diff --git a/docs/gcp/AlloyDB/alloydb_backup.md b/docs/gcp/AlloyDB/alloydb_backup.md
new file mode 100644
index 000000000..c7fc89341
--- /dev/null
+++ b/docs/gcp/AlloyDB/alloydb_backup.md
@@ -0,0 +1,28 @@
+## 🛡️ Policy Deployment Engine: `alloydb_backup`
+
+This section provides a concise policy evaluation for the `alloydb_backup` resource in GCP.
+
+Reference: [Terraform Registry – alloydb_backup](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/alloydb_backup)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `cluster_name` | The full resource name of the backup source cluster (e.g., projects/{project}/locations/{location}/clusters/{clusterId}). | true | false | None | None | None |
+| `backup_id` | The ID of the alloydb backup. | true | false | None | None | None |
+| `location` | The location where the alloydb backup should reside. | true | false | None | None | None |
+| `display_name` | User-settable and human-readable display name for the Backup. | false | false | None | None | None |
+| `labels` | User-defined labels for the alloydb backup. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None |
+| `type` | The backup type, which suggests the trigger for the backup. Possible values are: `TYPE_UNSPECIFIED`, `ON_DEMAND`, `AUTOMATED`, `CONTINUOUS`. | false | false | None | None | None |
+| `description` | User-provided description of the backup. | false | false | None | None | None |
+| `encryption_config` | EncryptionConfig describes the encryption config of a cluster or a backup that is encrypted with a CMEK (customer-managed encryption key). Structure is [documented below](#nested_encryption_config). | false | false | None | None | None |
+| `annotations` | Annotations to allow client tools to store small amount of arbitrary data. This is distinct from labels. https://google.aip.dev/128 An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | true | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
+
+### encryption_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `kms_key_name` | The fully-qualified resource name of the KMS key. Each Cloud KMS key is regionalized and has the following format: projects/[PROJECT]/locations/[REGION]/keyRings/[RING]/cryptoKeys/[KEY_NAME]. | false | false | None | None | None |
diff --git a/docs/gcp/AlloyDB/alloydb_cluster.md b/docs/gcp/AlloyDB/alloydb_cluster.md
new file mode 100644
index 000000000..44f3ed9b4
--- /dev/null
+++ b/docs/gcp/AlloyDB/alloydb_cluster.md
@@ -0,0 +1,157 @@
+## 🛡️ Policy Deployment Engine: `alloydb_cluster`
+
+This section provides a concise policy evaluation for the `alloydb_cluster` resource in GCP.
+
+Reference: [Terraform Registry – alloydb_cluster](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/alloydb_cluster)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `cluster_id` | The ID of the alloydb cluster. | true | false | None | None | None |
+| `location` | The location where the alloydb cluster should reside. | true | false | None | None | None |
+| `labels` | User-defined labels for the alloydb cluster. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None |
+| `encryption_config` | EncryptionConfig describes the encryption config of a cluster or a backup that is encrypted with a CMEK (customer-managed encryption key). Structure is [documented below](#nested_encryption_config). | false | false | None | None | None |
+| `network_config` | Metadata related to network configuration. Structure is [documented below](#nested_network_config). | false | false | None | None | None |
+| `display_name` | User-settable and human-readable display name for the Cluster. | false | false | None | None | None |
+| `etag` | For Resource freshness validation (https://google.aip.dev/154) | false | false | None | None | None |
+| `annotations` | Annotations to allow client tools to store small amount of arbitrary data. This is distinct from labels. https://google.aip.dev/128 An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None |
+| `database_version` | The database engine major version. This is an optional field and it's populated at the Cluster creation time. Note: Changing this field to a higer version results in upgrading the AlloyDB cluster which is an irreversible change. | false | false | None | None | None |
+| `psc_config` | Configuration for Private Service Connect (PSC) for the cluster. Structure is [documented below](#nested_psc_config). | false | false | None | None | None |
+| `initial_user` | Initial user to setup during cluster creation. Structure is [documented below](#nested_initial_user). | false | false | None | None | None |
+| `restore_backup_source` | The source when restoring from a backup. Conflicts with 'restore_continuous_backup_source', both can't be set together. Structure is [documented below](#nested_restore_backup_source). | false | false | None | None | None |
+| `restore_continuous_backup_source` | The source when restoring via point in time recovery (PITR). Conflicts with 'restore_backup_source', both can't be set together. Structure is [documented below](#nested_restore_continuous_backup_source). | false | false | None | None | None |
+| `continuous_backup_config` | The continuous backup config for this cluster. If no policy is provided then the default policy will be used. The default policy takes one backup a day and retains backups for 14 days. Structure is [documented below](#nested_continuous_backup_config). | false | false | None | None | None |
+| `automated_backup_policy` | The automated backup policy for this cluster. AutomatedBackupPolicy is disabled by default. Structure is [documented below](#nested_automated_backup_policy). | false | false | None | None | None |
+| `cluster_type` | The type of cluster. If not set, defaults to PRIMARY. Default value is `PRIMARY`. Possible values are: `PRIMARY`, `SECONDARY`. | false | false | None | None | None |
+| `secondary_config` | Configuration of the secondary cluster for Cross Region Replication. This should be set if and only if the cluster is of type SECONDARY. Structure is [documented below](#nested_secondary_config). | false | false | None | None | None |
+| `maintenance_update_policy` | MaintenanceUpdatePolicy defines the policy for system updates. Structure is [documented below](#nested_maintenance_update_policy). | false | false | None | None | None |
+| `subscription_type` | The subscrition type of cluster. Possible values are: `TRIAL`, `STANDARD`. | false | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
+| `deletion_policy` | Deleting a cluster forcefully, deletes the cluster and all its associated instances within the cluster. Deleting a Secondary cluster with a secondary instance REQUIRES setting deletion_policy = "FORCE" otherwise an error is returned. This is needed as there is no support to delete just the secondary instance, and the only way to delete secondary instance is to delete the associated secondary cluster forcefully which also deletes the secondary instance. Possible values: DEFAULT, FORCE | false | false | None | None | None |
+| `skip_await_major_version_upgrade` | Possible values: true, false Default value: "true" | false | false | None | None | None |
+| `weekly_schedule` | | false | false | None | None | None |
+| `start_times` | | false | false | None | None | None |
+| `time_based_retention` | | false | false | None | None | None |
+| `quantity_based_retention` | | false | false | None | None | None |
+| `maintenance_windows` | | false | false | None | None | None |
+| `start_time` | | false | false | None | None | None |
+
+### encryption_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `kms_key_name` | The fully-qualified resource name of the KMS key. Each Cloud KMS key is regionalized and has the following format: projects/[PROJECT]/locations/[REGION]/keyRings/[RING]/cryptoKeys/[KEY_NAME]. | false | false | None | None | None |
+
+### network_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `network` | The resource link for the VPC network in which cluster resources are created and from which they are accessible via Private IP. The network must belong to the same project as the cluster. It is specified in the form: "projects/{projectNumber}/global/networks/{network_id}". | false | false | None | None | None |
+| `allocated_ip_range` | The name of the allocated IP range for the private IP AlloyDB cluster. For example: "google-managed-services-default". If set, the instance IPs for this cluster will be created in the allocated range. | false | false | None | None | None |
+
+### psc_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `psc_enabled` | Create an instance that allows connections from Private Service Connect endpoints to the instance. | false | false | None | None | None |
+| `service_owned_project_number` | (Output) The project number that needs to be allowlisted on the network attachment to enable outbound connectivity, if the network attachment is configured to ACCEPT_MANUAL connections. In case the network attachment is configured to ACCEPT_AUTOMATIC, this project number does not need to be allowlisted explicitly. | false | false | None | None | None |
+
+### initial_user Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `user` | The database username. | false | false | None | None | None |
+| `password` | The initial password for the user. **Note**: This property is sensitive and will not be displayed in the plan. | true | false | None | None | None |
+
+### restore_backup_source Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `backup_name` | The name of the backup that this cluster is restored from. | true | false | None | None | None |
+
+### restore_continuous_backup_source Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `cluster` | The name of the source cluster that this cluster is restored from. | true | false | None | None | None |
+| `point_in_time` | The point in time that this cluster is restored to, in RFC 3339 format. | true | false | None | None | None |
+
+### continuous_backup_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `enabled` | Whether continuous backup recovery is enabled. If not set, defaults to true. | false | false | None | None | None |
+| `recovery_window_days` | The numbers of days that are eligible to restore from using PITR. To support the entire recovery window, backups and logs are retained for one day more than the recovery window. If not set, defaults to 14 days. | false | false | None | None | None |
+| `encryption_config` | EncryptionConfig describes the encryption config of a cluster or a backup that is encrypted with a CMEK (customer-managed encryption key). Structure is [documented below](#nested_continuous_backup_config_encryption_config). | false | false | None | None | None |
+
+### automated_backup_policy Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `backup_window` | The length of the time window during which a backup can be taken. If a backup does not succeed within this time window, it will be canceled and considered failed. The backup window must be at least 5 minutes long. There is no upper bound on the window. If not set, it will default to 1 hour. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". | false | false | None | None | None |
+| `location` | The location where the backup will be stored. Currently, the only supported option is to store the backup in the same region as the cluster. | false | false | None | None | None |
+| `labels` | Labels to apply to backups created using this configuration. | false | false | None | None | None |
+| `encryption_config` | EncryptionConfig describes the encryption config of a cluster or a backup that is encrypted with a CMEK (customer-managed encryption key). Structure is [documented below](#nested_automated_backup_policy_encryption_config). | false | false | None | None | None |
+| `weekly_schedule` | Weekly schedule for the Backup. Structure is [documented below](#nested_automated_backup_policy_weekly_schedule). | false | false | None | None | None |
+| `time_based_retention` | Time-based Backup retention policy. Conflicts with 'quantity_based_retention', both can't be set together. Structure is [documented below](#nested_automated_backup_policy_time_based_retention). | false | false | None | None | None |
+| `quantity_based_retention` | Quantity-based Backup retention policy to retain recent backups. Conflicts with 'time_based_retention', both can't be set together. Structure is [documented below](#nested_automated_backup_policy_quantity_based_retention). | false | false | None | None | None |
+| `enabled` | Whether automated backups are enabled. | false | false | None | None | None |
+
+### secondary_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `primary_cluster_name` | Name of the primary cluster must be in the format 'projects/{project}/locations/{location}/clusters/{cluster_id}' | true | false | None | None | None |
+
+### maintenance_update_policy Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `maintenance_windows` | Preferred windows to perform maintenance. Currently limited to 1. Structure is [documented below](#nested_maintenance_update_policy_maintenance_windows). | false | false | None | None | None |
+
+### weekly_schedule Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `days_of_week` | The days of the week to perform a backup. At least one day of the week must be provided. Each value may be one of: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. | false | false | None | None | None |
+| `start_times` | The times during the day to start a backup. At least one start time must be provided. The start times are assumed to be in UTC and to be an exact hour (e.g., 04:00:00). Structure is [documented below](#nested_automated_backup_policy_weekly_schedule_start_times). | true | false | None | None | None |
+
+### start_times Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `hours` | Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. | false | false | None | None | None |
+| `minutes` | Minutes of hour of day. Currently, only the value 0 is supported. | false | false | None | None | None |
+| `seconds` | Seconds of minutes of the time. Currently, only the value 0 is supported. | false | false | None | None | None |
+| `nanos` | Fractions of seconds in nanoseconds. Currently, only the value 0 is supported. | false | false | None | None | None |
+
+### time_based_retention Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `retention_period` | The retention period. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". | false | false | None | None | None |
+
+### quantity_based_retention Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `count` | The number of backups to retain. | false | false | None | None | None |
+
+### maintenance_windows Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `day` | Preferred day of the week for maintenance, e.g. MONDAY, TUESDAY, etc. Possible values are: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. | true | false | None | None | None |
+| `start_time` | Preferred time to start the maintenance operation on the specified day. Maintenance will start within 1 hour of this time. Structure is [documented below](#nested_maintenance_update_policy_maintenance_windows_maintenance_windows_start_time). | true | false | None | None | None |
+
+### start_time Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `hours` | Hours of day in 24 hour format. Should be from 0 to 23. | true | false | None | None | None |
+| `minutes` | Minutes of hour of day. Currently, only the value 0 is supported. | false | false | None | None | None |
+| `seconds` | Seconds of minutes of the time. Currently, only the value 0 is supported. | false | false | None | None | None |
+| `nanos` | Fractions of seconds in nanoseconds. Currently, only the value 0 is supported. | false | false | None | None | None |
diff --git a/docs/gcp/AlloyDB/alloydb_instance.md b/docs/gcp/AlloyDB/alloydb_instance.md
new file mode 100644
index 000000000..fe0a243f1
--- /dev/null
+++ b/docs/gcp/AlloyDB/alloydb_instance.md
@@ -0,0 +1,123 @@
+## 🛡️ Policy Deployment Engine: `alloydb_instance`
+
+This section provides a concise policy evaluation for the `alloydb_instance` resource in GCP.
+
+Reference: [Terraform Registry – alloydb_instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/alloydb_instance)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `instance_type` | The type of the instance. If the instance type is READ_POOL, provide the associated PRIMARY/SECONDARY instance in the `depends_on` meta-data attribute. If the instance type is SECONDARY, point to the cluster_type of the associated secondary cluster instead of mentioning SECONDARY. Example: {instance_type = google_alloydb_cluster..cluster_type} instead of {instance_type = SECONDARY} If the instance type is SECONDARY, the terraform delete instance operation does not delete the secondary instance but abandons it instead. Use deletion_policy = "FORCE" in the associated secondary cluster and delete the cluster forcefully to delete the secondary cluster as well its associated secondary instance. Users can undo the delete secondary instance action by importing the deleted secondary instance by calling terraform import. Possible values are: `PRIMARY`, `READ_POOL`, `SECONDARY`. | true | false | None | None | None |
+| `cluster` | Identifies the alloydb cluster. Must be in the format 'projects/{project}/locations/{location}/clusters/{cluster_id}' | true | false | None | None | None |
+| `instance_id` | The ID of the alloydb instance. | true | false | None | None | None |
+| `labels` | User-defined labels for the alloydb instance. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None |
+| `annotations` | Annotations to allow client tools to store small amount of arbitrary data. This is distinct from labels. **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None |
+| `display_name` | User-settable and human-readable display name for the Instance. | false | false | None | None | None |
+| `gce_zone` | The Compute Engine zone that the instance should serve from, per https://cloud.google.com/compute/docs/regions-zones This can ONLY be specified for ZONAL instances. If present for a REGIONAL instance, an error will be thrown. If this is absent for a ZONAL instance, instance is created in a random zone with available capacity. | false | false | None | None | None |
+| `database_flags` | Database flags. Set at instance level. * They are copied from primary instance on read instance creation. * Read instances can set new or override existing flags that are relevant for reads, e.g. for enabling columnar cache on a read instance. Flags set on read instance may or may not be present on primary. | false | false | None | None | None |
+| `availability_type` | 'Availability type of an Instance. Defaults to REGIONAL for both primary and read instances. Note that primary and read instances can have different availability types. Primary instances can be either ZONAL or REGIONAL. Read Pool instances can also be either ZONAL or REGIONAL. Read pools of size 1 can only have zonal availability. Read pools with a node count of 2 or more can have regional availability (nodes are present in 2 or more zones in a region). Possible values are: `AVAILABILITY_TYPE_UNSPECIFIED`, `ZONAL`, `REGIONAL`.' Possible values are: `AVAILABILITY_TYPE_UNSPECIFIED`, `ZONAL`, `REGIONAL`. | false | false | None | None | None |
+| `activation_policy` | 'Specifies whether an instance needs to spin up. Once the instance is active, the activation policy can be updated to the `NEVER` to stop the instance. Likewise, the activation policy can be updated to `ALWAYS` to start the instance. There are restrictions around when an instance can/cannot be activated (for example, a read pool instance should be stopped before stopping primary etc.). Please refer to the API documentation for more details. Possible values are: `ACTIVATION_POLICY_UNSPECIFIED`, `ALWAYS`, `NEVER`.' Possible values are: `ACTIVATION_POLICY_UNSPECIFIED`, `ALWAYS`, `NEVER`. | false | false | None | None | None |
+| `query_insights_config` | Configuration for query insights. Structure is [documented below](#nested_query_insights_config). | false | false | None | None | None |
+| `observability_config` | , [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Configuration for enhanced query insights. Structure is [documented below](#nested_observability_config). | false | false | None | None | None |
+| `read_pool_config` | Read pool specific config. If the instance type is READ_POOL, this configuration must be provided. Structure is [documented below](#nested_read_pool_config). | false | false | None | None | None |
+| `machine_config` | Configurations for the machines that host the underlying database engine. Structure is [documented below](#nested_machine_config). | false | false | None | None | None |
+| `client_connection_config` | Client connection specific configurations. Structure is [documented below](#nested_client_connection_config). | false | false | None | None | None |
+| `psc_instance_config` | Configuration for Private Service Connect (PSC) for the instance. Structure is [documented below](#nested_psc_instance_config). | false | false | None | None | None |
+| `network_config` | Instance level network configuration. Structure is [documented below](#nested_network_config). | false | false | None | None | None |
+| `ssl_config` | | false | false | None | None | None |
+| `psc_interface_configs` | | false | false | None | None | None |
+| `psc_auto_connections` | | false | false | None | None | None |
+| `authorized_external_networks` | | false | false | None | None | None |
+
+### query_insights_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `query_string_length` | Query string length. The default value is 1024. Any integer between 256 and 4500 is considered valid. | false | false | None | None | None |
+| `record_application_tags` | Record application tags for an instance. This flag is turned "on" by default. | false | false | None | None | None |
+| `record_client_address` | Record client address for an instance. Client address is PII information. This flag is turned "on" by default. | false | false | None | None | None |
+| `query_plans_per_minute` | Number of query execution plans captured by Insights per minute for all queries combined. The default value is 5. Any integer between 0 and 20 is considered valid. | false | false | None | None | None |
+
+### observability_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `enabled` | Observability feature status for an instance. | false | false | None | None | None |
+| `preserve_comments` | Preserve comments in the query string. | false | false | None | None | None |
+| `track_wait_events` | Record wait events during query execution for an instance. | false | false | None | None | None |
+| `track_wait_event_types` | Record wait event types during query execution for an instance. | false | false | None | None | None |
+| `max_query_string_length` | Query string length. The default value is 10240. Any integer between 1024 and 100000 is considered valid. | false | false | None | None | None |
+| `record_application_tags` | Record application tags for an instance. This flag is turned "on" by default. | false | false | None | None | None |
+| `query_plans_per_minute` | Number of query execution plans captured by Insights per minute for all queries combined. The default value is 5. Any integer between 0 and 200 is considered valid. | false | false | None | None | None |
+| `track_active_queries` | Track actively running queries. If not set, default value is "off". | false | false | None | None | None |
+| `assistive_experiences_enabled` | Whether assistive experiences are enabled for this AlloyDB instance. | false | false | None | None | None |
+
+### read_pool_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `node_count` | Read capacity, i.e. number of nodes in a read pool instance. | false | false | None | None | None |
+
+### machine_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `cpu_count` | The number of CPU's in the VM instance. | false | false | None | None | None |
+| `machine_type` | Machine type of the VM instance. E.g. "n2-highmem-4", "n2-highmem-8", "c4a-highmem-4-lssd". `cpu_count` must match the number of vCPUs in the machine type. | false | false | None | None | None |
+
+### client_connection_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `require_connectors` | Configuration to enforce connectors only (ex: AuthProxy) connections to the database. | false | false | None | None | None |
+| `ssl_config` | SSL config option for this instance. Structure is [documented below](#nested_client_connection_config_ssl_config). | false | false | None | None | None |
+
+### psc_instance_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `service_attachment_link` | (Output) The service attachment created when Private Service Connect (PSC) is enabled for the instance. The name of the resource will be in the format of `projects//regions//serviceAttachments/` | false | false | None | None | None |
+| `allowed_consumer_projects` | List of consumer projects that are allowed to create PSC endpoints to service-attachments to this instance. These should be specified as project numbers only. | false | false | None | None | None |
+| `psc_dns_name` | (Output) The DNS name of the instance for PSC connectivity. Name convention: ...alloydb-psc.goog | false | false | None | None | None |
+| `psc_interface_configs` | Configurations for setting up PSC interfaces attached to the instance which are used for outbound connectivity. Currently, AlloyDB supports only 0 or 1 PSC interface. Structure is [documented below](#nested_psc_instance_config_psc_interface_configs). | false | false | None | None | None |
+| `psc_auto_connections` | Configurations for setting up PSC service automation. Structure is [documented below](#nested_psc_instance_config_psc_auto_connections). | false | false | None | None | None |
+
+### network_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `authorized_external_networks` | A list of external networks authorized to access this instance. This field is only allowed to be set when `enable_public_ip` is set to true. Structure is [documented below](#nested_network_config_authorized_external_networks). | false | false | None | None | None |
+| `enable_public_ip` | Enabling public ip for the instance. If a user wishes to disable this, please also clear the list of the authorized external networks set on the same instance. | false | false | None | None | None |
+| `enable_outbound_public_ip` | Enabling outbound public ip for the instance. | false | false | None | None | None |
+| `allocated_ip_range_override` | Name of the allocated IP range for the private IP AlloyDB instance, for example: "google-managed-services-default". If set, the instance IPs will be created from this allocated range and will override the IP range used by the parent cluster. The range name must comply with RFC 1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?. | false | false | None | None | None |
+
+### ssl_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `ssl_mode` | SSL mode. Specifies client-server SSL/TLS connection behavior. Possible values are: `ENCRYPTED_ONLY`, `ALLOW_UNENCRYPTED_AND_ENCRYPTED`. | false | false | None | None | None |
+
+### psc_interface_configs Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `network_attachment_resource` | The network attachment resource created in the consumer project to which the PSC interface will be linked. This is of the format: "projects/${CONSUMER_PROJECT}/regions/${REGION}/networkAttachments/${NETWORK_ATTACHMENT_NAME}". The network attachment must be in the same region as the instance. | false | false | None | None | None |
+
+### psc_auto_connections Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `consumer_project` | The consumer project to which the PSC service automation endpoint will be created. The API expects the consumer project to be the project ID( and not the project number). | false | false | None | None | None |
+| `consumer_network` | The consumer network for the PSC service automation, example: "projects/vpc-host-project/global/networks/default". The consumer network might be hosted a different project than the consumer project. The API expects the consumer project specified to be the project ID (and not the project number) | false | false | None | None | None |
+| `ip_address` | (Output) The IP address of the PSC service automation endpoint. | false | false | None | None | None |
+| `status` | (Output) The status of the PSC service automation connection. | false | false | None | None | None |
+| `consumer_network_status` | (Output) The status of the service connection policy. 
| false | false | None | None | None | + +### authorized_external_networks Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `cidr_range` | CIDR range for one authorized network of the instance. | false | false | None | None | None | diff --git a/docs/gcp/AlloyDB/alloydb_user.md b/docs/gcp/AlloyDB/alloydb_user.md new file mode 100644 index 000000000..6665e21c1 --- /dev/null +++ b/docs/gcp/AlloyDB/alloydb_user.md @@ -0,0 +1,17 @@ +## 🛡️ Policy Deployment Engine: `alloydb_user` + +This section provides a concise policy evaluation for the `alloydb_user` resource in GCP. + +Reference: [Terraform Registry – alloydb_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/alloydb_user) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `cluster` | Identifies the alloydb cluster. Must be in the format 'projects/{project}/locations/{location}/clusters/{cluster_id}' | true | false | None | None | None | +| `user_id` | The database role name of the user. | true | false | None | None | None | +| `user_type` | The type of this user. Possible values are: `ALLOYDB_BUILT_IN`, `ALLOYDB_IAM_USER`. | true | false | None | None | None | +| `password` | Password for this database user. **Note**: This property is sensitive and will not be displayed in the plan. | false | false | None | None | None | +| `database_roles` | List of database roles this database user has. | false | false | None | None | None | 
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/.terraform.lock.hcl b/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/.terraform.lock.hcl new file mode 100644 index 000000000..1eb221211 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.4.0" + hashes = [ + "h1:Kly25fXDRKIhgiID1+/+jcXPQbsCjrJ96vLISazArmY=", + "zh:05d16436e7e4895aaa0b6e9e5ff1f212f19d40462d039516e1d7835e1b0dbc82", + "zh:1256de55d4747227fa3011501934281e6c9b92af15f2d4dcecb0623ebac8986c", + "zh:1d3157a041d772a39491a25d752591b64e0f622767a670d5f529008683e25eac", + "zh:2c812ac0dea6817e2e6962743918aa9b100204f90f87b6d4523ba7b5c2024d55", + "zh:5c4a713106598a8fc3a6c28980fc492e39b26e3f1df2ed9d8f67706626db12e7", + "zh:6a77c8692a827521ff988d1d4e56d5c46de15f20c6189981162eb2b561e5b567", + "zh:6edd29a79516b0d11d5bc34cbb5e377174d21673b4ec1a0d1e7040dd7b195610", + "zh:828c8e956002c9e1d9321a631e2eccc64f9b1e1ff302098813e01280c5f1a17d", + "zh:8cb82ea8caf25d706bfd47f39d42c3fb7a98861e8f8322bb7d5eac233b03564c", + "zh:bfb4157ce153cb0c629ec7cc33ffa5b63714261b4789c8b70662bd862ad8f35d", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f97d6303d8e3a822b708b2c454f9d28a981771977e6e8e3018436a3e31eff6e9", + ] +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/c.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/c.tf new file mode 100644 index 000000000..6d2b66a5a --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/c.tf 
@@ -0,0 +1,21 @@
+resource "google_alloydb_cluster" "c" {
+ cluster_id = "c"
+ location = "us-central1"
+ project = "123"
+
+ network_config {
+ network = "projects/pde-demo/global/networks/prod-vpc"
+ }
+
+ initial_user {
+ user = "admin"
+ password = "StrongPassw0rd!"
+ }
+
+ automated_backup_policy {
+ location = "us"
+ time_based_retention {
+ retention_period = "604800s" # 7 days
+ }
+ }
+}
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/config.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/config.tf
new file mode 100644
index 000000000..7e27dca94
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/config.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/nc.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/nc.tf
new file mode 100644
index 000000000..789de3a6b
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/automated_backup_policy/nc.tf
@@ -0,0 +1,22 @@
+resource "google_alloydb_cluster" "nc" {
+ cluster_id = "nc"
+ location = "us-central1"
+ project = "123"
+
+ network_config {
+ network = "projects/pde-demo/global/networks/default"
+ }
+
+ initial_user {
+ user = "admin"
+ password = "weak-pass"
+ }
+
+
+ automated_backup_policy {
+ location = "us"
+ time_based_retention {
+ retention_period = "86400s"
+ }
+ }
+}
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/.terraform.lock.hcl b/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/.terraform.lock.hcl
new file mode 100644
index 000000000..151e79163
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/.terraform.lock.hcl
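Review bot: The compliant fixture commits a plaintext database password (`password = "StrongPassw0rd!"`) inside `initial_user`; even as a policy test input this is the pattern secret scanners flag and that readers copy into real configs. Source it from a variable instead, e.g. `password = var.initial_user_password` backed by `variable "initial_user_password" { type = string sensitive = true }`, or at minimum mark the literal as a dummy in a comment. The resource also pairs `project = "123"` with a network under `projects/pde-demo`, which suggests the fixture is never planned; if it is, the cross-project VPC needs to be deliberate. Since the policy here presumably turns on retention only, say so where it matters: `retention_period = "604800s" # compliant: >= 7 days`.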
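Review bot: The provider block carries no version constraint (`required_providers` lists only `source`), so each fixture directory resolves whatever google provider is current at `terraform init` time. The lockfiles committed in this change already disagree (7.3.0 in some directories, 7.4.0 in others), and several record `constraints = ">= 5.0.0"` that no config.tf in this change declares, which suggests they were generated from a different configuration. Add a constraint such as `version = "~> 7.3"` and regenerate the lockfiles from it, so a policy regression cannot be masked by a provider schema change between fixtures. This file is duplicated verbatim in every fixture directory; the same fix applies to each copy.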
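Review bot: Nothing in nc.tf states which attribute makes it non-compliant; it differs from c.tf in three places (network `default`, password `weak-pass`, `retention_period = "86400s"`), so a future edit to any one of them can silently change what the fixture exercises. Comment the intended violation, e.g. `retention_period = "86400s" # non-compliant: below the 7-day minimum`, and align the unrelated attributes with c.tf so the policy is tested on exactly one difference.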
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.3.0" + hashes = [ + "h1:1WxLeVFcyCHXxeujuSS2Alr72zMqDK4IaCQlGiROuD4=", + "zh:135c90b063f15c090ce82d99887032e495bbe6388764b666148ae78a776c4621", + "zh:47bb8721c29556b3b42f7c2ed73f8fdfb214609599ba819eebbe9ae33aab0e07", + "zh:532d385f6381eaee111d96296fcd9da7cdefb31b2afc81e36f390bd6ea1c5e99", + "zh:5c96018f5b722d2871ae2cf21dab9b05ec722270facd2e62393bcf89dc34852d", + "zh:703caf0829c30e3d166f61a7af208388840b384be1ec440b0955584856d22e30", + "zh:80b965cbe057eea5205c8bfd81fce642de7425dab86482f91bef136b3c1faaff", + "zh:a18b8178124d5dcd8a69bb6fc37206838f03699f2443e803142b1e2fde6f55d1", + "zh:bdddc969d92f5ecafbf762179e2291169a7e24214a52ff263aaf872b5cceb582", + "zh:e30f79beaf07618131a717734a58f7b5626c1c53d6cc14887c7098add73e0ccb", + "zh:e95fe5ec32e9eeff1d56379c84bee3fac0a7f12ea1b90f34ff7d88d469f56c23", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fec21ae17d9d4e814d65ff377fbe1e2543636aaa3439a8a7a3447e7623044a4e", + ] +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/c.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/c.tf new file mode 100644 index 000000000..9396f3cd5 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/c.tf @@ -0,0 +1,16 @@ +resource "google_alloydb_cluster" "c" { + cluster_id = "c1" + location = "us-central1" + project = "123" + + network_config { + network = "projects/p/global/networks/prod-vpc" + } + + continuous_backup_config { + enabled = true + encryption_config { + kms_key_name = "projects/p/locations/us-central1/keyRings/kr/cryptoKeys/key" + } + } +} 
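Review bot: The compliant cluster sets a CMEK only under `continuous_backup_config.encryption_config`; there is no top-level `encryption_config`, so the live data would sit under a Google-managed key while only the continuous backups use `kms_key_name`. If the policy is meant to assert customer-managed encryption for the cluster, the cluster-level block belongs here as well: `encryption_config { kms_key_name = "projects/p/locations/us-central1/keyRings/kr/cryptoKeys/key" }`. Note also that the key lives in `projects/p` while the cluster is in `project = "123"`; a cross-project key only works if the AlloyDB service agent is granted Encrypter/Decrypter on it, which a fixture cannot show, so confirm that shape is intended rather than a copy-paste artifact.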
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/config.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/config.tf
new file mode 100644
index 000000000..7e27dca94
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/config.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/nc.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/nc.tf
new file mode 100644
index 000000000..73f1ee79b
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/continuous_backup_config/nc.tf
@@ -0,0 +1,14 @@
+resource "google_alloydb_cluster" "nc" {
+ location = "us-central1"
+ cluster_id = "cluster-cbk-off"
+ project = "123"
+
+ network_config {
+ network = "projects/pde-demo/global/networks/default"
+ }
+
+ continuous_backup_config {
+ enabled = false
+
+ }
+}
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/.terraform.lock.hcl b/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/.terraform.lock.hcl
new file mode 100644
index 000000000..1eb221211
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/.terraform.lock.hcl
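Review bot: The non-compliant case covers only `enabled = false`; a cluster with `enabled = true` and no `encryption_config` is a distinct failure mode (backups on, but under a Google-managed key) that these fixtures never exercise, so a policy that only checks `enabled` would pass it. Either add a second nc fixture with `enabled = true` and no key, or comment here which of the two conditions this policy is about: `enabled = false # non-compliant: continuous backup disabled`.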
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.4.0" + hashes = [ + "h1:Kly25fXDRKIhgiID1+/+jcXPQbsCjrJ96vLISazArmY=", + "zh:05d16436e7e4895aaa0b6e9e5ff1f212f19d40462d039516e1d7835e1b0dbc82", + "zh:1256de55d4747227fa3011501934281e6c9b92af15f2d4dcecb0623ebac8986c", + "zh:1d3157a041d772a39491a25d752591b64e0f622767a670d5f529008683e25eac", + "zh:2c812ac0dea6817e2e6962743918aa9b100204f90f87b6d4523ba7b5c2024d55", + "zh:5c4a713106598a8fc3a6c28980fc492e39b26e3f1df2ed9d8f67706626db12e7", + "zh:6a77c8692a827521ff988d1d4e56d5c46de15f20c6189981162eb2b561e5b567", + "zh:6edd29a79516b0d11d5bc34cbb5e377174d21673b4ec1a0d1e7040dd7b195610", + "zh:828c8e956002c9e1d9321a631e2eccc64f9b1e1ff302098813e01280c5f1a17d", + "zh:8cb82ea8caf25d706bfd47f39d42c3fb7a98861e8f8322bb7d5eac233b03564c", + "zh:bfb4157ce153cb0c629ec7cc33ffa5b63714261b4789c8b70662bd862ad8f35d", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f97d6303d8e3a822b708b2c454f9d28a981771977e6e8e3018436a3e31eff6e9", + ] +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/c.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/c.tf new file mode 100644 index 000000000..40cc766e4 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/c.tf @@ -0,0 +1,16 @@ +resource "google_alloydb_cluster" "c" { + cluster_id = "secure-cluster" + location = "us-central1" + project = "123" + + network_config { + network = "projects/pde-demo/global/networks/default" + } + + deletion_policy = "RETAIN" + + initial_user { + user = "admin" + password = "secure-password" + } +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/config.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/config.tf new file mode 100644 index 000000000..7e27dca94 --- /dev/null 
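Review bot: `deletion_policy = "RETAIN"` is, as far as I recall, not a value the google provider accepts on google_alloydb_cluster — the argument takes `DEFAULT` or `FORCE` and governs forced deletion of attached instances, not data retention — so this fixture may fail `terraform validate` before the policy ever sees it; nc.tf's `"DESTROY"` would have the same problem. Verify against the schema of the locked provider version; if the intent is protection against accidental destruction, the Terraform-side mechanism is `lifecycle { prevent_destroy = true }`. Only the network_config directory in this change ships a plan.json, which is consistent with these fixtures not having been planned.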
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/config.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/nc.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/nc.tf
new file mode 100644
index 000000000..f5a0c6de0
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/deletion_policy/nc.tf
@@ -0,0 +1,16 @@
+resource "google_alloydb_cluster" "nc" {
+ cluster_id = "dangerous-cluster"
+ location = "us-central1"
+ project = "123"
+
+ network_config {
+ network = "projects/pde-demo/global/networks/default"
+ }
+
+ deletion_policy = "DESTROY"
+
+ initial_user {
+ user = "admin"
+ password = "weak-password"
+ }
+}
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/.terraform.lock.hcl b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/.terraform.lock.hcl
new file mode 100644
index 000000000..151e79163
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.3.0" + hashes = [ + "h1:1WxLeVFcyCHXxeujuSS2Alr72zMqDK4IaCQlGiROuD4=", + "zh:135c90b063f15c090ce82d99887032e495bbe6388764b666148ae78a776c4621", + "zh:47bb8721c29556b3b42f7c2ed73f8fdfb214609599ba819eebbe9ae33aab0e07", + "zh:532d385f6381eaee111d96296fcd9da7cdefb31b2afc81e36f390bd6ea1c5e99", + "zh:5c96018f5b722d2871ae2cf21dab9b05ec722270facd2e62393bcf89dc34852d", + "zh:703caf0829c30e3d166f61a7af208388840b384be1ec440b0955584856d22e30", + "zh:80b965cbe057eea5205c8bfd81fce642de7425dab86482f91bef136b3c1faaff", + "zh:a18b8178124d5dcd8a69bb6fc37206838f03699f2443e803142b1e2fde6f55d1", + "zh:bdddc969d92f5ecafbf762179e2291169a7e24214a52ff263aaf872b5cceb582", + "zh:e30f79beaf07618131a717734a58f7b5626c1c53d6cc14887c7098add73e0ccb", + "zh:e95fe5ec32e9eeff1d56379c84bee3fac0a7f12ea1b90f34ff7d88d469f56c23", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fec21ae17d9d4e814d65ff377fbe1e2543636aaa3439a8a7a3447e7623044a4e", + ] +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/c.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/c.tf new file mode 100644 index 000000000..ca9e02538 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/c.tf @@ -0,0 +1,8 @@ +resource "google_alloydb_instance" "c" { + cluster = "projects/pde-demo/locations/us-central1/clusters/cluster-c" + instance_id = "inst-no-public-ip" + instance_type = "PRIMARY" + gce_zone = "us-central1-a" + + network_config { enable_public_ip = false } +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/config.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/config.tf new file mode 100644 index 000000000..7e27dca94 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/config.tf 
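Review bot: This fixture is a google_alloydb_instance but is filed under `Google_alloydb_cluster/network_config`, while the other instance fixture in this change lives under `google_alloydb_instance/`; if the engine maps directory to resource type, this pair is evaluated against the wrong schema or skipped. The compliant case also pins only `enable_public_ip = false`, leaving `enable_outbound_public_ip` and `authorized_external_networks` at their defaults, so it does not show whether the policy tolerates an empty allow-list; set them explicitly or add `# compliant: private IP only, no authorized_external_networks` so the intent is recorded.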
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/nc.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/nc.tf
new file mode 100644
index 000000000..45bd90dc2
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/nc.tf
@@ -0,0 +1,8 @@
+resource "google_alloydb_instance" "nc" {
+ cluster = "projects/pde-demo/locations/us-central1/clusters/cluster-nc"
+ instance_id = "inst-public-ip"
+ instance_type = "PRIMARY"
+ gce_zone = "us-east1-b"
+
+ network_config { enable_public_ip = true }
+}
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/plan.json b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/plan.json
new file mode 100644
index 000000000..29e9dd5ed
Binary files /dev/null and b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_config/plan.json differ
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/.terraform.lock.hcl b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/.terraform.lock.hcl
new file mode 100644
index 000000000..1eb221211
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/.terraform.lock.hcl
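Review bot: The non-compliant instance places `gce_zone = "us-east1-b"` on a cluster in `locations/us-central1`; the zone must be in the cluster's region, so if this fixture is ever planned or applied the API error would mask the `enable_public_ip = true` finding the policy is meant to produce. Use a zone in the cluster region, e.g. `gce_zone = "us-central1-b"`, and annotate the intended violation: `network_config { enable_public_ip = true } # non-compliant: public IP`.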
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.4.0" + hashes = [ + "h1:Kly25fXDRKIhgiID1+/+jcXPQbsCjrJ96vLISazArmY=", + "zh:05d16436e7e4895aaa0b6e9e5ff1f212f19d40462d039516e1d7835e1b0dbc82", + "zh:1256de55d4747227fa3011501934281e6c9b92af15f2d4dcecb0623ebac8986c", + "zh:1d3157a041d772a39491a25d752591b64e0f622767a670d5f529008683e25eac", + "zh:2c812ac0dea6817e2e6962743918aa9b100204f90f87b6d4523ba7b5c2024d55", + "zh:5c4a713106598a8fc3a6c28980fc492e39b26e3f1df2ed9d8f67706626db12e7", + "zh:6a77c8692a827521ff988d1d4e56d5c46de15f20c6189981162eb2b561e5b567", + "zh:6edd29a79516b0d11d5bc34cbb5e377174d21673b4ec1a0d1e7040dd7b195610", + "zh:828c8e956002c9e1d9321a631e2eccc64f9b1e1ff302098813e01280c5f1a17d", + "zh:8cb82ea8caf25d706bfd47f39d42c3fb7a98861e8f8322bb7d5eac233b03564c", + "zh:bfb4157ce153cb0c629ec7cc33ffa5b63714261b4789c8b70662bd862ad8f35d", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f97d6303d8e3a822b708b2c454f9d28a981771977e6e8e3018436a3e31eff6e9", + ] +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/c.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/c.tf new file mode 100644 index 000000000..6406e343b --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/c.tf @@ -0,0 +1,14 @@ +resource "google_alloydb_cluster" "c" { + cluster_id = "cluster-approved" + location = "us-central1" + project = "123" + + network_config { + network = "projects/pde-demo/global/networks/prod-vpc" + } + + initial_user { + user = "admin" + password = "StrongPass1!" + } +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/config.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/config.tf new file mode 100644 index 000000000..7e27dca94 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/config.tf 
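Review bot: The only attribute separating this compliant fixture from nc.tf is the VPC name (`prod-vpc` versus `default`), so the policy under test is presumably a deny on the literal network named `default`; that passes any unapproved or auto-mode network that merely has a different name. If the intent is "approved networks only", the fixture pair should express an allow-list (add an nc case whose network is non-default but unapproved) and this file should say why its network is compliant, e.g. `# compliant: approved host-project VPC`. Both fixtures also commit the same literal `password = "StrongPass1!"` in `initial_user`; prefer a sensitive variable so the pattern is not copied.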
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/nc.tf b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/nc.tf
new file mode 100644
index 000000000..8293c797c
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_cluster/network_policy/nc.tf
@@ -0,0 +1,14 @@
+resource "google_alloydb_cluster" "nc" {
+ cluster_id = "cluster-default-vpc"
+ location = "us-central1"
+ project = "123"
+
+ network_config {
+ network = "projects/pde-demo/global/networks/default"
+ }
+
+ initial_user {
+ user = "admin"
+ password = "StrongPass1!"
+ }
+}
diff --git a/inputs/gcp/alloyDB/Google_alloydb_user/user_id/.terraform.lock.hcl b/inputs/gcp/alloyDB/Google_alloydb_user/user_id/.terraform.lock.hcl
new file mode 100644
index 000000000..c8d895589
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_user/user_id/.terraform.lock.hcl
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.3.0" + constraints = ">= 5.0.0" + hashes = [ + "h1:1WxLeVFcyCHXxeujuSS2Alr72zMqDK4IaCQlGiROuD4=", + "zh:135c90b063f15c090ce82d99887032e495bbe6388764b666148ae78a776c4621", + "zh:47bb8721c29556b3b42f7c2ed73f8fdfb214609599ba819eebbe9ae33aab0e07", + "zh:532d385f6381eaee111d96296fcd9da7cdefb31b2afc81e36f390bd6ea1c5e99", + "zh:5c96018f5b722d2871ae2cf21dab9b05ec722270facd2e62393bcf89dc34852d", + "zh:703caf0829c30e3d166f61a7af208388840b384be1ec440b0955584856d22e30", + "zh:80b965cbe057eea5205c8bfd81fce642de7425dab86482f91bef136b3c1faaff", + "zh:a18b8178124d5dcd8a69bb6fc37206838f03699f2443e803142b1e2fde6f55d1", + "zh:bdddc969d92f5ecafbf762179e2291169a7e24214a52ff263aaf872b5cceb582", + "zh:e30f79beaf07618131a717734a58f7b5626c1c53d6cc14887c7098add73e0ccb", + "zh:e95fe5ec32e9eeff1d56379c84bee3fac0a7f12ea1b90f34ff7d88d469f56c23", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fec21ae17d9d4e814d65ff377fbe1e2543636aaa3439a8a7a3447e7623044a4e", + ] +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_user/user_id/c.tf b/inputs/gcp/alloyDB/Google_alloydb_user/user_id/c.tf new file mode 100644 index 000000000..5ee9406f6 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_user/user_id/c.tf @@ -0,0 +1,6 @@ + +resource "google_alloydb_user" "c" { + cluster = "projects/p/locations/us-central1/clusters/cluster-c" + user_id = "pde_allowed_user" + user_type = "ALLOYDB_BUILT_IN" +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_user/user_id/config.tf b/inputs/gcp/alloyDB/Google_alloydb_user/user_id/config.tf new file mode 100644 index 000000000..7e27dca94 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_user/user_id/config.tf 
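Review bot: The compliant user here is `ALLOYDB_BUILT_IN`, while the user_type fixtures in this same change treat a built-in user as the non-compliant case; if the engine evaluates all policies against every input, this fixture fails on user_type even though it passes user_id. Either switch this compliant case to `user_type = "ALLOYDB_IAM_USER"` so it satisfies both policies, or state in a comment that each fixture directory is evaluated only against its own policy. The built-in user is also declared with no `password` and no `database_roles`; if that is deliberate for the fixture, say so, since a password-less built-in role is not what a reader would expect a "compliant" example to model.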
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/Google_alloydb_user/user_id/nc.tf b/inputs/gcp/alloyDB/Google_alloydb_user/user_id/nc.tf
new file mode 100644
index 000000000..6216a0a26
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_user/user_id/nc.tf
@@ -0,0 +1,6 @@
+
+resource "google_alloydb_user" "nc" {
+ cluster = "projects/p/locations/us-central1/clusters/cluster-nc"
+ user_id = "root"
+ user_type = "ALLOYDB_BUILT_IN"
+}
diff --git a/inputs/gcp/alloyDB/Google_alloydb_user/user_type/.terraform.lock.hcl b/inputs/gcp/alloyDB/Google_alloydb_user/user_type/.terraform.lock.hcl
new file mode 100644
index 000000000..c8d895589
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_user/user_type/.terraform.lock.hcl
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.3.0" + constraints = ">= 5.0.0" + hashes = [ + "h1:1WxLeVFcyCHXxeujuSS2Alr72zMqDK4IaCQlGiROuD4=", + "zh:135c90b063f15c090ce82d99887032e495bbe6388764b666148ae78a776c4621", + "zh:47bb8721c29556b3b42f7c2ed73f8fdfb214609599ba819eebbe9ae33aab0e07", + "zh:532d385f6381eaee111d96296fcd9da7cdefb31b2afc81e36f390bd6ea1c5e99", + "zh:5c96018f5b722d2871ae2cf21dab9b05ec722270facd2e62393bcf89dc34852d", + "zh:703caf0829c30e3d166f61a7af208388840b384be1ec440b0955584856d22e30", + "zh:80b965cbe057eea5205c8bfd81fce642de7425dab86482f91bef136b3c1faaff", + "zh:a18b8178124d5dcd8a69bb6fc37206838f03699f2443e803142b1e2fde6f55d1", + "zh:bdddc969d92f5ecafbf762179e2291169a7e24214a52ff263aaf872b5cceb582", + "zh:e30f79beaf07618131a717734a58f7b5626c1c53d6cc14887c7098add73e0ccb", + "zh:e95fe5ec32e9eeff1d56379c84bee3fac0a7f12ea1b90f34ff7d88d469f56c23", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fec21ae17d9d4e814d65ff377fbe1e2543636aaa3439a8a7a3447e7623044a4e", + ] +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_user/user_type/c.tf b/inputs/gcp/alloyDB/Google_alloydb_user/user_type/c.tf new file mode 100644 index 000000000..ea1c25f04 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_user/user_type/c.tf @@ -0,0 +1,5 @@ +resource "google_alloydb_user" "c" { + cluster = "projects/p/locations/us-central1/clusters/cluster-c" + user_id = "analyst@example.com" + user_type = "ALLOYDB_IAM_USER" +} diff --git a/inputs/gcp/alloyDB/Google_alloydb_user/user_type/config.tf b/inputs/gcp/alloyDB/Google_alloydb_user/user_type/config.tf new file mode 100644 index 000000000..7e27dca94 --- /dev/null +++ b/inputs/gcp/alloyDB/Google_alloydb_user/user_type/config.tf 
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/Google_alloydb_user/user_type/nc.tf b/inputs/gcp/alloyDB/Google_alloydb_user/user_type/nc.tf
new file mode 100644
index 000000000..2067a5923
--- /dev/null
+++ b/inputs/gcp/alloyDB/Google_alloydb_user/user_type/nc.tf
@@ -0,0 +1,5 @@
+resource "google_alloydb_user" "nc" {
+ cluster = "projects/p/locations/us-central1/clusters/cluster-nc"
+ user_id = "dbapp_user"
+ user_type = "ALLOYDB_BUILT_IN"
+}
diff --git a/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/.terraform.lock.hcl b/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/.terraform.lock.hcl
new file mode 100644
index 000000000..151e79163
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.3.0" + hashes = [ + "h1:1WxLeVFcyCHXxeujuSS2Alr72zMqDK4IaCQlGiROuD4=", + "zh:135c90b063f15c090ce82d99887032e495bbe6388764b666148ae78a776c4621", + "zh:47bb8721c29556b3b42f7c2ed73f8fdfb214609599ba819eebbe9ae33aab0e07", + "zh:532d385f6381eaee111d96296fcd9da7cdefb31b2afc81e36f390bd6ea1c5e99", + "zh:5c96018f5b722d2871ae2cf21dab9b05ec722270facd2e62393bcf89dc34852d", + "zh:703caf0829c30e3d166f61a7af208388840b384be1ec440b0955584856d22e30", + "zh:80b965cbe057eea5205c8bfd81fce642de7425dab86482f91bef136b3c1faaff", + "zh:a18b8178124d5dcd8a69bb6fc37206838f03699f2443e803142b1e2fde6f55d1", + "zh:bdddc969d92f5ecafbf762179e2291169a7e24214a52ff263aaf872b5cceb582", + "zh:e30f79beaf07618131a717734a58f7b5626c1c53d6cc14887c7098add73e0ccb", + "zh:e95fe5ec32e9eeff1d56379c84bee3fac0a7f12ea1b90f34ff7d88d469f56c23", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fec21ae17d9d4e814d65ff377fbe1e2543636aaa3439a8a7a3447e7623044a4e", + ] +} diff --git a/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/c.tf b/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/c.tf new file mode 100644 index 000000000..07e83b4c2 --- /dev/null +++ b/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/c.tf @@ -0,0 +1,15 @@ + +resource "google_alloydb_backup" "c" { + location = "us-central1" + backup_id = "alloydb-backup" + cluster_name = "projects/p/locations/us-central1/clusters/cluster-c" + project = "123" + type = "ON_DEMAND" + + labels = { + label = "key" + } + + +} + diff --git a/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/config.tf b/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/config.tf new file mode 100644 index 000000000..7e27dca94 --- /dev/null 
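Review bot: The compliant fixture for `continuous_backup_encrypt_enable` contains no `encryption_config` at all, so it is indistinguishable from nc.tf in every attribute a CMEK policy could check — the two differ only in `backup_id` and a `labels` block — and the policy evaluated on these inputs must either fail the compliant case or pass both. Add the key here: `encryption_config { kms_key_name = "projects/p/locations/us-central1/keyRings/kr/cryptoKeys/key" }`, and put a comment in nc.tf naming the block it deliberately omits. The directory name also says "continuous backup" while the resource is an `ON_DEMAND` google_alloydb_backup; continuous-backup encryption is a cluster attribute (`continuous_backup_config.encryption_config`), so rename one of the two to match what is actually tested.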
+++ b/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/config.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/nc.tf b/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/nc.tf
new file mode 100644
index 000000000..d0ae842e4
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_backup/continuous_backup_encrypt_enable/nc.tf
@@ -0,0 +1,12 @@
+
+resource "google_alloydb_backup" "nc" {
+ location = "us-central1"
+ backup_id = "backup-cmek-off"
+ cluster_name = "projects/p/locations/us-central1/clusters/cluster-nc"
+ project = "123"
+
+
+ type = "ON_DEMAND"
+
+
+}
diff --git a/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/.terraform.lock.hcl b/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/.terraform.lock.hcl
new file mode 100644
index 000000000..c8d895589
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/.terraform.lock.hcl
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.3.0" + constraints = ">= 5.0.0" + hashes = [ + "h1:1WxLeVFcyCHXxeujuSS2Alr72zMqDK4IaCQlGiROuD4=", + "zh:135c90b063f15c090ce82d99887032e495bbe6388764b666148ae78a776c4621", + "zh:47bb8721c29556b3b42f7c2ed73f8fdfb214609599ba819eebbe9ae33aab0e07", + "zh:532d385f6381eaee111d96296fcd9da7cdefb31b2afc81e36f390bd6ea1c5e99", + "zh:5c96018f5b722d2871ae2cf21dab9b05ec722270facd2e62393bcf89dc34852d", + "zh:703caf0829c30e3d166f61a7af208388840b384be1ec440b0955584856d22e30", + "zh:80b965cbe057eea5205c8bfd81fce642de7425dab86482f91bef136b3c1faaff", + "zh:a18b8178124d5dcd8a69bb6fc37206838f03699f2443e803142b1e2fde6f55d1", + "zh:bdddc969d92f5ecafbf762179e2291169a7e24214a52ff263aaf872b5cceb582", + "zh:e30f79beaf07618131a717734a58f7b5626c1c53d6cc14887c7098add73e0ccb", + "zh:e95fe5ec32e9eeff1d56379c84bee3fac0a7f12ea1b90f34ff7d88d469f56c23", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fec21ae17d9d4e814d65ff377fbe1e2543636aaa3439a8a7a3447e7623044a4e", + ] +} diff --git a/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/c.tf b/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/c.tf new file mode 100644 index 000000000..65e5781f8 --- /dev/null +++ b/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/c.tf @@ -0,0 +1,7 @@ +resource "google_alloydb_backup" "c" { + location = "us-central1" + cluster_name = "projects/p/locations/us-central1/clusters/cluster-c" + backup_id = "backup-loc-allowed" + project = "123" + +} diff --git a/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/config.tf b/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/config.tf new file mode 100644 index 000000000..7e27dca94 --- /dev/null +++ b/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/config.tf 
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/nc.tf b/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/nc.tf
new file mode 100644
index 000000000..5fdff41f8
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_backup/locations_policy/nc.tf
@@ -0,0 +1,6 @@
+resource "google_alloydb_backup" "nc" {
+ location = "us-west2"
+ cluster_name = "projects/p/locations/us-central1/clusters/cluster-nc"
+ backup_id = "backup-loc-deny"
+ project = "123"
+}
diff --git a/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/.terraform.lock.hcl b/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/.terraform.lock.hcl
new file mode 100644
index 000000000..c8d895589
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/.terraform.lock.hcl
@@ -0,0 +1,22 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.3.0"
+ constraints = ">= 5.0.0"
+ hashes = [
+ "h1:1WxLeVFcyCHXxeujuSS2Alr72zMqDK4IaCQlGiROuD4=",
+ "zh:135c90b063f15c090ce82d99887032e495bbe6388764b666148ae78a776c4621",
+ "zh:47bb8721c29556b3b42f7c2ed73f8fdfb214609599ba819eebbe9ae33aab0e07",
+ "zh:532d385f6381eaee111d96296fcd9da7cdefb31b2afc81e36f390bd6ea1c5e99",
+ "zh:5c96018f5b722d2871ae2cf21dab9b05ec722270facd2e62393bcf89dc34852d",
+ "zh:703caf0829c30e3d166f61a7af208388840b384be1ec440b0955584856d22e30",
+ "zh:80b965cbe057eea5205c8bfd81fce642de7425dab86482f91bef136b3c1faaff",
+ "zh:a18b8178124d5dcd8a69bb6fc37206838f03699f2443e803142b1e2fde6f55d1",
+ "zh:bdddc969d92f5ecafbf762179e2291169a7e24214a52ff263aaf872b5cceb582",
+ "zh:e30f79beaf07618131a717734a58f7b5626c1c53d6cc14887c7098add73e0ccb",
+ "zh:e95fe5ec32e9eeff1d56379c84bee3fac0a7f12ea1b90f34ff7d88d469f56c23",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fec21ae17d9d4e814d65ff377fbe1e2543636aaa3439a8a7a3447e7623044a4e",
+ ]
+}
diff --git a/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/c.tf b/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/c.tf
new file mode 100644
index 000000000..0e9c04890
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/c.tf
@@ -0,0 +1,13 @@
+resource "google_alloydb_instance" "c" {
+ cluster = "projects/p/locations/us-central1/clusters/cluster-c"
+ instance_id = "inst-ssl-on"
+ instance_type = "PRIMARY"
+ gce_zone = "us-central1-a"
+
+ client_connection_config {
+ ssl_config {
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+
+ }
+}
diff --git a/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/config.tf b/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/config.tf
new file mode 100644
index 000000000..7e27dca94
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/config.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/nc.tf b/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/nc.tf
new file mode 100644
index 000000000..302308e0e
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_instance/client_connection_config/nc.tf
@@ -0,0 +1,12 @@
+resource "google_alloydb_instance" "nc" {
+ cluster = "projects/p/locations/us-central1/clusters/cluster-nc"
+ instance_id = "inst-ssl-off"
+ instance_type = "PRIMARY"
+ gce_zone = "us-central1-a"
+
+ client_connection_config {
+ ssl_config {
+ ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+ }
+ }
+}
diff --git a/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/.terraform.lock.hcl b/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/.terraform.lock.hcl
new file mode 100644
index 000000000..1eb221211
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.4.0"
+ hashes = [
+ "h1:Kly25fXDRKIhgiID1+/+jcXPQbsCjrJ96vLISazArmY=",
+ "zh:05d16436e7e4895aaa0b6e9e5ff1f212f19d40462d039516e1d7835e1b0dbc82",
+ "zh:1256de55d4747227fa3011501934281e6c9b92af15f2d4dcecb0623ebac8986c",
+ "zh:1d3157a041d772a39491a25d752591b64e0f622767a670d5f529008683e25eac",
+ "zh:2c812ac0dea6817e2e6962743918aa9b100204f90f87b6d4523ba7b5c2024d55",
+ "zh:5c4a713106598a8fc3a6c28980fc492e39b26e3f1df2ed9d8f67706626db12e7",
+ "zh:6a77c8692a827521ff988d1d4e56d5c46de15f20c6189981162eb2b561e5b567",
+ "zh:6edd29a79516b0d11d5bc34cbb5e377174d21673b4ec1a0d1e7040dd7b195610",
+ "zh:828c8e956002c9e1d9321a631e2eccc64f9b1e1ff302098813e01280c5f1a17d",
+ "zh:8cb82ea8caf25d706bfd47f39d42c3fb7a98861e8f8322bb7d5eac233b03564c",
+ "zh:bfb4157ce153cb0c629ec7cc33ffa5b63714261b4789c8b70662bd862ad8f35d",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f97d6303d8e3a822b708b2c454f9d28a981771977e6e8e3018436a3e31eff6e9",
+ ]
+}
diff --git a/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/c.tf b/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/c.tf
new file mode 100644
index 000000000..ca9e02538
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/c.tf
@@ -0,0 +1,8 @@
+resource "google_alloydb_instance" "c" {
+ cluster = "projects/pde-demo/locations/us-central1/clusters/cluster-c"
+ instance_id = "inst-no-public-ip"
+ instance_type = "PRIMARY"
+ gce_zone = "us-central1-a"
+
+ network_config { enable_public_ip = false }
+}
diff --git a/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/config.tf b/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/config.tf
new file mode 100644
index 000000000..7e27dca94
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/config.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/nc.tf b/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/nc.tf
new file mode 100644
index 000000000..45bd90dc2
--- /dev/null
+++ b/inputs/gcp/alloyDB/google_alloydb_instance/google_alloydb_instance_network_config_public_ip_disabled/nc.tf
@@ -0,0 +1,8 @@
+resource "google_alloydb_instance" "nc" {
+ cluster = "projects/pde-demo/locations/us-central1/clusters/cluster-nc"
+ instance_id = "inst-public-ip"
+ instance_type = "PRIMARY"
+ gce_zone = "us-east1-b"
+
+ network_config { enable_public_ip = true }
+}
diff --git a/policies/gcp/alloydb/Google_alloydb_Instance/client_connection_config/policy.rego b/policies/gcp/alloydb/Google_alloydb_Instance/client_connection_config/policy.rego
new file mode 100644
index 000000000..179ccbcab
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_Instance/client_connection_config/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.alloydb.google_alloydb_instance.client_connection_config
+
+import data.terraform.helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_instance.vars
+
+conditions := [[
+ {
+ "situation_description": "Instance must require SSL/TLS for client connections.",
+ "remedies": ["Set client_connection_config.ssl_config.ssl_mode to ENCRYPTED_ONLY."],
+ },
+ {
+ "condition": "SSL mode must be ENCRYPTED_ONLY.",
+ "attribute_path": ["client_connection_config", "ssl_config", "ssl_mode"],
+ "values": ["ENCRYPTED_ONLY"],
+ "policy_type": "whitelist",
+ },
+]]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/alloydb/Google_alloydb_Instance/google_alloydb_instance_network_config_public_ip_disabled/policy.rego b/policies/gcp/alloydb/Google_alloydb_Instance/google_alloydb_instance_network_config_public_ip_disabled/policy.rego
new file mode 100644
index 000000000..1dc2bee68
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_Instance/google_alloydb_instance_network_config_public_ip_disabled/policy.rego
@@ -0,0 +1,20 @@
+package terraform.gcp.security.alloydb.google_alloydb_instance.network_config_public_ip_disabled
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_instance.vars as vars
+
+conditions := [[
+ {
+ "situation_description": "Public IP must be disabled on the AlloyDB instance.",
+ "remedies": ["Set network_config.enable_public_ip = false."],
+ },
+ {
+ "condition": "Public IP must be disabled.",
+ "attribute_path": ["network_config", 0, "enable_public_ip"],
+ "values": [false],
+ "policy_type": "whitelist",
+ },
+]]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
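Review bot: The `client_connection_config` policy's `attribute_path` is `["client_connection_config", "ssl_config", "ssl_mode"]` with no list index, while the `network_config_public_ip_disabled` policy on the same line uses `["network_config", 0, "enable_public_ip"]`. Nested blocks appear as lists in Terraform plan JSON, so if the helper indexes the path literally the SSL check will never resolve the attribute and will pass or fail vacuously depending on the helper; if the indices are required it should read `["client_connection_config", 0, "ssl_config", 0, "ssl_mode"]`. The same unindexed form appears in `automated_backup_policy`, `continuous_backup_config` and the backup `continuous_backup_encrypt_enable` policy later in this diff; running the `c.tf`/`nc.tf` pairs through the evaluator would settle which form the helper expects. This file also imports `data.terraform.helpers` without the `as helpers` alias used everywhere else — equivalent in Rego, but worth matching for consistency.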
diff --git a/policies/gcp/alloydb/Google_alloydb_Instance/vars.rego b/policies/gcp/alloydb/Google_alloydb_Instance/vars.rego
new file mode 100644
index 000000000..d1145a579
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_Instance/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.alloydb.google_alloydb_instance.vars
+
+variables := {
+ "friendly_resource_name": "AlloyDB Instance",
+ "resource_type": "google_alloydb_instance",
+ "resource_value_name": "instance_id",
+}
diff --git a/policies/gcp/alloydb/Google_alloydb_cluster/automated_backup_policy/policy.rego b/policies/gcp/alloydb/Google_alloydb_cluster/automated_backup_policy/policy.rego
new file mode 100644
index 000000000..a691e595f
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_cluster/automated_backup_policy/policy.rego
@@ -0,0 +1,22 @@
+package terraform.gcp.security.alloydb.google_alloydb_cluster.automated_backup_policy
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_cluster.vars as vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Automated backups must use a minimum time-based retention.",
+ "remedies": ["Set automated_backup_policy.time_based_retention.retention_period to at least 7 days."],
+ },
+ {
+ "condition": "Retention period must be at least 7 days.",
+ "attribute_path": ["automated_backup_policy", "time_based_retention", "retention_period"],
+ "values": [604800],
+ "policy_type": "min",
+ },
+ ],
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/alloydb/Google_alloydb_cluster/continuous_backup_config/policy.rego b/policies/gcp/alloydb/Google_alloydb_cluster/continuous_backup_config/policy.rego
new file mode 100644
index 000000000..a3472625e
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_cluster/continuous_backup_config/policy.rego
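Review bot: The `automated_backup_policy` check compares `retention_period` against the integer `604800` with `policy_type: "min"`, but the google provider documents `time_based_retention.retention_period` as a duration string terminated by `s` (for example `"604800s"`), so a numeric minimum is unlikely to compare correctly unless the helper parses duration strings. Confirm how the `min` comparator treats string values; if it does not parse them, the policy needs either a duration-aware comparison in the helper or a different attribute. There are also no `c.tf`/`nc.tf` fixtures for any of the cluster policies in this diff, unlike the instance and backup policies, so a mismatch like this would not be caught by the fixture run.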
@@ -0,0 +1,20 @@
+package terraform.gcp.security.alloydb.google_alloydb_cluster.continuous_backup_config
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_cluster.vars as vars
+
+conditions := [[
+ {
+ "situation_description": "Continuous backup must be enabled.",
+ "remedies": ["Set continuous_backup_config.enabled = true."],
+ },
+ {
+ "condition": "enabled must be true.",
+ "attribute_path": ["continuous_backup_config", "enabled"],
+ "values": [true],
+ "policy_type": "whitelist",
+ },
+]]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/alloydb/Google_alloydb_cluster/deletion_policy/policy.rego b/policies/gcp/alloydb/Google_alloydb_cluster/deletion_policy/policy.rego
new file mode 100644
index 000000000..5d678ae78
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_cluster/deletion_policy/policy.rego
@@ -0,0 +1,20 @@
+package terraform.gcp.security.alloydb.google_alloydb_cluster.deletion_policy
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_cluster.vars as vars
+
+conditions := [[
+ {
+ "situation_description": "AlloyDB Cluster must be protected from accidental deletion.",
+ "remedies": ["Set deletion_policy = RETAIN (recommended)."],
+ },
+ {
+ "condition": "deletion_policy must be RETAIN.",
+ "attribute_path": ["deletion_policy"],
+ "values": ["RETAIN"],
+ "policy_type": "whitelist",
+ },
+]]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/alloydb/Google_alloydb_cluster/network_config/policy.rego b/policies/gcp/alloydb/Google_alloydb_cluster/network_config/policy.rego
new file mode 100644
index 000000000..b6478d2c4
--- /dev/null
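Review bot: The `deletion_policy` check whitelists `RETAIN`, but for `google_alloydb_cluster` the provider documents `deletion_policy` as controlling forced deletion of the cluster and its instances (the documented values are `DEFAULT` and `FORCE` as far as I can tell — please verify on the registry page), so a whitelist of `RETAIN` would flag every cluster, including correctly configured ones. If the intent is protection from accidental destruction, the cluster's deletion-protection attribute is the usual mechanism and both the `attribute_path` and the remedy text should point at it instead. The `continuous_backup_config` policy on this line looks right, though its `["continuous_backup_config", "enabled"]` path is unindexed like the paths noted on the `client_connection_config` policy.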
+++ b/policies/gcp/alloydb/Google_alloydb_cluster/network_config/policy.rego
@@ -0,0 +1,23 @@
+package terraform.gcp.security.alloydb.google_alloydb_cluster.network_config
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_cluster.vars as vars
+
+conditions := [[
+ {
+ "situation_description": "AlloyDB cluster must use an approved VPC network.",
+ "remedies": ["Set the top-level network field to one of the approved VPC self_links (projects/

/global/networks/)."],
+ },
+ {
+ "condition": "VPC network must be on the allowlist.",
+ "attribute_path": ["network_config", 0, "network" ],
+ "values": [
+ "projects/pde-demo/global/networks/prod-vpc",
+ "projects/shared-host-project/global/networks/shared-vpc"
+ ],
+ "policy_type": "whitelist",
+ },
+]]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/alloydb/Google_alloydb_cluster/network_policy/policy.rego b/policies/gcp/alloydb/Google_alloydb_cluster/network_policy/policy.rego
new file mode 100644
index 000000000..5c0b89d84
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_cluster/network_policy/policy.rego
@@ -0,0 +1,23 @@
+package terraform.gcp.security.alloydb.google_alloydb_cluster.network_policy
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_cluster.vars as vars
+
+conditions := [[
+ {
+ "situation_description": "AlloyDB Cluster must use an approved VPC network.",
+ "remedies": ["Set network_config.network to one of the approved VPC self-links."],
+ },
+ {
+ "condition": "network must be on the allowlist.",
+ "attribute_path": ["network_config", 0, "network"],
+ "values": [
+ "projects/pde-demo/global/networks/prod-vpc",
+ "projects/shared-host-project/global/networks/shared-vpc"
+ ],
+ "policy_type": "whitelist",
+ },
+]]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/alloydb/Google_alloydb_cluster/vars.rego b/policies/gcp/alloydb/Google_alloydb_cluster/vars.rego
new file mode 100644
index 000000000..8adc1300e
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_cluster/vars.rego
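Review bot: `network_config/policy.rego` and `network_policy/policy.rego` are duplicates: both check `["network_config", 0, "network"]` against the same two-entry allowlist, so one misconfigured cluster would be reported twice and the two lists will drift apart as soon as one is edited; keep one (the `network_policy` variant has the cleaner remedy text). As rendered here the `network_config` remedy string reads `(projects/` … `/global/networks/)` with whatever stood between lost, and `"network" ]` has stray spacing, so the committed file should be checked for the intended placeholder text. Both allowlists also hard-code environment-specific networks (`pde-demo`, `shared-host-project`); that belongs in a data document or the `vars` package rather than in a shared rule, so other deployments can supply their own approved networks without editing the policy.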
@@ -0,0 +1,7 @@
+package terraform.gcp.security.alloydb.google_alloydb_cluster.vars
+
+variables := {
+ "friendly_resource_name": "AlloyDB Cluster",
+ "resource_type": "google_alloydb_cluster",
+ "resource_value_name": "cluster_id"
+}
diff --git a/policies/gcp/alloydb/Google_alloydb_user/user_id/policy.rego b/policies/gcp/alloydb/Google_alloydb_user/user_id/policy.rego
new file mode 100644
index 000000000..5bb4dd425
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_user/user_id/policy.rego
@@ -0,0 +1,25 @@
+package terraform.gcp.security.alloydb.google_alloydb_user.user_id
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_user.vars as vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Reserved or privileged usernames are not allowed.",
+ "remedies": [
+ "Choose a non-privileged username (e.g., team/project prefix).",
+ "Avoid reserved names like postgres, root, admin."
+ ],
+ },
+ {
+ "condition": "user_id must not be a reserved name.",
+ "attribute_path": ["user_id"],
+ "values": ["postgres", "root", "admin"],
+ "policy_type": "blacklist",
+ },
+ ],
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/alloydb/Google_alloydb_user/user_type/policy.rego b/policies/gcp/alloydb/Google_alloydb_user/user_type/policy.rego
new file mode 100644
index 000000000..b005bb09d
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_user/user_type/policy.rego
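Review bot: The `user_id` blacklist matches only the exact strings `postgres`, `root` and `admin`; unless the helper normalizes case, `Postgres` or `ADMIN` pass, and common variants such as `administrator` or `superuser` are not listed at all. Confirm whether `blacklist` compares case-sensitively and, if it does, consider a case-insensitive comparison in the helper (or a pattern-based policy type if one exists); the remedy already says "reserved names like …", so the list is a sample rather than exhaustive and the `condition` text should say so. The cluster `vars.rego` on this line omits the trailing comma after `"cluster_id"` that the other `vars.rego` files use — valid Rego, style only.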
@@ -0,0 +1,25 @@
+package terraform.gcp.security.alloydb.google_alloydb_user.user_type
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_user.vars as vars
+
+conditions := [
+ [
+ {
+ "situation_description": "AlloyDB database users must use IAM-based authentication (avoid password-based built-in users).",
+ "remedies": [
+ "Set user_type to ALLOYDB_IAM_USER.",
+ "Enable IAM authentication on the instance and grant the required IAM roles for database access."
+ ],
+ },
+ {
+ "condition": "user_type must be ALLOYDB_IAM_USER.",
+ "attribute_path": ["user_type"],
+ "values": ["ALLOYDB_IAM_USER"],
+ "policy_type": "whitelist",
+ },
+ ],
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/alloydb/Google_alloydb_user/vars.rego b/policies/gcp/alloydb/Google_alloydb_user/vars.rego
new file mode 100644
index 000000000..76bbfc9ed
--- /dev/null
+++ b/policies/gcp/alloydb/Google_alloydb_user/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.alloydb.google_alloydb_user.vars
+
+variables := {
+ "friendly_resource_name": "AlloyDB User",
+ "resource_type": "google_alloydb_user",
+ "resource_value_name": "user_id",
+}
diff --git a/policies/gcp/alloydb/google_alloydb_backup/continuous_backup_encrypt_enable/policy.rego b/policies/gcp/alloydb/google_alloydb_backup/continuous_backup_encrypt_enable/policy.rego
new file mode 100644
index 000000000..07b0cea2b
--- /dev/null
+++ b/policies/gcp/alloydb/google_alloydb_backup/continuous_backup_encrypt_enable/policy.rego
@@ -0,0 +1,23 @@
+package terraform.gcp.security.alloydb.google_alloydb_backup.continuous_backup_encrypt_enable
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_backup.vars as vars
+
+conditions := [[
+ {
+ "situation_description": "Backup created without CMEK.",
+ "remedies": [
+ "Set encryption_config.kms_key_name to a valid KMS key self-link.",
+ "Ensure the key is in a compatible region and IAM grants allow AlloyDB to use it."
+ ],
+ },
+ {
+ "condition": "CMEK must be specified.",
+ "attribute_path": ["encryption_config", "kms_key_name"],
+ "values": [null, ""],
+ "policy_type": "blacklist",
+ },
+]]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/alloydb/google_alloydb_backup/locations_policy/policy.rego b/policies/gcp/alloydb/google_alloydb_backup/locations_policy/policy.rego
new file mode 100644
index 000000000..52cfebbc3
--- /dev/null
+++ b/policies/gcp/alloydb/google_alloydb_backup/locations_policy/policy.rego
@@ -0,0 +1,24 @@
+package terraform.gcp.security.alloydb.google_alloydb_backup.locations_policy
+
+import data.terraform.helpers as helpers
+import data.terraform.gcp.security.alloydb.google_alloydb_backup.vars as vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup location must be in an approved Australia region allowlist.",
+ "remedies": ["Use one of: australia-southeast1, australia-southeast2."],
+ },
+ {
+ "condition": "Location must be on the allowlist.",
+ "attribute_path": ["location"],
+ "values": ["australia-southeast1", "australia-southeast2"],
+ "policy_type": "whitelist",
+ },
+ ],
+]
+
+summary := {
+ "message": helpers.get_multi_summary(conditions, vars.variables).message,
+ "details": helpers.get_multi_summary(conditions, vars.variables).details,
+}
\ No newline at end of file
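Review bot: `locations_policy/policy.rego` exports `summary := {"message": ..., "details": ...}` while every other policy in this change exports top-level `message` and `details`; whatever consumes these packages will presumably look for the latter, so this policy would yield no finding at all. Replace the `summary` object with `message := helpers.get_multi_summary(conditions, vars.variables).message` and `details := helpers.get_multi_summary(conditions, vars.variables).details`, and add the missing trailing newline. For the `continuous_backup_encrypt_enable` policy on the same line, the directory, package and policy name say "continuous backup" but the rule is a CMEK check on `google_alloydb_backup`; a name that says what it enforces (something like `backup_cmek_required`) would avoid confusion with the cluster's `continuous_backup_config` policy, and its `situation_description` ("Backup created without CMEK.") is the only one in the set phrased as an observation rather than a requirement.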
diff --git a/policies/gcp/alloydb/google_alloydb_backup/vars.rego b/policies/gcp/alloydb/google_alloydb_backup/vars.rego
new file mode 100644
index 000000000..50148fc11
--- /dev/null
+++ b/policies/gcp/alloydb/google_alloydb_backup/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.alloydb.google_alloydb_backup.vars
+
+variables := {
+ "friendly_resource_name": "AlloyDB Backup",
+ "resource_type": "google_alloydb_backup",
+ "resource_value_name": "name",
+}
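Review bot: The backup `vars.rego` sets `resource_value_name` to `name`, whereas the instance, cluster and user `vars.rego` files all use the user-supplied identifier (`instance_id`, `cluster_id`, `user_id`). For `google_alloydb_backup` the configured identifier is `backup_id` (it is the required argument in the docs table at the top of this diff and the field every fixture sets); `name` is assigned by the API, so it is unlikely to be present in a plan's configuration and findings would probably be reported without a resource value. Likely fix: `"resource_value_name": "backup_id",`.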