diff --git a/docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_agent_pool.json b/docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_agent_pool.json
index ceed546b6..80b0488ee 100644
--- a/docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_agent_pool.json
+++ b/docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_agent_pool.json
@@ -5,49 +5,40 @@
 "name": {
 "description": "The ID of the agent pool to create. The agentPoolId must meet the following requirements: * Length of 128 characters or less. * Not start with the string goog. * Start with a lowercase ASCII character, followed by: * Zero or more: lowercase Latin alphabet characters, numerals, hyphens (-), periods (.), underscores (_), or tildes (~). * One or more numerals or lowercase ASCII characters. As expressed by the regular expression: ^(?!goog)[a-z]([a-z0-9-._~]*[a-z0-9])?$.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "The agent pool name is security relevant because a policy has been implemented to enforce approved naming requirements and prevent reserved or unapproved agent pool identifiers.",
+ "compliant": "agent-pool-example",
+ "non-compliant": "goog-agent-pool",
 "parent": null
 },
 "display_name": {
 "description": "Specifies the client-specified AgentPool description.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
+ "security_impact": false,
+ "rationale": "The display name is descriptive metadata only and does not enforce access control, encryption, networking, or transfer behavior.",
+ "compliant": "Example transfer agent pool",
 "non-compliant": null,
 "parent": null
 },
 "bandwidth_limit": {
- "description": "Specifies the bandwidth limit details. If this field is unspecified, the default value is set as 'No Limit'. Structure is [documented below](#nested_bandwidth_limit).",
+ "description": "Specifies the bandwidth limit details. If this field is unspecified, the default value is set as 'No Limit'. Structure is documented below (#nested_bandwidth_limit).",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Bandwidth controls can reduce the risk of excessive transfer throughput, network saturation, and unintentional resource impact.",
+ "compliant": "Refer to child argument.",
+ "non-compliant": "Refer to child argument.",
 "parent": null,
 "arguments": {
 "limit_mbps": {
 "description": "Bandwidth rate in megabytes per second, distributed across all the agents in the pool.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "A defined bandwidth limit helps constrain transfer throughput and supports controlled data movement.",
+ "compliant": "120",
+ "non-compliant": "Unlimited or an out-of-policy value.",
 "parent": "bandwidth_limit"
 }
 }
- },
- "project": {
- "description": "If it is not provided, the provider project is used.",
- "required": null,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": null
 }
 }
 }
\ No newline at end of file
diff --git a/docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_job.json b/docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_job.json
index 0e9f23bb1..b589bf8dc 100644
--- a/docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_job.json
+++ b/docs/gcp/Storage_Transfer_Service/resource_json/storage_transfer_job.json
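Review bot: The new `bandwidth_limit` description keeps the bare anchor `(#nested_bandwidth_limit)` after the markdown link was stripped, so the JSON (and the table generated from it) now reads "Structure is documented below (#nested_bandwidth_limit)." with a dangling fragment; `"Structure is documented in the bandwidth_limit block below."` says the same without it. The `limit_mbps` entries also never state what the policy enforces: `"non-compliant": "Unlimited or an out-of-policy value."` gives no threshold, the compliant sample is `120` while the fixture in inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/c.tf is expected to pass with 250, and because `bandwidth_limit` is `required: false` with a documented default of 'No Limit', omitting the block altogether is presumably the most common non-compliant shape yet is not named. Suggest `"non-compliant": "bandwidth_limit omitted (defaults to 'No Limit') or limit_mbps above the policy maximum of <POLICY_MAX_MBPS>."` with the real ceiling filled in.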
@@ -2,858 +2,99 @@ "resource_name": "storage_transfer_job", "subcategory": "Storage Transfer Service", "arguments": { - "name": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, + "description": { + "description": "A description for the Storage Transfer job.", + "required": false, + "security_impact": false, + "rationale": "The description is informational and does not directly affect the security posture of the transfer job.", + "compliant": "daily-secure-transfer-job", "non-compliant": null, "parent": null }, - "description": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "status": { + "description": "The status of the transfer job.", + "required": false, + "security_impact": true, + "rationale": "Transfer jobs should be intentionally enabled or disabled to match operational and governance requirements.", + "compliant": "ENABLED", + "non-compliant": "Unexpectedly disabled or unmanaged status.", + "parent": null + }, + "schedule": { + "description": "Defines when the Storage Transfer job runs.", + "required": false, + "security_impact": true, + "rationale": "A defined schedule supports controlled and expected execution of data transfers.", + "compliant": "A schedule with an approved start date and run time.", + "non-compliant": "No defined schedule where one is required by policy.", "parent": null }, "transfer_spec": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "description": "Defines the source, sink, and transfer behavior for the Storage Transfer job.", + "required": true, + "security_impact": true, + "rationale": "The transfer specification controls what data is moved, from where, and under what restrictions.", + "compliant": "A transfer_spec with approved source settings, approved agent pool usage, and safe transfer 
options.", + "non-compliant": "A transfer_spec that omits required restrictions or uses unsafe transfer options.", "parent": null, "arguments": { "source_agent_pool_name": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "sink_agent_pool_name": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "gcs_data_sink": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "posix_data_sink": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "object_conditions": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "transfer_options": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "gcs_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "posix_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "description": "Specifies the agent pool used for agent-based source transfers.", + "required": false, + "security_impact": true, + "rationale": "Agent pools control where transfer agents run and should reference approved managed pools only.", + "compliant": "source_agent_pool_name = \"transferJobs/agentPools/approved-pool\"", + 
"non-compliant": "source_agent_pool_name = \"transferJobs/agentPools/unapproved-pool\"", "parent": "transfer_spec" }, "aws_s3_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "http_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "azure_blob_storage_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - }, - "hdfs_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_spec" - } - } - }, - "replication_spec": { - "description": "- - -", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "gcs_data_sink": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "replication_spec" - }, - "gcs_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "replication_spec" - }, - "object_conditions": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "replication_spec" + "description": "Specifies an Amazon S3 bucket as the source for the transfer job.", + "required": false, + "security_impact": true, + "rationale": "Using an S3 source introduces external data into the transfer job and should be restricted to approved buckets and approved AWS access settings.", + "compliant": 
"aws_s3_data_source using an approved bucket and approved role ARN.", + "non-compliant": "aws_s3_data_source using an unapproved bucket or missing/unapproved role ARN.", + "parent": "transfer_spec", + "arguments": { + "role_arn": { + "description": "The AWS IAM role ARN used to access the Amazon S3 source.", + "required": false, + "security_impact": true, + "rationale": "The role ARN controls what AWS permissions are used to read from the source bucket. Using the wrong role can grant excessive access or allow use of an unapproved source identity.", + "compliant": "arn:aws:iam::123456789012:role/approved-storage-transfer-role", + "non-compliant": "arn:aws:iam::123456789012:role/admin or a missing/unapproved role ARN.", + "parent": "aws_s3_data_source" + } + } }, "transfer_options": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "replication_spec" - } - } - }, - "schedule": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "schedule_start_date": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "schedule" - }, - "schedule_end_date": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "schedule" - }, - "start_time_of_day": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "schedule" - }, - "repeat_interval": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "schedule" - } - } - }, - "event_stream": { - "description": "", - "required": null, - 
"security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "name": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "event_stream" - }, - "event_stream_start_time": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "event_stream" - }, - "event_stream_expiration_time": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "event_stream" - } - } - }, - "project": { - "description": "is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null - }, - "status": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null - }, - "notification_config": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "pubsub_topic": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "notification_config" - }, - "event_types": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "notification_config" - }, - "payload_format": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "notification_config" - } - } - }, - "logging_config": { - "description": "", - "required": null, - "security_impact": null, - "rationale": 
null, - "compliant": null, - "non-compliant": null, - "parent": null - }, - "object_conditions": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "max_time_elapsed_since_last_modification": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "object_conditions" - }, - "min_time_elapsed_since_last_modification": { - "description": "A duration in seconds with up to nine fractional digits, terminated by 's'. Example: \"3.5s\".", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "object_conditions" - }, - "include_prefixes": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "object_conditions" - }, - "exclude_prefixes": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "object_conditions" - }, - "last_modified_since": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "object_conditions" - }, - "last_modified_before": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "object_conditions" - } - } - }, - "transfer_options": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "overwrite_objects_already_existing_in_sink": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": 
"transfer_options" - }, - "delete_objects_unique_in_sink": { - "description": "`delete_objects_from_source_after_transfer` are mutually exclusive.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_options" - }, - "delete_objects_from_source_after_transfer": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_options" - }, - "overwrite_when": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "transfer_options" - } - } - }, - "gcs_data_sink": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "bucket_name": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "gcs_data_sink" - }, - "path": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "gcs_data_sink" - } - } - }, - "gcs_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "bucket_name": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "gcs_data_source" - }, - "path": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "gcs_data_source" - } - } - }, - "posix_data_sink": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - 
"non-compliant": null, - "parent": null, - "arguments": { - "root_directory": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "posix_data_sink" - } - } - }, - "posix_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "root_directory": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "posix_data_source" - } - } - }, - "hdfs_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "path": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "hdfs_data_source" - } - } - }, - "aws_s3_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "bucket_name": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "aws_s3_data_source" - }, - "path": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "aws_s3_data_source" - }, - "aws_access_key": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "aws_s3_data_source" - }, - "role_arn": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "aws_s3_data_source" - }, - 
"managed_private_network": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "aws_s3_data_source" - }, - "cloudfront_domain": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "aws_s3_data_source" - } - } - }, - "aws_access_key": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "access_key_id": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "aws_access_key" - }, - "secret_access_key": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "aws_access_key" - } - } - }, - "http_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "list_url": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "http_data_source" - } - } - }, - "azure_blob_storage_data_source": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "storage_account": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_blob_storage_data_source" - }, - "container": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_blob_storage_data_source" - }, 
- "path": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_blob_storage_data_source" - }, - "credentials_secret": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_blob_storage_data_source" - }, - "azure_credentials": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_blob_storage_data_source" - } - } - }, - "azure_credentials": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "sas_token": { - "description": "The `schedule_start_date` and `schedule_end_date` blocks support:", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_credentials" - }, - "year": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_credentials" - }, - "month": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_credentials" - }, - "day": { - "description": "The `start_time_of_day` blocks support:", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_credentials" - }, - "hours": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_credentials" - }, - "minutes": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": 
null, - "parent": "azure_credentials" - }, - "seconds": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_credentials" - }, - "nanos": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "azure_credentials" - } - } - }, - "loggin_config": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "log_actions": { - "description": "Each action may be one of `FIND`, `DELETE`, and `COPY`.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "loggin_config" - }, - "log_action_states": { - "description": "Each action state may be one of `SUCCEEDED`, and `FAILED`.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "loggin_config" - }, - "enable_on_prem_gcs_transfer": { - "description": "Defaults to false.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "loggin_config" + "description": "Defines transfer behavior options such as overwrite and deletion behavior.", + "required": false, + "security_impact": true, + "rationale": "Transfer options can directly affect data integrity and source data preservation during transfers.", + "compliant": "transfer_options with safe overwrite behavior and without destructive source deletion.", + "non-compliant": "transfer_options that overwrite unsafely or delete source objects after transfer.", + "parent": "transfer_spec", + "arguments": { + "delete_objects_from_source_after_transfer": { + "description": "Whether objects are deleted from the source after they are transferred.", + "required": false, 
+ "security_impact": true, + "rationale": "Deleting source objects after transfer is destructive and can create data loss or recovery risks if used inappropriately.", + "compliant": "delete_objects_from_source_after_transfer = false", + "non-compliant": "delete_objects_from_source_after_transfer = true", + "parent": "transfer_options" + }, + "overwrite_when": { + "description": "Specifies when objects at the destination may be overwritten during transfer.", + "required": false, + "security_impact": true, + "rationale": "Overwrite behavior affects destination data integrity and should be limited to approved settings to prevent unintended replacement of data.", + "compliant": "overwrite_when set to the approved policy value.", + "non-compliant": "overwrite_when set to an unapproved or overly permissive value.", + "parent": "transfer_options" + } + } } } } diff --git a/docs/gcp/Storage_Transfer_Service/storage_transfer_agent_pool.md b/docs/gcp/Storage_Transfer_Service/storage_transfer_agent_pool.md new file mode 100644 index 000000000..b2941513b --- /dev/null +++ b/docs/gcp/Storage_Transfer_Service/storage_transfer_agent_pool.md 
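Review bot: The rewritten `aws_s3_data_source` entry documents only `role_arn`, yet its rationale promises restriction to "approved AWS access settings", and the other credential path the old side listed — `aws_access_key` with `access_key_id`/`secret_access_key` — is exactly what a policy engine should flag (static AWS keys embedded in Terraform configuration and state); the same gap applies to `azure_blob_storage_data_source` (`credentials_secret`, `azure_credentials.sas_token`), which has no entry at all on the new side. Suggest a row for `aws_access_key` with `"security_impact": true`, compliant `"not set; role_arn used instead"` and non-compliant `"static access_key_id/secret_access_key in configuration"`. Under `transfer_options`, the rationale says "without destructive source deletion", but `delete_objects_unique_in_sink` (also dropped from the new side) deletes destination objects and is at least as destructive as the source-side flag, so it deserves the same `= false` compliant row. Finally, `overwrite_when`'s compliant value "set to the approved policy value" cannot be checked against a configuration; name the value the policy accepts, e.g. `"compliant": "NEVER"` (or `DIFFERENT` if updates are allowed) and `"non-compliant": "ALWAYS"`, which are the options the provider documents for this field.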
@@ -0,0 +1,21 @@
+## 🛡️ Policy Deployment Engine: `storage_transfer_agent_pool`
+
+This section provides a concise policy evaluation for the `storage_transfer_agent_pool` resource in GCP.
+
+Reference: [Terraform Registry – storage_transfer_agent_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_transfer_agent_pool)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `name` | The ID of the agent pool to create. The agentPoolId must meet the following requirements: * Length of 128 characters or less. * Not start with the string goog. * Start with a lowercase ASCII character, followed by: * Zero or more: lowercase Latin alphabet characters, numerals, hyphens (-), periods (.), underscores (_), or tildes (~). * One or more numerals or lowercase ASCII characters. As expressed by the regular expression: ^(?!goog)[a-z]([a-z0-9-._~]*[a-z0-9])?$. | true | true | The agent pool name is security relevant because a policy has been implemented to enforce approved naming requirements and prevent reserved or unapproved agent pool identifiers. | agent-pool-example | goog-agent-pool |
+| `display_name` | Specifies the client-specified AgentPool description. | false | false | The display name is descriptive metadata only and does not enforce access control, encryption, networking, or transfer behavior. | Example transfer agent pool | None |
+| `bandwidth_limit` | Specifies the bandwidth limit details. If this field is unspecified, the default value is set as 'No Limit'. Structure is documented below (#nested_bandwidth_limit). | false | true | Bandwidth controls can reduce the risk of excessive transfer throughput, network saturation, and unintentional resource impact. | Refer to child argument. | Refer to child argument. |
+
+### bandwidth_limit Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `limit_mbps` | Bandwidth rate in megabytes per second, distributed across all the agents in the pool. | true | true | A defined bandwidth limit helps constrain transfer throughput and supports controlled data movement. | 120 | Unlimited or an out-of-policy value. |
diff --git a/docs/gcp/Storage_Transfer_Service/storage_transfer_job.md b/docs/gcp/Storage_Transfer_Service/storage_transfer_job.md
new file mode 100644
index 000000000..7adfce8d7
--- /dev/null
+++ b/docs/gcp/Storage_Transfer_Service/storage_transfer_job.md
@@ -0,0 +1,37 @@
+## 🛡️ Policy Deployment Engine: `storage_transfer_job`
+
+This section provides a concise policy evaluation for the `storage_transfer_job` resource in GCP.
+
+Reference: [Terraform Registry – storage_transfer_job](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_transfer_job)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `description` | A description for the Storage Transfer job. | false | false | The description is informational and does not directly affect the security posture of the transfer job. | daily-secure-transfer-job | None |
+| `status` | The status of the transfer job. | false | true | Transfer jobs should be intentionally enabled or disabled to match operational and governance requirements. | ENABLED | Unexpectedly disabled or unmanaged status. |
+| `schedule` | Defines when the Storage Transfer job runs. | false | true | A defined schedule supports controlled and expected execution of data transfers. | A schedule with an approved start date and run time. | No defined schedule where one is required by policy. |
+| `transfer_spec` | Defines the source, sink, and transfer behavior for the Storage Transfer job. | true | true | The transfer specification controls what data is moved, from where, and under what restrictions. | A transfer_spec with approved source settings, approved agent pool usage, and safe transfer options. | A transfer_spec that omits required restrictions or uses unsafe transfer options. |
+
+### transfer_spec Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `source_agent_pool_name` | Specifies the agent pool used for agent-based source transfers. | false | true | Agent pools control where transfer agents run and should reference approved managed pools only. | source_agent_pool_name = "transferJobs/agentPools/approved-pool" | source_agent_pool_name = "transferJobs/agentPools/unapproved-pool" |
+| `aws_s3_data_source` | Specifies an Amazon S3 bucket as the source for the transfer job. | false | true | Using an S3 source introduces external data into the transfer job and should be restricted to approved buckets and approved AWS access settings. | aws_s3_data_source using an approved bucket and approved role ARN. | aws_s3_data_source using an unapproved bucket or missing/unapproved role ARN. |
+| `transfer_options` | Defines transfer behavior options such as overwrite and deletion behavior. | false | true | Transfer options can directly affect data integrity and source data preservation during transfers. | transfer_options with safe overwrite behavior and without destructive source deletion. | transfer_options that overwrite unsafely or delete source objects after transfer. |
+
+### aws_s3_data_source Block
+
+ | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+ |----------|-------------|----------|-----------------|-----------|-----------|---------------|
+ | `role_arn` | The AWS IAM role ARN used to access the Amazon S3 source. | false | true | The role ARN controls what AWS permissions are used to read from the source bucket. Using the wrong role can grant excessive access or allow use of an unapproved source identity. | arn:aws:iam::123456789012:role/approved-storage-transfer-role | arn:aws:iam::123456789012:role/admin or a missing/unapproved role ARN. |
+
+### transfer_options Block
+
+ | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+ |----------|-------------|----------|-----------------|-----------|-----------|---------------|
+ | `delete_objects_from_source_after_transfer` | Whether objects are deleted from the source after they are transferred. | false | true | Deleting source objects after transfer is destructive and can create data loss or recovery risks if used inappropriately. | delete_objects_from_source_after_transfer = false | delete_objects_from_source_after_transfer = true |
+ | `overwrite_when` | Specifies when objects at the destination may be overwritten during transfer. | false | true | Overwrite behavior affects destination data integrity and should be limited to approved settings to prevent unintended replacement of data. | overwrite_when set to the approved policy value. | overwrite_when set to an unapproved or overly permissive value. |
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/.terraform.lock.hcl b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/.terraform.lock.hcl
new file mode 100644
index 000000000..7aab94476
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/.terraform.lock.hcl
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.28.0" + constraints = "7.28.0" + hashes = [ + "h1:PSXGQ1KdRjfeCvb6K85dqZiC6AfyB5OWw6vm5I+iop8=", + "zh:078c16b9c5e9067e72070367846976b58f906d8efab6fc4fc1325661717dc9cc", + "zh:08b839014b428233a3a83d15045e7559b07fc035c7f73cc1ee2694c50c4dea54", + "zh:0c76ea69f75633bdfc67a0cd6ea510332c0cb0f2d4968b8a070e546fb47e444e", + "zh:3a308492ad4c153583f7b8ecc3c80bf0bbc15a32c62b5b3794efb27db01ff26b", + "zh:6754f51373994470f78937856982b0a39648ac302713d07205d320a13ad41d82", + "zh:79d387214f55df16c795f11988a0285a4bfa846c447faa85008b953b77081eb1", + "zh:8de432482d77d1a1077b2dc3db764b8ba6d1b07a4b991a07c960855adc0b031b", + "zh:900daa2435de1928a9868aa4c17d8b7b109ab363c97f7fe274466193af1412b0", + "zh:96c25183a7f13b3de9a5631aa2a13ed1a4285b8393df90c2380c2fe74f350ab5", + "zh:971121626be01245acd9a4520a63e1405e4f528d3c83f39a28f8caaeac235b45", + "zh:e90d5e7d7bf47c8cf5bbf2e5d0bf855ed10350ad3584795a6911f85fdb5c0c3c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/c.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/c.tf new file mode 100644 index 000000000..40f8a412c --- /dev/null +++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/c.tf @@ -0,0 +1,8 @@ +resource "google_storage_transfer_agent_pool" "c" { + name = "c" + display_name = "approved-bandwidth-pool" + + bandwidth_limit { + limit_mbps = "250" + } +} \ No newline at end of file diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/config.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/config.tf new file mode 100644 index 000000000..dccf44a47 
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/config.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "7.28.0"
+ }
+ }
+}
+
+provider "google" {
+ project = "my-project-123"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/nc.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/nc.tf
new file mode 100644
index 000000000..484d8e767
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/nc.tf
@@ -0,0 +1,8 @@
+resource "google_storage_transfer_agent_pool" "nc" {
+ name = "nc"
+ display_name = "unsafe-bandwidth-pool"
+
+ bandwidth_limit {
+ limit_mbps = "5000"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/.terraform.lock.hcl b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/.terraform.lock.hcl
new file mode 100644
index 000000000..7aab94476
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/.terraform.lock.hcl
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.28.0" + constraints = "7.28.0" + hashes = [ + "h1:PSXGQ1KdRjfeCvb6K85dqZiC6AfyB5OWw6vm5I+iop8=", + "zh:078c16b9c5e9067e72070367846976b58f906d8efab6fc4fc1325661717dc9cc", + "zh:08b839014b428233a3a83d15045e7559b07fc035c7f73cc1ee2694c50c4dea54", + "zh:0c76ea69f75633bdfc67a0cd6ea510332c0cb0f2d4968b8a070e546fb47e444e", + "zh:3a308492ad4c153583f7b8ecc3c80bf0bbc15a32c62b5b3794efb27db01ff26b", + "zh:6754f51373994470f78937856982b0a39648ac302713d07205d320a13ad41d82", + "zh:79d387214f55df16c795f11988a0285a4bfa846c447faa85008b953b77081eb1", + "zh:8de432482d77d1a1077b2dc3db764b8ba6d1b07a4b991a07c960855adc0b031b", + "zh:900daa2435de1928a9868aa4c17d8b7b109ab363c97f7fe274466193af1412b0", + "zh:96c25183a7f13b3de9a5631aa2a13ed1a4285b8393df90c2380c2fe74f350ab5", + "zh:971121626be01245acd9a4520a63e1405e4f528d3c83f39a28f8caaeac235b45", + "zh:e90d5e7d7bf47c8cf5bbf2e5d0bf855ed10350ad3584795a6911f85fdb5c0c3c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/c.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/c.tf new file mode 100644 index 000000000..95ccc85d1 --- /dev/null +++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/c.tf @@ -0,0 +1,8 @@ +resource "google_storage_transfer_agent_pool" "c" { + name = "agent-pool-example" + display_name = "Compliant agent pool" + + bandwidth_limit { + limit_mbps = "250" + } +} \ No newline at end of file diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/config.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/config.tf new file mode 100644 index 000000000..413a25f42 --- /dev/null 
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/config.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "7.28.0"
+ }
+ }
+}
+
+provider "google" {
+ project = "my-project-123"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/nc.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/nc.tf
new file mode 100644
index 000000000..be57351fd
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/nc.tf
@@ -0,0 +1,8 @@
+resource "google_storage_transfer_agent_pool" "nc" {
+ name = "nc"
+ display_name = "Non-compliant agent pool"
+
+ bandwidth_limit {
+ limit_mbps = "5000"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/.terraform.lock.hcl b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/.terraform.lock.hcl
new file mode 100644
index 000000000..7aab94476
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/.terraform.lock.hcl
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.28.0" + constraints = "7.28.0" + hashes = [ + "h1:PSXGQ1KdRjfeCvb6K85dqZiC6AfyB5OWw6vm5I+iop8=", + "zh:078c16b9c5e9067e72070367846976b58f906d8efab6fc4fc1325661717dc9cc", + "zh:08b839014b428233a3a83d15045e7559b07fc035c7f73cc1ee2694c50c4dea54", + "zh:0c76ea69f75633bdfc67a0cd6ea510332c0cb0f2d4968b8a070e546fb47e444e", + "zh:3a308492ad4c153583f7b8ecc3c80bf0bbc15a32c62b5b3794efb27db01ff26b", + "zh:6754f51373994470f78937856982b0a39648ac302713d07205d320a13ad41d82", + "zh:79d387214f55df16c795f11988a0285a4bfa846c447faa85008b953b77081eb1", + "zh:8de432482d77d1a1077b2dc3db764b8ba6d1b07a4b991a07c960855adc0b031b", + "zh:900daa2435de1928a9868aa4c17d8b7b109ab363c97f7fe274466193af1412b0", + "zh:96c25183a7f13b3de9a5631aa2a13ed1a4285b8393df90c2380c2fe74f350ab5", + "zh:971121626be01245acd9a4520a63e1405e4f528d3c83f39a28f8caaeac235b45", + "zh:e90d5e7d7bf47c8cf5bbf2e5d0bf855ed10350ad3584795a6911f85fdb5c0c3c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/c.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/c.tf new file mode 100644 index 000000000..4590d0820 --- /dev/null +++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/c.tf 
@@ -0,0 +1,27 @@
+resource "google_storage_transfer_job" "c" {
+ description = "c"
+ project = "my-project-123"
+ status = "ENABLED"
+
+ transfer_spec {
+ posix_data_source {
+ root_directory = "/source"
+ }
+
+ gcs_data_sink {
+ bucket_name = "my-transfer-bucket"
+ }
+
+ transfer_options {
+ delete_objects_from_source_after_transfer = false
+ }
+ }
+
+ schedule {
+ schedule_start_date {
+ year = 2026
+ month = 1
+ day = 1
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/config.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/config.tf
new file mode 100644
index 000000000..413a25f42
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/config.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "7.28.0"
+ }
+ }
+}
+
+provider "google" {
+ project = "my-project-123"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/nc.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/nc.tf
new file mode 100644
index 000000000..9047931cf
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/nc.tf
@@ -0,0 +1,27 @@
+resource "google_storage_transfer_job" "nc" {
+ description = "nc"
+ project = "my-project-123"
+ status = "ENABLED"
+
+ transfer_spec {
+ posix_data_source {
+ root_directory = "/source"
+ }
+
+ gcs_data_sink {
+ bucket_name = "my-transfer-bucket"
+ }
+
+ transfer_options {
+ delete_objects_from_source_after_transfer = true
+ }
+ }
+
+ schedule {
+ schedule_start_date {
+ year = 2026
+ month = 1
+ day = 1
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/.terraform.lock.hcl b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/.terraform.lock.hcl new file mode 100644 index 000000000..7aab94476 --- /dev/null +++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/.terraform.lock.hcl @@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.28.0" + constraints = "7.28.0" + hashes = [ + "h1:PSXGQ1KdRjfeCvb6K85dqZiC6AfyB5OWw6vm5I+iop8=", + "zh:078c16b9c5e9067e72070367846976b58f906d8efab6fc4fc1325661717dc9cc", + "zh:08b839014b428233a3a83d15045e7559b07fc035c7f73cc1ee2694c50c4dea54", + "zh:0c76ea69f75633bdfc67a0cd6ea510332c0cb0f2d4968b8a070e546fb47e444e", + "zh:3a308492ad4c153583f7b8ecc3c80bf0bbc15a32c62b5b3794efb27db01ff26b", + "zh:6754f51373994470f78937856982b0a39648ac302713d07205d320a13ad41d82", + "zh:79d387214f55df16c795f11988a0285a4bfa846c447faa85008b953b77081eb1", + "zh:8de432482d77d1a1077b2dc3db764b8ba6d1b07a4b991a07c960855adc0b031b", + "zh:900daa2435de1928a9868aa4c17d8b7b109ab363c97f7fe274466193af1412b0", + "zh:96c25183a7f13b3de9a5631aa2a13ed1a4285b8393df90c2380c2fe74f350ab5", + "zh:971121626be01245acd9a4520a63e1405e4f528d3c83f39a28f8caaeac235b45", + "zh:e90d5e7d7bf47c8cf5bbf2e5d0bf855ed10350ad3584795a6911f85fdb5c0c3c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/c.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/c.tf new file mode 100644 index 000000000..6108112bb --- /dev/null +++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/c.tf 
@@ -0,0 +1,27 @@
+resource "google_storage_transfer_job" "c" {
+ description = "c"
+ project = "my-project-123"
+ status = "ENABLED"
+
+ transfer_spec {
+ posix_data_source {
+ root_directory = "/source"
+ }
+
+ gcs_data_sink {
+ bucket_name = "my-transfer-bucket"
+ }
+
+ transfer_options {
+ overwrite_when = "DIFFERENT"
+ }
+ }
+
+ schedule {
+ schedule_start_date {
+ year = 2026
+ month = 1
+ day = 1
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/config.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/config.tf
new file mode 100644
index 000000000..413a25f42
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/config.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "7.28.0"
+ }
+ }
+}
+
+provider "google" {
+ project = "my-project-123"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/nc.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/nc.tf
new file mode 100644
index 000000000..142156f4f
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/nc.tf
@@ -0,0 +1,27 @@
+resource "google_storage_transfer_job" "nc" {
+ description = "nc"
+ project = "my-project-123"
+ status = "ENABLED"
+
+ transfer_spec {
+ posix_data_source {
+ root_directory = "/source"
+ }
+
+ gcs_data_sink {
+ bucket_name = "my-transfer-bucket"
+ }
+
+ transfer_options {
+ overwrite_when = "ALWAYS"
+ }
+ }
+
+ schedule {
+ schedule_start_date {
+ year = 2026
+ month = 1
+ day = 1
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/.terraform.lock.hcl b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/.terraform.lock.hcl new file mode 100644 index 000000000..7aab94476 --- /dev/null +++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/.terraform.lock.hcl @@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.28.0" + constraints = "7.28.0" + hashes = [ + "h1:PSXGQ1KdRjfeCvb6K85dqZiC6AfyB5OWw6vm5I+iop8=", + "zh:078c16b9c5e9067e72070367846976b58f906d8efab6fc4fc1325661717dc9cc", + "zh:08b839014b428233a3a83d15045e7559b07fc035c7f73cc1ee2694c50c4dea54", + "zh:0c76ea69f75633bdfc67a0cd6ea510332c0cb0f2d4968b8a070e546fb47e444e", + "zh:3a308492ad4c153583f7b8ecc3c80bf0bbc15a32c62b5b3794efb27db01ff26b", + "zh:6754f51373994470f78937856982b0a39648ac302713d07205d320a13ad41d82", + "zh:79d387214f55df16c795f11988a0285a4bfa846c447faa85008b953b77081eb1", + "zh:8de432482d77d1a1077b2dc3db764b8ba6d1b07a4b991a07c960855adc0b031b", + "zh:900daa2435de1928a9868aa4c17d8b7b109ab363c97f7fe274466193af1412b0", + "zh:96c25183a7f13b3de9a5631aa2a13ed1a4285b8393df90c2380c2fe74f350ab5", + "zh:971121626be01245acd9a4520a63e1405e4f528d3c83f39a28f8caaeac235b45", + "zh:e90d5e7d7bf47c8cf5bbf2e5d0bf855ed10350ad3584795a6911f85fdb5c0c3c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/c.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/c.tf new file mode 100644 index 000000000..cf1c5a4ed --- /dev/null +++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/c.tf 
@@ -0,0 +1,24 @@
+resource "google_storage_transfer_job" "c" {
+ description = "c"
+ project = "my-project-123"
+ status = "ENABLED"
+
+ transfer_spec {
+ aws_s3_data_source {
+ bucket_name = "my-source-bucket"
+ role_arn = "arn:aws:iam::123456789012:role/approved-storage-transfer-role"
+ }
+
+ gcs_data_sink {
+ bucket_name = "my-transfer-bucket"
+ }
+ }
+
+ schedule {
+ schedule_start_date {
+ year = 2026
+ month = 1
+ day = 1
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/config.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/config.tf
new file mode 100644
index 000000000..413a25f42
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/config.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "7.28.0"
+ }
+ }
+}
+
+provider "google" {
+ project = "my-project-123"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/nc.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/nc.tf
new file mode 100644
index 000000000..c6c13972f
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/nc.tf
@@ -0,0 +1,24 @@
+resource "google_storage_transfer_job" "nc" {
+ description = "nc"
+ project = "my-project-123"
+ status = "ENABLED"
+
+ transfer_spec {
+ aws_s3_data_source {
+ bucket_name = "my-source-bucket"
+ role_arn = "arn:aws:iam::123456789012:role/unsafe-role"
+ }
+
+ gcs_data_sink {
+ bucket_name = "my-transfer-bucket"
+ }
+ }
+
+ schedule {
+ schedule_start_date {
+ year = 2026
+ month = 1
+ day = 1
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/.terraform.lock.hcl b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/.terraform.lock.hcl new file mode 100644 index 000000000..7aab94476 --- /dev/null +++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/.terraform.lock.hcl @@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.28.0" + constraints = "7.28.0" + hashes = [ + "h1:PSXGQ1KdRjfeCvb6K85dqZiC6AfyB5OWw6vm5I+iop8=", + "zh:078c16b9c5e9067e72070367846976b58f906d8efab6fc4fc1325661717dc9cc", + "zh:08b839014b428233a3a83d15045e7559b07fc035c7f73cc1ee2694c50c4dea54", + "zh:0c76ea69f75633bdfc67a0cd6ea510332c0cb0f2d4968b8a070e546fb47e444e", + "zh:3a308492ad4c153583f7b8ecc3c80bf0bbc15a32c62b5b3794efb27db01ff26b", + "zh:6754f51373994470f78937856982b0a39648ac302713d07205d320a13ad41d82", + "zh:79d387214f55df16c795f11988a0285a4bfa846c447faa85008b953b77081eb1", + "zh:8de432482d77d1a1077b2dc3db764b8ba6d1b07a4b991a07c960855adc0b031b", + "zh:900daa2435de1928a9868aa4c17d8b7b109ab363c97f7fe274466193af1412b0", + "zh:96c25183a7f13b3de9a5631aa2a13ed1a4285b8393df90c2380c2fe74f350ab5", + "zh:971121626be01245acd9a4520a63e1405e4f528d3c83f39a28f8caaeac235b45", + "zh:e90d5e7d7bf47c8cf5bbf2e5d0bf855ed10350ad3584795a6911f85fdb5c0c3c", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/c.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/c.tf new file mode 100644 index 000000000..a52fbf4bd --- /dev/null +++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/c.tf 
@@ -0,0 +1,18 @@
+resource "google_storage_transfer_job" "c" {
+ name = "c"
+ description = "c"
+ project = "my-project-123"
+ status = "ENABLED"
+
+ transfer_spec {
+ source_agent_pool_name = "projects/my-project-123/agentPools/approved-pool"
+
+ gcs_data_source {
+ bucket_name = "source-bucket-c"
+ }
+
+ gcs_data_sink {
+ bucket_name = "destination-bucket-c"
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/config.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/config.tf
new file mode 100644
index 000000000..413a25f42
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/config.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = "7.28.0"
+ }
+ }
+}
+
+provider "google" {
+ project = "my-project-123"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/nc.tf b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/nc.tf
new file mode 100644
index 000000000..bfa3c6dbc
--- /dev/null
+++ b/inputs/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/nc.tf
@@ -0,0 +1,18 @@
+resource "google_storage_transfer_job" "nc" {
+ name = "nc"
+ description = "nc"
+ project = "my-project-123"
+ status = "ENABLED"
+
+ transfer_spec {
+ source_agent_pool_name = "projects/my-project-123/agentPools/unapproved-pool"
+
+ gcs_data_source {
+ bucket_name = "source-bucket-nc"
+ }
+
+ gcs_data_sink {
+ bucket_name = "destination-bucket-nc"
+ }
+ }
+}
\ No newline at end of file
diff --git a/policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/policy.rego b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/policy.rego
new file mode 100644
index 000000000..97efeb685
--- /dev/null
+++ b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/Bandwidth_limit/policy.rego
@@ -0,0 +1,27 @@
+package terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.Bandwidth_limit
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Storage Transfer agent pool is configured with an unsafe bandwidth limit.",
+ "remedies": [
+ "Set bandwidth_limit.limit_mbps to an approved lower value.",
+ "Avoid excessive bandwidth allocations on transfer agent pools."
+ ]
+ },
+ {
+ "condition": "Storage Transfer agent pool bandwidth limit must not use unsafe high Mbps values.",
+ "attribute_path": ["bandwidth_limit", 0, "limit_mbps"],
+ "values": [null, 1000],
+ "policy_type": "range"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
+
diff --git a/policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/policy.rego b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/policy.rego
new file mode 100644
index 000000000..be2b6c1b1
--- /dev/null
+++ b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/name/policy.rego
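Review bot: The range condition `"values": [null, 1000]` on `["bandwidth_limit", 0, "limit_mbps"]` compares against a number, but both fixtures in this commit set the attribute as a string (`limit_mbps = "250"` and `"5000"`), which is how the provider types that field; unless helpers.get_multi_summary coerces strings before comparing, which I cannot see from here, the non-compliant fixture may not actually fail, so that case should be confirmed with a test run. The condition only inspects a `bandwidth_limit` block that exists, yet the resource documentation earlier in this commit states that omitting the block means no limit at all, so the most permissive configuration passes this policy; a second condition requiring the block to be present would close that gap. The lower bound `null` also deserves a one-line comment such as `# null lower bound: any value up to 1000 Mbps is accepted` stating how the helper interprets it.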
@@ -0,0 +1,28 @@
+package terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.name
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Storage Transfer agent pool uses an unapproved name.",
+ "remedies": [
+ "Use an approved Storage Transfer agent pool name.",
+ "Do not use reserved or unapproved agent pool names such as names starting with goog."
+ ]
+ },
+ {
+ "condition": "Storage Transfer agent pool name must be in the approved list.",
+ "attribute_path": ["name"],
+ "values": ["agent-pool-example"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/vars.rego b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/vars.rego
new file mode 100644
index 000000000..1f992aea4
--- /dev/null
+++ b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_agent_pool/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_agent_pool.vars
+
+variables := {
+ "friendly_resource_name": "Storage Transfer agent pool",
+ "resource_type": "google_storage_transfer_agent_pool",
+ "resource_value_name": "name"
+}
\ No newline at end of file
diff --git a/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/policy.rego b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/policy.rego
new file mode 100644
index 000000000..0a147453d
--- /dev/null
+++ b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/delete_objects_from_source_after_transfer/policy.rego
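Review bot: The whitelist `"values": ["agent-pool-example"]` hard-codes a single fixture name, while the remedies and the resource rationale describe a naming rule (no reserved `goog` prefix); an allow-list of one literal rejects every real pool and does not express that rule, so either the condition should encode the documented naming pattern if the helper offers a pattern-based policy type, or a comment above `"values"` should state that the list is an example to be replaced per deployment. The non-compliant fixture in nc.tf uses `name = "nc"`, which fails only because it is not on the list and never exercises the reserved-prefix case named in the second remedy; a fixture whose name starts with `goog` would test what the remedy claims. The same single-literal issue applies to the `role_arn` and `source_agent_pool_name` policies later in this commit.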
@@ -0,0 +1,28 @@
+package terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.delete_objects_from_source_after_transfer
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Storage Transfer job deletes objects from the source after transfer.",
+ "remedies": [
+ "Set transfer_spec.transfer_options.delete_objects_from_source_after_transfer to false.",
+ "Use a copy-based transfer instead of deleting source data automatically."
+ ]
+ },
+ {
+ "condition": "Storage Transfer job must not delete objects from the source after transfer.",
+ "attribute_path": ["transfer_spec", 0, "transfer_options", 0, "delete_objects_from_source_after_transfer"],
+ "values": [true],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+
+details := result.details
diff --git a/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/policy.rego b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/policy.rego
new file mode 100644
index 000000000..a44d8fe8b
--- /dev/null
+++ b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/overwrite_when/policy.rego
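Review bot: The blacklist on `delete_objects_from_source_after_transfer` covers source-side deletion only; the same `transfer_options` block also carries `delete_objects_unique_in_sink`, which removes destination objects that are absent from the source, and that equally destructive setting is not checked by any policy in this commit. A second condition at `["transfer_spec", 0, "transfer_options", 0, "delete_objects_unique_in_sink"]` blacklisting `[true]`, or a sibling policy directory, would make the stated goal of protecting data from unintended deletion hold for both ends of the transfer. The attribute path indexing at `0` matches the other job policies, which is consistent.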
@@ -0,0 +1,28 @@
+package terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.overwrite_when
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Storage Transfer job is configured to always overwrite objects in the destination.",
+ "remedies": [
+ "Set overwrite_when to a safer value.",
+ "Avoid unconditional overwriting of destination objects."
+ ]
+ },
+ {
+ "condition": "Storage Transfer job must not always overwrite destination objects.",
+ "attribute_path": ["transfer_spec", 0, "transfer_options", 0, "overwrite_when"],
+ "values": ["ALWAYS"],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+
+details := result.details
diff --git a/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/policy.rego b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/policy.rego
new file mode 100644
index 000000000..273f3126f
--- /dev/null
+++ b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/role_arn/policy.rego
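Review bot: Blacklisting only `"ALWAYS"` for `overwrite_when` leaves the boolean `overwrite_objects_already_existing_in_sink = true` in the same `transfer_options` block unchecked, and that setting overwrites every existing destination object just as unconditionally, so a job can pass this policy while doing exactly what the situation description forbids. Suggest a second condition on `["transfer_spec", 0, "transfer_options", 0, "overwrite_objects_already_existing_in_sink"]` blacklisting `[true]`. The remedy `"Set overwrite_when to a safer value."` should name what passes, for example `"Set overwrite_when to DIFFERENT or NEVER."`, so the reader is not left to guess which values the policy accepts.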
@@ -0,0 +1,28 @@
+package terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.role_arn
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Storage Transfer job uses an unapproved AWS IAM role ARN.",
+ "remedies": [
+ "Use an approved AWS IAM role ARN for Storage Transfer jobs.",
+ "Use a dedicated approved IAM role instead of an unapproved role."
+ ]
+ },
+ {
+ "condition": "Storage Transfer job must use an approved AWS IAM role ARN.",
+ "attribute_path": ["transfer_spec", 0, "aws_s3_data_source", 0, "role_arn"],
+ "values": ["arn:aws:iam::123456789012:role/approved-storage-transfer-role"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/policy.rego b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/policy.rego
new file mode 100644
index 000000000..16cb05663
--- /dev/null
+++ b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/source_agent_pool_name/policy.rego
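Review bot: The whitelist `"values": ["arn:aws:iam::123456789012:role/approved-storage-transfer-role"]` pins a fixture ARN with a sample account id, so in any real deployment every job fails until this list is edited; a comment above `"values"` should say that the ARN is a placeholder to be replaced with the organisation's approved role(s). The condition also says nothing about an `aws_s3_data_source` that authenticates with a static `aws_access_key` block instead of `role_arn`, which is the less safe option; whether an absent `role_arn` passes a whitelist depends on how the helper treats a missing attribute, which I cannot see here, so role-based access should be required explicitly rather than relied on implicitly. The situation description and condition text read as a fixed rule, which is fine once the placeholder is documented.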
@@ -0,0 +1,28 @@
+package terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.source_agent_pool_name
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Storage Transfer job is not using an approved source agent pool.",
+ "remedies": [
+ "Set transfer_spec.source_agent_pool_name to an approved agent pool.",
+ "Use a controlled agent pool for transfer jobs."
+ ]
+ },
+ {
+ "condition": "Storage Transfer job must use an approved source agent pool.",
+ "attribute_path": ["transfer_spec", 0, "source_agent_pool_name"],
+ "values": ["projects/my-project-123/agentPools/approved-pool"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/vars.rego b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/vars.rego
new file mode 100644
index 000000000..c6dd4bbe8
--- /dev/null
+++ b/policies/gcp/Storage_Transfer_Service/google_storage_transfer_job/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Storage_Transfer_Service.google_storage_transfer_job.vars
+
+variables := {
+ "friendly_resource_name": "Storage Transfer job",
+ "resource_type": "google_storage_transfer_job",
+ "resource_value_name": "description"
+}
\ No newline at end of file
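Review bot: The whitelist value `projects/my-project-123/agentPools/approved-pool` does not match the compliant example given in the documentation table earlier in this commit, `source_agent_pool_name = "transferJobs/agentPools/approved-pool"`; the project-qualified form used here and in both fixtures is the one the policy actually accepts, so the doc table should be aligned to it. The value also embeds a sample project id, making this an example rather than a reusable rule, and a comment above `"values"` should say so. In vars.rego, `"resource_value_name": "description"` keys findings by a free-text field; if the helper uses that field as the resource identifier in its messages, two jobs sharing a description would be reported indistinguishably, and `name` (set on both fixtures in this directory) looks like the better choice.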