Skip to content

Storage Transfer Service policies#402

Open
Mohmaed-AA00 wants to merge 10 commits into
devfrom
gcp/service/storage-transfer-service
Open

Storage Transfer Service policies#402
Mohmaed-AA00 wants to merge 10 commits into
devfrom
gcp/service/storage-transfer-service

Conversation

@Mohmaed-AA00
Copy link
Copy Markdown
Contributor

@Mohmaed-AA00 Mohmaed-AA00 commented May 13, 2026

No description provided.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 13, 2026

🔍 Documentation Check Failed

Status: ❌ CHECKS FAILED

⚠️ Your PR does not include documentation updates:

❌ No documentation changes found - please update docs for your assigned service

Please add or update documentation in the docs/gcp/ folder for your changes before this PR can be reviewed.

@github-actions github-actions Bot added the CI-Review-Required PR requires review due to failed CI checks label May 13, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 13, 2026

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.source_agent_pool_name.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is not using an approved source agent pool.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.role_arn.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job uses an AWS S3 source without an approved IAM role ARN.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.delete_objects_from_source_after_transfer.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job deletes objects from the source after transfer.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.overwrite_when.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is configured to always overwrite objects in the destination.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.Bandwidth_limit.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool is configured with an unsafe bandwidth limit.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.name.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool name does not follow the approved agent pool naming format.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc


Summary of policy checks:
Service: Storage_Transfer_Service
  Resource: google_storage_transfer_agent_pool
    Policy: Bandwidth_limit - ❌
    Policy: name - ❌
  Resource: google_storage_transfer_job
    Policy: source_agent_pool_name - ❌
    Policy: role_arn - ❌
    Policy: delete_objects_from_source_after_transfer - ❌
    Policy: overwrite_when - ❌


Failures:
Service: Storage_Transfer_Service | Resource: google_storage_transfer_agent_pool | Policy: Bandwidth_limit
Unmentioned resources other than 'c' found: nc

Service: Storage_Transfer_Service | Resource: google_storage_transfer_agent_pool | Policy: name
Unmentioned resources other than 'c' found: nc

Service: Storage_Transfer_Service | Resource: google_storage_transfer_job | Policy: source_agent_pool_name
Unmentioned resources other than 'c' found: nc

Service: Storage_Transfer_Service | Resource: google_storage_transfer_job | Policy: role_arn
Unmentioned resources other than 'c' found: nc

Service: Storage_Transfer_Service | Resource: google_storage_transfer_job | Policy: delete_objects_from_source_after_transfer
Unmentioned resources other than 'c' found: nc

Service: Storage_Transfer_Service | Resource: google_storage_transfer_job | Policy: overwrite_when
Unmentioned resources other than 'c' found: nc

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 13, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.source_agent_pool_name.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is not using an approved source agent pool.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.source_agent_pool_name to an approved agent pool., Use a controlled agent pool for transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.role_arn.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job uses an unapproved AWS IAM role ARN.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.aws_s3_data_source.role_arn to an approved IAM role ARN., Avoid using unapproved AWS IAM roles for Storage Transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.delete_objects_from_source_after_transfer.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job deletes objects from the source after transfer.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.transfer_options.delete_objects_from_source_after_transfer to false., Use a copy-based transfer instead of deleting source data automatically.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.overwrite_when.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is configured to always overwrite objects in the destination.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set overwrite_when to a safer value., Avoid unconditional overwriting of destination objects.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.Bandwidth_limit.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool is configured with an unsafe bandwidth limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set bandwidth_limit.limit_mbps to an approved lower value., Avoid excessive bandwidth allocations on transfer agent pools.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.name.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool uses a disallowed name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Storage Transfer agent pool name., Do not use disallowed agent pool identifiers.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Storage_Transfer_Service
  Resource: google_storage_transfer_agent_pool
    Policy: Bandwidth_limit - ✅
    Policy: name - ✅
  Resource: google_storage_transfer_job
    Policy: source_agent_pool_name - ✅
    Policy: role_arn - ✅
    Policy: delete_objects_from_source_after_transfer - ✅
    Policy: overwrite_when - ✅

@github-actions github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 13, 2026
jinglong857
jinglong857 reviewed May 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jinglong857 jinglong857 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Mohmaed-AA00, rosource_json is missing in your documentation. Please ensure to include them. Example for reference:
Image

@jinglong857 jinglong857 self-assigned this May 16, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 21, 2026

