28 changes: 28 additions & 0 deletions docs/gcp/AlloyDB/alloydb_backup.md
@@ -0,0 +1,28 @@
## 🛡️ Policy Deployment Engine: `alloydb_backup`

This section provides a concise policy evaluation for the `alloydb_backup` resource in GCP.

Reference: [Terraform Registry – alloydb_backup](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/alloydb_backup)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `cluster_name` | The full resource name of the backup source cluster (e.g., projects/{project}/locations/{location}/clusters/{clusterId}). | true | false | None | None | None |
| `backup_id` | The ID of the alloydb backup. | true | false | None | None | None |
| `location` | The location where the alloydb backup should reside. | true | false | None | None | None |
| `display_name` | User-settable and human-readable display name for the Backup. | false | false | None | None | None |
| `labels` | User-defined labels for the alloydb backup. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None |
| `type` | The backup type, which suggests the trigger for the backup. Possible values are: `TYPE_UNSPECIFIED`, `ON_DEMAND`, `AUTOMATED`, `CONTINUOUS`. | false | false | None | None | None |
| `description` | User-provided description of the backup. | false | false | None | None | None |
| `encryption_config` | EncryptionConfig describes the encryption config of a cluster or a backup that is encrypted with a CMEK (customer-managed encryption key). Structure is [documented below](#nested_encryption_config). | false | false | None | None | None |
| `annotations` | Annotations to allow client tools to store small amount of arbitrary data. This is distinct from labels. https://google.aip.dev/128 An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | true | None | None | None |
| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |

### encryption_config Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `kms_key_name` | The fully-qualified resource name of the KMS key. Each Cloud KMS key is regionalized and has the following format: projects/[PROJECT]/locations/[REGION]/keyRings/[RING]/cryptoKeys/[KEY_NAME]. | false | false | None | None | None |
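Review bot: the `Security Impact` column in this hunk is inconsistent: the `encryption_config` row and its nested `kms_key_name` row are marked `false` although they decide whether the backup is encrypted with a customer-managed KMS key, while `annotations` (free-form client metadata) is marked `true` with `Rationale`, `Compliant` and `Non-Compliant` all `None`. Suggest swapping these: set `Security Impact` to `true` for `encryption_config`/`kms_key_name` with a rationale such as "backups should be encrypted with a CMEK so that key access, rotation and revocation stay under the organisation's control", a compliant example along the lines of `encryption_config { kms_key_name = "projects/[PROJECT]/locations/[REGION]/keyRings/[RING]/cryptoKeys/[KEY_NAME]" }`, and the omitted block (Google-managed default encryption) as the non-compliant case; and reset `annotations` to `false`, or add the rationale that justifies `true`. Also, the `[documented below](#nested_encryption_config)` link in the `encryption_config` row points at an anchor that does not exist in this file; the heading is `### encryption_config Block`, so the link should target that heading's anchor or be dropped.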
157 changes: 157 additions & 0 deletions docs/gcp/AlloyDB/alloydb_cluster.md

Large diffs are not rendered by default.

123 changes: 123 additions & 0 deletions docs/gcp/AlloyDB/alloydb_instance.md
@@ -0,0 +1,123 @@
## 🛡️ Policy Deployment Engine: `alloydb_instance`

This section provides a concise policy evaluation for the `alloydb_instance` resource in GCP.

Reference: [Terraform Registry – alloydb_instance](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/alloydb_instance)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `instance_type` | The type of the instance. If the instance type is READ_POOL, provide the associated PRIMARY/SECONDARY instance in the `depends_on` meta-data attribute. If the instance type is SECONDARY, point to the cluster_type of the associated secondary cluster instead of mentioning SECONDARY. Example: {instance_type = google_alloydb_cluster.<secondary_cluster_name>.cluster_type} instead of {instance_type = SECONDARY} If the instance type is SECONDARY, the terraform delete instance operation does not delete the secondary instance but abandons it instead. Use deletion_policy = "FORCE" in the associated secondary cluster and delete the cluster forcefully to delete the secondary cluster as well its associated secondary instance. Users can undo the delete secondary instance action by importing the deleted secondary instance by calling terraform import. Possible values are: `PRIMARY`, `READ_POOL`, `SECONDARY`. | true | false | None | None | None |
| `cluster` | Identifies the alloydb cluster. Must be in the format 'projects/{project}/locations/{location}/clusters/{cluster_id}' | true | false | None | None | None |
| `instance_id` | The ID of the alloydb instance. | true | false | None | None | None |
| `labels` | User-defined labels for the alloydb instance. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None |
| `annotations` | Annotations to allow client tools to store small amount of arbitrary data. This is distinct from labels. **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None |
| `display_name` | User-settable and human-readable display name for the Instance. | false | false | None | None | None |
| `gce_zone` | The Compute Engine zone that the instance should serve from, per https://cloud.google.com/compute/docs/regions-zones This can ONLY be specified for ZONAL instances. If present for a REGIONAL instance, an error will be thrown. If this is absent for a ZONAL instance, instance is created in a random zone with available capacity. | false | false | None | None | None |
| `database_flags` | Database flags. Set at instance level. * They are copied from primary instance on read instance creation. * Read instances can set new or override existing flags that are relevant for reads, e.g. for enabling columnar cache on a read instance. Flags set on read instance may or may not be present on primary. | false | false | None | None | None |
| `availability_type` | 'Availability type of an Instance. Defaults to REGIONAL for both primary and read instances. Note that primary and read instances can have different availability types. Primary instances can be either ZONAL or REGIONAL. Read Pool instances can also be either ZONAL or REGIONAL. Read pools of size 1 can only have zonal availability. Read pools with a node count of 2 or more can have regional availability (nodes are present in 2 or more zones in a region). Possible values are: `AVAILABILITY_TYPE_UNSPECIFIED`, `ZONAL`, `REGIONAL`.' Possible values are: `AVAILABILITY_TYPE_UNSPECIFIED`, `ZONAL`, `REGIONAL`. | false | false | None | None | None |
| `activation_policy` | 'Specifies whether an instance needs to spin up. Once the instance is active, the activation policy can be updated to the `NEVER` to stop the instance. Likewise, the activation policy can be updated to `ALWAYS` to start the instance. There are restrictions around when an instance can/cannot be activated (for example, a read pool instance should be stopped before stopping primary etc.). Please refer to the API documentation for more details. Possible values are: `ACTIVATION_POLICY_UNSPECIFIED`, `ALWAYS`, `NEVER`.' Possible values are: `ACTIVATION_POLICY_UNSPECIFIED`, `ALWAYS`, `NEVER`. | false | false | None | None | None |
| `query_insights_config` | Configuration for query insights. Structure is [documented below](#nested_query_insights_config). | false | false | None | None | None |
| `observability_config` | , [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Configuration for enhanced query insights. Structure is [documented below](#nested_observability_config). | false | false | None | None | None |
| `read_pool_config` | Read pool specific config. If the instance type is READ_POOL, this configuration must be provided. Structure is [documented below](#nested_read_pool_config). | false | false | None | None | None |
| `machine_config` | Configurations for the machines that host the underlying database engine. Structure is [documented below](#nested_machine_config). | false | false | None | None | None |
| `client_connection_config` | Client connection specific configurations. Structure is [documented below](#nested_client_connection_config). | false | false | None | None | None |
| `psc_instance_config` | Configuration for Private Service Connect (PSC) for the instance. Structure is [documented below](#nested_psc_instance_config). | false | false | None | None | None |
| `network_config` | Instance level network configuration. Structure is [documented below](#nested_network_config). | false | false | None | None | None |
| `ssl_config` | | false | false | None | None | None |
| `psc_interface_configs` | | false | false | None | None | None |
| `psc_auto_connections` | | false | false | None | None | None |
| `authorized_external_networks` | | false | false | None | None | None |

### query_insights_config Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `query_string_length` | Query string length. The default value is 1024. Any integer between 256 and 4500 is considered valid. | false | false | None | None | None |
| `record_application_tags` | Record application tags for an instance. This flag is turned "on" by default. | false | false | None | None | None |
| `record_client_address` | Record client address for an instance. Client address is PII information. This flag is turned "on" by default. | false | false | None | None | None |
| `query_plans_per_minute` | Number of query execution plans captured by Insights per minute for all queries combined. The default value is 5. Any integer between 0 and 20 is considered valid. | false | false | None | None | None |

### observability_config Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `enabled` | Observability feature status for an instance. | false | false | None | None | None |
| `preserve_comments` | Preserve comments in the query string. | false | false | None | None | None |
| `track_wait_events` | Record wait events during query execution for an instance. | false | false | None | None | None |
| `track_wait_event_types` | Record wait event types during query execution for an instance. | false | false | None | None | None |
| `max_query_string_length` | Query string length. The default value is 10240. Any integer between 1024 and 100000 is considered valid. | false | false | None | None | None |
| `record_application_tags` | Record application tags for an instance. This flag is turned "on" by default. | false | false | None | None | None |
| `query_plans_per_minute` | Number of query execution plans captured by Insights per minute for all queries combined. The default value is 5. Any integer between 0 and 200 is considered valid. | false | false | None | None | None |
| `track_active_queries` | Track actively running queries. If not set, default value is "off". | false | false | None | None | None |
| `assistive_experiences_enabled` | Whether assistive experiences are enabled for this AlloyDB instance. | false | false | None | None | None |

### read_pool_config Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `node_count` | Read capacity, i.e. number of nodes in a read pool instance. | false | false | None | None | None |

### machine_config Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `cpu_count` | The number of CPU's in the VM instance. | false | false | None | None | None |
| `machine_type` | Machine type of the VM instance. E.g. "n2-highmem-4", "n2-highmem-8", "c4a-highmem-4-lssd". `cpu_count` must match the number of vCPUs in the machine type. | false | false | None | None | None |

### client_connection_config Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `require_connectors` | Configuration to enforce connectors only (ex: AuthProxy) connections to the database. | false | false | None | None | None |
| `ssl_config` | SSL config option for this instance. Structure is [documented below](#nested_client_connection_config_ssl_config). | false | false | None | None | None |

### psc_instance_config Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `service_attachment_link` | (Output) The service attachment created when Private Service Connect (PSC) is enabled for the instance. The name of the resource will be in the format of `projects/<alloydb-tenant-project-number>/regions/<region-name>/serviceAttachments/<service-attachment-name>` | false | false | None | None | None |
| `allowed_consumer_projects` | List of consumer projects that are allowed to create PSC endpoints to service-attachments to this instance. These should be specified as project numbers only. | false | false | None | None | None |
| `psc_dns_name` | (Output) The DNS name of the instance for PSC connectivity. Name convention: <uid>.<uid>.<region>.alloydb-psc.goog | false | false | None | None | None |
| `psc_interface_configs` | Configurations for setting up PSC interfaces attached to the instance which are used for outbound connectivity. Currently, AlloyDB supports only 0 or 1 PSC interface. Structure is [documented below](#nested_psc_instance_config_psc_interface_configs). | false | false | None | None | None |
| `psc_auto_connections` | Configurations for setting up PSC service automation. Structure is [documented below](#nested_psc_instance_config_psc_auto_connections). | false | false | None | None | None |

### network_config Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `authorized_external_networks` | A list of external networks authorized to access this instance. This field is only allowed to be set when `enable_public_ip` is set to true. Structure is [documented below](#nested_network_config_authorized_external_networks). | false | false | None | None | None |
| `enable_public_ip` | Enabling public ip for the instance. If a user wishes to disable this, please also clear the list of the authorized external networks set on the same instance. | false | false | None | None | None |
| `enable_outbound_public_ip` | Enabling outbound public ip for the instance. | false | false | None | None | None |
| `allocated_ip_range_override` | Name of the allocated IP range for the private IP AlloyDB instance, for example: "google-managed-services-default". If set, the instance IPs will be created from this allocated range and will override the IP range used by the parent cluster. The range name must comply with RFC 1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])?. | false | false | None | None | None |

### ssl_config Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `ssl_mode` | SSL mode. Specifies client-server SSL/TLS connection behavior. Possible values are: `ENCRYPTED_ONLY`, `ALLOW_UNENCRYPTED_AND_ENCRYPTED`. | false | false | None | None | None |

### psc_interface_configs Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `network_attachment_resource` | The network attachment resource created in the consumer project to which the PSC interface will be linked. This is of the format: "projects/${CONSUMER_PROJECT}/regions/${REGION}/networkAttachments/${NETWORK_ATTACHMENT_NAME}". The network attachment must be in the same region as the instance. | false | false | None | None | None |

### psc_auto_connections Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `consumer_project` | The consumer project to which the PSC service automation endpoint will be created. The API expects the consumer project to be the project ID( and not the project number). | false | false | None | None | None |
| `consumer_network` | The consumer network for the PSC service automation, example: "projects/vpc-host-project/global/networks/default". The consumer network might be hosted a different project than the consumer project. The API expects the consumer project specified to be the project ID (and not the project number) | false | false | None | None | None |
| `ip_address` | (Output) The IP address of the PSC service automation endpoint. | false | false | None | None | None |
| `status` | (Output) The status of the PSC service automation connection. | false | false | None | None | None |
| `consumer_network_status` | (Output) The status of the service connection policy. | false | false | None | None | None |

### authorized_external_networks Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `cidr_range` | CIDR range for one authorized network of the instance. | false | false | None | None | None |
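Review bot: every row in this file carries `Security Impact = false`, even where the description itself flags a security-relevant setting, so the evaluation says nothing actionable: `enable_public_ip` (public exposure of the instance), `authorized_external_networks`/`cidr_range` (which address ranges may reach it), `ssl_mode` (`ALLOW_UNENCRYPTED_AND_ENCRYPTED` permits cleartext client connections, `ENCRYPTED_ONLY` does not), `require_connectors` (enforcing connector-only connections such as AuthProxy), `allowed_consumer_projects` (which projects may create PSC endpoints to the instance), and `record_client_address` (the description states the client address is PII and that the flag is on by default). Suggest marking these `true` and filling `Rationale`, `Compliant` and `Non-Compliant`, e.g. for `ssl_mode`: compliant `ssl_mode = "ENCRYPTED_ONLY"`, non-compliant `ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"`; for `network_config`: compliant `enable_public_ip = false`, non-compliant `enable_public_ip = true` combined with a broad `cidr_range`. Smaller cleanups in the same hunk: the four trailing rows `ssl_config`, `psc_interface_configs`, `psc_auto_connections` and `authorized_external_networks` in the top-level table have empty descriptions and duplicate the nested blocks documented further down under `client_connection_config`, `psc_instance_config` and `network_config`, so they should be removed from the top-level table; the `availability_type` and `activation_policy` descriptions repeat their "Possible values are:" sentence and keep stray surrounding quotation marks; the `observability_config` description starts with a dangling ", [Beta](...)"; and all the `[documented below](#nested_...)` links point at anchors that do not exist here (the headings are of the form `### query_insights_config Block`).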
17 changes: 17 additions & 0 deletions docs/gcp/AlloyDB/alloydb_user.md
@@ -0,0 +1,17 @@
## 🛡️ Policy Deployment Engine: `alloydb_user`

This section provides a concise policy evaluation for the `alloydb_user` resource in GCP.

Reference: [Terraform Registry – alloydb_user](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/alloydb_user)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `cluster` | Identifies the alloydb cluster. Must be in the format 'projects/{project}/locations/{location}/clusters/{cluster_id}' | true | false | None | None | None |
| `user_id` | The database role name of the user. | true | false | None | None | None |
| `user_type` | The type of this user. Possible values are: `ALLOYDB_BUILT_IN`, `ALLOYDB_IAM_USER`. | true | false | None | None | None |
| `password` | Password for this database user. **Note**: This property is sensitive and will not be displayed in the plan. | false | false | None | None | None |
| `database_roles` | List of database roles this database user has. | false | false | None | None | None |
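Review bot: `password` is marked `Security Impact = false` although the same row notes the property is sensitive; a password set here is a static credential that, beyond being hidden from the plan output, still ends up in Terraform state, so this row (together with `user_type`, whose `ALLOYDB_BUILT_IN` versus `ALLOYDB_IAM_USER` choice decides whether the user is a password-authenticated built-in user or an IAM-managed one) deserves `true` with a rationale, e.g. compliant `user_type = "ALLOYDB_IAM_USER"` with no `password` in the configuration, non-compliant `user_type = "ALLOYDB_BUILT_IN"` with a literal `password` in the configuration. `database_roles` likewise warrants a least-privilege note (grant only the roles the user needs) rather than `None` in every column. Minor: the `cluster` description is missing its closing period, as it is in `alloydb_instance.md`.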