to false or omit the field (defaults to false).']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.notebook_disable_root.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure root access is disabled via metadata. Running notebooks as root increases the blast radius of any code execution vulnerability.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.metadata["notebook-disable-root"] to "true".']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.enable_integrity_monitoring.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure Integrity Monitoring is enabled. It detects runtime boot sequence tampering that may indicate rootkit or bootkit compromise.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.shielded_instance_config.enable_integrity_monitoring to true.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.boot_disk_disk_encryption.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure the boot disk uses CMEK encryption. The default (GMEK) provides no key revocation capability during incidents. This setting is immutable after creation.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.boot_disk.disk_encryption to CMEK and provide a valid KMS key in gce_setup.boot_disk.kms_key.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.enable_managed_euc.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure managed end-user credentials (EUC) are enabled. Without EUC, API calls use the VM service account identity and audit logs will not reflect the actual user.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enable_managed_euc to true.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.network.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure the instance is deployed into an approved VPC, not the default network. The default VPC has overly permissive firewall rules.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.network_interfaces.network to an approved VPC network resource.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.data_disk_disk_encryption.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure the data disk uses CMEK encryption. Data disks store notebooks, datasets, and model outputs which may contain sensitive information.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.data_disks.disk_encryption to CMEK and provide a valid KMS key in gce_setup.data_disks.kms_key.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vertex_ai_workbench.google_workbench_instance.enable_secure_boot.message
Total Vertex AI Workbench Instance detected: 2 
['Situation 1: Ensure Secure Boot is enabled. Disabled by default, without it the VM can execute unsigned boot code, enabling rootkits and bootkits.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set gce_setup.shielded_instance_config.enable_secure_boot to true.']
Unique resource names in plan (google_workbench_instance): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: vertex_ai_workbench
  Resource: google_workbench_instance
    Policy: block_project_ssh_keys - ✅
    Policy: tags - ✅
    Policy: notebook_disable_terminal - ✅
    Policy: enable_third_party_identity - ✅
    Policy: enable_vtpm - ✅
    Policy: boot_disk_kms_key - ✅
    Policy: notebook_disable_downloads - ✅
    Policy: email - ✅
    Policy: enable_ip_forwarding - ✅
    Policy: idle_timeout_seconds - ✅
    Policy: confidential_instance_type - ✅
    Policy: data_disk_kms_key - ✅
    Policy: subnet - ✅
    Policy: instance_owners - ✅
    Policy: disable_public_ip - ✅
    Policy: disable_proxy_access - ✅
    Policy: notebook_disable_root - ✅
    Policy: enable_integrity_monitoring - ✅
    Policy: boot_disk_disk_encryption - ✅
    Policy: enable_managed_euc - ✅
    Policy: network - ✅
    Policy: data_disk_disk_encryption - ✅
    Policy: enable_secure_boot - ✅
  Resource: google_workbench_instance_iam_binding
    Policy: role - ✅
    Policy: members - ✅
  Resource: google_workbench_instance_iam_member
    Policy: role - ✅
    Policy: members - ✅


OPA check: data.terraform.gcp.security.workflows.google_workflows_workflow.user_env_vars.message
Total Google Workflows Workflow detected: 2 
['Situation 1: User_env_vars is using a variable with hardcoded password or api_key', 'Non-Compliant Resources: nc', 'Potential Remedies: Store sensitive information using secret manager instead of in user_env_vars']
Unique resource names in plan (google_workflows_workflow): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.workflows.google_workflows_workflow.deletion_protection.message
Total Google Workflows Workflow detected: 2 
['Situation 1: Workflow does not have deletion protection or is set to false', 'Non-Compliant Resources: nc', 'Potential Remedies: Workflow should have deletion protection set to true']
Unique resource names in plan (google_workflows_workflow): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.workflows.google_workflows_workflow.service_account.message
Total Google Workflows Workflow detected: 2 
['Situation 1: Service_account is using default service account is in use', 'Non-Compliant Resources: nc', 'Potential Remedies: Configure and use a service account for the project']
Unique resource names in plan (google_workflows_workflow): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.workflows.google_workflows_workflow.region.message
Total Google Workflows Workflow detected: 2 
['Situation 1: Workflow is set from outside of australia', 'Non-Compliant Resources: nc', 'Potential Remedies: Workflow should be configured to a region in Australia']
Unique resource names in plan (google_workflows_workflow): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.workflows.google_workflows_workflow.call_log_level.message
Total Google Workflows Workflow detected: 2 
['Situation 1: Call_log_level is set to a highly priviledged level that may leak sensitive information', 'Non-Compliant Resources: nc', 'Potential Remedies: Call_log_level should be set to LOG_ERRORS_ONLY']
Unique resource names in plan (google_workflows_workflow): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.workflows.google_workflows_workflow.crypto_key_name.message
Total Google Workflows Workflow detected: 2 
['Situation 1: Crypto Key Name is not implemented', 'Non-Compliant Resources: None - All passed']
['Situation 2: Crypto Key Name is not configured with an allowed location', 'Non-Compliant Resources: nc', 'Potential Remedies: Crypto Key Name should be configured with the location set to a region from Australia']
Unique resource names in plan (google_workflows_workflow): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.workflows.google_workflows_workflow.execution_history_level.message
Total Google Workflows Workflow detected: 2 
['Situation 1: execution_history_level is set to a highly priviledged level that may leak sensitive information', 'Non-Compliant Resources: nc', 'Potential Remedies: Execution_history_level should be set to EXECUTION_HISTORY_BASIC']
Unique resource names in plan (google_workflows_workflow): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: workflows
  Resource: google_workflows_workflow
    Policy: user_env_vars - ✅
    Policy: deletion_protection - ✅
    Policy: service_account - ✅
    Policy: region - ✅
    Policy: call_log_level - ✅
    Policy: crypto_key_name - ✅
    Policy: execution_history_level - ✅


@github-actions github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 20, 2026
@JBarazani JBarazani assigned JBarazani and unassigned Shani1116 May 26, 2026
@JBarazani JBarazani requested review from JBarazani and removed request for Shani1116 May 26, 2026 05:36
@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.labels.message
Total Cloud Identity Group detected: 2 
["Situation 1: Cloud Identity Group must define the 'cloudidentity.googleapis.com/groups.discussion_forum' label with an empty value.", 'Non-Compliant Resources: nc', 'Potential Remedies: Set labels["cloudidentity.googleapis.com/groups.discussion_forum"] to an empty string.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.mandatory_labels.message
Total Cloud Identity Group detected: 2 
["Situation 1: Cloud Identity Group is missing mandatory label 'env'.", 'Non-Compliant Resources: nc', "Potential Remedies: Add the 'env' label to the group's labels block."]
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_identity.google_cloud_identity_group.display_name.message
Total Cloud Identity Group detected: 2 
['Situation 1: Cloud Identity Group is missing a display name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set display_name on the google_cloud_identity_group resource.']
Unique resource names in plan (google_cloud_identity_group): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_identity
  Resource: google_cloud_identity_group
    Policy: labels - ✅
    Policy: mandatory_labels - ✅
    Policy: display_name - ✅


@suraj01-don suraj01-don force-pushed the gcp/service/cloud_identity branch from 44f9f71 to 315bb6a Compare May 28, 2026 05:36
@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed