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.Bandwidth_limit.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool is configured with an unsafe bandwidth limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set bandwidth_limit.limit_mbps to an approved lower value., Avoid excessive bandwidth allocations on transfer agent pools.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.name.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool uses a disallowed name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Storage Transfer agent pool name., Do not use disallowed agent pool identifiers.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.delete_objects_from_source_after_transfer.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job deletes objects from the source after transfer.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.transfer_options.delete_objects_from_source_after_transfer to false., Use a copy-based transfer instead of deleting source data automatically.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.role_arn.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job uses an unapproved AWS IAM role ARN.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.aws_s3_data_source.role_arn to an approved IAM role ARN., Avoid using unapproved AWS IAM roles for Storage Transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.include_prefixes_required.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job does not restrict transfer scope with include_prefixes.', 'Non-Compliant Resources: noncompliant-transfer-job', 'Potential Remedies: Set object_conditions.include_prefixes to limit which objects are transferred.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.source_agent_pool_name.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is not using an approved source agent pool.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.source_agent_pool_name to an approved agent pool., Use a controlled agent pool for transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.overwrite_when.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is configured to always overwrite objects in the destination.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set overwrite_when to a safer value., Avoid unconditional overwriting of destination objects.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Storage_Transfer_Service
  Resource: google_storage_transfer_agent_pool
    Policy: Bandwidth_limit - ✅
    Policy: name - ✅
  Resource: google_storage_transfer_job
    Policy: delete_objects_from_source_after_transfer - ✅
    Policy: role_arn - ✅
    Policy: include_prefixes_required - ❌
    Policy: source_agent_pool_name - ✅
    Policy: overwrite_when - ✅


Failures:
Service: Storage_Transfer_Service | Resource: google_storage_transfer_job | Policy: include_prefixes_required
Unmentioned resources other than 'c' found: nc

@github-actions github-actions Bot added CI-Review-Required PR requires review due to failed CI checks and removed CI-Approved PR approved by CI checks labels May 21, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 21, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.Bandwidth_limit.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool is configured with an unsafe bandwidth limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set bandwidth_limit.limit_mbps to an approved lower value., Avoid excessive bandwidth allocations on transfer agent pools.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.name.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool uses a disallowed name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Storage Transfer agent pool name., Do not use disallowed agent pool identifiers.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.delete_objects_from_source_after_transfer.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job deletes objects from the source after transfer.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.transfer_options.delete_objects_from_source_after_transfer to false., Use a copy-based transfer instead of deleting source data automatically.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.role_arn.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job uses an unapproved AWS IAM role ARN.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.aws_s3_data_source.role_arn to an approved IAM role ARN., Avoid using unapproved AWS IAM roles for Storage Transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.source_agent_pool_name.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is not using an approved source agent pool.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.source_agent_pool_name to an approved agent pool., Use a controlled agent pool for transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.overwrite_when.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is configured to always overwrite objects in the destination.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set overwrite_when to a safer value., Avoid unconditional overwriting of destination objects.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Storage_Transfer_Service
  Resource: google_storage_transfer_agent_pool
    Policy: Bandwidth_limit - ✅
    Policy: name - ✅
  Resource: google_storage_transfer_job
    Policy: delete_objects_from_source_after_transfer - ✅
    Policy: role_arn - ✅
    Policy: source_agent_pool_name - ✅
    Policy: overwrite_when - ✅

@github-actions github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 21, 2026
@Mohmaed-AA00 Mohmaed-AA00 requested a review from jinglong857 May 21, 2026 13:13
jinglong857
jinglong857 requested changes May 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jinglong857 jinglong857 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Mohmaed-AA00, please complete your documentation and include the resource_json file in docs. Even your markdown is incomplete.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 24, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.Bandwidth_limit.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool is configured with an unsafe bandwidth limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set bandwidth_limit.limit_mbps to an approved lower value., Avoid excessive bandwidth allocations on transfer agent pools.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.name.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool uses a disallowed name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Storage Transfer agent pool name., Do not use disallowed agent pool identifiers.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.delete_objects_from_source_after_transfer.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job deletes objects from the source after transfer.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.transfer_options.delete_objects_from_source_after_transfer to false., Use a copy-based transfer instead of deleting source data automatically.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.role_arn.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job uses an unapproved AWS IAM role ARN.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.aws_s3_data_source.role_arn to an approved IAM role ARN., Avoid using unapproved AWS IAM roles for Storage Transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.source_agent_pool_name.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is not using an approved source agent pool.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.source_agent_pool_name to an approved agent pool., Use a controlled agent pool for transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.overwrite_when.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is configured to always overwrite objects in the destination.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set overwrite_when to a safer value., Avoid unconditional overwriting of destination objects.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Storage_Transfer_Service
  Resource: google_storage_transfer_agent_pool
    Policy: Bandwidth_limit - ✅
    Policy: name - ✅
  Resource: google_storage_transfer_job
    Policy: delete_objects_from_source_after_transfer - ✅
    Policy: role_arn - ✅
    Policy: source_agent_pool_name - ✅
    Policy: overwrite_when - ✅

