gcp/service/vector_search#422

Open
Om46-coder wants to merge 8 commits into dev from gcp/service/vector_search

Conversation

@Om46-coder

Summary

Added security policies for google_vector_search_collection.

Implemented policies:

  • encryption_spec
  • crypto_key_region
  • approved_location
  • sensitive_collection_id
  • sensitive_data_schema

Documentation

Added documentation for policy inclusion and exclusion decisions:

docs/gcp/vector_search/google_vector_search_collection.md

Testing

Each policy includes:

  • compliant Terraform example: c.tf
  • non-compliant Terraform example: nc.tf
  • Terraform provider configuration: config.tf
  • generated Terraform plan JSON: plan.json

OPA eval was run for each policy and confirmed the non-compliant resource is reported as nc.

Notes

The policies focus on CMEK encryption, KMS key region validation, approved deployment location, and prevention of sensitive information exposure in collection identifiers and data schema.
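For readers who want to see the shape of these checks rather than only the CI output, the following is an added Rego example, not one of the PR's policy files. It folds the five checks into a single illustrative package (the PR keeps one package per policy, each exporting a `message` rule), reads the standard Terraform plan layout (`planned_values.root_module.resources`, nested blocks as arrays), and walks `data_schema` generically so both keys and string values are matched; all three of those are assumptions, as is the constructed `sample_plan` standing in for the c.tf / nc.tf pair. A KMS key name that does not parse as `projects/…/locations/REGION/…` is reported under the region check as well.

```rego
# Added example, not the PR's code. Package name, plan layout and data_schema
# shape are assumptions; the PR uses one package per policy with a `message` rule.
package terraform.gcp.security.vector_search.google_vector_search_collection.example

import rego.v1

approved_regions := {"australia-southeast1", "australia-southeast2"}
sensitive_id_words := {"password", "secret", "token", "credential", "private", "pii", "customer-data"}
sensitive_fields := {"password", "token", "secret", "ssn", "credit_card", "pii", "api_key", "private_key"}

collections contains r if {
	some r in input.planned_values.root_module.resources
	r.type == "google_vector_search_collection"
}

# Defined only when a non-empty CMEK key name is set on the collection.
cmek_key(r) := key if {
	key := r.values.encryption_spec[0].crypto_key_name
	is_string(key)
	key != ""
}

# projects/P/locations/REGION/keyRings/R/cryptoKeys/K -> REGION
key_region(key) := parts[3] if {
	parts := split(key, "/")
	parts[2] == "locations"
}

# Every string key or string leaf under data_schema, lower-cased.
schema_tokens(r) := {lower(t) |
	walk(r.values.data_schema, [path, v])
	some t in array.concat(path, [v])
	is_string(t)
}

missing_cmek contains r.name if {
	some r in collections
	not cmek_key(r)
}

bad_key_region contains r.name if {
	some r in collections
	key := cmek_key(r)
	not approved_regions[key_region(key)]
}

bad_location contains r.name if {
	some r in collections
	not approved_regions[r.values.location]
}

sensitive_id contains r.name if {
	some r in collections
	some w in sensitive_id_words
	contains(lower(r.values.collection_id), w)
}

sensitive_schema contains r.name if {
	some r in collections
	some f in sensitive_fields
	f in schema_tokens(r)
}

# Same three-line shape as the messages in the CI output on this PR.
report(situation, names, remedy) := [
	sprintf("Situation 1: %s", [situation]),
	sprintf("Non-Compliant Resources: %s", [concat(", ", sort(names))]),
	sprintf("Potential Remedies: %s", [remedy]),
]

messages contains report("Vector Search Collection is not encrypted with a customer-managed encryption key.", missing_cmek, "Add encryption_spec with crypto_key_name using a Cloud KMS key.") if count(missing_cmek) > 0
messages contains report("Vector Search Collection uses a Cloud KMS key from an unapproved region.", bad_key_region, "Use a Cloud KMS key in an approved region.") if count(bad_key_region) > 0
messages contains report("Vector Search Collection is deployed in an unapproved location.", bad_location, "Set location to an approved region.") if count(bad_location) > 0
messages contains report("Vector Search Collection ID contains sensitive or risky words.", sensitive_id, "Remove sensitive words from collection_id.") if count(sensitive_id) > 0
messages contains report("Vector Search Collection data_schema contains sensitive field names.", sensitive_schema, "Remove sensitive fields from data_schema.") if count(sensitive_schema) > 0

# Constructed plan fragment standing in for the c.tf / nc.tf pair: `c` passes
# every check, `nc` fails every check except the CMEK-present one.
sample_plan := {"planned_values": {"root_module": {"resources": [
	{"type": "google_vector_search_collection", "name": "c", "values": {
		"collection_id": "product-embeddings", "location": "australia-southeast1",
		"encryption_spec": [{"crypto_key_name": "projects/p/locations/australia-southeast1/keyRings/r/cryptoKeys/k"}],
		"data_schema": [{"fields": [{"name": "title", "type": "string"}]}],
	}},
	{"type": "google_vector_search_collection", "name": "nc", "values": {
		"collection_id": "customer-data-private", "location": "us-central1",
		"encryption_spec": [{"crypto_key_name": "projects/p/locations/us-central1/keyRings/r/cryptoKeys/k"}],
		"data_schema": [{"fields": [{"name": "ssn", "type": "string"}]}],
	}},
]}}}

# `opa test` runs this; it mirrors the PR's "only nc is reported" check.
test_only_nc_reported if {
	missing_cmek == set() with input as sample_plan
	bad_key_region == {"nc"} with input as sample_plan
	bad_location == {"nc"} with input as sample_plan
	sensitive_id == {"nc"} with input as sample_plan
	sensitive_schema == {"nc"} with input as sample_plan
}
```

Run the embedded check with `opa test policy.rego`, or evaluate a real plan with `opa eval -i plan.json -d policy.rego 'data.terraform.gcp.security.vector_search.google_vector_search_collection.example.messages'`. Using `with input as sample_plan` inside a `test_` rule is the same technique the PR's per-policy plan.json fixtures rely on, just with the fixture inlined.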

@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.export_to_security_command_center.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner findings are not being exported to Security Command Center.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set export_to_security_command_center to ENABLED.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.blacklist_patterns.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config does not exclude sensitive URL patterns.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add blacklist_patterns for sensitive paths such as admin, logout, delete, payment, or account pages.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.max_qps.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config has max_qps higher than the approved security limit.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set max_qps to 15 or lower.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.custom_account_login_url.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Custom account authentication is using an insecure login URL.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use an HTTPS login_url inside authentication.custom_account.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_security_scanner.google_security_scanner_scan_config.starting_urls.message
Total Google Security Scanner Scan Config detected: 2 
['Situation 1: Security scanner scan config is using insecure HTTP starting URLs.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use HTTPS URLs in starting_urls.']
Unique resource names in plan (google_security_scanner_scan_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_security_scanner
  Resource: google_security_scanner_scan_config
    Policy: export_to_security_command_center - ✅
    Policy: blacklist_patterns - ✅
    Policy: max_qps - ✅
    Policy: custom_account_login_url - ✅
    Policy: starting_urls - ✅


OPA check: data.terraform.gcp.security.vector_search.google_vector_search_collection.sensitive_collection_id.message
Total Vector Search Collection detected: 2 
['Situation 1: Vector Search Collection ID contains sensitive or risky words.', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove sensitive words such as password, secret, token, credential, private, pii, or customer-data from collection_id.']
Unique resource names in plan (google_vector_search_collection): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vector_search.google_vector_search_collection.encryption_spec.message
Total Vector Search Collection detected: 2 
['Situation 1: Vector Search Collection is not encrypted with a customer-managed encryption key.', 'Non-Compliant Resources: nc', 'Potential Remedies: Add encryption_spec with crypto_key_name using a Cloud KMS key.']
Unique resource names in plan (google_vector_search_collection): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vector_search.google_vector_search_collection.crypto_key_region.message
Total Vector Search Collection detected: 2 
['Situation 1: Vector Search Collection uses a Cloud KMS key from an unapproved region.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use a Cloud KMS key in an approved region such as australia-southeast1 or australia-southeast2.']
Unique resource names in plan (google_vector_search_collection): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vector_search.google_vector_search_collection.sensitive_data_schema.message
Total Vector Search Collection detected: 2 
['Situation 1: Vector Search Collection data_schema contains sensitive field names.', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove sensitive fields such as password, token, secret, ssn, credit_card, pii, api_key, or private_key from data_schema.']
Unique resource names in plan (google_vector_search_collection): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.vector_search.google_vector_search_collection.approved_location.message
Total Vector Search Collection detected: 2 
['Situation 1: Vector Search Collection is deployed in an unapproved location.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to an approved region such as australia-southeast1 or australia-southeast2.']
Unique resource names in plan (google_vector_search_collection): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: vector_search
  Resource: google_vector_search_collection
    Policy: sensitive_collection_id - ✅
    Policy: encryption_spec - ✅
    Policy: crypto_key_region - ✅
    Policy: sensitive_data_schema - ✅
    Policy: approved_location - ✅


@github-actions bot added the CI-Approved label (PR approved by CI checks) on May 21, 2026