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 24, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.Bandwidth_limit.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool is configured with an unsafe bandwidth limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set bandwidth_limit.limit_mbps to an approved lower value., Avoid excessive bandwidth allocations on transfer agent pools.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.name.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool uses a disallowed name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Storage Transfer agent pool name., Do not use disallowed agent pool identifiers.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.delete_objects_from_source_after_transfer.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job deletes objects from the source after transfer.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.transfer_options.delete_objects_from_source_after_transfer to false., Use a copy-based transfer instead of deleting source data automatically.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.role_arn.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job uses an unapproved AWS IAM role ARN.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.aws_s3_data_source.role_arn to an approved IAM role ARN., Avoid using unapproved AWS IAM roles for Storage Transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.source_agent_pool_name.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is not using an approved source agent pool.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.source_agent_pool_name to an approved agent pool., Use a controlled agent pool for transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.overwrite_when.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is configured to always overwrite objects in the destination.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set overwrite_when to a safer value., Avoid unconditional overwriting of destination objects.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Storage_Transfer_Service
  Resource: google_storage_transfer_agent_pool
    Policy: Bandwidth_limit - ✅
    Policy: name - ✅
  Resource: google_storage_transfer_job
    Policy: delete_objects_from_source_after_transfer - ✅
    Policy: role_arn - ✅
    Policy: source_agent_pool_name - ✅
    Policy: overwrite_when - ✅

@Mohmaed-AA00 Mohmaed-AA00 requested a review from jinglong857 May 24, 2026 18:16
jinglong857
jinglong857 requested changes May 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jinglong857 jinglong857 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Mohmaed-AA00, Thank you for providing the documentation but the json files must document all resource arguments, not just security-relevant ones. For attributes with no security impact, include them with security_impact: false and a rationale explaining why no policy was implemented. Do not delete them. Look at how other resources in the project handle this Please also address feedback mentioned below.

Comment thread docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_agent_pool.json Outdated
Comment thread .../gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/policy.rego Outdated
Comment thread policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/policy.rego Outdated
{
"condition": "Storage Transfer agent pool name must not use disallowed values.",
"attribute_path": ["name"],
"values": ["nc"],
Copy link
Copy Markdown
Contributor

@jinglong857 jinglong857 May 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The policy blacklists only the single value "nc". "nc" is the test resource label, not a meaningful unsafe pool name. A real name policy would enforce an approved naming convention, for example a pattern_blacklist for names starting with "goog" (which the Terraform docs explicitly prohibit), or a whitelist of approved name patterns.

Comment thread policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/policy.rego Outdated
{
"condition": "Storage Transfer job must not use an unapproved AWS IAM role ARN.",
"attribute_path": ["transfer_spec", 0, "aws_s3_data_source", 0, "role_arn"],
"values": ["arn:aws:iam::123456789012:role/unsafe-role"],
Copy link
Copy Markdown
Contributor

@jinglong857 jinglong857 May 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The blacklist contains only one specific ARN: "arn:aws:iam::123456789012:role/unsafe-role". Would be better to use a whitelist of approved ARN patterns

Comment thread docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_agent_pool.json Outdated
"security_impact": null,
"rationale": null,
"compliant": null,
"security_impact": false,
Copy link
Copy Markdown
Contributor

@jinglong857 jinglong857 May 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

name.security_impact: false contradicts an implemented policy. A policy was implemented for name, so security_impact should be true.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.Bandwidth_limit.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool is configured with an unsafe bandwidth limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set bandwidth_limit.limit_mbps to an approved lower value., Avoid excessive bandwidth allocations on transfer agent pools.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.name.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool uses an unapproved name.', 'Non-Compliant Resources: goog-agent-pool', 'Potential Remedies: Use an approved Storage Transfer agent pool name., Do not use reserved or unapproved agent pool names such as names starting with goog.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.delete_objects_from_source_after_transfer.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job deletes objects from the source after transfer.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.transfer_options.delete_objects_from_source_after_transfer to false., Use a copy-based transfer instead of deleting source data automatically.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.role_arn.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job uses an unapproved AWS IAM role ARN.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved AWS IAM role ARN for Storage Transfer jobs., Use a dedicated approved IAM role instead of an unapproved role.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.source_agent_pool_name.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is not using an approved source agent pool.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.source_agent_pool_name to an approved agent pool., Use a controlled agent pool for transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.overwrite_when.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is configured to always overwrite objects in the destination.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set overwrite_when to a safer value., Avoid unconditional overwriting of destination objects.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Storage_Transfer_Service
  Resource: google_storage_transfer_agent_pool
    Policy: Bandwidth_limit - ✅
    Policy: name - ❌
  Resource: google_storage_transfer_job
    Policy: delete_objects_from_source_after_transfer - ✅
    Policy: role_arn - ✅
    Policy: source_agent_pool_name - ✅
    Policy: overwrite_when - ✅


Failures:
Service: Storage_Transfer_Service | Resource: google_storage_transfer_agent_pool | Policy: name
Unmentioned resources other than 'c' found: nc

@github-actions github-actions Bot added CI-Review-Required PR requires review due to failed CI checks and removed CI-Approved PR approved by CI checks labels May 26, 2026
@github-actions github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 26, 2026
@Mohmaed-AA00 Mohmaed-AA00 requested a review from jinglong857 May 26, 2026 08:37
jinglong857
jinglong857 requested changes May 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jinglong857 jinglong857 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Mohmaed-AA00 , the auto policy check failed. Please address it and address my earlier feedback regarding documentation. Do not delete arguments that are not security relevant, include them with security_impact: false and rationale explaining why no policy was implemented.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 28, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.Bandwidth_limit.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool is configured with an unsafe bandwidth limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set bandwidth_limit.limit_mbps to an approved lower value., Avoid excessive bandwidth allocations on transfer agent pools.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.name.message
Total Storage Transfer agent pool detected: 2 
['Situation 1: Storage Transfer agent pool uses an unapproved name.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved Storage Transfer agent pool name., Do not use reserved or unapproved agent pool names such as names starting with goog.']
Unique resource names in plan (google_storage_transfer_agent_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.delete_objects_from_source_after_transfer.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job deletes objects from the source after transfer.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.transfer_options.delete_objects_from_source_after_transfer to false., Use a copy-based transfer instead of deleting source data automatically.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.role_arn.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job uses an unapproved AWS IAM role ARN.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an approved AWS IAM role ARN for Storage Transfer jobs., Use a dedicated approved IAM role instead of an unapproved role.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.source_agent_pool_name.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is not using an approved source agent pool.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set transfer_spec.source_agent_pool_name to an approved agent pool., Use a controlled agent pool for transfer jobs.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.overwrite_when.message
Total Storage Transfer job detected: 2 
['Situation 1: Storage Transfer job is configured to always overwrite objects in the destination.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set overwrite_when to a safer value., Avoid unconditional overwriting of destination objects.']
Unique resource names in plan (google_storage_transfer_job): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Storage_Transfer_Service
  Resource: google_storage_transfer_agent_pool
    Policy: Bandwidth_limit - ✅
    Policy: name - ✅
  Resource: google_storage_transfer_job
    Policy: delete_objects_from_source_after_transfer - ✅
    Policy: role_arn - ✅
    Policy: source_agent_pool_name - ✅
    Policy: overwrite_when - ✅

@Mohmaed-AA00 Mohmaed-AA00 requested a review from jinglong857 May 28, 2026 07:27
jinglong857
jinglong857 requested changes May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jinglong857 jinglong857 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Mohmaed-AA00 , you still haven't addressed my earlier feedback regarding your documentation. Include all arguments in your documentation, if they are not security relevant provide rationale why, do not omit them. Additionally, ensure your documentation matches your terraform configuration and policy implementation. If you're not sure how document is done, please refer to the upskilling guide.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jinglong857 jinglong857 jinglong857 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@jinglong857 jinglong857

Labels

1st review 2nd review 3rd review CI-Approved PR approved by CI checks

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Mohmaed-AA00 @jinglong857