From 7f1478838fdbed2b2ca9258f7d30901277d4aea1 Mon Sep 17 00:00:00 2001 From: LegendaryMercury Date: Sun, 23 Nov 2025 20:10:55 +1100 Subject: [PATCH 01/20] Added Templates Added Templates --- templates/gcp/c.tf | 6 ++ templates/gcp/config.tf | 11 ++++ templates/gcp/nc.tf | 6 ++ templates/gcp/policy.rego | 121 ++++++++++++++++++++++++++++++++++++++ templates/gcp/vars.rego | 8 +++ 5 files changed, 152 insertions(+) create mode 100644 templates/gcp/c.tf create mode 100644 templates/gcp/config.tf create mode 100644 templates/gcp/nc.tf create mode 100644 templates/gcp/policy.rego create mode 100644 templates/gcp/vars.rego
diff --git a/templates/gcp/c.tf b/templates/gcp/c.tf
new file mode 100644
index 000000000..6adf2edcd
--- /dev/null
+++ b/templates/gcp/c.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "c" as the name to indicate that this resource and its attributes are compliant
+
+resource "RESOURCE TYPE" "c" {
+
+}
\ No newline at end of file
diff --git a/templates/gcp/config.tf b/templates/gcp/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/templates/gcp/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/templates/gcp/nc.tf b/templates/gcp/nc.tf
new file mode 100644
index 000000000..76e41151f
--- /dev/null
+++ b/templates/gcp/nc.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant
+
+resource "RESOURCE TYPE" "nc" {
+
+}
\ No newline at end of file
diff --git a/templates/gcp/policy.rego b/templates/gcp/policy.rego
new file mode 100644
index 000000000..86198ff34
--- /dev/null
+++ b/templates/gcp/policy.rego
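Review bot: The `required_providers` block in config.tf names a `source` but no `version`, so a fresh `terraform init` in any directory without a committed `.terraform.lock.hcl` resolves whatever release of hashicorp/google is current, and the plan.json the Rego policies consume can change shape between runs. The fixtures that do carry a lockfile pin 7.12.0, while the acl_config fixture in patch 2 has none, so the two kinds of input directory are already drifting apart. Since this file is copied verbatim into every input directory, pin the same range here once, `version = "~> 7.12"`, inside the `google = { ... }` map. The identical config.tf hunks in patches 2 and 3 inherit the same gap.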
@@ -0,0 +1,121 @@
+package terraform.gcp.security... # Edit here
+import data.terraform.gcp.helpers
+import data.terraform.gcp.security...vars
+
+# STEP 1: STUDY YOUR RESOURCE AND ITS ATTRIBUTES, THEN FILL IN THE VARS FILE
+
+# STEP 2: CREATE SCENARIOS (can be simple (one condition) or complex (multiple linked conditions) )
+conditions := [
+ [
+ {"situation_description" : "A self documenting message about the conditions within",
+ "remedies":[ "Something that fixes the issues in this situation","You can have multiple items in the array"]},
+ {
+ "condition": "A message about what the condition does",
+ "attribute_path" : [], # An array of strings and indicies eg. ["rsa",0,"key"]
+ "values" : [], # Values to compare against
+ "policy_type" : "" # Policy type eg. 'whitelist', 'blacklist', 'range', 'pattern whitelist', 'pattern blacklist'
+ }
+ ]
+]
+ """
+ Examples
+ Remove this in actual policies
+
+ Whitelist like previous policies
+ [
+ {"situation_description" : "Resource is not using Linux",
+ "remedies":[ "Change the OS to linux"]},
+ {
+ "condition": "Test if an OS is not Linux",
+ "attribute_path" : ["parent"],
+ "values" : ["Linux"],
+ "policy_type" : "whitelist"
+ }
+ ]
+
+ Blacklist - Disallow the use of specific values
+
+ [
+ {"situation_description" : "Resource is using Linux",
+ "remedies":[ "Change the OS from linux"]},
+ {
+ "condition": "Test if an OS is Linux",
+ "attribute_path" : ["parent"],
+ "values" : ["Linux"],
+ "policy_type" : "blacklist"
+ }
+ ]
+
+ Range - Use with numeric data to set a minimum, maximum or range
+
+ Minimum
+ [
+ {"situation_description" : "Check if key is over 1000 bits",
+ "remedies":[ "Enforce a key over 1000 bits"]},
+ {
+ "condition": "Test if key size is over 1000 bits",
+ "attribute_path" : ["rsa",0,"key"],
+ "values" : [1000,null],
+ "policy_type" : "range"
+ }
+ ]
+
+ Maximum
+ [
+ {"situation_description" : "Check if key is under 1000 bits",
+ "remedies":[ "Enforce a key under 1000 bits"]},
+ {
+ "condition": "Test if key size is under 1000 bits",
+ "attribute_path" : ["rsa",0,"key"],
+ "values" : [null,1000],
+ "policy_type" : "range"
+ }
+ ]
+
+ Range
+ [
+ {"situation_description" : "Check if key is between 1000 and 2000 bits",
+ "remedies":[ "Ensure key is 1000 to 2000 bits"]},
+ {
+ "condition": "Test if key size is within 1000 to 2000 bits",
+ "attribute_path" : ["rsa",0,"key"],
+ "values" : [1000,2000],
+ "policy_type" : "range"
+ }
+ ]
+
+ Patterns
+
+ Whitelist
+ [
+ {"situation_description" : "Check description fits a defined pattern",
+ "remedies":[ "Fix description to fit pattern"]},
+ {
+ "condition": "Wrong description pattern",
+ "attribute_path" : ["description"],
+ "values" : ["project/*/gcp/*", [["a","c","d"],["b","d"]]], # Value to be compared
+ "policy_type" : "pattern whitelist" # First value must be one of a,c,d. Second value must be one of b,d.
+ }
+ ]
+
+ Blacklist
+ [
+ {"situation_description" : "Check description fits a defined pattern",
+ "remedies":[ "Fix description to fit pattern"]},
+ {
+ "condition": "Wrong description pattern",
+ "attribute_path" : ["description"],
+ "values" : ["project/*", [["root"]], # Value to be compared
+ "policy_type" : "pattern blacklist" # Can be any value but root
+ }
+ ]
+ """
+
+# Displays a general message about policy compliance
+# Use 'opa eval ... "data.terraform.gcp.security....message"
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+# Displays a detailed summary of each resources compliance to every condition and situation
+# Useful for debugging
+# Use 'opa eval ... "data.terraform.gcp.security....details"
+details := helpers.get_multi_summary(conditions, vars.variables).details
\ No newline at end of file
diff --git a/templates/gcp/vars.rego b/templates/gcp/vars.rego
new file mode 100644
index 000000000..e52c6c328
--- /dev/null
+++ b/templates/gcp/vars.rego
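Review bot: The examples block between the two `"""` markers is not valid Rego: the language has only `"..."` and backtick raw strings, and a bare value is not allowed at module top level, so this template fails to parse even after the `...` placeholders in the package and import lines are filled in, which defeats its purpose as a starting point. Turn the whole block into `#` comments (or move it to a README next to the template) so `opa check` passes on a freshly copied file. The pattern-blacklist example also drops a bracket, `"values" : ["project/*", [["root"]],` should read `"values" : ["project/*", [["root"]]],` to match the whitelist example above it. The `# Edit here` marker on the package line would be clearer if it also named what must change, e.g. `# Edit here: replace ... with the policy's own path, and keep the import below in sync`.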
@@ -0,0 +1,8 @@
+package terraform.gcp.security...vars
+
+
+variables := {
+ "friendly_resource_name": "", # eg., "GCS Bucket",
+ "resource_type": "", # eg., "google_storage_bucket"
+ "resource_value_name" : "" # eg., "name"
+}
From ee3b99f9da9aff24c7dfb1df0460d9de140fa1ae Mon Sep 17 00:00:00 2001
From: LegendaryMercury Date: Sun, 30 Nov 2025 21:48:30 +1100 Subject: [PATCH 02/20] First Policy First one down --- .../acl_config/acl_config_idp_type/c.tf | 13 +++++ .../acl_config/acl_config_idp_type/config.tf | 11 +++++ .../acl_config/acl_config_idp_type/nc.tf | 13 +++++ .../.terraform.lock.hcl | 21 ++++++++ .../engine_assistant_location/c.tf | 46 ++++++++++++++++++ .../engine_assistant_location/config.tf | 11 +++++ .../engine_assistant_location/nc.tf | 46 ++++++++++++++++++ .../engine_assistant_location/plan.json | Bin 0 -> 64710 bytes .../gcp/discovery_engine/acl_config/vars.rego | 9 ++++ .../chat_engine_location/policy.rego | 2 +- .../engine_assistant_location/policy.rego | 25 ++++++++++ .../engine_assistant/vars.rego | 9 ++++ 12 files changed, 205 insertions(+), 1 deletion(-) create mode 100644 inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/c.tf create mode 100644 inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/config.tf create mode 100644 inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/nc.tf create mode 100644 inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/c.tf create mode 100644 inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/config.tf create mode 100644 inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/nc.tf create mode 100644 inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/plan.json create mode 100644 policies/gcp/discovery_engine/acl_config/vars.rego create mode 100644 policies/gcp/discovery_engine/engine_assistant/engine_assistant_location/policy.rego create mode 100644 policies/gcp/discovery_engine/engine_assistant/vars.rego diff --git a/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/c.tf b/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/c.tf new file mode 100644 index 000000000..3a669d294 
--- /dev/null
+++ b/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/c.tf
@@ -0,0 +1,13 @@
+# Describe your resource type here
+# Keep "c" as the name to indicate that this resource and its attributes are compliant
+
+resource "google_discovery_engine_acl_config" "c" {
+ location = "eu"
+ id = "1"
+ idp_config {
+ idp_type = "THIRD_PARTY"
+ external_idp_config {
+ workforce_pool_name = "locations/global/workforcePools/cloud-console-pool-manual"
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/config.tf b/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/nc.tf b/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/nc.tf
new file mode 100644
index 000000000..4a035caf7
--- /dev/null
+++ b/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/nc.tf
@@ -0,0 +1,13 @@
+# Describe your resource type here
+# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant
+
+resource "google_discovery_engine_acl_config" "nc" {
+ location = "eu"
+ id = "1"
+ idp_config {
+ idp_type = "THIRD_PARTY"
+ external_idp_config {
+ workforce_pool_name = "locations/global/workforcePools/cloud-console-pool-manual"
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/.terraform.lock.hcl b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
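Review bot: The nc.tf fixture is byte-identical to c.tf apart from the resource name, so both plan to `idp_type = "THIRD_PARTY"` with the same workforce pool, and the non-compliant case this `acl_config_idp_type` policy exists to catch never appears in its input. The attribute the policy evaluates has to differ between the two resources for the "nc" path to be exercised; given the directory name that is presumably `idp_type`, so give the nc resource the value the policy is meant to reject (and a different workforce pool name if the check reaches into `external_idp_config`). The diffstat for this patch lists no plan.json or .terraform.lock.hcl under acl_config_idp_type, so it looks as if no generated input exists yet for this fixture pair either.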
+++ b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/c.tf b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/c.tf new file mode 100644 index 000000000..d64a76609 --- /dev/null +++ b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/c.tf 
@@ -0,0 +1,46 @@
+# Describe your resource type here
+
+resource "google_discovery_engine_data_store" "c" {
+project = "735927692082"
+ location = "eu"
+ data_store_id = "example-data-store-id"
+ display_name = "tf-test-structured-datastore"
+ industry_vertical = "GENERIC"
+ content_config = "NO_CONTENT"
+ solution_types = ["SOLUTION_TYPE_SEARCH"]
+ create_advanced_site_search = false
+}
+
+resource "google_discovery_engine_search_engine" "c" {
+project = "735927692082"
+ location = "eu"
+ collection_id = "default_collection"
+ engine_id = "example-engine-id"
+ display_name = "Example Display Name"
+ data_store_ids = [google_discovery_engine_data_store.c.data_store_id]
+ search_engine_config {
+ }
+}
+resource "google_discovery_engine_assistant" "c" {
+ project = "735927692082"
+ location = "eu"
+ collection_id = "default_collection"
+ engine_id = google_discovery_engine_search_engine.c.engine_id
+ assistant_id = "c"
+ display_name = "updated-tf-test-Assistant"
+ description = "Assistant Description"
+ generation_config {
+ system_instruction {
+ additional_system_instruction = "foobar"
+ }
+ default_language = "en"
+ }
+ customer_policy {
+ banned_phrases {
+ phrase = "foo"
+ match_type = "SIMPLE_STRING_MATCH"
+ ignore_diacritics = false
+ }
+ }
+ web_grounding_type = "WEB_GROUNDING_TYPE_GOOGLE_SEARCH"
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/config.tf b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
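Review bot: Every resource in this fixture hard-codes `project = "735927692082"`, which reads as a real project number, and the same literal is repeated in nc.tf here and in the c.tf/nc.tf pairs of the engine_control fixtures in patch 3; a plan-only fixture whose output is consumed by OPA does not need an account-specific identifier, and it will also end up inside every committed plan.json. Replace it once with an obviously fake placeholder, `project = "PROJECT_NUMBER"`, in all the fixture files, so the repository carries no value tied to the author's account. The `project = ...` line also sits at column 0 while the attributes around it are indented, and the patch-3 control fixtures close with an indented ` }` and a stray `#synonyms_action` comment, so run `terraform fmt` over the inputs tree before committing.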
diff --git a/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/nc.tf b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/nc.tf
new file mode 100644
index 000000000..5889289d7
--- /dev/null
+++ b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/nc.tf
@@ -0,0 +1,46 @@
+# Describe your resource type here
+
+resource "google_discovery_engine_data_store" "nc" {
+project = "735927692082"
+ location = "eu"
+ data_store_id = "example-data-store-id"
+ display_name = "tf-test-structured-datastore"
+ industry_vertical = "GENERIC"
+ content_config = "NO_CONTENT"
+ solution_types = ["SOLUTION_TYPE_SEARCH"]
+ create_advanced_site_search = false
+}
+
+resource "google_discovery_engine_search_engine" "nc" {
+project = "735927692082"
+ location = "eu"
+ collection_id = "default_collection"
+ engine_id = "example-engine-id"
+ display_name = "Example Display Name"
+ data_store_ids = [google_discovery_engine_data_store.nc.data_store_id]
+ search_engine_config {
+ }
+}
+resource "google_discovery_engine_assistant" "nc" {
+ project = "735927692082"
+ location = "us"
+ collection_id = "default_collection"
+ engine_id = google_discovery_engine_search_engine.nc.engine_id
+ assistant_id = "nc"
+ display_name = "updated-tf-test-Assistant"
+ description = "Assistant Description"
+ generation_config {
+ system_instruction {
+ additional_system_instruction = "foobar"
+ }
+ default_language = "en"
+ }
+ customer_policy {
+ banned_phrases {
+ phrase = "foo"
+ match_type = "SIMPLE_STRING_MATCH"
+ ignore_diacritics = false
+ }
+ }
+ web_grounding_type = "WEB_GROUNDING_TYPE_GOOGLE_SEARCH"
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/plan.json b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/plan.json new file mode 100644 index 0000000000000000000000000000000000000000..34af6c1d09fba985b01f014902b4056037c93cc4 GIT binary patch literal 64710 zcmeHQS#KOS66SM&{SQJvNAeLkj{WA?f?^=H0v`ynf+5Jdtc@;=q;-tIe?7bPu~g>K zWH;IDp3z8zVR3p6Hd!pz@l~<=smk9wOvKcW%s(tErPUx*g_M3qB&AGFz~UM}b#zICZ7c1aZ7ZLN%dcmKMf z^#-+sQn&{Fcj!)70e_|a-}~1MjpmCwxB4reSN<3<{u65qL+El&D+KBvY3j^~;(o7K zL97Q>U`DfEqZWI{-UVy)`I)+>KGBFS=@qaDXjrvG5FtYTV_yxRqLDUhsQ#MYy zleFWETY8hWp*23Fc|bcs@)Y-=)aIKm-MPV#^G|; zwSSJz4W8+9p<``S^u{C{2 znvg9zLowL&!?;3dBW*)#{Y9@gtPyD9Q++j~yBZBGJ8(t)tvw00f?0xNpF(nPXY|DW z%9+-2Gn&ha`bz(oYkwb;gxa<9T^1L3aA9Z_Q z{S@%!WL5iGSo%lW0)pRkNh`;9I@MO!@j%{c)Mpy^N8*G-J&P;i49FmOK5dQrJ89aV z>HQ7Tw43TZ>Dm|HH10d~2kByH;tl$2lm3ccUMH#a=2{o$?AfoGbHcuW?0}30t>DSQ zQXk94-X%&y%H9q;6mo%g@K{nwJlor67o_VXk+!)Knpa|oOiiI! zIp^_d+B7&YaZ$>mrGcI6Hq_=ZoW;$QtD6w~WllwBf6=r!Chj9bscmV8oR36Tyod6C0QN&?|B$ zd47oabN(Uc*&uQyNcM*2yLFx8^1Q&7{*z{SLHGHSXxPp$D2*n@?Eih5kavPSa3|E=I&p5Zx zzLaw-(k#0u-p()6B(7`1yE+GL_2-v|sQJH^YqmE{6pqi6ZEHz14v)&6r1kFzR2=65 z1y{3?ZXn<<3Hg3QQV}PCpV97rp>gmR^!*a*rJVI>n2pMp`TxuAA7g+;B23>dJVGr)oW_3jfKXk7V5QB*o|RvJ%*CYp*I4?Jc2Tt*ao?$G>EuyWC?Rdy z$*wNxDLwVIW#jaFUwqBRn^;KzGHu!#jjmSoSEcXzLt;*BtRJJBrmGZ?H^bZ+@%ipW zR0P1C?ReoLYAw#U0zl3w%OMi3OrkL-0HK#E!c(5~hdsXBH58}bmt&sf5!-UA8i{>p zRq`S|H?bz7?{CF5g0V8UX(yf1i6&HX{!D*!Y-s6!*)28WMd$H=%wO8uplRn_#W0WJ zuwbRaFzWl`85FraxYd%SmlR!=zQ1fgkWVJN6-RlOnMiZm9Bl6}-fNzQt$UYuZ{54V z3HoY8=T{)@wm`z4#`ak^XHSU$rsN?Q4&vR7>zt>y+zbpbZKgLX>liYuqJUzB;M7MO z#dcA^lvOtUiG&PgDZBknk=MNJ8Y;!I@M-N|cS}D1+kMv+2MkfD;(+DPWC`o@5Vi4M z#Q}3 zFIM7W326wJ8DGT#IZLGCfL!ml?p?Dt=8fT}Sh3v}Nchv39_#jo$HD>S?16pKc{y?c zLnH4yX;iZTZ)Y~(JZpggsYA_y>Fea;PV=vi3$Jr=b#eQ1k>*to7bC$F9OhF87ii^t z>fbh$2Qhx#+i}kmP468qroJt5trlOit1m|=&C*HpWybfu=Ua`-m%&n#fTN$1SCK{w zW4rnhB)6t=xz{&u$u&*3N-kB?_Lj*=8ytV0cywD{bm&e0PiH$El*CS+!=KFYQbFJAPA{*MRE7@50 
zl0=NYiA(S=Gy%`Y9*X%j0OxBA#MWy}a_X7S+oWSs82RZBdtd zrQtIPxte1-%RX%+t}Rr(Jexn~&6Csd!m@dJ@#=fa5zUK_Ki}W$ul^wTa;@-T?_PQB zO1MRNd*f9fg zNVA~I_}G=|W7oLsmZsrPWBk#rzc^03cU{v`EKFq1pV7ZVdIAu*mg`3$V#3et#?!Rj zImhXdR{wtSvB>xg@;%fVkz7$+3*F9eT)rxl)khWWW4F~utv;&F53$!ZM#(YCJWDgh z7W66Jt>gV~``5nbSbbDbsQRb}l(T+#T}y9k06lEoAMq;gxr1kd0*^W(ud}!yNOyf?Y%yd3BLhlsNn_@x)nNvB+Ccx)jN4Dq z5bR+q_)HENi?rRVDc_QIER>^Nkt`+pE~AjP6zh15kJ)v{*(@^@^mC4u-Ua>DV%mWyjCBRrVLU1t1k{;(^{afJz%OxVjfn}NN9QyRy# z`(@`q4gxEQ?K`<&tYtac6%S7ziGPv_qxX9*9qUxj#}N7qTTS`3w8)ykik;Fr?a`{) z&sz|_Nt0dDV_!SYxc$4N*Ud}i65C1{%Cr6`{cEm6dPzIu6Vcv%(tYYU8+u;yOZ7_q zrhcX8C-c*j-_Sd+)dpR?QqSmV%Fop=MSIU5w|@;8=Rc<-ef-e&XV>FPvC;gy$F9SA zKlbg|`yY}tckI{0#^BqKvEKdn;YmXB!$&=$HSz6CvHQ7}a9mP9yVf2?p0Ci;xWhe{ zNc8R}c%*ZX9gW;mt2FNe{TCy?q*v|vlu36tN@P519x=2p@^8>0W`a?$cHh#Tmu*Rx zMxl1eMh=bU`w8v@ntdqJ;OW(GO60&e8iw~0v_SXsOwzd&>r}#b?cKhJXP~6dm*qO_ zi`n(OAuGT`C96Aci5jk-m`;U#;-8XL7yrS{H%q_&WA%f2q@JjU>aqG!xA)agbX7K{ z&m?s|l6`SVYm4k9Q~^OPki!By=6AARex~1Vs5fd;y(bIi#Wy?Vo%(|;9N0Hq6&S%^ zIlPr?*CD0=TWw$0kB5%~DKCB&%lP|ABS^h-o-CUZ5lD&twiOtGnOs&$W?V zZ#hMmwtd-DEKA1H#sr2@rhRhTM)&RxD!|k$u_8m>`!Ix};sS=tD=rYmu_`VgJksA* zTp&iHJUc~tski{gU{Z06yNe4ztIi7<5Di|j0mOHA$OjU8H{DCC*uY)H2KX5aCAKen z5fvM#*nrpwv34wMAao98jkHa^AAQrXfzZtIXXWR)457@jV*`w2bk&+p*Nm?T3*4p% z<|g5R?+5|J-!kmd&EQO}*(3QsX}0GWUSd~XXx?a$+5Z<=CMOgVL@v`Rp|yM}a#csj z&UCD5l@MIiL@m)rV@34*2p(sNU6Gu*BpVBnHN^R37WkCsP&WG1YS!u8yP-LDoe=Gp z#KUEytC5JdZcC|JmbzM7#QDgk*rZH~_atRrYMHZ5uO#;HmR9o_t)=8su*Xv)4&^5; zWhc8&^kC02HwW%+*cHQQQ!NYe%^R{Ls%2sCw_!1pYFV_klK)P61)Wq~)leK9ws5s9 zptGmRapy$yrYGy4i8K*3v#?D9$ z-50xQ?VCp)vMYw=q{i+AU%D*fG!|BoUNf)+SqWwN=0!t&OU>?a4D6@k6Kz@JS0S)z zKE`=fxnpWRp?v?YWHQFJV_F3#p_jBb@04SFhUNPI?qUr7X~1E=@$~tGA?>(03jq8w zKO2C#vswYw3J~dx_GX@!h)e0)Vg+Xg5g>Uh*t9R{&1!oF-ttX@`%o! 
zT+u80WL@a~-H1cGS_4N_^G_9oq%i!UJ`IeV41Y#E21blR{fZ`voul&UD0^dGw1{(h zn#I*e6W4;4h;@v^!m*=y(IT{d<4_^g^D=Wr`CiH63tL+FS=HuA!+ic3SrZ}|9;*9v zcJ2}79z39btMvK_#fNdC?x}wLl-~VO{kygE!PTg{c}$f)c1U`eiZbD+@iGo2`5KUP ZJc8J_aSjb9@i;SrziV<(Fk6 Date: Wed, 3 Dec 2025 17:23:28 +1100 Subject: [PATCH 03/20] New Policys New policy's done --- .../.terraform.lock.hcl | 21 +++++++++ .../engine_control_filter_action/c.tf | 41 ++++++++++++++++ .../engine_control_filter_action/config.tf | 11 +++++ .../engine_control_filter_action/nc.tf | 41 ++++++++++++++++ .../engine_control_filter_action/plan.json | Bin 0 -> 31212 bytes .../.terraform.lock.hcl | 21 +++++++++ .../engine_control_location/c.tf | 42 +++++++++++++++++ .../engine_control_location/config.tf | 11 +++++ .../engine_control_location/nc.tf | 44 ++++++++++++++++++ .../engine_control_location/plan.json | Bin 0 -> 31150 bytes .../.terraform.lock.hcl | 21 +++++++++ .../engine_control_redirect_action/c.tf | 42 +++++++++++++++++ .../engine_control_redirect_action/config.tf | 11 +++++ .../engine_control_redirect_action/nc.tf | 42 +++++++++++++++++ .../engine_control_redirect_action/plan.json | Bin 0 -> 58884 bytes .../engine_control_filter_action/policy.rego | 38 +++++++++++++++ .../engine_control_location/policy.rego | 25 ++++++++++ .../policy.rego | 25 ++++++++++ .../discovery_engine/engine_control/vars.rego | 9 ++++ 19 files changed, 445 insertions(+) create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/c.tf create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/config.tf create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/nc.tf create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/plan.json create mode 100644 
inputs/gcp/discovery_engine/engine_control/engine_control_location/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_location/c.tf create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_location/config.tf create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_location/nc.tf create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_location/plan.json create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/c.tf create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/config.tf create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/nc.tf create mode 100644 inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/plan.json create mode 100644 policies/gcp/discovery_engine/engine_control/engine_control_filter_action/policy.rego create mode 100644 policies/gcp/discovery_engine/engine_control/engine_control_location/policy.rego create mode 100644 policies/gcp/discovery_engine/engine_control/engine_control_redirect_action/policy.rego create mode 100644 policies/gcp/discovery_engine/engine_control/vars.rego diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/.terraform.lock.hcl b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/.terraform.lock.hcl new file mode 100644 index 000000000..894abb857 --- /dev/null +++ b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/c.tf b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/c.tf new file mode 100644 index 000000000..03e81186a --- /dev/null +++ b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/c.tf 
@@ -0,0 +1,41 @@
+# Describe your resource type here
+
+resource "google_discovery_engine_data_store" "c" {
+project = "735927692082"
+ location = "global"
+ data_store_id = "c-data-store-id"
+ display_name = "tf-test-datastore"
+ industry_vertical = "GENERIC"
+ content_config = "NO_CONTENT"
+ solution_types = ["SOLUTION_TYPE_SEARCH"]
+ create_advanced_site_search = false
+}
+
+resource "google_discovery_engine_search_engine" "c" {
+project = "735927692082"
+ engine_id = "engine-id"
+ collection_id = "default_collection"
+ location = google_discovery_engine_data_store.c.location
+ display_name = "tf-test-engine"
+ data_store_ids = [google_discovery_engine_data_store.c.data_store_id]
+ industry_vertical = "GENERIC"
+ app_type = "APP_TYPE_INTRANET"
+ search_engine_config {
+ }
+}
+
+resource "google_discovery_engine_control" "c" {
+project = "735927692082"
+ location = google_discovery_engine_search_engine.c.location
+ engine_id = google_discovery_engine_search_engine.c.engine_id
+ control_id = "c"
+ display_name = "c-control"
+ solution_type = "SOLUTION_TYPE_SEARCH"
+ use_cases = ["SEARCH_USE_CASE_SEARCH"]
+
+ #synonyms_action
+ filter_action {
+ filter = "documentType = 'public'"
+ data_store = google_discovery_engine_data_store.c.data_store_id
+ }
+ }
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/config.tf b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/nc.tf b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/nc.tf
new file mode 100644
index 000000000..259ea6f51
--- /dev/null
+++ b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/nc.tf
@@ -0,0 +1,41 @@
+# Describe your resource type here
+
+resource "google_discovery_engine_data_store" "nc" {
+project = "735927692082"
+ location = "global"
+ data_store_id = "nc-data-store-id"
+ display_name = "tf-test-datastore"
+ industry_vertical = "GENERIC"
+ content_config = "NO_CONTENT"
+ solution_types = ["SOLUTION_TYPE_SEARCH"]
+ create_advanced_site_search = false
+}
+
+resource "google_discovery_engine_search_engine" "nc" {
+project = "735927692082"
+ engine_id = "engine-id"
+ collection_id = "default_collection"
+ location = google_discovery_engine_data_store.nc.location
+ display_name = "tf-test-engine"
+ data_store_ids = [google_discovery_engine_data_store.nc.data_store_id]
+ industry_vertical = "GENERIC"
+ app_type = "APP_TYPE_INTRANET"
+ search_engine_config {
+ }
+}
+
+resource "google_discovery_engine_control" "nc" {
+project = "735927692082"
+ location = google_discovery_engine_search_engine.nc.location
+ engine_id = google_discovery_engine_search_engine.nc.engine_id
+ control_id = "nc"
+ display_name = "nc_control"
+ solution_type = "SOLUTION_TYPE_SEARCH"
+ use_cases = ["SEARCH_USE_CASE_SEARCH"]
+
+ #synonyms_action
+ filter_action {
+ filter = "documentType = 'private'"
+ data_store = google_discovery_engine_data_store.nc.data_store_id
+ }
+ }
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/plan.json b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/plan.json new file mode 100644 index 0000000000000000000000000000000000000000..a00286c53b3cbb3375bc883ab17dd0f180f90247 GIT binary patch literal 31212 zcmeHQO>Y}F5aqc*|3lzQF16#dO_LhvAxMJOK#>HAduWY7@ORwEvf+=kL6E=R_C1cr zBzMVO%GzB?E@8-$mb>I|IGlMi98&-O^VzJJLvw1*&57ADmu6%>nge{hFvqw$LFoow z56znS7VqESb!p4bakoB~e&!*ba!;O_F`k;>@4)QamUeLE3g0elJEY|tt)5ysPVl~u z(lN?Og_QE%Q(QeadpFN*+p-L+V>GN4B;jTgM2c$0*suHR59P`ybB6E2ui4s_8rj0hO^r&)nWgO`DBefe zIcN^=WB=Ko3)_oN=tF(H)=++G9+>xN;R64UZNJY!|AT;ILI*ka9<{R9v5{W49QugT z>R9et?vs)cO84;YWNO>Iv(Irf#&&#M`3U!suarFY@(@o`4p>j@exZ{k6Wo7%(~d}i z-;x_!zYXQB$cIQNWh3P5o>{f6yE>%ZP=Xxg{`J-C9#NJK@tJ**(W~=?a=woqU*a{g zo=E?e5ox_=elqvWeT@8-*#%XUg!^d!%k}7t!P7lU ziyJx4Dqi2k^)c>cpF}GE1eF{`Y4fr9&O9YpZq!b*1R&mn%~g(O?-NZnzqdE=Cyf&PjB)6sd;0bnP0AZbb)6l zsBwb#6Yx3RF5BZgrB=Gco$UPtpDESk%@wYRZsBZGUAK)Azts^a5I)E7mCdwva9FsFh_x>IsETss>N435T6Ah6>N@c(1sxF?5iRXtJm|xyKBj~oK~gtN)i)rrQZHj- zC0XuU0bYEC=bu^RxCNZ{66jHF39+f@L88PwTG+b7C!9C25emJOc0Jx~lP=NXs@2!@ z$y{yxrap#H5_$`xYkV&rH+f5+In7O$({ooJRJ}$bWqK21%lj4cv*qIp;O}M&XF2Jreay=>z0?CE_nPc^lLD z2f31(9_M{Xjqg=XD<|#zas2EW!N+FXn$;j8hkfJtSo_j)sE?`B8tDuyxVN zvqy`HPR>O#%dC?_tmem0hr`Kf8e-acId$`yMK@t|^eG~tuYq}7Omx#?+&73uz64Hl zXty3y@lk3OGd0KSPk{CqV{O71^+>q1=P*=TghP>p{5F1OzUBj6rQP`0k{d&wiyqB1lKDDeX_)&4n>n5c04J7C-K2uho z+erR%+^wA6xgaLl_7QA1Z6SoJV7SHj#Bjsi0*7%NlzUour(Mhp4XZKjIPZ(;>m?R9x2 zK4Nq+Tdu6r2JeC%$!L;X3m>a7*GV!qwBC~2qFGZR<}JA`nhjHOTQs94Kexrrvk}%0 zCWyo{2j?&RpLX7LlhvZxT+9e$o+9;xAD{KFFMbA0Rm(|CDa<7zpPg;w6aJVGbJXvr zp3T*V-HglP^SWE_OmZ7tUaIqa`d+69TV6CTtXO=>RQBUhPBxk&Uc65|1(mGZM!IIP z`t9B$wUD1xLLJ5R@^JOBp3_<~l$Ix})weRm^5kH>%b(8Q?wZ%#TK-rhW9=p< zpl|CRYdwYm=C=+uBm$T{V@A;wQFO^Ot6K1B^M{sw1#P+W%-St>7xTr%>A0UqcG?jC z`JQ)m%{k1|i}~=gOP=gc^QlP11*Xk%>(f@xJ|eSnZdz^(VNIRKv?%t}Q8awkU$Lmo zS>*KySqvprJ#v?Ao!Yh8?5&sFZSne>ca<)Co?x-5p=B>Nm1h~W?YEe(O-<(^4Ckk& 
zY4|^Tt9LEWsN{M2`q0l$=yNyJUCQ%px375_o^J0K_ZX)A(ze`Xx6&#(C^28vA9LT| zOzS*d)$#W^e!j_uy+Zc4Al4M^UuyX};W7ea*XO4;dwB_A5oJOy^np+2^-i4=y_&bbtAx?|dj0ktZ}2i^$Am-BqIdW@NQW zPy}}|g?rs8+4bn8{|qBGyvsigPp|o?rh13ud&mh|)l=BI%^DW#Urrt5p1$ckWq+JU z$kXI$4HBUXN1J1LVE(p}!Yp`3Gq~eVP#mR0YSIiO7dLffJV%0g^jtA@C!I-aTzM9} z+GOQ&>#CpdCw2QaF{F_4c!(F@X^&l|e<;;Cr%yJa$32|n7^8yx^*KI!JMN@8Kj$iz zKS8d>aJtU%E_oAchw-JgCVVASbfh$Y9P>|Xkv8KQS~>mM#u$gYU31Qe)Sl9} zYC5%*_mK+OiA!1P?%Z5zLa`@(uc(IBBWA-KEzM|Uo>oj~l#!d=jg= z*tOVPTpP@`#afS9IJLDy*f-jbSmtUDo=KgeD0VMgQ_0O#%hgtHwLqzNPBFerSeZ_ z)L2rOeOmuDjrC4foMJj+$hD?e`!O9Qc91?}(Nbxd>qASC^F>ePYxSb1WVd~{da5n* zL(R~4tRPK8Ok)j!s&=3adD5_d7GIuq&N;77Y%DEv`WJTcTC47`h}EePhL}YV|JB*v zE+dz*_K4Bv5gDF6c2mWAe!NCG>|fK!KrRaNpVgCF=8YYPk%l^Qy-fr=C2d2*uBXey zlhs`Iaacr}*0Mw5(liw@T|W#uE!v*iXSOxc`21t7L+N{w6^$wvjZb7<|1F2+XhHuP zUnHVWogd0Uf02wnwLYa-Mv5cCU)q%4QDKCS@iDF*9ph{#{<59RY#?Uj{aj7eU*Z%g zm^Kq3KARPJ*C}8tjLXEHQzRrabN)2eWp5bDL@sIf)BIax+J+q4G)nNX$~^hlL}B|p z@zH)?^P`Ev99f(Hym`@t-H$8#!~Y9?eu1maeerwl<1TyWxtigwIsP5015IgyBbWHK)O5(p0#wg5AE)>{ zz}XqjlM6Y^YtL|Wp{6(Y?dfw9Tz!D!yh7UBQpdWrW8KCWXHRfuieu8pEAVg#ZjN!B zJdO3aIjED1891MUGW#sN2p{~#UQBQw`(dPVrOxqN^vTH>XQ%kII<=?X>-#twGd(``{213!uGBpC@(6cR57O&YSM?kEyo+xy(b7BhyLzo&;M-gLeWu>1pVTkcJzC=4xz?mB zNNZU^m-IM4X^k#$C3`=|cWN_bbBSYOQ#i|vjoZT+m+Bat@%I=!JiGqpp5MYqeAex; zjX7Ep{iX%uZ2abVuOjJiqa||o=R23rv;wlqc%r!oj>$ZRv zUuk4U-1rVCjem_NAu=UOC%sf&NZq0n&W6wk`LRho-mmsZ7ofPU`D7$!TjMViSqLY7 zj4-}N_Y!AQwv3eH(&Tx@>n8Fvu_CP=V+eWxMsz=GIlchu-Ua3rX@0!M+8-g!V&vsw z>iqG@Qhfw}=jc~4()8orsg6WA-Zm2QM=~CVm^hTkKQ$JS=(x&bG>ZySH8eiH2hbKb zhHR=I_42Xu%#GVavuva-hv;9|=siSVDEoGpwoHz%6NYcETavq>EnQtpoQ9}3-4^FS z{DVzSMKJ4ZlYNZlW=s3S$8jD))_FZ`^SMSheopim@}IAPd2A+hS7X~Z$U(jYKC>vd zoJn!fX%RD3XXj6W@|dHq!WiYex6rc~sxAXA$f=nfcC}AN-aX>>*gfv&+$9>|%9P3V zy2y21(XksxxqT0fA+xOhj3P4NN*_nPoFVtGCD!Gdh(rl)4xDba3g*U)-yiBxY~2dwmA4+nl{c}1tnJ$B z5f>@i94*(;>4W#dkJK$mMTLveSkWYP8K&K#g2mKE`B- z4(1t`)t7bNsLW))P1UK5c)DJf@F}la^fh>T(FiyHWObuD!zIyLXng&=gRz0E>a>;6 
z`MiC7)JQAj)*I4Bab4VBZERPunj;eH!YU1ZU+{as{>A9L>)!{z?^YJy4j$`bhUKmd zW7S2jYT{7-Vsujh(6#RmQ4b-2+gtVO)BkTq4MW}98GUgzt{AGxs-A9H_sRt~8VpD1 zIp&GY%JEqpd5VS}$Mwg>m1VygFXX|Ch_PvXTByw!Drj2E)@5woeni?zuBkNgM$aKX z*5_(wh`BZ`_oX@F?!l*~JjpQl)SUV5 zP4}tss)PRG(>Mep6PR2PvBHAQ|+QJcLN;xlR;Yl-S()wDWJ`(ziNT~&0pSv=XS&eqhtUZS>JkZO!~<}3ZGmz;hwO~P?3ZEAIjvTLfTrcyR%b~esK zpV4KUi;x%GoEYUeVSguW-t6I(X3yTuxQ#tEzQe8b=ox$Dy45m|q1J)+nR zsRWTd5crIe|0FwCG|O2@_a3t%?Cxx5j=5QKf6qPfQAZdR?uu31Q7vz6uw<2o9RyiZ z62b=Y2-zLyF{(1T2Ls18G?s_zZ>=e;b!WwZeX@%>BrS0rhg{fvsXfQtAy_TX{Wk3G zWkQV{3SO7H*-9vY(jKIDxouNq!Vh7l)`c`eHAUP($wOLS$%byiP%Cr zm{9gP_5|*vhSnm zDcA3+c3|ao^M-xeR@6&uK4_=MBwLV@gG!sX?dA1Pskbg6t zwh!;d7$>yrVG5dw?Tjea*ebS&aJVN7f*vmHzFZtQn>Bd{1NU^c@#X2Fb5AEx!+AN23sO zkOOarY(t+bOd{Gfm_g97nJC(;yRcDp@$q>YO2wAK? z(9{Ihkh=%F`|G9nrY-DWR=)?I=q^2S{2e)I)QZnjgxa*(_ZXtGzBgySGUS1X%}2qE zbpH6+%?G#7*c36IyWU_V>>e}yNk?Dh=d?vnZVxl|qYY)m`Xzbmn6}w9f$lJEvuXob z!(|`)MWk^n+b1rKa}l!j{h-sq+P7aB4bMN0UtjiKbj9S72a8W+U4Acv_>{8E6+hLz z#TShz)6Zw~eLYxDt4}SKk>ZH(U77Mu6nSIb1#syCRT}%Kz~RnzrrwsAk=Jt#)x1kn zw4iDIL3}ogl_rw(c_5uV&=1{du#n8nd|bwT$q06*j?)lY>yty#Q|f(On&o+to5Rp} zrARMyUsvNCqLsp9_tI;pf!*^LmfUJ+UX|=pIE>BT_j)baJn(bzaQi8L%iYij~na3JirWj V&$=_#&CxE)+i%@m;^*?4J(^&uj literal 0 HcmV?d00001 diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/.terraform.lock.hcl b/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/.terraform.lock.hcl new file mode 100644 index 000000000..894abb857 --- /dev/null +++ b/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/c.tf b/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/c.tf new file mode 100644 index 000000000..19540b094 --- /dev/null +++ b/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/c.tf 
@@ -0,0 +1,42 @@
+# Describe your resource type here
+# engine_control_redirect
+
+
+resource "google_discovery_engine_data_store" "c" {
+project = "735927692082"
+ location = "global"
+ data_store_id = "c-data-store-id"
+ display_name = "tf-test-datastore"
+ industry_vertical = "GENERIC"
+ content_config = "NO_CONTENT"
+ solution_types = ["SOLUTION_TYPE_SEARCH"]
+ create_advanced_site_search = false
+}
+
+resource "google_discovery_engine_search_engine" "c" {
+project = "735927692082"
+ engine_id = "engine-id"
+ collection_id = "default_collection"
+ location = google_discovery_engine_data_store.c.location
+ display_name = "tf-test-engine"
+ data_store_ids = [google_discovery_engine_data_store.c.data_store_id]
+ industry_vertical = "GENERIC"
+ app_type = "APP_TYPE_INTRANET"
+ search_engine_config {
+ }
+}
+
+resource "google_discovery_engine_control" "c" {
+project = "735927692082"
+ location = google_discovery_engine_search_engine.c.location
+ engine_id = google_discovery_engine_search_engine.c.engine_id
+ control_id = "c"
+ display_name = "c-control"
+ solution_type = "SOLUTION_TYPE_SEARCH"
+ use_cases = ["SEARCH_USE_CASE_SEARCH"]
+
+ #synonyms_action
+ redirect_action {
+ redirect_uri = "https://goodexample.com/special-landing-page"
+ }
+ }
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/config.tf b/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
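Review bot: All three resources in this fixture pin a literal GCP project number, `project = "735927692082"`, which ties the compliance sample to one real project and commits that identifier to the repository; the same literal recurs in nc.tf in the next hunk and in the data_connector c.tf/nc.tf hunks of the later commit, so the fix belongs in every fixture. A fixture needs only a stable placeholder or a `variable "project"` supplied at plan time, e.g. `project = var.project`, so anyone can regenerate plan.json without access to that project. The `project` lines sit at column 0 while every other attribute is indented, and the control resource closes with an indented `+ }`; `terraform fmt` would normalise both. The `#synonyms_action` comment above `redirect_action` appears to be left over from a sibling fixture and should either name the block it annotates or be dropped.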
diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/nc.tf b/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/nc.tf
new file mode 100644
index 000000000..5387349c9
--- /dev/null
+++ b/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/nc.tf
@@ -0,0 +1,42 @@
+# Describe your resource type here
+# engine_control_redirect
+
+resource "google_discovery_engine_data_store" "nc" {
+project = "735927692082"
+ location = "global"
+ data_store_id = "nc-data-store-id"
+ display_name = "tf-test-datastore"
+ industry_vertical = "GENERIC"
+ content_config = "NO_CONTENT"
+ solution_types = ["SOLUTION_TYPE_SEARCH"]
+ create_advanced_site_search = false
+}
+
+resource "google_discovery_engine_search_engine" "nc" {
+project = "735927692082"
+ engine_id = "engine-id"
+ collection_id = "default_collection"
+ location = google_discovery_engine_data_store.nc.location
+ display_name = "tf-test-engine"
+ data_store_ids = [google_discovery_engine_data_store.nc.data_store_id]
+ industry_vertical = "GENERIC"
+ app_type = "APP_TYPE_INTRANET"
+ search_engine_config {
+ }
+}
+
+resource "google_discovery_engine_control" "nc" {
+project = "735927692082"
+ location = google_discovery_engine_search_engine.nc.location
+ engine_id = google_discovery_engine_search_engine.nc.engine_id
+ control_id = "nc"
+ display_name = "nc_control"
+ solution_type = "SOLUTION_TYPE_SEARCH"
+ use_cases = ["SEARCH_USE_CASE_SEARCH"]
+
+ #synonyms_action
+
+ redirect_action {
+ redirect_uri = "https://badexample.com/special-landing-page"
+ }
+ }
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/plan.json b/inputs/gcp/discovery_engine/engine_control/engine_control_redirect_action/plan.json new file mode 100644 index 0000000000000000000000000000000000000000..15181937063e21c455df0afd983d5ca80a07dad7 GIT binary patch literal 58884 zcmeHQTTdN1687^-`yZly9u6c?CNuMfvS=1*m5E69VHTky0)()E0|GKTQIx;FyY;!K z_|oofyW8F8f`vHlb7^17b+2;u|Ni?`{Z;)%J$d-6)CYB~Zq=1KR`+VI{!nN1?oM6M zrwdi7U+8z0da7pX8MQxn_ulJY-_pI(OIr_5sgH0!H|mo5SkT{@I@Pl{rcXZ8ySs-u zxU)91zomIz>zQ9sdrJ3Q(p^07@ICgu=>MATxm73DSclFk<@bKu-n;+niq>~Zf46!Z zSyiRZ_59EEtmpLo1_xM@sVbLy$aLVjz^vTKKbt}!m&6i z^Y8TESL!{j`dUL~PJNybWNiL%sE!inCL>fDewUg$Os{k59eB#T3H$YdMg`@AgMoVd zJ5u58j=!MMF21ixXm{wU3>CZUNylC@Tjn3kO~E^S96nK78a`(1{*ZC`lD#ALH(L*T z#vvb75`@_j|T1+oA<9sDRa{ekNNtI%Q{;r^efuUb#2{~EIO;`{19QV;hu z<2$0=?e9Dh6#OSa`-;AS^oCT!ini%@kSizD131+d{XxHQ>DJB;rwfJo;^{j@avmiN;DvdYa*69b8V(q|oNW*KPo?`6?B;s1O;f%%MT04F4SH`Wh zCI}r7dSS@kLGQlLB$bDl(QLcMU4{Kkv3QEb(`@m;sx0;nXbQUcxVlxbcZ$6u+?z43 z*gG~n>eu7bWU+UeB0Hxf8Sd$SPJHp6d^GT-%{Id339T$u3#-U0R-!yl)H0(y&|Kgv zgI3LPTK1#ChX&8zG2twtRHAW%+nzso8FNHSpk+&hXQ3kl(tAbz*xzW}SK2fCj(m)- z$vc~hW5N$%v4HwOk62smy4jy&C$io!ar{;S|^$4U(vdL^on% zLPKIx?RHFzr&l;ztjAY=Keqi4%UN?%{c?Cs999|ZeT-gzk!r3M+{a6}dcObA+EV36 zT@UUDn-T#S5&>8i-$GslbR*G__`R)XKQ>Jm*l+aEq6-hPvx+V(dQW#Nc~|4-cNJaO z>;`g;+j5wSE^J^GcZC@0GVJc63$w2U61>SH?E2K~81syzUb^PEYI*<7>q}o-@eV_u zU9NZdMtf}hyxCpKk$pp+9Fr}(uf4Melmq&jd}_n|wDnwn*Hh~Ik3esEPX}C)KMz`Y zeji0W9>i;NeNbKc?-0*Zsz2D~QK>X6@~YC-jXCi&-pK;?@FPRrWGxT%zZM-@_OZL2 zQiryqQ#O`{sWwHA^w-%htI+R-J+CIB29EHcCfKzFyb%+0qMy1nMbYOuM5T;n`) zu^I##O>IRM_9mRHZkDHE%_ByGXo6Xq#?aJDu^O5n6Z*VZ4L(%(tX8oae7H2dkF!?W ze-%FQ?%w0u9o2)+%G53bM?%#ZKlG_jfmwaf88YIz zid&6YRqk3w%v1fC!}t~lkDIGzg!Cr#?9RU%?*+cncAwoHUaM%_NWvJkiN?{Kh3AZw zt0Mj9twF>x4iPBCXEv|)5Onor)f~duW1PM1%Fjvj0ayB522SAMBnGT8SIW2%iCndX zd|gX8mfzZvW==C*(3u5PZ~70trpQt0H-B9T;n|=eM04!eQF@->IQ-7|-5^;|@iP@i z+{}-@y^K+0oBz=D2Z+pQqO5jY20e^Xi#R66xc)YN+$vY=d<`^#V&x0fp!Q6$@(nc1 
zm1vA%D?bMFO<#P~ZRev`iKoc8skwv2(idnm-zk>9U1j*amUqjlFzRBqBL;JGmpAWSe!rZk{R{D3olfNa#k_LX<>>Y!OPtVhBPAip2nBVn{JNsu%-1>&YqvKO^FnKOtUwF8> zSKnTmGiz+xDi$tin4^Ky)%BfPs*Z;XZQOAcPb~VFF!a?D%xC=9-`I8iT*ZnnNA6zII2k=4_hx z&&TzJ>UbJ_Z2s^%B@~KaWzM%rj{r7XhQW3RHmyk@HnUO|`U>ifO$zF4U1Um5C{I5(b2I{p(b9;b!c z9cApJDNgwei}BB)=BqwiY*f)g?Y7vc@Kd?6uh^)-kYc0S883ZKsude`m_6=NWr~ea zY}8xQ+W@~Dm7j`@YD-MH4qKt^-@5ns9G11<1=VxCpsL1rP8a-9_F4I`Eh{qI&fvtJ zNl#3L;d^Di6^(dJf9F)o9yM&^pB7!W{@kA8Xc6&<&-zJqbDH-tMU7+@TvZOwN4q0v z+)^FK8MSy)6X3(ObFb(#z-e1o{kfyp3mtp9CHrODTUkEO0%iu7;k+9^YZ5Dvd3V8^ zpTcG;S{vU?+YDvD+IyE@Nt?^d!B~Y|Ks+%f?k+Qsc4%g`^ds%mHLzt|Y3tbE?fH;< zrR}2MIh|iSBfMv-^eHutzRXyt3xnJMR2RK_;4XrDX;@|Ybn(KDRemK+QurF^7Zuw< zFF1d3sq0_LssOhq^dzga^_V%d+r26C*wVZM^JF|9HZNCiG5&v^5%vMkSV0SafM4^~ z=B0D;qk{_q+WnrPJJX~1&zk%}?@`{7xC;7^{R}@-WjRo*&t)}X7Rok`$NZP-xq6{~ zR?pN+^`mZg)KBzo82$sZfwyRfR<({_%SWPKyCxQ6H?my*)Y`?3mei17$WYlPs=Cqh zyU=`Ti@pV?!o2Z>i7oo}m|CvxkE)z~DsviM)tuEQnpZ5>e5>M5%l7B3P4#hO_v27= znDqM9fOCvCB#=#AAv`~*6nRECaIB>gII&1Y-iw{68N`m9CSk|Y+aPJWqB;UoX*XYU z>j#y3o+WETY{fke-HjnPMB3-l-Y^r%VAwSM4Qrc9gOeRS8l;og^(OW!K)Ow-`7-3{ zv&pZ;<$+t#oXMN_-lT3jfvYqk-ZTxezK`l;_X?xW*w ziZ%ytQn(IVtj$)b*JNAH)hl{^t=_3U{W{DS;6_AaPwu7J#CCpeEIs@DpzV}N+H7LZ zp$wTN{DJUg9Fu?8kDSEsbWAO|A=-UxZGiY0|ElqEPaUXz!q8z@S=S4VmddtVyXP7) zvuk?70zBHoX0nQUU$d{uL=ED+RpJGT_gJy@k)rLS($Zt`0EHxMTxN2eH*%~~;+*gc z!B@)uQJii_i{K28;Dy$fJ_}!aU`sA_Ek%DYcv18R_>>_#`1!v5;-bLAu9K{(Tu*4a z>qKk3JT4jpp4sVV>%_@LMD&XW5tAiQGzd`ca$-o$*_fN*gJ@pga9!dtdLqK7hvFs5 zu6jd%bMid=PVF9D?Q0Ljf!d{Zk3Jt}Yr(Q>drE!$Oyg>246&a>8m@bylV_VdrV<(# z)IK90eA8KJPz&T1d$t zH(E8!Urm2f-^v5U4|J-d=E&QX_-HDZZPs!&#T(ST!r^)xZ1MD7*4-ymG&#;(m6JF_ z-2QSAMSz;mjW63wuJ~-Elms6k1gZ)LL6W?`L zn=`W4rgBbF*^f9Y$j_lcrUvY3WUO9LBpEf{?2|yD@!P$CJOX03I7fe`tfna0=NJNaUcD_2Cxd;zSA@Y>9g0W$BnFW3pv(MOlTS zF+5W{bPDtZWg$GJc8lIUr|8QLeew%kJ*U?f^v%C&o)J(sD#%?@ZsIX%HKsNK^qkM6 jlepP690A72_$4$To Date: Sun, 7 Dec 2025 21:10:30 +1100 Subject: [PATCH 04/20] New Files Setup Setup new files --- .../data_connector/data_connector_data_source/c.tf | 6 
++++++ .../data_connector_data_source/config.tf | 11 +++++++++++ .../data_connector/data_connector_data_source/nc.tf | 6 ++++++ .../data_connector/data_connector_json_prams/c.tf | 6 ++++++ .../data_connector_json_prams/config.tf | 11 +++++++++++ .../data_connector/data_connector_json_prams/nc.tf | 6 ++++++ .../data_connector/data_connector_location/c.tf | 6 ++++++ .../data_connector/data_connector_location/config.tf | 11 +++++++++++ .../data_connector/data_connector_location/nc.tf | 6 ++++++ .../data_connector/data_connector_prams/c.tf | 6 ++++++ .../data_connector/data_connector_prams/config.tf | 11 +++++++++++ .../data_connector/data_connector_prams/nc.tf | 6 ++++++ 12 files changed, 92 insertions(+) create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_data_source/c.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_data_source/config.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_data_source/nc.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/c.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/config.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/nc.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_location/c.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_location/config.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_location/nc.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_prams/c.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_prams/config.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_prams/nc.tf 
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/c.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/c.tf
new file mode 100644
index 000000000..6adf2edcd
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/c.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "c" as the name to indicate that this resource and its attributes are compliant
+
+resource "RESOURCE TYPE" "c" {
+
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/config.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/nc.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/nc.tf
new file mode 100644
index 000000000..76e41151f
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/nc.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant
+
+resource "RESOURCE TYPE" "nc" {
+
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/c.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/c.tf
new file mode 100644
index 000000000..6adf2edcd
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/c.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "c" as the name to indicate that this resource and its attributes are compliant
+
+resource "RESOURCE TYPE" "c" {
+
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/config.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/nc.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/nc.tf
new file mode 100644
index 000000000..76e41151f
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/nc.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant
+
+resource "RESOURCE TYPE" "nc" {
+
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_location/c.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_location/c.tf
new file mode 100644
index 000000000..6adf2edcd
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_location/c.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "c" as the name to indicate that this resource and its attributes are compliant
+
+resource "RESOURCE TYPE" "c" {
+
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_location/config.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_location/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_location/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_location/nc.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_location/nc.tf
new file mode 100644
index 000000000..76e41151f
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_location/nc.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant
+
+resource "RESOURCE TYPE" "nc" {
+
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_prams/c.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_prams/c.tf
new file mode 100644
index 000000000..6adf2edcd
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_prams/c.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "c" as the name to indicate that this resource and its attributes are compliant
+
+resource "RESOURCE TYPE" "c" {
+
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_prams/config.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_prams/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_prams/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_prams/nc.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_prams/nc.tf
new file mode 100644
index 000000000..76e41151f
--- /dev/null
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_prams/nc.tf
@@ -0,0 +1,6 @@
+# Describe your resource type here
+# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant
+
+resource "RESOURCE TYPE" "nc" {
+
+}
\ No newline at end of file
From 5981ee52c9e71dfe5dac171cad49439dd125991f Mon Sep 17 00:00:00 2001
From: LegendaryMercury Date: Mon, 8 Dec 2025 18:13:35 +1100 Subject: [PATCH 05/20] 3 ready, 1 testing Fix the last one --- .../.terraform.lock.hcl | 21 ++++++++++ .../data_connector_data_source/c.tf | 18 +++++++-- .../data_connector_data_source/nc.tf | 15 +++++-- .../data_connector_data_source/plan.json | Bin 0 -> 20458 bytes .../.terraform.lock.hcl | 21 ++++++++++ .../data_connector_json_params/c.tf | 14 +++++++ .../config.tf | 0 .../data_connector_json_params/nc.tf | 14 +++++++ .../data_connector_json_params/plan.json | Bin 0 -> 20606 bytes .../data_connector_json_prams/c.tf | 6 --- .../data_connector_json_prams/nc.tf | 6 --- .../.terraform.lock.hcl | 21 ++++++++++ .../data_connector_location/c.tf | 15 +++++-- .../data_connector_location/nc.tf | 15 +++++-- .../data_connector_location/plan.json | Bin 0 -> 10256 bytes .../data_connector_params/.terraform.lock.hcl | 21 ++++++++++ .../data_connector/data_connector_params/c.tf | 22 +++++++++++ .../config.tf | 0 .../data_connector_params/nc.tf | 22 +++++++++++ .../data_connector_params/plan.json | Bin 0 -> 26728 bytes .../data_connector/data_connector_prams/c.tf | 6 --- .../data_connector/data_connector_prams/nc.tf | 6 --- .../data_connector_data_source/policy.rego | 24 ++++++++++++ .../data_connector_json_params/policy.rego | 24 ++++++++++++ .../data_connector_location/policy.rego | 24 ++++++++++++ .../data_connector_params/policy.rego | 37 ++++++++++++++++++ .../discovery_engine/data_connector/vars.rego | 9 +++++ 27 files changed, 325 insertions(+), 36 deletions(-) create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_data_source/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_data_source/plan.json create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_json_params/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_json_params/c.tf rename 
inputs/gcp/discovery_engine/data_connector/{data_connector_json_prams => data_connector_json_params}/config.tf (100%) create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_json_params/nc.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_json_params/plan.json delete mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/c.tf delete mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_json_prams/nc.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_location/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_location/plan.json create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_params/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_params/c.tf rename inputs/gcp/discovery_engine/data_connector/{data_connector_prams => data_connector_params}/config.tf (100%) create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_params/nc.tf create mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_params/plan.json delete mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_prams/c.tf delete mode 100644 inputs/gcp/discovery_engine/data_connector/data_connector_prams/nc.tf create mode 100644 policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego create mode 100644 policies/gcp/discovery_engine/data_connector/data_connector_json_params/policy.rego create mode 100644 policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego create mode 100644 policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego create mode 100644 policies/gcp/discovery_engine/data_connector/vars.rego 
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/.terraform.lock.hcl b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/.terraform.lock.hcl new file mode 100644 index 000000000..894abb857 --- /dev/null +++ b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/c.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/c.tf index 6adf2edcd..8021f66be 100644 --- a/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/c.tf +++ b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/c.tf 
@@ -1,6 +1,18 @@
 # Describe your resource type here
-# Keep "c" as the name to indicate that this resource and its attributes are compliant
+# Data connector
+# Data source
-resource "RESOURCE TYPE" "c" {
-
+# Maybe change the data source to one of the valid formats, whatever that might be.
+
+
+resource "google_discovery_engine_data_connector" "c" {
+ project = "735927692082"
+ location = "eu"
+ collection_id = "c"
+ collection_display_name = "tf-c-dataconnector"
+ data_source = "c-datasource"
+ params = {
+ }
+ refresh_interval = "86400s"
+ incremental_refresh_interval = "21600s"
 }
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/nc.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/nc.tf
index 76e41151f..9a5df422d 100644
--- a/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/nc.tf
+++ b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/nc.tf
@@ -1,6 +1,15 @@
 # Describe your resource type here
-# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant
+# Data connector
+# Data source
-resource "RESOURCE TYPE" "nc" {
-
+resource "google_discovery_engine_data_connector" "nc" {
+ project = "735927692082"
+ location = "eu"
+ collection_id = "nc"
+ collection_display_name = "tf-c-dataconnector"
+ data_source = "nc-datasource"
+ params = {
+ }
+ refresh_interval = "86400s"
+ incremental_refresh_interval = "21600s"
 }
\ No newline at end of file
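Review bot: The compliant fixture ships with the author's own open question, `+# Maybe change the data source to one of the valid formats, whatever that might be.`, which tells a reader that `data_source = "c-datasource"` was never confirmed to be a value the connector accepts; the policy added in this same commit whitelists exactly that string, so the c/nc split here is defined by the fixture rather than by any property of the attribute. Either replace the placeholder with a documented valid `data_source` and change the policy's whitelist to match, or keep the placeholder and say so in the header comment, e.g. `# data_source is a placeholder value; the matching policy whitelists it verbatim`. The empty `params = {}` block is presumably accepted by the provider, but a one-line comment on why it is empty would stop the next reader from "fixing" it. The pinned `project = "735927692082"` is the same concern raised on the engine_control c.tf hunk.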
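Review bot: `collection_display_name = "tf-c-dataconnector"` in the non-compliant fixture is copied from c.tf; every other attribute of this resource uses the `nc` label (`collection_id = "nc"`, `data_source = "nc-datasource"`), so it should read `collection_display_name = "tf-nc-dataconnector"`. The policy in this commit only inspects `data_source`, so the outcome is unaffected, but anyone reading plan.json or a rendered finding will attribute it to the wrong resource.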
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/plan.json b/inputs/gcp/discovery_engine/data_connector/data_connector_data_source/plan.json new file mode 100644 index 0000000000000000000000000000000000000000..0b0f0fed60c6d23edbe24c8ef0e538a37d10cf18 GIT binary patch literal 20458 zcmeHPS#KLR5ax4%{s&{98z**?Ce82YQv*X#eaG?v*=`#c`Ri@JkK-|qJw$RT*G&ll zqIR`A9L~i#NdEoTgZbWkXLcSxojEbrW^FFb(%hMa`Q04j>eig&?v?4xM?BY=J+o`} z(f$yqwwPa{J;FOH zyd`)KzvI74_}6%6Z4SM@J_V!H=i_!7di->U@g3o_w*Ba+I&*6AKebpd@c%h5I>bHU z!xzxv7*sjMebRFB zNg?XR=cTv>?J2eDt;m)I9-Q_Q(LSgu!i_tleT_4O*3Bb#ud9I0i^ zm&Xu#XaN>a+N>64E>)eq@hzpp-q9`mKb$EP=S^(~DZaAYBL|)J|6~q|<${*;5VA-8 z5a^U_O5-tjFZTEh*L+U2R%BntxR2TIC-Vj$(zJA3V_4k6S`a^#)Y@9{8CY|kSisIK zFXXrx{3wm;#m21tXoHeN#7l2LAP%IgJ3hKG)_8f~@-v)~> zL?5*VenYYude`C1k;mDyjtBBC-h?%KTar- zNJra#O!M540`YILf^uZ4?d-fh6tOs8N%BOseX$lR_Y3) zh`s;4Iz$If?;?Iy62-5fMzZ3xlbqM3En~ix zIRvd$<>iQo)rswQ{g|ao8;w7zZB{Z~QUzlS7e68?$s%ko4(XoiHw&8y)0(d4V{1hp z^(qwOe*SY*CdPYrURKR0qcioRiw-$ZRx|2WAiBr=YMshMy(mKGhiz3Fo~OdV?D#e- z3xux~wHi?Z{fN1hgxG)686|H08ERo`H7(ER%7q+n-#J;@I$}5bo}(hS-DeL31yQ1u(rpVcbL&(rBv5;l=dw$x_Y8V zJ-w}^{|bjIn6x%L7E_l};U1KgwI}1UF%;dZ?b9~h_WJP!X&%>bMea`^6D#{~n$-+# z`WV#QNMu_z;F{iT-=5{yq=&tQFy}kv zp1Rih&6ZUelCqXniK)`EDvlyGXM=teQW}xYkL+7krDau|l!w3aBHdCMZdsL(>i$)# z1un^AY%@z-f=^BcZ@XC)KNE8hRU$ODIYCzS6nSFqUSgKm?MxodzG$V)-?1qfT!EBQ zO9^-8ro5rD)L;AI?|@BRdCz^>+{?_JYGF=WJj!~zO??jN7_`mHg%Pv18@uhsR_Te` zzGjrHA?fGzeBIWy0HU$67N_Ox6>s{Xf7%KU>s5Ltg05#8wmtgpSUZ*nlC>6N`;;H- zDGV}BvEAIO>hCJk@uuajc1&trBp$~Y{?0p2$CcclgUQt1a(Ow6Wc{#fsG z?FHkR&8JeNV368#o;`j!mARPGb1QXyc;V`qa8A^72ROHsoH>)~&ni}ZAE2!2(Yyez z<@y%90O9`}OIgPcn5t&Y!LE4%s{5(!(3;uQd9HZ^atg$hb@=ak0#p9N@YJrhOMp8VnWglm_yu$fE`}pShEx+LV9Zsv_sV*OJ|E>8I&xcVZJ&PNBR#;o0 mJ9Gu+aMo5LD)!8i>ttUH_tB3%?J62_J{zBPtI|jz8S_7D4CQlY`VXFcuASIz<22vVr)E4F)%RGwjAXaXWb*56&mjyg$-Rg-*=n<+ zv8i3{VnGl90UUDw`TL9c-h5~FoLg2pau#9?SwX?(jJ`XO@dO&OG60^~{6Mb<6z{eBN8mZ_%FN zo(1j_zWeWS?6b%Xw$;j^^Q(Oxy?((-?4xt`(oYjAXm 
zb21K}A&YZJD;gq{>m{7_Bf8OZ5K$E$zs)j060BZ{CPmr8y z`P}?&wVpagFLP&Ycag}cKCiLTTv&><2k~F}Eb%Y2rf}pQ;kov4@BZ4dx^|U1BAa-k z9;s(d*GHea?*V3OYgP|aD%IBCxSmqEUs)}uWzc`#LBIb@_84t{NP#2Azt;1AG$+|Q zL9clVy`yaib!s&=@f_nWzW55qyiP1u^j`aSgqiQ1d5aI_>Cb-3_olY7)cd$t!Bdbw z)zaD)@d;dWj+nv6%+XtVLe&ekaO&bd&eCsD3YP`_ys`9W<_6O3+FGe5F3^`#^g(S~ z$LJh>BY$kVk}2g=W{Xdd0sWA2d2D_(Kbv0=0Ubl5*uFLIdt$0h+N8fX(K`Gd&-CA!rw>g)eTja*s_2;Q6 ze;CdmC>x1lrW_*7t~9R9)#NFMp!ds_-jqYAr;lqJTZx-;h%mo>=^SD#(>UqHB))oQ z!z@H<1n%5Q)PVJ8=80}j)c54^xNTSPjM7Y`K~Da9ctwMeNW~`_)LwQ8k6`7!)hVfW zjq8qjCF)RHt8Xg-L>#4FN{b{iwHI9jrY~b{m$e1Ow9;l{a&=*!yL_(R#r4MR)ix22 zT|zpBcyTk8oa(~%@{?wb^UQ38OtD|B)7C&V8fab}Bx4vmcnJh!_~~tgC5UyMDsW?7 z2C-;RD#%hY3VQiES%uCQ+d?E>28m!5eVYgb=_?vn19@OvQHnT(@tn>u zVe8IVGmEj`!2b}7)fGJHGgvz>(@%=zbv`9l$hA3X`B`k1kxRXA&hTTqe9H8;5{t~% z<0>;oF3ox~L>EiR<*A*ub185Y7qx{tqt>K$P$n-@W-KVw=^LN$ok&_8`hFaq+kZyp zMEF!!e4XSk!~ltn`xPD{s=6j5_t~POi?uxJ*=;TRS2|oRq8Rc}j-4xoCrDP-tPJZ$ zU$z_i)Og?P<{OkbE!)LU`YSB`bu1%rwWVeZ?~N)ER03E>)ROd*I!E-Q(=kG z>2Mr{?sis>ZmO}=!+vYdJFkiL?pmd#Cbm0OTUgJowf=LewuGLH$5XW>l*&|XX(du~ zmgr_DxtVHt#y?eCrfN&8<^H#{3^-SZr)rBYb@wRN1LssXwpl&S;U}fCx7})sTcJ4# z5DLwCE>LZ~ME#gMqF6oV8b_(p^;cySL34M2N@Z6ljoqsn;qUZ~xud<)uT6)PV(W<) z=rLE-b@xEBa$IlssyhPO2W``8WQ=vE-Q7gurrq7DL2jF~ddj_@-#6K|t`QK6&9gmy zCgae*Eb>DfOW(1e>z?|3kKQ}f4%LTbUB=M9=P$PB;={yubG?eYD^2?wSJT=vLv`*U zzV-YN|7~;}&ns6Nm2fh)*Eybx{uM+ee3ezE;yL$sJC|@gwvH#BpW)pFCA{_TBaY`v z_8XUQ;A6iU3&^TR*|W*@7DE;}TuCb7DQ-Pkyp;T1$K-4*E>LfvZK^k6wzK&i7%?2g zJ~_=>?+%`)64tg9-%~o;zV3QzP_1=7KMtp%l~e?FcwwxuPgFnp)lfTu`J2VZjmu+ zHpaKc9N|4O`*<(W5&rWXGQZ;gJG?>b5O0|IfZvYIZ@AvC3Nik8z-NJV3%XWcX!cir gB`f2T`8GY-gTuZ2Lsz$`h`ck7*S0I(C?Vn{cr%o0z|| zL%YEaGkgx5B&OizFp;L{pfqoQgSJy-1;@@}9xSVBgfmd1o4gM2O+LiRR zXA39!#E$Ud3E^oj!#9I{aHs8hxdkqsl?*o01_iWCoxfNTLpPe)5On7C6vK^xs{`Y@ik^|QqjL@5rPcKd)LpFGdhlXTD!_3nTUP-YJaq^P0Y~3GVzkjivk^d~~3!_R??XrGu1T&rcI) zxIa=qP7k{21eJN$YJO*5z4e3h7nDuyt@qJeU&3SS#!);G;%&yoj0_nw2Oqy1-~L`b 
zyQgdSem&L&Z&T?ZM92QtZa`~_02mQAmXYKYek+4ho)X6*%B(Zm*WoMH<{(Bs**pg8E#Ew6*`a1(ODbeJz6EAkKv1=pSUKG!Uo@vfdXYA zJohowrYI+$C&cS~1|5&F3PfJXvClHg_9ZMmk>D9mFuGvoQ???m0K~h}KM!2KM11)Q z4`-NHF*i-~NalB{0>s!Pv(bu*P1-BhtDj*Fz~_-^mgH~Qc<%>LsLDc_9CUlf9-j2& zvq$Rq8WJ73IoerlvBmJT+A7w#+x)W5FdI?sTSp@49aUW0Q#JVQD~EMXDoK~u#&%Ib ztaH-5e`nRbjz|<=)e(u0H0y|j9mtngycf$XTaoxRV#q!sS9V7jxBAX1qp9`VI$q=R z@3>Cx$Kpsg?RBbGa*Z9?G0WFm8N0q-A28I4>dtNG_pN7O(n+eb^4d{s1HNlUy%*`Z zXTO{kF<0?FpWCecx?x2jB}mLAp zm?XD}a%MK`l^o%INyWYzA8A!zyB1YZs$o-SR9N!W_9_^jSGC?W>-9cnyEMx?tfGqE zW?N^v3Z)J7ZR0+y_dDC4K_DI6AVUvK+;c20bm z%i11KvW3x#crP>d@wxe&&u7fP|9ntisxQ>7%U7jdsx!4vC+a}0)I|NQj__%zX8870 zRq6q*tJJRAR(oi_3hrI$s~5Oedg!&?}>V-epk=bPx$Ruynl+k-{|!U^DvR(Q}sxFkJ&vcGB?^K*HlI%^e_|1 ze}Os5Xvg?%1?^s9^c}s9PVuSk!5P2$zG@3S(pxcRI)g6n6p#e35X!&5 z91Krr9rPYE%-O_=p$B1fPmjmB_aF7*l7|!YIn{jQdTwR^T#rQ!lqiaORsK@x{mXyno(&zre`s+26HXO&7~q<#R8&-;)(0Q z1h{gh`u@)i70Bb!hzl_0OVfF4)gvxIq|(JI+}J%wBQ0<15%6^*1Ek+#Dn53Qn@5*l z^+tSP#0RX^G({~j(Sh_3wwsO*JO%F;0k7YriURH-S)DRCY`5-+)>DUU25XT+dTz5b zMBI*%#jWUF+zNF8Tp@`?N>z%W!f}}+sd}l$U0~#Nj6&k}GmYGquUXinT7@=RTr6U} z4U0ZVYkD1~Hlf1)lGH%Co>BG${e8Z?nuH3PSEd%BefR%5Y7p8-x4Sx~<}BPfOtUyE z_wqFd74}hBw@|j$pt{_nDN|!Wj~-T7#CcHRoV4P5Zlb1uRy%YpK{&=xH3UZUH@$Yi z=*^Hd1I@c<^lqWWm#7t}u6F+05P)H_|1fSAYiesH0voC(;CgBS;$@rb&Fv~tV(-61 zHXkc#HwI+Y&?#0C6AMUHdzyb{e>T#cTS^Z{eIZOlQu6RK z+uZp#MMkk!Z0&>@^Gw(1aK_=&5B!C-Jgh|ZtG(Qc$lMtiO`l(Bc{%Hs%9g%fMEY^- z0oy8Ma=CB;&YH}N{BPFaCKO6!C~d6leH?&1r+;v3wv4y26^?Pf*IyahdQDv&;{14e z%~#1xwC)vi=qY2*DH=;E<20-5Dj#WGr;Xk6rw$GOG*?Uw$ft&$#?5)ePep(0t?xID zk4%gIT@PvQ@3w}J2Hrp9Ghc0(r9rZ;_gSwtT5R0N9fJQCf?BS2tK{l+leJnSjvCsy zd>(OB;e>5NjMMc6C2Ow2aYih4*ypd}@irn|{c5V#BdNpHQpILyqVXe|DxBzQsXc=K zjA-hJrdnO0A0N?F%a8VVj5bCz)qj%zgUa*QBbwT*XU(g;kN4QhJ6Y%Butyn@tNVzi z3OB+wc2_J1y&Q6nDTkg<4NY|s*!`e#*n0XVdf) zgHib>ZN=OnT3N5~bWgO3eP)8y6+D}ar_cENYNl48-04xS1Y{1`1HG*Q}hwk=hE#$rP&PF;16)H}UD%=KH&IFzd8X5S-pwzbBmrJg(XL7%E< ze3;n@GpG01Gbm)fap#lWN{#_#K5g_{%qpH%qTGEb>8k6Er-CThLe~ShXOi`ys~_?l 
zPq}~ESRaa;&(Dgd#GJF$hk~ZKrfX#qeQawbcIdK}JPQs-l-;YFsKBk$GJHkux-o}B zmFwfu&P2YOe%hB%&-H6q)LBN7wmCl?s-jm$m3BQYJxqnKj4y3-BrCtRwW&yn^dnJ< zUoRZ*PutHL>*HhNo*;>*(tqNZl%;s=RNhjL*PmM(LqY7wY3sx0)cA-NO53;QNBWWW zW}l!GDx|IF+j;d9^%@};GZ^!Vm~)T&cqekZo)_ih6-NGjXepCfbk)W5p>E7C#P(xb z6Lp3AATeu2+X!QR5uP4gvQj1FI=SsWX*lK>A&1=0o1J6G4p=M_?#`^~{rU`JxXPE1 zp0o&9?v9N|<$7tyEJHZa-lp=lWR}sjzU(*VO1}PtwA<$)4eD_MEJ1Kzo<_Zg^QpJ+ zKM?HUFVCiahQD`lp2Zz}_duT?{U@&XF>q!r=XlLgYa~zjnm)x&!|NHRab%uGY0m24 Xi5YEI+h<73{|>`z?GrfUkeTy;kMBPK literal 0 HcmV?d00001 diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_prams/c.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_prams/c.tf deleted file mode 100644 index 6adf2edcd..000000000 --- a/inputs/gcp/discovery_engine/data_connector/data_connector_prams/c.tf +++ /dev/null @@ -1,6 +0,0 @@ -# Describe your resource type here -# Keep "c" as the name to indicate that this resource and its attributes are compliant - -resource "RESOURCE TYPE" "c" { - -} \ No newline at end of file diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_prams/nc.tf b/inputs/gcp/discovery_engine/data_connector/data_connector_prams/nc.tf deleted file mode 100644 index 76e41151f..000000000 --- a/inputs/gcp/discovery_engine/data_connector/data_connector_prams/nc.tf +++ /dev/null @@ -1,6 +0,0 @@ -# Describe your resource type here -# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant - -resource "RESOURCE TYPE" "nc" { - -} \ No newline at end of file diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego new file mode 100644 index 000000000..aaf59ffce --- /dev/null +++ b/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego 
@@ -0,0 +1,24 @@
+package terraform.gcp.security.discovery_engine.data_connector.data_connector_data_source
+import data.terraform.gcp.helpers
+import data.terraform.gcp.security.discovery_engine.data_connector.vars
+
+#Data_connector
+
+conditions := [
+ [
+ {
+ "situation_description": "Is the data connector set correctly",
+ "remedies": ["Ensure that it is set to the correct source"]
+ },
+ {
+ "condition": "data source is set to c-datasource",
+ "attribute_path": ["data_source"],
+ "values": ["c-datasource"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+details := helpers.get_multi_summary(conditions, vars.variables).details
\ No newline at end of file
diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_json_params/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_json_params/policy.rego
new file mode 100644
index 000000000..af6337e16
--- /dev/null
+++ b/policies/gcp/discovery_engine/data_connector/data_connector_json_params/policy.rego
@@ -0,0 +1,24 @@
+package terraform.gcp.security.discovery_engine.data_connector.data_connector_json_params
+import data.terraform.gcp.helpers
+import data.terraform.gcp.security.discovery_engine.data_connector.vars
+
+#Data_connector_json
+
+conditions := [
+ [
+ {
+ "situation_description": "Is the data json set correctly",
+ "remedies": ["Ensure that it is set to the correct json"]
+ },
+ {
+ "condition": "data source is set to valid-string",
+ "attribute_path": ["json_params"],
+ "values": ["valid-string"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+details := helpers.get_multi_summary(conditions, vars.variables).details
\ No newline at end of file
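Review bot: The whitelist `"values": ["c-datasource"]` pins `data_source` to what looks like a template placeholder rather than an approved source, so every real `google_discovery_engine_data_connector` plan evaluated by this policy would be reported non-compliant. The same placeholder pattern appears in the json_params hunk (`"valid-string"`), the params hunk in the next file (`"VALID-ID"`) and the `user_account` scenario added by PATCH 06 (`"Validuser@google.com"`); replace them with the organisation's approved values, or state in `situation_description` which values count as compliant and why. The `#Data_connector` comment should also name the control, e.g. `# Restricts data_source of google_discovery_engine_data_connector to approved sources`.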
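Review bot: The `condition` string `"data source is set to valid-string"` was copied from the data_source policy and does not describe this check, which targets `json_params`; change it to `"condition": "json_params is set to an approved value"`. If `json_params` carries a serialised JSON document, as its name suggests, an exact-string whitelist is unlikely to be evaluable in practice, since any key reordering or whitespace difference fails the comparison; a `pattern whitelist` over the specific keys of interest is probably what is wanted, depending on how `helpers.get_multi_summary` compares values (not visible here). Also the `#Data_connector_json` comment and `situation_description` should say what this policy enforces rather than ask a question.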
diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego
new file mode 100644
index 000000000..c5c2f70fd
--- /dev/null
+++ b/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego
@@ -0,0 +1,24 @@
+package terraform.gcp.security.discovery_engine.data_connector.data_connector_location
+import data.terraform.gcp.helpers
+import data.terraform.gcp.security.discovery_engine.data_connector.vars
+
+#Data_connector
+
+conditions := [
+ [
+ {
+ "situation_description": "Is the location set correctly",
+ "remedies": ["Ensure that it is set to the correct location"]
+ },
+ {
+ "condition": "location is set to eu",
+ "attribute_path": ["location"],
+ "values": ["eu"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+details := helpers.get_multi_summary(conditions, vars.variables).details
\ No newline at end of file
diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego
new file mode 100644
index 000000000..bc6729ed7
--- /dev/null
+++ b/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego
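Review bot: The `situation_description` `"Is the location set correctly"` reads as a question rather than a finding, so the generated report never tells the reader what was wrong or why `eu` is the only accepted region. Suggest `"situation_description": "Data connector is not located in the approved region (data residency requirement)"` and `"remedies": ["Set location to \"eu\""]`, and replace the `#Data_connector` comment with one naming the control, e.g. `# Restricts google_discovery_engine_data_connector.location to approved regions`. Whether `eu` is the only intended value is not visible here and should be confirmed with whoever owns the residency requirement.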
@@ -0,0 +1,37 @@
+package terraform.gcp.security.discovery_engine.data_connector.data_connector_params
+import data.terraform.gcp.helpers
+import data.terraform.gcp.security.discovery_engine.data_connector.vars
+
+#Data_connector
+
+conditions := [
+ [
+ {
+ "situation_description": "Is the data prams set correctly",
+ "remedies": ["Ensure that it is set to the correct paramiters"]
+ },
+ {
+ "condition": "parms is misconfigured",
+ "attribute_path": ["params", 0, "auth_type"],
+ "values": ["OAUTH_PASSWORD_GRANT"],
+ "policy_type": "whitelist"
+ }
+ ],
+ [
+ {
+ "situation_description": "Is the data prams set correctly",
+ "remedies": ["Ensure that it is set to the correct paramiters"]
+ },
+ {
+ "condition": "parms is misconfigured",
+ "attribute_path": ["params", 0, "client_id"],
+ "values": ["VALID-ID"],
+ "policy_type": "whitelist"
+ }
+ ]
+
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+details := helpers.get_multi_summary(conditions, vars.variables).details
\ No newline at end of file
diff --git a/policies/gcp/discovery_engine/data_connector/vars.rego b/policies/gcp/discovery_engine/data_connector/vars.rego
new file mode 100644
index 000000000..43fd21c21
--- /dev/null
+++ b/policies/gcp/discovery_engine/data_connector/vars.rego
@@ -0,0 +1,9 @@
+package terraform.gcp.security.discovery_engine.data_connector.vars
+
+#This is for the data_connector
+
+variables := {
+ "friendly_resource_name": "data_connector",
+ "resource_type": "google_discovery_engine_data_connector",
+ "resource_value_name" : "collection_id"
+}
From 760768306f6681121e19ed9e63c431f39efc6194 Mon Sep 17 00:00:00 2001
From: LegendaryMercury
Date: Wed, 10 Dec 2025 17:07:23 +1100
Subject: [PATCH 06/20] Spelling fix

---
 .../data_connector_params/policy.rego | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
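Review bot: Whitelisting `OAUTH_PASSWORD_GRANT` as the only compliant `params[0].auth_type` makes the policy require the connector to hold an end-user password, and the resource owner password grant is the flow the OAuth 2.0 Security BCP (RFC 9700) says must not be used; if the resource supports a grant that does not store user credentials, pin that instead, otherwise record in `situation_description` why this grant is accepted. The `attribute_path` `["params", 0, "auth_type"]` indexes `params` as a list of blocks; if the provider exposes `params` as a map attribute, the `0` would never resolve and neither scenario could match, so this should be checked against a plan JSON for the resource. Both scenarios also share the identical `situation_description` and `condition` text, so the two findings are indistinguishable in the report (PATCH 06 corrects only the client_id scenario).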
diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego index bc6729ed7..eeca74d2a 100644 --- a/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego +++ b/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego @@ -19,15 +19,27 @@ conditions := [ ], [ { - "situation_description": "Is the data prams set correctly", - "remedies": ["Ensure that it is set to the correct paramiters"] + "situation_description": "Is the client_id set correctly", + "remedies": ["Ensure that it is set to the correct client_id"] }, { - "condition": "parms is misconfigured", + "condition": "client_id is misconfigured", "attribute_path": ["params", 0, "client_id"], "values": ["VALID-ID"], "policy_type": "whitelist" } + ], + [ + { + "situation_description": "Is the user_account set correctly", + "remedies": ["Ensure that it is set to the correct user_account"] + }, + { + "condition": "parms is misconfigured", + "attribute_path": ["params", 0, "user_account"], + "values": ["Validuser@google.com"], + "policy_type": "whitelist" + } ] ] From 2660c26054639973b0a08318775fc450258f1668 Mon Sep 17 00:00:00 2001 
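Review bot: The new `user_account` scenario still carries `"condition": "parms is misconfigured"`, the same copy-paste text this commit corrects for the client_id scenario; change it to `"condition": "user_account is misconfigured"`. The value `"Validuser@google.com"` also looks like a placeholder, and if it were a real identity the policy would pin every connector to one account, which should be stated in `situation_description` if intended. The enclosing `conditions` assignment starts above the hunk.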
From: LegendaryMercury Date: Wed, 10 Dec 2025 17:27:28 +1100 Subject: [PATCH 07/20] Revert "Merge remote-tracking branch 'origin/dev' into discovery_engine" This reverts commit b467d8476c49832ebfd24e83f43f63eb2e6e0eab, reversing changes made to 760768306f6681121e19ed9e63c431f39efc6194. --- .github/ISSUE_TEMPLATE/config.yml | 5 - .github/ISSUE_TEMPLATE/task.yml | 86 --- docs/gcp/API_Gateway/api_gateway_api.md | 17 - .../gcp/API_Gateway/api_gateway_api_config.md | 71 -- .../API_Gateway/api_gateway_api_config_iam.md | 18 - docs/gcp/API_Gateway/api_gateway_api_iam.md | 17 - docs/gcp/API_Gateway/api_gateway_gateway.md | 18 - .../API_Gateway/api_gateway_gateway_iam.md | 18 - docs/gcp/API_Hub/apihub_api_hub_instance.md | 4 +- docs/gcp/API_Hub/apihub_curation.md | 5 +- .../apihub_host_project_registration.md | 3 +- docs/gcp/API_Hub/apihub_plugin.md | 12 +- docs/gcp/API_Hub/apihub_plugin_instance.md | 14 +- .../folder_access_approval_settings.md | 4 +- .../organization_access_approval_settings.md | 4 +- .../project_access_approval_settings.md | 4 +- .../integrations_auth_config.md | 17 +- .../integrations_client.md | 4 +- .../bigquery_datapolicy_data_policy.md | 4 +- .../bigquery_datapolicy_data_policy_iam.md | 3 +- .../Chronicle/chronicle_data_access_label.md | 3 +- .../Chronicle/chronicle_data_access_scope.md | 6 +- .../gcp/Chronicle/chronicle_reference_list.md | 4 +- docs/gcp/Chronicle/chronicle_retrohunt.md | 4 +- docs/gcp/Chronicle/chronicle_rule.md | 3 +- .../Chronicle/chronicle_rule_deployment.md | 3 +- docs/gcp/Chronicle/chronicle_watchlist.md | 5 +- .../Cloud_Deploy/clouddeploy_automation.md | 13 +- .../clouddeploy_custom_target_type.md | 8 +- .../clouddeploy_custom_target_type_iam.md | 3 +- .../clouddeploy_delivery_pipeline.md | 20 +- .../clouddeploy_delivery_pipeline_iam.md | 3 +- .../Cloud_Deploy/clouddeploy_deploy_policy.md | 15 +- docs/gcp/Cloud_Deploy/clouddeploy_target.md | 12 +- .../Cloud_Deploy/clouddeploy_target_iam.md | 3 +- 
.../deployment_manager_deployment.md | 7 +- .../Cloud_Platform/folder_service_identity.md | 3 +- .../google_billing_subaccount.md | 3 +- docs/gcp/Cloud_Platform/google_folder.md | 3 +- docs/gcp/Cloud_Platform/google_folder_iam.md | 5 +- .../google_folder_organization_policy.md | 6 +- .../Cloud_Platform/google_organization_iam.md | 5 +- .../google_organization_iam_custom_role.md | 3 +- .../google_organization_policy.md | 6 +- docs/gcp/Cloud_Platform/google_project.md | 3 +- ...google_project_default_service_accounts.md | 3 +- docs/gcp/Cloud_Platform/google_project_iam.md | 5 +- .../google_project_iam_custom_role.md | 3 +- .../google_project_iam_member_remove.md | 3 +- .../google_project_organization_policy.md | 6 +- .../Cloud_Platform/google_project_service.md | 3 +- .../Cloud_Platform/google_service_account.md | 3 +- .../google_service_account_iam.md | 4 +- .../google_service_account_key.md | 3 +- .../project_service_identity.md | 3 +- .../Cloud_Storage/storage_anywhere_cache.md | 3 +- docs/gcp/Cloud_Storage/storage_bucket.md | 16 +- .../storage_bucket_access_control.md | 3 +- docs/gcp/Cloud_Storage/storage_bucket_acl.md | 3 +- docs/gcp/Cloud_Storage/storage_bucket_iam.md | 3 +- .../Cloud_Storage/storage_bucket_object.md | 5 +- .../storage_default_object_access_control.md | 3 +- .../storage_default_object_acl.md | 3 +- docs/gcp/Cloud_Storage/storage_folder.md | 3 +- docs/gcp/Cloud_Storage/storage_hmac_key.md | 3 +- .../Cloud_Storage/storage_managed_folder.md | 3 +- .../storage_managed_folder_iam.md | 4 +- .../gcp/Cloud_Storage/storage_notification.md | 3 +- .../storage_object_access_control.md | 3 +- docs/gcp/Cloud_Storage/storage_object_acl.md | 3 +- .../google_storage_batch_operations_job.md | 11 +- .../storage_batch_operations_job.md | 80 --- ...se_migration_service_connection_profile.md | 17 +- ...atabase_migration_service_migration_job.md | 7 +- ...se_migration_service_private_connection.md | 4 +- docs/gcp/Dataform/dataform_repository.md | 6 +- 
docs/gcp/Dataform/dataform_repository_iam.md | 3 +- .../dataform_repository_release_config.md | 4 +- .../dataform_repository_workflow_config.md | 5 +- .../discovery_engine_chat_engine.md | 6 +- .../discovery_engine_cmek_config.md | 4 +- .../discovery_engine_data_store.md | 11 +- .../discovery_engine_recommendation_engine.md | 9 +- .../discovery_engine_schema.md | 3 +- .../discovery_engine_search_engine.md | 5 +- .../discovery_engine_sitemap.md | 3 +- .../discovery_engine_target_site.md | 3 +- docs/gcp/Firebase/firebase_android_app.md | 3 +- docs/gcp/Firebase/firebase_apple_app.md | 3 +- docs/gcp/Firebase/firebase_project.md | 3 +- docs/gcp/Firebase/firebase_web_app.md | 3 +- .../firebase_app_hosting_backend.md | 4 +- .../firebase_app_hosting_build.md | 6 +- .../firebase_app_hosting_default_domain.md | 3 +- .../firebase_app_hosting_domain.md | 5 +- .../firebase_app_hosting_traffic.md | 6 +- .../firebase_data_connect_service.md | 3 +- .../Firestore/firestore_backup_schedule.md | 4 +- docs/gcp/Firestore/firestore_database.md | 4 +- docs/gcp/Firestore/firestore_document.md | 3 +- docs/gcp/Firestore/firestore_field.md | 6 +- docs/gcp/Firestore/firestore_index.md | 5 +- .../lustre_instance.md | 3 +- .../netapp_active_directory.md | 3 +- .../netapp_backup.md | 3 +- .../netapp_backup_policy.md | 3 +- .../netapp_backup_vault.md | 4 +- .../netapp_kmsconfig.md | 3 +- .../netapp_storage_pool.md | 3 +- .../netapp_volume.md | 14 +- .../netapp_volume_quota_rule.md | 3 +- .../netapp_volume_replication.md | 5 +- .../netapp_volume_snapshot.md | 3 +- .../edgecontainer_cluster.md | 22 +- .../edgecontainer_node_pool.md | 5 +- .../edgecontainer_vpn_connection.md | 4 +- .../iap_app_engine_service_iam.md | 4 +- .../iap_app_engine_version_iam.md | 4 +- docs/gcp/Identity-Aware_Proxy/iap_brand.md | 3 +- docs/gcp/Identity-Aware_Proxy/iap_client.md | 3 +- docs/gcp/Identity-Aware_Proxy/iap_settings.md | 16 +- .../iap_tunnel_dest_group.md | 3 +- .../iap_tunnel_dest_group_iam.md | 4 +- 
.../Identity-Aware_Proxy/iap_tunnel_iam.md | 4 +- .../iap_tunnel_instance_iam.md | 4 +- .../iap_web_backend_service_iam.md | 4 +- .../iap_web_cloud_run_service_iam.md | 4 +- docs/gcp/Identity-Aware_Proxy/iap_web_iam.md | 4 +- .../iap_web_region_backend_service_iam.md | 4 +- .../iap_web_type_app_engine_iam.md | 4 +- .../iap_web_type_compute_iam.md | 4 +- docs/gcp/Managed_Kafka/managed_kafka_acl.md | 4 +- .../Managed_Kafka/managed_kafka_cluster.md | 7 +- .../managed_kafka_connect_cluster.md | 7 +- .../Managed_Kafka/managed_kafka_connector.md | 4 +- docs/gcp/Managed_Kafka/managed_kafka_topic.md | 3 +- docs/gcp/Memcache/memcache_instance.md | 20 +- docs/gcp/Memorystore/memorystore_instance.md | 17 +- ...instance_desired_user_created_endpoints.md | 6 +- .../Model_Armor/model_armor_floorsetting.md | 14 +- docs/gcp/Model_Armor/model_armor_template.md | 13 +- .../os_config_v2_policy_orchestrator.md | 37 +- ...onfig_v2_policy_orchestrator_for_folder.md | 36 +- ...v2_policy_orchestrator_for_organization.md | 36 +- .../recaptcha_enterprise_key.md | 8 +- index.html | 23 +- policies/_helpers/README.md | 665 ------------------ policies/_helpers/helpers.rego | 249 ------- policies/_helpers/policies/blacklist.rego | 81 --- .../_helpers/policies/element_blacklist.rego | 109 --- .../_helpers/policies/pattern_blacklist.rego | 91 --- .../_helpers/policies/pattern_whitelist.rego | 92 --- policies/_helpers/policies/range.rego | 88 --- policies/_helpers/policies/whitelist.rego | 72 -- policies/_helpers/shared.rego | 165 ----- policies/gcp/_helpers/helpers.rego | 590 +++++++++++++++- scripts/docgen/create_markdown.py | 5 +- tests/_helpers/README.md | 175 ----- tests/_helpers/blacklist_test.rego | 315 --------- tests/_helpers/check_ux.sh | 82 --- tests/_helpers/element_blacklist_test.rego | 412 ----------- .../fixtures/gcp_access_level/plan.json | 507 ------------- tests/_helpers/fixtures/gcp_project/plan.json | 606 ---------------- .../fixtures/gcp_storage_bucket/plan.json | 368 
---------- tests/_helpers/pattern_blacklist_test.rego | 430 ----------- tests/_helpers/pattern_whitelist_test.rego | 428 ----------- tests/_helpers/policy_debug.sh | 136 ---- tests/_helpers/range_test.rego | 234 ------ tests/_helpers/shared_test.rego | 326 --------- tests/_helpers/smoke_test_helpers.sh | 122 ---- tests/_helpers/unit_test_helpers.sh | 103 --- tests/_helpers/whitelist_test.rego | 345 --------- 172 files changed, 735 insertions(+), 7259 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/config.yml delete mode 100644 .github/ISSUE_TEMPLATE/task.yml delete mode 100644 docs/gcp/API_Gateway/api_gateway_api.md delete mode 100644 docs/gcp/API_Gateway/api_gateway_api_config.md delete mode 100644 docs/gcp/API_Gateway/api_gateway_api_config_iam.md delete mode 100644 docs/gcp/API_Gateway/api_gateway_api_iam.md delete mode 100644 docs/gcp/API_Gateway/api_gateway_gateway.md delete mode 100644 docs/gcp/API_Gateway/api_gateway_gateway_iam.md delete mode 100644 docs/gcp/Cloud_Storage_Batch_Operations/storage_batch_operations_job.md delete mode 100644 policies/_helpers/README.md delete mode 100644 policies/_helpers/helpers.rego delete mode 100644 policies/_helpers/policies/blacklist.rego delete mode 100644 policies/_helpers/policies/element_blacklist.rego delete mode 100644 policies/_helpers/policies/pattern_blacklist.rego delete mode 100644 policies/_helpers/policies/pattern_whitelist.rego delete mode 100644 policies/_helpers/policies/range.rego delete mode 100644 policies/_helpers/policies/whitelist.rego delete mode 100644 policies/_helpers/shared.rego delete mode 100644 tests/_helpers/README.md delete mode 100644 tests/_helpers/blacklist_test.rego delete mode 100755 tests/_helpers/check_ux.sh delete mode 100644 tests/_helpers/element_blacklist_test.rego delete mode 100644 tests/_helpers/fixtures/gcp_access_level/plan.json delete mode 100644 tests/_helpers/fixtures/gcp_project/plan.json delete mode 100644 tests/_helpers/fixtures/gcp_storage_bucket/plan.json 
delete mode 100644 tests/_helpers/pattern_blacklist_test.rego delete mode 100644 tests/_helpers/pattern_whitelist_test.rego delete mode 100755 tests/_helpers/policy_debug.sh delete mode 100644 tests/_helpers/range_test.rego delete mode 100644 tests/_helpers/shared_test.rego delete mode 100755 tests/_helpers/smoke_test_helpers.sh delete mode 100755 tests/_helpers/unit_test_helpers.sh delete mode 100644 tests/_helpers/whitelist_test.rego diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml deleted file mode 100644 index e74d18a43..000000000 --- a/.github/ISSUE_TEMPLATE/config.yml +++ /dev/null @@ -1,5 +0,0 @@ -blank_issues_enabled: false -contact_links: - - name: GitHub Community Support - url: https://github.com/orgs/community/discussions - about: Please ask and answer questions here. diff --git a/.github/ISSUE_TEMPLATE/task.yml b/.github/ISSUE_TEMPLATE/task.yml deleted file mode 100644 index 970080c24..000000000 --- a/.github/ISSUE_TEMPLATE/task.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -name: "PDE Task" -description: "Create a new task for PDE (non-policy work: scripts, tooling, initiatives, improvements)" -title: "[PDE] " -labels: - - task - - feature - - help wanted -body: - - type: input - id: assignee - attributes: - label: Assignee - description: "GitHub username of the person responsible" - placeholder: "@username" - validations: - required: true - - - type: input - id: start_date - attributes: - label: Start Date - description: "Format: YYYY-MM-DD" - placeholder: "2025-01-01" - validations: - required: true - - - type: input - id: end_date - attributes: - label: End Date (Target) - description: "Format: YYYY-MM-DD" - placeholder: "2025-01-15" - validations: - required: false - - - type: textarea - id: description - attributes: - label: Description - description: "Explain the task, context, purpose, and impact" - placeholder: "What is this task about?" - validations: - required: true - - - type: textarea - id: objectives - attributes: - label: Objectives / Expected Outcome - description: "Define what success looks like" - placeholder: "- Improve script reliability\n- Produce documentation\n- Resolve workflow errors" - - - type: textarea - id: steps - attributes: - label: Steps / Action Items - description: "List the steps required to complete the task" - placeholder: | - 1. - 2. - 3. - - - type: textarea - id: dependencies - attributes: - label: Dependencies - description: "Other tasks, PRs, or teams this depends on" - placeholder: "- PR #123\n- Waiting on external review" - - - type: textarea - id: links - attributes: - label: Related Links - description: "PRs, docs, Slack threads, references" - placeholder: "- https://..." - - - type: dropdown - id: status - attributes: - label: Status - options: - - Not started - - In progress - - Blocked - - Completed - validations: - required: true 
diff --git a/docs/gcp/API_Gateway/api_gateway_api.md b/docs/gcp/API_Gateway/api_gateway_api.md deleted file mode 100644 index 6c097cb47..000000000 --- a/docs/gcp/API_Gateway/api_gateway_api.md +++ /dev/null @@ -1,17 +0,0 @@ -## 🛡️ Policy Deployment Engine: `api_gateway_api` - -This section provides a concise policy evaluation for the `api_gateway_api` resource in GCP. - -Reference: [Terraform Registry – api_gateway_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api) - ---- - -## Argument Reference - -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `api_id` | Identifier to assign to the API. Must be unique within scope of the parent resource(project) | true | false | None | None | None | -| `display_name` | A user-visible name for the API. | false | false | None | None | None | -| `managed_service` | Immutable. The name of a Google Managed Service ( https://cloud.google.com/service-infrastructure/docs/glossary#managed). If not specified, a new Service will automatically be created in the same project as this API. | false | false | None | None | None | -| `labels` | Resource labels to represent user-provided metadata. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None | -| `project` | If it is not provided, the provider project is used. | false | false | None | None | None | diff --git a/docs/gcp/API_Gateway/api_gateway_api_config.md b/docs/gcp/API_Gateway/api_gateway_api_config.md deleted file mode 100644 index 62f4f562e..000000000 --- a/docs/gcp/API_Gateway/api_gateway_api_config.md +++ /dev/null 
@@ -1,71 +0,0 @@ -## 🛡️ Policy Deployment Engine: `api_gateway_api_config` - -This section provides a concise policy evaluation for the `api_gateway_api_config` resource in GCP. - -Reference: [Terraform Registry – api_gateway_api_config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api_config) - ---- - -## Argument Reference - -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `api` | The API to attach the config to. | true | false | None | None | None | -| `display_name` | A user-visible name for the API. | false | false | None | None | None | -| `labels` | Resource labels to represent user-provided metadata. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None | -| `gateway_config` | Immutable. Gateway specific configuration. If not specified, backend authentication will be set to use OIDC authentication using the default compute service account Structure is [documented below](#nested_gateway_config). | false | false | None | None | None | -| `openapi_documents` | OpenAPI specification documents. If specified, grpcServices and managedServiceConfigs must not be included. Structure is [documented below](#nested_openapi_documents). | false | false | None | None | None | -| `grpc_services` | gRPC service definition files. If specified, openapiDocuments must not be included. Structure is [documented below](#nested_grpc_services). | false | false | None | None | None | -| `managed_service_configs` | Optional. Service Configuration files. At least one must be included when using gRPC service definitions. 
See https://cloud.google.com/endpoints/docs/grpc/grpc-service-config#service_configuration_overview for the expected file contents. If multiple files are specified, the files are merged with the following rules: * All singular scalar fields are merged using "last one wins" semantics in the order of the files uploaded. * Repeated fields are concatenated. * Singular embedded messages are merged using these rules for nested fields. Structure is [documented below](#nested_managed_service_configs). | false | false | None | None | None | -| `api_config_id` | Identifier to assign to the API Config. Must be unique within scope of the parent resource(api). | false | false | None | None | None | -| `project` | If it is not provided, the provider project is used. | false | false | None | None | None | -| `api_config_id_prefix` | specified prefix. If this and api_config_id are unspecified, a random value is chosen for the name. | false | false | None | None | None | -| `backend_config` | | false | false | None | None | None | -| `document` | | false | false | None | None | None | -| `file_descriptor_set` | | false | false | None | None | None | -| `source` | | false | false | None | None | None | - -### gateway_config Block -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `backend_config` | Backend settings that are applied to all backends of the Gateway. Structure is [documented below](#nested_gateway_config_backend_config). | true | false | None | None | None | - -### openapi_documents Block -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `document` | The OpenAPI Specification document file. Structure is [documented below](#nested_openapi_documents_openapi_documents_document). 
| true | false | None | None | None | - -### grpc_services Block -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `file_descriptor_set` | Input only. File descriptor set, generated by protoc. To generate, use protoc with imports and source info included. For an example test.proto file, the following command would put the value in a new file named out.pb. $ protoc --include_imports --include_source_info test.proto -o out.pb Structure is [documented below](#nested_grpc_services_grpc_services_file_descriptor_set). | true | false | None | None | None | -| `source` | Uncompiled proto files associated with the descriptor set, used for display purposes (server-side compilation is not supported). These should match the inputs to 'protoc' command used to generate fileDescriptorSet. Structure is [documented below](#nested_grpc_services_grpc_services_source). | false | false | None | None | None | - -### managed_service_configs Block -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `path` | The file path (full or relative path). This is typically the path of the file when it is uploaded. | true | false | None | None | None | -| `contents` | Base64 encoded content of the file. | true | false | None | None | None | - -### backend_config Block -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `google_service_account` | Google Cloud IAM service account used to sign OIDC tokens for backends that have authentication configured (https://cloud.google.com/service-infrastructure/docs/service-management/reference/rest/v1/services.configs#backend). 
| true | false | None | None | None | - -### document Block -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `path` | The file path (full or relative path). This is typically the path of the file when it is uploaded. | true | false | None | None | None | -| `contents` | Base64 encoded content of the file. | true | false | None | None | None | - -### file_descriptor_set Block -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `path` | The file path (full or relative path). This is typically the path of the file when it is uploaded. | true | false | None | None | None | -| `contents` | Base64 encoded content of the file. | true | false | None | None | None | - -### source Block -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `path` | The file path (full or relative path). This is typically the path of the file when it is uploaded. | true | false | None | None | None | -| `contents` | Base64 encoded content of the file. | true | false | None | None | None | diff --git a/docs/gcp/API_Gateway/api_gateway_api_config_iam.md b/docs/gcp/API_Gateway/api_gateway_api_config_iam.md deleted file mode 100644 index 3e6c4f672..000000000 --- a/docs/gcp/API_Gateway/api_gateway_api_config_iam.md +++ /dev/null 
@@ -1,18 +0,0 @@ -## 🛡️ Policy Deployment Engine: `api_gateway_api_config_iam` - -This section provides a concise policy evaluation for the `api_gateway_api_config_iam` resource in GCP. - -Reference: [Terraform Registry – api_gateway_api_config_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api_config_iam) - ---- - -## Argument Reference - -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `api` | Used to find the parent resource to bind the IAM policy to | false | false | None | None | None | -| `api_config` | | false | false | None | None | None | -| `project` | If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. | false | false | None | None | None | -| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. 
For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | false | None | None | None | -| `role` | `google_api_gateway_api_config_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | false | None | None | None | -| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None | diff --git a/docs/gcp/API_Gateway/api_gateway_api_iam.md b/docs/gcp/API_Gateway/api_gateway_api_iam.md deleted file mode 100644 index ff825df6f..000000000 --- a/docs/gcp/API_Gateway/api_gateway_api_iam.md +++ /dev/null 
@@ -1,17 +0,0 @@
-## 🛡️ Policy Deployment Engine: `api_gateway_api_iam`
-
-This section provides a concise policy evaluation for the `api_gateway_api_iam` resource in GCP.
-
-Reference: [Terraform Registry – api_gateway_api_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api_iam)
-
----
-
-## Argument Reference
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `api` | | false | false | None | None | None |
-| `project` | If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. | false | false | None | None | None |
-| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | false | None | None | None |
-| `role` | `google_api_gateway_api_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | false | None | None | None |
-| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None |
diff --git a/docs/gcp/API_Gateway/api_gateway_gateway.md b/docs/gcp/API_Gateway/api_gateway_gateway.md
deleted file mode 100644
index 0fff855ae..000000000
--- a/docs/gcp/API_Gateway/api_gateway_gateway.md
+++ /dev/null
@@ -1,18 +0,0 @@
-## 🛡️ Policy Deployment Engine: `api_gateway_gateway`
-
-This section provides a concise policy evaluation for the `api_gateway_gateway` resource in GCP.
-
-Reference: [Terraform Registry – api_gateway_gateway](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_gateway)
-
----
-
-## Argument Reference
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `api_config` | Resource name of the API Config for this Gateway. Format: projects/{project}/locations/global/apis/{api}/configs/{apiConfig}. When changing api configs please ensure the new config is a new resource and the [lifecycle](https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle) rule `create_before_destroy` is set. | true | false | None | None | None |
-| `gateway_id` | Identifier to assign to the Gateway. Must be unique within scope of the parent resource(project). | true | false | None | None | None |
-| `display_name` | A user-visible name for the API. | false | false | None | None | None |
-| `labels` | Resource labels to represent user-provided metadata. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None |
-| `region` | The region of the gateway for the API. | false | false | None | None | None |
-| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/API_Gateway/api_gateway_gateway_iam.md b/docs/gcp/API_Gateway/api_gateway_gateway_iam.md
deleted file mode 100644
index 7a6e0c851..000000000
--- a/docs/gcp/API_Gateway/api_gateway_gateway_iam.md
+++ /dev/null
@@ -1,18 +0,0 @@
-## 🛡️ Policy Deployment Engine: `api_gateway_gateway_iam`
-
-This section provides a concise policy evaluation for the `api_gateway_gateway_iam` resource in GCP.
-
-Reference: [Terraform Registry – api_gateway_gateway_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_gateway_iam)
-
----
-
-## Argument Reference
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `region` | Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration. | false | false | None | None | None |
-| `gateway` | | false | false | None | None | None |
-| `project` | If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. | false | false | None | None | None |
-| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. 
* **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | false | None | None | None | -| `role` | `google_api_gateway_gateway_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | false | None | None | None | -| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None | diff --git a/docs/gcp/API_Hub/apihub_api_hub_instance.md b/docs/gcp/API_Hub/apihub_api_hub_instance.md index 624bf7f87..c3c4366f5 100644 --- a/docs/gcp/API_Hub/apihub_api_hub_instance.md +++ b/docs/gcp/API_Hub/apihub_api_hub_instance.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – apihub_api_hub_instance](https://registry.ter --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `config` | Available configurations to provision an ApiHub Instance. Structure is [documented below](#nested_config). | true | false | Config block is required but security impact depends on its nested arguments. | None | None | 
@@ -18,7 +17,6 @@ Reference: [Terraform Registry – apihub_api_hub_instance](https://registry.ter | `project` | If it is not provided, the provider project is used. | true | false | Required for terraform files to operate correctly | ['PDE'] | ['anything else'] | ### config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `encryption_type` | Optional. Encryption type for the region. If the encryption type is CMEK, the cmek_key_name must be provided. If no encryption type is provided, GMEK will be used. Possible values: ENCRYPTION_TYPE_UNSPECIFIED GMEK CMEK | false | true | Encryption type directly impacts data confidentiality. CMEK should be enforced to ensure org-controlled keys are used. | ['CMEK'] | ['GMEK', 'ENCRYPTION_TYPE_UNSPECIFIED'] | diff --git a/docs/gcp/API_Hub/apihub_curation.md b/docs/gcp/API_Hub/apihub_curation.md index d5be98fa6..d0274ec73 100644 --- a/docs/gcp/API_Hub/apihub_curation.md +++ b/docs/gcp/API_Hub/apihub_curation.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – apihub_curation](https://registry.terraform.i --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The display name of the curation. | true | false | None | None | None | 
@@ -19,13 +18,11 @@ Reference: [Terraform Registry – apihub_curation](https://registry.terraform.i | `application_integration_endpoint_details` | | true | false | Arguments inside may impact security | None | None | ### endpoint Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `application_integration_endpoint_details` | The details of the Application Integration endpoint to be triggered for curation. Structure is [documented below](#nested_endpoint_application_integration_endpoint_details). | true | false | Controls workflow routing for API metadata. | None | None | ### application_integration_endpoint_details Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `trigger_id` | The API trigger ID of the Application Integration workflow. | true | true | Trigger IDs must follow strict naming conventions to prevent routing to unauthorized workflows. | ['api_trigger/curation_API_PDE_1', 'api_trigger/curation_API_PDE_2', 'api_trigger/curation_API_PDE_3'] | ['RANDOM_9999', 'api_trigger/aaaa', ''] | diff --git a/docs/gcp/API_Hub/apihub_host_project_registration.md b/docs/gcp/API_Hub/apihub_host_project_registration.md index 9b6210334..872d48ab8 100644 --- a/docs/gcp/API_Hub/apihub_host_project_registration.md +++ b/docs/gcp/API_Hub/apihub_host_project_registration.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – apihub_host_project_registration](https://reg --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gcp_project` | Required. Immutable. Google cloud project name in the format: "projects/abc" or "projects/123". As input, project name with either project id or number are accepted. As output, this field will contain project number. | true | false | None | None | None | diff --git a/docs/gcp/API_Hub/apihub_plugin.md b/docs/gcp/API_Hub/apihub_plugin.md index 5abef6490..faeedc022 100644 --- a/docs/gcp/API_Hub/apihub_plugin.md +++ b/docs/gcp/API_Hub/apihub_plugin.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The display name of the plugin. Max length is 50 characters (Unicode code points). | true | false | Display name. No security relevance. | None | None | @@ -27,7 +26,6 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ | `multi_select_options` | | false | false | Option metadata only. Not security relevant. | None | None | ### actions_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | The id of the action. | true | false | Identifier only. Not sensitive. | None | None | 
@@ -36,39 +34,33 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ | `trigger_mode` | The trigger mode supported by the action. Possible values: TRIGGER_MODE_UNSPECIFIED API_HUB_ON_DEMAND_TRIGGER API_HUB_SCHEDULE_TRIGGER NON_API_HUB_MANAGED | true | false | Configuration setting. Not a secret. | None | None | ### documentation Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `external_uri` | The uri of the externally hosted documentation. | false | false | Points to external docs. No secret values. | None | None | ### config_template Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `auth_config_template` | AuthConfigTemplate represents the authentication template for a plugin. Structure is [documented below](#nested_config_template_auth_config_template). | false | false | Container for auth config. Not directly sensitive. | None | None | | `additional_config_template` | The list of additional configuration variables for the plugin's configuration. Structure is [documented below](#nested_config_template_additional_config_template). | false | false | Additional metadata. Security depends on nested values. | None | None | ### hosting_service Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_uri` | The URI of the service implemented by the plugin developer, used to invoke the plugin's functionality. This information is only required for user defined plugins. | false | false | Public endpoint reference. Not secret. 
| None | None | ### auth_config_template Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `supported_auth_types` | The list of authentication types supported by the plugin. | true | false | Lists allowed auth mechanisms. Not a secret but security-relevant in configuration enforcement. | None | None | | `service_account` | Config for Google service account authentication. Structure is [documented below](#nested_config_template_auth_config_template_service_account). | false | false | Container for service account settings. Secret risk exists at child level. | None | None | ### service_account Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_account` | The service account to be used for authenticating request. The `iam.serviceAccounts.getAccessToken` permission should be granted on this service account to the impersonator service account. | true | true | Directly references a service account used for authentication. Exposure could compromise system access. | None | None | ### additional_config_template Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `required` | Flag represents that this `ConfigVariable` must be provided for a PluginInstance. | false | false | Boolean flag. Not sensitive. | None | None | 
@@ -80,7 +72,6 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ | `validation_regex` | Regular expression in RE2 syntax used for validating the `value` of a `ConfigVariable`. | false | false | Validation expression. Not sensitive. | None | None | ### enum_options Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Id of the option. | true | false | Identifier only. Not sensitive. | None | None | @@ -88,7 +79,6 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ | `description` | Description of the option. | false | false | Metadata only. Not sensitive. | None | None | ### multi_select_options Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Id of the option. | true | false | Identifier only. Not sensitive. | None | None | diff --git a/docs/gcp/API_Hub/apihub_plugin_instance.md b/docs/gcp/API_Hub/apihub_plugin_instance.md index b56cf333b..b18d29c99 100644 --- a/docs/gcp/API_Hub/apihub_plugin_instance.md +++ b/docs/gcp/API_Hub/apihub_plugin_instance.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The display name for this plugin instance. Max length is 255 characters. | true | false | Display name. No security relevance. | None | None | 
@@ -29,7 +28,6 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr | `client_secret` | | true | false | Parent | None | None | ### actions Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `hub_instance_action` | (Output) The execution status for the plugin instance. Structure is [documented below](#nested_actions_actions_hub_instance_action). | true | false | Arguments inside could be security relevant however. | None | None | @@ -46,7 +44,6 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr | `end_time` | (Output) The last execution end time of the plugin instance. | false | false | None | None | None | ### auth_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `google_service_account_config` | Config for Google service account authentication. Structure is [documented below](#nested_auth_config_google_service_account_config). | false | false | Parameter, not security related. | None | None | 
@@ -56,39 +53,33 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr | `auth_type` | Possible values: AUTH_TYPE_UNSPECIFIED NO_AUTH GOOGLE_SERVICE_ACCOUNT USER_PASSWORD API_KEY OAUTH2_CLIENT_CREDENTIALS | true | true | Controls authentication methods. | ['USER_PASSWORD', 'OAUTH2_CLIENT_CREDENTIALS'] | ['NO_AUTH', 'Anything else'] | ### curation_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `custom_curation` | Custom curation information for this plugin instance. Structure is [documented below](#nested_actions_actions_curation_config_custom_curation). | false | false | Configuration settings. Not security relevant. | None | None | | `curation_type` | Possible values: CURATION_TYPE_UNSPECIFIED DEFAULT_CURATION_FOR_API_METADATA CUSTOM_CURATION_FOR_API_METADATA | true | false | Configuration settings. Not security relevant. | None | None | ### custom_curation Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `curation` | The unique name of the curation resource. This will be the name of the curation resource in the format: `projects/{project}/locations/{location}/curations/{curation}` | true | false | Unique name. Not security relevant. | None | None | ### google_service_account_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_account` | The service account to be used for authenticating request. The `iam.serviceAccounts.getAccessToken` permission should be granted on this service account to the impersonator service account. 
| true | true | Misconfigured or over-privileged service accounts are a major security risk. | None | None | ### user_password_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `username` | Username. | true | true | Potentially security relevant. Credentials-relevant. | None | None | | `password` | Secret provides a reference to entries in Secret Manager. Structure is [documented below](#nested_auth_config_user_password_config_password). | true | true | Potentially security relevant. Credentials-relevant and related to secrets manager. | None | None | ### password Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `secret_version` | The resource name of the secret version in the format, format as: `projects/*/secrets/*/versions/*`. | true | true | Potentiall security relevant, points to the location where secrets are stored. | None | None | ### api_key_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The parameter name of the API key. E.g. If the API request is "https://example.com/act?api_key=", "api_key" would be the parameter name. | true | false | Name of API key. Not security relevant. | None | None | 
@@ -96,20 +87,17 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr | `http_element_location` | The location of the API key. The default value is QUERY. Possible values: HTTP_ELEMENT_LOCATION_UNSPECIFIED QUERY HEADER PATH BODY COOKIE | true | false | Not a secret, just a config. | None | None | ### api_key Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `secret_version` | The resource name of the secret version in the format, format as: `projects/*/secrets/*/versions/*`. | true | true | Potentially security relevant, points to the location where secrets are stored. | None | None | ### oauth2_client_credentials_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `client_secret` | Secret provides a reference to entries in Secret Manager. Structure is [documented below](#nested_auth_config_oauth2_client_credentials_config_client_secret). | true | true | Potentially security relevant, points to the location where secrets are stored. | None | None | | `client_id` | The client identifier. | true | true | Could be used to pair with secrets in auth if compromised. Potentially security relevant. | None | None | ### client_secret Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `secret_version` | The resource name of the secret version in the format, format as: `projects/*/secrets/*/versions/*`. | true | true | Could be security relevant. Points to secrets. | None | None | 
diff --git a/docs/gcp/Access_Approval/folder_access_approval_settings.md b/docs/gcp/Access_Approval/folder_access_approval_settings.md index e1bb46076..c41741146 100644 --- a/docs/gcp/Access_Approval/folder_access_approval_settings.md +++ b/docs/gcp/Access_Approval/folder_access_approval_settings.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – folder_access_approval_settings](https://regi --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enrolled_services` | A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. Enrollment can only be done on an all or nothing basis. A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. Structure is [documented below](#nested_enrolled_services). | true | false | None | None | None | 
@@ -16,7 +15,6 @@ Reference: [Terraform Registry – folder_access_approval_settings](https://regi | `active_key_version` | The asymmetric crypto key version to use for signing approval requests. Empty active_key_version indicates that a Google-managed key should be used for signing. This property will be ignored if set by an ancestor of the resource, and new non-empty values may not be set. | false | false | Active key version has no impact on the security of the resource. | None | None | ### enrolled_services Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cloud_product` | The product for which Access Approval will be enrolled. Allowed values are listed (case-sensitive): * all * App Engine * BigQuery * Cloud Bigtable * Cloud Key Management Service * Compute Engine * Cloud Dataflow * Cloud Identity and Access Management * Cloud Pub/Sub * Cloud Storage * Persistent Disk Note: These values are supported as input, but considered a legacy format: * all * appengine.googleapis.com * bigquery.googleapis.com * bigtable.googleapis.com * cloudkms.googleapis.com * compute.googleapis.com * dataflow.googleapis.com * iam.googleapis.com * pubsub.googleapis.com * storage.googleapis.com | true | false | Allow access to Google services | Set cloud_product to all | Other cloud product types are invalidated | diff --git a/docs/gcp/Access_Approval/organization_access_approval_settings.md b/docs/gcp/Access_Approval/organization_access_approval_settings.md index 8d610af49..5a33a8081 100644 --- a/docs/gcp/Access_Approval/organization_access_approval_settings.md +++ b/docs/gcp/Access_Approval/organization_access_approval_settings.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – organization_access_approval_settings](https: --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enrolled_services` | A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. Enrollment can be done for individual services. A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. Structure is [documented below](#nested_enrolled_services). | true | false | None | None | None | @@ -16,7 +15,6 @@ Reference: [Terraform Registry – organization_access_approval_settings](https: | `active_key_version` | The asymmetric crypto key version to use for signing approval requests. Empty active_key_version indicates that a Google-managed key should be used for signing. | false | false | None | None | None | ### enrolled_services Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cloud_product` | The product for which Access Approval will be enrolled. Allowed values are listed (case-sensitive): all appengine.googleapis.com bigquery.googleapis.com bigtable.googleapis.com cloudkms.googleapis.com compute.googleapis.com dataflow.googleapis.com iam.googleapis.com pubsub.googleapis.com storage.googleapis.com | true | false | Allow access to Google services depending on the organization. | Set cloud_product to all | Other cloud product types are invalidated. | 
diff --git a/docs/gcp/Access_Approval/project_access_approval_settings.md b/docs/gcp/Access_Approval/project_access_approval_settings.md index 2100f902a..23e6a0b31 100644 --- a/docs/gcp/Access_Approval/project_access_approval_settings.md +++ b/docs/gcp/Access_Approval/project_access_approval_settings.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – project_access_approval_settings](https://reg --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enrolled_services` | A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. Enrollment can only be done on an all or nothing basis. A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. Structure is [documented below](#nested_enrolled_services). | true | false | None | None | None | 
@@ -17,7 +16,6 @@ Reference: [Terraform Registry – project_access_approval_settings](https://reg | `project` | , Deprecated) Project id. ~> **Warning:** `project` is deprecated and will be removed in a future major release. Use `project_id` instead. | false | false | None | None | None | ### enrolled_services Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cloud_product` | The product for which Access Approval will be enrolled. Allowed values are listed (case-sensitive): all appengine.googleapis.com bigquery.googleapis.com bigtable.googleapis.com cloudkms.googleapis.com compute.googleapis.com dataflow.googleapis.com iam.googleapis.com pubsub.googleapis.com storage.googleapis.com | true | false | Allow access to Google services depending on the project. | Set cloud_product to all | Other cloud product types are invalidated. | diff --git a/docs/gcp/Application_Integration/integrations_auth_config.md b/docs/gcp/Application_Integration/integrations_auth_config.md index 02549a194..472b8782f 100644 --- a/docs/gcp/Application_Integration/integrations_auth_config.md +++ b/docs/gcp/Application_Integration/integrations_auth_config.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The name of the auth config. | true | false | None | None | None | 
@@ -33,7 +32,6 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `oidc_token` | | false | false | None | None | None |
 
 ### decrypted_credential Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `credential_type` | Credential type associated with auth configs. | true | true | Only approved credential types are allowed to ensure strong, secure, and supported authentication methods | oauth2_client_credentials | basic_auth |
@@ -46,7 +44,6 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `oidc_token` | Google OIDC ID Token. Structure is [documented below](#nested_decrypted_credential_oidc_token). | false | false | None | None | None |
 
 ### client_certificate Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `ssl_certificate` | The ssl certificate encoded in PEM format. This string must include the begin header and end footer lines. | true | false | None | None | None |
@@ -54,14 +51,12 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `passphrase` | 'passphrase' should be left unset if private key is not encrypted. Note that 'passphrase' is not the password for web server, but an extra layer of security to protected private key. | false | false | None | None | None |
 
 ### username_and_password Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `username` | Username to be used. | false | false | None | None | None |
 | `password` | Password to be used. | false | false | None | None | None |
 
 ### oauth2_authorization_code Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `client_id` | The client's id. | false | false | None | None | None |
@@ -71,7 +66,6 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `token_endpoint` | The token url endpoint to send the token request to. | false | false | None | None | None |
 
 ### oauth2_client_credentials Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `client_id` | The client's ID. | false | false | None | None | None |
@@ -82,38 +76,32 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `request_type` | Represent how to pass parameters to fetch access token Possible values are: `REQUEST_TYPE_UNSPECIFIED`, `REQUEST_BODY`, `QUERY_PARAMETERS`, `ENCODED_HEADER`. | false | true | Only secure request types should be used to transmit credentials. Types like 'ENCODED_HEADER' or 'REQUEST_BODY' ensures safer handling of credentials. | ENCODED_HEADER | QUERY_PARAMETERS |
 
 ### token_params Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `entries` | A list of parameter map entries. Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries). | false | false | None | None | None |
 
 ### entries Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `key` | Key of the map entry. Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries_entries_key). | false | false | None | None | None |
 | `value` | Value of the map entry. Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries_entries_value). | false | false | None | None | None |
 
 ### key Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `literal_value` | Passing a literal value Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries_entries_key_literal_value).
| false | false | None | None | None |
 
 ### literal_value Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `string_value` | String. | false | false | None | None | None |
 
 ### value Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `literal_value` | Passing a literal value Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries_entries_value_literal_value). | false | false | None | None | None |
 
 ### jwt Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `jwt_header` | Identifies which algorithm is used to generate the signature. | false | true | Using secure JWT headers ensures proper validation. The 'HS256' algorithm should be used to prevent weak or insecure cryptographic signing, and the type must be set to 'JWT' to maintain standardization and avoid parsing errors or misuse. | {"alg": "HS256", "typ": "JWT"} | {"alg": "RS256", "typ": "JWS"} |
@@ -122,21 +110,18 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `jwt` | (Output) The token calculated by the header, payload and signature. | false | false | None | None | None |
 
 ### auth_token Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `type` | Authentication type must be set, e.g. "Basic", "Bearer", etc. | false | true | Using secure authentication token types ensures proper authorization standards are enforced. | Bearer | Basic |
 | `token` | The token for the auth type. | false | true | Providing a token value is critical for secure authentication. Empty tokens can result in unauthorized access, increasing the risk of security breaches. | secure-value-token | |
 
 ### service_account_credentials Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `service_account` | Name of the service account that has the permission to make the request. | false | false | None | None | None |
 | `scope` | A space-delimited list of requested scope permissions. | false | false | None | None | None |
 
 ### oidc_token Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `service_account_email` | The service account email to be used as the identity for the token. | false | false | None | None | None |
diff --git a/docs/gcp/Application_Integration/integrations_client.md b/docs/gcp/Application_Integration/integrations_client.md
index 322a0de92..ee026d715 100644
--- a/docs/gcp/Application_Integration/integrations_client.md
+++ b/docs/gcp/Application_Integration/integrations_client.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – integrations_client](https://registry.terrafo
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | Location in which client needs to be provisioned. | true | true | Enforcing location restrictions to Australian regions helps maintain data compliance and reduces the risk of unauthorized data access. | australia-southeast1 | us-east1 |
@@ -17,7 +16,6 @@ Reference: [Terraform Registry – integrations_client](https://registry.terrafo
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
 
 ### cloud_kms_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `kms_location` | Location name of the key ring | true | true | Enforcing Cloud KMS keys to reside in Australian regions ensures data residency compliance and minimizes exposure risks. | australia-southeast1 | us-central1 |
diff --git a/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy.md b/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy.md
index 233043e57..84d968182 100644
--- a/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy.md
+++ b/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – bigquery_datapolicy_data_policy](https://regi
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `data_policy_id` | User-assigned (human readable) ID of the data policy that needs to be unique within a project. Used as {dataPolicyId} in part of the resource name. | false | false | Display policy id has no impact on the security of the resource. | None | None |
@@ -18,7 +17,6 @@ Reference: [Terraform Registry – bigquery_datapolicy_data_policy](https://regi
 | `project` | If it is not provided, the provider project is used. | false | false | Display policy id has no impact on the security of the resource. | None | None |
 
 ### data_masking_policy Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `predefined_expression` | The available masking rules. Learn more here: https://cloud.google.com/bigquery/docs/column-data-masking-intro#masking_options. Possible values are: `SHA256`, `ALWAYS_NULL`, `DEFAULT_MASKING_VALUE`, `LAST_FOUR_CHARACTERS`, `FIRST_FOUR_CHARACTERS`, `EMAIL_MASK`, `DATE_YEAR_MASK`. | true | false | Ensure predefined expression is setting to SHA256 because it will be | Set predefined_expression to SHA256 | Other predefined expressions are invalidated |
diff --git a/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy_iam.md b/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy_iam.md
index 6c1d793f0..02b6dbbd5 100644
--- a/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy_iam.md
+++ b/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – bigquery_datapolicy_data_policy_iam](https://
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | true | false | Ensure the location must be configured to correct location | Set location to Australia. | Other locations are not valid. |
diff --git a/docs/gcp/Chronicle/chronicle_data_access_label.md b/docs/gcp/Chronicle/chronicle_data_access_label.md
index 87e01a516..3aecb1468 100644
--- a/docs/gcp/Chronicle/chronicle_data_access_label.md
+++ b/docs/gcp/Chronicle/chronicle_data_access_label.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – chronicle_data_access_label](https://registry
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `udm_query` | A UDM query over event data. | false | true | Improper UDM queries may include disallowed or malicious values, potentially leading to incorrect data access labeling or security misinterpretations. | principal.hostname="example.com" | principal.hostname="malicious.com" |
diff --git a/docs/gcp/Chronicle/chronicle_data_access_scope.md b/docs/gcp/Chronicle/chronicle_data_access_scope.md
index eb4275645..28988e167 100644
--- a/docs/gcp/Chronicle/chronicle_data_access_scope.md
+++ b/docs/gcp/Chronicle/chronicle_data_access_scope.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – chronicle_data_access_scope](https://registry
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2". | true | true | Restricting to allowed locations ensures compliance with regional data residency, privacy regulations, and service availability. | australia-southeast1 | Any location not in the approved list, e.g., europe-west3, us-central1, asia-northeast1 |
@@ -21,7 +20,6 @@ Reference: [Terraform Registry – chronicle_data_access_scope](https://registry
 | `ingestion_label` | | false | false | None | None | None |
 
 ### allowed_data_access_labels Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `data_access_label` | The name of the data access label. | false | false | None | None | None |
@@ -31,7 +29,6 @@ Reference: [Terraform Registry – chronicle_data_access_scope](https://registry
 | `display_name` | (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. | false | false | None | None | None |
 
 ### denied_data_access_labels Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `display_name` | (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. | false | false | None | None | None |
@@ -41,7 +38,6 @@ Reference: [Terraform Registry – chronicle_data_access_scope](https://registry
 | `ingestion_label` | Representation of an ingestion label type. Structure is [documented below](#nested_denied_data_access_labels_denied_data_access_labels_ingestion_label). | false | false | None | None | None |
 
 ### ingestion_label Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `ingestion_label_key` | Required. The key of the ingestion label. Always required. | true | false | None | None | None |
diff --git a/docs/gcp/Chronicle/chronicle_reference_list.md b/docs/gcp/Chronicle/chronicle_reference_list.md
index 8a530db2c..1fb98f66f 100644
--- a/docs/gcp/Chronicle/chronicle_reference_list.md
+++ b/docs/gcp/Chronicle/chronicle_reference_list.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – chronicle_reference_list](https://registry.te
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `description` | Required. A user-provided description of the reference list. | true | false | None | None | None |
@@ -19,7 +18,6 @@ Reference: [Terraform Registry – chronicle_reference_list](https://registry.te
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
 
 ### entries Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `value` | Required. The value of the entry. Maximum length is 512 characters. | true | false | None | None | None |
diff --git a/docs/gcp/Chronicle/chronicle_retrohunt.md b/docs/gcp/Chronicle/chronicle_retrohunt.md
index c36883a3d..d8be897c7 100644
--- a/docs/gcp/Chronicle/chronicle_retrohunt.md
+++ b/docs/gcp/Chronicle/chronicle_retrohunt.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – chronicle_retrohunt](https://registry.terrafo
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `process_interval` | Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. Structure is [documented below](#nested_process_interval). | true | false | None | None | None |
@@ -18,7 +17,6 @@ Reference: [Terraform Registry – chronicle_retrohunt](https://registry.terrafo
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
 
 ### process_interval Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `start_time` | Inclusive start of the interval. | true | false | None | None | None |
diff --git a/docs/gcp/Chronicle/chronicle_rule.md b/docs/gcp/Chronicle/chronicle_rule.md
index e9b4e48f5..1153ec790 100644
--- a/docs/gcp/Chronicle/chronicle_rule.md
+++ b/docs/gcp/Chronicle/chronicle_rule.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – chronicle_rule](https://registry.terraform.io
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2". | true | true | Restricting Chronicle resources to approved regions ensures compliance with data residency and service availability requirements. | australia-southeast1 | Any location other than 'australia-southeast1', such as 'europe-west3', is considered non-compliant. |
diff --git a/docs/gcp/Chronicle/chronicle_rule_deployment.md b/docs/gcp/Chronicle/chronicle_rule_deployment.md
index 87b42786c..fcabb9b02 100644
--- a/docs/gcp/Chronicle/chronicle_rule_deployment.md
+++ b/docs/gcp/Chronicle/chronicle_rule_deployment.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – chronicle_rule_deployment](https://registry.t
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2". | true | true | Restricting Chronicle resources to approved regions ensures compliance with data residency and service availability requirements. | australia-southeast1 | Any location other than 'australia-southeast1', such as 'europe-west3', is considered non-compliant. |
diff --git a/docs/gcp/Chronicle/chronicle_watchlist.md b/docs/gcp/Chronicle/chronicle_watchlist.md
index f4e3a0128..0ce0f5668 100644
--- a/docs/gcp/Chronicle/chronicle_watchlist.md
+++ b/docs/gcp/Chronicle/chronicle_watchlist.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – chronicle_watchlist](https://registry.terrafo
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `display_name` | Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). | true | false | None | None | None |
@@ -21,13 +20,11 @@ Reference: [Terraform Registry – chronicle_watchlist](https://registry.terrafo
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
 
 ### entity_population_mechanism Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `manual` | Entities are added manually. | false | true | Manual entry is error-prone and may miss timely threat intelligence, reducing the reliability of the watchlist. | None | Using only manual entity population without automation. |
 
 ### watchlist_user_preferences Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `pinned` | Optional. Whether the watchlist is pinned on the dashboard. | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_automation.md b/docs/gcp/Cloud_Deploy/clouddeploy_automation.md
index 5610cf3ad..343aa9c16 100644
--- a/docs/gcp/Cloud_Deploy/clouddeploy_automation.md
+++ b/docs/gcp/Cloud_Deploy/clouddeploy_automation.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | Name of the `Automation`. | true | false | Display name has no impact on the security of the resource or data contained. | None | None |
@@ -31,13 +30,11 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr
 | `timed_promote_release_rule` | Optional. The `TimedPromoteReleaseRule` will automatically promote a release from the current target(s) to the specified target(s) on a configured schedule. | false | false | Defines a schedule for automatic promotions but cannot execute them without the permissions granted to the service_account. The security impact is contingent on that principal's rights. | None | None |
 
 ### selector Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `targets` | Contains attributes about a target. Structure is [documented below](#nested_selector_targets). | true | false | None | None | None |
 
 ### rules Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `promote_release_rule` | Optional. `PromoteReleaseRule` will automatically promote a release from the current target to a specified target. Structure is [documented below](#nested_rules_rules_promote_release_rule). | false | false | Defines the conditions for a promotion but cannot execute it without the permissions granted to the service_account. The security impact is contingent on that principal's rights. | None | None |
@@ -46,14 +43,12 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr
 | `timed_promote_release_rule` | Optional. The `TimedPromoteReleaseRule` will automatically promote a release from the current target(s) to the specified target(s) on a configured schedule. Structure is [documented below](#nested_rules_rules_timed_promote_release_rule). | false | false | Defines a schedule for automatic promotions but cannot execute them without the permissions granted to the service_account. The security impact is contingent on that principal's rights. | None | None |
 
 ### targets Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | ID of the `Target`. The value of this field could be one of the following: * The last segment of a target name. It only needs the ID to determine which target is being referred to * "*", all targets in a location. | false | false | Specifies which target(s) to act upon. Using "*" broadens scope but does not grant new permissions; the service_account must already have access to all targets for any action to succeed. | None | None |
 | `labels` | Target labels. | false | false | Used to select targets based on metadata labels. This is a filtering operation and does not bypass IAM checks performed against the service_account when actions are executed on those targets. | None | None |
 
 ### promote_release_rule Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | Required. ID of the rule. This id must be unique in the `Automation` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None |
@@ -62,7 +57,6 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr
 | `destination_phase` | Optional. The starting phase of the rollout created by this operation. Default to the first phase. | false | false | None | None | None |
 
 ### advance_rollout_rule Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | Required. ID of the rule. This id must be unique in the `Automation` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None |
@@ -70,7 +64,6 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr
 | `source_phases` | Optional. Proceeds only after phase name matched any one in the list. This value must consist of lower-case letters, numbers, and hyphens, start with a letter and end with a letter or a number, and have a max length of 63 characters. In other words, it must match the following regex: `^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$`. | false | false | None | None | None |
 
 ### repair_rollout_rule Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | Required. ID of the rule. This id must be unique in the `Automation` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None |
@@ -79,14 +72,12 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr
 | `repair_phases` | Optional. Proceeds only after phase name matched any one in the list. This value must consist of lower-case letters, numbers, and hyphens, start with a letter and end with a letter or a number, and have a max length of 63 characters. In other words, it must match the following regex: `^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$`. Structure is [documented below](#nested_rules_rules_repair_rollout_rule_repair_phases). | false | false | None | None | None |
 
 ### repair_phases Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `retry` | Optional. Retries a failed job. Structure is [documented below](#nested_rules_rules_repair_rollout_rule_repair_phases_repair_phases_retry). | false | false | None | None | None |
 | `rollback` | Optional. Rolls back a Rollout. Structure is [documented below](#nested_rules_rules_repair_rollout_rule_repair_phases_repair_phases_rollback). | false | false | None | None | None |
 
 ### retry Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `attempts` | Required. Total number of retries. Retry is skipped if set to 0; The minimum value is 1, and the maximum value is 10. | true | false | None | None | None |
@@ -94,14 +85,12 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr
 | `backoff_mode` | Optional. The pattern of how wait time will be increased. Default is linear. Backoff mode will be ignored if wait is 0. Possible values are: `BACKOFF_MODE_UNSPECIFIED`, `BACKOFF_MODE_LINEAR`, `BACKOFF_MODE_EXPONENTIAL`. | false | false | None | None | None |
 
 ### rollback Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `destination_phase` | Optional. The starting phase ID for the Rollout. If unspecified, the Rollout will start in the stable phase. | false | false | None | None | None |
 | `disable_rollback_if_rollout_pending` | Optional. If pending rollout exists on the target, the rollback operation will be aborted. | false | false | None | None | None |
 
 ### timed_promote_release_rule Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | Required. ID of the rule. This id must be unique in the `Automation` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type.md b/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type.md
index dd8bd509a..009ce655a 100644
--- a/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type.md
+++ b/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | Name of the `CustomTargetType`. | true | false | Simple string identifier with no security implications. Cannot be used to access resources or execute code. | None | None |
@@ -23,7 +22,6 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis
 | `google_cloud_build_repo` | | false | false | None | None | None |
 
 ### custom_actions Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `render_action` | The Skaffold custom action responsible for render operations. If not provided then Cloud Deploy will perform the render operations via `skaffold render`. | false | true | Can execute arbitrary code during render phase. Should be restricted to approved render actions only. | render-action | unauthorized-render |
@@ -31,7 +29,6 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis
 | `include_skaffold_modules` | List of Skaffold modules Cloud Deploy will include in the Skaffold Config as required before performing diagnose. Structure is [documented below](#nested_custom_actions_include_skaffold_modules). | false | true | Can include external Skaffold configurations that may contain malicious code or reference untrusted sources. | None | None |
 ### include_skaffold_modules Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `configs` | The Skaffold Config modules to use from the specified source. | false | false | Simple list of configuration names - no direct security impact as it doesn't specify sources. | None | None |
@@ -40,7 +37,6 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis
 | `google_cloud_build_repo` | Cloud Build 2nd gen repository containing the Skaffold Config modules. Structure is [documented below](#nested_custom_actions_include_skaffold_modules_include_skaffold_modules_google_cloud_build_repo). | false | true | References external Cloud Build repositories which could contain malicious configurations or be compromised. | approved-cloud-build-repos | unauthorized-cloud-build-repos |
 ### git Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `repo` | Git repository the package should be cloned from. | true | false | None | None | None |
@@ -48,14 +44,12 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis
 | `ref` | Git ref the package should be cloned from. | false | false | None | None | None |
 ### google_cloud_storage Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `source` | Cloud Storage source paths to copy recursively. For example, providing `gs://my-bucket/dir/configs/*` will result in Skaffold copying all files within the `dir/configs` directory in the bucket `my-bucket`. | true | false | None | None | None |
 | `path` | Relative path from the source to the Skaffold file. | false | false | None | None | None |
 ### google_cloud_build_repo Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `repository` | Cloud Build 2nd gen repository in the format of 'projects//locations//connections//repositories/'. | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type_iam.md b/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type_iam.md
index 2eaae4dde..e561eb4d0 100644
--- a/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type_iam.md
+++ b/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type_iam](https://r
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | false | false | Geographic/regional identifier only. Used for resource location but has no direct access control implications. | None | None |
diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline.md b/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline.md
index 16454fafc..838c1204c 100644
--- a/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline.md
+++ b/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | The location for the resource | true | false | Geographic/regional identifier only. Determines where the resource is stored but has no access control implications. | None | None |
@@ -36,13 +35,11 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist
 | `standard` | | false | false | None | None | None |
 ### serial_pipeline Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `stages` | Each stage specifies configuration for a `Target`. The ordering of this list defines the promotion flow. | false | false | Defines deployment stage sequence - organizational configuration with no direct security impact. | None | None |
 ### stages Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `deploy_parameters` | Optional. The deploy parameters to use for the target in this stage. | false | true | Can pass arbitrary parameters to deployment processes. Could be used to inject malicious configuration or override security settings. | validated-parameters-only | arbitrary-parameters, security-override-parameters |
@@ -51,21 +48,18 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist
 | `target_id` | The target_id to which this stage points. This field refers exclusively to the last segment of a target name. | false | false | References existing targets within the same location - doesn't create new access paths or execute code. | None | None |
 ### deploy_parameters Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `match_target_labels` | Optional. Deploy parameters are applied to targets with match labels. If unspecified, deploy parameters are applied to all targets (including child targets of a multi-target). | false | false | Label matching for parameter application - organizational feature with no direct security impact. | None | None |
 | `values` | Required. Values are deploy parameters in key-value pairs. | true | false | Arbitrary key-value pairs passed to deployment processes | None | None |
 ### strategy Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `canary` | Canary deployment strategy provides progressive percentage based deployments to a Target. | false | false | Canary strategy configuration - affects rollout behavior but inherits security concerns from nested actions. | None | None |
 | `standard` | Standard deployment strategy executes a single deploy and allows verifying the deployment. | false | false | Standard strategy configuration - affects rollout behavior but inherits security concerns from nested actions. | None | None |
 ### canary Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `canary_deployment` | Configures the progressive based deployment for a Target. | false | false | None | None | None |
@@ -73,7 +67,6 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist
 | `runtime_config` | Optional. Runtime specific configurations for the deployment strategy. The runtime configuration is used to determine how Cloud Deploy will split traffic to enable a progressive deployment. | false | false | None | None | None |
 ### canary_deployment Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `percentages` | Required. The percentage based deployments that will occur as a part of a `Rollout`. List is expected in ascending order and each integer n is 0 <= n < 100. | true | false | None | None | None |
@@ -82,25 +75,21 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist
 | `verify` | Whether to run verify tests after each percentage deployment. | false | false | None | None | None |
 ### postdeploy Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `actions` | Optional. A sequence of skaffold custom actions to invoke during execution of the postdeploy job. | false | false | None | None | None |
 ### predeploy Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `actions` | Optional. A sequence of skaffold custom actions to invoke during execution of the predeploy job. | false | false | None | None | None |
 ### custom_canary_deployment Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `phase_configs` | Required. Configuration for each phase in the canary deployment in the order executed. | true | false | None | None | None |
 ### phase_configs Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `percentage` | Required. Percentage deployment for the phase. | true | false | None | None | None |
@@ -111,14 +100,12 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist
 | `verify` | Whether to run verify tests after the deployment. | false | false | None | None | None |
 ### runtime_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cloud_run` | Cloud Run runtime configuration. | false | false | None | None | None |
 | `kubernetes` | Kubernetes runtime configuration. | false | false | None | None | None |
 ### cloud_run Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `automatic_traffic_control` | Whether Cloud Deploy should update the traffic stanza in a Cloud Run Service on the user's behalf to facilitate traffic splitting. This is required to be true for CanaryDeployments, but optional for CustomCanaryDeployments. | false | false | None | None | None |
@@ -127,14 +114,12 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist
 | `stable_revision_tags` | Optional. A list of tags that are added to the final stable revision when the stable phase is applied. | false | false | None | None | None |
 ### kubernetes Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `gateway_service_mesh` | Kubernetes Gateway API service mesh configuration. | false | false | None | None | None |
 | `service_networking` | Kubernetes Service networking configuration. | false | false | None | None | None |
 ### gateway_service_mesh Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `deployment` | Required. Name of the Kubernetes Deployment whose traffic is managed by the specified HTTPRoute and Service. | true | false | None | None | None |
@@ -146,14 +131,12 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist
 | `stable_cutback_duration` | Optional. The amount of time to migrate traffic back from the canary Service to the original Service during the stable phase deployment. If specified, must be between 15s and 3600s. If unspecified, there is no cutback time. | false | false | None | None | None |
 ### route_destinations Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `destination_ids` | Required. The clusters where the Gateway API HTTPRoute resource will be deployed to. Valid entries include the associated entities IDs configured in the Target resource and "@self" to include the Target cluster. | true | false | None | None | None |
 | `propagate_service` | Optional. Whether to propagate the Kubernetes Service to the route destination clusters. The Service will always be deployed to the Target cluster even if the HTTPRoute is not. This option may be used to facilitiate successful DNS lookup in the route destination clusters. Can only be set to true if destinations are specified. | false | false | None | None | None |
 ### service_networking Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `deployment` | Required. Name of the Kubernetes Deployment whose traffic is managed by the specified Service. | true | false | None | None | None |
@@ -162,7 +145,6 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist
 | `service` | Required. Name of the Kubernetes Service. | true | false | None | None | None |
 ### standard Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `postdeploy` | Optional. Configuration for the postdeploy job. If this is not configured, postdeploy job will not be present. | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline_iam.md b/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline_iam.md
index b724f3642..ac35feaca 100644
--- a/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline_iam.md
+++ b/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline_iam](https://re
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | false | false | Geographic/regional identifier only. Used for resource location but has no direct access control implications. | None | None |
diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_deploy_policy.md b/docs/gcp/Cloud_Deploy/clouddeploy_deploy_policy.md
index c82bf4ee4..409746374 100644
--- a/docs/gcp/Cloud_Deploy/clouddeploy_deploy_policy.md
+++ b/docs/gcp/Cloud_Deploy/clouddeploy_deploy_policy.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | Name of the `DeployPolicy`. | true | false | Just a resource identifier. No security implications. | None | None |
@@ -31,34 +30,29 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t
 | `weekly_windows` | | false | false | None | None | None |
 ### selectors Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `target` | Contains attributes about a target. Structure is [documented below](#nested_selectors_selectors_target). | false | false | None | None | None |
 | `delivery_pipeline` | Contains attributes about a delivery pipeline. Structure is [documented below](#nested_selectors_selectors_delivery_pipeline). | false | false | None | None | None |
 ### rules Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `rollout_restriction` | Optional. Rollout restrictions. Structure is [documented below](#nested_rules_rules_rollout_restriction). | false | false | None | None | None |
 ### target Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | ID of the `Target`. The value of this field could be one of the following: * The last segment of a target name. It only needs the ID to determine which target is being referred to * "*", all targets in a location. | false | false | None | None | None |
 | `labels` | Target labels. | false | false | None | None | None |
 ### delivery_pipeline Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | Optional. ID of the DeliveryPipeline. The value of this field could be one of the following: - The last segment of a pipeline name - "*", all delivery pipelines in a location | false | false | None | None | None |
 | `labels` | DeliveryPipeline labels. | false | false | None | None | None |
 ### rollout_restriction Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | Required. ID of the rule. This id must be unique in the `DeployPolicy` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None |
@@ -67,7 +61,6 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t
 | `time_windows` | Required. Time window within which actions are restricted. Structure is [documented below](#nested_rules_rules_rollout_restriction_time_windows). | false | false | None | None | None |
 ### time_windows Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `time_zone` | Required. The time zone in IANA format IANA Time Zone Database (e.g. America/New_York). | true | false | None | None | None |
@@ -75,7 +68,6 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t
 | `weekly_windows` | Optional. Recurring weekly windows within which actions are restricted. Structure is [documented below](#nested_rules_rules_rollout_restriction_time_windows_weekly_windows). | false | false | None | None | None |
 ### one_time_windows Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `start_date` | Required. Start date. Structure is [documented below](#nested_rules_rules_rollout_restriction_time_windows_one_time_windows_one_time_windows_start_date). | true | false | None | None | None |
@@ -84,7 +76,6 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t
 | `end_time` | Required. End time (exclusive). You may use 24:00 for the end of the day. Structure is [documented below](#nested_rules_rules_rollout_restriction_time_windows_one_time_windows_one_time_windows_end_time). | true | false | None | None | None |
 ### start_date Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `year` | Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. | false | false | None | None | None |
@@ -92,7 +83,6 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t
 | `day` | Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. | false | false | None | None | None |
 ### end_date Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `year` | Year of the date. Must be from 1 to 9999. | false | false | None | None | None |
@@ -100,7 +90,6 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t
 | `day` | Day of a month. Must be from 1 to 31 and valid for the year and month. | false | false | None | None | None |
 ### start_time Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `hours` | Hours of a day in 24 hour format. Must be greater than or equal to 0 and typically must be less than or equal to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. | false | false | None | None | None |
@@ -109,7 +98,6 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t
 | `nanos` | Fractions of seconds, in nanoseconds. Must be greater than or equal to 0 and less than or equal to 999,999,999. | false | false | None | None | None |
 ### end_time Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `hours` | Hours of a day in 24 hour format. Must be greater than or equal to 0 and typically must be less than or equal to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. | false | false | None | None | None |
@@ -118,7 +106,6 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t
 | `nanos` | Fractions of seconds, in nanoseconds. Must be greater than or equal to 0 and less than or equal to 999,999,999. | false | false | None | None | None |
 ### weekly_windows Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `days_of_week` | Optional. Days of week. If left empty, all days of the week will be included. Each value may be one of: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_target.md b/docs/gcp/Cloud_Deploy/clouddeploy_target.md
index cd98163aa..d5782b2f3 100644
--- a/docs/gcp/Cloud_Deploy/clouddeploy_target.md
+++ b/docs/gcp/Cloud_Deploy/clouddeploy_target.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | The location for the resource | true | false | A geographic identifier for resource placement. It does not affect the security of the target or its connectivity. | None | None |
@@ -29,13 +28,11 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor
 | `gke_clusters` | | false | false | None | None | None |
 ### anthos_cluster Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `membership` | Membership of the GKE Hub-registered cluster to which to apply the Skaffold configuration. Format is `projects/{project}/locations/{location}/memberships/{membership_name}`. | false | false | None | None | None |
 ### associated_entities Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `anthos_clusters` | Optional. Information specifying Anthos clusters as associated entities. | false | false | None | None | None |
@@ -43,13 +40,11 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor
 | `gke_clusters` | Optional. Information specifying GKE clusters as associated entities. | false | false | None | None | None |
 ### custom_target Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `custom_target_type` | Required. The name of the CustomTargetType. Format must be `projects/{project}/locations/{location}/customTargetTypes/{custom_target_type}`. | true | false | None | None | None |
 ### execution_configs Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `artifact_storage` | Optional. Cloud Storage location in which to store execution outputs. This can either be a bucket ("gs://my-bucket") or a path within a bucket ("gs://my-bucket/my-dir"). If unspecified, a default bucket located in the same region will be used. | false | false | None | None | None |
@@ -60,7 +55,6 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor
 | `worker_pool` | Optional. The resource name of the `WorkerPool`, with the format `projects/{project}/locations/{location}/workerPools/{worker_pool}`. If this optional field is unspecified, the default Cloud Build pool will be used. | false | false | None | None | None |
 ### gke Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cluster` | Information specifying a GKE Cluster. Format is `projects/{project_id}/locations/{location_id}/clusters/{cluster_id}. | false | false | None | None | None |
@@ -69,25 +63,21 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor
 | `proxy_url` | Optional. If set, used to configure a [proxy](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#proxy) to the Kubernetes server. | false | false | None | None | None |
 ### multi_target Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `target_ids` | Required. The target_ids of this multiTarget. | true | false | None | None | None |
 ### run Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | Required. The location where the Cloud Run Service should be located. Format is `projects/{project}/locations/{location}`. | true | true | The physical location of the Cloud Run service has implications for data sovereignty, compliance, and latency. Deploying to unapproved regions may violate organizational policy or regulatory requirements. | Must be set to an approved region - projects/my-project-name/locations/us-central1, us-east1, europe-west1, asia-southeast1 | Deploying to a region that is not on the approved list - projects/my-project-name/locations/us-west2 |
 ### anthos_clusters Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `membership` | Optional. Membership of the GKE Hub-registered cluster to which to apply the Skaffold configuration. Format is `projects/{project}/locations/{location}/memberships/{membership_name}`. | false | false | None | None | None |
 ### gke_clusters Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cluster` | Optional. Information specifying a GKE Cluster. Format is `projects/{project_id}/locations/{location_id}/clusters/{cluster_id}`. | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_target_iam.md b/docs/gcp/Cloud_Deploy/clouddeploy_target_iam.md
index ed1767615..c654d57dc 100644
--- a/docs/gcp/Cloud_Deploy/clouddeploy_target_iam.md
+++ b/docs/gcp/Cloud_Deploy/clouddeploy_target_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – clouddeploy_target_iam](https://registry.terr
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | false | false | A geographic identifier used to locate the specific Target resource. It is part of the resource's address but does not confer any permissions or define access rules itself. | None | None |
diff --git a/docs/gcp/Cloud_Deployment_Manager/deployment_manager_deployment.md b/docs/gcp/Cloud_Deployment_Manager/deployment_manager_deployment.md
index 4ac5dfcd8..6a2918831 100644
--- a/docs/gcp/Cloud_Deployment_Manager/deployment_manager_deployment.md
+++ b/docs/gcp/Cloud_Deployment_Manager/deployment_manager_deployment.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – deployment_manager_deployment](https://regist
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | Unique name for the deployment | true | false | Identifier only; does not change security posture. | Name is set and follows org/project naming standard. | Missing name or violates naming standard. |
@@ -22,27 +21,23 @@ Reference: [Terraform Registry – deployment_manager_deployment](https://regist | `imports` | | false | false | None | None | None | ### target Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `config` | The root configuration file to use for this deployment. Structure is [documented below](#nested_target_config). | true | false | None | None | None | | `imports` | Specifies import files for this configuration. This can be used to import templates or other files. For example, you might import a text file in order to use the file in a template. Structure is [documented below](#nested_target_imports). | false | false | None | None | None | ### labels Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `key` | Key for label. | false | false | None | None | None | | `value` | Value of label. | false | false | None | None | None | ### config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `content` | The full YAML contents of your configuration file. | true | false | None | None | None | ### imports Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `content` | The full contents of the template that you want to import. | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Platform/folder_service_identity.md b/docs/gcp/Cloud_Platform/folder_service_identity.md
index 561568b1b..fdb9d1aad 100644
--- a/docs/gcp/Cloud_Platform/folder_service_identity.md
+++ b/docs/gcp/Cloud_Platform/folder_service_identity.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – folder_service_identity](https://registry.ter --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service` | The service to generate identity for. - - - | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_billing_subaccount.md b/docs/gcp/Cloud_Platform/google_billing_subaccount.md
index f025fb326..8580f9773 100644
--- a/docs/gcp/Cloud_Platform/google_billing_subaccount.md
+++ b/docs/gcp/Cloud_Platform/google_billing_subaccount.md
@@ -6,7 +6,6 @@ Reference: [Terraform Registry – google_billing_subaccount](https://registry.t --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------|
diff --git a/docs/gcp/Cloud_Platform/google_folder.md b/docs/gcp/Cloud_Platform/google_folder.md
index d6ecc2a1e..0c86fa297 100644
--- a/docs/gcp/Cloud_Platform/google_folder.md
+++ b/docs/gcp/Cloud_Platform/google_folder.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_folder](https://registry.terraform.io/ --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | A folder’s display name must be unique amongst its siblings, e.g. no two folders with the same parent can share the same display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be no longer than 30 characters. | true | false | Display name is a label for identification, no impact on security. | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_folder_iam.md b/docs/gcp/Cloud_Platform/google_folder_iam.md
index 99c280e51..dcd1514c8 100644
--- a/docs/gcp/Cloud_Platform/google_folder_iam.md
+++ b/docs/gcp/Cloud_Platform/google_folder_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_folder_iam](https://registry.terraform --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `member/members` | Each entry can have one of the following values: * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. | true | true | Improperly assigned members can cause unauthorised access or privilege escalation. | members = ["user:alice@example.com"] | members = ["domain:example.com"] # grants access to entire domain | 
@@ -19,14 +18,12 @@ Reference: [Terraform Registry – google_folder_iam](https://registry.terraform | `condition` | Structure is [documented below](#nested_condition). --- | false | true | To reduce risk by applying time- or context-based constraints to access. Misconfiguration can unintentionally allow or block access. | None | None | ### audit_log_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_type` | Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ. | true | true | Ensures important access events are captured in logs. | log_type = "ADMIN_READ" | log_type = "" | | `exempted_members` | Identities that do not cause logging for this type of permission. The format is the same as that for members. | false | true | Members being excluded from records weakens control and creates blind spots. | exempted_members not set | exempted_members = ["user:admin@example.com"] | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | Textual representation of an expression in Common Expression Language syntax. | true | true | Defines when the role is valid. Incorrect expressions may lead to overly permissive or broken access control. | expression = "request.time < timestamp('2025-12-31T00:00:00Z')" | expression = "" |
diff --git a/docs/gcp/Cloud_Platform/google_folder_organization_policy.md b/docs/gcp/Cloud_Platform/google_folder_organization_policy.md
index 3533400bc..3b9271112 100644
--- a/docs/gcp/Cloud_Platform/google_folder_organization_policy.md
+++ b/docs/gcp/Cloud_Platform/google_folder_organization_policy.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_folder_organization_policy](https://re --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `folder` | The resource name of the folder to set the policy for. Its format is folders/{folder_id}. | true | false | identifier only, no security impact | None | None |
@@ -18,13 +17,11 @@ Reference: [Terraform Registry – google_folder_organization_policy](https://re | `restore_policy` | ~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'. - - - | false | true | Restoring defaults can weaken protections. | None | None | ### boolean_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enforced` | If true, then the Policy is enforced. If false, then any configuration is acceptable. | true | true | Enforcement ensures mandatory restrictions are applied. | enforced = true | enforced = false | ### list_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `suggested_value` | The Google Cloud Console will try to default to a configuration that matches the value specified in this field. | false | false | Console-only suggestion, it does not enforce or weaken security. | None | None |
@@ -33,7 +30,6 @@ Reference: [Terraform Registry – google_folder_organization_policy](https://re | `values` | The policy can define specific values that are allowed or denied. | false | true | Improper values may allow risky APIs or services. | deny.values = ["cloudresourcemanager.googleapis.com"] | allow.values = ["cloudresourcemanager.googleapis.com"] | ### restore_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `default` | May only be set to true. If set, then the default Policy is restored. | true | false | Restoring default removes explicit protections. | default = false | default = true |
diff --git a/docs/gcp/Cloud_Platform/google_organization_iam.md b/docs/gcp/Cloud_Platform/google_organization_iam.md
index 9ae537cd3..f46254f12 100644
--- a/docs/gcp/Cloud_Platform/google_organization_iam.md
+++ b/docs/gcp/Cloud_Platform/google_organization_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_organization_iam](https://registry.ter --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `member/members` | Each entry can have one of the following values: * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. | false | false | None | None | None |
@@ -19,14 +18,12 @@ Reference: [Terraform Registry – google_organization_iam](https://registry.ter | `condition` | Structure is [documented below](#nested_condition). --- | false | false | None | None | None | ### audit_log_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_type` | | false | false | None | None | None | | `exempted_members` | | false | false | None | None | None | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_organization_iam_custom_role.md b/docs/gcp/Cloud_Platform/google_organization_iam_custom_role.md
index efa346626..c6443222c 100644
--- a/docs/gcp/Cloud_Platform/google_organization_iam_custom_role.md
+++ b/docs/gcp/Cloud_Platform/google_organization_iam_custom_role.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_organization_iam_custom_role](https:// --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `role_id` | The role id to use for this role. | true | false | Identifier only and does not grant permissions by itself | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_organization_policy.md b/docs/gcp/Cloud_Platform/google_organization_policy.md
index 6a127e27b..47b2c7495 100644
--- a/docs/gcp/Cloud_Platform/google_organization_policy.md
+++ b/docs/gcp/Cloud_Platform/google_organization_policy.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_organization_policy](https://registry. --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `org_id` | | false | false | None | None | None |
@@ -18,13 +17,11 @@ Reference: [Terraform Registry – google_organization_policy](https://registry. | `restore_policy` | ~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'. - - - | false | false | None | None | None | ### boolean_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enforced` | | false | false | None | None | None | ### list_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `suggested_value` | | false | false | None | None | None |
@@ -33,7 +30,6 @@ Reference: [Terraform Registry – google_organization_policy](https://registry. | `values` | | false | false | None | None | None | ### restore_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `default` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_project.md b/docs/gcp/Cloud_Platform/google_project.md
index 6bf123e3a..87d8e6780 100644
--- a/docs/gcp/Cloud_Platform/google_project.md
+++ b/docs/gcp/Cloud_Platform/google_project.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_project](https://registry.terraform.io --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The display name of the project. | true | false | Label only and does not affect security | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_project_default_service_accounts.md b/docs/gcp/Cloud_Platform/google_project_default_service_accounts.md
index 91401035f..d12f23df1 100644
--- a/docs/gcp/Cloud_Platform/google_project_default_service_accounts.md
+++ b/docs/gcp/Cloud_Platform/google_project_default_service_accounts.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_project_default_service_accounts](http --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | The project ID where service accounts are created. | true | false | Identifier only and does not affect security directly | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_project_iam.md b/docs/gcp/Cloud_Platform/google_project_iam.md
index 6c798281b..56ead9b36 100644
--- a/docs/gcp/Cloud_Platform/google_project_iam.md
+++ b/docs/gcp/Cloud_Platform/google_project_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_project_iam](https://registry.terrafor --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `member/members` | Each entry can have one of the following values: * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. | false | false | None | None | None |
@@ -19,14 +18,12 @@ Reference: [Terraform Registry – google_project_iam](https://registry.terrafor | `condition` | Structure is [documented below](#nested_condition). --- | false | false | None | None | None | ### audit_log_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_type` | | false | false | None | None | None | | `exempted_members` | | false | false | None | None | None | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_project_iam_custom_role.md b/docs/gcp/Cloud_Platform/google_project_iam_custom_role.md
index 7db4a5e69..8defb5688 100644
--- a/docs/gcp/Cloud_Platform/google_project_iam_custom_role.md
+++ b/docs/gcp/Cloud_Platform/google_project_iam_custom_role.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_project_iam_custom_role](https://regis --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `role_id` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_project_iam_member_remove.md b/docs/gcp/Cloud_Platform/google_project_iam_member_remove.md
index 6f20942d0..bd6e3252a 100644
--- a/docs/gcp/Cloud_Platform/google_project_iam_member_remove.md
+++ b/docs/gcp/Cloud_Platform/google_project_iam_member_remove.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_project_iam_member_remove](https://reg --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_project_organization_policy.md b/docs/gcp/Cloud_Platform/google_project_organization_policy.md
index 91c5f8164..1a9a40513 100644
--- a/docs/gcp/Cloud_Platform/google_project_organization_policy.md
+++ b/docs/gcp/Cloud_Platform/google_project_organization_policy.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_project_organization_policy](https://r --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | | false | false | None | None | None |
@@ -18,13 +17,11 @@ Reference: [Terraform Registry – google_project_organization_policy](https://r | `restore_policy` | ~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'. - - - | false | false | None | None | None | ### boolean_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enforced` | | false | false | None | None | None | ### list_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `suggested_value` | | false | false | None | None | None |
@@ -33,7 +30,6 @@ Reference: [Terraform Registry – google_project_organization_policy](https://r | `values` | | false | false | None | None | None | ### restore_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `default` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_project_service.md b/docs/gcp/Cloud_Platform/google_project_service.md
index efef89e22..b0c48b6f6 100644
--- a/docs/gcp/Cloud_Platform/google_project_service.md
+++ b/docs/gcp/Cloud_Platform/google_project_service.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_project_service](https://registry.terr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service` | The service to enable. | true | true | Enabling some APIs, like IAM, is necessary for safely managing access and credentials. Security measures are weakened when essential APIs are missed. | service = "iam.googleapis.com" | service = "storage.googleapis.com" # IAM missing |
diff --git a/docs/gcp/Cloud_Platform/google_service_account.md b/docs/gcp/Cloud_Platform/google_service_account.md
index 16c3acf50..9634bf2e5 100644
--- a/docs/gcp/Cloud_Platform/google_service_account.md
+++ b/docs/gcp/Cloud_Platform/google_service_account.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_service_account](https://registry.terr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `account_id` | account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. Changing this forces a new service account to be created. | true | true | Risky names like admin, root, or owner give false sense of privilege and can confuse audits | account_id = "payments-batcher-prod" | account_id = "admin" |
diff --git a/docs/gcp/Cloud_Platform/google_service_account_iam.md b/docs/gcp/Cloud_Platform/google_service_account_iam.md
index fa30d85c5..ce3808730 100644
--- a/docs/gcp/Cloud_Platform/google_service_account_iam.md
+++ b/docs/gcp/Cloud_Platform/google_service_account_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_service_account_iam](https://registry. --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_account_id` | | false | false | None | None | None |
@@ -17,7 +16,6 @@ Reference: [Terraform Registry – google_service_account_iam](https://registry. | `condition` | Structure is [documented below](#nested_condition). | false | false | None | None | None | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Platform/google_service_account_key.md b/docs/gcp/Cloud_Platform/google_service_account_key.md
index da110bfa3..31b6423dd 100644
--- a/docs/gcp/Cloud_Platform/google_service_account_key.md
+++ b/docs/gcp/Cloud_Platform/google_service_account_key.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_service_account_key](https://registry. --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_account_id` | The service account ID for the key. Can be in the form {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. | true | false | This only identifies which service account the key belongs to. It does not affect the security of the key itself. | None | None |
diff --git a/docs/gcp/Cloud_Platform/project_service_identity.md b/docs/gcp/Cloud_Platform/project_service_identity.md
index 85dea28f0..d2faaf1fe 100644
--- a/docs/gcp/Cloud_Platform/project_service_identity.md
+++ b/docs/gcp/Cloud_Platform/project_service_identity.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – project_service_identity](https://registry.te --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service` | The service to generate identity for. - - - | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_anywhere_cache.md b/docs/gcp/Cloud_Storage/storage_anywhere_cache.md
index fb5f587cc..73b7c8af1 100644
--- a/docs/gcp/Cloud_Storage/storage_anywhere_cache.md
+++ b/docs/gcp/Cloud_Storage/storage_anywhere_cache.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_anywhere_cache](https://registry.terr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `zone` | The zone in which the cache instance needs to be created. For example, `us-central1-a.` | true | true | Zone location need to be set in Aus regions for data sovereignty purposes | australia-southeast1-b | us-west-2 |
diff --git a/docs/gcp/Cloud_Storage/storage_bucket.md b/docs/gcp/Cloud_Storage/storage_bucket.md
index 997b96e66..19418a28f 100644
--- a/docs/gcp/Cloud_Storage/storage_bucket.md
+++ b/docs/gcp/Cloud_Storage/storage_bucket.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | | false | false | None | None | None |
@@ -41,21 +40,18 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `vpc_network_sources` | | false | false | None | None | None | ### autoclass Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enabled` | | false | false | None | None | None | | `terminal_storage_class` | | false | false | None | None | None | ### lifecycle_rule Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `action` | | false | false | None | None | None | | `condition` | | false | false | None | None | None | ### versioning Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enabled` | The `website` block supports the following elements, and requires at least one to be defined: | false | false | None | None | None |
@@ -63,7 +59,6 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `not_found_page` | resource is not found. | false | false | None | None | None | ### cors Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `origin` | | false | false | None | None | None |
@@ -72,40 +67,34 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `max_age_seconds` | | false | false | None | None | None | ### retention_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `is_locked` | | false | true | Should not be used because locking is irreversible ation | false/null | true | | `retention_period` | | false | true | Rentention period should be within specified timeline for compliance | 604800/7 days | 2692000 / > 30 days | ### logging Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_bucket` | | false | false | None | None | None | | `log_object_prefix` | by default GCS sets this to this bucket's name. | false | false | None | None | None | ### custom_placement_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `data_locations` | | false | false | None | None | None | ### soft_delete_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `retention_duration_seconds` | | false | false | None | None | None | | `effective_time` | | false | false | None | None | None | ### hierarchical_namespace Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enabled` | | false | false | None | None | None | ### ip_filter Block - | Argument | Description | 
Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `mode` | | false | false | None | None | None |
@@ -114,7 +103,6 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `vpc_network_sources` | | false | false | None | None | None | ### action Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `type` | | false | false | None | None | None |
@@ -136,13 +124,11 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `noncurrent_time_before` | | false | false | None | None | None | ### public_network_source Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allowed_ip_cidr_ranges` | | false | false | None | None | None | ### vpc_network_sources Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `network` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_bucket_access_control.md b/docs/gcp/Cloud_Storage/storage_bucket_access_control.md
index 04fcce2d9..f8d302996 100644
--- a/docs/gcp/Cloud_Storage/storage_bucket_access_control.md
+++ b/docs/gcp/Cloud_Storage/storage_bucket_access_control.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_bucket_access_control](https://regist
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | The name of the bucket. | true | false | Naming bucket is not related to security | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_bucket_acl.md b/docs/gcp/Cloud_Storage/storage_bucket_acl.md
index 30bccf649..6d095eb97 100644
--- a/docs/gcp/Cloud_Storage/storage_bucket_acl.md
+++ b/docs/gcp/Cloud_Storage/storage_bucket_acl.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_bucket_acl](https://registry.terrafor
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | The name of the bucket. | true | false | Naming of bucket is not security related | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_bucket_iam.md b/docs/gcp/Cloud_Storage/storage_bucket_iam.md
index ae6500171..e6a92660c 100644
--- a/docs/gcp/Cloud_Storage/storage_bucket_iam.md
+++ b/docs/gcp/Cloud_Storage/storage_bucket_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_bucket_iam](https://registry.terrafor
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | The storage bucket in GCP | true | false | References to the existing bucket | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_bucket_object.md b/docs/gcp/Cloud_Storage/storage_bucket_object.md
index 13958fbbb..ed64df365 100644
--- a/docs/gcp/Cloud_Storage/storage_bucket_object.md
+++ b/docs/gcp/Cloud_Storage/storage_bucket_object.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_bucket_object](https://registry.terra
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | | false | false | None | None | None |
@@ -32,14 +31,12 @@ Reference: [Terraform Registry – storage_bucket_object](https://registry.terra
 | `deletion_policy` | --- | false | false | None | None | None |
 
 ### customer_encryption Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `encryption_algorithm` | | false | false | None | None | None |
 | `encryption_key` | | false | false | None | None | None |
 
 ### retention Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `mode` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_default_object_access_control.md b/docs/gcp/Cloud_Storage/storage_default_object_access_control.md
index a6384161c..1ec8fbb61 100644
--- a/docs/gcp/Cloud_Storage/storage_default_object_access_control.md
+++ b/docs/gcp/Cloud_Storage/storage_default_object_access_control.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_default_object_access_control](https:
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | The name of the bucket. | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_default_object_acl.md b/docs/gcp/Cloud_Storage/storage_default_object_acl.md
index b61d4a9e4..01215600d 100644
--- a/docs/gcp/Cloud_Storage/storage_default_object_acl.md
+++ b/docs/gcp/Cloud_Storage/storage_default_object_acl.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_default_object_acl](https://registry.
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | --- | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_folder.md b/docs/gcp/Cloud_Storage/storage_folder.md
index a0800ad16..74a45b9b8 100644
--- a/docs/gcp/Cloud_Storage/storage_folder.md
+++ b/docs/gcp/Cloud_Storage/storage_folder.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_folder](https://registry.terraform.io
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | The name of the bucket that contains the folder. | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_hmac_key.md b/docs/gcp/Cloud_Storage/storage_hmac_key.md
index f0ed33d90..4434a9fb4 100644
--- a/docs/gcp/Cloud_Storage/storage_hmac_key.md
+++ b/docs/gcp/Cloud_Storage/storage_hmac_key.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_hmac_key](https://registry.terraform.
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `service_account_email` | The email address of the key's associated service account. | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_managed_folder.md b/docs/gcp/Cloud_Storage/storage_managed_folder.md
index e3b07b076..cea8c364a 100644
--- a/docs/gcp/Cloud_Storage/storage_managed_folder.md
+++ b/docs/gcp/Cloud_Storage/storage_managed_folder.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_managed_folder](https://registry.terr
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | The name of the bucket that contains the managed folder. | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_managed_folder_iam.md b/docs/gcp/Cloud_Storage/storage_managed_folder_iam.md
index e59b422a2..372f9ca36 100644
--- a/docs/gcp/Cloud_Storage/storage_managed_folder_iam.md
+++ b/docs/gcp/Cloud_Storage/storage_managed_folder_iam.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_managed_folder_iam](https://registry.
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | | false | false | None | None | None |
@@ -18,7 +17,6 @@ Reference: [Terraform Registry – storage_managed_folder_iam](https://registry.
 | `condition` | Structure is documented below. --- | false | false | None | None | None |
 
 ### condition Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `expression` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_notification.md b/docs/gcp/Cloud_Storage/storage_notification.md
index 1aeac8b1c..6245e75e0 100644
--- a/docs/gcp/Cloud_Storage/storage_notification.md
+++ b/docs/gcp/Cloud_Storage/storage_notification.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_notification](https://registry.terraf
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_object_access_control.md b/docs/gcp/Cloud_Storage/storage_object_access_control.md
index 4ce28bfc6..c2e05870e 100644
--- a/docs/gcp/Cloud_Storage/storage_object_access_control.md
+++ b/docs/gcp/Cloud_Storage/storage_object_access_control.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_object_access_control](https://regist
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | The name of the bucket. | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage/storage_object_acl.md b/docs/gcp/Cloud_Storage/storage_object_acl.md
index 75fa2d2e9..f81441d29 100644
--- a/docs/gcp/Cloud_Storage/storage_object_acl.md
+++ b/docs/gcp/Cloud_Storage/storage_object_acl.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – storage_object_acl](https://registry.terrafor
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_Storage_Batch_Operations/google_storage_batch_operations_job.md b/docs/gcp/Cloud_Storage_Batch_Operations/google_storage_batch_operations_job.md
index ff453b757..6eb9855c8 100644
--- a/docs/gcp/Cloud_Storage_Batch_Operations/google_storage_batch_operations_job.md
+++ b/docs/gcp/Cloud_Storage_Batch_Operations/google_storage_batch_operations_job.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – google_storage_batch_operations_job](https://
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `job_id` | The ID of the job. | false | false | Job ID is an identifier and does not affect security; only identifies the operation. | None | None |
@@ -19,13 +18,11 @@ Reference: [Terraform Registry – google_storage_batch_operations_job](https://
 | `put_metadata` | Allows batch operations to update metadata for objects in bucket. | false | false | Metadata updates are generally safe operations that don't affect data integrity or security. | None | None |
 
 ### bucket_list Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `buckets` | List of buckets and their objects to be transformed. | true | false | Bucket configuration is required for batch operations but doesn't directly impact security. | None | None |
 
 ### buckets Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | Bucket name for the objects to be transformed. | true | false | Bucket name is required for batch operations but doesn't directly impact security. | None | None |
@@ -33,38 +30,32 @@ Reference: [Terraform Registry – google_storage_batch_operations_job](https://
 | `manifest` | Contains the manifest source file that is a CSV file in a Google Cloud Storage bucket. | false | true | Manifest files provide explicit object lists, ensuring operations only affect intended objects. | manifest = [{ manifest_location = 'gs://bucket/manifest.csv' }] | manifest = [] or manifest_location = '' |
 
 ### prefix_list Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `included_object_prefixes` | List of object name prefixes to include in the batch operation. | true | true | Prefixes ensure operations are scoped to specific objects, preventing accidental mass operations. | included_object_prefixes = ['secure-data/', 'backup/'] | included_object_prefixes = [] or included_object_prefixes = [''] |
 
 ### manifest Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `manifest_location` | Specifies objects in a manifest file stored in Cloud Storage. | true | true | Valid manifest location ensures operations target only explicitly listed objects. | manifest_location = 'gs://secure-bucket/manifest.csv' | manifest_location = '' or manifest_location = null |
 
 ### delete_object Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `permanent_object_deletion_enabled` | Enable flag to permanently delete object and all object versions if versioning is enabled on bucket. | true | true | Permanent deletion removes recovery options and poses a major security risk for data loss. | permanent_object_deletion_enabled = false | permanent_object_deletion_enabled = true |
 
 ### rewrite_object Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `kms_key` | Valid KMS key for encryption during rewrite operations. | true | true | CMEK ensures encryption is customer-managed rather than default Google-managed keys. | kms_key = 'projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key' | kms_key = null or kms_key = '' |
 
 ### put_object_hold Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `event_based_hold` | Set/unset to update event based hold for objects. | false | true | Unsetting event-based holds can allow premature deletion of objects that should be retained. | event_based_hold = 'SET' | event_based_hold = 'UNSET' |
 | `temporary_hold` | Set/unset to update temporary based hold for objects. | false | true | Unsetting temporary holds can allow premature deletion of objects that should be retained. | temporary_hold = 'SET' | temporary_hold = 'UNSET' |
 
 ### put_metadata Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `custom_time` | Updates the objects fixed custom time metadata. | false | false | Custom time metadata is informational and doesn't impact security. | None | None |
diff --git a/docs/gcp/Cloud_Storage_Batch_Operations/storage_batch_operations_job.md b/docs/gcp/Cloud_Storage_Batch_Operations/storage_batch_operations_job.md
deleted file mode 100644
index 8dcc424e1..000000000
--- a/docs/gcp/Cloud_Storage_Batch_Operations/storage_batch_operations_job.md
+++ /dev/null
@@ -1,80 +0,0 @@
-## 🛡️ Policy Deployment Engine: `storage_batch_operations_job`
-
-This section provides a concise policy evaluation for the `storage_batch_operations_job` resource in GCP.
-
-Reference: [Terraform Registry – storage_batch_operations_job](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_batch_operations_job)
-
----
-
-## Argument Reference
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `bucket_list` | List of buckets and their objects to be transformed. Currently, only one bucket configuration is supported. If multiple buckets are specified, an error will be returned Structure is [documented below](#nested_bucket_list). | false | false | None | None | None |
-| `delete_object` | allows batch operations to delete objects in bucket Structure is [documented below](#nested_delete_object). | false | false | None | None | None |
-| `put_metadata` | allows batch operations to update metadata for objects in bucket Structure is [documented below](#nested_put_metadata). | false | false | None | None | None |
-| `rewrite_object` | allows to update encryption key for objects in bucket. Structure is [documented below](#nested_rewrite_object). | false | false | None | None | None |
-| `put_object_hold` | allows to update temporary hold or eventBased hold for objects in bucket. Structure is [documented below](#nested_put_object_hold). | false | false | None | None | None |
-| `job_id` | The ID of the job. | false | false | None | None | None |
-| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
-| `delete_protection` | | false | false | None | None | None |
-| `buckets` | | false | false | None | None | None |
-| `prefix_list` | | false | false | None | None | None |
-| `manifest` | | false | false | None | None | None |
-
-### bucket_list Block
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `buckets` | List of buckets and their objects to be transformed. Structure is [documented below](#nested_bucket_list_buckets). | true | false | None | None | None |
-
-### delete_object Block
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `permanent_object_deletion_enabled` | enable flag to permanently delete object and all object versions if versioning is enabled on bucket. | true | false | None | None | None |
-
-### put_metadata Block
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `custom_time` | Updates the objects fixed custom time metadata. | false | false | None | None | None |
-| `content_disposition` | Content-Disposition of the object data. | false | false | None | None | None |
-| `content_encoding` | Content Encoding of the object data. | false | false | None | None | None |
-| `content_type` | Content-Type of the object data. | false | false | None | None | None |
-| `content_language` | Content-Language of the object data. | false | false | None | None | None |
-| `cache_control` | Cache-Control directive to specify caching behavior of object data. If omitted and object is accessible to all anonymous users, the default will be public, max-age=3600 | false | false | None | None | None |
-| `custom_metadata` | User-provided metadata, in key/value pairs. | false | false | None | None | None |
-
-### rewrite_object Block
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `kms_key` | valid kms key | true | false | None | None | None |
-
-### put_object_hold Block
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `event_based_hold` | set/unset to update event based hold for objects. | false | false | None | None | None |
-| `temporary_hold` | set/unset to update temporary based hold for objects. | false | false | None | None | None |
-
-### buckets Block
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `bucket` | Bucket name for the objects to be transformed. | true | false | None | None | None |
-| `prefix_list` | Specifies objects matching a prefix set. Structure is [documented below](#nested_bucket_list_buckets_buckets_prefix_list). | false | false | None | None | None |
-| `manifest` | contain the manifest source file that is a CSV file in a Google Cloud Storage bucket. Structure is [documented below](#nested_bucket_list_buckets_buckets_manifest). | false | false | None | None | None |
-
-### prefix_list Block
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `included_object_prefixes` | | false | false | None | None | None |
-
-### manifest Block
-
-| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
-|----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `manifest_location` | Specifies objects in a manifest file. | false | false | None | None | None |
diff --git a/docs/gcp/DatabaseMigrationService/database_migration_service_connection_profile.md b/docs/gcp/DatabaseMigrationService/database_migration_service_connection_profile.md
index 4e5d15818..27107c153 100644
--- a/docs/gcp/DatabaseMigrationService/database_migration_service_connection_profile.md
+++ b/docs/gcp/DatabaseMigrationService/database_migration_service_connection_profile.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `connection_profile_id` | The ID of the connection profile. | true | false | Connection Profile ID has no impact on the security of the resource or data contained | None | None |
@@ -31,7 +30,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `machine_config` | Configuration for the machines that host the underlying database engine. Structure is [documented below](#nested_alloydb_settings_primary_instance_settings_machine_config). | true | false | Not Security Related | None | None |
 
 ### mysql Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `host` | The IP or hostname of the source MySQL database. | false | false | host value itself does not impact security since networking and SSL enforcement are controlled by other parameters such as private_network and require_ssl. | None | None |
@@ -43,7 +41,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `cloud_sql_id` | If the source is a Cloud SQL database, use this field to provide the Cloud SQL instance ID of the source. | false | false | cloud_sql_id has no impact on the security of the resource or data contained | None | None |
 
 ### postgresql Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `host` | The IP or hostname of the source postgresql database. | false | false | host value itself does not impact security since networking and SSL enforcement are controlled by other parameters such as private_network and require_ssl. | None | None |
@@ -57,7 +54,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `network_architecture` | (Output) Output only. If the source is a Cloud SQL database, this field indicates the network architecture it's associated with. | false | false | This is the output | None | None |
 
 ### oracle Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `host` | Required. The IP or hostname of the source Oracle database. | true | false | host value itself does not impact security since networking and SSL enforcement are controlled by other parameters. | None | None |
@@ -72,7 +68,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `private_connectivity` | Configuration for using a private network to communicate with the source database Structure is [documented below](#nested_oracle_private_connectivity). | false | true | Private connectivity prevents external access over public networks. | Configured | Not configured |
 
 ### cloudsql Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cloud_sql_id` | (Output) Output only. The Cloud SQL instance ID that this connection profile is associated with. | false | false | This is the output | None | None |
@@ -81,14 +76,12 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `public_ip` | (Output) Output only. The Cloud SQL database instance's public IP. | false | false | This is the output | None | None |
 
 ### alloydb Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cluster_id` | Required. The AlloyDB cluster ID that this connection profile is associated with. | true | false | Not Security Related | None | None |
 | `settings` | Immutable. Metadata used to create the destination AlloyDB cluster. Structure is [documented below](#nested_alloydb_settings). | false | false | Not Security Related | None | None |
 
 ### ssl Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `type` | (Output) The current connection profile state. | false | true | The SSL type determines the level of encryption and whether client certificates are enforced. | 'SERVER_ONLY','SERVER_CLIENT','REQUIRED' | NONE |
@@ -97,7 +90,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `ca_certificate` | Input only. The x509 PEM-encoded certificate of the CA that signed the source database server's certificate. The replica will use this certificate to verify it's connecting to the right host. **Note**: This property is sensitive and will not be displayed in the plan. | false | false | Depends on SSL Type | None | None |
 
 ### forward_ssh_connectivity Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `hostname` | Required. Hostname for the SSH tunnel. | true | false | None | None | None |
@@ -107,13 +99,11 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `private_key` | Input only. SSH private key. Only one of `password` and `private_key` can be configured. **Note**: This property is sensitive and will not be displayed in the plan. | false | false | None | None | None |
 
 ### private_connectivity Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `private_connection` | Required. The resource name (URI) of the private connection. | true | true | Private connectivity prevents external access over public networks. | Compliant URI | Non-Compliant URI |
 
 ### settings Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `database_version` | The database engine type and version. Currently supported values located at https://cloud.google.com/database-migration/docs/reference/rest/v1/projects.locations.connectionProfiles#sqldatabaseversion | false | false | Not Security Related | None | None |
@@ -139,7 +129,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `primary_instance_settings` | Settings for the cluster's primary instance Structure is [documented below](#nested_alloydb_settings_primary_instance_settings). | false | false | Not Security Related | None | None |
 
 ### ip_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `enable_ipv4` | Whether the instance should be assigned an IPv4 address or not. | false | false | Not Security Related | None | None |
@@ -148,7 +137,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `authorized_networks` | The list of external networks that are allowed to connect to the instance using the IP. Structure is [documented below](#nested_cloudsql_settings_ip_config_authorized_networks). | false | true | Authorized networks define which external IPs can access the database. Better not configured | Not configured | Configured |
 
 ### authorized_networks Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `value` | The allowlisted value for the access control list. | true | false | None | None | None |
@@ -157,7 +145,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `ttl` | Input only. The time-to-leave of this access control entry. | false | false | None | None | None |
 
 ### initial_user Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `user` | The database username. | true | false | None | None | None |
@@ -165,7 +152,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `password_set` | (Output) Output only. Indicates if the initialUser.password field has been set. | false | false | None | None | None |
 
 ### primary_instance_settings Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | The database username. | true | false | None | None | None |
@@ -175,7 +161,6 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `private_ip` | (Output) Output only. The private IP address for the Instance. This is the connection endpoint for an end-user application. | false | false | None | None | None |
 
 ### machine_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cpu_count` | The number of CPU's in the VM instance. | true | false | None | None | None |
diff --git a/docs/gcp/DatabaseMigrationService/database_migration_service_migration_job.md b/docs/gcp/DatabaseMigrationService/database_migration_service_migration_job.md
index e023aacad..61774363b 100644
--- a/docs/gcp/DatabaseMigrationService/database_migration_service_migration_job.md
+++ b/docs/gcp/DatabaseMigrationService/database_migration_service_migration_job.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – database_migration_service_migration_job](htt
 
 ---
 
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `type` | The type of the migration job. Possible values are: `ONE_TIME`, `CONTINUOUS`. | true | true | Migration type impacts how long source databases are exposed. Continuous migrations may carry higher security and cost implications than one-time jobs. | ONE_TIME | CONTINUOUS |
@@ -27,7 +26,6 @@ Reference: [Terraform Registry – database_migration_service_migration_job](htt | `project` | If it is not provided, the provider project is used. | false | false | Not Security Related | None | None | ### dump_flags Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `dump_flags` | A list of dump flags Structure is [documented below](#nested_dump_flags_dump_flags). | false | false | None | None | None | @@ -35,13 +33,11 @@ Reference: [Terraform Registry – database_migration_service_migration_job](htt | `value` | The vale of the flag | false | false | None | None | None | ### performance_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `dump_parallel_level` | Initial dump parallelism level. Possible values are: `MIN`, `OPTIMAL`, `MAX`. | false | false | None | None | None | ### reverse_ssh_connectivity Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `vm_ip` | The IP of the virtual machine (Compute Engine) used as the bastion server for the SSH tunnel. | false | false | Must be setup anyway when reverse_ssh_connectivity is chosen | None | None | 
@@ -50,7 +46,6 @@ Reference: [Terraform Registry – database_migration_service_migration_job](htt | `vpc` | The name of the VPC to peer with the Cloud SQL private network. | false | false | Must be setup anyway when reverse_ssh_connectivity is chosen | None | None | ### vpc_peering_connectivity Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `vpc` | The name of the VPC network to peer with the Cloud SQL private network. | false | true | VPC peering is the preferred secure method to connect source and destination over private networks, avoiding public exposure. | Valid VPC | Not Configured | diff --git a/docs/gcp/DatabaseMigrationService/database_migration_service_private_connection.md b/docs/gcp/DatabaseMigrationService/database_migration_service_private_connection.md index ce6b4705e..b664c2874 100644 --- a/docs/gcp/DatabaseMigrationService/database_migration_service_private_connection.md +++ b/docs/gcp/DatabaseMigrationService/database_migration_service_private_connection.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – database_migration_service_private_connection --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `vpc_peering_config` | The VPC Peering configuration is used to create VPC peering between databasemigrationservice and the consumer's VPC. Structure is [documented below](#nested_vpc_peering_config). | true | false | This is a required field and doesnot need a Rego policy | None | None | 
@@ -19,7 +18,6 @@ Reference: [Terraform Registry – database_migration_service_private_connection | `project` | If it is not provided, the provider project is used. | false | false | Not Security Related | None | None | ### vpc_peering_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `vpc_name` | Fully qualified name of the VPC that Database Migration Service will peer to. Format: projects/{project}/global/{networks}/{name} | true | false | None | None | None | diff --git a/docs/gcp/Dataform/dataform_repository.md b/docs/gcp/Dataform/dataform_repository.md index c73ec2753..456929c03 100644 --- a/docs/gcp/Dataform/dataform_repository.md +++ b/docs/gcp/Dataform/dataform_repository.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – dataform_repository](https://registry.terrafo --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The repository's name. | true | false | None | None | None | @@ -24,7 +23,6 @@ Reference: [Terraform Registry – dataform_repository](https://registry.terrafo | `ssh_authentication_config` | | false | false | None | None | None | ### git_remote_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `url` | The Git remote's URL. | true | false | None | None | None | 
@@ -34,7 +32,6 @@ Reference: [Terraform Registry – dataform_repository](https://registry.terrafo | `token_status` | (Output) Indicates the status of the Git access token. https://cloud.google.com/dataform/reference/rest/v1beta1/projects.locations.repositories#TokenStatus | false | false | None | None | None | ### workspace_compilation_overrides Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `default_database` | The default database (Google Cloud project ID). | false | false | None | None | None | @@ -42,7 +39,6 @@ Reference: [Terraform Registry – dataform_repository](https://registry.terrafo | `table_prefix` | The prefix that should be prepended to all table names. | false | false | None | None | None | ### ssh_authentication_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `user_private_key_secret_version` | The name of the Secret Manager secret version to use as a ssh private key for Git operations. Must be in the format projects/*/secrets/*/versions/*. | true | false | None | None | None | diff --git a/docs/gcp/Dataform/dataform_repository_iam.md b/docs/gcp/Dataform/dataform_repository_iam.md index cd5104a4c..3cb280a9c 100644 --- a/docs/gcp/Dataform/dataform_repository_iam.md +++ b/docs/gcp/Dataform/dataform_repository_iam.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – dataform_repository_iam](https://registry.ter --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `region` | the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration. | false | false | None | None | None | diff --git a/docs/gcp/Dataform/dataform_repository_release_config.md b/docs/gcp/Dataform/dataform_repository_release_config.md index c564cb8a9..b47d3010f 100644 --- a/docs/gcp/Dataform/dataform_repository_release_config.md +++ b/docs/gcp/Dataform/dataform_repository_release_config.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – dataform_repository_release_config](https://r --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The release's name. | true | false | None | None | None | @@ -20,7 +19,6 @@ Reference: [Terraform Registry – dataform_repository_release_config](https://r | `project` | If it is not provided, the provider project is used. | false | false | None | None | None | ### code_compilation_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `default_database` | Optional. The default database (Google Cloud project ID). | false | false | None | None | None | diff --git a/docs/gcp/Dataform/dataform_repository_workflow_config.md b/docs/gcp/Dataform/dataform_repository_workflow_config.md index 0cb9295fd..d42e0120f 100644 
--- a/docs/gcp/Dataform/dataform_repository_workflow_config.md +++ b/docs/gcp/Dataform/dataform_repository_workflow_config.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – dataform_repository_workflow_config](https:// --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The workflow's name. | true | false | None | None | None | @@ -21,7 +20,6 @@ Reference: [Terraform Registry – dataform_repository_workflow_config](https:// | `included_targets` | | false | false | None | None | None | ### invocation_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_targets` | Optional. The set of action identifiers to include. Structure is [documented below](#nested_invocation_config_included_targets). | false | false | None | None | None | @@ -32,7 +30,6 @@ Reference: [Terraform Registry – dataform_repository_workflow_config](https:// | `service_account` | Optional. The service account to run workflow invocations under. | false | false | None | None | None | ### included_targets Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `database` | The action's database (Google Cloud project ID). | false | false | None | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_chat_engine.md b/docs/gcp/Discovery_Engine/discovery_engine_chat_engine.md index 4ff4dbdf3..04783137e 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_chat_engine.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_chat_engine.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – discovery_engine_chat_engine](https://registr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The display name of the engine. Should be human readable. UTF-8 encoded string with limit of 1024 characters. | true | false | Just the displayed name | None | None | @@ -22,7 +21,6 @@ Reference: [Terraform Registry – discovery_engine_chat_engine](https://registr | `agent_creation_config` | | false | false | This happens in the backgroud | None | None | ### chat_engine_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `agent_creation_config` | The configuration to generate the Dialogflow agent that is associated to this Engine. Exactly one of `agent_creation_config` or `dialogflow_agent_to_link` must be set. Structure is [documented below](#nested_chat_engine_config_agent_creation_config). | false | true | linking to other agents can be a risk | False | True | 
@@ -30,13 +28,11 @@ Reference: [Terraform Registry – discovery_engine_chat_engine](https://registr | `allow_cross_region` | If the flag set to true, we allow the agent and engine are in different locations, otherwise the agent and engine are required to be in the same location. The flag is set to false by default. Note that the `allow_cross_region` are one-time consumed by and passed to EngineService.CreateEngine. It means they cannot be retrieved using EngineService.GetEngine or EngineService.ListEngines API after engine creation. | false | true | data residency laws | false | true | ### common_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `company_name` | The name of the company, business or entity that is associated with the engine. Setting this may help improve LLM related features. | false | false | None | None | None | ### agent_creation_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `business` | Name of the company, organization or other entity that the agent represents. Used for knowledge connector LLM prompt and for knowledge search. | false | false | None | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_cmek_config.md b/docs/gcp/Discovery_Engine/discovery_engine_cmek_config.md index 614a66603..d30ade48b 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_cmek_config.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_cmek_config.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – discovery_engine_cmek_config](https://registr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kms_key` | KMS key resource name which will be used to encrypt resources `projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{keyId}`. | true | true | Encryption key related | my-crypto-key | nc-crypto-key | @@ -18,7 +17,6 @@ Reference: [Terraform Registry – discovery_engine_cmek_config](https://registr | `project` | If it is not provided, the provider project is used. | true | false | project ID | None | None | ### single_region_keys Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kms_key` | Single-regional kms key resource name which will be used to encrypt resources `projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{keyId}`. | true | true | encryption | projects/735927692082/locations/europe-west1/keyRings/my-ring/cryptoKeys/my-eu1-key | | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_data_store.md b/docs/gcp/Discovery_Engine/discovery_engine_data_store.md index 5d60eecc5..d7d19f942 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_data_store.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_data_store.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The display name of the data store. This field must be a UTF-8 encoded string with a length limit of 128 characters. | true | false | Just the name | None | None | @@ -30,14 +29,12 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry | `parsing_config_overrides` | | false | false | None | None | None | ### advanced_site_search_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disable_initial_index` | If set true, initial indexing is disabled for the DataStore. | false | false | None | None | None | | `disable_automatic_refresh` | If set true, automatic refresh is disabled for the DataStore. | false | false | None | None | None | ### document_processing_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | (Output) The full resource name of the Document Processing Config. Format: `projects/{project}/locations/{location}/collections/{collection_id}/dataStores/{data_store_id}/documentProcessingConfig`. | false | false | None | None | None | 
@@ -46,20 +43,17 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry | `parsing_config_overrides` | Map from file type to override the default parsing configuration based on the file type. Supported keys: * `pdf`: Override parsing config for PDF files, either digital parsing, ocr parsing or layout parsing is supported. * `html`: Override parsing config for HTML files, only digital parsing and or layout parsing are supported. * `docx`: Override parsing config for DOCX files, only digital parsing and or layout parsing are supported. Structure is [documented below](#nested_document_processing_config_parsing_config_overrides). | false | false | None | None | None | ### chunking_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `layout_based_chunking_config` | Configuration for the layout based chunking. Structure is [documented below](#nested_document_processing_config_chunking_config_layout_based_chunking_config). | false | false | None | None | None | ### layout_based_chunking_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `chunk_size` | The token size limit for each chunk. Supported values: 100-500 (inclusive). Default value: 500. | false | false | None | None | None | | `include_ancestor_headings` | Whether to include appending different levels of headings to chunks from the middle of the document to prevent context loss. Default value: False. 
| false | false | None | None | None | ### default_parsing_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `digital_parsing_config` | Configurations applied to digital parser. | false | false | None | None | None | @@ -67,13 +61,11 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry | `layout_parsing_config` | Configurations applied to layout parser. Structure is [documented below](#nested_document_processing_config_default_parsing_config_layout_parsing_config). | false | false | None | None | None | ### ocr_parsing_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `use_native_text` | If true, will use native text instead of OCR text on pages containing native text. | false | true | can make private info public if set to false | True | False | ### layout_parsing_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enable_table_annotation` | If true, the LLM based annotation is added to the table during parsing. | false | false | None | None | None | @@ -84,7 +76,6 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry | `exclude_html_ids` | List of HTML ids to exclude from the parsed content. | false | false | None | None | None | ### parsing_config_overrides Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `file_type` | | false | false | None | None | None | 
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_recommendation_engine.md b/docs/gcp/Discovery_Engine/discovery_engine_recommendation_engine.md index be5fafc7a..4ce7a7e77 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_recommendation_engine.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_recommendation_engine.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – discovery_engine_recommendation_engine](https --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | Required. The display name of the engine. Should be human readable. UTF-8 encoded string with limit of 1024 characters. | true | false | naming | None | None | @@ -24,7 +23,6 @@ Reference: [Terraform Registry – discovery_engine_recommendation_engine](https | `most_popular_config` | | false | false | None | None | None | ### media_recommendation_engine_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `type` | The type of engine. e.g., `recommended-for-you`. This field together with MediaRecommendationEngineConfig.optimizationObjective describes engine metadata to use to control engine training and serving. Currently supported values: `recommended-for-you`, `others-you-may-like`, `more-like-this`, `most-popular-items`. | false | false | None | None | None | 
@@ -34,33 +32,28 @@ Reference: [Terraform Registry – discovery_engine_recommendation_engine](https | `engine_features_config` | More feature configs of the selected engine type. Structure is [documented below](#nested_media_recommendation_engine_config_engine_features_config). | false | false | None | None | None | ### common_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `company_name` | The name of the company, business or entity that is associated with the engine. Setting this may help improve LLM related features.cd | false | false | None | None | None | ### optimization_objective_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `target_field` | The name of the field to target. Currently supported values: `watch-percentage`, `watch-time`. | false | false | None | None | None | | `target_field_value_float` | The threshold to be applied to the target (e.g., 0.5). | false | false | None | None | None | ### engine_features_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `recommended_for_you_config` | Additional feature configurations for creating a `recommended-for-you` engine. Structure is [documented below](#nested_media_recommendation_engine_config_engine_features_config_recommended_for_you_config). | false | false | None | None | None | | `most_popular_config` | Feature configurations that are required for creating a Most Popular engine. Structure is [documented below](#nested_media_recommendation_engine_config_engine_features_config_most_popular_config). 
| false | false | None | None | None | ### recommended_for_you_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `context_event_type` | The type of event with which the engine is queried at prediction time. If set to `generic`, only `view-item`, `media-play`,and `media-complete` will be used as `context-event` in engine training. If set to `view-home-page`, `view-home-page` will also be used as `context-events` in addition to `view-item`, `media-play`, and `media-complete`. Currently supported for the `recommended-for-you` engine. Currently supported values: `view-home-page`, `generic`. | false | false | None | None | None | ### most_popular_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `time_window_days` | The time window of which the engine is queried at training and prediction time. Positive integers only. The value translates to the last X days of events. Currently required for the `most-popular-items` engine. | false | false | None | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_schema.md b/docs/gcp/Discovery_Engine/discovery_engine_schema.md index 626c4b326..95c73c72f 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_schema.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_schema.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – discovery_engine_schema](https://registry.ter --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_search_engine.md b/docs/gcp/Discovery_Engine/discovery_engine_search_engine.md index a8ab190a1..f8213dd89 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_search_engine.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_search_engine.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – discovery_engine_search_engine](https://regis --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | Required. The display name of the engine. Should be human readable. UTF-8 encoded string with limit of 1024 characters. | true | false | Name | None | None | 
@@ -21,14 +20,12 @@ Reference: [Terraform Registry – discovery_engine_search_engine](https://regis | `project` | If it is not provided, the provider project is used. | true | false | Needed to work | None | None | ### search_engine_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `search_tier` | The search feature tier of this engine. Defaults to SearchTier.SEARCH_TIER_STANDARD if not specified. Default value is `SEARCH_TIER_STANDARD`. Possible values are: `SEARCH_TIER_STANDARD`, `SEARCH_TIER_ENTERPRISE`. | false | false | None | None | None | | `search_add_ons` | The add-on that this search engine enables. Each value may be one of: `SEARCH_ADD_ON_LLM`. | false | false | None | None | None | ### common_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `company_name` | The name of the company, business or entity that is associated with the engine. Setting this may help improve LLM related features.cd | false | false | None | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md b/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md index f7ded6ce8..cd3c084d9 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – discovery_engine_sitemap](https://registry.te --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | false | None | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_target_site.md b/docs/gcp/Discovery_Engine/discovery_engine_target_site.md index 01cce5649..9ab390c77 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_target_site.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_target_site.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – discovery_engine_target_site](https://registr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `provided_uri_pattern` | The user provided URI pattern from which the `generated_uri_pattern` is generated. | true | false | None | None | None | diff --git a/docs/gcp/Firebase/firebase_android_app.md b/docs/gcp/Firebase/firebase_android_app.md index d11c750c5..23f67eae5 100644 --- a/docs/gcp/Firebase/firebase_android_app.md +++ b/docs/gcp/Firebase/firebase_android_app.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_android_app](https://registry.terraf --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The user-assigned display name of the AndroidApp. | true | false | Display Name has no impact on the security of the resource or data contained. | None | None | diff --git a/docs/gcp/Firebase/firebase_apple_app.md b/docs/gcp/Firebase/firebase_apple_app.md index 143cd2d1c..5e3437feb 100644 --- a/docs/gcp/Firebase/firebase_apple_app.md +++ b/docs/gcp/Firebase/firebase_apple_app.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_apple_app](https://registry.terrafor --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The user-assigned display name of the App. | true | false | Display name is only a user-friendly identifier and does not expose sensitive data or impact the security of the application or its resources. | None | None | diff --git a/docs/gcp/Firebase/firebase_project.md b/docs/gcp/Firebase/firebase_project.md index 530247fa5..fda4595f7 100644 --- a/docs/gcp/Firebase/firebase_project.md +++ b/docs/gcp/Firebase/firebase_project.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_project](https://registry.terraform. --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | If it is not provided, the provider project is used. | false | false | The 'project' attribute is used to associate the Firebase resource with a specific Google Cloud project. It does not directly affect security or data protection since access and permissions are controlled through project-level IAM policies rather than this field itself. | None | None | diff --git a/docs/gcp/Firebase/firebase_web_app.md b/docs/gcp/Firebase/firebase_web_app.md index 5e0781b9f..1bb9e1f99 100644 --- a/docs/gcp/Firebase/firebase_web_app.md +++ b/docs/gcp/Firebase/firebase_web_app.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_web_app](https://registry.terraform. --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The user-assigned display name of the App. | true | false | The display name is only a user-friendly label to help identify the web application. It does not affect authentication, access control, or security posture. | None | None | diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_backend.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_backend.md index cf9e611da..5a891f64d 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_backend.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_backend.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_app_hosting_backend](https://registr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `serving_locality` | Immutable. Specifies how App Hosting will serve the content for this backend. It will either be contained to a single region (REGIONAL_STRICT) or allowed to use App Hosting's global-replicated serving infrastructure (GLOBAL_ACCESS). Possible values are: `REGIONAL_STRICT`, `GLOBAL_ACCESS`. | true | true | Serving locality must be set to REGIONAL_STRICT to ensure data residency compliance and maintain regional data sovereignty requirements. | REGIONAL_STRICT | GLOBAL_ACCESS | @@ -23,7 +22,6 @@ Reference: [Terraform Registry – firebase_app_hosting_backend](https://registr | `project` | If it is not provided, the provider project is used. | false | false | Project specification uses default provider project when not specified. | None | None | ### codebase Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `repository` | The resource name for the Developer Connect [`gitRepositoryLink`](https://cloud.google.com/developer-connect/docs/api/reference/rest/v1/projects.locations.connections.gitRepositoryLinks) connected to this backend, in the format: projects/{project}/locations/{location}/connections/{connection}/gitRepositoryLinks/{repositoryLink} | true | true | Repository must use the GCP Developer Connect format to ensure secure authentication and authorization through GCP's managed connections. | projects/my-project/locations/australia-southeast2/connections/github-connection/gitRepositoryLinks/my-repo-link | github.com/user/repo | 
diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_build.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_build.md index 73216ccb0..25be93389 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_build.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_build.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_app_hosting_build](https://registry. --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | The source for the build. Structure is [documented below](#nested_source). | true | true | Build source must use approved container registries to ensure secure and trusted container images. | Refer to child arguments | Refer to child arguments | 
@@ -22,20 +21,17 @@ Reference: [Terraform Registry – firebase_app_hosting_build](https://registry. | `codebase` | | false | false | Codebase fields are output-only or have no specific security policies. | None | None | ### source Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `container` | The URI of an Artifact Registry [container image](https://cloud.google.com/artifact-registry/docs/reference/rest/v1/projects.locations.repositories.dockerImages) to use as the build source. Structure is [documented below](#nested_source_container). | false | true | Container images must be sourced from approved registries to ensure security and compliance. | Refer to child arguments | Refer to child arguments | | `codebase` | A codebase source, representing the state of the codebase that the build will be created at. Structure is [documented below](#nested_source_codebase). | false | false | Codebase source has no specific security policy in place. | None | None | ### container Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `image` | A URI representing a container for the backend to use. | true | true | Container image must be sourced from approved Australian Artifact Registry to ensure security, compliance, and data residency requirements. | au-docker.pkg.dev | docker.io/nginx:latest | ### codebase Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | (Output) The 'name' field in a Git user's git.config. Required by Git. | false | false | Output field with no security policy. | None | None | 
diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_default_domain.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_default_domain.md index 59f7fd013..2b11208bf 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_default_domain.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_default_domain.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_app_hosting_default_domain](https:// --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location of the Backend that this Domain is associated with | true | false | Location inherits from backend configuration and has no independent security policy. | australia-southeast2-a | us-east1 | diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_domain.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_domain.md index 5de220dae..83f352b76 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_domain.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_domain.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_app_hosting_domain](https://registry --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location of the Backend that this Domain is associated with | true | false | Location inherits from backend configuration and has no independent security policy. | australia-southeast2-a | us-east1 | 
@@ -18,13 +17,11 @@ Reference: [Terraform Registry – firebase_app_hosting_domain](https://registry | `redirect` | | false | false | Redirect configuration has no specific security policy. | None | None | ### serve Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `redirect` | Specifies redirect behavior for a domain. Structure is [documented below](#nested_serve_redirect). | false | false | Domain redirect configuration has no specific security policy. | None | None | ### redirect Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uri` | The URI of the redirect's intended destination. This URI will be prepended to the original request path. URI without a scheme are assumed to be HTTPS. | true | false | Redirect URI has no specific security policy. | None | None | diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_traffic.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_traffic.md index ae8623dab..8b15c4331 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_traffic.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_traffic.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_app_hosting_traffic](https://registr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location the Backend that this Traffic config applies to | true | false | Location inherits from backend configuration and has no independent security policy. | australia-southeast2-a | us-east1 | 
@@ -18,13 +17,11 @@ Reference: [Terraform Registry – firebase_app_hosting_traffic](https://registr | `splits` | | false | false | Traffic splits configuration has no specific security policy. | None | None | ### target Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `splits` | A list of traffic splits that together represent where traffic is being routed. Structure is [documented below](#nested_target_splits). | true | false | Traffic splits configuration has no specific security policy. | None | None | ### rollout_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disabled` | A flag that, if true, prevents rollouts from being created via this RolloutPolicy. | false | false | Rollout enable/disable flag has no specific security policy. | None | None | @@ -32,7 +29,6 @@ Reference: [Terraform Registry – firebase_app_hosting_traffic](https://registr | `codebase_branch` | Specifies a branch that triggers a new build to be started with this policy. If not set, no automatic rollouts will happen. | false | true | Codebase branch must be set to 'main' to ensure only stable, production-ready code triggers automatic deployments. | main | dev | ### splits Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `build` | The build that traffic is being routed to. | true | false | Build reference has no specific security policy. | None | None | diff --git a/docs/gcp/Firebase_Data_Connect/firebase_data_connect_service.md b/docs/gcp/Firebase_Data_Connect/firebase_data_connect_service.md index e1eae5a11..9fbf71d44 100644 
--- a/docs/gcp/Firebase_Data_Connect/firebase_data_connect_service.md +++ b/docs/gcp/Firebase_Data_Connect/firebase_data_connect_service.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firebase_data_connect_service](https://regist --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The region in which the service resides, e.g. "us-central1" or "asia-east1". | true | false | The location attribute determines the physical region where the service is deployed. It does not directly affect security, but it may have compliance or data residency implications depending on organizational and regulatory requirements. | None | None | diff --git a/docs/gcp/Firestore/firestore_backup_schedule.md b/docs/gcp/Firestore/firestore_backup_schedule.md index 65fd4a7e2..2608824d0 100644 --- a/docs/gcp/Firestore/firestore_backup_schedule.md +++ b/docs/gcp/Firestore/firestore_backup_schedule.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firestore_backup_schedule](https://registry.t --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `retention` | Firestore backup schedules must retain backups for at least 7 days (604800 seconds). | true | false | None | None | None | 
@@ -17,7 +16,6 @@ Reference: [Terraform Registry – firestore_backup_schedule](https://registry.t | `project` | If it is not provided, the provider project is used. | false | false | None | None | None | ### weekly_recurrence Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `day` | The day of week to run. Possible values are: `DAY_OF_WEEK_UNSPECIFIED`, `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. | false | false | None | None | None | diff --git a/docs/gcp/Firestore/firestore_database.md b/docs/gcp/Firestore/firestore_database.md index 670385a69..da854be41 100644 --- a/docs/gcp/Firestore/firestore_database.md +++ b/docs/gcp/Firestore/firestore_database.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firestore_database](https://registry.terrafor --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The ID to use for the database, which will become the final component of the database's resource name. This value should be 4-63 characters. Valid characters are /[a-z][0-9]-/ with first character a letter and the last a letter or a number. Must not be UUID-like /[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/. "(default)" database id is also valid. | true | false | None | None | None | 
@@ -24,7 +23,6 @@ Reference: [Terraform Registry – firestore_database](https://registry.terrafor | `deletion_policy` | If the deletion policy is `ABANDON`, the database will be removed from Terraform state but not deleted from Google Cloud upon destruction. If the deletion policy is `DELETE`, the database will both be removed from Terraform state and deleted from Google Cloud upon destruction. The default value is `ABANDON`. See also `delete_protection`. | false | false | None | None | None | ### cmek_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kms_key_name` | The resource ID of a Cloud KMS key. If set, the database created will be a Customer-managed Encryption Key (CMEK) database encrypted with this key. This feature is allowlist only in initial launch. Only keys in the same location as this database are allowed to be used for encryption. For Firestore's nam5 multi-region, this corresponds to Cloud KMS multi-region us. For Firestore's eur3 multi-region, this corresponds to Cloud KMS multi-region europe. See https://cloud.google.com/kms/docs/locations. This value should be the KMS key resource ID in the format of `projects/{project_id}/locations/{kms_location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}`. How to retrieve this resource ID is listed at https://cloud.google.com/kms/docs/getting-resource-ids#getting_the_id_for_a_key_and_version. | true | false | None | None | None | diff --git a/docs/gcp/Firestore/firestore_document.md b/docs/gcp/Firestore/firestore_document.md index 5360d64a9..aae845f0d 100644 --- a/docs/gcp/Firestore/firestore_document.md +++ b/docs/gcp/Firestore/firestore_document.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – firestore_document](https://registry.terrafor --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `fields` | The document's [fields](https://cloud.google.com/firestore/docs/reference/rest/v1/projects.databases.documents) formated as a json string.Firestore documents must include both 'field1' and 'field2' to satisfy mandatory data schema. | true | false | None | None | None | diff --git a/docs/gcp/Firestore/firestore_field.md b/docs/gcp/Firestore/firestore_field.md index d1ed4cbc2..98445e0bb 100644 --- a/docs/gcp/Firestore/firestore_field.md +++ b/docs/gcp/Firestore/firestore_field.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – firestore_field](https://registry.terraform.i --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `collection` | The id of the collection group to configure. | true | false | None | None | None | 
@@ -19,19 +18,16 @@ Reference: [Terraform Registry – firestore_field](https://registry.terraform.i | `indexes` | | false | false | None | None | None | ### index_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `indexes` | The indexes to configure on the field. Order or array contains must be specified. Structure is [documented below](#nested_index_config_indexes). | false | false | None | None | None | ### ttl_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `state` | (Output) The state of TTL (time-to-live) configuration for documents that have this Field set. | false | false | None | None | None | ### indexes Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `query_scope` | The scope at which a query is run. Collection scoped queries require you specify the collection at query time. Collection group scope allows queries across all collections with the same id. Default value is `COLLECTION`. Possible values are: `COLLECTION`, `COLLECTION_GROUP`. | false | false | None | None | None | diff --git a/docs/gcp/Firestore/firestore_index.md b/docs/gcp/Firestore/firestore_index.md index e5ef4d936..0dbbfa7c7 100644 --- a/docs/gcp/Firestore/firestore_index.md +++ b/docs/gcp/Firestore/firestore_index.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – firestore_index](https://registry.terraform.i --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `collection` | The collection being indexed. | true | false | None | None | None | @@ -21,7 +20,6 @@ Reference: [Terraform Registry – firestore_index](https://registry.terraform.i | `vector_config` | | false | false | None | None | None | ### fields Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `field_path` | Name of the field. | false | false | None | None | None | @@ -30,7 +28,6 @@ Reference: [Terraform Registry – firestore_index](https://registry.terraform.i | `vector_config` | Indicates that this field supports vector search operations. Only one of `order`, `arrayConfig`, and `vectorConfig` can be specified. Vector Fields should come after the field path `__name__`. Structure is [documented below](#nested_fields_fields_vector_config). | false | false | None | None | None | ### vector_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `dimension` | The resulting index will only include vectors of this dimension, and can be used for vector search with the same dimension. | false | false | None | None | None | diff --git a/docs/gcp/Google_Cloud_Managed_Lustre/lustre_instance.md b/docs/gcp/Google_Cloud_Managed_Lustre/lustre_instance.md index bd3bb4f62..608a31798 100644 --- a/docs/gcp/Google_Cloud_Managed_Lustre/lustre_instance.md +++ b/docs/gcp/Google_Cloud_Managed_Lustre/lustre_instance.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – lustre_instance](https://registry.terraform.i --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `capacity_gib` | The storage capacity of the instance in gibibytes (GiB). Allowed values are from `18000` to `954000`, in increments of 9000. | false | false | None | None | None | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_active_directory.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_active_directory.md index b1d2b2805..d8f905e6a 100644 --- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_active_directory.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_active_directory.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_active_directory](https://registry.ter --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `domain` | Fully qualified domain name for the Active Directory domain. | true | true | Ensures join operations target the trusted domain. | deakin.internal | ad.internal | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup.md index bdf6d6fa7..b212c0016 100644 --- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_backup](https://registry.terraform.io/ --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | Region of the backup resource. | true | true | Data residency and compliance. | australia-southeast2 | us-central1 | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_policy.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_policy.md index 02a13e028..c5e3b4fdc 100644 --- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_policy.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_policy.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_backup_policy](https://registry.terraf --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `daily_backup_limit` | Number of daily backups to retain (minimum 2). | true | true | Defines baseline retention to support recovery objectives. | 7 | 1 | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_vault.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_vault.md index 20de7e941..fb6351092 100644 --- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_vault.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_vault.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_backup_vault](https://registry.terrafo --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | Region where the backup vault is created. | true | true | Controls data residency and compliance for where backups are stored. | australia-southeast2 | us-central1 | @@ -20,7 +19,6 @@ Reference: [Terraform Registry – netapp_backup_vault](https://registry.terrafo | `project` | If it is not provided, the provider project is used. | false | false | None | None | None | ### backup_retention_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `backup_minimum_enforced_retention_days` | Minimum retention duration in days for backups in the backup vault. | true | false | None | None | None | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_kmsconfig.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_kmsconfig.md index 7e66e40f8..7346ce840 100644 --- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_kmsconfig.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_kmsconfig.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_kmsconfig](https://registry.terraform. --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `crypto_key_name` | Resource name of the regional CMEK key. | true | true | Encrypts data with an approved customer-managed key. | projects/deakin-lab-123/locations/australia-southeast2/keyRings/netapp-kr/cryptoKeys/netapp-cmek | projects/other-proj/locations/us-central1/keyRings/kr/cryptoKeys/key | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_storage_pool.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_storage_pool.md index fc47ab550..25040eb4b 100644 --- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_storage_pool.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_storage_pool.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_storage_pool](https://registry.terrafo --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_level` | Service level of the storage pool. Possible values are: `PREMIUM`, `EXTREME`, `STANDARD`, `FLEX`. | true | false | None | None | None | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume.md index 4a933c5d6..6b2d8d4fa 100644 --- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/ --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `share_name` | Share name (SMB) or export path (NFS) of the volume. Needs to be unique per location. | true | false | None | None | None | 
@@ -41,20 +40,17 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/ | `monthly_schedule` | | false | false | None | None | None | ### export_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `rules` | Export rules (up to 5) control NFS volume access. Structure is [documented below](#nested_export_policy_rules). | true | false | None | None | None | ### restore_parameters Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source_snapshot` | Full name of the snapshot to use for creating this volume. `source_snapshot` and `source_backup` cannot be used simultaneously. Format: `projects/{{project}}/locations/{{location}}/volumes/{{volume}}/snapshots/{{snapshot}}`. | false | false | None | None | None | | `source_backup` | Full name of the backup to use for creating this volume. `source_snapshot` and `source_backup` cannot be used simultaneously. Format: `projects/{{project}}/locations/{{location}}/backupVaults/{{backupVaultId}}/backups/{{backup}}`. | false | false | None | None | None | ### snapshot_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enabled` | Enables automated snapshot creation according to defined schedule. Default is false. To disable automatic snapshot creation you have to remove the whole snapshot_policy block. | false | false | None | None | None | 
@@ -64,7 +60,6 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/ | `monthly_schedule` | Monthly schedule policy. Structure is [documented below](#nested_snapshot_policy_monthly_schedule). | false | false | None | None | None | ### backup_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `backup_policies` | Specify a single backup policy ID for scheduled backups. Format: `projects/{{projectId}}/locations/{{location}}/backupPolicies/{{backupPolicyName}}` | false | false | None | None | None | @@ -72,7 +67,6 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/ | `scheduled_backup_enabled` | When set to true, scheduled backup is enabled on the volume. Omit if no backup_policy is specified. | false | false | None | None | None | ### tiering_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cooling_threshold_days` | Optional. Time in days to mark the volume's data block as cold and make it eligible for tiering, can be range from 2-183. Default is 31. | false | false | None | None | None | 
@@ -80,7 +74,6 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/ | `hot_tier_bypass_mode_enabled` | , [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Optional. Flag indicating that the hot tier bypass mode is enabled. Default is false. Only applicable to Flex service level. | false | false | None | None | None | ### hybrid_replication_parameters Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `replication` | Required. Desired name for the replication of this volume. | false | false | None | None | None | @@ -93,7 +86,6 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/ | `labels` | Optional. Labels to be added to the replication as the key value pairs. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. | false | false | None | None | None | ### rules Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allowed_clients` | Defines the client ingress specification (allowed clients) as a comma separated list with IPv4 CIDRs or IPv4 host addresses. | false | false | None | None | None | 
@@ -109,14 +101,12 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/ | `kerberos5p_read_write` | If enabled (true) the rule defines read and write access for clients matching the 'allowedClients' specification. It enables nfs clients to mount using 'privacy' kerberos security mode. The 'kerberos5pReadOnly' value is ignored if this is enabled. | false | false | None | None | None | ### hourly_schedule Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `snapshots_to_keep` | The maximum number of snapshots to keep for the hourly schedule. | true | false | None | None | None | | `minute` | Set the minute of the hour to create the snapshot (0-59), defaults to the top of the hour (0). | false | false | None | None | None | ### daily_schedule Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `snapshots_to_keep` | The maximum number of snapshots to keep for the daily schedule. | true | false | None | None | None | @@ -124,7 +114,6 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/ | `hour` | Set the hour to create the snapshot (0-23), defaults to midnight (0). | false | false | None | None | None | ### weekly_schedule Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `snapshots_to_keep` | The maximum number of snapshots to keep for the weekly schedule. | true | false | None | None | None | 
@@ -133,7 +122,6 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/ | `day` | Set the day or days of the week to make a snapshot. Accepts a comma separated days of the week. Defaults to 'Sunday'. | false | false | None | None | None | ### monthly_schedule Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `snapshots_to_keep` | The maximum number of snapshots to keep for the monthly schedule | true | false | None | None | None | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_quota_rule.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_quota_rule.md index 05bddbb54..45e8266b8 100644 --- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_quota_rule.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_quota_rule.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_volume_quota_rule](https://registry.te --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `type` | Types of Quota Rule. Possible values are: `INDIVIDUAL_USER_QUOTA`, `INDIVIDUAL_GROUP_QUOTA`, `DEFAULT_USER_QUOTA`, `DEFAULT_GROUP_QUOTA`. | true | false | None | None | None | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_replication.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_replication.md index dcc6fba49..90b3057c8 100644 --- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_replication.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_replication.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_volume_replication](https://registry.t --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `replication_schedule` | Replication interval. | true | true | Controls RPO to meet policy (e.g., ≥ hourly). | EVERY_10_MINUTES | DAILY | @@ -25,7 +24,6 @@ Reference: [Terraform Registry – netapp_volume_replication](https://registry.t | `tiering_policy` | | false | false | None | None | None | ### destination_volume_parameters Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `storage_pool` | Name of an existing storage pool for the destination volume with format: `projects/{{project}}/locations/{{location}}/storagePools/{{poolId}}` | true | false | None | None | None | @@ -35,7 +33,6 @@ Reference: [Terraform Registry – netapp_volume_replication](https://registry.t | `tiering_policy` | Tiering policy for the volume. Structure is [documented below](#nested_destination_volume_parameters_tiering_policy). | false | false | None | None | None | ### tiering_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cooling_threshold_days` | Optional. Time in days to mark the volume's data block as cold and make it eligible for tiering, can be range from 2-183. Default is 31. | false | false | None | None | None | diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_snapshot.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_snapshot.md index fd6675cef..56a8bfde0 100644 
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_snapshot.md +++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_snapshot.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – netapp_volume_snapshot](https://registry.terr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | Region where the snapshot is created. | true | true | Residency/compliance. | australia-southeast2 | us-central1 | diff --git a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_cluster.md b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_cluster.md index 08f035df0..b49ad3977 100644 --- a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_cluster.md +++ b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_cluster.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `fleet` | Fleet related configuration. Fleets are a Google Cloud concept for logically organizing clusters, letting you use and manage multi-cluster capabilities and apply consistent policies across your systems. | true | true | Proper fleet configuration ensures clusters are organized in a secure and manageable way with consistent policy enforcement. | Properly formatted project reference using project number | Hardcoded project numbers or incorrect formatting | 
@@ -34,14 +33,12 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra | `ingress` | Ingress add-on configuration for external access to cluster services. | false | true | Ingress configuration controls external access to cluster services and significantly impacts the cluster's security posture. | Properly secured ingress configuration | Misconfigured or overly permissive ingress settings | ### fleet Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | The name of the Fleet host project where this cluster will be registered. Project names are formatted as `projects/`. | true | true | Correct project reference format ensures proper cluster registration and management within the intended fleet. | projects/1234567890 | projects/gdce-dev (using project ID instead of number) | | `membership` | (Output) The name of the managed Hub Membership resource associated to this cluster. Membership names are formatted as `projects//locations/global/membership/`. | false | false | Output-only field used for tracking cluster membership, no security impact. | None | None | ### networking Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cluster_ipv4_cidr_blocks` | All pods in the cluster are assigned an RFC1918 IPv4 address from these blocks. Only a single block is supported. This field cannot be changed after creation. | true | true | Properly scoped CIDR blocks prevent overly permissive network access between pods. | 10.0.0.0/16 | 0.0.0.0/0 | 
@@ -51,45 +48,38 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra | `network_type` | (Output) IP addressing type of this cluster i.e. SINGLESTACK_V4 vs DUALSTACK_V4_V6. | false | false | Output-only field indicating network configuration type, no security impact. | None | None | ### authorization Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `admin_users` | User that will be granted the cluster-admin role on the cluster, providing full access to the cluster. Currently, this is a singular field, but will be expanded to allow multiple admins in the future. | true | true | Admin users should be properly vetted and authorized individuals with valid organizational email addresses. | authorized.user@company.com | invalid@example.com | ### maintenance_policy Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `window` | Specifies the maintenance window in which maintenance may be performed. | true | true | Maintenance windows should be scheduled during low-usage periods with proper recurrence patterns. | Properly configured recurring window | Missing or improperly configured window | | `maintenance_exclusions` | Exclusions to automatic maintenance. Non-emergency maintenance should not occur in these windows. Each exclusion has a unique name and may be active or expired. The max number of maintenance exclusions allowed at a given time is 3. | false | true | Maintenance exclusions prevent updates during critical business periods but should be used judiciously. 
| Properly defined exclusions with unique IDs | Excessive or improperly configured exclusions | ### window Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `recurring_window` | Represents an arbitrary window of time that recurs. | true | true | Recurring windows provide predictable maintenance schedules that can be planned around. | Properly configured recurrence pattern | Missing or invalid recurrence pattern | ### maintenance_exclusions Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | A unique (per cluster) id for the window. | false | true | Unique IDs ensure proper tracking and management of maintenance exclusions. | unique-exclusion-id-001 | Duplicate or missing IDs | ### control_plane Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `remote` | Remote control plane configuration. | false | true | Remote control plane location impacts latency, availability, and data residency. | Properly configured edge zone location | Unapproved or insecure locations | | `local` | Local control plane configuration. | false | true | Local control plane configuration impacts high availability, resource isolation, and deployment policies. 
| Proper node count (1 or 3) with appropriate machine filtering | Invalid node count or overly permissive machine filters | ### remote Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `node_location` | Name of the Google Distributed Cloud Edge zones where this node pool will be created. For example: `us-central1-edge-customer-a`. | false | true | Node location should be in approved zones that meet data residency and performance requirements. | us-central1-edge-customer-a | Unapproved or restricted locations | ### local Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `node_location` | Name of the Google Distributed Cloud Edge zones where this node pool will be created. For example: `us-central1-edge-customer-a`. | false | true | Node location should be in approved zones that meet data residency and performance requirements. | us-central1-edge-customer-a | Unapproved or restricted locations | 
@@ -98,20 +88,17 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra | `shared_deployment_policy` | Policy configuration about how user applications are deployed. Possible values are: `SHARED_DEPLOYMENT_POLICY_UNSPECIFIED`, `ALLOWED`, `DISALLOWED`. | false | true | Shared deployment policy controls whether user applications can run on control plane nodes, impacting security isolation. | DISALLOWED | ALLOWED (reduces security isolation) | ### system_addons_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `ingress` | Config for the Ingress add-on which allows customers to create an Ingress object to manage external access to the servers in a cluster. The add-on consists of istiod and istio-ingress. | false | true | Ingress configuration controls external access to cluster services and should be properly secured. | Properly configured ingress with secure VIP settings | Misconfigured or overly permissive ingress settings | ### ingress Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disabled` | Whether Ingress is disabled. | false | true | Disabling ingress when not needed reduces attack surface. | true (when external access not required) | false (when external access not properly secured) | | `ipv4_vip` | Ingress VIP. | false | true | Ingress VIP should use properly scoped IP addresses to prevent unauthorized access. | 192.168.1.100 | 0.0.0.0 (overly permissive) | ### control_plane_encryption Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kms_key` | The Cloud KMS CryptoKey e.g. 
projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey} to use for protecting control plane disks. If not specified, a Google-managed key will be used instead. | false | true | Customer-managed keys provide better control over encryption and access policies. | projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key | Missing or improperly formatted KMS key reference | 
@@ -120,39 +107,33 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra | `kms_status` | (Output) Error status returned by Cloud KMS when using this key. This field may be populated only if `kms_key_state` is not `KMS_KEY_STATE_KEY_AVAILABLE`. If populated, this field contains the error status reported by Cloud KMS. | false | false | Output-only field for KMS error status, no security impact. | None | None | ### admin_users Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `username` | An active Google username. | true | true | Admin usernames should be valid organizational accounts with proper authorization. | authorized.user@company.com | invalid@example.com | ### window Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `recurring_window` | Represents an arbitrary window of time that recurs. | true | true | Recurring windows provide predictable maintenance schedules that can be planned around. | Properly configured recurrence pattern | Missing or invalid recurrence pattern | ### recurring_window Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `window` | Represents an arbitrary window of time. | false | true | Window timing should align with business low-usage periods to minimize impact. | Proper start and end times during low-usage periods | Window during peak business hours | | `recurrence` | An RRULE (https://tools.ietf.org/html/rfc5545#section-3.8.5.3) for how this window recurs. They go on for the span of time between the start and end time. 
| false | true | Proper recurrence patterns ensure maintenance occurs at predictable intervals. | FREQ=WEEKLY;BYDAY=SA | Missing or invalid recurrence pattern | ### maintenance_exclusions Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `window` | Represents an arbitrary window of time. | false | true | Exclusion windows should be properly defined to prevent maintenance during critical periods. | Properly defined exclusion period | Overly broad exclusion windows | | `id` | A unique (per cluster) id for the window. | false | true | Unique IDs ensure proper tracking and management of maintenance exclusions. | unique-exclusion-id-001 | Duplicate or missing IDs | ### remote Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `node_location` | Name of the Google Distributed Cloud Edge zones where this node pool will be created. For example: `us-central1-edge-customer-a`. | false | true | Remote node location should be in approved zones that meet security and compliance requirements. | us-central1-edge-customer-a | Unapproved or restricted edge zones | ### local Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `node_location` | Name of the Google Distributed Cloud Edge zones where this node pool will be created. For example: `us-central1-edge-customer-a`. | false | true | Local node location should be in approved zones that meet security and compliance requirements. | us-central1-edge-customer-a | Unapproved or restricted edge zones | 
@@ -161,7 +142,6 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra | `shared_deployment_policy` | Policy configuration about how user applications are deployed. Possible values are: `SHARED_DEPLOYMENT_POLICY_UNSPECIFIED`, `ALLOWED`, `DISALLOWED`. | false | true | Shared deployment policy controls whether user applications can run on control plane nodes, impacting security isolation and attack surface. | DISALLOWED | ALLOWED (reduces security isolation) | ### ingress Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disabled` | Whether Ingress is disabled. | false | true | Disabling ingress when not needed reduces the attack surface and prevents unauthorized external access. | true (when external access not required) | false (when external access is not properly secured) | diff --git a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_node_pool.md b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_node_pool.md index a7b518232..d9dcd0581 100644 --- a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_node_pool.md +++ b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_node_pool.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – edgecontainer_node_pool](https://registry.ter --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `node_location` | Name of the Google Distributed Cloud Edge zone where this node pool will be created. For example: `us-central1-edge-customer-a`. | true | true | Node location determines the physical and geographical placement of nodes, impacting data residency, latency, and compliance with regional regulations. | us-central1-edge-customer-a (approved zone) | Unapproved or restricted edge zones | @@ -22,7 +21,6 @@ Reference: [Terraform Registry – edgecontainer_node_pool](https://registry.ter | `project` | If it is not provided, the provider project is used. | false | true | Project selection impacts resource isolation, billing accountability, and access control boundaries. | Proper project reference | Incorrect or unauthorized project | ### local_disk_encryption Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kms_key` | The Cloud KMS CryptoKey e.g. projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey} to use for protecting node local disks. If not specified, a Google-managed key will be used instead. | false | true | Customer-managed keys provide better control over encryption policies, access controls, and key rotation procedures. | projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key | Missing or improperly formatted KMS key reference | 
@@ -30,7 +28,6 @@ Reference: [Terraform Registry – edgecontainer_node_pool](https://registry.ter | `kms_key_state` | (Output) Availability of the Cloud KMS CryptoKey. If not KEY_AVAILABLE, then nodes may go offline as they cannot access their local data. This can be caused by a lack of permissions to use the key, or if the key is disabled or deleted. | false | false | Output-only field indicating key status, no security impact. | None | None | ### node_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | The Kubernetes node labels. | false | true | Node labels enable proper workload placement, security zoning, and resource management based on security requirements. | security-zone=restricted, environment=production | Missing security labels or incorrect labeling that could lead to improper workload placement | diff --git a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_vpn_connection.md b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_vpn_connection.md index 1621a6a71..5f83f5e42 100644 --- a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_vpn_connection.md +++ b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_vpn_connection.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – edgecontainer_vpn_connection](https://registr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cluster` | The canonical Cluster name to connect to. It is in the form of projects/{project}/locations/{location}/clusters/{cluster}. | true | true | Proper cluster reference ensures the VPN connection is established with the correct, authorized cluster with appropriate security controls. | projects/my-project/locations/us-central1/clusters/my-cluster | Incorrect or unauthorized cluster reference | @@ -22,7 +21,6 @@ Reference: [Terraform Registry – edgecontainer_vpn_connection](https://registr | `project` | If it is not provided, the provider project is used. | false | true | Project selection impacts resource isolation, billing accountability, and access control boundaries for the VPN connection. | Proper project reference | Incorrect or unauthorized project | ### vpc_project Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project_id` | The project of the VPC to connect to. If not specified, it is the same as the cluster project. | false | true | Project ID must reference an authorized project with proper security controls and network policies. | authorized-vpc-project | Unauthorized or incorrect project reference | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_app_engine_service_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_app_engine_service_iam.md index 34602cb43..48d5b2347 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_app_engine_service_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_app_engine_service_iam.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_app_engine_service_iam](https://registry. --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `app_id` | App Engine application ID used in the IAP resource path (typically the project ID). Identifies which App Engine app’s service IAM is being managed. | true | true | Must point to the correct application; mis-scoping could attach IAM to the wrong app. | app_id = "my-gcp-project" | app_id = "" | @@ -19,7 +18,6 @@ Reference: [Terraform Registry – iap_app_engine_service_iam](https://registry. | `condition` | Optional IAM Condition block to scope the binding (for example, by host/path/time/device). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OnlyProd" expression = "request.host == 'app.example.com'" description = "Limit to prod host" } | condition { } (missing required fields) or an empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_app_engine_version_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_app_engine_version_iam.md index 69670c53b..048250b48 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_app_engine_version_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_app_engine_version_iam.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_app_engine_version_iam](https://registry. --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `app_id` | App Engine application ID used in the IAP resource path (typically the project ID). Identifies which App Engine app’s **version** IAM is managed. | true | true | Must point to the correct application; mis-scoping could attach IAM to the wrong app. | app_id = "my-gcp-project" | app_id = "" | @@ -20,7 +19,6 @@ Reference: [Terraform Registry – iap_app_engine_version_iam](https://registry. | `condition` | Optional IAM Condition block to scope the binding (for example, by host/path/time/device). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OnlyProd" expression = "request.host == 'app.example.com'" description = "Limit to prod host" } | condition { } (missing required fields) or an empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_brand.md b/docs/gcp/Identity-Aware_Proxy/iap_brand.md index f6076b7ad..26eea520e 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_brand.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_brand.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_brand](https://registry.terraform.io/prov --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `support_email` | Support email displayed on the OAuth consent screen. Can be a user or group email. If a user email is specified, the caller must be that user. If a group email is specified, the caller can be a user or a service account that owns the group in Cloud Identity. | true | true | A corporate mailbox helps users reach the right owner and prevents phishing/confusion from public/vendor addresses. | support_email = "support@example.com" | support_email = "support@gmail.com" / "help@vendor.io" / "support@example.com " | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_client.md b/docs/gcp/Identity-Aware_Proxy/iap_client.md index a9296c049..1af95fa46 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_client.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_client.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_client](https://registry.terraform.io/pro --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | Human-friendly name shown for the OAuth client. | true | true | Clear, production-ready names reduce user confusion on the consent screen and avoid test/generic labels. | display_name = "Customer Portal OAuth Client" | display_name = "Test" / "Demo" / "App" / "Customer Portal OAuth Client " (trailing space) | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_settings.md b/docs/gcp/Identity-Aware_Proxy/iap_settings.md index 1fc2e3be2..0b76eb61c 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_settings.md 
+++ b/docs/gcp/Identity-Aware_Proxy/iap_settings.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The resource name of the IAP protected resource. Name can have below resources: * organizations/{organization_id} * folders/{folder_id} * projects/{project_id} * projects/{project_id}/iap_web * projects/{project_id}/iap_web/compute * projects/{project_id}/iap_web/compute-{region} * projects/{project_id}/iap_web/compute/services/{service_id} * projects/{project_id}/iap_web/compute-{region}/services/{service_id} * projects/{project_id}/iap_web/appengine-{app_id} * projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id} * projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id} | true | true | This path defines which surface is protected by the settings. A wrong or malformed name applies settings to the wrong scope. | name = "projects/my-gcp-project/iap_web" or "projects/my-gcp-project/iap_web/appengine-myapp/services/default" | name = "projects/my-gcp-project" (missing iap_web segment) or "projects/my-gcp-project/iap_web/compute/services/" (empty service_id) | 
@@ -25,7 +24,6 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `attribute_propagation_settings` | | false | false | None | None | None | ### access_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gcip_settings` | GCIP claims and endpoint configurations for 3p identity providers. * Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application. Structure is [documented below](#nested_access_settings_gcip_settings). | false | false | None | None | None | 
@@ -37,14 +35,12 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `identity_sources` | Identity sources that IAP can use to authenticate the end user. Only one identity source can be configured. The possible values are: * `WORKFORCE_IDENTITY_FEDERATION`: Use external identities set up on Google Cloud Workforce Identity Federation. Each value may be one of: `WORKFORCE_IDENTITY_FEDERATION`. | false | false | None | None | None | ### allowed_domains_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `domains` | List of trusted domains. | false | true | Restrict sign-in to the corporate domain only. | domains = ["example.com"] | domains = ["*"], ["gmail.com"], ["yahoo.com"] | | `enable` | Configuration for customers to opt in for the feature. | false | true | Allowed Domains must be enabled to take effect. | enable = true | enable = false | ### application_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `csm_settings` | Settings to configure IAP's behavior for a service mesh. Structure is [documented below](#nested_application_settings_csm_settings). | false | false | None | None | None | 
@@ -53,27 +49,23 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `attribute_propagation_settings` | Settings to configure attribute propagation. Structure is [documented below](#nested_application_settings_attribute_propagation_settings). | false | false | None | None | None | ### gcip_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `tenant_ids` | GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string beginning with a number character to indicate authenticating with GCIP tenant flow, or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow is used, tenantIds should only contain one single element, while for tenant flow, tenantIds can contain multiple elements. | false | false | None | None | None | | `login_page_uri` | Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it could be overridden at the sub resource level. | false | false | None | None | None | ### cors_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_http_options` | Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests. | false | false | None | None | None | ### oauth_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `login_hint` | Domain hint to send as hd=? parameter in OAuth request flow. Enables redirect to primary IDP by skipping Google's login screen. 
(https://developers.google.com/identity/protocols/OpenIDConnect#hd-param) Note: IAP does not verify that the id token's hd claim matches this value since access behavior is managed by IAM policies. * loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain. | false | false | None | None | None | | `programmatic_clients` | List of client ids allowed to use IAP programmatically. | false | false | None | None | None | ### reauth_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `method` | Reauth method requested. The possible values are: * `LOGIN`: Prompts the user to log in again. * `SECURE_KEY`: User must use their secure key 2nd factor device. * `ENROLLED_SECOND_FACTORS`: User can use any enabled 2nd factor. Possible values are: `LOGIN`, `SECURE_KEY`, `ENROLLED_SECOND_FACTORS`. | true | false | None | None | None | 
@@ -81,21 +73,18 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `policy_type` | How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. The possible values are: * `MINIMUM`: This policy acts as a minimum to other policies, lower in the hierarchy. Effective policy may only be the same or stricter. * `DEFAULT`: This policy acts as a default if no other reauth policy is set. Possible values are: `MINIMUM`, `DEFAULT`. | true | false | None | None | None | ### allowed_domains_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `domains` | List of trusted domains. | false | true | Restrict sign-in to the corporate domain only. | domains = ["example.com"] | domains = ["*"], ["gmail.com"], ["yahoo.com"] | | `enable` | Configuration for customers to opt in for the feature. | false | true | Allowed Domains must be enabled to take effect. | enable = true | enable = false | ### workforce_identity_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `workforce_pools` | The workforce pool resources. Only one workforce pool is accepted. | false | false | None | None | None | | `oauth2` | OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity federation services. Structure is [documented below](#nested_access_settings_workforce_identity_settings_oauth2). 
| false | false | None | None | None | ### oauth2 Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `client_id` | The OAuth 2.0 client ID registered in the workforce identity federation OAuth 2.0 Server. | false | false | None | None | None | @@ -103,13 +92,11 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `client_secret_sha256` | (Output) Output only. SHA256 hash value for the client secret. This field is returned by IAP when the settings are retrieved. | false | false | None | None | None | ### csm_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `rctoken_aud` | Audience claim set in the generated RCToken. This value is not validated by IAP. | false | false | None | None | None | ### access_denied_page_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `access_denied_page_uri` | The URI to be redirected to when access is denied. | false | false | None | None | None | 
@@ -117,7 +104,6 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `remediation_token_generation_enabled` | Whether to generate remediation token on access denied events to this application. | false | false | None | None | None | ### attribute_propagation_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `output_credentials` | Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. Possible values are: * `HEADER`: Propagate attributes in the headers with "x-goog-iap-attr-" prefix. * `JWT`: Propagate attributes in the JWT of the form: "additional_claims": { "my_attribute": ["value1", "value2"] } * `RCTOKEN`: Propagate attributes in the RCToken of the form: " additional_claims": { "my_attribute": ["value1", "value2"] } Each value may be one of: `HEADER`, `JWT`, `RCTOKEN`. | false | false | None | None | None | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group.md b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group.md index 5c7a93b7e..c64f262e7 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_tunnel_dest_group](https://registry.terra --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `group_name` | Unique tunnel destination group name. | true | true | Clear, unique names avoid misrouting and make reviews/audits easier. | group_name = "corp-admin-tcp" | group_name = "test" / "" / "corp-admin-tcp " (trailing space) | 
diff --git a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group_iam.md index 052f716b4..ef4d0dc8c 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group_iam.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_tunnel_dest_group_iam](https://registry.t --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `region` | Region of the IAP TCP destination group. If omitted, it is parsed from the parent identifier or taken from the provider configuration. | false | true | Ensures the binding is applied in the intended location; a mismatch can grant access in the wrong region. | region = "australia-southeast1" | region = "" or a region that does not match the parent resource | 
@@ -19,7 +18,6 @@ Reference: [Terraform Registry – iap_tunnel_dest_group_iam](https://registry.t | `condition` | Optional IAM Condition block to scope the binding (for example, by source IP, time, or device attributes when evaluated by the proxy). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" description = "Limit tunnel use to office hours" } | condition { } (missing required fields) or an empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.client_ip.startsWith('10.0.')" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_iam.md index c8186b7c8..d88640c28 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_iam.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_tunnel_iam](https://registry.terraform.io --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | If not provided, the project is parsed from the parent identifier; if missing there too, the provider project is used. | false | true | Ensures the binding is applied to the intended tenant; mismatches can grant access in the wrong project. | project = "my-gcp-project" (matches provider/parent context) | project = "other-project" while parent/provider point elsewhere | 
@@ -17,7 +16,6 @@ Reference: [Terraform Registry – iap_tunnel_iam](https://registry.terraform.io | `condition` | Optional IAM Condition to scope the binding (e.g., by source IP, time, or device attributes when evaluated). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" description = "Restrict tunnel use to office hours" } | condition { } (missing required fields) or an empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.client_ip.startsWith('10.0.')" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_instance_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_instance_iam.md index 2f59a706e..b036b993b 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_instance_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_instance_iam.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_tunnel_instance_iam](https://registry.ter --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `zone` | Zone of the Compute Engine instance. If omitted, parsed from the parent identifier; otherwise taken from the provider configuration. | false | true | Must match the instance’s actual zone so the binding targets the correct resource. | zone = "australia-southeast1-b" | zone = "us-central1-a" while the instance is in "australia-southeast1-b" | 
@@ -19,7 +18,6 @@ Reference: [Terraform Registry – iap_tunnel_instance_iam](https://registry.ter | `condition` | Optional IAM Condition to scope the binding (e.g., by source IP, time, or device attributes when evaluated). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" description = "Restrict tunnel use to office hours" } | condition { } (missing required fields) or an empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.client_ip.startsWith('10.0.')" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_backend_service_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_backend_service_iam.md index 5da81722d..3b2bbd414 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_backend_service_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_backend_service_iam.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_web_backend_service_iam](https://registry --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `web_backend_service` | Name of the backend service to bind with IAP Web IAM. | true | true | Scopes the IAM binding to a specific HTTPS backend. Pointing at the wrong service can expose an unintended or sensitive admin surface. | web_backend_service = "orders-edge-iap" | web_backend_service = "grafana" / "kibana" (admin consoles) or empty/typo value | 
@@ -18,7 +17,6 @@ Reference: [Terraform Registry – iap_web_backend_service_iam](https://registry | `condition` | Structure is documented below. --- | false | true | IAM Conditions reduce blast radius by scoping access (time, path/host, device context). | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_cloud_run_service_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_cloud_run_service_iam.md index f721b4e65..fda9a9b42 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_cloud_run_service_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_cloud_run_service_iam.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_web_cloud_run_service_iam](https://regist --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | Region of the Cloud Run service. If omitted, it is parsed from the parent identifier; otherwise taken from the provider configuration. | false | true | Must match the Cloud Run service’s region so the binding targets the correct resource. | location = "australia-southeast1" | location = "us-east1" while the service is deployed in "australia-southeast1" | 
@@ -19,7 +18,6 @@ Reference: [Terraform Registry – iap_web_cloud_run_service_iam](https://regist | `condition` | Optional IAM Condition to scope the binding (e.g., by request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_iam.md index a18ceda49..ebccf4a05 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_iam.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_web_iam](https://registry.terraform.io/pr --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | If not provided, the project is parsed from the parent identifier; if missing there too, the provider project is used. | false | true | Ensures the binding lands in the intended tenant; a mismatch can grant access in the wrong project. | project = "my-gcp-project" (aligned with provider/parent) | project = "other-project" while parent/provider point elsewhere | 
@@ -17,7 +16,6 @@ Reference: [Terraform Registry – iap_web_iam](https://registry.terraform.io/pr | `condition` | Optional IAM Condition to scope the binding (e.g., by request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_region_backend_service_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_region_backend_service_iam.md index 065b54d49..b2a073d36 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_region_backend_service_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_region_backend_service_iam.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_web_region_backend_service_iam](https://r --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `region` | Region of the regional backend service. If omitted, it is parsed from the parent identifier; otherwise taken from the provider configuration. | false | true | Must match the backend’s region so the IAM binding targets the correct regional service. | region = "australia-southeast1" | region = "us-east1" while the backend is in "australia-southeast1" | 
@@ -19,7 +18,6 @@ Reference: [Terraform Registry – iap_web_region_backend_service_iam](https://r | `condition` | Optional IAM Condition to scope the binding (e.g., by request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_type_app_engine_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_type_app_engine_iam.md index 53ef85038..ca995e97a 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_type_app_engine_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_type_app_engine_iam.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_web_type_app_engine_iam](https://registry --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `app_id` | App Engine application ID used in the IAP resource path (projects/{project}/iap_web/appengine-{app_id}). | true | true | Targets the correct App Engine application for the IAP Web IAM binding; a wrong ID can expose or fail to protect the intended app. | app_id = "my-app" | app_id = "" or an ID that does not exist in the project | 
@@ -18,7 +17,6 @@ Reference: [Terraform Registry – iap_web_type_app_engine_iam](https://registry | `condition` | Optional IAM Condition to scope the binding (e.g., by request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_type_compute_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_type_compute_iam.md index ab8b7a1ef..c296fbaef 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_type_compute_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_type_compute_iam.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – iap_web_type_compute_iam](https://registry.te --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | If not provided, the project is parsed from the parent identifier; if missing there too, the provider project is used. | false | true | Ensures the binding lands in the intended tenant; a mismatch can grant access in the wrong project. | project = "my-gcp-project" (aligned with provider/parent) | project = "other-project" while parent/provider point elsewhere | 
@@ -17,7 +16,6 @@ Reference: [Terraform Registry – iap_web_type_compute_iam](https://registry.te | `condition` | Optional IAM Condition to scope the binding (e.g., request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Managed_Kafka/managed_kafka_acl.md b/docs/gcp/Managed_Kafka/managed_kafka_acl.md index a337e9eea..96ff4c70b 100644 --- a/docs/gcp/Managed_Kafka/managed_kafka_acl.md +++ b/docs/gcp/Managed_Kafka/managed_kafka_acl.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – managed_kafka_acl](https://registry.terraform --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `acl_entries` | The acl entries that apply to the resource pattern. The maximum number of allowed entries is 100. Structure is [documented below](#nested_acl_entries). | true | true | ACLs are used to control access to Kafka resources, ensuring that only authorized users can perform specific operations. Properly configured ACLs help maintain the security and integrity of the Kafka environment by preventing unauthorized access and potential data breaches. | ['User:specific-user@project.iam.gserviceaccount.com', 'permission_type: ALLOW', 'operation: READ or WRITE'] | ['User:*', 'permission_type: ALLOW', 'operation: ALL'] | 
@@ -17,7 +16,6 @@ Reference: [Terraform Registry – managed_kafka_acl](https://registry.terraform | `project` | If it is not provided, the provider project is used. | false | false | Project identifier used for resource scoping; does not define security posture of the resource. | none | none | ### acl_entries Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `principal` | The principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users. | true | true | Specifying the principal is crucial for defining who has access to Kafka resources. Using specific user accounts enhances security by limiting access to authorized individuals, while using wildcards can expose resources to unauthorized access. | ['User:app-client@project.iam.gserviceaccount.com'] | ['User:*'] | diff --git a/docs/gcp/Managed_Kafka/managed_kafka_cluster.md b/docs/gcp/Managed_Kafka/managed_kafka_cluster.md index 2d79ec935..da323d531 100644 --- a/docs/gcp/Managed_Kafka/managed_kafka_cluster.md +++ b/docs/gcp/Managed_Kafka/managed_kafka_cluster.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – managed_kafka_cluster](https://registry.terra --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gcp_config` | Configuration properties for a Kafka cluster deployed to Google Cloud Platform. | true | true | Defines networking and encryption aspects that directly affect cluster confidentiality and access controls. | ['Internal subnets defined', 'KMS key specified'] | ['Public access', 'Missing KMS key'] | 
@@ -16,28 +15,24 @@ Reference: [Terraform Registry – managed_kafka_cluster](https://registry.terra
 | `network_configs` | Defines the subnets where the Kafka cluster is accessible. | true | true | Improper subnet configuration can expose cluster externally. | ['Private subnet from secure VPC'] | ['Public subnet or undefined'] |

 ### gcp_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `access_config` | The configuration of access to the Kafka cluster. | true | true | Improper access can expose internal systems. | ['Restricts access to internal subnets'] | ['Open public access'] |
 | `kms_key` | The Cloud KMS Key name to use for encryption. | false | true | Ensures data-at-rest encryption compliance. | ['Valid CMK from same-region KMS'] | ['KMS not used or wrongly scoped'] |

 ### capacity_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `vcpu_count` | The number of vCPUs to provision for the cluster. The minimum is 3. | true | true | Low vCPU count may affect availability under load. | ['3 or more vCPUs'] | ['< 3 vCPUs'] |
 | `memory_bytes` | The memory to provision for the cluster in bytes (1 GiB to 8 GiB per vCPU). | true | true | Too little or too much memory allocation can destabilize workloads. | ['Between 1-8 GiB per vCPU'] | ['Outside supported range'] |

 ### tls_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `trust_config` | The configuration of the broker truststore. | false | true | Validates identities through certificate chains. 
| ['Defined with trusted CA pools'] | ['Omitted or invalid trust store'] |
 | `ssl_principal_mapping_rules` | Rules for mapping mTLS certificate DNs to principal names for Kafka ACLs. | false | true | Weak or default rules may allow identity spoofing. | ['Explicit mapping using regex'] | ['Defaults or overly broad patterns'] |

 ### network_configs Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `subnet` | Name of the VPC subnet. | true | true | Subnets influence traffic routing and access visibility. | ['Private subnet in isolated VPC'] | ['Untrusted or shared subnet'] |
diff --git a/docs/gcp/Managed_Kafka/managed_kafka_connect_cluster.md b/docs/gcp/Managed_Kafka/managed_kafka_connect_cluster.md
index c762048f7..3714136f7 100644
--- a/docs/gcp/Managed_Kafka/managed_kafka_connect_cluster.md
+++ b/docs/gcp/Managed_Kafka/managed_kafka_connect_cluster.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – managed_kafka_connect_cluster](https://regist
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `kafka_cluster` | The name of the Kafka cluster this Kafka Connect cluster is attached to. Structured like: `projects/PROJECT_ID/locations/LOCATION/clusters/CLUSTER_ID`. | true | false | Used for attachment reference; does not directly impact access or data protection. | [] | [] |
@@ -21,26 +20,22 @@ Reference: [Terraform Registry – managed_kafka_connect_cluster](https://regist
 | `network_configs` | | false | true | Defines networking for PSC interfaces, which affect secure access. | ['Primary and additional subnets from approved VPC'] | ['No subnet or misconfigured region/VPC'] |

 ### capacity_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `vcpu_count` | The number of vCPUs to provision for the cluster. The minimum is 3. | true | false | Affects performance but not confidentiality or integrity. | ['3 or more vCPUs'] | ['Less than 3 vCPUs'] |
 | `memory_bytes` | The memory to provision for the cluster. CPU:Memory ratio must be between 1:1 and 1:8. | true | false | Availability concern rather than access/security. | ['Ratio within 1:1 to 1:8'] | ['Outside defined ratio'] |

 ### gcp_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `access_config` | Access configuration for the Kafka Connect cluster. | true | true | Controls how the Connect cluster is accessed. Improper setup risks exposure. | ['Subnets from secure VPC only'] | ['Public or overly permissive settings'] |

 ### access_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `network_configs` | VPC subnets used for Kafka Connect cluster. | true | true | Defines network isolation. Insecure subnet increases exposure. 
| ['Private subnets with PSC'] | ['Public subnets'] |

 ### network_configs Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `primary_subnet` | Primary VPC subnet used for PSC interface. | true | true | Defines where traffic is routed from/to. Impacts exposure level. | ['Private RFC1918 subnet with /22 or larger'] | ['Shared or public subnets', 'CIDR < /22'] |
diff --git a/docs/gcp/Managed_Kafka/managed_kafka_connector.md b/docs/gcp/Managed_Kafka/managed_kafka_connector.md
index d0501d234..cfd94797b 100644
--- a/docs/gcp/Managed_Kafka/managed_kafka_connector.md
+++ b/docs/gcp/Managed_Kafka/managed_kafka_connector.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – managed_kafka_connector](https://registry.ter
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | ID of the location of the Kafka Connect resource. | true | false | Defines geographic location; does not affect access or data protection. | none | none |
@@ -18,7 +17,6 @@ Reference: [Terraform Registry – managed_kafka_connector](https://registry.ter
 | `project` | If it is not provided, the provider project is used. | false | false | Resource scoping identifier; does not influence security directly. | none | none |

 ### task_restart_policy Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `minimum_backoff` | Minimum time to wait before retrying a failed task. Example: "3.5s". | false | false | Availability-related; does not directly influence security posture. | [] | [] |
diff --git a/docs/gcp/Managed_Kafka/managed_kafka_topic.md b/docs/gcp/Managed_Kafka/managed_kafka_topic.md
index 96300ff47..2a4a6d533 100644
--- a/docs/gcp/Managed_Kafka/managed_kafka_topic.md
+++ b/docs/gcp/Managed_Kafka/managed_kafka_topic.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – managed_kafka_topic](https://registry.terrafo
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `replication_factor` | The number of replicas of each partition. A replication factor of 3 is recommended for high availability. | true | true | Ensures data availability and fault tolerance. Lower replication factors increase the risk of data loss during failures. | ['replication_factor: 3 or more'] | ['replication_factor: 1'] |
diff --git a/docs/gcp/Memcache/memcache_instance.md b/docs/gcp/Memcache/memcache_instance.md
index 92a5cf350..1cf70530a 100644
--- a/docs/gcp/Memcache/memcache_instance.md
+++ b/docs/gcp/Memcache/memcache_instance.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – memcache_instance](https://registry.terraform
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | The resource name of the instance. | true | false | None | None | None |
@@ -25,21 +24,18 @@ Reference: [Terraform Registry – memcache_instance](https://registry.terraform
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |

 ### node_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cpu_count` | Number of CPUs per node. | true | false | None | None | None |
 | `memory_size_mb` | Memory size in Mebibytes for each memcache node. | true | false | None | None | None |

 ### memcache_parameters Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | (Output) This is a unique ID associated with this set of parameters. | false | false | None | None | None |
 | `params` | User-defined set of parameters to use in the memcache process. | false | false | None | None | None |

 ### maintenance_policy Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `create_time` | (Output) Output only. The time when the policy was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits | false | false | None | None | None |
@@ -48,7 +44,6 @@ Reference: [Terraform Registry – memcache_instance](https://registry.terraform
 | `weekly_maintenance_window` | Required. Maintenance window that is applied to resources covered by this policy. Minimum 1. For the current version, the maximum number of weekly_maintenance_windows is expected to be one. Structure is [documented below](#nested_maintenance_policy_weekly_maintenance_window). | true | true | Setting a weekly maintenance window allows administrators to align system updates with low-traffic periods, minimizing operational impact and ensuring service stability. | None | None |

 ### weekly_maintenance_window Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `day` | Day of the week when the maintenance window starts (e.g., MONDAY, SUNDAY). | true | false | Selecting an appropriate day ensures maintenance does not disrupt peak traffic periods. | ['MONDAY', 'TUESDAY', 'WEDNESDAY', 'THURSDAY', 'FRIDAY', 'SATURDAY', 'SUNDAY'] | [None, '', 'DAY_OF_WEEK_UNSPECIFIED', 3] |
@@ -56,10 +51,9 @@ Reference: [Terraform Registry – memcache_instance](https://registry.terraform
 | `duration` | Duration of the maintenance window in seconds. | true | false | Specifying the duration ensures that updates are completed within a controlled timeframe. | 10800s to 28800s | None |

 ### start_time Block
-
- | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
- |----------|-------------|----------|-----------------|-----------|-----------|---------------|
- | `hours` | Hour of the day (0-23). | false | false | Correct hour selection ensures updates align with expected downtime periods. | Integer between 0 - 23 | [-1, 24, 'non-integer values'] |
- | `minutes` | Minute of the hour (0-59). | true | false | Precise minute specification helps align maintenance with exact scheduling needs. | Integer between 0 - 59 | [-1, 60, 'non-integer values'] |
- | `seconds` | Second of the minute (0-59). | false | false | Seconds allow fine-grained control of the start time, but usually default to 0. | Integer between 0 - 59 | [-1, 60, 'non-integer values'] |
- | `nanos` | Fractions of a second in nanoseconds (0-999,999,999). | false | false | Nanosecond precision is rarely required for maintenance windows but ensures full compatibility with GCP TimeOfDay format. | 0 | 999999999 |
+ | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+ |----------|-------------|----------|-----------------|-----------|-----------|---------------|
+ | `hours` | Hour of the day (0-23). | false | false | Correct hour selection ensures updates align with expected downtime periods. | Integer between 0 - 23 | [-1, 24, 'non-integer values'] |
+ | `minutes` | Minute of the hour (0-59). | true | false | Precise minute specification helps align maintenance with exact scheduling needs. | Integer between 0 - 59 | [-1, 60, 'non-integer values'] |
+ | `seconds` | Second of the minute (0-59). 
| false | false | Seconds allow fine-grained control of the start time, but usually default to 0. | Integer between 0 - 59 | [-1, 60, 'non-integer values'] |
+ | `nanos` | Fractions of a second in nanoseconds (0-999,999,999). | false | false | Nanosecond precision is rarely required for maintenance windows but ensures full compatibility with GCP TimeOfDay format. | 0 | 999999999 |
diff --git a/docs/gcp/Memorystore/memorystore_instance.md b/docs/gcp/Memorystore/memorystore_instance.md
index fce01afc2..15792e8bf 100644
--- a/docs/gcp/Memorystore/memorystore_instance.md
+++ b/docs/gcp/Memorystore/memorystore_instance.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `shard_count` | Required. Number of shards for the instance. | true | false | None | None | None |
@@ -43,14 +42,12 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf
 | `secondary_instances` | | false | false | None | None | None |

 ### automated_backup_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `fixed_frequency_schedule` | Trigger automated backups at a fixed frequency. Structure is [documented below](#nested_automated_backup_config_fixed_frequency_schedule). | true | false | None | None | None |
 | `retention` | How long to keep automated backups before the backups are deleted. The value should be between 1 day and 365 days. If not specified, the default value is 35 days. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s". The default_value is "3024000s" | true | false | None | None | None |

 ### persistence_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `mode` | Optional. Current persistence mode. Possible values: DISABLED RDB AOF Possible values are: `DISABLED`, `RDB`, `AOF`. | false | false | None | None | None |
@@ -58,7 +55,6 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf
 | `aof_config` | Configuration for AOF based persistence. Structure is [documented below](#nested_persistence_config_aof_config). | false | false | None | None | None |

 ### maintenance_policy Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `create_time` | (Output) The time when the policy was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. | false | false | None | None | None |
@@ -66,14 +62,12 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf
 | `weekly_maintenance_window` | Optional. Maintenance window that is applied to resources covered by this policy. Minimum 1. For the current version, the maximum number of weekly_window is expected to be one. Structure is [documented below](#nested_maintenance_policy_weekly_maintenance_window). | false | false | None | None | None |

 ### zone_distribution_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `zone` | Optional. Defines zone where all resources will be allocated with SINGLE_ZONE mode. Ignored for MULTI_ZONE mode. | false | false | None | None | None |
 | `mode` | Optional. Current zone distribution mode. Defaults to MULTI_ZONE. Possible values: MULTI_ZONE SINGLE_ZONE Possible values are: `MULTI_ZONE`, `SINGLE_ZONE`. | false | false | None | None | None |

 ### cross_instance_replication_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `instance_role` | The instance role supports the following values: 1. `INSTANCE_ROLE_UNSPECIFIED`: This is an independent instance that has never participated in cross instance replication. It allows both reads and writes. 2. `NONE`: This is an independent instance that previously participated in cross instance replication(either as a `PRIMARY` or `SECONDARY` cluster). It allows both reads and writes. 3. `PRIMARY`: This instance serves as the replication source for secondary instance that are replicating from it. Any data written to it is automatically replicated to its secondary clusters. It allows both reads and writes. 4. `SECONDARY`: This instance replicates data from the primary instance. It allows only reads. 
Possible values are: `INSTANCE_ROLE_UNSPECIFIED`, `NONE`, `PRIMARY`, `SECONDARY`. | false | false | None | None | None |
@@ -83,25 +77,21 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf
 | `update_time` | (Output) The last time cross instance replication config was updated. | false | false | None | None | None |

 ### gcs_source Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `uris` | URIs of the GCS objects to import. Example: gs://bucket1/object1, gs://bucket2/folder2/object2 | true | false | None | None | None |

 ### managed_backup_source Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `backup` | Example: `projects/{project}/locations/{location}/backupCollections/{collection}/backups/{backup}`. | true | false | None | None | None |

 ### fixed_frequency_schedule Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `start_time` | The start time of every automated backup in UTC. It must be set to the start of an hour. This field is required. Structure is [documented below](#nested_automated_backup_config_fixed_frequency_schedule_start_time). | true | false | None | None | None |

 ### start_time Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `hours` | Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. | false | false | None | None | None |
@@ -110,20 +100,17 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf
 | `nanos` | Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. | false | false | None | None | None |

 ### rdb_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `rdb_snapshot_period` | Optional. Period between RDB snapshots. Possible values: ONE_HOUR SIX_HOURS TWELVE_HOURS TWENTY_FOUR_HOURS | false | false | None | None | None |
 | `rdb_snapshot_start_time` | Optional. Time that the first snapshot was/will be attempted, and to which future snapshots will be aligned. If not provided, the current time will be used. | false | false | None | None | None |

 ### aof_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `append_fsync` | Optional. The fsync mode. Possible values: NEVER EVERY_SEC ALWAYS | false | false | None | None | None |

 ### weekly_maintenance_window Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `day` | The day of week that maintenance updates occur. - DAY_OF_WEEK_UNSPECIFIED: The day of the week is unspecified. - MONDAY: Monday - TUESDAY: Tuesday - WEDNESDAY: Wednesday - THURSDAY: Thursday - FRIDAY: Friday - SATURDAY: Saturday - SUNDAY: Sunday Possible values are: `DAY_OF_WEEK_UNSPECIFIED`, `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. | true | false | None | None | None |
@@ -131,14 +118,12 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf
 | `start_time` | Start time of the window in UTC time. Structure is [documented below](#nested_maintenance_policy_weekly_maintenance_window_weekly_maintenance_window_start_time). | true | false | None | None | None |

 ### primary_instance Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `instance` | The full resource path of the primary instance in the format: projects/{project}/locations/{region}/instances/{instance-id} | false | false | None | None | None |
 | `uid` | (Output) The unique id of the primary instance. | false | false | None | None | None |

 ### secondary_instances Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `instance` | (Output) The full resource path of the secondary instance in the format: projects/{project}/locations/{region}/instance/{instance-id} | false | false | None | None | None |
diff --git a/docs/gcp/Memorystore/memorystore_instance_desired_user_created_endpoints.md b/docs/gcp/Memorystore/memorystore_instance_desired_user_created_endpoints.md
index fd1827bbb..4ed08c394 100644
--- a/docs/gcp/Memorystore/memorystore_instance_desired_user_created_endpoints.md
+++ b/docs/gcp/Memorystore/memorystore_instance_desired_user_created_endpoints.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – memorystore_instance_desired_user_created_end --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The name of the Memorystore instance these endpoints should be added to. | true | false | None | None | None | @@ -18,19 +17,16 @@ Reference: [Terraform Registry – memorystore_instance_desired_user_created_end | `psc_connection` | | false | false | None | None | None | ### desired_user_created_endpoints Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `connections` | Structure is [documented below](#nested_desired_user_created_endpoints_desired_user_created_endpoints_connections). | false | false | None | None | None | ### connections Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `psc_connection` | Detailed information of a PSC connection that is created by the customer who owns the cluster. Structure is [documented below](#nested_desired_user_created_endpoints_desired_user_created_endpoints_connections_connections_psc_connection). | false | false | None | None | None | ### psc_connection Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `psc_connection_id` | The PSC connection id of the forwarding rule connected to the service attachment. | true | false | None | None | None | 
diff --git a/docs/gcp/Model_Armor/model_armor_floorsetting.md b/docs/gcp/Model_Armor/model_armor_floorsetting.md
index 8e0c5a04b..53f60ccb6 100644
--- a/docs/gcp/Model_Armor/model_armor_floorsetting.md
+++ b/docs/gcp/Model_Armor/model_armor_floorsetting.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – model_armor_floorsetting](https://registry.te
 ---
-## Argument Reference
-
+## Argument Reference
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `filter_config` | Filters configuration. Structure is [documented below](#nested_filter_config). | true | true | Central configuration for malicious-URI, Responsible-AI, sensitive-data and prompt-injection filters. Misconfiguration may allow harmful or sensitive content to pass unchecked. | MEDIUM_AND_ABOVE | |
@@ -27,7 +26,6 @@ Reference: [Terraform Registry – model_armor_floorsetting](https://registry.te
 | `multi_language_detection` | | false | false | None | None | None |

 ### filter_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `malicious_uri_filter_settings` | Malicious URI filter settings. Structure is [documented below](#nested_filter_config_malicious_uri_filter_settings). | false | true | Controls detection of malicious links to prevent data exfiltration and phishing. | filter_enforcement set to ENABLED | filter_enforcement set to DISABLED |
@@ -36,7 +34,6 @@ Reference: [Terraform Registry – model_armor_floorsetting](https://registry.te
 | `pi_and_jailbreak_filter_settings` | Prompt injection and Jailbreak Filter settings. Structure is [documented below](#nested_filter_config_pi_and_jailbreak_filter_settings). | false | true | Blocks malicious attempts to override system instructions or leak data. | filter_enforcement set to ENABLED | filter_enforcement set to DISABLED |

 ### ai_platform_floor_setting Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `inspect_only` | If true, Model Armor filters will be run in inspect only mode. No action will be taken on the request. | false | false | None | None | None |
@@ -44,59 +41,50 @@ Reference: [Terraform Registry – model_armor_floorsetting](https://registry.te
 | `enable_cloud_logging` | If true, log Model Armor filter results to Cloud Logging. | false | false | None | None | None |

 ### floor_setting_metadata Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `multi_language_detection` | Metadata for multi language detection. Structure is [documented below](#nested_floor_setting_metadata_multi_language_detection). | false | false | None | None | None |

 ### malicious_uri_filter_settings Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `filter_enforcement` | Tells whether the Malicious URI filter is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None |

 ### rai_settings Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `rai_filters` | List of Responsible AI filters enabled for template. Structure is [documented below](#nested_filter_config_rai_settings_rai_filters). | true | false | None | None | None |

 ### rai_filters Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `filter_type` | Possible values: SEXUALLY_EXPLICIT HATE_SPEECH HARASSMENT DANGEROUS | true | true | Determines which harmful content is blocked. 
| SEXUAL | INVALID_TYPE |
 | `confidence_level` | Possible values: LOW_AND_ABOVE MEDIUM_AND_ABOVE HIGH | false | true | Higher thresholds reduce false positives but may allow harmful content if too low. | MEDIUM_AND_ABOVE | LOW_ONLY |

 ### sdp_settings Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `advanced_config` | Sensitive Data Protection Advanced configuration. Structure is [documented below](#nested_filter_config_sdp_settings_advanced_config). | false | false | None | None | None |
 | `basic_config` | Sensitive Data Protection basic configuration. Structure is [documented below](#nested_filter_config_sdp_settings_basic_config). | false | false | None | None | None |

 ### advanced_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `inspect_template` | Sensitive Data Protection inspect template resource name If only inspect template is provided (de-identify template not provided), then Sensitive Data Protection InspectContent action is performed during Sanitization. All Sensitive Data Protection findings identified during inspection will be returned as SdpFinding in SdpInsepctionResult. e.g:- `projects/{project}/locations/{location}/inspectTemplates/{inspect_template}` | false | false | None | None | None |
 | `deidentify_template` | Optional Sensitive Data Protection Deidentify template resource name. If provided then DeidentifyContent action is performed during Sanitization using this template and inspect template. The De-identified data will be returned in SdpDeidentifyResult. Note that all info-types present in the deidentify template must be present in inspect template. e.g. 
`projects/{project}/locations/{location}/deidentifyTemplates/{deidentify_template}` | false | false | None | None | None |

 ### basic_config Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `filter_enforcement` | Tells whether the Sensitive Data Protection basic config is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None |

 ### pi_and_jailbreak_filter_settings Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `filter_enforcement` | Tells whether Prompt injection and Jailbreak filter is enabled or disabled. Possible values: ENABLED DISABLED | false | true | Disabling increases risk of prompt manipulation. | ENABLED | DISABLED |
 | `confidence_level` | Possible values: LOW_AND_ABOVE MEDIUM_AND_ABOVE HIGH | false | true | Determines sensitivity to possible prompt injection attempts. | MEDIUM_AND_ABOVE | HIGH |

 ### multi_language_detection Block
-
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `enable_multi_language_detection` | If true, multi language detection will be enabled. | true | false | None | None | None |
diff --git a/docs/gcp/Model_Armor/model_armor_template.md b/docs/gcp/Model_Armor/model_armor_template.md
index 945d0d65a..6705ac937 100644
--- a/docs/gcp/Model_Armor/model_armor_template.md
+++ b/docs/gcp/Model_Armor/model_armor_template.md
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – model_armor_template](https://registry.terraf --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_config` | Filters configuration. Structure is [documented below](#nested_filter_config). | true | true | Controls which filters (malicious URI, Responsible AI, sensitive data, prompt-injection) are active. Misconfiguration could allow harmful or sensitive data to pass unchecked. | Properly configured filters covering all required categories. | Filters disabled or missing critical protections. | @@ -26,7 +25,6 @@ Reference: [Terraform Registry – model_armor_template](https://registry.terraf | `multi_language_detection` | | false | false | None | None | None | ### filter_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `malicious_uri_filter_settings` | Malicious URI filter settings. Structure is [documented below](#nested_filter_config_malicious_uri_filter_settings). | false | true | Prevents injection of malicious URLs. Disabling increases phishing or malware risk. | filter_enforcement set to ENABLED. | filter_enforcement set to DISABLED. | 
@@ -35,7 +33,6 @@ Reference: [Terraform Registry – model_armor_template](https://registry.terraf | `pi_and_jailbreak_filter_settings` | Prompt injection and Jailbreak Filter settings. Structure is [documented below](#nested_filter_config_pi_and_jailbreak_filter_settings). | false | true | Blocks attempts to override safeguards or exfiltrate data via prompt injection. | filter_enforcement set to ENABLED. | filter_enforcement set to DISABLED. | ### template_metadata Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_template_operations` | If true, log template crud operations. | false | false | None | None | None | 
@@ -49,53 +46,45 @@ Reference: [Terraform Registry – model_armor_template](https://registry.terraf | `enforcement_type` | Possible values: INSPECT_ONLY INSPECT_AND_BLOCK | false | false | None | None | None | ### malicious_uri_filter_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_enforcement` | Tells whether the Malicious URI filter is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None | ### rai_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `rai_filters` | List of Responsible AI filters enabled for template. Structure is [documented below](#nested_filter_config_rai_settings_rai_filters). | true | false | None | None | None | ### rai_filters Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_type` | Possible values: SEXUALLY_EXPLICIT HATE_SPEECH HARASSMENT DANGEROUS | true | true | Specifies which harmful content categories to filter. Omitting critical categories can allow unsafe output. | Includes all required categories (e.g., SEXUALLY_EXPLICIT, HATE_SPEECH, HARASSMENT, DANGEROUS). | Missing any mandated category or set incorrectly. | | `confidence_level` | Possible values: LOW_AND_ABOVE MEDIUM_AND_ABOVE HIGH | false | true | Determines sensitivity of detection. Too low can allow harmful content through; too high can overblock legitimate content. | Configured to MEDIUM_AND_ABOVE or higher per policy. 
| LOW_ONLY | ### sdp_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `advanced_config` | Sensitive Data Protection Advanced configuration. Structure is [documented below](#nested_filter_config_sdp_settings_advanced_config). | false | false | None | None | None | | `basic_config` | Sensitive Data Protection basic configuration. Structure is [documented below](#nested_filter_config_sdp_settings_basic_config). | false | false | None | None | None | ### advanced_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inspect_template` | Sensitive Data Protection inspect template resource name If only inspect template is provided (de-identify template not provided), then Sensitive Data Protection InspectContent action is performed during Sanitization. All Sensitive Data Protection findings identified during inspection will be returned as SdpFinding in SdpInsepctionResult. e.g:- `projects/{project}/locations/{location}/inspectTemplates/{inspect_template}` | false | false | None | None | None | | `deidentify_template` | Optional Sensitive Data Protection Deidentify template resource name. If provided then DeidentifyContent action is performed during Sanitization using this template and inspect template. The De-identified data will be returned in SdpDeidentifyResult. Note that all info-types present in the deidentify template must be present in inspect template. e.g. 
`projects/{project}/locations/{location}/deidentifyTemplates/{deidentify_template}` | false | false | None | None | None | ### basic_config Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_enforcement` | Tells whether the Sensitive Data Protection basic config is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None | ### pi_and_jailbreak_filter_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_enforcement` | Tells whether Prompt injection and Jailbreak filter is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None | | `confidence_level` | Possible values: LOW_AND_ABOVE MEDIUM_AND_ABOVE HIGH | false | false | None | None | None | ### multi_language_detection Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enable_multi_language_detection` | If true, multi language detection will be enabled. | true | false | None | None | None | diff --git a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator.md b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator.md index e77f7c78e..c766aa5dc 100644 --- a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator.md +++ b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `action` | Required. Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist | true | true | Users cannot perform high-impact operations without escalated approval | ['UPSERT'] | ['DELETE'] | 
@@ -51,26 +50,22 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `location_selector` | | false | false | None | None | None | ### orchestrated_resource Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_policy_assignment_v1_payload` | OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload). | false | true | Maintains security policy structure and prevents malformed configurations | None | None | | `id` | Optional. ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation. 
| false | false | None | None | None | ### orchestration_scope Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `selectors` | Optional. Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource. Structure is [documented below](#nested_orchestration_scope_selectors). | false | true | Provides security controls for determining which resources meet selection criteria. | None | None | ### labels Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `environment` | Optional. The environment label is a key that can be used to distinguish between different deployment environments such as 'development', 'staging', and 'production'. | false | true | Facilitates environment-specific security policies, ensuring that production environments have stricter controls compared to development or staging. | ['test'] | ['dev', 'prod'] | ### os_policy_assignment_v1_payload Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uid` | (Output) Output only. Server generated unique id for the OS policy assignment resource. | false | false | None | None | None | 
@@ -87,7 +82,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `reconciling` | (Output) Output only. Indicates that reconciliation is in progress for the revision. This value is `true` when the `rollout_state` is one of: * IN_PROGRESS * CANCELLING | false | false | None | None | None | ### os_policies Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `mode` | Required. Policy mode Possible values: MODE_UNSPECIFIED VALIDATION ENFORCEMENT | true | true | Ensures conscious decision-making about policy impact levels | ['VALIDATION', 'ENFORCEMENT'] | ['MODE_UNSPECIFIED'] | 
@@ -97,21 +91,18 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `description` | Policy description. Length of the description is limited to 1024 characters. | false | false | None | None | None | ### resource_groups Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inventory_filters` | List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name='rhel' and inventory_filters[1].os_short_name='centos' If the list is empty, this resource group will be applied to the target VM unconditionally. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_inventory_filters). | false | false | None | None | None | | `resources` | Required. List of resources configured for this resource group. The resources are executed in the exact order specified here. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources). | true | true | Enables fine-grained security controls at the resource level | None | None | ### inventory_filters Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_short_name` | Required. 
The OS short name | true | false | None | None | None | | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None | ### resources Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `repository` | A resource that manages a package repository. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository). | false | true | Maintains security through controlled software distribution channels | None | None | @@ -121,7 +112,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `pkg` | A resource that manages a system package. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg). | false | false | None | None | None | ### repository Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `yum` | Represents a single yum package repository. These are added to a repo file that is managed at `/etc/yum.repos.d/google_osconfig.repo`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_yum). | false | false | None | None | None | 
@@ -130,7 +120,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `apt` | Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_apt). | false | true | Enforces consistent package management across Debian systems. | None | None | ### yum Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts. | true | false | None | None | None | @@ -140,7 +129,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `name` | Required. Package name. | true | false | None | None | None | ### zypper Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts. | true | false | None | None | None | 
@@ -150,14 +138,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `name` | Required. Package name. | true | false | None | None | None | ### goo Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. The name of the repository. | true | false | None | None | None | | `url` | Required. The url of the repository. | true | false | None | None | None | ### apt Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uri` | Required. URI for this repository. | true | false | None | None | None | 
@@ -168,14 +154,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `name` | Required. Package name. | true | false | None | None | None | ### exec Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enforce` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce). | false | false | None | None | None | | `validate` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate). | true | false | None | None | None | ### enforce Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `script` | An inline script. The size of the script is limited to 32KiB. | false | false | None | None | None | 
@@ -185,7 +169,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `file` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce_file). | false | false | None | None | None | ### file Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `remote` | Specifies a file available via some URI. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_file_file_remote). | false | false | None | None | None | 
@@ -199,14 +182,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `permissions` | Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 | false | false | None | None | None | ### remote Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uri` | Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`. | true | false | None | None | None | | `sha256_checksum` | SHA256 checksum of the remote file. | false | false | None | None | None | ### gcs Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | Required. Bucket of the Cloud Storage object. | true | false | None | None | None | 
@@ -214,7 +195,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `generation` | Generation number of the Cloud Storage object. | false | false | None | None | None | ### validate Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `file` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate_file). | false | false | None | None | None | @@ -224,7 +204,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `output_file_path` | Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes. | false | false | None | None | None | ### pkg Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `msi` | An MSI package. MSI packages only support INSTALLED state. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi). | false | false | None | None | None | 
@@ -237,14 +216,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `googet` | A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_googet). | false | false | None | None | None | ### msi Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi_source). | true | false | None | None | None | | `properties` | Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`. | false | false | None | None | None | ### source Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gcs` | Specifies a file available as a Cloud Storage Object. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source_gcs). | false | false | None | None | None | 
@@ -253,27 +230,23 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `remote` | Specifies a file available via some URI. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source_remote). | false | false | None | None | None | ### deb Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_deb_source). | true | false | None | None | None | | `pull_deps` | Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update && apt-get -y install package.deb` | false | false | None | None | None | ### rpm Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source). | true | false | None | None | None | | `pull_deps` | Whether dependencies should also be installed. 
- install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm` | false | false | None | None | None | ### googet Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. Package name. | true | false | None | None | None | ### instance_filter Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inclusion_labels` | List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_instance_filter_inclusion_labels). | false | false | None | None | None | 
@@ -282,54 +255,46 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `all` | Target all VMs in the project. If true, no other criteria is permitted. | false | false | None | None | None | ### inclusion_labels Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### exclusion_labels Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### inventories Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_short_name` | Required. The OS short name | true | false | Enforces consistent OS platform security across all managed instances. | ['debian'] | ['windows'] | | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. 
| false | false | None | None | None | ### rollout Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disruption_budget` | Message encapsulating a value that can be either absolute ("fixed") or relative ("percent") to a value. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_rollout_disruption_budget). | true | false | None | None | None | | `min_wait_duration` | Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied. | true | false | None | None | None | ### disruption_budget Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `fixed` | Specifies a fixed value. | false | false | None | None | None | | `percent` | Specifies the relative value defined as a percentage, which will be multiplied by a reference value. | false | false | None | None | None | ### selectors Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `resource_hierarchy_selector` | Selector containing Cloud Resource Manager resource hierarchy nodes. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_resource_hierarchy_selector). | false | false | None | None | None | | `location_selector` | Selector containing locations in scope. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_location_selector). 
| false | true | Manages security policies based on physical and logical location constraints. | None | None | ### resource_hierarchy_selector Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_projects` | Optional. Names of the projects in scope. Format: `projects/{project_number}` | false | false | None | None | None | | `included_folders` | Optional. Names of the folders in scope. Format: `folders/{folder_id}` | false | false | None | None | None | ### location_selector Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_locations` | Optional. Names of the locations in scope. | false | true | Defines precisely which geographic locations are approved for resource deployment, enhancing compliance with data residency regulations. | ['Sydney', 'Melbourne'] | ['Mumbai', 'Berlin'] | diff --git a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_folder.md b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_folder.md index f3fa1ba69..b21f9a065 100644 --- a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_folder.md +++ b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_folder.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `action` | Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist | true | true | Action defines whether the orchestrator will create/update or delete resources in the scope. Incorrectly setting this value could result in unintended resource deletion. | ['UPSERT'] | ['DELETE'] | 
@@ -51,20 +50,17 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `location_selector` | | false | false | None | None | None | ### orchestrated_resource Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_policy_assignment_v1_payload` | OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload). | false | true | Ensures that the correct OS policies are applied to the targeted VM instances, maintaining compliance with organizational standards. | None | None | | `id` | ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation. 
| false | false | None | None | None | ### orchestration_scope Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `selectors` | Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource. Structure is [documented below](#nested_orchestration_scope_selectors). | false | true | Specifying the correct selectors is crucial for ensuring that the policy is applied to the intended resources. | None | None | ### os_policy_assignment_v1_payload Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Resource name. Format: `projects/{project_number}/locations/{location}/osPolicyAssignments/{os_policy_assignment_id}` This field is ignored when you create an OS policy assignment. | false | false | None | None | None | @@ -82,7 +78,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `uid` | (Output) Server generated unique id for the OS policy assignment resource. | false | false | None | None | None | ### os_policies Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment. | true | false | None | None | None | 
@@ -92,21 +87,18 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `allow_no_resource_group_match` | This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce. | false | false | None | None | None | ### resource_groups Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inventory_filters` | List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name='rhel' and inventory_filters[1].os_short_name='centos' If the list is empty, this resource group will be applied to the target VM unconditionally. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_inventory_filters). | false | false | None | None | None | | `resources` | List of resources configured for this resource group. The resources are executed in the exact order specified here. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources). | true | true | Defines the specific configurations and resources that will be managed on the target VMs, ensuring they meet organizational standards. 
| None | None | ### inventory_filters Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_short_name` | The OS short name | true | false | None | None | None | | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None | ### resources Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | The id of the resource with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the OS policy. | true | false | None | None | None | 
@@ -116,7 +108,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `file` | A resource that manages the state of a file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_file). | false | false | None | None | None | ### pkg Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `googet` | A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_googet). | false | false | None | None | None | 
@@ -129,20 +120,17 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `rpm` | An RPM package file. RPM packages only support INSTALLED state. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm). | false | false | None | None | None | ### googet Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Package name. | true | false | None | None | None | ### msi Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi_source). | true | false | None | None | None | | `properties` | Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`. | false | false | None | None | None | ### source Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `remote` | Specifies a file available via some URI. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source_remote). | false | false | None | None | None | 
@@ -151,14 +139,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `allow_insecure` | Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified. | false | false | None | None | None | ### remote Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uri` | URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`. | true | false | None | None | None | | `sha256_checksum` | SHA256 checksum of the remote file. | false | false | None | None | None | ### gcs Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | Bucket of the Cloud Storage object. | true | false | None | None | None | @@ -166,7 +152,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `generation` | Generation number of the Cloud Storage object. | false | false | None | None | None | ### apt Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Package name. | true | false | None | None | None | 
@@ -177,14 +162,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `distribution` | Distribution of this repository. | true | false | None | None | None | ### deb Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_deb_source). | true | false | None | None | None | | `pull_deps` | Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update && apt-get -y install package.deb` | false | false | None | None | None | ### yum Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Package name. | true | false | None | None | None | @@ -194,7 +177,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `id` | A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts. | true | false | None | None | None | ### zypper Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Package name. | true | false | None | None | None | 
@@ -204,14 +186,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `display_name` | The display name of the repository. | false | false | None | None | None | ### rpm Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `pull_deps` | Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm` | false | false | None | None | None | | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source). | true | false | None | None | None | ### repository Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `apt` | Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_apt). | false | true | Ensures that only trusted package repositories are used for software installations. | None | None | 
@@ -220,21 +200,18 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `goo` | Represents a Goo package repository. These are added to a repo file that is managed at `C:/ProgramData/GooGet/repos/google_osconfig.repo`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_goo). | false | false | None | None | None | ### goo Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The name of the repository. | true | false | None | None | None | | `url` | The url of the repository. | true | false | None | None | None | ### exec Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `validate` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate). | true | false | None | None | None | | `enforce` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce). | false | false | None | None | None | ### validate Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `args` | Optional arguments to pass to the source during execution. | false | false | None | None | None | 
@@ -244,7 +221,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `script` | An inline script. The size of the script is limited to 32KiB. | false | false | None | None | None | ### file Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_insecure` | Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified. | false | false | None | None | None | @@ -258,7 +234,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `permissions` | Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 | false | false | None | None | None | ### enforce Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `args` | Optional arguments to pass to the source during execution. | false | false | None | None | None | 
@@ -268,7 +243,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `script` | An inline script. The size of the script is limited to 32KiB. | false | false | None | None | None | ### instance_filter Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inclusion_labels` | List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_instance_filter_inclusion_labels). | false | false | None | None | None | 
@@ -277,54 +251,46 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `all` | Target all VMs in the project. If true, no other criteria is permitted. | false | false | None | None | None | ### inclusion_labels Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### exclusion_labels Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### inventories Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_short_name` | The OS short name | true | false | None | None | None | | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None | ### rollout Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disruption_budget` | Message encapsulating a value that can be either absolute ("fixed") or relative ("percent") to a value. 
Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_rollout_disruption_budget). | true | false | None | None | None | | `min_wait_duration` | This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied. | true | false | None | None | None | ### disruption_budget Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `fixed` | Specifies a fixed value. | false | false | None | None | None | | `percent` | Specifies the relative value defined as a percentage, which will be multiplied by a reference value. | false | false | None | None | None | ### selectors Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `resource_hierarchy_selector` | Selector containing Cloud Resource Manager resource hierarchy nodes. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_resource_hierarchy_selector). | false | false | None | None | None | | `location_selector` | Selector containing locations in scope. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_location_selector). | false | true | Specifying the correct locations is crucial for ensuring that the policy is applied to the intended resources. 
| None | None | ### resource_hierarchy_selector Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_projects` | Names of the projects in scope. Format: `projects/{project_number}` | false | false | None | None | None | | `included_folders` | Names of the folders in scope. Format: `folders/{folder_id}` | false | false | None | None | None | ### location_selector Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_locations` | Names of the locations in scope. Format: `us-central1-a` | false | true | Specifying the correct locations is crucial for ensuring that the policy is applied to the intended resources. | ['Sydney', 'Melbourne'] | ['Mumbai', 'Berlin'] | diff --git a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_organization.md b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_organization.md index ded71dd83..cd94b8a25 100644 --- a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_organization.md +++ b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_organization.md 
@@ -6,8 +6,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `action` | Required. Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist | true | true | Defines the operational intent of the orchestrator, which is crucial for maintaining the desired state of security configurations. | ['UPSERT'] | ['DELETE'] | 
@@ -51,20 +50,17 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `location_selector` | | false | false | None | None | None | ### orchestrated_resource Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_policy_assignment_v1_payload` | OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload). | false | true | Maintains the structural integrity of security policy configurations. | None | None | | `id` | Optional. ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation. 
| false | false | None | None | None | ### orchestration_scope Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `selectors` | Optional. Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource. Structure is [documented below](#nested_orchestration_scope_selectors). | false | false | None | None | None | ### os_policy_assignment_v1_payload Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `etag` | The etag for this OS policy assignment. If this is provided on update, it must match the server's etag. | false | false | None | None | None | @@ -82,7 +78,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `revision_create_time` | (Output) Output only. The timestamp that the revision was created. | false | false | None | None | None | ### os_policies Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Required. The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment. | true | false | None | None | None | 
@@ -92,21 +87,18 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `allow_no_resource_group_match` | This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce. | false | false | None | None | None | ### resource_groups Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inventory_filters` | List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name='rhel' and inventory_filters[1].os_short_name='centos' If the list is empty, this resource group will be applied to the target VM unconditionally. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_inventory_filters). | false | false | None | None | None | | `resources` | Required. List of resources configured for this resource group. The resources are executed in the exact order specified here. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources). | true | true | Enables fine-grained security controls at the resource level, allowing for tailored configurations. 
| None | None | ### inventory_filters Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_short_name` | Required. The OS short name | true | false | None | None | None | | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None | ### resources Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `exec` | A resource that allows executing scripts on the VM. The `ExecResource` has 2 stages: `validate` and `enforce` and both stages accept a script as an argument to execute. When the `ExecResource` is applied by the agent, it first executes the script in the `validate` stage. The `validate` stage can signal that the `ExecResource` is already in the desired state by returning an exit code of `100`. If the `ExecResource` is not in the desired state, it should return an exit code of `101`. Any other exit code returned by this stage is considered an error. If the `ExecResource` is not in the desired state based on the exit code from the `validate` stage, the agent proceeds to execute the script from the `enforce` stage. If the `ExecResource` is already in the desired state, the `enforce` stage will not be run. Similar to `validate` stage, the `enforce` stage should return an exit code of `100` to indicate that the resource in now in its desired state. Any other exit code is considered an error. 
NOTE: An exit code of `100` was chosen over `0` (and `101` vs `1`) to have an explicit indicator of `in desired state`, `not in desired state` and errors. Because, for example, Powershell will always return an exit code of `0` unless an `exit` statement is provided in the script. So, for reasons of consistency and being explicit, exit codes `100` and `101` were chosen. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec). | false | false | None | None | None | 
@@ -116,14 +108,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `repository` | A resource that manages a package repository. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository). | false | true | Enforces consistent package management policies across all targeted virtual machines. | None | None | ### exec Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `validate` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate). | true | false | None | None | None | | `enforce` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce). | false | false | None | None | None | ### validate Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `file` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate_file). | false | false | None | None | None | 
@@ -133,7 +123,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `output_file_path` | Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes. | false | false | None | None | None | ### file Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gcs` | Specifies a file available as a Cloud Storage Object. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_file_file_gcs). | false | false | None | None | None | @@ -147,7 +136,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `permissions` | Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 | false | false | None | None | None | ### gcs Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | Required. Bucket of the Cloud Storage object. | true | false | None | None | None | 
@@ -155,14 +143,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `generation` | Generation number of the Cloud Storage object. | false | false | None | None | None | ### remote Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uri` | Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`. | true | false | None | None | None | | `sha256_checksum` | SHA256 checksum of the remote file. | false | false | None | None | None | ### enforce Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `file` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce_file). | false | false | None | None | None | 
@@ -172,7 +158,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `output_file_path` | Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes. | false | false | None | None | None | ### pkg Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `msi` | An MSI package. MSI packages only support INSTALLED state. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi). | false | false | None | None | None | 
@@ -185,14 +170,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `googet` | A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_googet). | false | false | None | None | None | ### msi Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi_source). | true | false | None | None | None | | `properties` | Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`. | false | false | None | None | None | ### source Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `local_path` | A local path within the VM to use. | false | false | None | None | None | 
@@ -201,7 +184,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `gcs` | Specifies a file available as a Cloud Storage Object. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source_gcs). | false | false | None | None | None | ### apt Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. Package name. | true | false | None | None | None | @@ -212,14 +194,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `gpg_key` | URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`. | false | false | None | None | None | ### deb Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_deb_source). | true | false | None | None | None | | `pull_deps` | Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update && apt-get -y install package.deb` | false | false | None | None | None | ### yum Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. Package name. | true | false | None | None | None | 
@@ -229,7 +209,6 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `id` | Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts. | true | false | None | None | None | ### zypper Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. Package name. | true | false | None | None | None | 
@@ -239,20 +218,17 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `gpg_keys` | URIs of GPG keys. | false | false | None | None | None | ### rpm Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source). | true | false | None | None | None | | `pull_deps` | Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm` | false | false | None | None | None | ### googet Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. Package name. | true | false | None | None | None | ### repository Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `yum` | Represents a single yum package repository. These are added to a repo file that is managed at `/etc/yum.repos.d/google_osconfig.repo`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_yum). | false | false | None | None | None | 
@@ -261,14 +237,12 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `apt` | Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_apt). | false | true | Ensures that only approved package sources are used, reducing the risk of malicious software installation. | None | None | ### goo Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `url` | Required. The url of the repository. | true | false | None | None | None | | `name` | Required. The name of the repository. | true | false | None | None | None | ### instance_filter Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `all` | Target all VMs in the project. If true, no other criteria is permitted. | false | true | Ensures that all VMs are considered for policy application, preventing accidental exclusions. | None | None | 
@@ -277,54 +251,46 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `inventories` | List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_instance_filter_inventories). | false | true | Ensures that only VMs with the specified inventory are targeted, reducing the risk of misconfiguration. | None | None | ### inclusion_labels Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### exclusion_labels Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### inventories Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_short_name` | Required. The OS short name | true | true | Specifying the OS short name ensures that policies are applied only to compatible operating systems, reducing the risk of misconfiguration. | ['debian'] | ['windows'] | | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. 
For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None | ### rollout Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disruption_budget` | Message encapsulating a value that can be either absolute ("fixed") or relative ("percent") to a value. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_rollout_disruption_budget). | true | false | None | None | None | | `min_wait_duration` | Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied. | true | false | None | None | None | ### disruption_budget Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `fixed` | Specifies a fixed value. | false | false | None | None | None | | `percent` | Specifies the relative value defined as a percentage, which will be multiplied by a reference value. | false | false | None | None | None | ### selectors Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `resource_hierarchy_selector` | Selector containing Cloud Resource Manager resource hierarchy nodes. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_resource_hierarchy_selector). 
| false | false | None | None | None | | `location_selector` | Selector containing locations in scope. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_location_selector). | false | false | None | None | None | ### resource_hierarchy_selector Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_projects` | Optional. Names of the projects in scope. Format: `projects/{project_number}` | false | false | None | None | None | | `included_folders` | Optional. Names of the folders in scope. Format: `folders/{folder_id}` | false | false | None | None | None | ### location_selector Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_locations` | Optional. Names of the locations in scope. Format: `us-central1-a` | false | false | None | None | None | diff --git a/docs/gcp/RecaptchaEnterprise/recaptcha_enterprise_key.md b/docs/gcp/RecaptchaEnterprise/recaptcha_enterprise_key.md index 20aa65a29..aac5f2466 100644 --- a/docs/gcp/RecaptchaEnterprise/recaptcha_enterprise_key.md +++ b/docs/gcp/RecaptchaEnterprise/recaptcha_enterprise_key.md @@ -6,8 +6,7 @@ Reference: [Terraform Registry – recaptcha_enterprise_key](https://registry.te --- -## Argument Reference - +## Argument Reference | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | Human-readable display name of this key. Modifiable by user. - - - | true | false | None | None | None | 
@@ -20,35 +19,30 @@ Reference: [Terraform Registry – recaptcha_enterprise_key](https://registry.te | `web_settings` | Settings for keys that can be used by websites. | false | false | None | None | None | ### android_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_all_package_names` | If set to true, it means allowed_package_names will not be enforced. | false | false | None | None | None | | `allowed_package_names` | Android package names of apps allowed to use the key. Example: 'com.companyname.appname' | false | false | None | None | None | ### ios_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_all_bundle_ids` | If set to true, it means allowed_bundle_ids will not be enforced. | false | false | None | None | None | | `allowed_bundle_ids` | iOS bundle ids of apps allowed to use the key. Example: 'com.companyname.productname.appname' | false | false | None | None | None | ### testing_options Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `testing_challenge` | For challenge-based keys only (CHECKBOX, INVISIBLE), all challenge requests for this site will return nocaptcha if NOCAPTCHA, or an unsolvable challenge if UNSOLVABLE_CHALLENGE. Possible values: TESTING_CHALLENGE_UNSPECIFIED, NOCAPTCHA, UNSOLVABLE_CHALLENGE | false | false | None | None | None | | `testing_score` | All assessments for this Key will return this score. Must be between 0 (likely not legitimate) and 1 (likely legitimate) inclusive. 
| false | false | None | None | None | ### waf_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `waf_feature` | Supported WAF features. For more information, see https://cloud.google.com/recaptcha-enterprise/docs/usecase#comparison_of_features. Possible values: CHALLENGE_PAGE, SESSION_TOKEN, ACTION_TOKEN, EXPRESS | true | false | None | None | None | | `waf_service` | The WAF service that uses this key. Possible values: CA, FASTLY | true | false | None | None | None | ### web_settings Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_all_domains` | If set to true, it means allowed_domains will not be enforced. | false | true | Allowing all domains bypasses origin allowlisting and can expose the key to abuse. Restrict usage to trusted domains via allowed_domains. | false | true | diff --git a/index.html b/index.html index 711f3768c..3afc86258 100644 --- a/index.html +++ b/index.html @@ -1,10 +1,8 @@ - Policy Deployment Engine Wiki - -

Policy Deployment Engine Wiki

- ⚠️ This wiki uses GitHub Pages and only allows for 60 API calls per hour per ID. + ⚠️ This wiki uses GitHub Pages and only allows for 60 API calls per hour per ID. If you use this website often, you may need to try a different device or wait.

- +
@@ -100,16 +97,14 @@

Policy Deployment Engine Wiki

try { const branch = "dev"; // 👈 change this const url = `https://api.github.com/repos/Hardhat-Enterprises/Policy-Deployment-Engine/git/trees/${branch}?recursive=1`; - + const response = await fetch(url); if (!response.ok) throw new Error('Network response was not ok'); const data = await response.json(); - // Get only md files inside docs/gcp/ - const files = data.tree.filter(item => - item.path.startsWith("docs/gcp/") && - item.type === "blob" && - item.path.endsWith(".md") + // Get only files inside docs/gcp/ + const files = data.tree.filter(item => + item.path.startsWith("docs/gcp/") && item.type === "blob" ); let htmlString = ""; @@ -129,9 +124,8 @@
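Review bot: The rewritten filter `item.path.startsWith("docs/gcp/") && item.type === "blob"` drops the `item.path.endsWith(".md")` test, so every blob under docs/gcp/ (images, JSON, scratch files) now becomes a navigation entry, while the `cleanPath` logic in the next hunk still only strips a `.md` suffix, leaving non-markdown entries linked by their raw tree path. If listing all file types is intended, the new comment should say so and name what is expected there, e.g. `// Get every blob inside docs/gcp/ (not only .md); non-markdown paths are linked as-is`; otherwise keep the extension check, e.g. `item.type === "blob" && item.path.endsWith(".md")`. Either way the `item.type === "blob"` condition is the one keeping directories out, so it should stay. The enclosing async function and `try` block start before this hunk and continue after it.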

Policy Deployment Engine Wiki

let cleanPath = subFile.path.endsWith(".md") ? subFile.path.slice(0, -3) : subFile.path; - + const subItem = `
  • ${displayName}
  • `; - folderMap[folder].push(subItem); htmlString += subItem; } @@ -176,5 +170,4 @@

    Policy Deployment Engine Wiki

    })() - - \ No newline at end of file + diff --git a/policies/_helpers/README.md b/policies/_helpers/README.md deleted file mode 100644 index 9c8de2c8d..000000000 --- a/policies/_helpers/README.md +++ /dev/null 
@@ -1,665 +0,0 @@ -# Policy Helpers Framework - -## Overview - -The `_helpers` directory contains the core policy evaluation framework for the Policy Deployment Engine. This modular system evaluates Terraform plans against configurable security policies and returns structured violation reports. - -**Key Features:** -- Modular architecture with specialized policy modules -- Support for 6 policy types: Blacklist, Whitelist, Range, Pattern Blacklist, Pattern Whitelist, Element Blacklist -- AND logic for multi-condition situations -- Standardized interfaces across all policy modules -- Shared utility functions for common operations - -**Version Compatibility:** -- OPA: 1.2.0 -- Rego: v1 - ---- - -## Table of Contents - -- [Architecture](#architecture) - - [Directory Structure](#directory-structure) - - [Component Responsibilities](#component-responsibilities) -- [Policy Types](#policy-types) - - [1. Blacklist](#1-blacklist) - - [2. Whitelist](#2-whitelist) - - [3. Range](#3-range) - - [4. Pattern Blacklist](#4-pattern-blacklist) - - [5. Pattern Whitelist](#5-pattern-whitelist) - - [6. Element Blacklist](#6-element-blacklist) -- [Usage Guide](#usage-guide) - - [Input Format](#input-format) - - [Multi-Condition Example (AND Logic)](#multi-condition-example-and-logic) - - [Output Format](#output-format) -- [Testing](#testing) - - [Quick Smoke Tests](#quick-smoke-tests) - - [Detailed Verification](#detailed-verification) - - [Individual Policy Tests](#individual-policy-tests) - - [Creating Test Inputs](#creating-test-inputs) -- [Adding New Policy Types](#adding-new-policy-types) - - [Step 1: Create Policy Module](#step-1-create-policy-module) - - [Step 2: Update helpers.rego](#step-2-update-helpersrego) - - [Step 3: Create Tests](#step-3-create-tests) - - [Step 4: Document](#step-4-document) -- [Design Principles](#design-principles) - - [1. Standardized Interfaces](#1-standardized-interfaces) - - [2. Separation of Concerns](#2-separation-of-concerns) - - [3. 
Encapsulation](#3-encapsulation) - - [4. Defensive Programming](#4-defensive-programming) - - [5. No Circular Dependencies](#5-no-circular-dependencies) -- [Common Patterns](#common-patterns) - - [Accessing Resource Attributes](#accessing-resource-attributes) - - [Formatting Paths](#formatting-paths) - - [Array Normalization](#array-normalization) - - [Set Comprehensions](#set-comprehensions) -- [Troubleshooting](#troubleshooting) - - [Issue: Policy not detecting violations](#issue-policy-not-detecting-violations) - - [Issue: "resource attribute not found" error](#issue-resource-attribute-not-found-error) - - [Issue: Empty results when violations expected](#issue-empty-results-when-violations-expected) - - [Issue: Pattern matching not working](#issue-pattern-matching-not-working) -- [Performance Considerations](#performance-considerations) - - [Set Operations](#set-operations) - - [Resource Filtering](#resource-filtering) - - [Avoid Over-fetching](#avoid-over-fetching) -- [Migration Notes](#migration-notes) -- [Contributing](#contributing) - - [Before Submitting Changes](#before-submitting-changes) - - [Code Style](#code-style) - - [Adding Examples](#adding-examples) - ---- - -## Architecture - -### Directory Structure - -``` -policies/_helpers/ -├── README.md # This file -├── PLAN.md # Detailed refactoring plan and migration guide -├── helpers.rego # Main orchestration layer -├── shared.rego # Shared utility functions -└── policies/ # Policy-specific modules - ├── blacklist.rego - ├── whitelist.rego - ├── range.rego - ├── pattern_blacklist.rego - ├── pattern_whitelist.rego - └── element_blacklist.rego -``` - -### Component Responsibilities - -#### **helpers.rego** - Orchestration Layer -- **Package:** `terraform.helpers` -- **Role:** Main entry point and coordinator -- **Responsibilities:** - - Aggregate policy results across multiple conditions - - Route evaluation to appropriate policy modules - - Apply AND logic for multi-condition situations (resources must 
fail ALL conditions to be non-compliant) - - Format summary output for end users - -**Key Functions:** -- `get_multi_summary(conditions, tf_variables)` - Main entry point -- `select_policy_logic(...)` - Routes to correct policy module -- `set_intersection_all(sets)` - Implements AND logic via set intersection - -#### **shared.rego** - Utility Library -- **Package:** `terraform.helpers.shared` -- **Role:** Shared functions used by all modules -- **Responsibilities:** - - Resource attribute extraction - - Attribute path formatting - - Data normalization - - Empty value handling - - Pattern matching utilities - -**No imports** - Designed to avoid circular dependencies - -**Key Functions:** -- `get_resource_attribute(resource, key)` - Extract resource attributes safely -- `format_attribute_path(path)` - Convert paths to readable strings -- `ensure_array(values)` - Normalize to array format -- `get_target_list(resource, path, pattern)` - Extract wildcard matches - -#### **policies/*.rego** - Policy Modules -- **Packages:** `terraform.helpers.policies.` -- **Role:** Implement specific policy evaluation logic -- **Responsibilities:** - - Detect violations for their specific policy type - - Generate formatted violation messages - - Filter resources based on policy constraints - -**All modules follow the same interface:** -```rego -get_violations(tf_variables, attribute_path, values) = results -``` - ---- - -## Policy Types - -### 1. Blacklist -**Module:** `policies/blacklist.rego` -**Use Case:** Forbid specific values - -**Logic:** -- Scalar values: Direct match = violation -- Arrays: ANY element matching = violation (OR logic) -- Special: Empty array `[]` can be explicitly blacklisted - -**Example:** -```json -{ - "policy_type": "Blacklist", - "attribute_path": "enable_private_nodes", - "values": [false] -} -``` - -### 2. 
Whitelist -**Module:** `policies/whitelist.rego` -**Use Case:** Allow only specific values - -**Logic:** -- Scalar values: Not in allowed list = violation -- Arrays: ALL elements must be allowed (AND logic) - -**Example:** -```json -{ - "policy_type": "Whitelist", - "attribute_path": "config_encryption_type", - "values": ["CMEK"] -} -``` - -### 3. Range -**Module:** `policies/range.rego` -**Use Case:** Enforce numeric bounds - -**Logic:** -- Value must be between lower and upper bound (inclusive) -- Requires exactly 2 values: `[lower, upper]` - -**Example:** -```json -{ - "policy_type": "Range", - "attribute_path": "retention_period", - "values": [2592000, 31536000] -} -``` - -### 4. Pattern Blacklist -**Module:** `policies/pattern_blacklist.rego` -**Use Case:** Forbid patterns with wildcard matching - -**Logic:** -- Extract substrings using `*` wildcards in target pattern -- Check each position against position-specific blacklists -- ANY match = violation (OR logic) - -**Example:** -```json -{ - "policy_type": "Pattern Blacklist", - "attribute_path": "name", - "values": [ - "projects/*/locations/*", - [["test-project"], ["us-east1", "europe-west1"]] - ] -} -``` - -### 5. Pattern Whitelist -**Module:** `policies/pattern_whitelist.rego` -**Use Case:** Allow only specific patterns with wildcard matching - -**Logic:** -- Extract substrings using `*` wildcards in target pattern -- Check each position against position-specific whitelists -- ANY non-match = violation - -**Example:** -```json -{ - "policy_type": "Pattern Whitelist", - "attribute_path": "project_id", - "values": [ - "projects/*", - [["prod-", "staging-"]] - ] -} -``` - -### 6. 
Element Blacklist -**Module:** `policies/element_blacklist.rego` -**Use Case:** Forbid array elements containing substrings - -**Logic:** -- Array attribute must be checked -- ANY element containing ANY pattern = violation -- Uses simple substring matching (`contains`) - -**Example:** -```json -{ - "policy_type": "Element Blacklist", - "attribute_path": ["status", 0, "restricted_services"], - "values": ["*", "0.0.0.0"] -} -``` - ---- - -## Usage Guide - -### Input Format - -**tf_variables:** -```json -{ - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name" -} -``` - -**conditions:** Array of situation objects -```json -[ - { - "situation_description": "Buckets must use CMEK encryption", - "remedies": ["Enable CMEK encryption", "Configure encryption key"], - "condition": "Encryption configuration", - "policy_type": "Whitelist", - "attribute_path": "encryption_type", - "values": ["CUSTOMER_MANAGED_ENCRYPTION"] - } -] -``` - -### Multi-Condition Example (AND Logic) - -Resources must violate ALL conditions in a situation to be non-compliant: - -```rego -conditions := [ - { - "situation_description": "Production buckets require strict settings", - "remedies": ["Update configuration"], - - # Condition 1: Name must start with "prod-" - "condition": "Production naming", - "policy_type": "Pattern Whitelist", - "attribute_path": "name", - "values": ["prod-*", [["prod-"]]] - }, - { - # Condition 2: Must use CMEK - "condition": "Encryption type", - "policy_type": "Whitelist", - "attribute_path": "encryption_type", - "values": ["CMEK"] - } -] -``` - -Only buckets that BOTH: -1. Don't match "prod-*" pattern, AND -2. Don't use CMEK encryption - -...will be flagged as non-compliant. 
- -### Output Format - -```json -{ - "message": [ - "Total Storage Bucket detected: 5", - [ - "Situation 1: Buckets must use CMEK encryption", - "Non-Compliant Resources: my-bucket-1, my-bucket-2", - "Potential Remedies: Enable CMEK encryption, Configure encryption key" - ] - ], - "details": [ - { - "situation": "Buckets must use CMEK encryption", - "remedies": ["Enable CMEK encryption", "Configure encryption key"], - "non_compliant_resources": ["my-bucket-1", "my-bucket-2"], - "conditions": [ - { - "Encryption configuration": [ - { - "name": "my-bucket-1", - "message": "Storage Bucket 'my-bucket-1' has 'encryption_type' set to 'GOOGLE_DEFAULT_ENCRYPTION'. It should be set to '[\"CUSTOMER_MANAGED_ENCRYPTION\"]'" - } - ] - } - ] - } - ] -} -``` - ---- - -## Testing - -### Quick Smoke Tests - -Run all policy types with pass/fail output: - -```bash -cd /path/to/Policy-Deployment-Engine -./tests/smoke_test_helpers.sh -``` - -### Detailed Verification - -View full output for debugging: - -```bash -./tests/verify_helpers.sh -``` - -### Individual Policy Tests - -Test specific policy modules: - -```bash -# Blacklist test -opa eval --data ./policies/_helpers --data ./policies/gcp \ - --input ./inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_service_perimeter/status/plan.json \ - "data.terraform.gcp.security.access_context_manager_vpc_service_controls.access_context_manager_service_perimeter.status.message" \ - --format pretty - -# Whitelist test -opa eval --data ./policies/_helpers --data ./policies/gcp \ - --input ./inputs/gcp/api_hub/google_apihub_api_hub_instance/config_encryption_type/plan.json \ - "data.terraform.gcp.security.api_hub.google_apihub_api_hub_instance.config_encryption_type.message" \ - --format pretty - -# Range test -opa eval --data ./policies/_helpers --data ./policies/gcp \ - --input ./inputs/gcp/cloud_storage/google_storage_bucket/retention_period/plan.json \ - 
"data.terraform.gcp.security.cloud_storage.google_storage_bucket.message" \ - --format pretty -``` - -### Creating Test Inputs - -Generate Terraform plan JSON for testing: - -```bash -terraform plan --out=plan -terraform show -json plan | cat > plan.json -``` - ---- - -## Adding New Policy Types - -### Step 1: Create Policy Module - -Create `policies/.rego`: - -```rego -package terraform.helpers.policies. - -import data.terraform.helpers.shared - -# Public API - must match this signature -get_violations(tf_variables, attribute_path, values) = results if { - nc_resources := _get_resources(tf_variables.resource_type, attribute_path, values) - results := { - _build_violation(tf_variables, attribute_path, values, resource) | - some resource in nc_resources - } -} - -# Private helper - filter non-compliant resources -_get_resources(resource_type, attribute_path, values) = resources if { - resources := { - resource | - resource := input.planned_values.root_module.resources[_] - resource.type == resource_type - # Your policy logic here - } -} - -# Private helper - format violation message -_build_violation(tf_variables, attribute_path, values, resource) = violation if { - violation := { - "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), - "message": _format_message(...) - } -} - -_format_message(...) = msg if { - msg := sprintf("...", [...]) -} -``` - -### Step 2: Update helpers.rego - -Add import: -```rego -import data.terraform.helpers.policies. -``` - -Add routing rule: -```rego -select_policy_logic(tf_variables, attribute_path, values_formatted, "") = results if { - results := .get_violations(tf_variables, attribute_path, values_formatted) -} -``` - -### Step 3: Create Tests - -Create test files following the pattern in `tests/_helpers/`. - -### Step 4: Document - -Update this README with: -- Policy type description -- Logic explanation -- Example usage - ---- - -## Design Principles - -### 1. 
Standardized Interfaces -All policy modules export the same public API: -```rego -get_violations(tf_variables, attribute_path, values) = results -``` - -This consistency enables: -- Easy addition of new policy types -- Predictable behavior -- Simple orchestration logic - -### 2. Separation of Concerns -- **helpers.rego** - Orchestration only, no policy logic -- **shared.rego** - Pure utility functions, no policy decisions -- **policies/*.rego** - Self-contained policy implementations - -### 3. Encapsulation -- Public functions: `get_violations()` -- Private functions: `_prefixed_with_underscore()` -- No cross-module dependencies between policy modules - -### 4. Defensive Programming -- Null-safe attribute access via `object.get(resource.values, path, null)` -- Type checking before operations -- Fallback values for missing data - -### 5. No Circular Dependencies -`shared.rego` has no imports to ensure it can be imported by all modules without circular dependency issues. - ---- - -## Common Patterns - -### Accessing Resource Attributes - -```rego -# Safe with fallback -attribute_value := shared.get_attribute_value(resource, attribute_path) - -# Get resource identifier -resource_name := shared.get_resource_attribute(resource, tf_variables.resource_value_name) -``` - -### Formatting Paths - -```rego -# ["status", 0, "restricted_services"] → "status.[0].restricted_services" -path_string := shared.format_attribute_path(attribute_path) -``` - -### Array Normalization - -```rego -# Ensure value is array (handles both single values and arrays) -values_array := shared.ensure_array(values) -``` - -### Set Comprehensions - -```rego -# Build set of non-compliant resources -nc_resources := { - resource | - resource := input.planned_values.root_module.resources[_] - resource.type == resource_type - # violation condition here -} -``` - ---- - -## Troubleshooting - -### Issue: Policy not detecting violations - -**Check:** -1. Is the `resource_type` correct in tf_variables? -2. 
Does the `attribute_path` match the actual resource structure? -3. Is the policy type string exactly correct (case-sensitive)? -4. Run with `--explain full` to see evaluation trace - -**Debug command:** -```bash -opa eval --explain full --data ./policies/_helpers --data ./policies/gcp \ - --input ./inputs/gcp/.../plan.json \ - "data.terraform.gcp.security..." \ - --format pretty -``` - -### Issue: "resource attribute not found" error - -**Cause:** The `resource_value_name` doesn't match the actual attribute in the resource. - -**Solution:** -1. Check the Terraform plan JSON structure -2. Common values: `"name"`, `"id"`, `"bucket"`, `"project"` -3. Update `resource_value_name` in tf_variables - -### Issue: Empty results when violations expected - -**Check:** -1. Is `--data ./policies/_helpers` included in the opa eval command? -2. Is the input JSON correctly formatted? -3. Are resources in `planned_values.root_module.resources`? - -### Issue: Pattern matching not working - -**For Pattern Whitelist/Blacklist:** -1. Verify target pattern has `*` wildcards -2. Ensure patterns array has one sub-array per wildcard -3. Check that attribute value matches target pattern structure - ---- - -## Performance Considerations - -### Set Operations -The framework uses Rego's native set operations for efficient intersections: -```rego -# Efficient AND logic via set intersection -failing_resources := set_intersection_all(resource_sets) -``` - -### Resource Filtering -Policy modules use set comprehensions for parallel evaluation: -```rego -resources := { - resource | - resource := input.planned_values.root_module.resources[_] - # filters applied in parallel -} -``` - -### Avoid Over-fetching -- Don't load full resource objects when only checking one attribute -- Use `object.get()` for safe, efficient attribute access - ---- - -## Migration Notes - -This framework was refactored from a monolithic `helpers.rego` into modular components. 
See `PLAN.md` for: -- Detailed migration checklist -- Rationale for architectural decisions -- Step-by-step refactoring guide - -**Key Changes:** -- Policy logic moved from helpers.rego to individual modules -- Shared utilities centralized in shared.rego -- Standardized interface across all policy types -- Improved testability and maintainability - ---- - -## Contributing - -### Before Submitting Changes - -1. **Run tests:** Ensure all smoke tests pass - ```bash - ./tests/smoke_test_helpers.sh - ``` - -2. **Test your specific changes:** Run relevant individual policy tests - -3. **Update documentation:** Add examples and update this README if adding features - -4. **Follow naming conventions:** - - Public functions: `get_violations()`, `format_message()` - - Private functions: `_get_resources()`, `_build_violation()` - -### Code Style - -- Use descriptive variable names -- Add comments for complex logic -- Include function docstrings explaining parameters and return values -- Keep functions focused and single-purpose - -### Adding Examples - -When adding new policy types or features, include: -1. Description of the use case -2. Example policy JSON -3. Expected behavior explanation -4. Test case with sample input/output - ---- - -**Last Updated:** December 2025 diff --git a/policies/_helpers/helpers.rego b/policies/_helpers/helpers.rego deleted file mode 100644 index df98d193e..000000000 --- a/policies/_helpers/helpers.rego +++ /dev/null 
@@ -1,249 +0,0 @@ -package terraform.helpers -# Tested on OPA Version: 1.2.0, Rego Version: v1 - -# Policy Orchestration Layer -# -# This module serves as the main entry point for all policy evaluation. -# It coordinates policy execution across multiple situations and conditions, -# aggregating results and formatting them for consumption. -# -# Architecture: -# - Delegates policy logic to specialized modules (blacklist, whitelist, range, etc.) -# - Uses set intersection for AND logic across conditions -# - Returns structured summaries with violation details - -import data.terraform.helpers.shared -import data.terraform.helpers.policies.blacklist -import data.terraform.helpers.policies.whitelist -import data.terraform.helpers.policies.range -import data.terraform.helpers.policies.pattern_blacklist -import data.terraform.helpers.policies.pattern_whitelist -import data.terraform.helpers.policies.element_blacklist - -################################################################################ -# Public API -################################################################################ - -# Main entry point for policy evaluation -# -# Evaluates a set of policy conditions against Terraform plan resources and -# returns a structured summary of compliant and non-compliant resources. 
-# -# Parameters: -# conditions - Array of condition groups, each containing: -# - situation_description: Human-readable scenario name -# - remedies: Array of suggested fixes -# - condition objects with policy_type, attribute_path, values -# tf_variables - Resource configuration containing: -# - resource_type: Terraform resource type (e.g., "google_storage_bucket") -# - friendly_resource_name: Display name for messages -# - value_name: Attribute key for resource identification -# -# Returns: -# Object with: -# - message: Array of formatted summary strings -# - details: Array of situation results with non_compliant_resources -# -# Logic: -# Resources must fail ALL conditions within a situation to be non-compliant (AND logic) -get_multi_summary(conditions, tf_variables) = summary if { - # Count resources without storing them - resource_count := count([r | - r := input.planned_values.root_module.resources[_] - r.type == tf_variables.resource_type - ]) - - # Build situation results using declarative approach - situation_results := build_situation_results(tf_variables, conditions) - - summary := { - "message": format_summary_messages( - tf_variables.friendly_resource_name, - resource_count, - situation_results - ), - "details": situation_results - } -} else := "Policy type not supported." 
- -################################################################################ -# Situation Processing -################################################################################ - -# Build all situation results in one pass -build_situation_results(tf_variables, conditions) = results if { - results := [ - build_single_situation(tf_variables, condition_group) | - some condition_group in conditions - ] -} - -# Process a single situation (metadata + conditions) -build_single_situation(tf_variables, condition_group) = situation_result if { - # Extract metadata - metadata := extract_situation_metadata(condition_group) - - # Evaluate all conditions for this situation - condition_results := evaluate_conditions(tf_variables, condition_group) - - # Find resources that fail ALL conditions (AND logic) - nc_resources := find_failing_resources(condition_results) - - situation_result := { - "situation": metadata.description, - "remedies": metadata.remedies, - "non_compliant_resources": nc_resources, - "conditions": condition_results - } -} - -# Extract metadata from condition group -extract_situation_metadata(condition_group) = metadata if { - # Find metadata entry - description := shared.get_value_from_array(condition_group, "situation_description") - remedies := shared.get_value_from_array(condition_group, "remedies") - - metadata := { - "description": description, - "remedies": remedies - } -} - -################################################################################ -# Condition Evaluation -################################################################################ - -# Evaluate all conditions, returning structured results -evaluate_conditions(tf_variables, condition_group) = results if { - results := [ - {condition_obj.condition: violations} | - some condition_entry in condition_group - condition_obj := condition_entry - condition_obj.policy_type # Skip metadata entries without policy_type - - # Get violations for this condition - values := 
shared.ensure_array(condition_obj.values) - policy_type := lower(condition_obj.policy_type) - violations := select_policy_logic( - tf_variables, - condition_obj.attribute_path, - values, - policy_type - ) - ] -} - -# Find resources failing ALL conditions using set intersection -find_failing_resources(condition_results) = failing_resources if { - # Extract resource names from each condition into sets - resource_sets := [ - {resource.name | - some _, violations in condition_results[_] - some resource in violations - } - ] - - # Apply intersection across all sets - count(resource_sets) > 0 - failing_resources := set_intersection_all(resource_sets) -} else = set() - -################################################################################ -# Policy Type Dispatch -################################################################################ -# Routes evaluation to appropriate policy module based on policy_type string -# Each policy type implements its own violation detection logic - -select_policy_logic(tf_variables, attribute_path, values_formatted, "blacklist") = results if { - results := blacklist.get_violations(tf_variables, attribute_path, values_formatted) -} - -select_policy_logic(tf_variables, attribute_path, values_formatted, "whitelist") = results if { - results := whitelist.get_violations(tf_variables, attribute_path, values_formatted) -} - -select_policy_logic(tf_variables, attribute_path, values_formatted, "range") = results if { - results := range.get_violations(tf_variables, attribute_path, values_formatted) -} - -select_policy_logic(tf_variables, attribute_path, values_formatted, "pattern blacklist") = results if { - results := pattern_blacklist.get_violations(tf_variables, attribute_path, values_formatted) -} - -select_policy_logic(tf_variables, attribute_path, values_formatted, "pattern whitelist") = results if { - results := pattern_whitelist.get_violations(tf_variables, attribute_path, values_formatted) -} - 
-select_policy_logic(tf_variables, attribute_path, values_formatted, "element blacklist") = results if { - results := element_blacklist.get_violations(tf_variables, attribute_path, values_formatted) -} - -# Fallback for unknown policy types -select_policy_logic(_, _, _, policy_type) = results if { - not policy_type in ["blacklist", "whitelist", "range", "pattern blacklist", "pattern whitelist", "element blacklist"] - results := { - {"error": sprintf("Unknown policy type: '%s'. Valid types: blacklist, whitelist, range, pattern blacklist, pattern whitelist, element blacklist", [policy_type])} - } -} - -################################################################################ -# Output Formatting -################################################################################ - -# Format messages using array comprehension -format_summary_messages(resource_name, total_count, situations) = messages if { - header := sprintf("Total %s detected: %d ", [resource_name, total_count]) - - situation_messages := [msg | - some i - sit := situations[i] - - # Convert set to array for formatting - nc_list := [r | some r in sit.non_compliant_resources] - - # Handle empty case: display "All passed" if no violations - display_list := _get_display_list(nc_list) - - msg := array.concat( - [ - sprintf("Situation %d: %s", [i+1, sit.situation]), - sprintf("Non-Compliant Resources: %s", [concat(", ", display_list)]) - ], - [sprintf("Potential Remedies: %s", [concat(", ", sit.remedies)]) | count(nc_list) > 0] - ) - ] - - messages := array.concat([header], situation_messages) -} - -# Helper to format non-compliant resources list -_get_display_list(nc_list) = ["None - All passed"] if { - count(nc_list) == 0 -} -_get_display_list(nc_list) = nc_list if { - count(nc_list) > 0 -} - -################################################################################ -# Set Utilities -################################################################################ - -# Improved set intersection 
using native Rego idioms -set_intersection_all(sets) = result if { - count(sets) == 0 - result := set() -} else = result if { - count(sets) == 1 - result := sets[0] -} else = result if { - # Find intersection of all sets using 'every' keyword - first_set := sets[0] - # Set comprehension: for each resource in first_set, include it in result - # only if it exists in every remaining set (intersection logic) - result := {resource | - some resource in first_set - every remaining_set in sets { - resource in remaining_set - } - } -} \ No newline at end of file diff --git a/policies/_helpers/policies/blacklist.rego b/policies/_helpers/policies/blacklist.rego deleted file mode 100644 index 8dc187174..000000000 --- a/policies/_helpers/policies/blacklist.rego +++ /dev/null 
@@ -1,81 +0,0 @@ -package terraform.helpers.policies.blacklist - -# Blacklist Policy -# -# Detects resources with attributes matching forbidden values. -# Supports both scalar values and arrays with OR logic (any match = violation). -# -# Special case: Empty array [] can be blacklisted explicitly. - -import data.terraform.helpers.shared - -# Identifies resources violating blacklist constraints -# -# Parameters: -# tf_variables - Resource metadata (resource_type, friendly_resource_name, value_name) -# attribute_path - Path to attribute being evaluated (array or string) -# blacklisted_values - Array of forbidden values -# -# Returns: -# Set of violation objects with {name, message} -get_violations(tf_variables, attribute_path, blacklisted_values) = results if { - nc_resources := _get_resources(tf_variables.resource_type, attribute_path, blacklisted_values) - results := { - _build_violation(tf_variables, attribute_path, blacklisted_values, resource) | - some resource in nc_resources - } -} - -_build_violation(tf_variables, attribute_path, blacklisted_values, resource) = violation if { - attribute_path_string := shared.format_attribute_path(attribute_path) - attribute_value := shared.get_attribute_value(resource, attribute_path) - - violation := { - "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), - "message": _format_message( - tf_variables.friendly_resource_name, - shared.get_resource_attribute(resource, tf_variables.resource_value_name), - attribute_path_string, - attribute_value, - shared.empty_message(attribute_value), - blacklisted_values - ) - } -} - -# Check if a value is blacklisted (handles both scalars and arrays) -_is_blacklisted(forbidden, value) if { - # Handle empty array blacklisting specifically - [] in forbidden - is_array(value) - count(value) == 0 -} - -_is_blacklisted(forbidden, value) if { - # Array case: ANY intersection means violation (OR logic) - is_array(value) - forbidden_set := {x | some x in forbidden} - 
value_set := {x | some x in value} - count(forbidden_set & value_set) > 0 -} - -_is_blacklisted(forbidden, value) if { - # Scalar case: direct membership check - shared.value_in_array(forbidden, value) -} - -_get_resources(resource_type, attribute_path, blacklisted_values) = resources if { - resources := { - resource | - resource := input.planned_values.root_module.resources[_] - resource.type == resource_type - _is_blacklisted(blacklisted_values, shared.get_attribute_value(resource, attribute_path)) - } -} - -_format_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, nc_values) = msg if { - msg := sprintf( - "%s '%s' has '%s' set to '%v'%s. This is blacklisted: %v", - [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, nc_values] - ) -} \ No newline at end of file diff --git a/policies/_helpers/policies/element_blacklist.rego b/policies/_helpers/policies/element_blacklist.rego deleted file mode 100644 index 795061b38..000000000 --- a/policies/_helpers/policies/element_blacklist.rego +++ /dev/null 
@@ -1,109 +0,0 @@ -package terraform.helpers.policies.element_blacklist - -# Element Blacklist Policy -# -# Detects array attributes containing elements with blacklisted substrings. -# Uses simple substring matching (contains) rather than regex patterns. -# -# Example: -# patterns: ["test", "staging"] -# Violates if any array element contains "test" or "staging" - -import data.terraform.helpers.shared - -# Identifies resources with array elements containing blacklisted substrings -# -# Parameters: -# tf_variables - Resource metadata -# attribute_path - Path to array attribute -# patterns - Array of substring patterns to match against -# -# Returns: -# Set of violation objects with {name, message} -get_violations(tf_variables, attribute_path, patterns) = results if { - nc_resources := _get_resources(tf_variables.resource_type, attribute_path, patterns) - results := { - _build_violation(tf_variables, attribute_path, patterns, resource) | - some resource in nc_resources - } -} - -_build_violation(tf_variables, attribute_path, patterns, resource) = violation if { - attribute_path_string := shared.format_attribute_path(attribute_path) - array_value := shared.get_attribute_value(resource, attribute_path) - violating_elements := [elem | - elem := array_value[_] - some pattern in patterns - contains(elem, pattern) - ] - - violation := { - "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), - "message": _format_message( - tf_variables.friendly_resource_name, - shared.get_resource_attribute(resource, tf_variables.resource_value_name), - attribute_path_string, - violating_elements, - patterns - ) - } -} - - -# get_resources() filters Terraform resources based on array element content violations. 
-# -# Parameters: -# resource_type - Terraform resource type (e.g., "google_access_context_manager_service_perimeter") -# attribute_path - Array path to target array attribute (e.g., ["status", 0, "restricted_services"]) -# patterns - Array of forbidden substrings (e.g., ["*", "0.0.0.0"]) -# -# Returns: -# An array of resources that violate the policy by having at least one array element -# containing at least one of the blacklisted patterns. Returns empty array if no violations found. -# -# Example: -# For a resource with restricted_services = ["*.googleapis.com", "storage.googleapis.com"] -# and patterns = ["*"], this function returns the resource because "*.googleapis.com" contains "*" -_get_resources(resource_type, attribute_path, patterns) = resources if { - resources := { - resource | - resource := input.planned_values.root_module.resources[_] - resource.type == resource_type - array_value := shared.get_attribute_value(resource, attribute_path) - is_array(array_value) - # Check if ANY element contains ANY pattern - collect matches - matches := [1 | - some element in array_value - some pattern in patterns - contains(element, pattern) - ] - count(matches) > 0 - } -} - - -# format_message() generates a human-readable error message for element blacklist violations. -# -# Parameters: -# friendly_resource_name - Human-readable resource type (e.g., "Service Perimeter", "Storage Bucket") -# resource_value_name - Specific resource identifier (e.g., "my-service-perimeter") -# attribute_path_string - Path to violating attribute (e.g., "status.[0].restricted_services") -# violating_elements - Array containing blacklisted patterns (e.g., ["*.googleapis.com"]) -# patterns - Array of forbidden substrings (e.g., ["*", "0.0.0.0"]) -# -# Returns: -# Formatted error message for and user feedback. 
-# -# Message Format: -# "{friendly_resource_name} '{resource_value_name}' has '{attribute_path_string}' containing blacklisted patterns -# {patterns} in elements: {violating_elements}" -# -# Example Output: -# "Service Perimeter 'my-perimeter' has 'status.[0].restricted_services' containing blacklisted patterns [\"*\"] in -# elements: [\"*.googleapis.com\"]" -_format_message(friendly_resource_name, resource_value_name, attribute_path_string, violating_elements, patterns) = msg if { - msg := sprintf( - "%s '%s' has '%s' containing blacklisted patterns %v in elements: %v", - [friendly_resource_name, resource_value_name, attribute_path_string, patterns, violating_elements] - ) -} diff --git a/policies/_helpers/policies/pattern_blacklist.rego b/policies/_helpers/policies/pattern_blacklist.rego deleted file mode 100644 index f7596760a..000000000 --- a/policies/_helpers/policies/pattern_blacklist.rego +++ /dev/null 
@@ -1,91 +0,0 @@ -package terraform.helpers.policies.pattern_blacklist - -# Pattern Blacklist Policy -# -# Detects resources where wildcard-extracted substrings match blacklisted patterns. -# Uses target pattern with * wildcards to extract substrings, then checks each -# against position-specific blacklists. -# -# Example: -# target: "projects/*/locations/*" -# patterns: [["test-project"], ["us-east1", "europe-west1"]] -# Matches if project is "test-project" OR location is blacklisted region - -import data.terraform.helpers.shared - -# Identifies resources matching pattern blacklist constraints -# -# Parameters: -# tf_variables - Resource metadata -# attribute_path - Path to attribute for pattern matching -# values_formatted - [target_pattern, patterns_array] where: -# - target_pattern: String with * wildcards -# - patterns_array: Array of arrays (one per wildcard position) -# -# Returns: -# Set of violation objects with {name, message} -get_violations(tf_variables, attribute_path, values_formatted) = results if { - nc_resources := _get_resources(tf_variables.resource_type, attribute_path, values_formatted) - results := { - _build_violation(tf_variables, attribute_path, values_formatted, resource) | - some resource in nc_resources - } -} - -_build_violation(tf_variables, attribute_path, values_formatted, resource) = violation if { - attribute_path_string := shared.format_attribute_path(attribute_path) - nc := _get_blacklist(resource, attribute_path, values_formatted[0], values_formatted[1]) - - violation := { - "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), - "message": _format_message( - tf_variables.friendly_resource_name, - shared.get_resource_attribute(resource, tf_variables.resource_value_name), - attribute_path_string, - shared.get_attribute_value(resource, attribute_path), - nc - ) - } -} - -# Check if a value matches blacklist patterns -_matches_blacklist(patterns, value) if { - shared.value_in_array(patterns, value) -} - 
-_get_blacklist(resource, attribute_path, target, patterns) = ncc if { - target_list = shared.get_target_list(resource, attribute_path, target) # list of targetted substrings - ncc := [ - {"value": target_list[i], "allowed": patterns[i]} | - some i - _matches_blacklist(patterns[i], target_list[i]) # direct mapping of positions of target * with its list of allowed patterns - ] -} - -_get_resources(resource_type, attribute_path, values) = resources if { - resources := { - resource | - target := values[0] # target val string - patterns := values[1] # allowed patterns (list) - resource := input.planned_values.root_module.resources[_] - resource.type == resource_type - count(_get_blacklist(resource, attribute_path, target, patterns)) > 0 # ok, there is a resource with at least one non-compliant - } -} - -_format_message(friendly_resource_name, resource_value_name, attribute_path_string, full_value, nc_list) = msg if { - count(nc_list) == 1 - this_nc := nc_list[0] - formatted_value := shared.final_formatter(full_value, this_nc.value) - msg := sprintf( - "%s '%s' has '%s' set to '%s'%s. This is blacklisted: %v", - [friendly_resource_name, resource_value_name, attribute_path_string, formatted_value, shared.empty_message(this_nc.value), this_nc.allowed] - ) -} else = msg if { - count(nc_list) > 1 - failures := concat(", ", [sprintf("position %d '%s' (blacklisted: %v)", [i, nc.value, nc.allowed]) | some i, nc in nc_list]) - msg := sprintf( - "%s '%s' has '%s' set to '%s'. Multiple positions matched blacklist: %s", - [friendly_resource_name, resource_value_name, attribute_path_string, full_value, failures] - ) -} \ No newline at end of file diff --git a/policies/_helpers/policies/pattern_whitelist.rego b/policies/_helpers/policies/pattern_whitelist.rego deleted file mode 100644 index 11dd9fada..000000000 --- a/policies/_helpers/policies/pattern_whitelist.rego +++ /dev/null 
@@ -1,92 +0,0 @@ -package terraform.helpers.policies.pattern_whitelist - -# Pattern Whitelist Policy -# -# Detects resources where wildcard-extracted substrings DON'T match allowed patterns. -# Uses target pattern with * wildcards to extract substrings, then validates each -# against position-specific whitelists. -# -# Example: -# target: "projects/*/locations/*" -# patterns: [["prod-project"], ["us-central1"]] -# Violates if project is NOT "prod-project" OR location is NOT "us-central1" - -import data.terraform.helpers.shared - -# Identifies resources violating pattern whitelist constraints -# -# Parameters: -# tf_variables - Resource metadata -# attribute_path - Path to attribute for pattern matching -# values_formatted - [target_pattern, patterns_array] where: -# - target_pattern: String with * wildcards -# - patterns_array: Array of arrays (one per wildcard position) -# -# Returns: -# Set of violation objects with {name, message} -get_violations(tf_variables, attribute_path, values_formatted) = results if { - nc_resources := _get_resources(tf_variables.resource_type, attribute_path, values_formatted) - results := { - _build_violation(tf_variables, attribute_path, values_formatted, resource) | - some resource in nc_resources - } -} - -_build_violation(tf_variables, attribute_path, values_formatted, resource) = violation if { - attribute_path_string := shared.format_attribute_path(attribute_path) - nc := _get_whitelist(resource, attribute_path, values_formatted[0], values_formatted[1]) - - violation := { - "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), - "message": _format_message( - tf_variables.friendly_resource_name, - shared.get_resource_attribute(resource, tf_variables.resource_value_name), - attribute_path_string, - shared.get_attribute_value(resource, attribute_path), - nc - ) - } -} - -# Check if a value matches whitelist patterns -_matches_whitelist(patterns, value) if { - shared.value_in_array(patterns, value) -} - 
-_get_whitelist(resource, attribute_path, target, patterns) = ncc if { - target_list = shared.get_target_list(resource, attribute_path, target) # list of targetted substrings - ncc := [ - {"value": target_list[i], "allowed": patterns[i]} | - some i - not _matches_whitelist(patterns[i], target_list[i]) # direct mapping of positions of target * with its list of allowed patterns - ] -} - -_get_resources(resource_type, attribute_path, values) = resources if { - resources := { - resource | - target := values[0] # target val string - patterns := values[1] # allowed patterns (list) - resource := input.planned_values.root_module.resources[_] - resource.type == resource_type - count(_get_whitelist(resource, attribute_path, target, patterns)) > 0 # ok, there is a resource with at least one non-compliant - } -} - -_format_message(friendly_resource_name, resource_value_name, attribute_path_string, full_value, nc_list) = msg if { - count(nc_list) == 1 - this_nc := nc_list[0] - formatted_value := shared.final_formatter(full_value, this_nc.value) - msg := sprintf( - "%s '%s' has '%s' set to '%s'%s. It should be set to one of: %v", - [friendly_resource_name, resource_value_name, attribute_path_string, formatted_value, shared.empty_message(this_nc.value), this_nc.allowed] - ) -} else = msg if { - count(nc_list) > 1 - failures := concat(", ", [sprintf("position %d '%s' (allowed: %v)", [i, nc.value, nc.allowed]) | some i, nc in nc_list]) - msg := sprintf( - "%s '%s' has '%s' set to '%s'. Multiple positions failed: %s", - [friendly_resource_name, resource_value_name, attribute_path_string, full_value, failures] - ) -} - diff --git a/policies/_helpers/policies/range.rego b/policies/_helpers/policies/range.rego deleted file mode 100644 index 93a8ceed3..000000000 --- a/policies/_helpers/policies/range.rego +++ /dev/null 
@@ -1,88 +0,0 @@ -package terraform.helpers.policies.range - -# Range Policy -# -# Detects resources with numeric attributes outside specified bounds. -# Both lower and upper bounds are required. -# -# Example: [10, 100] requires value between 10 and 100 (inclusive) - -import data.terraform.helpers.shared - -################################################################################ -# Range Validation Utilities -################################################################################ - -# Checks if a value is within the specified range (inclusive) -_test_value_range(value, lower_bound, upper_bound) if { - value >= lower_bound - value <= upper_bound -} - -################################################################################ -# Public API -################################################################################ - -# Identifies resources with numeric attributes outside specified range -# -# Parameters: -# tf_variables - Resource metadata -# attribute_path - Path to numeric attribute -# values_formatted - Two-element array [lower_bound, upper_bound] -# -# Returns: -# Set of violation objects with {name, message} -get_violations(tf_variables, attribute_path, values_formatted) = results if { - count(values_formatted) == 2 - lower_bound := values_formatted[0] - upper_bound := values_formatted[1] - - nc_resources := _get_resources(tf_variables.resource_type, attribute_path, lower_bound, upper_bound) - results := { - _build_violation(tf_variables, attribute_path, lower_bound, upper_bound, resource) | - some resource in nc_resources - } -} - -_build_violation(tf_variables, attribute_path, lower_bound, upper_bound, resource) = violation if { - attribute_path_string := shared.format_attribute_path(attribute_path) - attribute_value := shared.get_attribute_value(resource, attribute_path) - - violation := { - "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), - "message": _format_message( - 
tf_variables.friendly_resource_name, - shared.get_resource_attribute(resource, tf_variables.resource_value_name), - attribute_path_string, - attribute_value, - shared.empty_message(attribute_value), - lower_bound, - upper_bound - ) - } -} - -_get_resources(resource_type, attribute_path, lower_bound, upper_bound) = resources if { - resources := { - resource | - resource := input.planned_values.root_module.resources[_] - resource.type == resource_type - attribute_value := to_number(shared.get_attribute_value(resource, attribute_path)) - not _test_value_range(attribute_value, lower_bound, upper_bound) - } -} - -_format_message( - friendly_resource_name, - resource_value_name, - attribute_path_string, - nc_value, - empty, - lower_bound, - upper_bound -) = msg if { - msg := sprintf( - "%s '%s' has '%s' set to '%v'%s. It must be between %v and %v", - [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, lower_bound, upper_bound] - ) -} diff --git a/policies/_helpers/policies/whitelist.rego b/policies/_helpers/policies/whitelist.rego deleted file mode 100644 index 7e1442f5f..000000000 --- a/policies/_helpers/policies/whitelist.rego +++ /dev/null 
@@ -1,72 +0,0 @@ -package terraform.helpers.policies.whitelist - -# Whitelist Policy -# -# Detects resources with attributes NOT matching allowed values. -# Supports both scalar values and arrays with AND logic (all must be allowed). - -import data.terraform.helpers.shared - -# Identifies resources violating whitelist constraints -# -# Parameters: -# tf_variables - Resource metadata (resource_type, friendly_resource_name, value_name) -# attribute_path - Path to attribute being evaluated (array or string) -# compliant_values - Array of allowed values -# -# Returns: -# Set of violation objects with {name, message} -get_violations(tf_variables, attribute_path, compliant_values) = results if { - nc_resources := _get_resources(tf_variables.resource_type, attribute_path, compliant_values) - results := { - _build_violation(tf_variables, attribute_path, compliant_values, resource) | - some resource in nc_resources - } -} - -_build_violation(tf_variables, attribute_path, compliant_values, resource) = violation if { - attribute_path_string := shared.format_attribute_path(attribute_path) - attribute_value := shared.get_attribute_value(resource, attribute_path) - - violation := { - "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), - "message": _format_message( - tf_variables.friendly_resource_name, - shared.get_resource_attribute(resource, tf_variables.resource_value_name), - attribute_path_string, - attribute_value, - shared.empty_message(attribute_value), - compliant_values - ) - } -} - -# Check if a value is whitelisted (handles both scalars and arrays) -_is_whitelisted(allowed, value) if { - # Array case: ALL elements must be allowed (AND logic) - is_array(value) - allowed_set := {x | some x in allowed} - value_set := {x | some x in value} - object.subset(allowed_set, value_set) -} - -_is_whitelisted(allowed, value) if { - # Scalar case: direct membership check - shared.value_in_array(allowed, value) -} - -_get_resources(resource_type, 
attribute_path, compliant_values) = resources if { - resources := { - resource | - resource := input.planned_values.root_module.resources[_] - resource.type == resource_type - not _is_whitelisted(compliant_values, shared.get_attribute_value(resource, attribute_path)) - } -} - -_format_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, compliant_values) = msg if { - msg := sprintf( - "%s '%s' has '%s' set to '%v'%s. It should be set to '%v'", - [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, compliant_values] - ) -} diff --git a/policies/_helpers/shared.rego b/policies/_helpers/shared.rego deleted file mode 100644 index b62a7f4bd..000000000 --- a/policies/_helpers/shared.rego +++ /dev/null 
@@ -1,165 +0,0 @@ -package terraform.helpers.shared - -# Shared utility functions used by all policy modules -# No imports to avoid circular dependencies - -################################################################################ -# Resource Attribute Extraction -################################################################################ - -# Retrieves a resource's attribute value with defensive fallback logic -# -# This function handles variations in Terraform resource structure by attempting -# multiple lookup paths. Different resource types and states (planned vs existing) -# may store attributes in different locations within the resource object. -# -# Lookup sequence: -# 1. resource.values[attribute_key] - Primary path for planned resource values -# 2. resource[attribute_key] - Fallback for direct attribute access -# 3. null - Returns null and prints diagnostic error if both paths fail -# -# Parameters: -# tf_resource_object - A Terraform resource object from the plan -# attribute_key - The attribute name to extract (e.g., "name", "id", "bucket") -# -# Returns: -# Value of the specified attribute, or null if attribute doesn't exist -# -# Example: get_resource_attribute(s3_resource, "bucket") → "my-app-logs" -get_resource_attribute(tf_resource_object, attribute_key) = attribute_value if { - tf_resource_object.values[attribute_key] - attribute_value := tf_resource_object.values[attribute_key] -} else = attribute_value if { - attribute_value := tf_resource_object[attribute_key] -} else = null if { - print(sprintf("Resource attribute '%s' for resource type '%s' was not found! Your 'resource_value_name' in vars is wrong. 
Try 'resource_value_name': 'name'.", [attribute_key, tf_resource_object.type])) -} - -################################################################################ -# Attribute Path Formatting -################################################################################ -# This code is used by policies to convert error messages from: -# ["status", 0, "restricted_services"] → "status.[0].restricted_services"all this code -# Converts values from an int to a string but leaves strings as is - - -# Converts values from an int to a string but leaves strings as is -convert_value(x) = string if { - type_name(x) == "number" - string := sprintf("[%v]", [x]) -} - -convert_value(x) = x if { - type_name(x) == "string" -} - -# Converts each entry in attribute path into a string -get_attribute_path(attribute_path) = result if { - is_array(attribute_path) - result := [ val | - x := attribute_path[_] - val := convert_value(x) - ] -} - -# Returns a formatted string of any given attribute path -# Example: ["status", 0, "restricted_services"] → "status.[0].restricted_services" -format_attribute_path(attribute_path) = string_path if { - is_array(attribute_path) - string_path := concat(".", get_attribute_path(attribute_path)) -} - -format_attribute_path(attribute_path) = string_path if { - is_string(attribute_path) - string_path := replace(attribute_path, "_", " ") -} - -################################################################################ -# Data Normalization -################################################################################ - -# Normalizes input values into an array format -# Accepts either a single value or an array and ensures array output -# Used to handle flexible policy definition formats -ensure_array(values) = values if { - is_array(values) -} -ensure_array(values) = [values] if { - not is_array(values) -} - -# Get attribute value from a resource with null fallback -# Simplifies the common pattern of accessing nested resource attributes -# -# 
Enhanced: Array-of-Objects Field Extraction (Added 2025-12-04) -# When the attribute path ends with a string field name and leads to an array of objects, -# this function automatically extracts that field from each object in the array. -get_attribute_value(resource, attribute_path) := extracted_values if { - # Check if this might be an array-of-objects extraction pattern - count(attribute_path) > 1 - last_element := attribute_path[count(attribute_path) - 1] - is_string(last_element) - - # Get the path to the array (everything except the last element) - array_path := array.slice(attribute_path, 0, count(attribute_path) - 1) - array_value := object.get(resource.values, array_path, null) - - # If it's an array of objects, extract the field from each - is_array(array_value) - count(array_value) > 0 - is_object(array_value[0]) - - # Extract the field from each object in the array - extracted_values := [obj[last_element] | obj := array_value[_]; obj[last_element] != null] -} else := object.get(resource.values, attribute_path, null) - -# Searches an array of objects for a specific key and returns its value -# Used to extract metadata from condition groups -get_value_from_array(arr, key) = value if { - some i - obj := arr[i] - obj[key] != null - value := obj[key] -} - -################################################################################ -# Empty Value Handling -################################################################################ - -# Returns warning string for empty values, empty string otherwise -# Handles empty strings and null values gracefully -empty_message(value) = " (EMPTY!)" if { - value == "" -} - -empty_message(value) = "" if { - value != "" -} - -################################################################################ -# Array Membership Checking -################################################################################ - -# Generic helper: Check if a scalar value exists in an array -# Used by policy modules for simple 
membership testing -value_in_array(arr, value) if { - not is_array(value) - arr[_] == value -} - -################################################################################ -# Regex Pattern Utilities (for pattern policies) -################################################################################ - -# Gets the target * pattern - extracts substrings matching wildcard positions -get_target_list(resource, attribute_path, target) = target_list if { - p := regex.replace(target, "\\*", "([^/]+)") - target_value := object.get(resource.values, attribute_path, null) - matches := regex.find_all_string_submatch_n(p, target_value, 1)[0] # all matches, including main string - target_list := array.slice(matches, 1, count(matches)) # leaves every single * match except main string -} else := "Wrong pattern" - -# Formats pattern with quotes for display -final_formatter(target, sub_pattern) = final_format if { - final_format := regex.replace(target, sub_pattern, sprintf("'%s'", [sub_pattern])) -} \ No newline at end of file diff --git a/policies/gcp/_helpers/helpers.rego b/policies/gcp/_helpers/helpers.rego index bf811d45f..6b1b3949e 100644 --- a/policies/gcp/_helpers/helpers.rego +++ b/policies/gcp/_helpers/helpers.rego 
@@ -1,11 +1,587 @@ package terraform.gcp.helpers +# tested on OPA Version: 1.2.0, Rego Version: v1 -# Shim to redirect to common helpers at policies/_helpers/ -# This allows existing GCP policies to continue using terraform.gcp.helpers -# while the actual implementation has moved to terraform.helpers +# Defines the types of policies capable of being processed +policy_types := ["blacklist", "whitelist", "range", "pattern blacklist", "pattern whitelist"] -import data.terraform.helpers +#################################################### -# Re-export the function that policies actually use -# In Rego, we need to wrap the function call, not assign it -get_multi_summary(situations, variables) = helpers.get_multi_summary(situations, variables) +# NEW FUNCTIONS + +# Get resource's name; if not in values, take default "name". Checked! +get_resource_name(this_nc_resource, value_name) = resource_name if { + this_nc_resource.values[value_name] + resource_name := this_nc_resource.values[value_name] +} else = resource_name if { + resource_name := this_nc_resource[value_name] +} else = null if { + print(sprintf("Resource name for '%s' was not found! Your 'resource_value_name' in vars is wrong. Try 'resource_value_name': 'name'.", [this_nc_resource.type])) +} + +# Handle empty array blacklisting specifically +array_contains(arr, elem, pol) if { + pol == "blacklist" + [] in arr # Check if empty array is in blacklisted values + is_array(elem) + count(elem) == 0 # elem is empty +} + +# if elem is an array; checks if elem contains any blacklisted items. e.g., elem=[w, r, a], arr=[a] -> true +array_contains(arr, elem, pol) if { + is_array(elem) + pol == "blacklist" + #print(sprintf("%s", ["bb"])) + arr_to_set = {x | x := arr[_]} + elem_to_set = {x | x := elem[_]} + count(arr_to_set & elem_to_set) > 0 +} + +# if elem is an array; checks if elem is at least a subset of arr. 
e.g., elem=[write, read], arr=[read, write, eat] -> true +array_contains(arr, elem, pol) if { + is_array(elem) + pol == "whitelist" + #print(sprintf("%s", ["ww"])) + arr_to_set = {x | x := arr[_]} + elem_to_set = {x | x := elem[_]} + object.subset(arr_to_set, elem_to_set) +} + +# Generic helper functions: + +# Helper: Check if value exists in array +array_contains(arr, elem, pol) if { + not is_array(elem) + #print(sprintf("%s", ["a2"])) + arr[_] == elem +} + +# For resource filtering +resource_type_match(resource, resource_type) if { + resource.type == resource_type +} + +# Collect all relevant resources +get_all_resources(resource_type) = resources if +{ + resources := [ + resource | + resource := input.planned_values.root_module.resources[_] + resource_type_match(resource, resource_type) + ] +} +# Extract policy type +get_policy_type(chosen_type) = policy_type if { + policy_type := policy_types[_] + policy_type == chosen_type +} + +# Converts values from an int to a string but leaves strings as is +convert_value(x) = string if { + type_name(x) == "number" + string := sprintf("[%v]", [x]) +} + +convert_value(x) = x if { + type_name(x) == "string" +} +# Converts each entry in attribute path into a string +get_attribute_path(attribute_path) = result if { + is_array(attribute_path) + result := [ val | + x := attribute_path[_] + val := convert_value(x) + ] +} +# Returns a formatted string of any given attribute path +format_attribute_path(attribute_path) = string_path if { + is_array(attribute_path) + string_path := concat(".", get_attribute_path(attribute_path)) +} +format_attribute_path(attribute_path) = string_path if { + is_string(attribute_path) + string_path := replace(attribute_path, "_", " ") +} +array_check(values) = result if { + type := type_name(values) + type != "array" + result := [values] +} +array_check(values) = result if { + type := type_name(values) + type == "array" + result := values +} + +# Check if value is empty space +is_empty(value) if { + 
value == "" +} + +# empty_message: if empty, return fomratted warning +empty_message(value) = msg if { + is_empty(value) + msg = " (!!!EMPTY!!!)" +} + +# empty_message: if present, return nothing (space) +empty_message(value) = msg if { + not is_empty(value) + msg = "" +} + +#Checks a value sits between a given range of a passed object with keys upper_bound and lower_bound + +test_value_range(range_values, value) if { + test_lower_range(range_values, value) + test_upper_range(range_values, value) +} + +test_lower_range(range_values,value) = true if { + # Check value exists + not is_null(range_values.lower_bound) + value >= range_values.lower_bound +} + +# Null indicates no lower bound +test_lower_range(range_values,value) = true if { + is_null(range_values.lower_bound) +} + +test_upper_range(range_values,value) = true if { + # Check value exists + not is_null(range_values.upper_bound) + value <= range_values.upper_bound +} + +# Null indicates no higher bound +test_upper_range(range_values,value) = true if { + is_null(range_values.upper_bound) +} + +is_null_or_number(value) if { + is_null(value) # true if value is null +} + +is_null_or_number(value) if { + type_name(value) == "number" # true if value is a number +} + +# Search an array of objects for a specific key, return the value +get_value_from_array(arr, key) = value if { + some i + obj := arr[i] + obj[key] != null + value := obj[key] +} + +# Checks if a set is empty and returns a message if it is +check_empty_set(set,msg) = return if { + count(set) == 0 + return := [msg] +} +check_empty_set(set,msg) = return if { + count(set) != 0 + return := set +} + +#################################################### + +# Entry point for all policies +get_multi_summary(situations, variables) = summary if { # Samira , Patrick + # Unpack values from vars + resource_type := variables.resource_type + friendly_resource_name := variables.friendly_resource_name + value_name := variables.resource_value_name + all_resources := 
get_all_resources(resource_type) + violations := check_violations(resource_type, situations, friendly_resource_name, value_name) + violations_object := process_violations(violations) + formatted_message := format_violations(violations_object) + summary := { + "message": array.concat( + [sprintf("Total %s detected: %d ", [friendly_resource_name, count(all_resources)])], + formatted_message + ), + "details": violations_object + } +} else := "Policy type not supported." + +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[0] # Blacklist + results := get_blacklist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) +} + +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[1] # Whitelist + results := get_whitelist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) +} + +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[2] # Range (Upper and lower bounds) + values_formatted_range := format_range_input(values_formatted[0], values_formatted[1]) + results := get_range_violations(resource_type, attribute_path, values_formatted_range, friendly_resource_name, value_name) +} + +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[3] # Patterns (B) + results := get_pattern_blacklist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) +} + +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[4] # 
Patterns (W) + results := get_pattern_whitelist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) +} + +check_violations(resource_type, situations, friendly_resource_name, value_name) = violations if { + some i + violations := [ + msg | + msg := check_conditions(resource_type, situations[i], friendly_resource_name, value_name) + ] +} + +check_conditions(resource_type, situation, friendly_resource_name, value_name) = violations if { + messages := [ + msg | + condition := situation[_] # per cond + condition_name := condition.condition + attribute_path := condition.attribute_path + values := condition.values + pol := lower(condition.policy_type) + pol == get_policy_type(pol) # checks, leads to else + values_formatted = array_check(values) + msg := {condition_name : select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, pol, value_name)} # all in + ] + sd := get_value_from_array(situation,"situation_description") + remedies := get_value_from_array(situation,"remedies") + violations := { + "situation_description": sd, + "remedies": remedies, + "all_conditions": messages #[{c1 : [{msg, nc}, {msg, nc}, ...]}, {c2 :[{msg, nc}, ...]}, ... 
: [...], ...}] + } +} + +process_violations(violations) = situation_summary if { + # In each set of rules, get each unique nc resource name and each violation message + situation := [ + {sit_desc : {"remedies": remedies, "conds": conds}} | + this_sit := violations[_] + sit_desc := this_sit.situation_description + remedies := this_sit.remedies + conds := this_sit.all_conditions + ] + + # There is an issue here if you use the same situation description however that shouldn't happen + + # Create a set containing only the nc resource for each situation + resource_sets := [ {sit_desc : resource_set} | + this_sit := situation[_] + some key, val in this_sit + sit_desc := key + this_condition := val.conds + resource_set := [nc | + some keyy, vall in this_condition[_] + nc := {x | x := vall[_].name}] + ] + + overall_nc_resources :=[ {sit_desc : intersec} | + this_set := resource_sets[_] + some key, val in this_set + sit_desc := key + intersec := intersection_all(val) + ] + + resource_message := [ {sit : msg} | # USE THIS + some key, val in overall_nc_resources[_] + sit := key + msg := check_empty_set(val, "All passed") + ] + # PER SITUATION + + situation_summary := [ summary | + this_sit := situation[_] + some key, val in this_sit + sit_name := key + details := val.conds + remedies := val.remedies + nc_all := object.get(resource_message[_], sit_name, null) + nc_all != null + + summary := { + "situation" : sit_name, + "remedies" : remedies, + "non_compliant_resources" : nc_all, + "details" : details + } + ] + +} + +format_violations(violations_object) = formatted_message if { + formatted_message := [ + [ sd, nc, remedies] | + some i + this_sit := violations_object[i] + sd := sprintf("Situation %d: %s",[i+1, this_sit.situation]) + resources_value := [value | + value := this_sit.non_compliant_resources[_] + ] + nc := sprintf("Non-Compliant Resources: %s", [concat(", ", resources_value)]) + remedies := sprintf("Potential Remedies: %s", [concat(", ", this_sit.remedies)]) + ] +} 
+ +intersection_all(sets) = result if { + result = {x | + x = sets[0][_] + all_other := [s | s := sets[_]] + every s in all_other { x in s } + } +} +#################################################### + +# Policy type specific methods + +# Each policy type needs the following: +# 1. A method that formats the error message to be displayed for a non-compliant value +# 2. A method that obtains non-complaint resources +# 3. A method that calls method to obtain nc resources and for each calls the format method + +# Blacklist methods + +get_blacklisted_resources(resource_type, attribute_path, blacklisted_values) = resources if { + resources := [ + resource | + resource := input.planned_values.root_module.resources[_] + resource_type_match(resource, resource_type) + # Test array of array and deeply nested values + array_contains(blacklisted_values, object.get(resource.values, attribute_path, null), "blacklist") + ] +} + +get_blacklist_violations(resource_type, attribute_path, blacklisted_values, friendly_resource_name, value_name) = results if { + string_path := format_attribute_path(attribute_path) + results := + [ { "name": get_resource_name(this_nc_resource, value_name), + "message": msg + } | + nc_resources := get_blacklisted_resources(resource_type, attribute_path, blacklisted_values) + this_nc_resource = nc_resources[_] + this_nc_attribute = object.get(this_nc_resource.values, attribute_path, null) + msg := format_blacklist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, this_nc_attribute, empty_message(this_nc_attribute), blacklisted_values) + ] +} + +format_blacklist_message(friendly_resource_name, resource_value_name, string_path, nc_value, empty, nc_values) = msg if { + msg := sprintf( + #Change message however we want it displayed + "%s '%s' has '%s' set to '%v'%s. 
This is blacklisted: %v", + [friendly_resource_name, resource_value_name, string_path, nc_value, empty, nc_values] + ) +} +#################################################### +# Whitelist methods + +format_whitelist_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, compliant_values) = msg if { + msg := sprintf( + "%s '%s' has '%s' set to '%v'%s. It should be set to '%v'", + [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, compliant_values] + ) +} + +get_nc_whitelisted_resources(resource_type, attribute_path, compliant_values) = resources if { + resources := [ + resource | + resource := input.planned_values.root_module.resources[_] + resource_type_match(resource, resource_type) + # Test array of array and deeply nested values + not array_contains(compliant_values, object.get(resource.values, attribute_path, null), "whitelist") + ] +} + +get_whitelist_violations(resource_type, attribute_path, compliant_values, friendly_resource_name, value_name) = results if { + string_path := format_attribute_path(attribute_path) + results := + [ { "name": get_resource_name(this_nc_resource, value_name), + "message": msg + } | + nc_resources := get_nc_whitelisted_resources(resource_type, attribute_path, compliant_values) + this_nc_resource = nc_resources[_] + this_nc_attribute = object.get(this_nc_resource.values, attribute_path, null) + msg := format_whitelist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, this_nc_attribute, empty_message(this_nc_attribute), compliant_values) + ] +} + +#################################################### +# Range methods + +get_upper_bound(range_values) = bound if { + not is_null(range_values.upper_bound) + bound := sprintf("%v", [range_values.upper_bound]) +} +get_upper_bound(range_values) = "Inf" if { + is_null(range_values.upper_bound) +} + +get_lower_bound(range_values) = bound if { + not 
is_null(range_values.lower_bound) + bound := sprintf("%v", [range_values.lower_bound]) +} +get_lower_bound(range_values) = "-Inf" if { + is_null(range_values.lower_bound) +} + +format_range_validation_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, range_values) = msg if { + upper_bound := get_upper_bound(range_values) + lower_bound := get_lower_bound(range_values) + msg := sprintf( + "%s '%s' has '%s' set to '%s'%s. It should be set between '%s and %s'.", + [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, lower_bound, upper_bound] + ) +} + +get_nc_range_resources(resource_type, attribute_path, range_values) = resources if { + resources := [ + resource | + resource := input.planned_values.root_module.resources[_] + resource_type_match(resource, resource_type) + # Test array of array and deeply nested values + not test_value_range(range_values, to_number(object.get(resource.values, attribute_path, null))) + ] +} + +get_range_violations(resource_type, attribute_path, range_values, friendly_resource_name, value_name) = results if { + unpacked_range_values = range_values #[0] <===================================================================== removed [0] - Visal + string_path := format_attribute_path(attribute_path) + results := + [ { "name": get_resource_name(this_nc_resource, value_name), + "message": msg + } | + nc_resources := get_nc_range_resources(resource_type, attribute_path, unpacked_range_values) + this_nc_resource = nc_resources[_] + this_nc_attribute = object.get(this_nc_resource.values, attribute_path, null) + msg := format_range_validation_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, this_nc_attribute, empty_message(this_nc_attribute), unpacked_range_values) + ] +} + +format_range_input(lower,upper) = range_values if { + is_null_or_number(lower) + is_null_or_number(upper) + range_values := 
{"lower_bound":lower,"upper_bound":upper}
+}
+
+format_range_validation_message(
+ friendly_resource_name,
+ resource_value_name,
+ attribute_path_string,
+ nc_value,
+ empty,
+ range_values
+) = msg if {
+ lower := get_lower_bound(range_values)
+ upper := get_upper_bound(range_values)
+
+ msg := sprintf(
+ "%s '%s' has '%s' set to '%v'%s. It must be between %v and %v",
+ [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, lower, upper]
+ )
+}
+
+############### REGEX
+
+# HELPER: gets the target * pattern
+get_target_list(resource, attribute_path, target) = target_list if {
+ p := regex.replace(target, "\\*", "([^/]+)")
+ #print(sprintf("SSSSSSSSSSSSSSSSSSSSound %s", [p]))
+ target_value := object.get(resource.values, attribute_path, null)
+ matches := regex.find_all_string_submatch_n(p, target_value, 1)[0] # all matches, including main string
+ target_list := array.slice(matches, 1, count(matches)) # leaves every single * match except main string
+ #print(sprintf("SSSSSSSSSSSSSSSSSSSSound %s", [target_list]))
+} else := "Wrong pattern"
+
+final_formatter(target, sub_pattern) = final_format if {
+ final_format := regex.replace(target, sub_pattern, sprintf("'%s'", [sub_pattern]))
+}
+
+# PATTERN BLACKLIST
+get_nc_pattern_blacklist(resource, attribute_path, target, patterns) = ncc if {
+ target_list = get_target_list(resource, attribute_path, target) # list of targetted substrings
+ ncc := [
+ {"value": target_list[i], "allowed": patterns[i]} |
+ some i
+ array_contains(patterns[i], target_list[i], "blacklist") # direct mapping of positions of target * with its list of allowed patterns
+ ]
+}
+
+get_nc_pattern_blacklist_resources(resource_type, attribute_path, values) = resources if {
+ resources := [
+ resource |
+ target := values[0] # target val string
+ patterns := values[1] # allowed patterns (list)
+ resource := input.planned_values.root_module.resources[_]
+ resource_type_match(resource, resource_type)
+ 
count(get_nc_pattern_blacklist(resource, attribute_path, target, patterns)) > 0 # ok, there is a resource with at least one non-compliant
+ ]
+}
+
+get_pattern_blacklist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) = results if {
+ string_path := format_attribute_path(attribute_path)
+ results := # and their patterns
+ [ { "name": get_resource_name(this_nc_resource, value_name),
+ "message": msg
+ } |
+ nc_resources := get_nc_pattern_blacklist_resources(resource_type, attribute_path, values_formatted)
+ this_nc_resource = nc_resources[_]
+ nc := get_nc_pattern_blacklist(this_nc_resource, attribute_path, values_formatted[0], values_formatted[1])
+ this_nc := nc[_]
+ msg := format_pattern_blacklist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, final_formatter(object.get(this_nc_resource.values, attribute_path, null), this_nc.value), empty_message(this_nc.value), this_nc.allowed)
+ ]
+}
+
+format_pattern_blacklist_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, allowed_values) = msg if {
+ msg := sprintf(
+ "%s '%s' has '%s' set to '%s'%s. 
This is blacklisted: %s",
+ [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, allowed_values]
+ )
+}
+
+# PATTERN WHITELIST (clone of blacklist, but not array_contains()
+get_nc_pattern_whitelist(resource, attribute_path, target, patterns) = ncc if {
+ target_list = get_target_list(resource, attribute_path, target) # list of targetted substrings
+ ncc := [
+ {"value": target_list[i], "allowed": patterns[i]} |
+ some i
+ not array_contains(patterns[i], target_list[i], "whitelist") # direct mapping of positions of target * with its list of allowed patterns
+ ]
+}
+
+get_nc_pattern_whitelist_resources(resource_type, attribute_path, values) = resources if {
+ resources := [
+ resource |
+ target := values[0] # target val string
+ patterns := values[1] # allowed patterns (list)
+ resource := input.planned_values.root_module.resources[_]
+ resource_type_match(resource, resource_type)
+ count(get_nc_pattern_whitelist(resource, attribute_path, target, patterns)) > 0 # ok, there is a resource with at least one non-compliant
+ ]
+}
+
+get_pattern_whitelist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) = results if {
+ string_path := format_attribute_path(attribute_path)
+ results := # and their patterns
+ [ { "name": get_resource_name(this_nc_resource, value_name),
+ "message": msg
+ } |
+ nc_resources := get_nc_pattern_whitelist_resources(resource_type, attribute_path, values_formatted)
+ this_nc_resource = nc_resources[_]
+ nc := get_nc_pattern_whitelist(this_nc_resource, attribute_path, values_formatted[0], values_formatted[1])
+ this_nc := nc[_]
+ msg := format_pattern_whitelist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, final_formatter(object.get(this_nc_resource.values, attribute_path, null), this_nc.value), empty_message(this_nc.value), this_nc.allowed)
+ ]
+}
+
+format_pattern_whitelist_message(friendly_resource_name, 
resource_value_name, attribute_path_string, nc_value, empty, allowed_values) = msg if {
+ msg := sprintf(
+ "%s '%s' has '%s' set to '%s'%s. It should be set to one of: %s",
+ [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, allowed_values]
+ )
+}
diff --git a/scripts/docgen/create_markdown.py b/scripts/docgen/create_markdown.py
index 3b6a96204..8d7af4524 100644
--- a/scripts/docgen/create_markdown.py
+++ b/scripts/docgen/create_markdown.py
@@ -59,7 +59,7 @@ def generate_nested_blocks(args_dict, level=0, resource_name=None):
 for arg, details in args_dict.items():
 if "arguments" in details and details["arguments"]:
 # Create a block header
- md += f"\n### {indent}{arg} Block\n\n"
+ md += f"\n### {indent}{arg} Block\n"
 # Table header
 md += (
 f"{indent}| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |\n"
@@ -94,8 +94,7 @@ def generate_markdown_from_json(resource_json): --- -## Argument Reference - +## Argument Reference """ # 1️⃣ Top-level table
diff --git a/tests/_helpers/README.md b/tests/_helpers/README.md
deleted file mode 100644
index d8907db86..000000000
--- a/tests/_helpers/README.md
+++ /dev/null
@@ -1,175 +0,0 @@ -# Helper Policy Tests - -Unit tests for policy helper functions in `policies/_helpers/`. - -## Quick Start - -```bash -# Run all helper tests -./tests/_helpers/unit_test_helpers.sh - -# Quick integration check -./tests/_helpers/smoke_test_helpers.sh - -# Debug policy output -./tests/_helpers/policy_debug.sh - -# Review violation messages -./tests/_helpers/check_ux.sh -``` - -## Test Files - -| File | Tests | Coverage | -|------|-------|----------| -| `shared_test.rego` | 12 | Shared utilities (get_resource_attribute, format paths, etc.) | -| `blacklist_test.rego` | 10 | Blacklist policy (forbidden values) | -| `whitelist_test.rego` | 10 | Whitelist policy (required values) | -| `range_test.rego` | 8 | Range policy (numeric bounds, simplified) | -| `pattern_blacklist_test.rego` | 8 | Pattern blacklist (glob matching forbidden) | -| `pattern_whitelist_test.rego` | 8 | Pattern whitelist (glob matching required) | -| `element_blacklist_test.rego` | 8 | Element blacklist (array elements with substrings) | - -**Total:** 64 tests covering all 7 helper policies - -## Test Structure - -Each test file follows an 8-test pattern: -- **Unit tests (6):** Test individual helper functions with boundary cases -- **Integration test (1):** Realistic mocks with multiple resources -- **Reality check (1):** Uses real Terraform fixtures - -## Test Scripts - -### unit_test_helpers.sh -Runs all 7 test suites with fixtures. Use for comprehensive validation. - -### smoke_test_helpers.sh -Fast integration tests (5 policies at policy level). Use for quick feedback during development. - -### policy_debug.sh -Shows full policy output with `--format pretty`. Use when debugging failures. - -### check_ux.sh -Displays complete violation objects. Use to review user-facing error messages before merging. - -## Fixtures - -Real Terraform plans wrapped in unique keys to avoid OPA namespace conflicts. - -### Why Wrapper Structure? 
- -OPA loads all JSON files recursively and merges them into a single `data` namespace. When multiple files have identical top-level keys (like `format_version`, `terraform_version`), OPA throws merge conflicts. - -**Solution:** Wrap each Terraform plan in a unique outer key matching the directory name + `_plan` suffix. - -```json -{ - "gcp_storage_bucket_plan": { - "format_version": "1.2", - "terraform_version": "1.12.2", - "planned_values": { ... }, - "resource_changes": [ ... ] - } -} -``` - -### Available Fixtures - -| Fixture | Resource | Used By | Source | -|---------|----------|---------|--------| -| `gcp_storage_bucket_plan` | `google_storage_bucket` | blacklist, whitelist, range tests | `inputs/gcp/cloud_storage/google_storage_bucket/retention_period/` | -| `gcp_project_plan` | `google_project` | pattern blacklist/whitelist tests | `inputs/gcp/cloud_platform_service/google_project/project_id/` | -| `gcp_access_level_plan` | `google_access_context_manager_access_level` | shared tests (deep nesting) | `inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_access_level/device_policy/` | - -**Note:** `gcp_access_level_plan` has 5-level deep nesting, ideal for testing nested attribute extraction. - -### Using Fixtures - -```rego -test_with_fixture if { - plan := data.gcp_storage_bucket_plan # Wrapper key becomes data path - resource := plan.planned_values.root_module.resources[0] - # ... test logic -} -``` - -### Regenerating Fixtures - -When helper functions change or test cases need updates: - -```bash -# 1. Navigate to Terraform configuration -cd inputs/gcp/// - -# 2. Generate plan (if not already exists) -terraform init -terraform plan -out=plan.tfplan - -# 3. Export to JSON and wrap in unique namespace -terraform show -json plan.tfplan > plan.json -jq '{_plan: .}' plan.json > ../../../../tests/_helpers/fixtures//plan.json - -# 4. 
Cleanup -rm plan.json plan.tfplan -``` - -**Examples:** - -```bash -# Storage Bucket -cd inputs/gcp/cloud_storage/google_storage_bucket/retention_period -terraform show -json plan.tfplan > plan.json -jq '{gcp_storage_bucket_plan: .}' plan.json > ../../../../tests/_helpers/fixtures/gcp_storage_bucket/plan.json -rm plan.json - -# Project -cd inputs/gcp/cloud_platform_service/google_project/project_id -terraform show -json plan.tfplan > plan.json -jq '{gcp_project_plan: .}' plan.json > ../../../../tests/_helpers/fixtures/gcp_project/plan.json -rm plan.json - -# Access Level -cd inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_access_level/device_policy -terraform show -json plan.tfplan > plan.json -jq '{gcp_access_level_plan: .}' plan.json > ../../../../tests/_helpers/fixtures/gcp_access_level/plan.json -rm plan.json -``` - -### Creating New Fixtures - -Follow this pattern for new fixtures: - -```bash -# 1. Create fixture directory (name becomes data path prefix) -mkdir tests/_helpers/fixtures/gcp_compute_instance - -# 2. Navigate to relevant Terraform configuration -cd inputs/gcp//google_compute_instance/ - -# 3. Generate Terraform plan -terraform init -terraform plan -out=plan.tfplan -terraform show -json plan.tfplan > plan.json - -# 4. Wrap with unique key matching directory name + _plan -jq '{gcp_compute_instance_plan: .}' plan.json > ../../../../tests/_helpers/fixtures/gcp_compute_instance/plan.json - -# 5. Cleanup -rm plan.json plan.tfplan - -# 6. Access in tests as data.gcp_compute_instance_plan -``` - -**Key requirements:** -- Directory name must match wrapper key prefix (e.g., `gcp_compute_instance/` → `gcp_compute_instance_plan`) -- Always use `jq` to wrap the plan (prevents namespace conflicts) -- Source Terraform configs from `inputs/gcp/` directory - -## Adding New Tests - -1. Create `_test.rego` in `tests/_helpers/` -2. Follow 8-test pattern (6 unit + 1 integration + 1 reality check) -3. 
Use fixtures for reality checks: `data._plan` -4. Update `unit_test_helpers.sh` to include new test file -5. Run tests to verify: `./tests/_helpers/unit_test_helpers.sh` diff --git a/tests/_helpers/blacklist_test.rego b/tests/_helpers/blacklist_test.rego deleted file mode 100644 index a0d9954a7..000000000 --- a/tests/_helpers/blacklist_test.rego +++ /dev/null 
@@ -1,315 +0,0 @@ -package terraform.helpers.policies.blacklist_test - -# Blacklist Policy Test Suite -# -# Tests the blacklist policy module which detects resources with forbidden values. -# Covers scalar values, array OR logic, empty array special case, and message formatting. - -import data.terraform.helpers.policies.blacklist -import data.terraform.helpers.shared -import data.terraform.helpers.shared_test -import rego.v1 - -# ============================================================================== -# UNIT TESTS (6): Test _is_blacklisted helper function -# ============================================================================== - -# Test 1: Scalar value in blacklist (boundary: match) -test_is_blacklisted_scalar_match if { - blacklist._is_blacklisted(["forbidden", "banned"], "forbidden") -} - -# Test 2: Scalar value not in blacklist (boundary: no match) -test_is_blacklisted_scalar_no_match if { - not blacklist._is_blacklisted(["forbidden", "banned"], "allowed") -} - -# Test 3: Array with ANY blacklisted value (OR logic proof) -test_is_blacklisted_array_any_match if { - blacklist._is_blacklisted(["bad", "evil"], ["good", "bad", "ugly"]) -} - -# Test 4: Array with NO blacklisted values (OR logic negative) -test_is_blacklisted_array_no_match if { - not blacklist._is_blacklisted(["bad", "evil"], ["good", "ugly"]) -} - -# Test 5: Empty array blacklisting (critical edge case) -test_is_blacklisted_empty_array if { - blacklist._is_blacklisted([[]], []) -} - -# ============================================================================== -# MOCK DATA PROVENANCE -# ============================================================================== -# Minimal mocks in tests 6-10 are synthetic, designed to test specific logic paths. -# They represent simplified versions of real Terraform resources with controlled -# attributes to validate exact behavior (e.g., single violation, edge cases). 
-# -# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_storage_bucket/plan.json -# Source: inputs/gcp/cloud_storage/google_storage_bucket/retention_period/ -# Purpose: Tests against actual Terraform plan structure with 2 buckets: -# - c123: retention_period=604800 (7 days), location=US, force_destroy=true -# - nc123: retention_period=2692000 (31 days), location=US, force_destroy=true -# ============================================================================== - -# Test 6: get_violations with minimal mock (happy path + structure validation) -test_get_violations_minimal if { - # Minimal mock with blacklisted location - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_storage_bucket", - "values": { - "name": "test-bucket", - "location": "US", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - violations := blacklist.get_violations( - tf_variables, - ["location"], - ["US"], - ) with input as mock_input - - count(violations) == 1 - some v in violations - v.name == "test-bucket" - shared_test._assert_valid_violation(v) - contains(v.message, "test-bucket") # Resource name - contains(v.message, "US") # Violating value - contains(v.message, "blacklisted") # Verdict -} - -# ============================================================================== -# INTEGRATION TEST (1): Realistic structure with edge cases -# ============================================================================== - -# Test 7: get_violations with realistic Terraform structures -test_get_violations_realistic if { - # Realistic mock including edge cases - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - # Normal resource with blacklisted value - { - "type": "google_storage_bucket", - "values": { - "name": "violating-bucket", - "location": "US", - "storage_class": "STANDARD", - }, - }, 
- # Resource with allowed value - { - "type": "google_storage_bucket", - "values": { - "name": "compliant-bucket", - "location": "EU", - "storage_class": "STANDARD", - }, - }, - # Resource with null location (edge case) - { - "type": "google_storage_bucket", - "values": { - "name": "null-bucket", - "location": null, - "storage_class": "STANDARD", - }, - }, - # Different resource type (should be ignored) - { - "type": "google_project", - "values": { - "name": "test-project", - "location": "US", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - violations := blacklist.get_violations( - tf_variables, - ["location"], - ["US"], - ) with input as mock_input - - # Should only flag the violating bucket - count(violations) == 1 - violation_names := {v.name | some v in violations} - violation_names == {"violating-bucket"} - - some v in violations - contains(v.message, "Storage Bucket") - contains(v.message, "location") - contains(v.message, "'US'") -} - -# ============================================================================== -# REALITY CHECK (1): Test with real Terraform plan structure -# ============================================================================== - -# Test 8: get_violations with real Terraform plan -test_real_plan_violations if { - # Use real fixture - gcp_storage_bucket from fixtures - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Test with real data - blacklist a location that might exist - violations := blacklist.get_violations( - tf_variables, - ["location"], - ["US", "EU"], - ) with input as data.gcp_storage_bucket_plan - - is_set(violations) - every v in violations { - shared_test._assert_valid_violation(v) - contains(v.message, "Storage Bucket") - contains(v.message, "location") - } -} - -# 
============================================================================== -# ADDITIONAL TESTS (2): Real-world usage patterns -# ============================================================================== - -# Test 9: Boolean blacklisting (real-world use case - force_destroy) -test_get_violations_boolean_blacklist if { - # Mock matching real policy: force_destroy: true is blacklisted - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_storage_bucket", - "values": { - "name": "unsafe-bucket", - "force_destroy": true, - "location": "US", - }, - }, - { - "type": "google_storage_bucket", - "values": { - "name": "safe-bucket", - "force_destroy": false, - "location": "US", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Blacklist force_destroy: true (actual policy usage pattern) - violations := blacklist.get_violations( - tf_variables, - ["force_destroy"], - [true], - ) with input as mock_input - - # Should only flag unsafe-bucket - count(violations) == 1 - some v in violations - v.name == "unsafe-bucket" - contains(v.message, "force_destroy") - contains(v.message, "true") -} - -# Test 10: Array attribute with OR logic (tests helper's array intersection) -test_get_violations_array_attribute if { - # Mock with array attributes (e.g., labels, tags) - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_storage_bucket", - "values": { - "name": "violating-bucket", - "labels": { - "env": "dev", - "team": "security", - }, - "uniform_bucket_level_access": [ - { - "enabled": false, - "locked": false, - }, - ], - }, - }, - { - "type": "google_storage_bucket", - "values": { - "name": "compliant-bucket", - "labels": { - "env": "prod", - "team": "security", - }, - "uniform_bucket_level_access": [ - { - "enabled": true, - "locked": true, - }, - ], - }, - 
}, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Blacklist specific nested array attribute values (OR logic) - # If uniform_bucket_level_access array contains enabled: false, it violates - violations := blacklist.get_violations( - tf_variables, - ["uniform_bucket_level_access", 0, "enabled"], - [false], - ) with input as mock_input - - # Should flag bucket with enabled: false - count(violations) == 1 - some v in violations - v.name == "violating-bucket" - contains(v.message, "uniform_bucket_level_access") - contains(v.message, "false") -} diff --git a/tests/_helpers/check_ux.sh b/tests/_helpers/check_ux.sh deleted file mode 100755 index 775037ee2..000000000 --- a/tests/_helpers/check_ux.sh +++ /dev/null 
@@ -1,82 +0,0 @@ -#!/bin/bash -# UX Message Review Tool -# Displays actual violation messages to verify they are clear and actionable - -# Navigate to repository root -cd "$(git rev-parse --show-toplevel)" || exit 1 - -echo "🔍 UX Message Review" -echo "======================================" -echo "" - -inspect_policy() { - local name="$1" - local input="$2" - local query="$3" - - - echo "Policy: $name" - echo "======================================" - echo "" - - # Get message and details fields - message=$(opa eval \ - --data ./policies/_helpers \ - --data ./policies/gcp \ - --input "$input" \ - "${query}.message" \ - --format pretty 2>&1) - - details=$(opa eval \ - --data ./policies/_helpers \ - --data ./policies/gcp \ - --input "$input" \ - "${query}.details" \ - --format pretty 2>&1) - - if [ $? -eq 0 ]; then - echo "MESSAGE:" - echo "$message" - echo "" - echo "DETAILS:" - echo "$details" - else - echo "❌ Error evaluating policy:" - echo "$message" - fi - - echo "" - echo "" -} - -# Test all 6 policy types with their violations - -inspect_policy "Blacklist & Element Blacklist (Access Context Manager)" \ - "./inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_service_perimeter/status/plan.json" \ - "data.terraform.gcp.security.access_context_manager_vpc_service_controls.access_context_manager_service_perimeter.status" - -inspect_policy "Whitelist (API Hub Encryption)" \ - "./inputs/gcp/api_hub/google_apihub_api_hub_instance/config_encryption_type/plan.json" \ - "data.terraform.gcp.security.api_hub.google_apihub_api_hub_instance.config_encryption_type" - -inspect_policy "Range (Storage Bucket Retention Period)" \ - "./inputs/gcp/cloud_storage/google_storage_bucket/retention_period/plan.json" \ - "data.terraform.gcp.security.cloud_storage.google_storage_bucket.retention_period" - -inspect_policy "Pattern Blacklist (Storage Default Object ACL)" \ - 
"./inputs/gcp/cloud_storage/google_storage_default_object_acl/public_access_prevention/plan.json" \ - "data.terraform.gcp.security.cloud_storage.google_storage_default_object_acl.public_access_prevention" - -inspect_policy "Pattern Whitelist (Project ID)" \ - "./inputs/gcp/cloud_platform_service/google_project/project_id/plan.json" \ - "data.terraform.gcp.security.cloud_platform_service.google_project.project_id" - -echo "======================================" -echo "✅ Inspection complete" -echo "" -echo "Use this to verify:" -echo " - Violation messages are clear and actionable" -echo " - Resource names are displayed correctly" -echo " - Attribute paths are formatted properly" -echo " - Blacklist/whitelist values are shown" -echo " - Empty values show (EMPTY!) warning" diff --git a/tests/_helpers/element_blacklist_test.rego b/tests/_helpers/element_blacklist_test.rego deleted file mode 100644 index b72255067..000000000 --- a/tests/_helpers/element_blacklist_test.rego +++ /dev/null 
@@ -1,412 +0,0 @@ -package terraform.helpers.policies.element_blacklist_test - -# Element Blacklist Policy Test Suite -# -# Tests the element blacklist policy module which detects array elements containing -# forbidden substring patterns (e.g., wildcards "*" or template variables "${var.*}"). - -import data.terraform.helpers.policies.element_blacklist -import data.terraform.helpers.shared -import data.terraform.helpers.shared_test -import rego.v1 - -# ============================================================================== -# UNIT TESTS (6): Test _get_resources and get_violations with simple mocks -# ============================================================================== - -# Test 1: Single pattern match (wildcard detection) -test_get_resources_single_pattern if { - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_access_context_manager_service_perimeter", - "name": "wildcard-perimeter", - "values": { - "title": "wildcard-perimeter", - "status": [{ - "restricted_services": [ - "*.googleapis.com", - "storage.googleapis.com", - ], - }], - }, - }, - { - "type": "google_access_context_manager_service_perimeter", - "name": "compliant-perimeter", - "values": { - "title": "compliant-perimeter", - "status": [{ - "restricted_services": [ - "storage.googleapis.com", - "bigquery.googleapis.com", - ], - }], - }, - }, - ], - }, - }, - } - - resources := element_blacklist._get_resources( - "google_access_context_manager_service_perimeter", - ["status", 0, "restricted_services"], - ["*"], - ) with input as mock_input - - # Only wildcard-perimeter should match - count(resources) == 1 - some r in resources - r.name == "wildcard-perimeter" -} - -# Test 2: Multiple patterns with OR logic -test_get_resources_multi_pattern_or_logic if { - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_access_context_manager_service_perimeter", - "name": "wildcard-perimeter", - "values": { - 
"title": "wildcard-perimeter", - "status": [{ - "restricted_services": ["*.googleapis.com"], - }], - }, - }, - { - "type": "google_access_context_manager_service_perimeter", - "name": "variable-perimeter", - "values": { - "title": "variable-perimeter", - "status": [{ - "restricted_services": ["${var.service}.googleapis.com"], - }], - }, - }, - { - "type": "google_access_context_manager_service_perimeter", - "name": "compliant-perimeter", - "values": { - "title": "compliant-perimeter", - "status": [{ - "restricted_services": ["storage.googleapis.com"], - }], - }, - }, - ], - }, - }, - } - - resources := element_blacklist._get_resources( - "google_access_context_manager_service_perimeter", - ["status", 0, "restricted_services"], - ["*", "${"], - ) with input as mock_input - - # Both wildcard and variable perimeters should match (OR logic) - count(resources) == 2 - resource_names := {r.name | some r in resources} - resource_names == {"wildcard-perimeter", "variable-perimeter"} -} - -# Test 3: Non-matching pattern returns empty set -test_get_resources_no_match if { - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_access_context_manager_service_perimeter", - "name": "compliant-perimeter", - "values": { - "title": "compliant-perimeter", - "status": [{ - "restricted_services": ["storage.googleapis.com"], - }], - }, - }, - ], - }, - }, - } - - resources := element_blacklist._get_resources( - "google_access_context_manager_service_perimeter", - ["status", 0, "restricted_services"], - ["forbidden-pattern"], - ) with input as mock_input - - count(resources) == 0 -} - -# Test 4: Resource type filter (only matches specified type) -test_get_resources_resource_type_filter if { - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_access_context_manager_service_perimeter", - "name": "wildcard-perimeter", - "values": { - "title": "wildcard-perimeter", - "status": [{ - "restricted_services": 
["*.googleapis.com"], - }], - }, - }, - { - "type": "google_access_context_manager_access_policy", - "name": "different-type", - "values": { - "title": "my-policy", - "services": ["*.googleapis.com"], - }, - }, - ], - }, - }, - } - - resources := element_blacklist._get_resources( - "google_access_context_manager_service_perimeter", - ["status", 0, "restricted_services"], - ["*"], - ) with input as mock_input - - # Only service_perimeter type should match - count(resources) == 1 - some r in resources - r.type == "google_access_context_manager_service_perimeter" -} - -# Test 5: Missing attribute path returns empty set -test_get_resources_missing_attribute if { - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_access_context_manager_service_perimeter", - "name": "perimeter", - "values": { - "title": "perimeter", - }, - }, - ], - }, - }, - } - - resources := element_blacklist._get_resources( - "google_access_context_manager_service_perimeter", - ["nonexistent", 0, "field"], - ["*"], - ) with input as mock_input - - count(resources) == 0 -} - -# Test 6: get_violations minimal mock (structure validation) -test_get_violations_minimal if { - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_access_context_manager_service_perimeter", - "name": "wildcard-perimeter", - "values": { - "title": "wildcard-perimeter", - "status": [{ - "restricted_services": ["*.googleapis.com"], - }], - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_access_context_manager_service_perimeter", - "friendly_resource_name": "Service Perimeter", - "resource_value_name": "title", - } - - violations := element_blacklist.get_violations( - tf_variables, - ["status", 0, "restricted_services"], - ["*"], - ) with input as mock_input - - count(violations) == 1 - some v in violations - v.name == "wildcard-perimeter" - shared_test._assert_valid_violation(v) - contains(v.message, 
"wildcard-perimeter") # Resource name - contains(v.message, "*.googleapis.com") # Violating element - contains(v.message, "[\"*\"]") # Pattern matched -} - -# ============================================================================== -# INTEGRATION TEST (1): Realistic structure with edge cases -# ============================================================================== - -# Test 7: get_violations with realistic multi-resource scenario -test_get_violations_realistic if { - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - # Wildcard violation - { - "type": "google_access_context_manager_service_perimeter", - "name": "wildcard-perimeter", - "values": { - "title": "wildcard-perimeter", - "status": [{ - "restricted_services": [ - "*.googleapis.com", - "storage.googleapis.com", - ], - }], - }, - }, - # Variable template violation - { - "type": "google_access_context_manager_service_perimeter", - "name": "variable-perimeter", - "values": { - "title": "variable-perimeter", - "status": [{ - "restricted_services": [ - "${var.service}.googleapis.com", - "compute.googleapis.com", - ], - }], - }, - }, - # Multiple violations in one resource - { - "type": "google_access_context_manager_service_perimeter", - "name": "multi-violation-perimeter", - "values": { - "title": "multi-violation-perimeter", - "status": [{ - "restricted_services": [ - "*.googleapis.com", - "${var.service}.googleapis.com", - "pubsub.googleapis.com", - ], - }], - }, - }, - # Compliant resource - { - "type": "google_access_context_manager_service_perimeter", - "name": "compliant-perimeter", - "values": { - "title": "compliant-perimeter", - "status": [{ - "restricted_services": [ - "storage.googleapis.com", - "bigquery.googleapis.com", - ], - }], - }, - }, - # Different resource type (should be ignored) - { - "type": "google_access_context_manager_access_policy", - "name": "different-type", - "values": { - "title": "my-policy", - "parent": "organizations/123456789", - }, - }, 
- ], - }, - }, - } - - tf_variables := { - "resource_type": "google_access_context_manager_service_perimeter", - "friendly_resource_name": "Service Perimeter", - "resource_value_name": "title", - } - - violations := element_blacklist.get_violations( - tf_variables, - ["status", 0, "restricted_services"], - ["*", "${"], - ) with input as mock_input - - # Should detect all three violating perimeters - count(violations) == 3 - violation_names := {v.name | some v in violations} - violation_names == {"wildcard-perimeter", "variable-perimeter", "multi-violation-perimeter"} - - every v in violations { - shared_test._assert_valid_violation(v) - contains(v.message, "Service Perimeter") - contains(v.message, "status.[0].restricted_services") - } - - # Verify multi-violation includes both patterns - some v in violations - v.name == "multi-violation-perimeter" - contains(v.message, "*") - contains(v.message, "${") -} - -# ============================================================================== -# REALITY CHECK (1): Test with real Terraform plan structure -# ============================================================================== - -# ============================================================================== -# REALITY CHECK (1): Test with real Terraform plan structure -# ============================================================================== -# ============================================================================ -# FIXTURE PROVENANCE -# ============================================================================ -# Source: inputs/gcp/access_context_manager_vpc_service_controls/ -# access_context_manager_access_level/device_policy/ -# Fixture: tests/_helpers/fixtures/gcp_access_level/plan.json -# Why this fixture: Contains actual array data (regions: ["CH", "IT", "US"]) -# for testing element blacklist on string arrays -# Alternative: gcp_storage_bucket has empty arrays (cors: [], lifecycle_rule: []) -# 
============================================================================ - -# Test 8: get_violations with real Terraform plan (access level fixture) -test_real_plan_violations if { - # Use real fixture with actual array data from access level regions - tf_variables := { - "resource_type": "google_access_context_manager_access_level", - "friendly_resource_name": "Access Level", - "resource_value_name": "title", - } - - # Test regions array for any restricted regions - # Fixture has regions: ["CH", "IT", "US"] in nc resource - violations := element_blacklist.get_violations( - tf_variables, - ["basic", 0, "conditions", 0, "regions"], - ["US", "CN", "RU"], # Blacklist certain countries - ) with input as data.gcp_access_level_plan - - is_set(violations) - every v in violations { - shared_test._assert_valid_violation(v) - contains(v.message, "Access Level") - contains(v.message, "basic") - contains(v.message, "regions") - } -} diff --git a/tests/_helpers/fixtures/gcp_access_level/plan.json b/tests/_helpers/fixtures/gcp_access_level/plan.json deleted file mode 100644 index 4058c9911..000000000 --- a/tests/_helpers/fixtures/gcp_access_level/plan.json +++ /dev/null 
@@ -1,507 +0,0 @@ -{ - "gcp_access_level_plan": { - "format_version": "1.2", - "terraform_version": "1.12.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "google_access_context_manager_access_level.c", - "mode": "managed", - "type": "google_access_context_manager_access_level", - "name": "c", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 0, - "values": { - "basic": [ - { - "combining_function": "AND", - "conditions": [ - { - "device_policy": [ - { - "allowed_device_management_levels": null, - "allowed_encryption_statuses": null, - "os_constraints": [], - "require_admin_approval": null, - "require_corp_owned": null, - "require_screen_lock": true - } - ], - "ip_subnetworks": null, - "members": null, - "negate": null, - "regions": null, - "required_access_levels": null, - "vpc_network_sources": [] - } - ] - } - ], - "custom": [], - "description": null, - "timeouts": null, - "title": "chromeos_no_lock" - }, - "sensitive_values": { - "basic": [ - { - "conditions": [ - { - "device_policy": [ - { - "os_constraints": [] - } - ], - "vpc_network_sources": [] - } - ] - } - ], - "custom": [] - } - }, - { - "address": "google_access_context_manager_access_level.nc", - "mode": "managed", - "type": "google_access_context_manager_access_level", - "name": "nc", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 0, - "values": { - "basic": [ - { - "combining_function": "AND", - "conditions": [ - { - "device_policy": [ - { - "allowed_device_management_levels": null, - "allowed_encryption_statuses": null, - "os_constraints": [ - { - "minimum_version": null, - "os_type": "DESKTOP_CHROME_OS", - "require_verified_chrome_os": null - } - ], - "require_admin_approval": null, - "require_corp_owned": null, - "require_screen_lock": true - } - ], - "ip_subnetworks": null, - "members": null, - "negate": null, - "regions": [ - "CH", - "IT", - "US" - ], - "required_access_levels": null, - 
"vpc_network_sources": [] - } - ] - } - ], - "custom": [], - "description": null, - "timeouts": null, - "title": "chromeos_no_lock" - }, - "sensitive_values": { - "basic": [ - { - "conditions": [ - { - "device_policy": [ - { - "os_constraints": [ - {} - ] - } - ], - "regions": [ - false, - false, - false - ], - "vpc_network_sources": [] - } - ] - } - ], - "custom": [] - } - }, - { - "address": "google_access_context_manager_access_policy.access-policy", - "mode": "managed", - "type": "google_access_context_manager_access_policy", - "name": "access-policy", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 0, - "values": { - "parent": "organizations/123456789", - "scopes": null, - "timeouts": null, - "title": "my policy" - }, - "sensitive_values": {} - } - ] - } - }, - "resource_changes": [ - { - "address": "google_access_context_manager_access_level.c", - "mode": "managed", - "type": "google_access_context_manager_access_level", - "name": "c", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "basic": [ - { - "combining_function": "AND", - "conditions": [ - { - "device_policy": [ - { - "allowed_device_management_levels": null, - "allowed_encryption_statuses": null, - "os_constraints": [], - "require_admin_approval": null, - "require_corp_owned": null, - "require_screen_lock": true - } - ], - "ip_subnetworks": null, - "members": null, - "negate": null, - "regions": null, - "required_access_levels": null, - "vpc_network_sources": [] - } - ] - } - ], - "custom": [], - "description": null, - "timeouts": null, - "title": "chromeos_no_lock" - }, - "after_unknown": { - "basic": [ - { - "conditions": [ - { - "device_policy": [ - { - "os_constraints": [] - } - ], - "vpc_network_sources": [] - } - ] - } - ], - "custom": [], - "id": true, - "name": true, - "parent": true - }, - "before_sensitive": false, - "after_sensitive": { - "basic": [ - { - 
"conditions": [ - { - "device_policy": [ - { - "os_constraints": [] - } - ], - "vpc_network_sources": [] - } - ] - } - ], - "custom": [] - } - } - }, - { - "address": "google_access_context_manager_access_level.nc", - "mode": "managed", - "type": "google_access_context_manager_access_level", - "name": "nc", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "basic": [ - { - "combining_function": "AND", - "conditions": [ - { - "device_policy": [ - { - "allowed_device_management_levels": null, - "allowed_encryption_statuses": null, - "os_constraints": [ - { - "minimum_version": null, - "os_type": "DESKTOP_CHROME_OS", - "require_verified_chrome_os": null - } - ], - "require_admin_approval": null, - "require_corp_owned": null, - "require_screen_lock": true - } - ], - "ip_subnetworks": null, - "members": null, - "negate": null, - "regions": [ - "CH", - "IT", - "US" - ], - "required_access_levels": null, - "vpc_network_sources": [] - } - ] - } - ], - "custom": [], - "description": null, - "timeouts": null, - "title": "chromeos_no_lock" - }, - "after_unknown": { - "basic": [ - { - "conditions": [ - { - "device_policy": [ - { - "os_constraints": [ - {} - ] - } - ], - "regions": [ - false, - false, - false - ], - "vpc_network_sources": [] - } - ] - } - ], - "custom": [], - "id": true, - "name": true, - "parent": true - }, - "before_sensitive": false, - "after_sensitive": { - "basic": [ - { - "conditions": [ - { - "device_policy": [ - { - "os_constraints": [ - {} - ] - } - ], - "regions": [ - false, - false, - false - ], - "vpc_network_sources": [] - } - ] - } - ], - "custom": [] - } - } - }, - { - "address": "google_access_context_manager_access_policy.access-policy", - "mode": "managed", - "type": "google_access_context_manager_access_policy", - "name": "access-policy", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": 
null, - "after": { - "parent": "organizations/123456789", - "scopes": null, - "timeouts": null, - "title": "my policy" - }, - "after_unknown": { - "create_time": true, - "id": true, - "name": true, - "update_time": true - }, - "before_sensitive": false, - "after_sensitive": {} - } - } - ], - "configuration": { - "provider_config": { - "google": { - "name": "google", - "full_name": "registry.terraform.io/hashicorp/google" - } - }, - "root_module": { - "resources": [ - { - "address": "google_access_context_manager_access_level.c", - "mode": "managed", - "type": "google_access_context_manager_access_level", - "name": "c", - "provider_config_key": "google", - "expressions": { - "basic": [ - { - "conditions": [ - { - "device_policy": [ - { - "require_screen_lock": { - "constant_value": true - } - } - ] - } - ] - } - ], - "name": { - "references": [ - "google_access_context_manager_access_policy.access-policy.name", - "google_access_context_manager_access_policy.access-policy" - ] - }, - "parent": { - "references": [ - "google_access_context_manager_access_policy.access-policy.name", - "google_access_context_manager_access_policy.access-policy" - ] - }, - "title": { - "constant_value": "chromeos_no_lock" - } - }, - "schema_version": 0 - }, - { - "address": "google_access_context_manager_access_level.nc", - "mode": "managed", - "type": "google_access_context_manager_access_level", - "name": "nc", - "provider_config_key": "google", - "expressions": { - "basic": [ - { - "conditions": [ - { - "device_policy": [ - { - "os_constraints": [ - { - "os_type": { - "constant_value": "DESKTOP_CHROME_OS" - } - } - ], - "require_screen_lock": { - "constant_value": true - } - } - ], - "regions": { - "constant_value": [ - "CH", - "IT", - "US" - ] - } - } - ] - } - ], - "name": { - "references": [ - "google_access_context_manager_access_policy.access-policy.name", - "google_access_context_manager_access_policy.access-policy" - ] - }, - "parent": { - "references": [ - 
"google_access_context_manager_access_policy.access-policy.name", - "google_access_context_manager_access_policy.access-policy" - ] - }, - "title": { - "constant_value": "chromeos_no_lock" - } - }, - "schema_version": 0 - }, - { - "address": "google_access_context_manager_access_policy.access-policy", - "mode": "managed", - "type": "google_access_context_manager_access_policy", - "name": "access-policy", - "provider_config_key": "google", - "expressions": { - "parent": { - "constant_value": "organizations/123456789" - }, - "title": { - "constant_value": "my policy" - } - }, - "schema_version": 0 - } - ] - } - }, - "relevant_attributes": [ - { - "resource": "google_access_context_manager_access_policy.access-policy", - "attribute": [ - "name" - ] - } - ], - "timestamp": "2025-12-02T04:18:21Z", - "applyable": true, - "complete": true, - "errored": false - } -} diff --git a/tests/_helpers/fixtures/gcp_project/plan.json b/tests/_helpers/fixtures/gcp_project/plan.json deleted file mode 100644 index 5e05dfefd..000000000 --- a/tests/_helpers/fixtures/gcp_project/plan.json +++ /dev/null 
@@ -1,606 +0,0 @@ -{ - "gcp_project_plan": { - "format_version": "1.2", - "terraform_version": "1.12.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "google_project.c123", - "mode": "managed", - "type": "google_project", - "name": "c123", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 1, - "values": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "c123", - "org_id": "123456789", - "project_id": "proj-app-dev", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "sensitive_values": { - "effective_labels": {}, - "terraform_labels": {} - } - }, - { - "address": "google_project.c223", - "mode": "managed", - "type": "google_project", - "name": "c223", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 1, - "values": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "c223", - "org_id": "123456789", - "project_id": "proj-sec-prod", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "sensitive_values": { - "effective_labels": {}, - "terraform_labels": {} - } - }, - { - "address": "google_project.c323", - "mode": "managed", - "type": "google_project", - "name": "c323", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 1, - "values": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "c323", - "org_id": "123456789", - "project_id": "proj-app-prod", - "tags": null, 
- "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "sensitive_values": { - "effective_labels": {}, - "terraform_labels": {} - } - }, - { - "address": "google_project.nc123", - "mode": "managed", - "type": "google_project", - "name": "nc123", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 1, - "values": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "nc123", - "org_id": "123456789", - "project_id": "project-app-dev", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "sensitive_values": { - "effective_labels": {}, - "terraform_labels": {} - } - }, - { - "address": "google_project.nc223", - "mode": "managed", - "type": "google_project", - "name": "nc223", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 1, - "values": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "nc223", - "org_id": "123456789", - "project_id": "proj-ops-staging", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "sensitive_values": { - "effective_labels": {}, - "terraform_labels": {} - } - }, - { - "address": "google_project.nc323", - "mode": "managed", - "type": "google_project", - "name": "nc323", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 1, - "values": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "nc323", - "org_id": "123456789", - "project_id": 
"myproject-prod-01", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "sensitive_values": { - "effective_labels": {}, - "terraform_labels": {} - } - } - ] - } - }, - "resource_changes": [ - { - "address": "google_project.c123", - "mode": "managed", - "type": "google_project", - "name": "c123", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "c123", - "org_id": "123456789", - "project_id": "proj-app-dev", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "after_unknown": { - "effective_labels": {}, - "id": true, - "number": true, - "terraform_labels": {} - }, - "before_sensitive": false, - "after_sensitive": { - "effective_labels": {}, - "terraform_labels": {} - } - } - }, - { - "address": "google_project.c223", - "mode": "managed", - "type": "google_project", - "name": "c223", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "c223", - "org_id": "123456789", - "project_id": "proj-sec-prod", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "after_unknown": { - "effective_labels": {}, - "id": true, - "number": true, - "terraform_labels": {} - }, - "before_sensitive": false, - "after_sensitive": { - "effective_labels": {}, - "terraform_labels": {} - } - } - }, - { - "address": "google_project.c323", - "mode": 
"managed", - "type": "google_project", - "name": "c323", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "c323", - "org_id": "123456789", - "project_id": "proj-app-prod", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "after_unknown": { - "effective_labels": {}, - "id": true, - "number": true, - "terraform_labels": {} - }, - "before_sensitive": false, - "after_sensitive": { - "effective_labels": {}, - "terraform_labels": {} - } - } - }, - { - "address": "google_project.nc123", - "mode": "managed", - "type": "google_project", - "name": "nc123", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "nc123", - "org_id": "123456789", - "project_id": "project-app-dev", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "after_unknown": { - "effective_labels": {}, - "id": true, - "number": true, - "terraform_labels": {} - }, - "before_sensitive": false, - "after_sensitive": { - "effective_labels": {}, - "terraform_labels": {} - } - } - }, - { - "address": "google_project.nc223", - "mode": "managed", - "type": "google_project", - "name": "nc223", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - 
"effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "nc223", - "org_id": "123456789", - "project_id": "proj-ops-staging", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "after_unknown": { - "effective_labels": {}, - "id": true, - "number": true, - "terraform_labels": {} - }, - "before_sensitive": false, - "after_sensitive": { - "effective_labels": {}, - "terraform_labels": {} - } - } - }, - { - "address": "google_project.nc323", - "mode": "managed", - "type": "google_project", - "name": "nc323", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "auto_create_network": false, - "billing_account": null, - "deletion_policy": "PREVENT", - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "folder_id": null, - "labels": null, - "name": "nc323", - "org_id": "123456789", - "project_id": "myproject-prod-01", - "tags": null, - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "after_unknown": { - "effective_labels": {}, - "id": true, - "number": true, - "terraform_labels": {} - }, - "before_sensitive": false, - "after_sensitive": { - "effective_labels": {}, - "terraform_labels": {} - } - } - } - ], - "configuration": { - "provider_config": { - "google": { - "name": "google", - "full_name": "registry.terraform.io/hashicorp/google" - } - }, - "root_module": { - "resources": [ - { - "address": "google_project.c123", - "mode": "managed", - "type": "google_project", - "name": "c123", - "provider_config_key": "google", - "expressions": { - "auto_create_network": { - "constant_value": false - }, - "deletion_policy": { - "constant_value": "PREVENT" - }, - "name": { - "constant_value": "c123" - }, - "org_id": { - "constant_value": "123456789" - }, - "project_id": { - "constant_value": "proj-app-dev" - } - }, - 
"schema_version": 1 - }, - { - "address": "google_project.c223", - "mode": "managed", - "type": "google_project", - "name": "c223", - "provider_config_key": "google", - "expressions": { - "auto_create_network": { - "constant_value": false - }, - "deletion_policy": { - "constant_value": "PREVENT" - }, - "name": { - "constant_value": "c223" - }, - "org_id": { - "constant_value": "123456789" - }, - "project_id": { - "constant_value": "proj-sec-prod" - } - }, - "schema_version": 1 - }, - { - "address": "google_project.c323", - "mode": "managed", - "type": "google_project", - "name": "c323", - "provider_config_key": "google", - "expressions": { - "auto_create_network": { - "constant_value": false - }, - "name": { - "constant_value": "c323" - }, - "org_id": { - "constant_value": "123456789" - }, - "project_id": { - "constant_value": "proj-app-prod" - } - }, - "schema_version": 1 - }, - { - "address": "google_project.nc123", - "mode": "managed", - "type": "google_project", - "name": "nc123", - "provider_config_key": "google", - "expressions": { - "auto_create_network": { - "constant_value": false - }, - "deletion_policy": { - "constant_value": "PREVENT" - }, - "name": { - "constant_value": "nc123" - }, - "org_id": { - "constant_value": "123456789" - }, - "project_id": { - "constant_value": "project-app-dev" - } - }, - "schema_version": 1 - }, - { - "address": "google_project.nc223", - "mode": "managed", - "type": "google_project", - "name": "nc223", - "provider_config_key": "google", - "expressions": { - "auto_create_network": { - "constant_value": false - }, - "deletion_policy": { - "constant_value": "PREVENT" - }, - "name": { - "constant_value": "nc223" - }, - "org_id": { - "constant_value": "123456789" - }, - "project_id": { - "constant_value": "proj-ops-staging" - } - }, - "schema_version": 1 - }, - { - "address": "google_project.nc323", - "mode": "managed", - "type": "google_project", - "name": "nc323", - "provider_config_key": "google", - "expressions": { - 
"auto_create_network": { - "constant_value": false - }, - "name": { - "constant_value": "nc323" - }, - "org_id": { - "constant_value": "123456789" - }, - "project_id": { - "constant_value": "myproject-prod-01" - } - }, - "schema_version": 1 - } - ] - } - }, - "timestamp": "2025-11-27T04:15:45Z", - "applyable": true, - "complete": true, - "errored": false - } -} diff --git a/tests/_helpers/fixtures/gcp_storage_bucket/plan.json b/tests/_helpers/fixtures/gcp_storage_bucket/plan.json deleted file mode 100644 index cdacbc34b..000000000 --- a/tests/_helpers/fixtures/gcp_storage_bucket/plan.json +++ /dev/null 
@@ -1,368 +0,0 @@ -{ - "gcp_storage_bucket_plan": { - "format_version": "1.2", - "terraform_version": "1.12.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "google_storage_bucket.c123", - "mode": "managed", - "type": "google_storage_bucket", - "name": "c123", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 3, - "values": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "default_event_based_hold": null, - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "enable_object_retention": null, - "encryption": [], - "force_destroy": true, - "hierarchical_namespace": [], - "labels": null, - "lifecycle_rule": [], - "location": "US", - "logging": [], - "name": "c123", - "requester_pays": null, - "retention_policy": [ - { - "is_locked": false, - "retention_period": 604800 - } - ], - "storage_class": "STANDARD", - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "sensitive_values": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "effective_labels": {}, - "encryption": [], - "hierarchical_namespace": [], - "lifecycle_rule": [], - "logging": [], - "retention_policy": [ - {} - ], - "soft_delete_policy": [], - "terraform_labels": {}, - "versioning": [], - "website": [] - } - }, - { - "address": "google_storage_bucket.nc123", - "mode": "managed", - "type": "google_storage_bucket", - "name": "nc123", - "provider_name": "registry.terraform.io/hashicorp/google", - "schema_version": 3, - "values": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "default_event_based_hold": null, - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "enable_object_retention": null, - "encryption": [], - "force_destroy": true, - "hierarchical_namespace": [], - "labels": null, - "lifecycle_rule": [], - "location": "US", - "logging": [], - "name": "nc123", - "requester_pays": null, - "retention_policy": [ - 
{ - "is_locked": false, - "retention_period": 2692000 - } - ], - "storage_class": "STANDARD", - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "sensitive_values": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "effective_labels": {}, - "encryption": [], - "hierarchical_namespace": [], - "lifecycle_rule": [], - "logging": [], - "retention_policy": [ - {} - ], - "soft_delete_policy": [], - "terraform_labels": {}, - "versioning": [], - "website": [] - } - } - ] - } - }, - "resource_changes": [ - { - "address": "google_storage_bucket.c123", - "mode": "managed", - "type": "google_storage_bucket", - "name": "c123", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "default_event_based_hold": null, - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "enable_object_retention": null, - "encryption": [], - "force_destroy": true, - "hierarchical_namespace": [], - "labels": null, - "lifecycle_rule": [], - "location": "US", - "logging": [], - "name": "c123", - "requester_pays": null, - "retention_policy": [ - { - "is_locked": false, - "retention_period": 604800 - } - ], - "storage_class": "STANDARD", - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "after_unknown": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "effective_labels": {}, - "encryption": [], - "hierarchical_namespace": [], - "id": true, - "lifecycle_rule": [], - "logging": [], - "project": true, - "project_number": true, - "public_access_prevention": true, - "retention_policy": [ - {} - ], - "rpo": true, - "self_link": true, - "soft_delete_policy": true, - "terraform_labels": {}, - "time_created": true, - "uniform_bucket_level_access": true, - "updated": true, - "url": true, - "versioning": true, - "website": 
true - }, - "before_sensitive": false, - "after_sensitive": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "effective_labels": {}, - "encryption": [], - "hierarchical_namespace": [], - "lifecycle_rule": [], - "logging": [], - "retention_policy": [ - {} - ], - "soft_delete_policy": [], - "terraform_labels": {}, - "versioning": [], - "website": [] - } - } - }, - { - "address": "google_storage_bucket.nc123", - "mode": "managed", - "type": "google_storage_bucket", - "name": "nc123", - "provider_name": "registry.terraform.io/hashicorp/google", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "default_event_based_hold": null, - "effective_labels": { - "goog-terraform-provisioned": "true" - }, - "enable_object_retention": null, - "encryption": [], - "force_destroy": true, - "hierarchical_namespace": [], - "labels": null, - "lifecycle_rule": [], - "location": "US", - "logging": [], - "name": "nc123", - "requester_pays": null, - "retention_policy": [ - { - "is_locked": false, - "retention_period": 2692000 - } - ], - "storage_class": "STANDARD", - "terraform_labels": { - "goog-terraform-provisioned": "true" - }, - "timeouts": null - }, - "after_unknown": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "effective_labels": {}, - "encryption": [], - "hierarchical_namespace": [], - "id": true, - "lifecycle_rule": [], - "logging": [], - "project": true, - "project_number": true, - "public_access_prevention": true, - "retention_policy": [ - {} - ], - "rpo": true, - "self_link": true, - "soft_delete_policy": true, - "terraform_labels": {}, - "time_created": true, - "uniform_bucket_level_access": true, - "updated": true, - "url": true, - "versioning": true, - "website": true - }, - "before_sensitive": false, - "after_sensitive": { - "autoclass": [], - "cors": [], - "custom_placement_config": [], - "effective_labels": {}, - "encryption": [], - 
"hierarchical_namespace": [], - "lifecycle_rule": [], - "logging": [], - "retention_policy": [ - {} - ], - "soft_delete_policy": [], - "terraform_labels": {}, - "versioning": [], - "website": [] - } - } - } - ], - "configuration": { - "provider_config": { - "google": { - "name": "google", - "full_name": "registry.terraform.io/hashicorp/google" - } - }, - "root_module": { - "resources": [ - { - "address": "google_storage_bucket.c123", - "mode": "managed", - "type": "google_storage_bucket", - "name": "c123", - "provider_config_key": "google", - "expressions": { - "force_destroy": { - "constant_value": true - }, - "location": { - "constant_value": "US" - }, - "name": { - "constant_value": "c123" - }, - "retention_policy": [ - { - "retention_period": { - "constant_value": 604800 - } - } - ] - }, - "schema_version": 3 - }, - { - "address": "google_storage_bucket.nc123", - "mode": "managed", - "type": "google_storage_bucket", - "name": "nc123", - "provider_config_key": "google", - "expressions": { - "force_destroy": { - "constant_value": true - }, - "location": { - "constant_value": "US" - }, - "name": { - "constant_value": "nc123" - }, - "retention_policy": [ - { - "retention_period": { - "constant_value": 2692000 - } - } - ] - }, - "schema_version": 3 - } - ] - } - }, - "timestamp": "2025-11-27T02:50:59Z", - "applyable": true, - "complete": true, - "errored": false - } -} diff --git a/tests/_helpers/pattern_blacklist_test.rego b/tests/_helpers/pattern_blacklist_test.rego deleted file mode 100644 index 98b1b5c71..000000000 --- a/tests/_helpers/pattern_blacklist_test.rego +++ /dev/null 
@@ -1,430 +0,0 @@ -package terraform.helpers.policies.pattern_blacklist_test - -# Pattern Blacklist Policy Test Suite -# -# Tests the pattern blacklist policy module which detects resources where -# wildcard-extracted substrings match forbidden patterns. -# Uses target patterns with * wildcards to extract values, then checks against -# position-specific blacklists. - -import data.terraform.helpers.policies.pattern_blacklist -import data.terraform.helpers.shared -import data.terraform.helpers.shared_test -import rego.v1 - -# ============================================================================== -# UNIT TESTS (6): Test pattern matching logic -# ============================================================================== - -# Test 1: Exact match in blacklist (boundary: match) -test_matches_blacklist_exact_match if { - pattern_blacklist._matches_blacklist(["forbidden", "banned"], "forbidden") -} - -# Test 2: No match in blacklist (boundary: no match) -test_matches_blacklist_no_match if { - not pattern_blacklist._matches_blacklist(["forbidden", "banned"], "allowed") -} - -# Test 3: Single wildcard pattern match -test_get_blacklist_single_wildcard_match if { - # Mock resource with hierarchical pattern - mock_resource := { - "type": "google_project", - "values": { - "name": "test-project", - "parent": "projects/test-project/locations/us-east1", - }, - } - - # Target pattern with 2 wildcards - target := "projects/*/locations/*" - # Blacklist patterns: first position ["test-project"], second position ["us-east1"] - patterns := [["test-project"], ["us-east1"]] - - blacklist := pattern_blacklist._get_blacklist(mock_resource, ["parent"], target, patterns) - - # Should find 2 matches (both positions blacklisted) - count(blacklist) == 2 - - # Verify both positions are flagged - values := {b.value | some b in blacklist} - values == {"test-project", "us-east1"} -} - -# Test 4: Single wildcard pattern no match -test_get_blacklist_single_wildcard_no_match if { - # Mock 
resource with different values - mock_resource := { - "type": "google_project", - "values": { - "name": "prod-project", - "parent": "projects/prod-project/locations/us-central1", - }, - } - - target := "projects/*/locations/*" - patterns := [["test-project"], ["us-east1"]] - - blacklist := pattern_blacklist._get_blacklist(mock_resource, ["parent"], target, patterns) - - # Should find no matches - count(blacklist) == 0 -} - -# Test 5: Multiple patterns with OR logic within position -test_get_blacklist_multiple_patterns_or_logic if { - # Mock with value matching one of multiple patterns at a position - mock_resource := { - "type": "google_project", - "values": { - "name": "dev-project", - "parent": "projects/dev-project/locations/us-east1", - }, - } - - target := "projects/*/locations/*" - # First position: ["test-project", "dev-project"] (OR logic - full extracted strings) - # Second position: ["us-east1"] - patterns := [["test-project", "dev-project"], ["us-east1"]] - - blacklist := pattern_blacklist._get_blacklist(mock_resource, ["parent"], target, patterns) - - # Should match both positions (dev-project matches first, us-east1 matches second) - count(blacklist) == 2 - values := {b.value | some b in blacklist} - values == {"dev-project", "us-east1"} -} - -# ============================================================================== -# MOCK DATA PROVENANCE -# ============================================================================== -# Minimal mocks in tests 6-7 are synthetic, designed to test specific logic paths. -# They represent simplified hierarchical patterns (organizations/*/folders/*). 
-# -# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_project/plan.json -# Source: inputs/gcp/cloud_platform_service/google_project/project_id/ -# Purpose: Tests pattern extraction on actual project_id values: -# - c123: project_id="proj-app-dev" (pattern: proj-*-*) -# - c223: project_id="proj-sec-prod" (pattern: proj-*-*) -# ============================================================================== - -# Test 6: get_violations with minimal mock -test_get_violations_minimal if { - # Minimal mock with blacklisted pattern - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_project", - "values": { - "name": "test-project", - "parent": "organizations/123456/folders/test-folder", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Blacklist pattern: organizations/*/folders/* where folder is "test-folder" - violations := pattern_blacklist.get_violations( - tf_variables, - ["parent"], - ["organizations/*/folders/*", [[], ["test-folder"]]], - ) with input as mock_input - - # Property: Returns a set with no duplicate resource names - shared_test._assert_unique_violations(violations) - count(violations) == 1 - - some v in violations - v.name == "test-project" - shared_test._assert_valid_violation(v) - contains(v.message, "test-project") # Resource name - contains(v.message, "'test-folder'") # Violating value - contains(v.message, "blacklisted") # Verdict -} - -# ============================================================================== -# INTEGRATION TEST (1): Complex wildcard patterns -# ============================================================================== - -# Test 7: get_violations with realistic complex patterns -test_get_violations_realistic if { - # Realistic mock with multiple wildcards and edge cases - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - # 
Resource with blacklisted pattern at one position - { - "type": "google_project", - "values": { - "name": "violating-project", - "parent": "organizations/12345/folders/dev-folder", - }, - }, - # Resource with multiple blacklisted positions (CRITICAL TEST CASE) - { - "type": "google_project", - "values": { - "name": "multi-fail-project", - "parent": "organizations/bad-org/folders/dev-folder", - }, - }, - # Resource with compliant pattern - { - "type": "google_project", - "values": { - "name": "compliant-project", - "parent": "organizations/12345/folders/prod-folder", - }, - }, - # Resource with null parent (edge case) - { - "type": "google_project", - "values": { - "name": "null-project", - "parent": null, - }, - }, - # Different resource type (should be ignored) - { - "type": "google_storage_bucket", - "values": { - "name": "test-bucket", - "parent": "organizations/12345/folders/dev-folder", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Pattern with 2 wildcards: organizations/*/folders/* - # Blacklist: org "bad-org" and folder "dev-folder" - violations := pattern_blacklist.get_violations( - tf_variables, - ["parent"], - ["organizations/*/folders/*", [["bad-org"], ["dev-folder"]]], - ) with input as mock_input - - # Property: Returns a set with no duplicate resource names - shared_test._assert_unique_violations(violations) - - # Should flag 2 projects: violating-project (single position) and multi-fail-project (both positions) - count(violations) == 2 - violation_name_set := {v.name | some v in violations} - violation_name_set == {"violating-project", "multi-fail-project"} - - every violation in violations { - is_string(violation.name) - is_string(violation.message) - violation.name != "" - violation.message != "" - contains(violation.message, "Project") - contains(violation.message, "parent") - contains(violation.message, "blacklisted") - } - 
- # Verify single-failure message - some single_violation in violations - single_violation.name == "violating-project" - contains(single_violation.message, "'dev-folder'") - - # Verify multi-failure message mentions multiple positions - some multi_violation in violations - multi_violation.name == "multi-fail-project" - # Message should indicate multiple blacklist matches - contains(multi_violation.message, "Multiple positions matched blacklist") -} - -# ============================================================================== -# REALITY CHECK (1): Test with real Terraform plan structure -# ============================================================================== - -# Test 8: get_violations with real Terraform plan -test_get_violations_with_real_terraform_plan if { - # Use real fixture - gcp_project from fixtures - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Test with real data - blacklist a pattern that might exist - # If project has parent with hierarchical structure - violations := pattern_blacklist.get_violations( - tf_variables, - ["parent"], - ["organizations/*/folders/*", [[], ["test", "dev", "staging"]]], - ) with input as data.gcp_project_plan - - # Property: Returns a set with no duplicate resource names - shared_test._assert_unique_violations(violations) - - every v in violations { - shared_test._assert_valid_violation(v) - contains(v.message, "Project") - contains(v.message, "blacklisted") - } -} - -# ============================================================================== -# CRITICAL TESTS (2): Multiple failures and functional purity -# ============================================================================== - -# Test 9: Multiple position failures per resource (THE BUG THAT WAS MISSED) -test_get_violations_multiple_failures_per_resource if { - # This test validates the fix for eval_conflict_error - # When a resource matches multiple 
blacklist positions, _build_violation must - # return exactly ONE violation object (not multiple) - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - # Resource matching ALL 3 blacklisted positions - { - "type": "google_project", - "values": { - "name": "bad-project", - "project_id": "test-dev-staging", - }, - }, - # Resource matching 2 blacklisted positions - { - "type": "google_project", - "values": { - "name": "partial-bad", - "project_id": "test-dev-prod", - }, - }, - # Compliant resource - { - "type": "google_project", - "values": { - "name": "good-project", - "project_id": "proj-app-prod", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Pattern: *-*-* with blacklist on all positions - violations := pattern_blacklist.get_violations( - tf_variables, - ["project_id"], - ["*-*-*", [["test"], ["dev"], ["staging"]]], - ) with input as mock_input - - # Property: Returns a set with no duplicate resource names - shared_test._assert_unique_violations(violations) - - # CRITICAL: Must return exactly 1 violation per resource (not 3 for bad-project) - count(violations) == 2 - - some v1 in violations - v1.name == "bad-project" - is_string(v1.message) - # Message must mention multiple blacklist matches - contains(v1.message, "Multiple positions matched blacklist") - - some v2 in violations - v2.name == "partial-bad" - is_string(v2.message) -} - -# Test 10: Functional purity - _build_violation returns single output -test_build_violation_functional_purity if { - # This test ensures _build_violation never produces multiple outputs - # for the same inputs (Rego functional semantics requirement) - mock_resource := { - "type": "google_project", - "values": { - "name": "test-project", - "project_id": "bad-bad-bad", - }, - } - - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - 
"resource_value_name": "name", - } - - # Call _build_violation with resource that matches all 3 blacklist positions - # This would have caused eval_conflict_error before the fix - violation := pattern_blacklist._build_violation( - tf_variables, - ["project_id"], - ["*-*-*", [["bad"], ["bad"], ["bad"]]], - mock_resource, - ) - - # Must return exactly ONE violation object - is_object(violation) - violation.name == "test-project" - is_string(violation.message) - violation.message != "" - - # Verify deterministic behavior - calling twice yields same result - violation2 := pattern_blacklist._build_violation( - tf_variables, - ["project_id"], - ["*-*-*", [["bad"], ["bad"], ["bad"]]], - mock_resource, - ) - violation == violation2 -} - -# Test 11: Utilize fixture attribute - project_id pattern from project -test_project_id_fixture if { - # Test using actual project_id patterns from gcp_project_plan - # Blacklist production projects matching pattern "proj-*-prod" - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Pattern "proj-*-prod" extracts middle segment - # Blacklist middle segments: "sec" and "app" - # Should match: proj-sec-prod (c223), proj-app-prod (c323) - violations := pattern_blacklist.get_violations( - tf_variables, - ["project_id"], - ["proj-*-prod", [["sec", "app"]]], - ) with input as data.gcp_project_plan - - # c223 has project_id "proj-sec-prod" and c323 has "proj-app-prod" - count(violations) == 2 - violation_names := {v.name | some v in violations} - violation_names == {"c223", "c323"} - - every v in violations { - contains(v.message, "project_id") - contains(v.message, "prod") - } -} diff --git a/tests/_helpers/pattern_whitelist_test.rego b/tests/_helpers/pattern_whitelist_test.rego deleted file mode 100644 index 9a4c952a2..000000000 --- a/tests/_helpers/pattern_whitelist_test.rego +++ /dev/null 
@@ -1,428 +0,0 @@ -package terraform.helpers.policies.pattern_whitelist_test - -# Pattern Whitelist Policy Test Suite -# -# Tests the pattern whitelist policy module which detects resources where -# wildcard-extracted substrings DON'T match allowed patterns. -# Uses target patterns with * wildcards to extract values, then validates each -# against position-specific whitelists (inverted logic from blacklist). - -import data.terraform.helpers.policies.pattern_whitelist -import data.terraform.helpers.shared -import data.terraform.helpers.shared_test -import rego.v1 - -# ============================================================================== -# UNIT TESTS (6): Test pattern matching logic -# ============================================================================== - -# Test 1: Exact match in whitelist (boundary: match - should pass) -test_matches_whitelist_exact_match if { - pattern_whitelist._matches_whitelist(["allowed", "permitted"], "allowed") -} - -# Test 2: No match in whitelist (boundary: no match - should fail) -test_matches_whitelist_no_match if { - not pattern_whitelist._matches_whitelist(["allowed", "permitted"], "forbidden") -} - -# Test 3: Single wildcard pattern - all positions whitelisted (no violation) -test_get_whitelist_single_wildcard_all_match if { - # Mock resource with values matching whitelist - mock_resource := { - "type": "google_project", - "values": { - "name": "prod-project", - "parent": "projects/prod-project/locations/us-central1", - }, - } - - # Target pattern with 2 wildcards - target := "projects/*/locations/*" - # Whitelist patterns: first position ["prod-project"], second position ["us-central1"] - patterns := [["prod-project"], ["us-central1"]] - - whitelist := pattern_whitelist._get_whitelist(mock_resource, ["parent"], target, patterns) - - # Should find 0 violations (all positions whitelisted) - count(whitelist) == 0 -} - -# Test 4: Single wildcard pattern - one position not whitelisted (violation) 
-test_get_whitelist_single_wildcard_violation if { - # Mock resource with non-whitelisted value - mock_resource := { - "type": "google_project", - "values": { - "name": "test-project", - "parent": "projects/test-project/locations/us-east1", - }, - } - - target := "projects/*/locations/*" - patterns := [["prod-project"], ["us-central1"]] - - whitelist := pattern_whitelist._get_whitelist(mock_resource, ["parent"], target, patterns) - - # Should find 2 violations (both positions not whitelisted) - count(whitelist) == 2 - values := {w.value | some w in whitelist} - values == {"test-project", "us-east1"} -} - -# Test 5: Multiple patterns with OR logic within position -test_get_whitelist_multiple_patterns_or_logic if { - # Mock with value matching one of multiple allowed patterns at a position - mock_resource := { - "type": "google_project", - "values": { - "name": "staging-project", - "parent": "projects/staging-project/locations/us-central1", - }, - } - - target := "projects/*/locations/*" - # First position: ["prod-project", "staging-project"] (OR logic) - # Second position: ["us-central1"] - patterns := [["prod-project", "staging-project"], ["us-central1"]] - - whitelist := pattern_whitelist._get_whitelist(mock_resource, ["parent"], target, patterns) - - # Should match both positions (staging-project matches first, us-central1 matches second) - # No violations - count(whitelist) == 0 -} - -# ============================================================================== -# MOCK DATA PROVENANCE -# ============================================================================== -# Minimal mocks in tests 6-7 are synthetic, designed to test specific logic paths. -# They represent simplified hierarchical patterns (folders/*/projects/*). 
-# -# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_project/plan.json -# Source: inputs/gcp/cloud_platform_service/google_project/project_id/ -# Purpose: Tests pattern validation on actual project_id values (see pattern_blacklist_test.rego) -# ============================================================================== - -# Test 6: get_violations with minimal mock -test_get_violations_minimal if { - # Minimal mock with non-whitelisted pattern - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_project", - "values": { - "name": "dev-project", - "parent": "folders/dev-folder/projects/test-app", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Whitelist pattern: folders/*/projects/* where project is "prod-app" only - # First wildcard (folder) allows any value, second (project) restricted - violations := pattern_whitelist.get_violations( - tf_variables, - ["parent"], - ["folders/*/projects/*", [["dev-folder", "prod-folder"], ["prod-app"]]], - ) with input as mock_input - - # Property: Returns a set with no duplicate resource names - shared_test._assert_unique_violations(violations) - count(violations) == 1 - - # Verify violation structure (violates because project is "test-app" not "prod-app") - some v in violations - v.name == "dev-project" - shared_test._assert_valid_violation(v) - contains(v.message, "dev-project") # Resource name - contains(v.message, "'test-app'") # Violating value - contains(v.message, "should be set to one of") # Verdict -} - -# ============================================================================== -# INTEGRATION TEST (1): Complex whitelist patterns -# ============================================================================== - -# Test 7: get_violations with realistic complex patterns -test_get_violations_realistic if { - # Realistic mock with multiple 
wildcards and edge cases - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - # Resource with non-whitelisted pattern (single position fails) - { - "type": "google_project", - "values": { - "name": "violating-project", - "parent": "organizations/12345/folders/dev-folder", - }, - }, - # Resource with multiple position failures (CRITICAL TEST CASE) - { - "type": "google_project", - "values": { - "name": "multi-fail-project", - "parent": "organizations/99999/folders/test-folder", - }, - }, - # Resource with whitelisted pattern - { - "type": "google_project", - "values": { - "name": "compliant-project", - "parent": "organizations/12345/folders/prod-folder", - }, - }, - # Resource with null parent (edge case) - { - "type": "google_project", - "values": { - "name": "null-project", - "parent": null, - }, - }, - # Different resource type (should be ignored) - { - "type": "google_storage_bucket", - "values": { - "name": "test-bucket", - "parent": "organizations/12345/folders/dev-folder", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Pattern with 2 wildcards: organizations/*/folders/* - # Whitelist both positions to ensure only one violation per resource - # First position (org): allow "12345", second position (folder): ["prod-folder", "staging-folder"] - violations := pattern_whitelist.get_violations( - tf_variables, - ["parent"], - ["organizations/*/folders/*", [["12345"], ["prod-folder", "staging-folder"]]], - ) with input as mock_input - - # Property: Returns a set with no duplicate resource names - shared_test._assert_unique_violations(violations) - - # Should flag 2 projects: violating-project (single position) and multi-fail-project (both positions) - count(violations) == 2 - violation_name_set := {v.name | some v in violations} - violation_name_set == {"violating-project", "multi-fail-project"} - - every violation in 
violations { - shared_test._assert_valid_violation(violation) - contains(violation.message, "Project") - contains(violation.message, "parent") - } - - # Verify single-failure message - some single_violation in violations - single_violation.name == "violating-project" - contains(single_violation.message, "should be set to one of") - contains(single_violation.message, "'dev-folder'") - - # Verify multi-failure message mentions multiple positions - some multi_violation in violations - multi_violation.name == "multi-fail-project" - # Message should indicate multiple positions failed - contains(multi_violation.message, "Multiple positions failed") -} - -# ============================================================================== -# CRITICAL TESTS (2): Multiple failures and functional purity -# ============================================================================== - -# Test 9: Multiple position failures per resource (THE BUG THAT WAS MISSED) -test_get_violations_multiple_failures_per_resource if { - # This test validates the fix for eval_conflict_error - # When a resource fails multiple pattern positions, _build_violation must - # return exactly ONE violation object (not multiple) - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - # Resource failing ALL 3 positions - { - "type": "google_project", - "values": { - "name": "bad-project", - "project_id": "bad-wrong-invalid", - }, - }, - # Resource failing 2 positions - { - "type": "google_project", - "values": { - "name": "partial-bad", - "project_id": "proj-bad-bad", - }, - }, - # Compliant resource - { - "type": "google_project", - "values": { - "name": "good-project", - "project_id": "proj-app-dev", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Pattern: *-*-* with strict whitelist (most resources will fail) - violations := pattern_whitelist.get_violations( - 
tf_variables, - ["project_id"], - ["*-*-*", [["proj"], ["app", "sec"], ["dev", "prod"]]], - ) with input as mock_input - - # Property: Returns a set with no duplicate resource names - shared_test._assert_unique_violations(violations) - - # CRITICAL: Must return exactly 1 violation per resource (not 3 for bad-project) - count(violations) == 2 - - # Verify structure of resource with 3 position failures - some v1 in violations - v1.name == "bad-project" - is_string(v1.message) - # Message must mention multiple failures - contains(v1.message, "Multiple positions failed") - - # Verify structure of resource with 2 position failures - some v2 in violations - v2.name == "partial-bad" - is_string(v2.message) -} - -# Test 10: Functional purity - _build_violation returns single output -test_build_violation_functional_purity if { - # This test ensures _build_violation never produces multiple outputs - # for the same inputs (Rego functional semantics requirement) - mock_resource := { - "type": "google_project", - "values": { - "name": "test-project", - "project_id": "fail-fail-fail", - }, - } - - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Call _build_violation with resource that fails all 3 positions - # This would have caused eval_conflict_error before the fix - violation := pattern_whitelist._build_violation( - tf_variables, - ["project_id"], - ["*-*-*", [["good"], ["good"], ["good"]]], - mock_resource, - ) - - # Must return exactly ONE violation object - is_object(violation) - violation.name == "test-project" - is_string(violation.message) - violation.message != "" - - # Verify deterministic behavior - calling twice yields same result - violation2 := pattern_whitelist._build_violation( - tf_variables, - ["project_id"], - ["*-*-*", [["good"], ["good"], ["good"]]], - mock_resource, - ) - violation == violation2 -} - -# 
============================================================================== -# REALITY CHECK (1): Test with real Terraform plan structure -# ============================================================================== - -# Test 8: get_violations with real Terraform plan -test_get_violations_with_real_terraform_plan if { - # Use real fixture - gcp_project from fixtures - tf_variables := { - "resource_type": "google_project", - "friendly_resource_name": "Project", - "resource_value_name": "name", - } - - # Test with real data - whitelist specific patterns - # If project has parent with hierarchical structure - violations := pattern_whitelist.get_violations( - tf_variables, - ["parent"], - ["organizations/*/folders/*", [[], ["prod", "production", "main"]]], - ) with input as data.gcp_project_plan - - # Property: Returns a set with no duplicate resource names - shared_test._assert_unique_violations(violations) - - # Verify no crashes and proper structure - every v in violations { - shared_test._assert_valid_violation(v) - contains(v.message, "Project") - contains(v.message, "should be set to one of") - } -} - -# Test 11: Utilize fixture attribute - project_id pattern from project -test_project_id_fixture if { - # Test using actual project_id patterns from gcp_project_plan - # Whitelist only dev projects with allowed teams - tf_variables := { - "resource_type": "google_project", - "resource_value_name": "name", - "friendly_resource_name": "Project", - } - - # Pattern "proj-*-*" matches: proj-app-dev, proj-sec-prod, proj-app-prod, proj-ops-staging - # Whitelist: first position can be "app", second position can be "dev" - # Only proj-app-dev (c123) matches both → compliant - # Violations: c223 (proj-sec-prod), c323 (proj-app-prod), nc223 (proj-ops-staging) - violations := pattern_whitelist.get_violations( - tf_variables, - ["project_id"], - ["proj-*-*", [["app"], ["dev"]]], - ) with input as data.gcp_project_plan - - # 3 projects match pattern but don't meet 
whitelist criteria - count(violations) == 3 - violation_names := {v.name | some v in violations} - violation_names == {"c223", "c323", "nc223"} - - every v in violations { - contains(v.message, "project_id") - } -} diff --git a/tests/_helpers/policy_debug.sh b/tests/_helpers/policy_debug.sh deleted file mode 100755 index 5d564e979..000000000 --- a/tests/_helpers/policy_debug.sh +++ /dev/null 
@@ -1,136 +0,0 @@ -#!/bin/bash -# Policy Debug Tool -# Shows full policy output for debugging and validation - -# Navigate to repository root -cd "$(git rev-parse --show-toplevel)" || exit 1 - -SUCCESS=0 -ERRORS=0 - -test_policy() { - local name="$1" - local input="$2" - local query="$3" - - echo "" - echo "Testing: $name" - echo "========================================" - - # Check if input file exists - if [[ ! -f "$input" ]]; then - echo "❌ ERROR: Input file not found" - echo " Path: $input" - ((ERRORS++)) - return - fi - - # Capture output and exit code - local output - local exit_code - output=$(opa eval \ - --data ./policies/_helpers \ - --data ./policies/gcp \ - --input "$input" \ - "$query" \ - --format raw 2>&1) - exit_code=$? - - # Check for errors - if [[ $exit_code -ne 0 ]]; then - echo "❌ ERROR: Policy evaluation failed" - echo "$output" - ((ERRORS++)) - return - fi - - # Parse and format the JSON output - if echo "$output" | jq -e . >/dev/null 2>&1; then - local header - local situations - - # Extract header (first element) - header=$(echo "$output" | jq -r '.[0] // empty') - - if [[ -z "$header" ]]; then - echo "❌ ERROR: Unexpected output format" - echo "$output" - ((ERRORS++)) - return - fi - - echo "$header" - - # Check if there are violations (array length > 1) - local violations_count - violations_count=$(echo "$output" | jq 'length - 1') - - if [[ $violations_count -eq 0 ]]; then - echo "Policy executed: All resources compliant" - ((SUCCESS++)) - else - echo "Policy executed: Found $violations_count violation(s)" - ((SUCCESS++)) - echo "" - - # Format each situation - echo "$output" | jq -r ' - .[] | - select(type == "array") | - to_entries | - map( - if .key == 0 then - " " + .value - else - " " + .value - end - ) | - join("\n") - ' - fi - else - # Handle non-JSON output (like "undefined") - if [[ "$output" == "undefined" ]]; then - echo "❌ ERROR: Query returned undefined (likely wrong query path)" - ((ERRORS++)) - else - echo "Output: 
$output" - ((SUCCESS++)) - fi - fi - - echo "" -} - -echo "Policy Debug Output" -echo "======================================" - -test_policy "Blacklist & Element Blacklist" \ - "./inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_service_perimeter/status/plan.json" \ - "data.terraform.gcp.security.access_context_manager_vpc_service_controls.access_context_manager_service_perimeter.status.message" - -test_policy "Whitelist" \ - "./inputs/gcp/api_hub/google_apihub_api_hub_instance/config_encryption_type/plan.json" \ - "data.terraform.gcp.security.api_hub.google_apihub_api_hub_instance.config_encryption_type.message" - -test_policy "Range" \ - "./inputs/gcp/cloud_storage/google_storage_bucket/retention_period/plan.json" \ - "data.terraform.gcp.security.cloud_storage.google_storage_bucket.retention_period.message" - -test_policy "Pattern Blacklist" \ - "./inputs/gcp/cloud_storage/google_storage_default_object_acl/public_access_prevention/plan.json" \ - "data.terraform.gcp.security.cloud_storage.google_storage_default_object_acl.public_access_prevention.message" - -test_policy "Pattern Whitelist" \ - "./inputs/gcp/cloud_platform_service/google_project/project_id/plan.json" \ - "data.terraform.gcp.security.cloud_platform_service.google_project.project_id.message" - -echo "" -echo "======================================" -echo "Summary" -echo "======================================" -echo "✅ Successful: $SUCCESS" -echo "❌ Errors: $ERRORS" -echo "======================================" - -exit $ERRORS diff --git a/tests/_helpers/range_test.rego b/tests/_helpers/range_test.rego deleted file mode 100644 index 8d80b3fa0..000000000 --- a/tests/_helpers/range_test.rego +++ /dev/null 
@@ -1,234 +0,0 @@ -package terraform.helpers.policies.range_test - -# Range Policy Test Suite -# -# Tests the range policy module which validates numeric attributes fall within bounds. -# Covers boundary values and numeric edge cases. Both bounds are required. - -import data.terraform.helpers.policies.range -import data.terraform.helpers.shared -import data.terraform.helpers.shared_test -import rego.v1 - -# ============================================================================== -# UNIT TESTS (6): Test _test_value_range helper function -# ============================================================================== - -# Test 1: Value within range (happy path) -test_value_range_within if { - range._test_value_range(50, 10, 100) -} - -# Test 2: Value below range (boundary: below) -test_value_range_below if { - not range._test_value_range(5, 10, 100) -} - -# Test 3: Value above range (boundary: above) -test_value_range_above if { - not range._test_value_range(150, 10, 100) -} - -# Test 4: Value at lower boundary (boundary: exact min) -test_value_range_lower_boundary if { - range._test_value_range(10, 10, 100) -} - -# Test 5: Value at upper boundary (boundary: exact max) -test_value_range_upper_boundary if { - range._test_value_range(100, 10, 100) -} - -# ============================================================================== -# MOCK DATA PROVENANCE -# ============================================================================== -# Minimal mocks in tests 6-7 are synthetic, designed to test specific logic paths. -# They represent simplified versions of real Terraform resources with controlled -# numeric values to validate boundary conditions. 
-# -# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_storage_bucket/plan.json -# Source: inputs/gcp/cloud_storage/google_storage_bucket/retention_period/ -# Purpose: Tests numeric range validation on actual retention_period values: -# - c123: retention_period=604800 (7 days in seconds) -# - nc123: retention_period=2692000 (31 days in seconds) -# ============================================================================== - -# Test 6: get_violations with minimal mock (violation + compliant) -test_get_violations_minimal if { - # Mock with resources in and out of range - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_storage_bucket", - "values": { - "name": "compliant-bucket", - "retention_policy": [ - { - "retention_period": 90, - }, - ], - }, - }, - { - "type": "google_storage_bucket", - "values": { - "name": "violating-bucket", - "retention_policy": [ - { - "retention_period": 400, - }, - ], - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Range: [30, 365] days - violations := range.get_violations( - tf_variables, - ["retention_policy", 0, "retention_period"], - [30, 365], - ) with input as mock_input - - count(violations) == 1 - some v in violations - v.name == "violating-bucket" - shared_test._assert_valid_violation(v) - contains(v.message, "violating-bucket") # Resource name - contains(v.message, "400") # Violating value - contains(v.message, "must be between") # Verdict -} - -# ============================================================================== -# INTEGRATION TEST (1): Numeric edge cases -# ============================================================================== - -# Test 7: get_violations with realistic numeric edge cases -test_get_violations_realistic if { - # Realistic mock with various numeric edge cases - mock_input := { - "planned_values": { - 
"root_module": { - "resources": [ - # Resource with value in range - { - "type": "google_storage_bucket", - "values": { - "name": "compliant-bucket", - "lifecycle_rule": [ - { - "action": [{"type": "Delete"}], - "condition": [{"age": 30}], - }, - ], - }, - }, - # Resource with value below range - { - "type": "google_storage_bucket", - "values": { - "name": "below-bucket", - "lifecycle_rule": [ - { - "action": [{"type": "Delete"}], - "condition": [{"age": -10}], - }, - ], - }, - }, - # Resource with large value (out of range) - { - "type": "google_storage_bucket", - "values": { - "name": "large-bucket", - "lifecycle_rule": [ - { - "action": [{"type": "Delete"}], - "condition": [{"age": 10000}], - }, - ], - }, - }, - # Different resource type (should be ignored) - { - "type": "google_project", - "values": { - "name": "test-project", - "lifecycle_rule": [ - { - "action": [{"type": "Delete"}], - "condition": [{"age": 5000}], - }, - ], - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Range: [0, 365] - zero is inclusive, negatives and large values violate - violations := range.get_violations( - tf_variables, - ["lifecycle_rule", 0, "condition", 0, "age"], - [0, 365], - ) with input as mock_input - - # Should flag below-bucket and large-bucket - count(violations) == 2 - violation_names := {v.name | some v in violations} - violation_names == {"below-bucket", "large-bucket"} - - # Verify messages include range information - every v in violations { - contains(v.message, "must be between") - contains(v.message, "0") - contains(v.message, "365") - } -} - -# ============================================================================== -# REALITY CHECK (1): Test with real Terraform plan structure -# ============================================================================== - -# Test 8: get_violations with real Terraform plan 
-test_real_plan_violations if { - # Use real fixture - gcp_storage_bucket from fixtures - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Test with real data - check retention_period attribute - # Range: 604800 to 2592000 seconds (7 to 30 days) - violations := range.get_violations( - tf_variables, - ["retention_policy", 0, "retention_period"], - [604800, 2592000], # 7 days to 30 days in seconds - ) with input as data.gcp_storage_bucket_plan - - # Verify no crashes and proper structure - is_set(violations) - every v in violations { - shared_test._assert_valid_violation(v) - contains(v.message, "Storage Bucket") - contains(v.message, "must be between") - } -} diff --git a/tests/_helpers/shared_test.rego b/tests/_helpers/shared_test.rego deleted file mode 100644 index 3bfe4901a..000000000 --- a/tests/_helpers/shared_test.rego +++ /dev/null 
@@ -1,326 +0,0 @@ -package terraform.helpers.shared_test - -# Shared Utilities Test Suite -# -# Tests the shared utility module which provides helper functions used by all policy types. -# Foundation tests - all other policy tests depend on these utilities working correctly. - -import rego.v1 - -import data.terraform.helpers.shared - -# ============================================================================== -# UNIT TESTS (10): Test individual utility functions -# ============================================================================== - -# Test 1: get_resource_attribute - Happy Path -test_get_resource_attribute_found if { - resource := {"values": {"name": "test-resource"}} - result := shared.get_resource_attribute(resource, "name") - result == "test-resource" -} - -# Test 2: get_resource_attribute - Not Found -test_get_resource_attribute_not_found if { - resource := {"values": {}} - result := shared.get_resource_attribute(resource, "missing_key") - result == null -} - -# Test 3: format_attribute_path - Array Path -test_format_attribute_path_array if { - path := ["status", 0, "restricted_services"] - result := shared.format_attribute_path(path) - result == "status.[0].restricted_services" -} - -# Test 4: format_attribute_path - String Path -test_format_attribute_path_string if { - path := "attribute_name" - result := shared.format_attribute_path(path) - result == "attribute name" -} - -# Test 5: ensure_array - Already Array -test_ensure_array_with_array if { - input_array := [1, 2, 3] - result := shared.ensure_array(input_array) - result == [1, 2, 3] -} - -# Test 6: ensure_array - Scalar to Array -test_ensure_array_with_scalar if { - input_scalar := "value" - result := shared.ensure_array(input_scalar) - result == ["value"] -} - -# Test 7: value_in_array - Exists -test_value_in_array_exists if { - array := [1, 2, 3] - value := 2 - shared.value_in_array(array, value) -} - -# Test 8: value_in_array - Not Exists -test_value_in_array_not_exists if { - array 
:= [1, 2, 3] - value := 4 - not shared.value_in_array(array, value) -} - -# Test 9: get_target_list - Wildcard Extraction -test_get_target_list_wildcard_extraction if { - mock_resource := { - "values": { - "project_id": "projects/test-project/locations/us-east1", - }, - } - attribute_path := ["project_id"] - target := "projects/*/locations/*" - result := shared.get_target_list(mock_resource, attribute_path, target) - result == ["test-project", "us-east1"] -} - -# Test 10: final_formatter - Pattern Highlighting -test_final_formatter_highlight if { - target := "projects/test-project/locations/us" - sub_pattern := "test-project" - result := shared.final_formatter(target, sub_pattern) - result == "projects/'test-project'/locations/us" -} - -# ============================================================================== -# INTEGRATION TEST (1): Deep Nesting (Realistic Mock) -# ============================================================================== -# ============================================================================ -# MOCK DATA PROVENANCE -# ============================================================================ -# Source: tests/_helpers/fixtures/real_terraform_plans/gcp_access_level_plan.json -# Extracted: 2025-12-02 -# Terraform: v1.12.2 -# Provider: google (from plan file) -# -# Fields used in this mock: basic, basic.conditions, basic.conditions.device_policy -# Testing: Deep nested path access (5 levels) -# -# Fields intentionally omitted: custom, description, timeouts, title -# Reason: Not needed for nested attribute access testing -# -# Validation: See mock_validator_test.rego -# ============================================================================ - -# Test 11: Deep nesting with realistic mock -test_shared_utilities_with_deep_nesting if { - # Realistic mock with 5 levels of nesting from real Terraform plan - mock_resource := { - "type": "google_access_context_manager_access_level", - "values": { - "basic": [{ - "conditions": [{ - 
"device_policy": [{ - "require_screen_lock": true, - "os_constraints": [{"os_type": "DESKTOP_CHROME_OS"}], - }], - "regions": ["US", "EU"], - }], - }], - }, - } - - # Test get_attribute_value with deep path - screen_lock := shared.get_attribute_value( - mock_resource, - ["basic", 0, "conditions", 0, "device_policy", 0, "require_screen_lock"], - ) - screen_lock == true - - # Test format_attribute_path with complex array indices - formatted_path := shared.format_attribute_path([ - "basic", - 0, - "conditions", - 0, - "device_policy", - 0, - "require_screen_lock", - ]) - formatted_path == "basic.[0].conditions.[0].device_policy.[0].require_screen_lock" - - # Test ensure_array with nested array attribute - regions := shared.get_attribute_value(mock_resource, ["basic", 0, "conditions", 0, "regions"]) - ensured_regions := shared.ensure_array(regions) - ensured_regions == ["US", "EU"] -} - -# ============================================================================== -# ARRAY-OF-OBJECTS FIELD EXTRACTION (1): Test new enhancement -# ============================================================================== - -# Test 12: Array-of-objects field extraction (new enhancement) -test_get_attribute_value_array_of_objects_extraction if { - # Mock resource with array of objects (realistic os_constraints pattern) - mock_resource := { - "type": "google_access_context_manager_access_level", - "values": { - "basic": [{ - "conditions": [{ - "device_policy": [{ - "os_constraints": [ - {"os_type": "ANDROID", "minimum_version": "10"}, - {"os_type": "IOS", "minimum_version": "14"}, - {"os_type": "OS_UNSPECIFIED", "minimum_version": null}, - ], - }], - }], - }], - }, - } - - # Test: Extract os_type field from array of objects - os_types := shared.get_attribute_value( - mock_resource, - ["basic", 0, "conditions", 0, "device_policy", 0, "os_constraints", "os_type"], - ) - - # Should return array of extracted field values - trace(sprintf("Extracted os_types: %v", [os_types])) - 
is_array(os_types) - count(os_types) == 3 - os_types == ["ANDROID", "IOS", "OS_UNSPECIFIED"] - - # Test: Also works with other fields in the same array - versions := shared.get_attribute_value( - mock_resource, - ["basic", 0, "conditions", 0, "device_policy", 0, "os_constraints", "minimum_version"], - ) - trace(sprintf("Extracted versions: %v", [versions])) - is_array(versions) - count(versions) == 2 # null values are filtered out - versions == ["10", "14"] -} - -# Test 13: Array-of-objects extraction edge cases -test_get_attribute_value_array_of_objects_edge_cases if { - mock_resource := { - "type": "test_resource", - "values": { - "empty_array": [], - "scalar_value": "not-an-array", - "array_of_scalars": ["a", "b", "c"], - "nested": [{ - "items": [ - {"field": "value1"}, - {"field": "value2"}, - {"different": "ignored"}, # Missing 'field' key - ], - }], - }, - } - - # Empty array should return null (fallback to object.get) - empty_result := shared.get_attribute_value(mock_resource, ["empty_array", "field"]) - empty_result == null - - # Scalar value with field access should return null - scalar_result := shared.get_attribute_value(mock_resource, ["scalar_value", "field"]) - scalar_result == null - - # Array of scalars (not objects) should return null - scalar_array_result := shared.get_attribute_value(mock_resource, ["array_of_scalars", "field"]) - scalar_array_result == null - - # Extraction from nested array with missing field in some objects - nested_result := shared.get_attribute_value(mock_resource, ["nested", 0, "items", "field"]) - trace(sprintf("Nested extraction: %v", [nested_result])) - is_array(nested_result) - count(nested_result) == 2 # Only objects with 'field' key - nested_result == ["value1", "value2"] -} - -# ============================================================================== -# REALITY CHECK (1): Test with real Terraform plan structure -# ============================================================================== - -# Test 14: 
Reality check with actual fixture data -test_shared_utilities_with_real_structure if { - # Access real Terraform plan loaded by OPA from fixtures/gcp_access_level/ - # The wrapped file loads as data.gcp_access_level_plan (wrapper key becomes the path) - real_plan_data := data.gcp_access_level_plan - - trace(sprintf("Assertion 1: Plan data loaded = %v", [real_plan_data != null])) - real_plan_data != null - - real_resource := real_plan_data.planned_values.root_module.resources[0] - trace(sprintf("Assertion 2: Resource exists = %v", [real_resource != null])) - real_resource != null - - trace(sprintf("Assertion 3: Resource type = %v (expected google_access_context_manager_access_level)", [real_resource.type])) - real_resource.type == "google_access_context_manager_access_level" - - basic_config := shared.get_resource_attribute(real_resource, "basic") - trace(sprintf("Assertion 4: basic_config type = %v, is_array = %v", [type_name(basic_config), is_array(basic_config)])) - is_array(basic_config) - - trace(sprintf("Assertion 5: basic_config count = %v", [count(basic_config)])) - count(basic_config) > 0 - - require_screen_lock := shared.get_attribute_value( - real_resource, - ["basic", 0, "conditions", 0, "device_policy", 0, "require_screen_lock"], - ) - trace(sprintf("Assertion 6: require_screen_lock = %v, type = %v", [require_screen_lock, type_name(require_screen_lock)])) - require_screen_lock != null - - # Assertion 7: Should be boolean (validates deep path exists in real data) - trace(sprintf("Assertion 7: require_screen_lock is_boolean = %v", [is_boolean(require_screen_lock)])) - is_boolean(require_screen_lock) - - conditions := real_resource.values.basic[0].conditions - trace(sprintf("Assertion 8: conditions is_array = %v, type = %v", [is_array(conditions), type_name(conditions)])) - is_array(conditions) -} - -# ============================================================================== -# TEST ASSERTION HELPERS (4): Reusable validation functions -# 
============================================================================== - -# Verifies violations is a set with no duplicate resource names -_assert_unique_violations(violations) if { - is_set(violations) - violation_names := [v.name | some v in violations] - count(violation_names) == count({n | some n in violation_names}) -} - -# Verifies a single violation has the required structure -_assert_valid_violation(v) if { - is_string(v.name) - is_string(v.message) - v.name != "" - v.message != "" -} - -# Test 13: Assertion helper - Unique violations -test_assert_unique_violations_pass if { - mock_violations := { - {"name": "resource-1", "message": "error 1"}, - {"name": "resource-2", "message": "error 2"}, - } - _assert_unique_violations(mock_violations) -} - -# Test 14: Assertion helper - Valid violation structure -test_assert_valid_violation_pass if { - mock_violation := {"name": "test-resource", "message": "Test violation message"} - _assert_valid_violation(mock_violation) -} - -test_assert_valid_violation_fails_empty_name if { - mock_violation := {"name": "", "message": "Test violation message"} - not _assert_valid_violation(mock_violation) -} - -test_assert_valid_violation_fails_empty_message if { - mock_violation := {"name": "test-resource", "message": ""} - not _assert_valid_violation(mock_violation) -} diff --git a/tests/_helpers/smoke_test_helpers.sh b/tests/_helpers/smoke_test_helpers.sh deleted file mode 100755 index 0b4af5f5a..000000000 --- a/tests/_helpers/smoke_test_helpers.sh +++ /dev/null 
@@ -1,122 +0,0 @@
-#!/bin/bash
-# Smoke tests for helper refactoring
-# Tests all 6 policy types with minimal output for quick verification
-
-# Navigate to repository root
-cd "$(git rev-parse --show-toplevel)" || exit 1
-
-echo "Helper Refactor Smoke Tests"
-echo "================================"
-echo "Testing against actual Terraform plans for:"
-echo " • access_context_manager_service_perimeter.status"
-echo " • google_apihub_api_hub_instance.config_encryption_type"
-echo " • google_storage_bucket.retention_period"
-echo " • google_storage_default_object_acl.public_access_prevention"
-echo " • google_project.project_id"
-echo ""
-
-FAILED=0
-PASSED=0
-
-run_test() {
- local name="$1"
- local input="$2"
- local query="$3"
- local expected_violations="$4"
- local expected_resource="$5"
-
- echo -n "Testing $name... "
-
- # Check if input file exists
- if [[ ! -f "$input" ]]; then
- echo "❌ FAIL (input file not found: $input)"
- ((FAILED++))
- return
- fi
-
- # Capture output and exit code
- local output
- local exit_code
- output=$(opa eval \
- --data ./policies/_helpers \
- --data ./policies/gcp \
- --input "$input" \
- "$query" \
- --format raw 2>&1)
- exit_code=$?
-
- # Check for OPA errors
- if [[ $exit_code -ne 0 ]]; then
- echo "❌ FAIL (policy error: $output)"
- ((FAILED++))
- return
- fi
-
- # Validate output is valid JSON
- if ! echo "$output" | jq -e . >/dev/null 2>&1; then
- echo "❌ FAIL (invalid JSON output)"
- ((FAILED++))
- return
- fi
-
- # Check expected violation count
- local violation_count
- violation_count=$(echo "$output" | jq 'length - 1')
-
- if [[ "$violation_count" != "$expected_violations" ]]; then
- echo "❌ FAIL (expected $expected_violations violations, found $violation_count)"
- ((FAILED++))
- return
- fi
-
- # If expecting violations, check for expected resource in output
- if [[ $expected_violations -gt 0 ]] && [[ -n "$expected_resource" ]]; then
- if ! 
echo "$output" | grep -q "$expected_resource"; then
- echo "❌ FAIL (expected resource '$expected_resource' not found in output)"
- ((FAILED++))
- return
- fi
- fi
-
- echo "✅ PASS"
- ((PASSED++))
-}
-
-# Test all 6 policy types
-# Format: run_test "name" "input" "query" expected_violations expected_resource_in_output
-
-run_test "Blacklist & Element Blacklist" \
- "./inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_service_perimeter/status/plan.json" \
- "data.terraform.gcp.security.access_context_manager_vpc_service_controls.access_context_manager_service_perimeter.status.message" \
- 1 \
- "nc-null-restricted-services"
-
-run_test "Whitelist" \
- "./inputs/gcp/api_hub/google_apihub_api_hub_instance/config_encryption_type/plan.json" \
- "data.terraform.gcp.security.api_hub.google_apihub_api_hub_instance.config_encryption_type.message" \
- 0 \
- ""
-
-run_test "Range" \
- "./inputs/gcp/cloud_storage/google_storage_bucket/retention_period/plan.json" \
- "data.terraform.gcp.security.cloud_storage.google_storage_bucket.retention_period.message" \
- 1 \
- "nc123"
-
-run_test "Pattern Blacklist" \
- "./inputs/gcp/cloud_storage/google_storage_default_object_acl/public_access_prevention/plan.json" \
- "data.terraform.gcp.security.cloud_storage.google_storage_default_object_acl.public_access_prevention.message" \
- 1 \
- "nc123"
-
-run_test "Pattern Whitelist" \
- "./inputs/gcp/cloud_platform_service/google_project/project_id/plan.json" \
- "data.terraform.gcp.security.cloud_platform_service.google_project.project_id.message" \
- 1 \
- "nc123"
-
-echo ""
-echo "================================"
-echo "Results: $PASSED passed, $FAILED failed"
-
-exit $FAILED
diff --git a/tests/_helpers/unit_test_helpers.sh b/tests/_helpers/unit_test_helpers.sh
deleted file mode 100755
index 578e2ef65..000000000
--- a/tests/_helpers/unit_test_helpers.sh
+++ /dev/null
@@ -1,103 +0,0 @@
-#!/bin/bash
-# Unit tests for policy helpers
-# Runs comprehensive test suites for all helper modules with fixtures
-
-# Navigate to repository root
-cd "$(git rev-parse --show-toplevel)" || exit 1
-
-echo "Policy Helper Unit Tests"
-echo "============================"
-
-# Common fixtures needed by all tests
-FIXTURES=(
- "tests/_helpers/fixtures/gcp_storage_bucket/plan.json"
- "tests/_helpers/fixtures/gcp_project/plan.json"
- "tests/_helpers/fixtures/gcp_access_level/plan.json"
-)
-
-# Common helper modules
-HELPERS=(
- "policies/_helpers/shared.rego"
-)
-
-# Test utilities (assertion helpers used by all test files)
-TEST_HELPERS=(
- "tests/_helpers/shared_test.rego"
-)
-
-FAILED=0
-PASSED=0
-TOTAL_TESTS_PASSED=0
-TOTAL_TESTS_FAILED=0
-
-run_test_suite() {
- local name="$1"
- local test_file="$2"
- local policy_file="$3"
- local include_test_helpers="${4:-true}" # Default to true
-
- echo ""
- echo "Testing $name..."
- echo "============================"
-
- # Build test command with optional test helpers
- if [ "$include_test_helpers" = "true" ]; then
- output=$(opa test "$test_file" "$policy_file" "${HELPERS[@]}" "${TEST_HELPERS[@]}" "${FIXTURES[@]}" -v 2>&1)
- else
- output=$(opa test "$test_file" "$policy_file" "${HELPERS[@]}" "${FIXTURES[@]}" -v 2>&1)
- fi
- exit_code=$?
-
- echo "$output"
-
- if [ $exit_code -eq 0 ]; then
- ((PASSED++))
- # Count PASS occurrences in individual test lines (format: "data.package.test_name: PASS")
- pass_count=$(echo "$output" | grep -c ": PASS")
- ((TOTAL_TESTS_PASSED += pass_count))
- else
- ((FAILED++))
- # Count both PASS and FAIL occurrences in individual test lines
- pass_count=$(echo "$output" | grep -c ": PASS")
- fail_count=$(echo "$output" | grep -c ": FAIL")
- ((TOTAL_TESTS_PASSED += pass_count))
- ((TOTAL_TESTS_FAILED += fail_count))
- fi
-}
-
-# Run all helper test suites
-run_test_suite "Shared Helpers" \
- "tests/_helpers/shared_test.rego" \
- "policies/_helpers/shared.rego" \
- "false" # Don't include shared_test.rego when testing itself
-
-run_test_suite "Blacklist Policy" \
- "tests/_helpers/blacklist_test.rego" \
- "policies/_helpers/policies/blacklist.rego"
-
-run_test_suite "Whitelist Policy" \
- "tests/_helpers/whitelist_test.rego" \
- "policies/_helpers/policies/whitelist.rego"
-
-run_test_suite "Range Policy" \
- "tests/_helpers/range_test.rego" \
- "policies/_helpers/policies/range.rego"
-
-run_test_suite "Pattern Blacklist Policy" \
- "tests/_helpers/pattern_blacklist_test.rego" \
- "policies/_helpers/policies/pattern_blacklist.rego"
-
-run_test_suite "Pattern Whitelist Policy" \
- "tests/_helpers/pattern_whitelist_test.rego" \
- "policies/_helpers/policies/pattern_whitelist.rego"
-
-run_test_suite "Element Blacklist Policy" \
- "tests/_helpers/element_blacklist_test.rego" \
- "policies/_helpers/policies/element_blacklist.rego"
-
-echo ""
-echo "================================"
-echo "Test Suites: $PASSED passed, $FAILED failed"
-echo "Total Tests: $TOTAL_TESTS_PASSED passed, $TOTAL_TESTS_FAILED failed"
-
-exit $FAILED
diff --git a/tests/_helpers/whitelist_test.rego b/tests/_helpers/whitelist_test.rego
deleted file mode 100644
index f6cbaee8e..000000000
--- a/tests/_helpers/whitelist_test.rego
+++ /dev/null
@@ -1,345 +0,0 @@ -package terraform.helpers.policies.whitelist_test - -# Whitelist Policy Test Suite -# -# Tests the whitelist policy module which detects resources with non-allowed values. -# Covers scalar values, array AND logic (all must be whitelisted), and message formatting. - -import data.terraform.helpers.policies.whitelist -import data.terraform.helpers.shared -import data.terraform.helpers.shared_test -import rego.v1 - -# ============================================================================== -# UNIT TESTS (6): Test _is_whitelisted helper function -# ============================================================================== - -# Test 1: Scalar value in whitelist (boundary: match) -test_is_whitelisted_scalar_match if { - whitelist._is_whitelisted(["allowed", "permitted"], "allowed") -} - -# Test 2: Scalar value not in whitelist (boundary: no match) -test_is_whitelisted_scalar_no_match if { - not whitelist._is_whitelisted(["allowed", "permitted"], "forbidden") -} - -# Test 3: Array with ALL whitelisted values (AND logic proof) -test_is_whitelisted_array_all_match if { - whitelist._is_whitelisted(["good", "better", "best"], ["good", "best"]) -} - -# Test 4: Array with SOME non-whitelisted values (AND logic negative) -test_is_whitelisted_array_partial_match if { - not whitelist._is_whitelisted(["good", "better"], ["good", "bad"]) -} - -# Test 5: Empty array whitelisting (edge case) -test_is_whitelisted_empty_array if { - whitelist._is_whitelisted(["allowed"], []) -} - -# ============================================================================== -# MOCK DATA PROVENANCE -# ============================================================================== -# Minimal mocks in tests 6-10 are synthetic, designed to test specific logic paths. -# They represent simplified versions of real Terraform resources with controlled -# attributes to validate exact behavior (e.g., AND logic, edge cases). 
-# -# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_storage_bucket/plan.json -# Source: inputs/gcp/cloud_storage/google_storage_bucket/retention_period/ -# Purpose: Tests against actual Terraform plan structure (see blacklist_test.rego) -# ============================================================================== - -# Test 6: get_violations with minimal mock (happy path + structure validation) -test_get_violations_minimal if { - # Minimal mock with non-whitelisted location - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_storage_bucket", - "values": { - "name": "test-bucket", - "location": "ASIA", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - violations := whitelist.get_violations( - tf_variables, - ["location"], - ["US", "EU"], - ) with input as mock_input - - count(violations) == 1 - some v in violations - v.name == "test-bucket" - shared_test._assert_valid_violation(v) - contains(v.message, "test-bucket") # Resource name - contains(v.message, "ASIA") # Violating value - contains(v.message, "should be set to") # Verdict -} - -# ============================================================================== -# INTEGRATION TEST (1): Realistic structure with edge cases -# ============================================================================== - -# Test 7: get_violations with realistic Terraform structures -test_get_violations_realistic if { - # Realistic mock including edge cases - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - # Resource with non-whitelisted value - { - "type": "google_storage_bucket", - "values": { - "name": "violating-bucket", - "location": "ASIA", - "storage_class": "STANDARD", - }, - }, - # Resource with whitelisted value - { - "type": "google_storage_bucket", - "values": { - "name": "compliant-bucket", - 
"location": "US", - "storage_class": "STANDARD", - }, - }, - # Resource with null location (edge case - should violate) - { - "type": "google_storage_bucket", - "values": { - "name": "null-bucket", - "location": null, - "storage_class": "STANDARD", - }, - }, - # Different resource type (should be ignored) - { - "type": "google_project", - "values": { - "name": "test-project", - "location": "ASIA", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - violations := whitelist.get_violations( - tf_variables, - ["location"], - ["US", "EU"], - ) with input as mock_input - - # Should flag violating-bucket and null-bucket - count(violations) == 2 - violation_names := {v.name | some v in violations} - violation_names == {"violating-bucket", "null-bucket"} - - # Verify message format - some v in violations - v.name == "violating-bucket" - contains(v.message, "Storage Bucket") - contains(v.message, "location") - contains(v.message, "should be set to") -} - -# ============================================================================== -# REALITY CHECK (1): Test with real Terraform plan structure -# ============================================================================== - -# Test 8: get_violations with real Terraform plan -test_get_violations_with_real_terraform_plan if { - # Use real fixture - gcp_storage_bucket from fixtures - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Test with real data - whitelist specific locations - violations := whitelist.get_violations( - tf_variables, - ["location"], - ["US-CENTRAL1", "US-EAST1"], - ) with input as data.gcp_storage_bucket_plan - - is_set(violations) - every v in violations { - shared_test._assert_valid_violation(v) - contains(v.message, "Storage Bucket") - contains(v.message, "location") - 
contains(v.message, "should be set to") - } -} - -# Test 11: Utilize fixture attribute - storage_class whitelist -test_storage_class_fixture if { - # Test using actual storage_class attribute from gcp_storage_bucket_plan - # Fixture has storage_class: "STANDARD" for both buckets - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Whitelist only NEARLINE and COLDLINE (both buckets should violate) - violations := whitelist.get_violations( - tf_variables, - ["storage_class"], - ["NEARLINE", "COLDLINE"], - ) with input as data.gcp_storage_bucket_plan - - # Both c123 and nc123 have non-whitelisted storage_class: "STANDARD" - count(violations) == 2 - violation_names := {v.name | some v in violations} - violation_names == {"c123", "nc123"} - - every v in violations { - contains(v.message, "storage_class") - contains(v.message, "STANDARD") - contains(v.message, "should be set to") - } -} - -# ============================================================================== -# ADDITIONAL TESTS (2): Real-world usage patterns -# ============================================================================== - -# Test 9: Boolean whitelisting (real-world use case - versioning enabled) -test_get_violations_boolean_whitelist if { - # Mock matching real policy: versioning.enabled must be true - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_storage_bucket", - "values": { - "name": "compliant-bucket", - "versioning": [ - { - "enabled": true, - }, - ], - "location": "US", - }, - }, - { - "type": "google_storage_bucket", - "values": { - "name": "non-compliant-bucket", - "versioning": [ - { - "enabled": false, - }, - ], - "location": "US", - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Whitelist 
versioning.enabled: true (actual policy usage pattern) - violations := whitelist.get_violations( - tf_variables, - ["versioning", 0, "enabled"], - [true], - ) with input as mock_input - - # Should only flag non-compliant-bucket - count(violations) == 1 - some v in violations - v.name == "non-compliant-bucket" - contains(v.message, "versioning") - contains(v.message, "false") - contains(v.message, "should be set to") -} - -# Test 10: Array attribute with AND logic (all elements must be whitelisted) -test_get_violations_array_attribute_and_logic if { - # Mock with array attributes testing AND logic - mock_input := { - "planned_values": { - "root_module": { - "resources": [ - { - "type": "google_storage_bucket", - "values": { - "name": "compliant-bucket", - "cors": [ - { - "method": ["GET", "POST"], - "origin": ["https://example.com"], - }, - ], - }, - }, - { - "type": "google_storage_bucket", - "values": { - "name": "violating-bucket", - "cors": [ - { - "method": ["GET", "DELETE"], - "origin": ["https://example.com"], - }, - ], - }, - }, - ], - }, - }, - } - - tf_variables := { - "resource_type": "google_storage_bucket", - "friendly_resource_name": "Storage Bucket", - "resource_value_name": "name", - } - - # Whitelist only safe HTTP methods (AND logic: ALL must be in whitelist) - violations := whitelist.get_violations( - tf_variables, - ["cors", 0, "method"], - ["GET", "POST", "HEAD"], - ) with input as mock_input - - # Should flag bucket with DELETE (not in whitelist) - count(violations) == 1 - some v in violations - v.name == "violating-bucket" - contains(v.message, "cors") - contains(v.message, "method") -} From 41e1e9316c639fadb69852cb6d56639e1f3f3739 Mon Sep 17 00:00:00 2001 
From: LegendaryMercury Date: Wed, 10 Dec 2025 18:39:46 +1100 Subject: [PATCH 08/20] Up to date So you can look for issues --- .../.terraform.lock.hcl | 0 .../c.tf | 2 +- .../config.tf | 0 .../nc.tf | 2 +- .../plan.json | Bin 26728 -> 26728 bytes .../data_connector_params/policy.rego | 49 ------------------ .../policy.rego | 25 +++++++++ .../discovery_engine/data_connector/vars.rego | 2 +- 8 files changed, 28 insertions(+), 52 deletions(-) rename inputs/gcp/discovery_engine/data_connector/{data_connector_params => google_discovery_engine_data_connector}/.terraform.lock.hcl (100%) rename inputs/gcp/discovery_engine/data_connector/{data_connector_params => google_discovery_engine_data_connector}/c.tf (100%) rename inputs/gcp/discovery_engine/data_connector/{data_connector_params => google_discovery_engine_data_connector}/config.tf (100%) rename inputs/gcp/discovery_engine/data_connector/{data_connector_params => google_discovery_engine_data_connector}/nc.tf (100%) rename inputs/gcp/discovery_engine/data_connector/{data_connector_params => google_discovery_engine_data_connector}/plan.json (99%) delete mode 100644 policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego create mode 100644 policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_params/.terraform.lock.hcl b/inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/.terraform.lock.hcl similarity index 100% rename from inputs/gcp/discovery_engine/data_connector/data_connector_params/.terraform.lock.hcl rename to inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/.terraform.lock.hcl 
diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_params/c.tf b/inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/c.tf similarity index 100% rename from inputs/gcp/discovery_engine/data_connector/data_connector_params/c.tf rename to inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/c.tf index 83c6b05ae..bc529bb66 100644 --- a/inputs/gcp/discovery_engine/data_connector/data_connector_params/c.tf +++ b/inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/c.tf @@ -3,9 +3,9 @@ # Data source resource "google_discovery_engine_data_connector" "c" { + collection_id = "c" project = "735927692082" location = "eu" - collection_id = "c" collection_display_name = "tf-c-dataconnector" data_source = "servicenow" params = { diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_params/config.tf b/inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/config.tf similarity index 100% rename from inputs/gcp/discovery_engine/data_connector/data_connector_params/config.tf rename to inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/config.tf diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_params/nc.tf b/inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/nc.tf similarity index 100% rename from inputs/gcp/discovery_engine/data_connector/data_connector_params/nc.tf rename to inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/nc.tf index 877ded89e..fcca47e00 100644 --- a/inputs/gcp/discovery_engine/data_connector/data_connector_params/nc.tf +++ b/inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/nc.tf 
@@ -3,9 +3,9 @@ # Prams resource "google_discovery_engine_data_connector" "nc" { + collection_id = "nc" project = "735927692082" location = "eu" - collection_id = "nc" collection_display_name = "tf-c-dataconnector" data_source = "nc-datasource" params = { diff --git a/inputs/gcp/discovery_engine/data_connector/data_connector_params/plan.json b/inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/plan.json similarity index 99% rename from inputs/gcp/discovery_engine/data_connector/data_connector_params/plan.json rename to inputs/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/plan.json index 24a5cc307dd4d6ba5d114509252afa658581e617..e7cb54d2451ca0dccf2ffaf2e3455812c3dae58c 100644 GIT binary patch delta 35 ocmaEHf$_x!#tl2tMGYAY7(#&9jKPY*l)(r{8Z%f-KAS!p0MPsj8UO$Q delta 35 pcmaEHf$_x!#tl2tMGY7%7(y5f7|a-~7)%)qfusS0!Q`{)vjNdl3KakV diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego deleted file mode 100644 index eeca74d2a..000000000 --- a/policies/gcp/discovery_engine/data_connector/data_connector_params/policy.rego +++ /dev/null 
@@ -1,49 +0,0 @@ -package terraform.gcp.security.discovery_engine.data_connector.data_connector_params -import data.terraform.gcp.helpers -import data.terraform.gcp.security.discovery_engine.data_connector.vars - -#Data_connector - -conditions := [ - [ - { - "situation_description": "Is the data prams set correctly", - "remedies": ["Ensure that it is set to the correct paramiters"] - }, - { - "condition": "parms is misconfigured", - "attribute_path": ["params", 0, "auth_type"], - "values": ["OAUTH_PASSWORD_GRANT"], - "policy_type": "whitelist" - } - ], - [ - { - "situation_description": "Is the client_id set correctly", - "remedies": ["Ensure that it is set to the correct client_id"] - }, - { - "condition": "client_id is misconfigured", - "attribute_path": ["params", 0, "client_id"], - "values": ["VALID-ID"], - "policy_type": "whitelist" - } - ], - [ - { - "situation_description": "Is the user_account set correctly", - "remedies": ["Ensure that it is set to the correct user_account"] - }, - { - "condition": "parms is misconfigured", - "attribute_path": ["params", 0, "user_account"], - "values": ["Validuser@google.com"], - "policy_type": "whitelist" - } - ] - -] - -message := helpers.get_multi_summary(conditions, vars.variables).message - -details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego b/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego new file mode 100644 index 000000000..73ace6ef4 --- /dev/null +++ b/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego 
@@ -0,0 +1,25 @@ +package terraform.gcp.security.discovery_engine.data_connector.google_discovery_engine_data_connector +import data.terraform.gcp.helpers +import data.terraform.gcp.security.discovery_engine.data_connector.vars + +#Data_connector + +conditions := [ + [ + { + "situation_description": "Is the data prams set correctly", + "remedies": ["Ensure that it is set to the correct paramiters"] + }, + { + "condition": "parms is misconfigured", + "attribute_path": ["params",0, "auth_type"], + "values": ["OAUTH_PASSWORD_GRANT"], + "policy_type": "whitelist" + } + ] + +] + +message := helpers.get_multi_summary(conditions, vars.variables).message + +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/discovery_engine/data_connector/vars.rego b/policies/gcp/discovery_engine/data_connector/vars.rego index 43fd21c21..ee269e245 100644 --- a/policies/gcp/discovery_engine/data_connector/vars.rego +++ b/policies/gcp/discovery_engine/data_connector/vars.rego @@ -3,7 +3,7 @@ package terraform.gcp.security.discovery_engine.data_connector.vars #This is for the data_connector variables := { - "friendly_resource_name": "data_connector", + "friendly_resource_name": "google_discovery_engine_data_connector", "resource_type": "google_discovery_engine_data_connector", "resource_value_name" : "collection_id" } From 79dfb434d0da9fe3bdb5c0198bbbcf6844770e70 Mon Sep 17 00:00:00 2001 
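Review bot: The user-facing strings in the new condition carry typos that will be surfaced verbatim in findings — `"Is the data prams set correctly"`, `"the correct paramiters"` and `"parms is misconfigured"` — and the remedy never names the value the whitelist actually accepts, unlike the license_config policies later in this series ("Ensure that it is set to false"). Suggest `"situation_description": "Is params.auth_type set correctly"`, `"remedies": ["Ensure that params.auth_type is set to OAUTH_PASSWORD_GRANT"]` and `"condition": "params.auth_type is misconfigured"`. Separately, the c.tf hunk earlier in this patch assigns `params = {` as an attribute map rather than a nested block, so whether the plan serialises it as a list that `["params",0, "auth_type"]` can index should be confirmed against the fixture plan.json (binary in this patch).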
From: LegendaryMercury Date: Sun, 14 Dec 2025 15:36:19 +1100 Subject: [PATCH 09/20] license_config done --- .../.terraform.lock.hcl | 21 ++++++++++ .../license_config_auto_renew/c.tf | 26 +++++++++++++ .../license_config_auto_renew/config.tf | 11 ++++++ .../license_config_auto_renew/nc.tf | 26 +++++++++++++ .../license_config_auto_renew/plan.json | Bin 0 -> 21302 bytes .../.terraform.lock.hcl | 21 ++++++++++ .../license_config_location/c.tf | 23 +++++++++++ .../license_config_location/config.tf | 11 ++++++ .../license_config_location/nc.tf | 23 +++++++++++ .../license_config_location/plan.json | Bin 0 -> 21028 bytes .../.terraform.lock.hcl | 21 ++++++++++ .../license_config_subscription_tier/c.tf | 23 +++++++++++ .../config.tf | 11 ++++++ .../license_config_subscription_tier/nc.tf | 23 +++++++++++ .../plan.json | Bin 0 -> 20968 bytes .../policy.rego | 36 ++++++++++++++++++ .../license_config_auto_renew/policy.rego | 25 ++++++++++++ .../license_config_location/policy.rego | 25 ++++++++++++ .../policy.rego | 25 ++++++++++++ .../discovery_engine/license_config/vars.rego | 9 +++++ 20 files changed, 360 insertions(+) create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_auto_renew/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_auto_renew/c.tf create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_auto_renew/config.tf create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_auto_renew/nc.tf create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_auto_renew/plan.json create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_location/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_location/c.tf create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_location/config.tf create mode 100644 
inputs/gcp/discovery_engine/license_config/license_config_location/nc.tf create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_location/plan.json create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/c.tf create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/config.tf create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/nc.tf create mode 100644 inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/plan.json create mode 100644 policies/gcp/discovery_engine/license_config/license_config_auto_renew/policy.rego create mode 100644 policies/gcp/discovery_engine/license_config/license_config_location/policy.rego create mode 100644 policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego create mode 100644 policies/gcp/discovery_engine/license_config/vars.rego diff --git a/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/.terraform.lock.hcl b/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/.terraform.lock.hcl new file mode 100644 index 000000000..9813aa78c --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.13.0" + hashes = [ + "h1:b6SwI27s+SxY2+YBwYsc4ufKymznA7KjxouNMRX49nc=", + "zh:01d22b268d44f885add27ba87b3c0a1e3c9efa35131831ce4275b2a1bfd7e0df", + "zh:104efd3d66a818d9311c7ebd5d1886a7e17ef79562869aa39df9a5b57ec6c630", + "zh:116f0a1cf4db399c4ac2173f0b1fa9f08518bd20cade8d4370a0c5e1b99177be", + "zh:4384e66934dd866ae76dd6f73711b4d9eab8442754a969bb5b1ad6b20429665c", + "zh:595ef531359dcd95ebc52e10e4b94f5676039f336ede9caef95e7b46cd4b635b", + "zh:b0fa219a3339a28c8f450b55d272eeb44b86118b65989ac1f09d174d1fab9069", + "zh:d0119fb709d5e9d52220a545157a5310f31027999c411ec602b51c301aa2db6c", + "zh:d29b3104c9497c32f2479a88fcc741360eb3e3be3279f84086d9fdd3dca56777", + "zh:d5a4cee375237ca451f209b849b4993b288fc027ce2c1a3f4912b03f0f24537e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa02aaf1210b55618a1fa909b8a722e79786ef315b889c35377a7ade9a0f7dbb", + "zh:ff339e275183e3b9bc2449102277b5abb63e2877f819e319ac6f0d8e06a5e7d3", + ] +} diff --git a/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/c.tf b/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/c.tf new file mode 100644 index 000000000..e6285f984 --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/c.tf 
@@ -0,0 +1,26 @@ +# Describe your resource type here + +#license_config_renew + +resource "google_discovery_engine_license_config" "c" { + project = "735927692082" + location = "eu" + license_config_id = "c" + license_count = 50 + subscription_tier = "SUBSCRIPTION_TIER_SEARCH_AND_ASSISTANT" + + # This setting will not cause the Rego policy to DENY the resource. + auto_renew = false + + start_date { + year = 2099 + month = 1 + day = 1 + } + end_date { + year = 2100 + month = 1 + day = 1 + } + subscription_term = "SUBSCRIPTION_TERM_ONE_YEAR" +} \ No newline at end of file diff --git a/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/config.tf b/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/nc.tf b/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/nc.tf new file mode 100644 index 000000000..6a7f124f1 --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/nc.tf @@ -0,0 +1,26 @@ +# Describe your resource type here + +#license_config_renew + +resource "google_discovery_engine_license_config" "nc" { + project = "735927692082" + location = "eu" + license_config_id = "nc" + license_count = 50 + subscription_tier = "SUBSCRIPTION_TIER_SEARCH_AND_ASSISTANT" + + # This setting will cause the Rego policy to DENY the resource. + auto_renew = true + + start_date { + year = 2099 + month = 1 + day = 1 + } + end_date { + year = 2100 + month = 1 + day = 1 + } + subscription_term = "SUBSCRIPTION_TERM_ONE_YEAR" +} \ No newline at end of file 
diff --git a/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/plan.json b/inputs/gcp/discovery_engine/license_config/license_config_auto_renew/plan.json new file mode 100644 index 0000000000000000000000000000000000000000..2c34ca52d5589dd9a8d572ba13f6ffdb0a1e37a5 GIT binary patch literal 21302 zcmeHP-%leq5T55s{U6Xiw-nM|>D}A)dQy4l4;|dY6`_bifV3fr0<=Ylf4%KDcIMW0 zY{&L49Cug|INt2ej>j|OnfccH-@mu?IekVO%TGh6G@}Jw&=FnHkp7|(dY3fD(J3|b z0_QcfO`9}8`-OAul{$NYYlTXT!Zv95>C9;Y8dH2mbfUO8!jWtAE|)ymT({gWz~@YH zeu4G`*GzDg=G%Xbc`ehQ;hF^<8}~Y}Mk(jJZJfG$c7ySq;ImNokx?~truaWoTo3X4 z7#tnrn4X6l$YKPkoZ&djW{C5~iq|R5<367|h4jZbXA?blj$A(6euJ53xrxlU&oglZ zdOR2T^seZJ<_5h!N0`qIkL1GOrbI$>%o@+gSjlMtsk>BpR(Xytp@|EOe-ka+k!cy5 z_Py-E_j`jC%C_|_%+m8BYn6LF zw5?x4Z-0kg94kwoLo>8qv+eWBd-2{P_vkHsPkZ!=-q0@nO8fZ#3;hgD+Nakz_7lEw z|25io`2P~e$}J+s*I02To+8HAuHtM6t~Ece=tpq(5?ubE+CBWTi@$w!Y`+7)EH{pi zI10XkJZ*oO+p(p_!rTgnw^Lw+_q*XI%e#z#!<7Anw_wfH7YNt*@^3MV*R)` zy5H<1wxS+-*IRoPcJrGC5txn8Fy6uSb4Em3Z0NvCJ02@NOxCkL=joc`u#J2;yrscR z9s7bJ7RyVLtOXNl_#m494ODlbt$f~X;dP;+R&h?HCm#nf@kDa zubHb;bziCFr;WxORo{qBzer8qcw}7C_M83mkI1Z6XUmZo+rNqgLTzq#(?8L2UgF>C98J#d4(NzHKpvJUl!i!kQLFXdVv|(npTr z#;qY+F<0gxq%);I@i)Ws5b~r|o;8J6)i%!0t6nyUWdzGEtADx?VJVgVFqZV$F(a>` z2c6QfVeV5a_N=dBUO5q`Xx4qqe4i4Jtt5Uw7@DQHMX+q||Eao^y6LBu$EA(AW^!VY ztL@{?;fG z8IUnZ8=5tLrHC=uy2DNoh)rm3eTr2yiCeec$M&5sq18HqY1>28Nk>4rwZ*zt?AKe9 zNAo*Z&i+vdG(SHe`&&RvhHtt#@fiFsoZ zp2AhZm_LxKLv5K%Txxc%vnEg{WSP*V~WVi|MKhYe<*bEW5hgi^Z^P6I)NWp4jfc@UFyemX(Ib_cMn4 z9gMj;ksB9qC1U-15>m7>_0D;b)8oN1S6A_;^^TA-M55*}f+=?KQhnl!qQ`l5C|9{{ z&0w@dTqGrRy{H+C)GxGu>0%|m_mR{bM&6T>s*$lbm2{b%n!~uh)9%+ChUHOn7+WjW z_tKH*bPo{A!#?dCCYI?Odb4v|W8EyMeUe)HzYA2^WyKqyRyM#pp}xdh#RlsCH+Xjq zAA5l#JNQ4qJEMNX`F7=-bD}vu6IB0?ursQCx1+?G?)i)x@SXY07WWLDt>4kdZ{gGL PI^;J=w3T?4kRJ2@#SjBm literal 0 HcmV?d00001 
diff --git a/inputs/gcp/discovery_engine/license_config/license_config_location/.terraform.lock.hcl b/inputs/gcp/discovery_engine/license_config/license_config_location/.terraform.lock.hcl new file mode 100644 index 000000000..9813aa78c --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_location/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.13.0" + hashes = [ + "h1:b6SwI27s+SxY2+YBwYsc4ufKymznA7KjxouNMRX49nc=", + "zh:01d22b268d44f885add27ba87b3c0a1e3c9efa35131831ce4275b2a1bfd7e0df", + "zh:104efd3d66a818d9311c7ebd5d1886a7e17ef79562869aa39df9a5b57ec6c630", + "zh:116f0a1cf4db399c4ac2173f0b1fa9f08518bd20cade8d4370a0c5e1b99177be", + "zh:4384e66934dd866ae76dd6f73711b4d9eab8442754a969bb5b1ad6b20429665c", + "zh:595ef531359dcd95ebc52e10e4b94f5676039f336ede9caef95e7b46cd4b635b", + "zh:b0fa219a3339a28c8f450b55d272eeb44b86118b65989ac1f09d174d1fab9069", + "zh:d0119fb709d5e9d52220a545157a5310f31027999c411ec602b51c301aa2db6c", + "zh:d29b3104c9497c32f2479a88fcc741360eb3e3be3279f84086d9fdd3dca56777", + "zh:d5a4cee375237ca451f209b849b4993b288fc027ce2c1a3f4912b03f0f24537e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa02aaf1210b55618a1fa909b8a722e79786ef315b889c35377a7ade9a0f7dbb", + "zh:ff339e275183e3b9bc2449102277b5abb63e2877f819e319ac6f0d8e06a5e7d3", + ] +} diff --git a/inputs/gcp/discovery_engine/license_config/license_config_location/c.tf b/inputs/gcp/discovery_engine/license_config/license_config_location/c.tf new file mode 100644 index 000000000..8108695ce --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_location/c.tf 
@@ -0,0 +1,23 @@ +# Describe your resource type here + +#license_config_location + +resource "google_discovery_engine_license_config" "c" { + project = "735927692082" + location = "eu" + license_config_id = "c" + license_count = 50 + subscription_tier = "SUBSCRIPTION_TIER_SEARCH_AND_ASSISTANT" + + start_date { + year = 2099 + month = 1 + day = 1 + } + end_date { + year = 2100 + month = 1 + day = 1 + } + subscription_term = "SUBSCRIPTION_TERM_ONE_YEAR" +} \ No newline at end of file diff --git a/inputs/gcp/discovery_engine/license_config/license_config_location/config.tf b/inputs/gcp/discovery_engine/license_config/license_config_location/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_location/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/discovery_engine/license_config/license_config_location/nc.tf b/inputs/gcp/discovery_engine/license_config/license_config_location/nc.tf new file mode 100644 index 000000000..ba01dd97d --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_location/nc.tf @@ -0,0 +1,23 @@ +# Describe your resource type here + +#license_config_location + +resource "google_discovery_engine_license_config" "nc" { + project = "735927692082" + location = "us" + license_config_id = "nc" + license_count = 50 + subscription_tier = "SUBSCRIPTION_TIER_SEARCH_AND_ASSISTANT" + + start_date { + year = 2099 + month = 1 + day = 1 + } + end_date { + year = 2100 + month = 1 + day = 1 + } + subscription_term = "SUBSCRIPTION_TERM_ONE_YEAR" +} \ No newline at end of file 
diff --git a/inputs/gcp/discovery_engine/license_config/license_config_location/plan.json b/inputs/gcp/discovery_engine/license_config/license_config_location/plan.json new file mode 100644 index 0000000000000000000000000000000000000000..a890abca025c1454cf304a9328904274b1d91c04 GIT binary patch literal 21028 zcmeHP-A^Mo5TEBt{U6Xiw<)AYuiV@9dQy4lhYtGCo=}uRfV3fr0<=Ylf4%K*>52yQCyh|Mq%m5jRM8vs zt7wOM)JOT5GxkdLUSO<12|?Ha3_qMXO#owx&xlSG7DKdLqjtH(!N$7AegQmZ3iAt; zCm1uqD2=y&j5(I!&oE{|$HrVAtyM~Yw+usfdskTB2|f!okF2VqGll<|!g_$;$H3?q zZF(PWK#LKma)x%M%>ezz3fC$6ah>~4LH#lM^iXs6$i>60SJ-)`o6wBwyc0vf*LX+9icSkq-G$1#%6oJPPF!I9J(Mg*reyT+`;5Mz zb6|9dZ{A0iygAxT8l|t1Ip!Sm@y_|>Z`+YvmkZo_h1JGMpgYp7Gv8l>8Z%(VRAMgv zYbl>oC9RW0++>DIL1S%kf;pJpTI%DZSD?6MnpC@^rCuqVZk8DBWUf%4NvUOZinX41 z4*3T38)Anv4g1je+xVC#gjl-TF`2ojj8Z)CO#nv3<~@1XhdJ(d-{ zrY~ui_Hfp}rms}FO<#Mg2Z6J$tdv$|-emiv$oe{Zt^2*g`DDxbHg;(*OIl^FhnDqA z@a=Eli(@6}^LxH#+2?cj;$9*T=x6$d4(J_ypndv@4)OgX{Qyonr1xn19{+LuJ<4D3 z{T6Nc5)r~{tS}Qz5yERc72kv{uQZ;QQ>*wUTd?!RPf{N{0wJ1 zIC{?ckUBHukN1Wx!iVvC*84ndeVhuu=;LKuD(pmRc16zRr;<&nES}Qwk1+3u1TqhC z+*3zXC3f;rR%5QJ+k8#8d78A< z$f~65)*9;G=UI)-=I3E-?J5*#DpTWO-TO3tA4786ZSyRC=GU3hikPq$%=U{4?vwM{eiz3o`sO7 ztkR^Z`Bbf~{ItkP1zJcZn=|PA^i?VZ+aAn?(p`ones@f}Yv9REY0K~w*40G)8b=v> z*H<%MDfXst)+TnoONxh162Bg7+NH2WFl{&gL|shO^#A6?#jW{iWuA&3C;CB`EFHy< zvuV;)D}G#;&&~NgEx#WZqiNh-^TXeiCzq3hDxO@(25|S&tv`e`7EjKly1!mLxmCK@ zHhuBrRw*Pc;fPc1r^aZDCLclOlG2W#7f;T-7m-Tw(7rTza^{#LCw{;-dVO1oZ(X@h zr29QSIZw@;kqIfri?(lC#f+#q%8qKdkYXbNr?AH-_-y+2khuf01}U3%&A$fDz?R!} zV!8Ifz2zBJ;Uq3|^1tSI4P!NqV9NFYanccT+*)GuWKZVg$l2fO)(Ss8Aa`6PbL-bV zGPbE~j>d)LunC&9=iwrwrL?o1x68~lYhWGk zUSe^OTX0N|HoKWO+C4p+XzaH8{bSK$W*#+`4t#D`Ex5vuk?FC=V#0Ue^0|}o@ZE!p zote5^-rlTFtO^bzc$YxGEUV1`z?waoc zwv(*5Ja{*2NWV9j$`h$}0Y?DVzndUN$HdN@rgNT74srDqe_8M4$jby2-@)Y@j`76E z)9N_8rT7k-9_|yFv6{O04&t$E$!>Fs`rg0s9K8pfOKd}l;yu_}YJIKfv9@}wcn|vB zKE-=*-#YS~yoZoYbmX;|?5LgVf7H(o>*&b^;>vR3^%14&;~hw!<92;teZRuHTDa{E zTK4e0ORwlx^tbaa?2XLvnIPUh#7&_3O@{s_X>~r0XXc)Drmv~Dej^>fb56h6kNLWO KqLnG6*Zd!@sNYur 
literal 0 HcmV?d00001 diff --git a/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/.terraform.lock.hcl b/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/.terraform.lock.hcl new file mode 100644 index 000000000..9813aa78c --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.13.0" + hashes = [ + "h1:b6SwI27s+SxY2+YBwYsc4ufKymznA7KjxouNMRX49nc=", + "zh:01d22b268d44f885add27ba87b3c0a1e3c9efa35131831ce4275b2a1bfd7e0df", + "zh:104efd3d66a818d9311c7ebd5d1886a7e17ef79562869aa39df9a5b57ec6c630", + "zh:116f0a1cf4db399c4ac2173f0b1fa9f08518bd20cade8d4370a0c5e1b99177be", + "zh:4384e66934dd866ae76dd6f73711b4d9eab8442754a969bb5b1ad6b20429665c", + "zh:595ef531359dcd95ebc52e10e4b94f5676039f336ede9caef95e7b46cd4b635b", + "zh:b0fa219a3339a28c8f450b55d272eeb44b86118b65989ac1f09d174d1fab9069", + "zh:d0119fb709d5e9d52220a545157a5310f31027999c411ec602b51c301aa2db6c", + "zh:d29b3104c9497c32f2479a88fcc741360eb3e3be3279f84086d9fdd3dca56777", + "zh:d5a4cee375237ca451f209b849b4993b288fc027ce2c1a3f4912b03f0f24537e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa02aaf1210b55618a1fa909b8a722e79786ef315b889c35377a7ade9a0f7dbb", + "zh:ff339e275183e3b9bc2449102277b5abb63e2877f819e319ac6f0d8e06a5e7d3", + ] +} diff --git a/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/c.tf b/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/c.tf new file mode 100644 index 000000000..ef7ad62ca --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/c.tf 
@@ -0,0 +1,23 @@ +# Describe your resource type here + +#license_config_subscription + +resource "google_discovery_engine_license_config" "c" { + project = "735927692082" + location = "eu" + license_config_id = "c" + license_count = 50 + subscription_tier = "SUBSCRIPTION_TIER_ENTERPRISE" + + start_date { + year = 2099 + month = 1 + day = 1 + } + end_date { + year = 2100 + month = 1 + day = 1 + } + subscription_term = "SUBSCRIPTION_TERM_ONE_YEAR" +} \ No newline at end of file diff --git a/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/config.tf b/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/nc.tf b/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/nc.tf new file mode 100644 index 000000000..f35a61d51 --- /dev/null +++ b/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/nc.tf @@ -0,0 +1,23 @@ +# Describe your resource type here + +#license_config_subscription + +resource "google_discovery_engine_license_config" "nc" { + project = "735927692082" + location = "eu" + license_config_id = "nc" + license_count = 50 + subscription_tier = "SUBSCRIPTION_TIER_SEARCH_AND_ASSISTANT" + + start_date { + year = 2099 + month = 1 + day = 1 + } + end_date { + year = 2100 + month = 1 + day = 1 + } + subscription_term = "SUBSCRIPTION_TERM_ONE_YEAR" +} \ No newline at end of file 
diff --git a/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/plan.json b/inputs/gcp/discovery_engine/license_config/license_config_subscription_tier/plan.json new file mode 100644 index 0000000000000000000000000000000000000000..8942e6f92a9dce5d3b175b61d1c02b93edef2173 GIT binary patch literal 20968 zcmeHP-%leq5T55s{U6Xiw-o4IuXk_P>q+II*V92CT7;q$0;CN|6re3a{OfJM&(4rt z$Gfq;8-5fkBE}ngc0Bfs=bKsYzyI9G=kl3s%s+*k$V6sxE`7O_p8P2T)GlO*t79qT z4cZm5Et|4~@(ZW$rD;7wU!~GSVH-63bfz)_jWIq0IW}DMapelNi#ZQft{2?Tz~{tp zeva}OeMabI`S$lI_a*%a`po30bgzTTD7C#?HdA+77Z~3$J~MM49aSNxhW}H;bq~J} z!O;<}*?G8zEC!IuDXvpCJ+vDdUdL$1I@^vR{UO?HqUO$#%ZFPpF!Pj~%8Yf+L?84x z7xDBik%o*Rzjyu?k4gr=A^&dAWnX$GmgR5`1hqYJFW8OFbfl6q9uj7|JL zk+0+o99`g>^GMB`;#yfo@nhtQIm7)pbAJ8Xax~Xn1#Z2-Xu~wn?djIJ?yn$?2{@ya zxQhRp>*v^L>nM^py+dKB(OMki9+bD$`Y`QPDsCC4)oyRC7lxfq3#WJ<_HZX! zNxM(RTNjmP;kE2n(3i_O^_Q5B>i(;JSCynafsLS+RQL4(G%(iQ=-mofF51Q4A@id< zE(>`jU&~8*jlKSrd}GQj`PSn-D4kVhVXP|GCjFDF>#O9o>h}WsQ&rcuFiWqKv{mnQ z-@1N*b^9CE#gWnU>D{`f?sMNgzthM)`B}b`J$WaeWLG}QKE8jF4_Hb2@*dZI#DA>6 zNBIlB-{M-jMl|s?G@PlWXyR+vaMr{3hdGxY4flJvlFl1-pPmr?-Al->Y8zuL{cWTj zq6Ty4C#oP9^lj;rs%myRn%zZ4fK>pZnvqyM8sAo0iX^U~FBM+BZDKHbUnG}r> zK9qs)t-djB(oNsm4wYOm37hD8|!l1|mG#P#}UenCDG3cM%tg;ZG0$=wHa+K3wXQ0Gx-vE%);*^2V+_q>x6P^e zskh6ebels_%eb!GNwaUzw0qaBndhd9={b>g>ta)m;r??UTxs>Wn1{)Ebb%&Z54BD& z%6o7Rk{HV$_?zGv2Yq@fPIKya(1k}I7sV^!wP=Q#nQ=Z<6-%M&`=wIpE}IfQJ7piM z=gC7^FYpAO)X4lACYkE2FK4%6d`n$f>zMg2CEm1a_-$U@EH!HcWxM_-&g#hBv+oljO6SoBR)M?hq*G6E3X*e|9-5dE&ab%ue$ML z`sj;ONIXsDK56dXhcpUW&JUF-g`nu_3967DI@0BgR>~RQ(Y=kvgjgr`$W_PE8 zy2Ib(ET5WF&vg^4H$ShcTETKzGg2h997ibYb`NpV0rJ^aV_hu{i^3_-jGX;#PNVQi z0X@5_Sz5pC(Y|$MeKf8~59_Gu^)z0zx0Y4E{AQkorUka~KAssWKVNTUyp48s5jmwC zS}r5&hvB07{8%Utdb*ABXfvB>z1`h2T;`$Y&_dNZEq!&?13Q>CE`A58ETa?PEd4iHM`A@>BBDN++OIMWTa5{c8xZ(laYdJJFE4l z9`DFV!M>m8xgdq`eC$&~4^0^3&>P9CM(AApvB)l4`*)5QvhH|0h)C_=Jw{*R)clV5 zet}bty!Hlv_WOnWiuTo5HPOfvpAll)eVp)Fyp7QR)U3^&@y=|yc#BzGYx`C?zBkUk Posa8!k@KX4?3n)pqIlLM literal 0 HcmV?d00001 
diff --git a/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego b/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego index 73ace6ef4..705030a54 100644 --- a/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego +++ b/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego @@ -16,6 +16,42 @@ conditions := [ "values": ["OAUTH_PASSWORD_GRANT"], "policy_type": "whitelist" } + ], + [ + { + "situation_description": "Is the static_ip_enabled set correctly", + "remedies": ["Ensure that it is set to the correct static_ip_enabled"] + }, + { + "condition": "static_ip_enabled is misconfigured", + "attribute_path": ["params", 0, "static_ip_enabled"], + "values": ["false"], + "policy_type": "whitelist" + } + ], + [ + { + "situation_description": "Is the client_id set correctly", + "remedies": ["Ensure that it is set to the correct client_id"] + }, + { + "condition": "client_id is misconfigured", + "attribute_path": ["params", 0, "client_id"], + "values": ["VALID-ID"], + "policy_type": "whitelist" + } + ], + [ + { + "situation_description": "Is the user_account set correctly", + "remedies": ["Ensure that it is set to the correct user_account"] + }, + { + "condition": "parms is misconfigured", + "attribute_path": ["params", 0, "user_account"], + "values": ["Validuser@google.com"], + "policy_type": "whitelist" + } ] ] diff --git a/policies/gcp/discovery_engine/license_config/license_config_auto_renew/policy.rego b/policies/gcp/discovery_engine/license_config/license_config_auto_renew/policy.rego new file mode 100644 index 000000000..7a9531bcb --- /dev/null +++ b/policies/gcp/discovery_engine/license_config/license_config_auto_renew/policy.rego 
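Review bot: The new static_ip_enabled condition whitelists the string `"false"`, while the user_account condition reuses the label `"condition": "parms is misconfigured"` from the auth_type block instead of naming its own attribute. If params is a map of strings in the plan (the c.tf hunk earlier in this series assigns `params = {`), the string form is right, but the auto_renew policy added in the next patch whitelists the boolean `[false]` for a top-level attribute, so a one-line comment on the type choice would stop the two from being "harmonised" later: `# params is a map of strings, so the value is compared as "false", not false`. Change the user_account label to `"condition": "user_account is misconfigured"`. The whitelist values `"VALID-ID"` and `"Validuser@google.com"` read as fixture placeholders; if they are, the remedy text should say what a real deployment is expected to set. The enclosing conditions array starts outside this hunk.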
@@ -0,0 +1,25 @@
+package terraform.gcp.security.discovery_engine.license_config.license_config_auto_renew
+import data.terraform.gcp.helpers
+import data.terraform.gcp.security.discovery_engine.license_config.vars
+
+#license_config_auto_renew
+
+conditions := [
+ [
+ {
+ "situation_description": "Is license_config_auto_renew configured correctly",
+ "remedies": ["Ensure that it is set to false"]
+ },
+ {
+ "condition": "license_config_auto_renew is mis-configured",
+ "attribute_path": ["auto_renew"],
+ "values": [false],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+details := helpers.get_multi_summary(conditions, vars.variables).details
\ No newline at end of file
diff --git a/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego b/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego
new file mode 100644
index 000000000..893c4ced2
--- /dev/null
+++ b/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego
@@ -0,0 +1,25 @@
+package terraform.gcp.security.discovery_engine.license_config.license_config_location
+import data.terraform.gcp.helpers
+import data.terraform.gcp.security.discovery_engine.license_config.vars
+
+#license_config_location
+
+conditions := [
+ [
+ {
+ "situation_description": "Is license_config_location configured correctly",
+ "remedies": ["Ensure that it is set to eu"]
+ },
+ {
+ "condition": "license_config_location is mis-configured",
+ "attribute_path": ["location"],
+ "values": ["eu"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+details := helpers.get_multi_summary(conditions, vars.variables).details
\ No newline at end of file
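Review bot: Nothing in either policy says why `auto_renew = false` (or `location = "eu"` in the second hunk) is the compliant value; the `#license_config_auto_renew` comment only repeats the package name and the situation_description asks a question instead of describing the finding, so a reader cannot tell whether this is a security control or an organisational preference. Replace the comment with a one-line rationale for the chosen value, e.g. `# auto_renew: compliant value is false — <reason renewals must be an explicit change>`. As a point of style, `helpers.get_multi_summary(conditions, vars.variables)` is written out twice; binding it once with `summary := helpers.get_multi_summary(conditions, vars.variables)` and then `message := summary.message` and `details := summary.details` reads better and avoids re-evaluation if the helper is a function rather than a cached rule. The same applies to the subscription_tier and engine_sitemap policies later in this series.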
diff --git a/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego b/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego
new file mode 100644
index 000000000..727c57da5
--- /dev/null
+++ b/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego
@@ -0,0 +1,25 @@
+package terraform.gcp.security.discovery_engine.license_config.license_config_subscription_tier
+import data.terraform.gcp.helpers
+import data.terraform.gcp.security.discovery_engine.license_config.vars
+
+#license_config_subscription_tier
+
+conditions := [
+ [
+ {
+ "situation_description": "Is license_config_subscription_tier configured correctly",
+ "remedies": ["Ensure that it is set to SUBSCRIPTION_TIER_ENTERPRISE"]
+ },
+ {
+ "condition": "search_engine_industry_vertical is mis-configured",
+ "attribute_path": ["subscription_tier"],
+ "values": ["SUBSCRIPTION_TIER_ENTERPRISE"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+details := helpers.get_multi_summary(conditions, vars.variables).details
\ No newline at end of file
diff --git a/policies/gcp/discovery_engine/license_config/vars.rego b/policies/gcp/discovery_engine/license_config/vars.rego
new file mode 100644
index 000000000..51bada1a1
--- /dev/null
+++ b/policies/gcp/discovery_engine/license_config/vars.rego
@@ -0,0 +1,9 @@
+package terraform.gcp.security.discovery_engine.license_config.vars
+
+#This is for the license_config
+
+variables := {
+ "friendly_resource_name": "license_config_id",
+ "resource_type": "google_discovery_engine_license_config",
+ "resource_value_name" : "license_config_id"
+}
From 4185354a98371c1f32c885bf8a08ef2eaea1accc Mon Sep 17 00:00:00 2001
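Review bot: The condition text `"search_engine_industry_vertical is mis-configured"` names a different attribute from the `subscription_tier` path it checks, so the finding text will mislead whoever reads the report; change it to `"condition": "license_config_subscription_tier is mis-configured",`. In vars.rego, `"friendly_resource_name": "license_config_id"` uses the identifier attribute as the friendly name, whereas the acl_config vars removed later in this series used the resource name (`acl_config`) there and the attribute (`id`) only for `resource_value_name`; if friendly_resource_name is what the summary prints, `license_config` fits that convention. The `#This is for the license_config` comment could instead state which resource type and attributes these vars cover.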
From: LegendaryMercury Date: Wed, 17 Dec 2025 17:23:59 +1100 Subject: [PATCH 10/20] Another one (policy) --- .../engine_control_filter_action/plan.json | Bin 31212 -> 61064 bytes .../.terraform.lock.hcl | 21 +++++++++++++++ .../engine_sitemap_location/c.tf | 9 +++++++ .../engine_sitemap_location/config.tf | 11 ++++++++ .../engine_sitemap_location/nc.tf | 9 +++++++ .../engine_sitemap_location/plan.json | Bin 0 -> 10176 bytes .../engine_sitemap_location/policy.rego | 25 ++++++++++++++++++ .../discovery_engine/engine_sitemap/vars.rego | 9 +++++++ 8 files changed, 84 insertions(+) create mode 100644 inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/c.tf create mode 100644 inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/config.tf create mode 100644 inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/nc.tf create mode 100644 inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/plan.json create mode 100644 policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/policy.rego create mode 100644 policies/gcp/discovery_engine/engine_sitemap/vars.rego 
diff --git a/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/plan.json b/inputs/gcp/discovery_engine/engine_control/engine_control_filter_action/plan.json index a00286c53b3cbb3375bc883ab17dd0f180f90247..0e326babe64039300a7b015f97e16a175bdb2b10 100644 GIT binary patch literal 61064 zcmeHQS#KP<5$1D%{0F07^0JbTjn`fSc@P|9BVb`0vi-0TjDc2?y^2R8L5CB=@Lx|- zA30?nO?Hz_cF!SVfZ_DaG>>9cvF`rgf4_=9i$95b%U2^lhzoHg&c%_q5i{{woYK{` zIHPYDq7l#Ne~ox3cEuxVe{k--k^jD;d%2gc9v)I3{(dgSocdVM>r|Y`Ssc+fw{&&A zoP#}UJ^L$~=Y^d4IkhKr&z$a3^Y-6k-i!V(=$ahit&;!mw%xtE|88h~C-l0K z>3hItCVyMdda>>~LG!q^EAGhdbwhg% zNHLUf4cH&iD1g4Z%kKT|bwjiHA})>o^463-KIVRIj6Vb>mlC3%3C@7b6+znV6+4H0 zxR%iWLa=XR|1SN0A?}MmXhzrcekS+pilB4f+UfK)0xSNY8DOvcH1@!uPIsT&>xOVF zj>_CS-RnmDPOH9KdjCu#2D&BSI<`Q55-NvJ6s$-7CRC?dhFqlvH6m@BjztV z%e}Hs4xVvei__^$?yI6nA8whaSzmwd?`b^Ty_>Ha!VjFDpiFQFoTr+*0_Obtj`4dQ zWO!_DZAfX_xS;*MmD~|~{&vZ!?}@+Bx&9a8OSeS3bAs_PT{ThX9*^j@-v-@1oHNV` z&c_n&Ca=MXieG-GU*^eY8Lz1!$l!$i7wseX4#V?__)$C-Ka(8uMEoS%2jZzmGU9&v zS{?@{GES4y+!J^Ro`4qXDBVA#C&+2c?`QPMmIdC3SK?RkjxcYZKE0$FycNHR*Wv|z zdPDDf;y^qX|H#;>YZ`Gu^H@-OPV`lJjaVC`3&@E#)W5=o1zq8k8OqmgsV61RK~m6i z?xB>oO~}j$dbpkuoc5NV%-HdHIVtBr&L{0?=9TlOm&_qnucza{(Z zOR{XI;s)f zU$yNWn=QRQDi#EohRBQ3xP@L3r^0ar?9GRt0sbs_t(0f`7l~Cb$V0MEcs3ljJ}vzs zp9sU+Ug2C%#&-DOuEi&U|0V6V8&6bbf{^3v1{jy1gs@tIEO}R&k%e z=c+8+2dmXsgl(Ie>7U=-3VArZzI>^8h`vx|;yju7Qd(@>nBzT)FMdt3gpM@cm)6+> zil2Q+HnluEZ9BWfwv@W|qw@JE=VZ@AymNUQMLUZ@t%`C3K! 
zYmb`BSDi^t!}Onrt2`37?ud}Ik>|z!4>QXF+qP;p$oT&({jjR%y9APGZiTP*0|6{boX)sD{fBvzTJ zenc7ryu4LsC=)5;^Dy~zhJLGg)f!kXGFxOeRIR~;i0^YlQ8U|+4IVyi{E|nCyy3zv zO=58G=4)4muUZ2`#@E(}92Y7o&#h_=E?h#_v06hHXYf}GuzPm(4wVOhcp|Qr1&)L| zM~IQs)~rKsC4z2VQ%W0w{;4x2V>}kQna)$!zG~|b{ay#Qd96!rD^R?~8)fV1#t)_i z;EApR#WpDw7pdbiQF$j`mPAGo>PMM1d(y02nAHavq0E-6xYg)Ym9Czpc&b|iYkV(- z8n;vq75B!q?(F&Z<2}Qd+y3|(_%&=ElCI<1mfo_Sgt4-m)9{ty$t~d8_8YMcx6fBJ z%toijHfyo)m~MQ*7*((A(~{>CYE$LDar7BJ3C7A)=Kjl8tr;r=ag`a#7<-JY$G&K# zG-_K-=CLbzhG@z>cV{G(E+~Tob-?~j?@HI)9A| z?TJX;X?;@RyhY{R)E?|wlS6w^5iy&?LB^rtu8e=%$JM3hF=oe8lqn0V3`;u`N70p@ zK^%_QlnNV{uh%pwVaO_yTs%6agp{Y)$UM% zDsKL>(8US9PSuU0$w2cSxReXK8Cx)%I~uzza02 z=5|At8Gf3`P^(3?eUz%Z-%WSg@(^38BA%kE?W3IMZcIyMwS83E2dXr+eU7^uVgK;W zyieb%aUa_l_c3iPDs5YUu0Cc}LyRlfnieO=!-X#H=(pR4 z@MjtyHcLcy4f+^Q*XljlzPYDsa&c>|{%k(m+wD5U@K4RJI8OcU>T;z$tW}#US9`u{ zbDB#*t6D{E`Krz3M}$w$)vGqADX0BueSEd!N${~T)m58o}{x{JSurf62Hh1PRIIRR$A zYFbSU?%8eKk*2Nq>bHNpbL8vy$r-TheM60$o9~&v47r$n4cX#(PTZD{|1Dp;)r|sS z=;Zn)V@?)3PBc!V(y-0VkmpVRps%l1`A1^n!@KcxAj>W^_} zOP*|BbyW3KPTQK$rI9f0gme)8om)GqY~8D2RUMW0&20TzDF4I%tNpFZVU?d|K^1@T z{0!8>hCNEv_EWg%*Jb$(H>)tWZ8-jWdA<#ectNj^^t1z1IgWpJVmp7(?kSGL!5?u; zW6#M(WLvmYjZXMMklA!awJmq4#k0HsA5~rXoW28`?#oI@*Ytiyd19!Va!KFW^XZ~v zdw&=5^b}vg zxgX{mZgy2)MRv?P2Xltq?aF#C3_{nTEaTO1k9PI6VVKp;rSf@)ihZ-|vBjSNPsESn zvG`d$5>LcWvV9<)(pBF16prLf#rTvA>EY*Tr~+;*91rEGVn1j1ovdv(6VJuo@{{?y z-uD#xOkE-3L{KsHlw|fJIzQD(%94=Uiw990B6j4ovt}$=9nwXgC(q?V+b^vTgGxKL zR-IHzbH5w%x`NzrDWIIhj+t=08|$WdyxNwjS1Ge&ZBt3@yrVg?-B`~NV$PJtOZhIh zT^G4s?XFMG9z$|3vA=Cdjw`#nHHEA6K1}ylm^Ov{UINS5B332%ob$Cx@GiG5i+=M_x3cT!#Z|7W*UZeVH1U>WHdNG%vIf9r#Lrr+ zQD7(E&coaPh*KJStZDKsZg z3~bP;xgfqCnZM+oX=7Qe%#)}}a|>x_3};zP<$s%!4#t(|)Y*}X{p;x=+;)ksOY(g0 z%?+@#f?Ug<$^%1YHS!)+qy~5}qLt6clZ={ohTjsBwUqUeNGWMEHOM14=CI9F-0Lfq;^MMy_N6J z#9!(4jDCA6{z?D0DIJu3Nv}D@_Z*Q_qbtck&OxmQ_y6#mU}XFg5|Elf=-;a53#z)P QxFbaE>F7_aR!L$12gO{#eEY}F5aqc*|3lzQF16#dO_LhvAxMJOK#>HAduWY7@ORwEvf+=kL6E=R_C1cr zBzMVO%GzB?E@8-$mb>I|IGlMi98&-O^VzJJLvw1*&57ADmu6%>nge{hFvqw$LFoow 
z56znS7VqESb!p4bakoB~e&!*ba!;O_F`k;>@4)QamUeLE3g0elJEY|tt)5ysPVl~u z(lN?Og_QE%Q(QeadpFN*+p-L+V>GN4B;jTgM2c$0*suHR59P`ybB6E2ui4s_8rj0hO^r&)nWgO`DBefe zIcN^=WB=Ko3)_oN=tF(H)=++G9+>xN;R64UZNJY!|AT;ILI*ka9<{R9v5{W49QugT z>R9et?vs)cO84;YWNO>Iv(Irf#&&#M`3U!suarFY@(@o`4p>j@exZ{k6Wo7%(~d}i z-;x_!zYXQB$cIQNWh3P5o>{f6yE>%ZP=Xxg{`J-C9#NJK@tJ**(W~=?a=woqU*a{g zo=E?e5ox_=elqvWeT@8-*#%XUg!^d!%k}7t!P7lU ziyJx4Dqi2k^)c>cpF}GE1eF{`Y4fr9&O9YpZq!b*1R&mn%~g(O?-NZnzqdE=Cyf&PjB)6sd;0bnP0AZbb)6l zsBwb#6Yx3RF5BZgrB=Gco$UPtpDESk%@wYRZsBZGUAK)Azts^a5I)E7mCdwva9FsFh_x>IsETss>N435T6Ah6>N@c(1sxF?5iRXtJm|xyKBj~oK~gtN)i)rrQZHj- zC0XuU0bYEC=bu^RxCNZ{66jHF39+f@L88PwTG+b7C!9C25emJOc0Jx~lP=NXs@2!@ z$y{yxrap#H5_$`xYkV&rH+f5+In7O$({ooJRJ}$bWqK21%lj4cv*qIp;O}M&XF2Jreay=>z0?CE_nPc^lLD z2f31(9_M{Xjqg=XD<|#zas2EW!N+FXn$;j8hkfJtSo_j)sE?`B8tDuyxVN zvqy`HPR>O#%dC?_tmem0hr`Kf8e-acId$`yMK@t|^eG~tuYq}7Omx#?+&73uz64Hl zXty3y@lk3OGd0KSPk{CqV{O71^+>q1=P*=TghP>p{5F1OzUBj6rQP`0k{d&wiyqB1lKDDeX_)&4n>n5c04J7C-K2uho z+erR%+^wA6xgaLl_7QA1Z6SoJV7SHj#Bjsi0*7%NlzUour(Mhp4XZKjIPZ(;>m?R9x2 zK4Nq+Tdu6r2JeC%$!L;X3m>a7*GV!qwBC~2qFGZR<}JA`nhjHOTQs94Kexrrvk}%0 zCWyo{2j?&RpLX7LlhvZxT+9e$o+9;xAD{KFFMbA0Rm(|CDa<7zpPg;w6aJVGbJXvr zp3T*V-HglP^SWE_OmZ7tUaIqa`d+69TV6CTtXO=>RQBUhPBxk&Uc65|1(mGZM!IIP z`t9B$wUD1xLLJ5R@^JOBp3_<~l$Ix})weRm^5kH>%b(8Q?wZ%#TK-rhW9=p< zpl|CRYdwYm=C=+uBm$T{V@A;wQFO^Ot6K1B^M{sw1#P+W%-St>7xTr%>A0UqcG?jC z`JQ)m%{k1|i}~=gOP=gc^QlP11*Xk%>(f@xJ|eSnZdz^(VNIRKv?%t}Q8awkU$Lmo zS>*KySqvprJ#v?Ao!Yh8?5&sFZSne>ca<)Co?x-5p=B>Nm1h~W?YEe(O-<(^4Ckk& zY4|^Tt9LEWsN{M2`q0l$=yNyJUCQ%px375_o^J0K_ZX)A(ze`Xx6&#(C^28vA9LT| zOzS*d)$#W^e!j_uy+Zc4Al4M^UuyX};W7ea*XO4;dwB_A5oJOy^np+2^-i4=y_&bbtAx?|dj0ktZ}2i^$Am-BqIdW@NQW zPy}}|g?rs8+4bn8{|qBGyvsigPp|o?rh13ud&mh|)l=BI%^DW#Urrt5p1$ckWq+JU z$kXI$4HBUXN1J1LVE(p}!Yp`3Gq~eVP#mR0YSIiO7dLffJV%0g^jtA@C!I-aTzM9} z+GOQ&>#CpdCw2QaF{F_4c!(F@X^&l|e<;;Cr%yJa$32|n7^8yx^*KI!JMN@8Kj$iz zKS8d>aJtU%E_oAchw-JgCVVASbfh$Y9P>|Xkv8KQS~>mM#u$gYU31Qe)Sl9} zYC5%*_mK+OiA!1P?%Z5zLa`@(uc(IBBWA-KEzM|Uo>oj~l#!d=jg= 
z*tOVPTpP@`#afS9IJLDy*f-jbSmtUDo=KgeD0VMgQ_0O#%hgtHwLqzNPBFerSeZ_ z)L2rOeOmuDjrC4foMJj+$hD?e`!O9Qc91?}(Nbxd>qASC^F>ePYxSb1WVd~{da5n* zL(R~4tRPK8Ok)j!s&=3adD5_d7GIuq&N;77Y%DEv`WJTcTC47`h}EePhL}YV|JB*v zE+dz*_K4Bv5gDF6c2mWAe!NCG>|fK!KrRaNpVgCF=8YYPk%l^Qy-fr=C2d2*uBXey zlhs`Iaacr}*0Mw5(liw@T|W#uE!v*iXSOxc`21t7L+N{w6^$wvjZb7<|1F2+XhHuP zUnHVWogd0Uf02wnwLYa-Mv5cCU)q%4QDKCS@iDF*9ph{#{<59RY#?Uj{aj7eU*Z%g zm^Kq3KARPJ*C}8tjLXEHQzRrabN)2eWp5bDL@sIf)BIax+J+q4G)nNX$~^hlL}B|p z@zH)?^P`Ev99f(Hym`@t-I`_9msJtfIu) z&3ZgHpPBLO?_YQFQeMd3{l~~i7E;Je`f@Ej`6feLtz?3`b1`y`=ZqZ5z8qtG70tc2 zPZyZ0RGKIpfkri*rA$F%j?YjoEf;;r$9=5J|3H?$4?u`cZpA7*HNjAj4l6T%XJU`Pr%Ut_naMWp^G83GRA%C zre`fftGJ-)P8K`cz%3sp#59$QqtQ_ru_BE`^;Ov zjZT)Z47EP7nkk^^m?|wtJFFmY0g3l9aOFQC?atUv@wI`pX}c_*8DAUdjOanms2$=7eU-XY1j)CFu41q^7LcARgs3#c z&dt?iN!3~W3pgEsvhsN*Z{$SY1F6pB)Q*Spt^)g%&Zd#OV`9CNICBmCxRvG>siv7W z)76Z{tVu-6$8~+OZv2_KvH|BrB1Q&EM0}zju6xkWB=k&O|7oD?96plkY0n>L+i9gk zTIN)FeyzJW1!>z@rKDenwKo>I!u(HXZ5j>YAERrBwVO2M{@*>;HbsVuO1utHJVt9{ zBfOtG_iTQ`Jd#O{gW9ZtCBsrNX&MOe8vn{%W6H7m#LAfkzKdA&(4~?U8T`61>rYaS*hu` z+ZfkBTscNP)n+{UHt!)bpUYQ#7xEpyIUcQaL;vkrA1~`$R-Zf>$&1AX z`$Vg;wiLpOxGfb|LFfsFUnMHVrf8))O1F)_qgkKERgAOH$W}7^H%+gh&FiS%Nf<|! 
zdmXF)t&^=8NyyPdoG_*2lmC9?Oq23y)h=D^)P3Z}l-QYK=a4G%iCtDjUGxm~8zN~J zJwxq;SF8+q{?ZLAv`uRhg`4cnQ*&0EQV|$7kpDR~KS>3gM-Q-hB$@9W)Ps$9n z{(7b7_gGR-CfVy_e{71A+c1}N_5AL-8@>fp1|93HR-Jc|v#!HetsB*7JZ_tfttZp{H_?x^kYk zJ!TE5lIi&TQLJ4pvR;G!uQ=xPw+)U|*LCSg;<{qnaL^%Hbv~#laM7werSDw0I5 Date: Mon, 5 Jan 2026 14:02:11 +1100 Subject: [PATCH 11/20] Policy Done Done --- .../acl_config/acl_config_idp_type/c.tf | 13 --------- .../acl_config/acl_config_idp_type/nc.tf | 13 --------- .../engine_sitemap_uri/.terraform.lock.hcl | 21 +++++++++++++++ .../engine_sitemap/engine_sitemap_uri/c.tf | 10 +++++++ .../engine_sitemap_uri}/config.tf | 0 .../engine_sitemap/engine_sitemap_uri/nc.tf | 10 +++++++ .../engine_sitemap_uri/plan.json | Bin 0 -> 10800 bytes .../gcp/discovery_engine/acl_config/vars.rego | 9 ------- .../engine_sitemap_url/policy.rego | 25 ++++++++++++++++++ 9 files changed, 66 insertions(+), 35 deletions(-) delete mode 100644 inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/c.tf delete mode 100644 inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/nc.tf create mode 100644 inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/.terraform.lock.hcl create mode 100644 inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/c.tf rename inputs/gcp/discovery_engine/{acl_config/acl_config_idp_type => engine_sitemap/engine_sitemap_uri}/config.tf (100%) create mode 100644 inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/nc.tf create mode 100644 inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/plan.json delete mode 100644 policies/gcp/discovery_engine/acl_config/vars.rego create mode 100644 policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego diff --git a/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/c.tf b/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/c.tf deleted file mode 100644 index 3a669d294..000000000 --- a/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/c.tf +++ /dev/null 
@@ -1,13 +0,0 @@
-# Describe your resource type here
-# Keep "c" as the name to indicate that this resource and its attributes are compliant
-
-resource "google_discovery_engine_acl_config" "c" {
- location = "eu"
- id = "1"
- idp_config {
- idp_type = "THIRD_PARTY"
- external_idp_config {
- workforce_pool_name = "locations/global/workforcePools/cloud-console-pool-manual"
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/nc.tf b/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/nc.tf
deleted file mode 100644
index 4a035caf7..000000000
--- a/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/nc.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-# Describe your resource type here
-# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant
-
-resource "google_discovery_engine_acl_config" "nc" {
- location = "eu"
- id = "1"
- idp_config {
- idp_type = "THIRD_PARTY"
- external_idp_config {
- workforce_pool_name = "locations/global/workforcePools/cloud-console-pool-manual"
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/.terraform.lock.hcl b/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/.terraform.lock.hcl
new file mode 100644
index 000000000..fb70c16e3
--- /dev/null
+++ b/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.14.1" + hashes = [ + "h1:T3ZZsRvZxmFd9e945+QPH6Fpz2y3AM0qewPaceNyjEA=", + "zh:0006182db112098af8514fc38d9cd4e816da4145a2a0b9fb62cc9e281eb2b2a1", + "zh:60311d9770ca26c549af9a964ee6cb60ce7541b52fedfaf5f112b0931e6bcce1", + "zh:65b400c0718f6b7c5cd0fba1b2e3696d5f4f69868229627b11b0b2b94b613ade", + "zh:9ec00812dc750687610140f9a97c374492ef320eddcb669b154e1d2e8714f7f3", + "zh:adaf0486d68da121886992a3762cedffa86b611fa43294359b2a569044c462a7", + "zh:ba95c0d8279dd8e7b9294e521e461d4adaa7c171b00502be197b6c7ff4f07d65", + "zh:c216ca4b350a90c4e74e3f502ef3f35617cdd5c278e2b04ecba2bca980fb5e96", + "zh:dd7991a71477dee46c7c57f60775341524271c425ab04e66d8f2762f9b4763eb", + "zh:dd7b63b40e67b073d2acb32ee60099d884ce75bf1152a307422c47358054d170", + "zh:e5d601ca4ab813c51d897e4c2e80bf3e3565c0dd4f37f85bb91964e90ca92dfe", + "zh:f12d8f91ed783ffac9ed8d6c331e0cbe5189455fe352ba633b171b366f52e2cd", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/c.tf b/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/c.tf new file mode 100644 index 000000000..13951cbe4 --- /dev/null +++ b/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/c.tf @@ -0,0 +1,10 @@ +# Describe your resource type here + +#engine_sitemap + +resource "google_discovery_engine_sitemap" "c" { + project = "735927692082" + location = "eu" + data_store_id = "c" + uri = "https://www.valid.com/sitemap.xml" +} \ No newline at end of file 
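Review bot: The compliant fixture hard-codes `project = "735927692082"` (the non-compliant fixture in the next hunk does the same); if that is a real project number it does not need to live in a committed fixture, and if the plan can still be generated with a placeholder such as `project = "PLACEHOLDER-PROJECT"` the fixture stops pinning an internal identifier — otherwise a comment saying it is a throwaway test project would help the next reader. The `# Describe your resource type here` template prompt was left unfilled; replace it with what makes this fixture compliant, e.g. `# google_discovery_engine_sitemap: uri is the expected sitemap URL (compliant)`.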
diff --git a/inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/config.tf b/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/config.tf
similarity index 100%
rename from inputs/gcp/discovery_engine/acl_config/acl_config_idp_type/config.tf
rename to inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/config.tf
diff --git a/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/nc.tf b/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/nc.tf
new file mode 100644
index 000000000..dc2c16e42
--- /dev/null
+++ b/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/nc.tf
@@ -0,0 +1,10 @@
+# Describe your resource type here
+
+#engine_sitemap
+
+resource "google_discovery_engine_sitemap" "nc" {
+ project = "735927692082"
+ location = "eu"
+ data_store_id = "nc"
+ uri = "https://www.invaild.com/sitemap.xml"
+}
\ No newline at end of file
diff --git a/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/plan.json b/inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/plan.json new file mode 100644 index 0000000000000000000000000000000000000000..c220b5a95754c9578e68025e763829c781d8b08a GIT binary patch literal 10800 zcmeHN+iu%14CV8H{X?PWEonP+?fM;iS`h?UnzY{1Byh5=MbTg1c8(O*mVAkvOK&iY zR7_E zH_^!)mZ8=YtC|w8H}PO)=vRTCSD6_jmC7OuBLni5B>uSX-vhPS>+^^EuKh zuECGCDqmxV!Rid{6uukGHg1)LBg1zCoe@1K8MQ+^p|4VxiXhExqFfBt#tgG32OpJ2 zSh-C#nNf8X{{cydpsaG9$|pIIFF>kO`E1)mIV-_FrL(T(>PW125@(jskK;78NHu9_ zGv#J1W+jhOUxV@zUbX;Uck%qOPiJLe+JQ(hgB)G-NzgY#kXwA6fKq-}P(D@dLqoX@ zxDv-4@5G`Ty}0Oq4^eW&@_!i^J%#R@`sv$8>CLp#;xr?&W`3=!I0mOTu}Vh2MQYWB zwy{Xf_>Op(0E^!qTG#C@y;8*Y_kj@ajg2t!v3nmF%czU7a+WoeNAmTn=lLS_Z886; zBXLuRk=O5Y22sjOinNXAH!*o*wz3Bpt1+p@br&{Y9$Noo#LBGbKzfn!l9BHi;c{us zrtB07Wwg}t2 z$Mlg`Oywv3X2>A){HLi0<-NaeS4ftfGk4~>j(?IA$`rmE?2DR9Zc4$==QpL|XHWSY zS1H!*bvmzj+vM?p*>#vjIm8;D9M+71ew3cVU%Y+wxzl=2q`T``UG5;@Q`~ z@5art-Fek>i|y;!d1LGx&aK^h*PoN^Bm1ht!J>V#h^^g!L+$wQJV(r*Ubg#hR>@OM z`MYv2hzOYPu(CIX9QMshlb%?8$)3&MQ8Fj3$zQ;%q z%emPadCuHfb*k;#$KK6yuoit4eVzWcL7MU^V?5@x_^Y)AgPK|S&5@=V@oU21I;8HE z?j-*H5~6rkFW~Jb-bI@~#!<&|h}%P-d?+udAqH?{O+Jv&9FhTNS01B(X!D*ylh literal 0 HcmV?d00001 diff --git a/policies/gcp/discovery_engine/acl_config/vars.rego b/policies/gcp/discovery_engine/acl_config/vars.rego deleted file mode 100644 index 8d15b7b43..000000000 --- a/policies/gcp/discovery_engine/acl_config/vars.rego +++ /dev/null @@ -1,9 +0,0 @@ -package terraform.gcp.security.discovery_engine.acl_config.vars - -#acl_config - -variables := { - "friendly_resource_name": "acl_config", - "resource_type": "google_discovery_engine_acl_config", - "resource_value_name" : "id" -} diff --git a/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego b/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego new file mode 100644 index 000000000..46eadeba4 --- /dev/null 
+++ b/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego
@@ -0,0 +1,25 @@
+package terraform.gcp.security.discovery_engine.engine_sitemap.engine_sitemap_uri
+import data.terraform.gcp.helpers
+import data.terraform.gcp.security.discovery_engine.engine_sitemap.vars
+
+#engine_sitemap_uri
+
+conditions := [
+ [
+ {
+ "situation_description": "Is engine_sitemap_uri set to correct uri?",
+ "remedies": ["Ensure that it is set to valid"]
+ },
+ {
+ "condition": "engine_sitemap_uri is mis-configured",
+ "attribute_path": ["uri"],
+ "values": ["https://www.valid.com/sitemap.xml"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+
+details := helpers.get_multi_summary(conditions, vars.variables).details
\ No newline at end of file
From 9118856130eeeae6c02c44ef009b47c83d2b48ff Mon Sep 17 00:00:00 2001
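Review bot: The directory is `engine_sitemap_url/` while the package, the `#engine_sitemap_uri` comment and the input fixtures under `inputs/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/` all say `engine_sitemap_uri`; if policies are paired with their inputs by directory name, this policy will not be matched to its fixture, so the directory should be renamed to `engine_sitemap_uri`. Whitelisting the single literal `https://www.valid.com/sitemap.xml` makes every real sitemap non-compliant, and because the nc fixture also uses HTTPS and differs only in hostname, what is being tested is a hostname allowlist that a production deployment cannot use; if the intended control is HTTPS-only or an approved-domain pattern, a `pattern whitelist` (the series adds `policies/_helpers/policies/pattern_whitelist.rego`) expresses that. The remedy `Ensure that it is set to valid` should state the rule, e.g. `"remedies": ["Set uri to the approved sitemap URL for this data store"]`.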
From: LegendaryMercury Date: Mon, 5 Jan 2026 17:50:05 +1100 Subject: [PATCH 12/20] Reapply "Merge remote-tracking branch 'origin/dev' into discovery_engine" This reverts commit 2660c26054639973b0a08318775fc450258f1668. --- .github/ISSUE_TEMPLATE/config.yml | 5 + .github/ISSUE_TEMPLATE/task.yml | 86 +++ docs/gcp/API_Gateway/api_gateway_api.md | 17 + .../gcp/API_Gateway/api_gateway_api_config.md | 71 ++ .../API_Gateway/api_gateway_api_config_iam.md | 18 + docs/gcp/API_Gateway/api_gateway_api_iam.md | 17 + docs/gcp/API_Gateway/api_gateway_gateway.md | 18 + .../API_Gateway/api_gateway_gateway_iam.md | 18 + docs/gcp/API_Hub/apihub_api_hub_instance.md | 4 +- docs/gcp/API_Hub/apihub_curation.md | 5 +- .../apihub_host_project_registration.md | 3 +- docs/gcp/API_Hub/apihub_plugin.md | 12 +- docs/gcp/API_Hub/apihub_plugin_instance.md | 14 +- .../folder_access_approval_settings.md | 4 +- .../organization_access_approval_settings.md | 4 +- .../project_access_approval_settings.md | 4 +- .../integrations_auth_config.md | 17 +- .../integrations_client.md | 4 +- .../bigquery_datapolicy_data_policy.md | 4 +- .../bigquery_datapolicy_data_policy_iam.md | 3 +- .../Chronicle/chronicle_data_access_label.md | 3 +- .../Chronicle/chronicle_data_access_scope.md | 6 +- .../gcp/Chronicle/chronicle_reference_list.md | 4 +- docs/gcp/Chronicle/chronicle_retrohunt.md | 4 +- docs/gcp/Chronicle/chronicle_rule.md | 3 +- .../Chronicle/chronicle_rule_deployment.md | 3 +- docs/gcp/Chronicle/chronicle_watchlist.md | 5 +- .../Cloud_Deploy/clouddeploy_automation.md | 13 +- .../clouddeploy_custom_target_type.md | 8 +- .../clouddeploy_custom_target_type_iam.md | 3 +- .../clouddeploy_delivery_pipeline.md | 20 +- .../clouddeploy_delivery_pipeline_iam.md | 3 +- .../Cloud_Deploy/clouddeploy_deploy_policy.md | 15 +- docs/gcp/Cloud_Deploy/clouddeploy_target.md | 12 +- .../Cloud_Deploy/clouddeploy_target_iam.md | 3 +- .../deployment_manager_deployment.md | 7 +- .../Cloud_Platform/folder_service_identity.md | 3 +- 
.../google_billing_subaccount.md | 3 +- docs/gcp/Cloud_Platform/google_folder.md | 3 +- docs/gcp/Cloud_Platform/google_folder_iam.md | 5 +- .../google_folder_organization_policy.md | 6 +- .../Cloud_Platform/google_organization_iam.md | 5 +- .../google_organization_iam_custom_role.md | 3 +- .../google_organization_policy.md | 6 +- docs/gcp/Cloud_Platform/google_project.md | 3 +- ...google_project_default_service_accounts.md | 3 +- docs/gcp/Cloud_Platform/google_project_iam.md | 5 +- .../google_project_iam_custom_role.md | 3 +- .../google_project_iam_member_remove.md | 3 +- .../google_project_organization_policy.md | 6 +- .../Cloud_Platform/google_project_service.md | 3 +- .../Cloud_Platform/google_service_account.md | 3 +- .../google_service_account_iam.md | 4 +- .../google_service_account_key.md | 3 +- .../project_service_identity.md | 3 +- .../Cloud_Storage/storage_anywhere_cache.md | 3 +- docs/gcp/Cloud_Storage/storage_bucket.md | 16 +- .../storage_bucket_access_control.md | 3 +- docs/gcp/Cloud_Storage/storage_bucket_acl.md | 3 +- docs/gcp/Cloud_Storage/storage_bucket_iam.md | 3 +- .../Cloud_Storage/storage_bucket_object.md | 5 +- .../storage_default_object_access_control.md | 3 +- .../storage_default_object_acl.md | 3 +- docs/gcp/Cloud_Storage/storage_folder.md | 3 +- docs/gcp/Cloud_Storage/storage_hmac_key.md | 3 +- .../Cloud_Storage/storage_managed_folder.md | 3 +- .../storage_managed_folder_iam.md | 4 +- .../gcp/Cloud_Storage/storage_notification.md | 3 +- .../storage_object_access_control.md | 3 +- docs/gcp/Cloud_Storage/storage_object_acl.md | 3 +- .../google_storage_batch_operations_job.md | 11 +- .../storage_batch_operations_job.md | 80 +++ ...se_migration_service_connection_profile.md | 17 +- ...atabase_migration_service_migration_job.md | 7 +- ...se_migration_service_private_connection.md | 4 +- docs/gcp/Dataform/dataform_repository.md | 6 +- docs/gcp/Dataform/dataform_repository_iam.md | 3 +- .../dataform_repository_release_config.md | 4 +- 
.../dataform_repository_workflow_config.md | 5 +- .../discovery_engine_chat_engine.md | 6 +- .../discovery_engine_cmek_config.md | 4 +- .../discovery_engine_data_store.md | 11 +- .../discovery_engine_recommendation_engine.md | 9 +- .../discovery_engine_schema.md | 3 +- .../discovery_engine_search_engine.md | 5 +- .../discovery_engine_sitemap.md | 3 +- .../discovery_engine_target_site.md | 3 +- docs/gcp/Firebase/firebase_android_app.md | 3 +- docs/gcp/Firebase/firebase_apple_app.md | 3 +- docs/gcp/Firebase/firebase_project.md | 3 +- docs/gcp/Firebase/firebase_web_app.md | 3 +- .../firebase_app_hosting_backend.md | 4 +- .../firebase_app_hosting_build.md | 6 +- .../firebase_app_hosting_default_domain.md | 3 +- .../firebase_app_hosting_domain.md | 5 +- .../firebase_app_hosting_traffic.md | 6 +- .../firebase_data_connect_service.md | 3 +- .../Firestore/firestore_backup_schedule.md | 4 +- docs/gcp/Firestore/firestore_database.md | 4 +- docs/gcp/Firestore/firestore_document.md | 3 +- docs/gcp/Firestore/firestore_field.md | 6 +- docs/gcp/Firestore/firestore_index.md | 5 +- .../lustre_instance.md | 3 +- .../netapp_active_directory.md | 3 +- .../netapp_backup.md | 3 +- .../netapp_backup_policy.md | 3 +- .../netapp_backup_vault.md | 4 +- .../netapp_kmsconfig.md | 3 +- .../netapp_storage_pool.md | 3 +- .../netapp_volume.md | 14 +- .../netapp_volume_quota_rule.md | 3 +- .../netapp_volume_replication.md | 5 +- .../netapp_volume_snapshot.md | 3 +- .../edgecontainer_cluster.md | 22 +- .../edgecontainer_node_pool.md | 5 +- .../edgecontainer_vpn_connection.md | 4 +- .../iap_app_engine_service_iam.md | 4 +- .../iap_app_engine_version_iam.md | 4 +- docs/gcp/Identity-Aware_Proxy/iap_brand.md | 3 +- docs/gcp/Identity-Aware_Proxy/iap_client.md | 3 +- docs/gcp/Identity-Aware_Proxy/iap_settings.md | 16 +- .../iap_tunnel_dest_group.md | 3 +- .../iap_tunnel_dest_group_iam.md | 4 +- .../Identity-Aware_Proxy/iap_tunnel_iam.md | 4 +- .../iap_tunnel_instance_iam.md | 4 +- 
.../iap_web_backend_service_iam.md | 4 +- .../iap_web_cloud_run_service_iam.md | 4 +- docs/gcp/Identity-Aware_Proxy/iap_web_iam.md | 4 +- .../iap_web_region_backend_service_iam.md | 4 +- .../iap_web_type_app_engine_iam.md | 4 +- .../iap_web_type_compute_iam.md | 4 +- docs/gcp/Managed_Kafka/managed_kafka_acl.md | 4 +- .../Managed_Kafka/managed_kafka_cluster.md | 7 +- .../managed_kafka_connect_cluster.md | 7 +- .../Managed_Kafka/managed_kafka_connector.md | 4 +- docs/gcp/Managed_Kafka/managed_kafka_topic.md | 3 +- docs/gcp/Memcache/memcache_instance.md | 20 +- docs/gcp/Memorystore/memorystore_instance.md | 17 +- ...instance_desired_user_created_endpoints.md | 6 +- .../Model_Armor/model_armor_floorsetting.md | 14 +- docs/gcp/Model_Armor/model_armor_template.md | 13 +- .../os_config_v2_policy_orchestrator.md | 37 +- ...onfig_v2_policy_orchestrator_for_folder.md | 36 +- ...v2_policy_orchestrator_for_organization.md | 36 +- .../recaptcha_enterprise_key.md | 8 +- index.html | 23 +- policies/_helpers/README.md | 665 ++++++++++++++++++ policies/_helpers/helpers.rego | 249 +++++++ policies/_helpers/policies/blacklist.rego | 81 +++ .../_helpers/policies/element_blacklist.rego | 109 +++ .../_helpers/policies/pattern_blacklist.rego | 91 +++ .../_helpers/policies/pattern_whitelist.rego | 92 +++ policies/_helpers/policies/range.rego | 88 +++ policies/_helpers/policies/whitelist.rego | 72 ++ policies/_helpers/shared.rego | 165 +++++ policies/gcp/_helpers/helpers.rego | 590 +--------------- scripts/docgen/create_markdown.py | 5 +- tests/_helpers/README.md | 175 +++++ tests/_helpers/blacklist_test.rego | 315 +++++++++ tests/_helpers/check_ux.sh | 82 +++ tests/_helpers/element_blacklist_test.rego | 412 +++++++++++ .../fixtures/gcp_access_level/plan.json | 507 +++++++++++++ tests/_helpers/fixtures/gcp_project/plan.json | 606 ++++++++++++++++ .../fixtures/gcp_storage_bucket/plan.json | 368 ++++++++++ tests/_helpers/pattern_blacklist_test.rego | 430 +++++++++++ 
tests/_helpers/pattern_whitelist_test.rego | 428 +++++++++++ tests/_helpers/policy_debug.sh | 136 ++++ tests/_helpers/range_test.rego | 234 ++++++ tests/_helpers/shared_test.rego | 326 +++++++++ tests/_helpers/smoke_test_helpers.sh | 122 ++++ tests/_helpers/unit_test_helpers.sh | 103 +++ tests/_helpers/whitelist_test.rego | 345 +++++++++ 172 files changed, 7259 insertions(+), 735 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/task.yml create mode 100644 docs/gcp/API_Gateway/api_gateway_api.md create mode 100644 docs/gcp/API_Gateway/api_gateway_api_config.md create mode 100644 docs/gcp/API_Gateway/api_gateway_api_config_iam.md create mode 100644 docs/gcp/API_Gateway/api_gateway_api_iam.md create mode 100644 docs/gcp/API_Gateway/api_gateway_gateway.md create mode 100644 docs/gcp/API_Gateway/api_gateway_gateway_iam.md create mode 100644 docs/gcp/Cloud_Storage_Batch_Operations/storage_batch_operations_job.md create mode 100644 policies/_helpers/README.md create mode 100644 policies/_helpers/helpers.rego create mode 100644 policies/_helpers/policies/blacklist.rego create mode 100644 policies/_helpers/policies/element_blacklist.rego create mode 100644 policies/_helpers/policies/pattern_blacklist.rego create mode 100644 policies/_helpers/policies/pattern_whitelist.rego create mode 100644 policies/_helpers/policies/range.rego create mode 100644 policies/_helpers/policies/whitelist.rego create mode 100644 policies/_helpers/shared.rego create mode 100644 tests/_helpers/README.md create mode 100644 tests/_helpers/blacklist_test.rego create mode 100755 tests/_helpers/check_ux.sh create mode 100644 tests/_helpers/element_blacklist_test.rego create mode 100644 tests/_helpers/fixtures/gcp_access_level/plan.json create mode 100644 tests/_helpers/fixtures/gcp_project/plan.json create mode 100644 tests/_helpers/fixtures/gcp_storage_bucket/plan.json create mode 100644 tests/_helpers/pattern_blacklist_test.rego create mode 
100644 tests/_helpers/pattern_whitelist_test.rego create mode 100755 tests/_helpers/policy_debug.sh create mode 100644 tests/_helpers/range_test.rego create mode 100644 tests/_helpers/shared_test.rego create mode 100755 tests/_helpers/smoke_test_helpers.sh create mode 100755 tests/_helpers/unit_test_helpers.sh create mode 100644 tests/_helpers/whitelist_test.rego diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 000000000..e74d18a43 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: false +contact_links: + - name: GitHub Community Support + url: https://github.com/orgs/community/discussions + about: Please ask and answer questions here. diff --git a/.github/ISSUE_TEMPLATE/task.yml b/.github/ISSUE_TEMPLATE/task.yml new file mode 100644 index 000000000..970080c24 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/task.yml 
@@ -0,0 +1,86 @@
+name: "PDE Task"
+description: "Create a new task for PDE (non-policy work: scripts, tooling, initiatives, improvements)"
+title: "[PDE] "
+labels:
+ - task
+ - feature
+ - help wanted
+body:
+ - type: input
+ id: assignee
+ attributes:
+ label: Assignee
+ description: "GitHub username of the person responsible"
+ placeholder: "@username"
+ validations:
+ required: true
+
+ - type: input
+ id: start_date
+ attributes:
+ label: Start Date
+ description: "Format: YYYY-MM-DD"
+ placeholder: "2025-01-01"
+ validations:
+ required: true
+
+ - type: input
+ id: end_date
+ attributes:
+ label: End Date (Target)
+ description: "Format: YYYY-MM-DD"
+ placeholder: "2025-01-15"
+ validations:
+ required: false
+
+ - type: textarea
+ id: description
+ attributes:
+ label: Description
+ description: "Explain the task, context, purpose, and impact"
+ placeholder: "What is this task about?"
+ validations:
+ required: true
+
+ - type: textarea
+ id: objectives
+ attributes:
+ label: Objectives / Expected Outcome
+ description: "Define what success looks like"
+ placeholder: "- Improve script reliability\n- Produce documentation\n- Resolve workflow errors"
+
+ - type: textarea
+ id: steps
+ attributes:
+ label: Steps / Action Items
+ description: "List the steps required to complete the task"
+ placeholder: |
+ 1.
+ 2.
+ 3.
+
+ - type: textarea
+ id: dependencies
+ attributes:
+ label: Dependencies
+ description: "Other tasks, PRs, or teams this depends on"
+ placeholder: "- PR #123\n- Waiting on external review"
+
+ - type: textarea
+ id: links
+ attributes:
+ label: Related Links
+ description: "PRs, docs, Slack threads, references"
+ placeholder: "- https://..."
+
+ - type: dropdown
+ id: status
+ attributes:
+ label: Status
+ options:
+ - Not started
+ - In progress
+ - Blocked
+ - Completed
+ validations:
+ required: true
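Review bot: The `labels` block applies `feature` and `help wanted` to every issue created from this form, so internal PDE tasks that carry an assignee and dependency list are advertised to outside contributors as open work, and every task is tagged as a feature whether or not it is one. Reducing the template to `labels:` / `  - task` and adding `feature` or `help wanted` per issue keeps those labels meaningful. The `assignee` input is free text and does not set the issue's assignee field; if the form is meant to assign, the top-level `assignees:` key is the supported (static) mechanism, otherwise the field's `description` should say the value is informational only.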
diff --git a/docs/gcp/API_Gateway/api_gateway_api.md b/docs/gcp/API_Gateway/api_gateway_api.md
new file mode 100644
index 000000000..6c097cb47
--- /dev/null
+++ b/docs/gcp/API_Gateway/api_gateway_api.md
@@ -0,0 +1,17 @@
+## 🛡️ Policy Deployment Engine: `api_gateway_api`
+
+This section provides a concise policy evaluation for the `api_gateway_api` resource in GCP.
+
+Reference: [Terraform Registry – api_gateway_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `api_id` | Identifier to assign to the API. Must be unique within scope of the parent resource(project) | true | false | None | None | None |
+| `display_name` | A user-visible name for the API. | false | false | None | None | None |
+| `managed_service` | Immutable. The name of a Google Managed Service ( https://cloud.google.com/service-infrastructure/docs/glossary#managed). If not specified, a new Service will automatically be created in the same project as this API. | false | false | None | None | None |
+| `labels` | Resource labels to represent user-provided metadata. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/API_Gateway/api_gateway_api_config.md b/docs/gcp/API_Gateway/api_gateway_api_config.md
new file mode 100644
index 000000000..62f4f562e
--- /dev/null
+++ b/docs/gcp/API_Gateway/api_gateway_api_config.md
@@ -0,0 +1,71 @@ +## 🛡️ Policy Deployment Engine: `api_gateway_api_config` + +This section provides a concise policy evaluation for the `api_gateway_api_config` resource in GCP. + +Reference: [Terraform Registry – api_gateway_api_config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api_config) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `api` | The API to attach the config to. | true | false | None | None | None | +| `display_name` | A user-visible name for the API. | false | false | None | None | None | +| `labels` | Resource labels to represent user-provided metadata. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None | +| `gateway_config` | Immutable. Gateway specific configuration. If not specified, backend authentication will be set to use OIDC authentication using the default compute service account Structure is [documented below](#nested_gateway_config). | false | false | None | None | None | +| `openapi_documents` | OpenAPI specification documents. If specified, grpcServices and managedServiceConfigs must not be included. Structure is [documented below](#nested_openapi_documents). | false | false | None | None | None | +| `grpc_services` | gRPC service definition files. If specified, openapiDocuments must not be included. Structure is [documented below](#nested_grpc_services). | false | false | None | None | None | +| `managed_service_configs` | Optional. Service Configuration files. At least one must be included when using gRPC service definitions. 
See https://cloud.google.com/endpoints/docs/grpc/grpc-service-config#service_configuration_overview for the expected file contents. If multiple files are specified, the files are merged with the following rules: * All singular scalar fields are merged using "last one wins" semantics in the order of the files uploaded. * Repeated fields are concatenated. * Singular embedded messages are merged using these rules for nested fields. Structure is [documented below](#nested_managed_service_configs). | false | false | None | None | None | +| `api_config_id` | Identifier to assign to the API Config. Must be unique within scope of the parent resource(api). | false | false | None | None | None | +| `project` | If it is not provided, the provider project is used. | false | false | None | None | None | +| `api_config_id_prefix` | specified prefix. If this and api_config_id are unspecified, a random value is chosen for the name. | false | false | None | None | None | +| `backend_config` | | false | false | None | None | None | +| `document` | | false | false | None | None | None | +| `file_descriptor_set` | | false | false | None | None | None | +| `source` | | false | false | None | None | None | + +### gateway_config Block +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `backend_config` | Backend settings that are applied to all backends of the Gateway. Structure is [documented below](#nested_gateway_config_backend_config). | true | false | None | None | None | + +### openapi_documents Block +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `document` | The OpenAPI Specification document file. Structure is [documented below](#nested_openapi_documents_openapi_documents_document). 
| true | false | None | None | None | + +### grpc_services Block +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `file_descriptor_set` | Input only. File descriptor set, generated by protoc. To generate, use protoc with imports and source info included. For an example test.proto file, the following command would put the value in a new file named out.pb. $ protoc --include_imports --include_source_info test.proto -o out.pb Structure is [documented below](#nested_grpc_services_grpc_services_file_descriptor_set). | true | false | None | None | None | +| `source` | Uncompiled proto files associated with the descriptor set, used for display purposes (server-side compilation is not supported). These should match the inputs to 'protoc' command used to generate fileDescriptorSet. Structure is [documented below](#nested_grpc_services_grpc_services_source). | false | false | None | None | None | + +### managed_service_configs Block +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `path` | The file path (full or relative path). This is typically the path of the file when it is uploaded. | true | false | None | None | None | +| `contents` | Base64 encoded content of the file. | true | false | None | None | None | + +### backend_config Block +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `google_service_account` | Google Cloud IAM service account used to sign OIDC tokens for backends that have authentication configured (https://cloud.google.com/service-infrastructure/docs/service-management/reference/rest/v1/services.configs#backend). 
| true | false | None | None | None | + +### document Block +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `path` | The file path (full or relative path). This is typically the path of the file when it is uploaded. | true | false | None | None | None | +| `contents` | Base64 encoded content of the file. | true | false | None | None | None | + +### file_descriptor_set Block +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `path` | The file path (full or relative path). This is typically the path of the file when it is uploaded. | true | false | None | None | None | +| `contents` | Base64 encoded content of the file. | true | false | None | None | None | + +### source Block +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `path` | The file path (full or relative path). This is typically the path of the file when it is uploaded. | true | false | None | None | None | +| `contents` | Base64 encoded content of the file. | true | false | None | None | None | diff --git a/docs/gcp/API_Gateway/api_gateway_api_config_iam.md b/docs/gcp/API_Gateway/api_gateway_api_config_iam.md new file mode 100644 index 000000000..3e6c4f672 --- /dev/null +++ b/docs/gcp/API_Gateway/api_gateway_api_config_iam.md 
@@ -0,0 +1,18 @@ +## 🛡️ Policy Deployment Engine: `api_gateway_api_config_iam` + +This section provides a concise policy evaluation for the `api_gateway_api_config_iam` resource in GCP. + +Reference: [Terraform Registry – api_gateway_api_config_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api_config_iam) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `api` | Used to find the parent resource to bind the IAM policy to | false | false | None | None | None | +| `api_config` | | false | false | None | None | None | +| `project` | If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. | false | false | None | None | None | +| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. 
For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | false | None | None | None | +| `role` | `google_api_gateway_api_config_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | false | None | None | None | +| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None | diff --git a/docs/gcp/API_Gateway/api_gateway_api_iam.md b/docs/gcp/API_Gateway/api_gateway_api_iam.md new file mode 100644 index 000000000..ff825df6f --- /dev/null +++ b/docs/gcp/API_Gateway/api_gateway_api_iam.md 
@@ -0,0 +1,17 @@ +## 🛡️ Policy Deployment Engine: `api_gateway_api_iam` + +This section provides a concise policy evaluation for the `api_gateway_api_iam` resource in GCP. + +Reference: [Terraform Registry – api_gateway_api_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_api_iam) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `api` | | false | false | None | None | None | +| `project` | If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. | false | false | None | None | None | +| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. 
For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | false | None | None | None | +| `role` | `google_api_gateway_api_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | false | None | None | None | +| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None | diff --git a/docs/gcp/API_Gateway/api_gateway_gateway.md b/docs/gcp/API_Gateway/api_gateway_gateway.md new file mode 100644 index 000000000..0fff855ae --- /dev/null +++ b/docs/gcp/API_Gateway/api_gateway_gateway.md 
@@ -0,0 +1,18 @@
+## 🛡️ Policy Deployment Engine: `api_gateway_gateway`
+
+This section provides a concise policy evaluation for the `api_gateway_gateway` resource in GCP.
+
+Reference: [Terraform Registry – api_gateway_gateway](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_gateway)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `api_config` | Resource name of the API Config for this Gateway. Format: projects/{project}/locations/global/apis/{api}/configs/{apiConfig}. When changing api configs please ensure the new config is a new resource and the [lifecycle](https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle) rule `create_before_destroy` is set. | true | false | None | None | None |
+| `gateway_id` | Identifier to assign to the Gateway. Must be unique within scope of the parent resource(project). | true | false | None | None | None |
+| `display_name` | A user-visible name for the API. | false | false | None | None | None |
+| `labels` | Resource labels to represent user-provided metadata. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | None | None | None |
+| `region` | The region of the gateway for the API. | false | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/API_Gateway/api_gateway_gateway_iam.md b/docs/gcp/API_Gateway/api_gateway_gateway_iam.md
new file mode 100644
index 000000000..7a6e0c851
--- /dev/null
+++ b/docs/gcp/API_Gateway/api_gateway_gateway_iam.md
@@ -0,0 +1,18 @@ +## 🛡️ Policy Deployment Engine: `api_gateway_gateway_iam` + +This section provides a concise policy evaluation for the `api_gateway_gateway_iam` resource in GCP. + +Reference: [Terraform Registry – api_gateway_gateway_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/api_gateway_gateway_iam) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `region` | Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration. | false | false | None | None | None | +| `gateway` | | false | false | None | None | None | +| `project` | If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. | false | false | None | None | None | +| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. 
* **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | false | None | None | None | +| `role` | `google_api_gateway_gateway_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | false | None | None | None | +| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None | diff --git a/docs/gcp/API_Hub/apihub_api_hub_instance.md b/docs/gcp/API_Hub/apihub_api_hub_instance.md index c3c4366f5..624bf7f87 100644 --- a/docs/gcp/API_Hub/apihub_api_hub_instance.md +++ b/docs/gcp/API_Hub/apihub_api_hub_instance.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – apihub_api_hub_instance](https://registry.ter --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `config` | Available configurations to provision an ApiHub Instance. Structure is [documented below](#nested_config). | true | false | Config block is required but security impact depends on its nested arguments. | None | None | 
@@ -17,6 +18,7 @@ Reference: [Terraform Registry – apihub_api_hub_instance](https://registry.ter | `project` | If it is not provided, the provider project is used. | true | false | Required for terraform files to operate correctly | ['PDE'] | ['anything else'] | ### config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `encryption_type` | Optional. Encryption type for the region. If the encryption type is CMEK, the cmek_key_name must be provided. If no encryption type is provided, GMEK will be used. Possible values: ENCRYPTION_TYPE_UNSPECIFIED GMEK CMEK | false | true | Encryption type directly impacts data confidentiality. CMEK should be enforced to ensure org-controlled keys are used. | ['CMEK'] | ['GMEK', 'ENCRYPTION_TYPE_UNSPECIFIED'] | diff --git a/docs/gcp/API_Hub/apihub_curation.md b/docs/gcp/API_Hub/apihub_curation.md index d0274ec73..d5be98fa6 100644 --- a/docs/gcp/API_Hub/apihub_curation.md +++ b/docs/gcp/API_Hub/apihub_curation.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – apihub_curation](https://registry.terraform.i --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The display name of the curation. | true | false | None | None | None | 
@@ -18,11 +19,13 @@ Reference: [Terraform Registry – apihub_curation](https://registry.terraform.i | `application_integration_endpoint_details` | | true | false | Arguments inside may impact security | None | None | ### endpoint Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `application_integration_endpoint_details` | The details of the Application Integration endpoint to be triggered for curation. Structure is [documented below](#nested_endpoint_application_integration_endpoint_details). | true | false | Controls workflow routing for API metadata. | None | None | ### application_integration_endpoint_details Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `trigger_id` | The API trigger ID of the Application Integration workflow. | true | true | Trigger IDs must follow strict naming conventions to prevent routing to unauthorized workflows. | ['api_trigger/curation_API_PDE_1', 'api_trigger/curation_API_PDE_2', 'api_trigger/curation_API_PDE_3'] | ['RANDOM_9999', 'api_trigger/aaaa', ''] | diff --git a/docs/gcp/API_Hub/apihub_host_project_registration.md b/docs/gcp/API_Hub/apihub_host_project_registration.md index 872d48ab8..9b6210334 100644 --- a/docs/gcp/API_Hub/apihub_host_project_registration.md +++ b/docs/gcp/API_Hub/apihub_host_project_registration.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – apihub_host_project_registration](https://reg --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gcp_project` | Required. Immutable. Google cloud project name in the format: "projects/abc" or "projects/123". As input, project name with either project id or number are accepted. As output, this field will contain project number. | true | false | None | None | None | diff --git a/docs/gcp/API_Hub/apihub_plugin.md b/docs/gcp/API_Hub/apihub_plugin.md index faeedc022..5abef6490 100644 --- a/docs/gcp/API_Hub/apihub_plugin.md +++ b/docs/gcp/API_Hub/apihub_plugin.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The display name of the plugin. Max length is 50 characters (Unicode code points). | true | false | Display name. No security relevance. | None | None | @@ -26,6 +27,7 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ | `multi_select_options` | | false | false | Option metadata only. Not security relevant. | None | None | ### actions_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | The id of the action. | true | false | Identifier only. Not sensitive. | None | None | 
@@ -34,33 +36,39 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ | `trigger_mode` | The trigger mode supported by the action. Possible values: TRIGGER_MODE_UNSPECIFIED API_HUB_ON_DEMAND_TRIGGER API_HUB_SCHEDULE_TRIGGER NON_API_HUB_MANAGED | true | false | Configuration setting. Not a secret. | None | None | ### documentation Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `external_uri` | The uri of the externally hosted documentation. | false | false | Points to external docs. No secret values. | None | None | ### config_template Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `auth_config_template` | AuthConfigTemplate represents the authentication template for a plugin. Structure is [documented below](#nested_config_template_auth_config_template). | false | false | Container for auth config. Not directly sensitive. | None | None | | `additional_config_template` | The list of additional configuration variables for the plugin's configuration. Structure is [documented below](#nested_config_template_additional_config_template). | false | false | Additional metadata. Security depends on nested values. | None | None | ### hosting_service Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_uri` | The URI of the service implemented by the plugin developer, used to invoke the plugin's functionality. This information is only required for user defined plugins. | false | false | Public endpoint reference. Not secret. 
| None | None | ### auth_config_template Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `supported_auth_types` | The list of authentication types supported by the plugin. | true | false | Lists allowed auth mechanisms. Not a secret but security-relevant in configuration enforcement. | None | None | | `service_account` | Config for Google service account authentication. Structure is [documented below](#nested_config_template_auth_config_template_service_account). | false | false | Container for service account settings. Secret risk exists at child level. | None | None | ### service_account Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_account` | The service account to be used for authenticating request. The `iam.serviceAccounts.getAccessToken` permission should be granted on this service account to the impersonator service account. | true | true | Directly references a service account used for authentication. Exposure could compromise system access. | None | None | ### additional_config_template Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `required` | Flag represents that this `ConfigVariable` must be provided for a PluginInstance. | false | false | Boolean flag. Not sensitive. | None | None | 
@@ -72,6 +80,7 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ | `validation_regex` | Regular expression in RE2 syntax used for validating the `value` of a `ConfigVariable`. | false | false | Validation expression. Not sensitive. | None | None | ### enum_options Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Id of the option. | true | false | Identifier only. Not sensitive. | None | None | @@ -79,6 +88,7 @@ Reference: [Terraform Registry – apihub_plugin](https://registry.terraform.io/ | `description` | Description of the option. | false | false | Metadata only. Not sensitive. | None | None | ### multi_select_options Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Id of the option. | true | false | Identifier only. Not sensitive. | None | None | diff --git a/docs/gcp/API_Hub/apihub_plugin_instance.md b/docs/gcp/API_Hub/apihub_plugin_instance.md index b18d29c99..b56cf333b 100644 --- a/docs/gcp/API_Hub/apihub_plugin_instance.md +++ b/docs/gcp/API_Hub/apihub_plugin_instance.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The display name for this plugin instance. Max length is 255 characters. | true | false | Display name. No security relevance. | None | None | 
@@ -28,6 +29,7 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr
 | `client_secret` | | true | false | Parent | None | None |
 ### actions Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `hub_instance_action` | (Output) The execution status for the plugin instance. Structure is [documented below](#nested_actions_actions_hub_instance_action). | true | false | Arguments inside could be security relevant however. | None | None |
@@ -44,6 +46,7 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr
 | `end_time` | (Output) The last execution end time of the plugin instance. | false | false | None | None | None |
 ### auth_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `google_service_account_config` | Config for Google service account authentication. Structure is [documented below](#nested_auth_config_google_service_account_config). | false | false | Parameter, not security related. | None | None |
@@ -53,33 +56,39 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr
 | `auth_type` | Possible values: AUTH_TYPE_UNSPECIFIED NO_AUTH GOOGLE_SERVICE_ACCOUNT USER_PASSWORD API_KEY OAUTH2_CLIENT_CREDENTIALS | true | true | Controls authentication methods. | ['USER_PASSWORD', 'OAUTH2_CLIENT_CREDENTIALS'] | ['NO_AUTH', 'Anything else'] |
 ### curation_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `custom_curation` | Custom curation information for this plugin instance. Structure is [documented below](#nested_actions_actions_curation_config_custom_curation). | false | false | Configuration settings. Not security relevant. | None | None |
 | `curation_type` | Possible values: CURATION_TYPE_UNSPECIFIED DEFAULT_CURATION_FOR_API_METADATA CUSTOM_CURATION_FOR_API_METADATA | true | false | Configuration settings. Not security relevant. | None | None |
 ### custom_curation Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `curation` | The unique name of the curation resource. This will be the name of the curation resource in the format: `projects/{project}/locations/{location}/curations/{curation}` | true | false | Unique name. Not security relevant. | None | None |
 ### google_service_account_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `service_account` | The service account to be used for authenticating request. The `iam.serviceAccounts.getAccessToken` permission should be granted on this service account to the impersonator service account.
| true | true | Misconfigured or over-privileged service accounts are a major security risk. | None | None |
 ### user_password_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `username` | Username. | true | true | Potentially security relevant. Credentials-relevant. | None | None |
 | `password` | Secret provides a reference to entries in Secret Manager. Structure is [documented below](#nested_auth_config_user_password_config_password). | true | true | Potentially security relevant. Credentials-relevant and related to secrets manager. | None | None |
 ### password Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `secret_version` | The resource name of the secret version in the format, format as: `projects/*/secrets/*/versions/*`. | true | true | Potentiall security relevant, points to the location where secrets are stored. | None | None |
 ### api_key_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | The parameter name of the API key. E.g. If the API request is "https://example.com/act?api_key=", "api_key" would be the parameter name. | true | false | Name of API key. Not security relevant. | None | None |
@@ -87,17 +96,20 @@ Reference: [Terraform Registry – apihub_plugin_instance](https://registry.terr
 | `http_element_location` | The location of the API key. The default value is QUERY. Possible values: HTTP_ELEMENT_LOCATION_UNSPECIFIED QUERY HEADER PATH BODY COOKIE | true | false | Not a secret, just a config. | None | None |
 ### api_key Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `secret_version` | The resource name of the secret version in the format, format as: `projects/*/secrets/*/versions/*`. | true | true | Potentially security relevant, points to the location where secrets are stored. | None | None |
 ### oauth2_client_credentials_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `client_secret` | Secret provides a reference to entries in Secret Manager. Structure is [documented below](#nested_auth_config_oauth2_client_credentials_config_client_secret). | true | true | Potentially security relevant, points to the location where secrets are stored. | None | None |
 | `client_id` | The client identifier. | true | true | Could be used to pair with secrets in auth if compromised. Potentially security relevant. | None | None |
 ### client_secret Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `secret_version` | The resource name of the secret version in the format, format as: `projects/*/secrets/*/versions/*`. | true | true | Could be security relevant. Points to secrets. | None | None |
diff --git a/docs/gcp/Access_Approval/folder_access_approval_settings.md b/docs/gcp/Access_Approval/folder_access_approval_settings.md
index c41741146..e1bb46076 100644
--- a/docs/gcp/Access_Approval/folder_access_approval_settings.md
+++ b/docs/gcp/Access_Approval/folder_access_approval_settings.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – folder_access_approval_settings](https://regi
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `enrolled_services` | A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. Enrollment can only be done on an all or nothing basis. A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. Structure is [documented below](#nested_enrolled_services). | true | false | None | None | None |
@@ -15,6 +16,7 @@ Reference: [Terraform Registry – folder_access_approval_settings](https://regi
 | `active_key_version` | The asymmetric crypto key version to use for signing approval requests. Empty active_key_version indicates that a Google-managed key should be used for signing. This property will be ignored if set by an ancestor of the resource, and new non-empty values may not be set. | false | false | Active key version has no impact on the security of the resource. | None | None |
 ### enrolled_services Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cloud_product` | The product for which Access Approval will be enrolled. Allowed values are listed (case-sensitive): * all * App Engine * BigQuery * Cloud Bigtable * Cloud Key Management Service * Compute Engine * Cloud Dataflow * Cloud Identity and Access Management * Cloud Pub/Sub * Cloud Storage * Persistent Disk Note: These values are supported as input, but considered a legacy format: * all * appengine.googleapis.com * bigquery.googleapis.com * bigtable.googleapis.com * cloudkms.googleapis.com * compute.googleapis.com * dataflow.googleapis.com * iam.googleapis.com * pubsub.googleapis.com * storage.googleapis.com | true | false | Allow access to Google services | Set cloud_product to all | Other cloud product types are invalidated |
diff --git a/docs/gcp/Access_Approval/organization_access_approval_settings.md b/docs/gcp/Access_Approval/organization_access_approval_settings.md
index 5a33a8081..8d610af49 100644
--- a/docs/gcp/Access_Approval/organization_access_approval_settings.md
+++ b/docs/gcp/Access_Approval/organization_access_approval_settings.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – organization_access_approval_settings](https:
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `enrolled_services` | A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. Enrollment can be done for individual services. A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. Structure is [documented below](#nested_enrolled_services). | true | false | None | None | None |
@@ -15,6 +16,7 @@ Reference: [Terraform Registry – organization_access_approval_settings](https:
 | `active_key_version` | The asymmetric crypto key version to use for signing approval requests. Empty active_key_version indicates that a Google-managed key should be used for signing. | false | false | None | None | None |
 ### enrolled_services Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cloud_product` | The product for which Access Approval will be enrolled. Allowed values are listed (case-sensitive): all appengine.googleapis.com bigquery.googleapis.com bigtable.googleapis.com cloudkms.googleapis.com compute.googleapis.com dataflow.googleapis.com iam.googleapis.com pubsub.googleapis.com storage.googleapis.com | true | false | Allow access to Google services depending on the organization. | Set cloud_product to all | Other cloud product types are invalidated. |
diff --git a/docs/gcp/Access_Approval/project_access_approval_settings.md b/docs/gcp/Access_Approval/project_access_approval_settings.md
index 23e6a0b31..2100f902a 100644
--- a/docs/gcp/Access_Approval/project_access_approval_settings.md
+++ b/docs/gcp/Access_Approval/project_access_approval_settings.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – project_access_approval_settings](https://reg
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `enrolled_services` | A list of Google Cloud Services for which the given resource has Access Approval enrolled. Access requests for the resource given by name against any of these services contained here will be required to have explicit approval. Enrollment can only be done on an all or nothing basis. A maximum of 10 enrolled services will be enforced, to be expanded as the set of supported services is expanded. Structure is [documented below](#nested_enrolled_services). | true | false | None | None | None |
@@ -16,6 +17,7 @@ Reference: [Terraform Registry – project_access_approval_settings](https://reg
 | `project` | , Deprecated) Project id. ~> **Warning:** `project` is deprecated and will be removed in a future major release. Use `project_id` instead. | false | false | None | None | None |
 ### enrolled_services Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cloud_product` | The product for which Access Approval will be enrolled. Allowed values are listed (case-sensitive): all appengine.googleapis.com bigquery.googleapis.com bigtable.googleapis.com cloudkms.googleapis.com compute.googleapis.com dataflow.googleapis.com iam.googleapis.com pubsub.googleapis.com storage.googleapis.com | true | false | Allow access to Google services depending on the project. | Set cloud_product to all | Other cloud product types are invalidated. |
diff --git a/docs/gcp/Application_Integration/integrations_auth_config.md b/docs/gcp/Application_Integration/integrations_auth_config.md
index 472b8782f..02549a194 100644
--- a/docs/gcp/Application_Integration/integrations_auth_config.md
+++ b/docs/gcp/Application_Integration/integrations_auth_config.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `display_name` | The name of the auth config. | true | false | None | None | None |
@@ -32,6 +33,7 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `oidc_token` | | false | false | None | None | None |
 ### decrypted_credential Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `credential_type` | Credential type associated with auth configs. | true | true | Only approved credential types are allowed to ensure strong, secure, and supported authentication methods | oauth2_client_credentials | basic_auth |
@@ -44,6 +46,7 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `oidc_token` | Google OIDC ID Token. Structure is [documented below](#nested_decrypted_credential_oidc_token). | false | false | None | None | None |
 ### client_certificate Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `ssl_certificate` | The ssl certificate encoded in PEM format. This string must include the begin header and end footer lines. | true | false | None | None | None |
@@ -51,12 +54,14 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `passphrase` | 'passphrase' should be left unset if private key is not encrypted. Note that 'passphrase' is not the password for web server, but an extra layer of security to protected private key. | false | false | None | None | None |
 ### username_and_password Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `username` | Username to be used. | false | false | None | None | None |
 | `password` | Password to be used. | false | false | None | None | None |
 ### oauth2_authorization_code Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `client_id` | The client's id. | false | false | None | None | None |
@@ -66,6 +71,7 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `token_endpoint` | The token url endpoint to send the token request to. | false | false | None | None | None |
 ### oauth2_client_credentials Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `client_id` | The client's ID. | false | false | None | None | None |
@@ -76,32 +82,38 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `request_type` | Represent how to pass parameters to fetch access token Possible values are: `REQUEST_TYPE_UNSPECIFIED`, `REQUEST_BODY`, `QUERY_PARAMETERS`, `ENCODED_HEADER`. | false | true | Only secure request types should be used to transmit credentials. Types like 'ENCODED_HEADER' or 'REQUEST_BODY' ensures safer handling of credentials. | ENCODED_HEADER | QUERY_PARAMETERS |
 ### token_params Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `entries` | A list of parameter map entries. Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries). | false | false | None | None | None |
 ### entries Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `key` | Key of the map entry. Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries_entries_key). | false | false | None | None | None |
 | `value` | Value of the map entry. Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries_entries_value). | false | false | None | None | None |
 ### key Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `literal_value` | Passing a literal value Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries_entries_key_literal_value). 
| false | false | None | None | None |
 ### literal_value Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `string_value` | String. | false | false | None | None | None |
 ### value Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `literal_value` | Passing a literal value Structure is [documented below](#nested_decrypted_credential_oauth2_client_credentials_token_params_entries_entries_value_literal_value). | false | false | None | None | None |
 ### jwt Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `jwt_header` | Identifies which algorithm is used to generate the signature. | false | true | Using secure JWT headers ensures proper validation. The 'HS256' algorithm should be used to prevent weak or insecure cryptographic signing, and the type must be set to 'JWT' to maintain standardization and avoid parsing errors or misuse. | {"alg": "HS256", "typ": "JWT"} | {"alg": "RS256", "typ": "JWS"} |
@@ -110,18 +122,21 @@ Reference: [Terraform Registry – integrations_auth_config](https://registry.te
 | `jwt` | (Output) The token calculated by the header, payload and signature. | false | false | None | None | None |
 ### auth_token Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `type` | Authentication type must be set, e.g. "Basic", "Bearer", etc. | false | true | Using secure authentication token types ensures proper authorization standards are enforced. | Bearer | Basic |
 | `token` | The token for the auth type. | false | true | Providing a token value is critical for secure authentication. Empty tokens can result in unauthorized access, increasing the risk of security breaches. | secure-value-token | |
 ### service_account_credentials Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `service_account` | Name of the service account that has the permission to make the request. | false | false | None | None | None |
 | `scope` | A space-delimited list of requested scope permissions. | false | false | None | None | None |
 ### oidc_token Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `service_account_email` | The service account email to be used as the identity for the token. | false | false | None | None | None |
diff --git a/docs/gcp/Application_Integration/integrations_client.md b/docs/gcp/Application_Integration/integrations_client.md
index ee026d715..322a0de92 100644
--- a/docs/gcp/Application_Integration/integrations_client.md
+++ b/docs/gcp/Application_Integration/integrations_client.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – integrations_client](https://registry.terrafo
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | Location in which client needs to be provisioned. | true | true | Enforcing location restrictions to Australian regions helps maintain data compliance and reduces the risk of unauthorized data access. | australia-southeast1 | us-east1 |
@@ -16,6 +17,7 @@ Reference: [Terraform Registry – integrations_client](https://registry.terrafo
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
 ### cloud_kms_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `kms_location` | Location name of the key ring | true | true | Enforcing Cloud KMS keys to reside in Australian regions ensures data residency compliance and minimizes exposure risks. | australia-southeast1 | us-central1 |
diff --git a/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy.md b/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy.md
index 84d968182..233043e57 100644
--- a/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy.md
+++ b/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – bigquery_datapolicy_data_policy](https://regi
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `data_policy_id` | User-assigned (human readable) ID of the data policy that needs to be unique within a project. Used as {dataPolicyId} in part of the resource name. | false | false | Display policy id has no impact on the security of the resource. | None | None |
@@ -17,6 +18,7 @@ Reference: [Terraform Registry – bigquery_datapolicy_data_policy](https://regi
 | `project` | If it is not provided, the provider project is used. | false | false | Display policy id has no impact on the security of the resource. | None | None |
 ### data_masking_policy Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `predefined_expression` | The available masking rules. Learn more here: https://cloud.google.com/bigquery/docs/column-data-masking-intro#masking_options. Possible values are: `SHA256`, `ALWAYS_NULL`, `DEFAULT_MASKING_VALUE`, `LAST_FOUR_CHARACTERS`, `FIRST_FOUR_CHARACTERS`, `EMAIL_MASK`, `DATE_YEAR_MASK`. | true | false | Ensure predefined expression is setting to SHA256 because it will be | Set predefined_expression to SHA256 | Other predefined expressions are invalidated |
diff --git a/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy_iam.md b/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy_iam.md
index 02b6dbbd5..6c1d793f0 100644
--- a/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy_iam.md
+++ b/docs/gcp/BigQuery_Data_Policy/bigquery_datapolicy_data_policy_iam.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – bigquery_datapolicy_data_policy_iam](https://
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | true | false | Ensure the location must be configured to correct location | Set location to Australia. | Other locations are not valid. |
diff --git a/docs/gcp/Chronicle/chronicle_data_access_label.md b/docs/gcp/Chronicle/chronicle_data_access_label.md
index 3aecb1468..87e01a516 100644
--- a/docs/gcp/Chronicle/chronicle_data_access_label.md
+++ b/docs/gcp/Chronicle/chronicle_data_access_label.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – chronicle_data_access_label](https://registry
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `udm_query` | A UDM query over event data. | false | true | Improper UDM queries may include disallowed or malicious values, potentially leading to incorrect data access labeling or security misinterpretations. | principal.hostname="example.com" | principal.hostname="malicious.com" |
diff --git a/docs/gcp/Chronicle/chronicle_data_access_scope.md b/docs/gcp/Chronicle/chronicle_data_access_scope.md
index 28988e167..eb4275645 100644
--- a/docs/gcp/Chronicle/chronicle_data_access_scope.md
+++ b/docs/gcp/Chronicle/chronicle_data_access_scope.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – chronicle_data_access_scope](https://registry
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2". | true | true | Restricting to allowed locations ensures compliance with regional data residency, privacy regulations, and service availability. | australia-southeast1 | Any location not in the approved list, e.g., europe-west3, us-central1, asia-northeast1 |
@@ -20,6 +21,7 @@ Reference: [Terraform Registry – chronicle_data_access_scope](https://registry
 | `ingestion_label` | | false | false | None | None | None |
 ### allowed_data_access_labels Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `data_access_label` | The name of the data access label. | false | false | None | None | None |
@@ -29,6 +31,7 @@ Reference: [Terraform Registry – chronicle_data_access_scope](https://registry
 | `display_name` | (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. | false | false | None | None | None |
 ### denied_data_access_labels Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `display_name` | (Output) Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. | false | false | None | None | None |
@@ -38,6 +41,7 @@ Reference: [Terraform Registry – chronicle_data_access_scope](https://registry
 | `ingestion_label` | Representation of an ingestion label type. Structure is [documented below](#nested_denied_data_access_labels_denied_data_access_labels_ingestion_label). | false | false | None | None | None |
 ### ingestion_label Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `ingestion_label_key` | Required. The key of the ingestion label. Always required. | true | false | None | None | None |
diff --git a/docs/gcp/Chronicle/chronicle_reference_list.md b/docs/gcp/Chronicle/chronicle_reference_list.md
index 1fb98f66f..8a530db2c 100644
--- a/docs/gcp/Chronicle/chronicle_reference_list.md
+++ b/docs/gcp/Chronicle/chronicle_reference_list.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – chronicle_reference_list](https://registry.te
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `description` | Required. A user-provided description of the reference list. | true | false | None | None | None |
@@ -18,6 +19,7 @@ Reference: [Terraform Registry – chronicle_reference_list](https://registry.te
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
 ### entries Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `value` | Required. The value of the entry. Maximum length is 512 characters. | true | false | None | None | None |
diff --git a/docs/gcp/Chronicle/chronicle_retrohunt.md b/docs/gcp/Chronicle/chronicle_retrohunt.md
index d8be897c7..c36883a3d 100644
--- a/docs/gcp/Chronicle/chronicle_retrohunt.md
+++ b/docs/gcp/Chronicle/chronicle_retrohunt.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – chronicle_retrohunt](https://registry.terrafo
 ---
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `process_interval` | Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. Structure is [documented below](#nested_process_interval). | true | false | None | None | None |
@@ -17,6 +18,7 @@ Reference: [Terraform Registry – chronicle_retrohunt](https://registry.terrafo | `project` | If it is not provided, the provider project is used. | false | false | None | None | None | ### process_interval Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `start_time` | Inclusive start of the interval. | true | false | None | None | None | diff --git a/docs/gcp/Chronicle/chronicle_rule.md b/docs/gcp/Chronicle/chronicle_rule.md index 1153ec790..e9b4e48f5 100644 --- a/docs/gcp/Chronicle/chronicle_rule.md +++ b/docs/gcp/Chronicle/chronicle_rule.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – chronicle_rule](https://registry.terraform.io --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2". | true | true | Restricting Chronicle resources to approved regions ensures compliance with data residency and service availability requirements. | australia-southeast1 | Any location other than 'australia-southeast1', such as 'europe-west3', is considered non-compliant. | diff --git a/docs/gcp/Chronicle/chronicle_rule_deployment.md b/docs/gcp/Chronicle/chronicle_rule_deployment.md index fcabb9b02..87b42786c 100644 --- a/docs/gcp/Chronicle/chronicle_rule_deployment.md +++ b/docs/gcp/Chronicle/chronicle_rule_deployment.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – chronicle_rule_deployment](https://registry.t --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location of the resource. This is the geographical region where the Chronicle instance resides, such as "us" or "europe-west2". | true | true | Restricting Chronicle resources to approved regions ensures compliance with data residency and service availability requirements. | australia-southeast1 | Any location other than 'australia-southeast1', such as 'europe-west3', is considered non-compliant. | diff --git a/docs/gcp/Chronicle/chronicle_watchlist.md b/docs/gcp/Chronicle/chronicle_watchlist.md index 0ce0f5668..f4e3a0128 100644 --- a/docs/gcp/Chronicle/chronicle_watchlist.md +++ b/docs/gcp/Chronicle/chronicle_watchlist.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – chronicle_watchlist](https://registry.terrafo --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). | true | false | None | None | None | 
@@ -20,11 +21,13 @@ Reference: [Terraform Registry – chronicle_watchlist](https://registry.terrafo | `project` | If it is not provided, the provider project is used. | false | false | None | None | None | ### entity_population_mechanism Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `manual` | Entities are added manually. | false | true | Manual entry is error-prone and may miss timely threat intelligence, reducing the reliability of the watchlist. | None | Using only manual entity population without automation. | ### watchlist_user_preferences Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `pinned` | Optional. Whether the watchlist is pinned on the dashboard. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_automation.md b/docs/gcp/Cloud_Deploy/clouddeploy_automation.md index 343aa9c16..5610cf3ad 100644 --- a/docs/gcp/Cloud_Deploy/clouddeploy_automation.md +++ b/docs/gcp/Cloud_Deploy/clouddeploy_automation.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Name of the `Automation`. | true | false | Display name has no impact on the security of the resource or data contained. | None | None | 
@@ -30,11 +31,13 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr | `timed_promote_release_rule` | Optional. The `TimedPromoteReleaseRule` will automatically promote a release from the current target(s) to the specified target(s) on a configured schedule. | false | false | Defines a schedule for automatic promotions but cannot execute them without the permissions granted to the service_account. The security impact is contingent on that principal's rights. | None | None | ### selector Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `targets` | Contains attributes about a target. Structure is [documented below](#nested_selector_targets). | true | false | None | None | None | ### rules Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `promote_release_rule` | Optional. `PromoteReleaseRule` will automatically promote a release from the current target to a specified target. Structure is [documented below](#nested_rules_rules_promote_release_rule). | false | false | Defines the conditions for a promotion but cannot execute it without the permissions granted to the service_account. The security impact is contingent on that principal's rights. | None | None | 
@@ -43,12 +46,14 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr | `timed_promote_release_rule` | Optional. The `TimedPromoteReleaseRule` will automatically promote a release from the current target(s) to the specified target(s) on a configured schedule. Structure is [documented below](#nested_rules_rules_timed_promote_release_rule). | false | false | Defines a schedule for automatic promotions but cannot execute them without the permissions granted to the service_account. The security impact is contingent on that principal's rights. | None | None | ### targets Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | ID of the `Target`. The value of this field could be one of the following: * The last segment of a target name. It only needs the ID to determine which target is being referred to * "*", all targets in a location. | false | false | Specifies which target(s) to act upon. Using "*" broadens scope but does not grant new permissions; the service_account must already have access to all targets for any action to succeed. | None | None | | `labels` | Target labels. | false | false | Used to select targets based on metadata labels. This is a filtering operation and does not bypass IAM checks performed against the service_account when actions are executed on those targets. | None | None | ### promote_release_rule Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Required. ID of the rule. This id must be unique in the `Automation` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None | 
@@ -57,6 +62,7 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr | `destination_phase` | Optional. The starting phase of the rollout created by this operation. Default to the first phase. | false | false | None | None | None | ### advance_rollout_rule Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Required. ID of the rule. This id must be unique in the `Automation` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None | @@ -64,6 +70,7 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr | `source_phases` | Optional. Proceeds only after phase name matched any one in the list. This value must consist of lower-case letters, numbers, and hyphens, start with a letter and end with a letter or a number, and have a max length of 63 characters. In other words, it must match the following regex: `^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$`. | false | false | None | None | None | ### repair_rollout_rule Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Required. ID of the rule. This id must be unique in the `Automation` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None | 
@@ -72,12 +79,14 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr | `repair_phases` | Optional. Proceeds only after phase name matched any one in the list. This value must consist of lower-case letters, numbers, and hyphens, start with a letter and end with a letter or a number, and have a max length of 63 characters. In other words, it must match the following regex: `^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$`. Structure is [documented below](#nested_rules_rules_repair_rollout_rule_repair_phases). | false | false | None | None | None | ### repair_phases Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `retry` | Optional. Retries a failed job. Structure is [documented below](#nested_rules_rules_repair_rollout_rule_repair_phases_repair_phases_retry). | false | false | None | None | None | | `rollback` | Optional. Rolls back a Rollout. Structure is [documented below](#nested_rules_rules_repair_rollout_rule_repair_phases_repair_phases_rollback). | false | false | None | None | None | ### retry Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `attempts` | Required. Total number of retries. Retry is skipped if set to 0; The minimum value is 1, and the maximum value is 10. | true | false | None | None | None | 
@@ -85,12 +94,14 @@ Reference: [Terraform Registry – clouddeploy_automation](https://registry.terr | `backoff_mode` | Optional. The pattern of how wait time will be increased. Default is linear. Backoff mode will be ignored if wait is 0. Possible values are: `BACKOFF_MODE_UNSPECIFIED`, `BACKOFF_MODE_LINEAR`, `BACKOFF_MODE_EXPONENTIAL`. | false | false | None | None | None | ### rollback Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `destination_phase` | Optional. The starting phase ID for the Rollout. If unspecified, the Rollout will start in the stable phase. | false | false | None | None | None | | `disable_rollback_if_rollout_pending` | Optional. If pending rollout exists on the target, the rollback operation will be aborted. | false | false | None | None | None | ### timed_promote_release_rule Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Required. ID of the rule. This id must be unique in the `Automation` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None | diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type.md b/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type.md index 009ce655a..dd8bd509a 100644 --- a/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type.md +++ b/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Name of the `CustomTargetType`. | true | false | Simple string identifier with no security implications. Cannot be used to access resources or execute code. | None | None | @@ -22,6 +23,7 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis | `google_cloud_build_repo` | | false | false | None | None | None | ### custom_actions Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `render_action` | The Skaffold custom action responsible for render operations. If not provided then Cloud Deploy will perform the render operations via `skaffold render`. | false | true | Can execute arbitrary code during render phase. Should be restricted to approved render actions only. | render-action | unauthorized-render | 
@@ -29,6 +31,7 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis | `include_skaffold_modules` | List of Skaffold modules Cloud Deploy will include in the Skaffold Config as required before performing diagnose. Structure is [documented below](#nested_custom_actions_include_skaffold_modules). | false | true | Can include external Skaffold configurations that may contain malicious code or reference untrusted sources. | None | None | ### include_skaffold_modules Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `configs` | The Skaffold Config modules to use from the specified source. | false | false | Simple list of configuration names - no direct security impact as it doesn't specify sources. | None | None | @@ -37,6 +40,7 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis | `google_cloud_build_repo` | Cloud Build 2nd gen repository containing the Skaffold Config modules. Structure is [documented below](#nested_custom_actions_include_skaffold_modules_include_skaffold_modules_google_cloud_build_repo). | false | true | References external Cloud Build repositories which could contain malicious configurations or be compromised. | approved-cloud-build-repos | unauthorized-cloud-build-repos | ### git Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `repo` | Git repository the package should be cloned from. | true | false | None | None | None | 
@@ -44,12 +48,14 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type](https://regis | `ref` | Git ref the package should be cloned from. | false | false | None | None | None | ### google_cloud_storage Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | Cloud Storage source paths to copy recursively. For example, providing `gs://my-bucket/dir/configs/*` will result in Skaffold copying all files within the `dir/configs` directory in the bucket `my-bucket`. | true | false | None | None | None | | `path` | Relative path from the source to the Skaffold file. | false | false | None | None | None | ### google_cloud_build_repo Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `repository` | Cloud Build 2nd gen repository in the format of 'projects//locations//connections//repositories/'. | true | false | None | None | None | diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type_iam.md b/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type_iam.md index e561eb4d0..2eaae4dde 100644 --- a/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type_iam.md +++ b/docs/gcp/Cloud_Deploy/clouddeploy_custom_target_type_iam.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – clouddeploy_custom_target_type_iam](https://r --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | false | false | Geographic/regional identifier only. Used for resource location but has no direct access control implications. | None | None | diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline.md b/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline.md index 838c1204c..16454fafc 100644 --- a/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline.md +++ b/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location for the resource | true | false | Geographic/regional identifier only. Determines where the resource is stored but has no access control implications. | None | None | 
@@ -35,11 +36,13 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist | `standard` | | false | false | None | None | None | ### serial_pipeline Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `stages` | Each stage specifies configuration for a `Target`. The ordering of this list defines the promotion flow. | false | false | Defines deployment stage sequence - organizational configuration with no direct security impact. | None | None | ### stages Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `deploy_parameters` | Optional. The deploy parameters to use for the target in this stage. | false | true | Can pass arbitrary parameters to deployment processes. Could be used to inject malicious configuration or override security settings. | validated-parameters-only | arbitrary-parameters, security-override-parameters | 
@@ -48,18 +51,21 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist | `target_id` | The target_id to which this stage points. This field refers exclusively to the last segment of a target name. | false | false | References existing targets within the same location - doesn't create new access paths or execute code. | None | None | ### deploy_parameters Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `match_target_labels` | Optional. Deploy parameters are applied to targets with match labels. If unspecified, deploy parameters are applied to all targets (including child targets of a multi-target). | false | false | Label matching for parameter application - organizational feature with no direct security impact. | None | None | | `values` | Required. Values are deploy parameters in key-value pairs. | true | false | Arbitrary key-value pairs passed to deployment processes | None | None | ### strategy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `canary` | Canary deployment strategy provides progressive percentage based deployments to a Target. | false | false | Canary strategy configuration - affects rollout behavior but inherits security concerns from nested actions. | None | None | | `standard` | Standard deployment strategy executes a single deploy and allows verifying the deployment. | false | false | Standard strategy configuration - affects rollout behavior but inherits security concerns from nested actions. 
| None | None | ### canary Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `canary_deployment` | Configures the progressive based deployment for a Target. | false | false | None | None | None | @@ -67,6 +73,7 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist | `runtime_config` | Optional. Runtime specific configurations for the deployment strategy. The runtime configuration is used to determine how Cloud Deploy will split traffic to enable a progressive deployment. | false | false | None | None | None | ### canary_deployment Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `percentages` | Required. The percentage based deployments that will occur as a part of a `Rollout`. List is expected in ascending order and each integer n is 0 <= n < 100. | true | false | None | None | None | 
@@ -75,21 +82,25 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist | `verify` | Whether to run verify tests after each percentage deployment. | false | false | None | None | None | ### postdeploy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `actions` | Optional. A sequence of skaffold custom actions to invoke during execution of the postdeploy job. | false | false | None | None | None | ### predeploy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `actions` | Optional. A sequence of skaffold custom actions to invoke during execution of the predeploy job. | false | false | None | None | None | ### custom_canary_deployment Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `phase_configs` | Required. Configuration for each phase in the canary deployment in the order executed. | true | false | None | None | None | ### phase_configs Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `percentage` | Required. Percentage deployment for the phase. | true | false | None | None | None | 
@@ -100,12 +111,14 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist | `verify` | Whether to run verify tests after the deployment. | false | false | None | None | None | ### runtime_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cloud_run` | Cloud Run runtime configuration. | false | false | None | None | None | | `kubernetes` | Kubernetes runtime configuration. | false | false | None | None | None | ### cloud_run Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `automatic_traffic_control` | Whether Cloud Deploy should update the traffic stanza in a Cloud Run Service on the user's behalf to facilitate traffic splitting. This is required to be true for CanaryDeployments, but optional for CustomCanaryDeployments. | false | false | None | None | None | 
@@ -114,12 +127,14 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist | `stable_revision_tags` | Optional. A list of tags that are added to the final stable revision when the stable phase is applied. | false | false | None | None | None | ### kubernetes Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gateway_service_mesh` | Kubernetes Gateway API service mesh configuration. | false | false | None | None | None | | `service_networking` | Kubernetes Service networking configuration. | false | false | None | None | None | ### gateway_service_mesh Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `deployment` | Required. Name of the Kubernetes Deployment whose traffic is managed by the specified HTTPRoute and Service. | true | false | None | None | None | 
@@ -131,12 +146,14 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist | `stable_cutback_duration` | Optional. The amount of time to migrate traffic back from the canary Service to the original Service during the stable phase deployment. If specified, must be between 15s and 3600s. If unspecified, there is no cutback time. | false | false | None | None | None | ### route_destinations Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `destination_ids` | Required. The clusters where the Gateway API HTTPRoute resource will be deployed to. Valid entries include the associated entities IDs configured in the Target resource and "@self" to include the Target cluster. | true | false | None | None | None | | `propagate_service` | Optional. Whether to propagate the Kubernetes Service to the route destination clusters. The Service will always be deployed to the Target cluster even if the HTTPRoute is not. This option may be used to facilitiate successful DNS lookup in the route destination clusters. Can only be set to true if destinations are specified. | false | false | None | None | None | ### service_networking Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `deployment` | Required. Name of the Kubernetes Deployment whose traffic is managed by the specified Service. | true | false | None | None | None | 
@@ -145,6 +162,7 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline](https://regist | `service` | Required. Name of the Kubernetes Service. | true | false | None | None | None | ### standard Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `postdeploy` | Optional. Configuration for the postdeploy job. If this is not configured, postdeploy job will not be present. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline_iam.md b/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline_iam.md index ac35feaca..b724f3642 100644 --- a/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline_iam.md +++ b/docs/gcp/Cloud_Deploy/clouddeploy_delivery_pipeline_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – clouddeploy_delivery_pipeline_iam](https://re --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | false | false | Geographic/regional identifier only. Used for resource location but has no direct access control implications. | None | None | diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_deploy_policy.md b/docs/gcp/Cloud_Deploy/clouddeploy_deploy_policy.md index 409746374..c82bf4ee4 100644 --- a/docs/gcp/Cloud_Deploy/clouddeploy_deploy_policy.md +++ b/docs/gcp/Cloud_Deploy/clouddeploy_deploy_policy.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Name of the `DeployPolicy`. | true | false | Just a resource identifier. No security implications. | None | None | 
@@ -30,29 +31,34 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t | `weekly_windows` | | false | false | None | None | None | ### selectors Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `target` | Contains attributes about a target. Structure is [documented below](#nested_selectors_selectors_target). | false | false | None | None | None | | `delivery_pipeline` | Contains attributes about a delivery pipeline. Structure is [documented below](#nested_selectors_selectors_delivery_pipeline). | false | false | None | None | None | ### rules Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `rollout_restriction` | Optional. Rollout restrictions. Structure is [documented below](#nested_rules_rules_rollout_restriction). | false | false | None | None | None | ### target Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | ID of the `Target`. The value of this field could be one of the following: * The last segment of a target name. It only needs the ID to determine which target is being referred to * "*", all targets in a location. | false | false | None | None | None | | `labels` | Target labels. | false | false | None | None | None | ### delivery_pipeline Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Optional. ID of the DeliveryPipeline. 
The value of this field could be one of the following: - The last segment of a pipeline name - "*", all delivery pipelines in a location | false | false | None | None | None | | `labels` | DeliveryPipeline labels. | false | false | None | None | None | ### rollout_restriction Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Required. ID of the rule. This id must be unique in the `DeployPolicy` resource to which this rule belongs. The format is `a-z{0,62}`. | true | false | None | None | None | @@ -61,6 +67,7 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t | `time_windows` | Required. Time window within which actions are restricted. Structure is [documented below](#nested_rules_rules_rollout_restriction_time_windows). | false | false | None | None | None | ### time_windows Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `time_zone` | Required. The time zone in IANA format IANA Time Zone Database (e.g. America/New_York). | true | false | None | None | None | 
@@ -68,6 +75,7 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t | `weekly_windows` | Optional. Recurring weekly windows within which actions are restricted. Structure is [documented below](#nested_rules_rules_rollout_restriction_time_windows_weekly_windows). | false | false | None | None | None | ### one_time_windows Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `start_date` | Required. Start date. Structure is [documented below](#nested_rules_rules_rollout_restriction_time_windows_one_time_windows_one_time_windows_start_date). | true | false | None | None | None | @@ -76,6 +84,7 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t | `end_time` | Required. End time (exclusive). You may use 24:00 for the end of the day. Structure is [documented below](#nested_rules_rules_rollout_restriction_time_windows_one_time_windows_one_time_windows_end_time). | true | false | None | None | None | ### start_date Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `year` | Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. | false | false | None | None | None | 
@@ -83,6 +92,7 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t | `day` | Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. | false | false | None | None | None | ### end_date Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `year` | Year of the date. Must be from 1 to 9999. | false | false | None | None | None | @@ -90,6 +100,7 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t | `day` | Day of a month. Must be from 1 to 31 and valid for the year and month. | false | false | None | None | None | ### start_time Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `hours` | Hours of a day in 24 hour format. Must be greater than or equal to 0 and typically must be less than or equal to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. | false | false | None | None | None | 
@@ -98,6 +109,7 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t | `nanos` | Fractions of seconds, in nanoseconds. Must be greater than or equal to 0 and less than or equal to 999,999,999. | false | false | None | None | None | ### end_time Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `hours` | Hours of a day in 24 hour format. Must be greater than or equal to 0 and typically must be less than or equal to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. | false | false | None | None | None | @@ -106,6 +118,7 @@ Reference: [Terraform Registry – clouddeploy_deploy_policy](https://registry.t | `nanos` | Fractions of seconds, in nanoseconds. Must be greater than or equal to 0 and less than or equal to 999,999,999. | false | false | None | None | None | ### weekly_windows Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `days_of_week` | Optional. Days of week. If left empty, all days of the week will be included. Each value may be one of: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_target.md b/docs/gcp/Cloud_Deploy/clouddeploy_target.md index d5782b2f3..cd98163aa 100644 --- a/docs/gcp/Cloud_Deploy/clouddeploy_target.md +++ b/docs/gcp/Cloud_Deploy/clouddeploy_target.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location for the resource | true | false | A geographic identifier for resource placement. It does not affect the security of the target or its connectivity. | None | None | @@ -28,11 +29,13 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor | `gke_clusters` | | false | false | None | None | None | ### anthos_cluster Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `membership` | Membership of the GKE Hub-registered cluster to which to apply the Skaffold configuration. Format is `projects/{project}/locations/{location}/memberships/{membership_name}`. | false | false | None | None | None | ### associated_entities Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `anthos_clusters` | Optional. Information specifying Anthos clusters as associated entities. | false | false | None | None | None | 
@@ -40,11 +43,13 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor | `gke_clusters` | Optional. Information specifying GKE clusters as associated entities. | false | false | None | None | None | ### custom_target Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `custom_target_type` | Required. The name of the CustomTargetType. Format must be `projects/{project}/locations/{location}/customTargetTypes/{custom_target_type}`. | true | false | None | None | None | ### execution_configs Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `artifact_storage` | Optional. Cloud Storage location in which to store execution outputs. This can either be a bucket ("gs://my-bucket") or a path within a bucket ("gs://my-bucket/my-dir"). If unspecified, a default bucket located in the same region will be used. | false | false | None | None | None | @@ -55,6 +60,7 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor | `worker_pool` | Optional. The resource name of the `WorkerPool`, with the format `projects/{project}/locations/{location}/workerPools/{worker_pool}`. If this optional field is unspecified, the default Cloud Build pool will be used. | false | false | None | None | None | ### gke Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cluster` | Information specifying a GKE Cluster. Format is `projects/{project_id}/locations/{location_id}/clusters/{cluster_id}. | false | false | None | None | None | 
@@ -63,21 +69,25 @@ Reference: [Terraform Registry – clouddeploy_target](https://registry.terrafor | `proxy_url` | Optional. If set, used to configure a [proxy](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#proxy) to the Kubernetes server. | false | false | None | None | None | ### multi_target Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `target_ids` | Required. The target_ids of this multiTarget. | true | false | None | None | None | ### run Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | Required. The location where the Cloud Run Service should be located. Format is `projects/{project}/locations/{location}`. | true | true | The physical location of the Cloud Run service has implications for data sovereignty, compliance, and latency. Deploying to unapproved regions may violate organizational policy or regulatory requirements. | Must be set to an approved region - projects/my-project-name/locations/us-central1, us-east1, europe-west1, asia-southeast1 | Deploying to a region that is not on the approved list - projects/my-project-name/locations/us-west2 | ### anthos_clusters Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `membership` | Optional. Membership of the GKE Hub-registered cluster to which to apply the Skaffold configuration. Format is `projects/{project}/locations/{location}/memberships/{membership_name}`. 
| false | false | None | None | None | ### gke_clusters Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cluster` | Optional. Information specifying a GKE Cluster. Format is `projects/{project_id}/locations/{location_id}/clusters/{cluster_id}`. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Deploy/clouddeploy_target_iam.md b/docs/gcp/Cloud_Deploy/clouddeploy_target_iam.md index c654d57dc..ed1767615 100644 --- a/docs/gcp/Cloud_Deploy/clouddeploy_target_iam.md +++ b/docs/gcp/Cloud_Deploy/clouddeploy_target_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – clouddeploy_target_iam](https://registry.terr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | false | false | A geographic identifier used to locate the specific Target resource. It is part of the resource's address but does not confer any permissions or define access rules itself. | None | None | diff --git a/docs/gcp/Cloud_Deployment_Manager/deployment_manager_deployment.md b/docs/gcp/Cloud_Deployment_Manager/deployment_manager_deployment.md index 6a2918831..4ac5dfcd8 100644 --- a/docs/gcp/Cloud_Deployment_Manager/deployment_manager_deployment.md +++ b/docs/gcp/Cloud_Deployment_Manager/deployment_manager_deployment.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – deployment_manager_deployment](https://regist --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Unique name for the deployment | true | false | Identifier only; does not change security posture. | Name is set and follows org/project naming standard. | Missing name or violates naming standard. | 
@@ -21,23 +22,27 @@ Reference: [Terraform Registry – deployment_manager_deployment](https://regist | `imports` | | false | false | None | None | None | ### target Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `config` | The root configuration file to use for this deployment. Structure is [documented below](#nested_target_config). | true | false | None | None | None | | `imports` | Specifies import files for this configuration. This can be used to import templates or other files. For example, you might import a text file in order to use the file in a template. Structure is [documented below](#nested_target_imports). | false | false | None | None | None | ### labels Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `key` | Key for label. | false | false | None | None | None | | `value` | Value of label. | false | false | None | None | None | ### config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `content` | The full YAML contents of your configuration file. | true | false | None | None | None | ### imports Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `content` | The full contents of the template that you want to import. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Platform/folder_service_identity.md b/docs/gcp/Cloud_Platform/folder_service_identity.md index fdb9d1aad..561568b1b 100644 
--- a/docs/gcp/Cloud_Platform/folder_service_identity.md +++ b/docs/gcp/Cloud_Platform/folder_service_identity.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – folder_service_identity](https://registry.ter --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service` | The service to generate identity for. - - - | true | false | None | None | None | diff --git a/docs/gcp/Cloud_Platform/google_billing_subaccount.md b/docs/gcp/Cloud_Platform/google_billing_subaccount.md index 8580f9773..f025fb326 100644 --- a/docs/gcp/Cloud_Platform/google_billing_subaccount.md +++ b/docs/gcp/Cloud_Platform/google_billing_subaccount.md @@ -6,6 +6,7 @@ Reference: [Terraform Registry – google_billing_subaccount](https://registry.t --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| diff --git a/docs/gcp/Cloud_Platform/google_folder.md b/docs/gcp/Cloud_Platform/google_folder.md index 0c86fa297..d6ecc2a1e 100644 --- a/docs/gcp/Cloud_Platform/google_folder.md +++ b/docs/gcp/Cloud_Platform/google_folder.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_folder](https://registry.terraform.io/ --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | A folder’s display name must be unique amongst its siblings, e.g. no two folders with the same parent can share the same display name. The display name must start and end with a letter or digit, may contain letters, digits, spaces, hyphens and underscores and can be no longer than 30 characters. | true | false | Display name is a label for identification, no impact on security. | None | None | diff --git a/docs/gcp/Cloud_Platform/google_folder_iam.md b/docs/gcp/Cloud_Platform/google_folder_iam.md index dcd1514c8..99c280e51 100644 --- a/docs/gcp/Cloud_Platform/google_folder_iam.md +++ b/docs/gcp/Cloud_Platform/google_folder_iam.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_folder_iam](https://registry.terraform --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `member/members` | Each entry can have one of the following values: * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. | true | true | Improperly assigned members can cause unauthorised access or privilege escalation. | members = ["user:alice@example.com"] | members = ["domain:example.com"] # grants access to entire domain | 
@@ -18,12 +19,14 @@ Reference: [Terraform Registry – google_folder_iam](https://registry.terraform | `condition` | Structure is [documented below](#nested_condition). --- | false | true | To reduce risk by applying time- or context-based constraints to access. Misconfiguration can unintentionally allow or block access. | None | None | ### audit_log_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_type` | Permission type for which logging is to be configured. Must be one of DATA_READ, DATA_WRITE, or ADMIN_READ. | true | true | Ensures important access events are captured in logs. | log_type = "ADMIN_READ" | log_type = "" | | `exempted_members` | Identities that do not cause logging for this type of permission. The format is the same as that for members. | false | true | Members being excluded from records weakens control and creates blind spots. | exempted_members not set | exempted_members = ["user:admin@example.com"] | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | Textual representation of an expression in Common Expression Language syntax. | true | true | Defines when the role is valid. Incorrect expressions may lead to overly permissive or broken access control. | expression = "request.time < timestamp('2025-12-31T00:00:00Z')" | expression = "" | diff --git a/docs/gcp/Cloud_Platform/google_folder_organization_policy.md b/docs/gcp/Cloud_Platform/google_folder_organization_policy.md index 3b9271112..3533400bc 100644 --- a/docs/gcp/Cloud_Platform/google_folder_organization_policy.md +++ b/docs/gcp/Cloud_Platform/google_folder_organization_policy.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_folder_organization_policy](https://re --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `folder` | The resource name of the folder to set the policy for. Its format is folders/{folder_id}. | true | false | identifier only, no security impact | None | None | @@ -17,11 +18,13 @@ Reference: [Terraform Registry – google_folder_organization_policy](https://re | `restore_policy` | ~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'. - - - | false | true | Restoring defaults can weaken protections. | None | None | ### boolean_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enforced` | If true, then the Policy is enforced. If false, then any configuration is acceptable. | true | true | Enforcement ensures mandatory restrictions are applied. | enforced = true | enforced = false | ### list_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `suggested_value` | The Google Cloud Console will try to default to a configuration that matches the value specified in this field. | false | false | Console-only suggestion, it does not enforce or weaken security. | None | None | 
@@ -30,6 +33,7 @@ Reference: [Terraform Registry – google_folder_organization_policy](https://re | `values` | The policy can define specific values that are allowed or denied. | false | true | Improper values may allow risky APIs or services. | deny.values = ["cloudresourcemanager.googleapis.com"] | allow.values = ["cloudresourcemanager.googleapis.com"] | ### restore_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `default` | May only be set to true. If set, then the default Policy is restored. | true | false | Restoring default removes explicit protections. | default = false | default = true | diff --git a/docs/gcp/Cloud_Platform/google_organization_iam.md b/docs/gcp/Cloud_Platform/google_organization_iam.md index f46254f12..9ae537cd3 100644 --- a/docs/gcp/Cloud_Platform/google_organization_iam.md +++ b/docs/gcp/Cloud_Platform/google_organization_iam.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_organization_iam](https://registry.ter --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `member/members` | Each entry can have one of the following values: * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. | false | false | None | None | None | @@ -18,12 +19,14 @@ Reference: [Terraform Registry – google_organization_iam](https://registry.ter | `condition` | Structure is [documented below](#nested_condition). --- | false | false | None | None | None | ### audit_log_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_type` | | false | false | None | None | None | | `exempted_members` | | false | false | None | None | None | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Platform/google_organization_iam_custom_role.md b/docs/gcp/Cloud_Platform/google_organization_iam_custom_role.md index c6443222c..efa346626 100644 
--- a/docs/gcp/Cloud_Platform/google_organization_iam_custom_role.md +++ b/docs/gcp/Cloud_Platform/google_organization_iam_custom_role.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_organization_iam_custom_role](https:// --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `role_id` | The role id to use for this role. | true | false | Identifier only and does not grant permissions by itself | None | None | diff --git a/docs/gcp/Cloud_Platform/google_organization_policy.md b/docs/gcp/Cloud_Platform/google_organization_policy.md index 47b2c7495..6a127e27b 100644 --- a/docs/gcp/Cloud_Platform/google_organization_policy.md +++ b/docs/gcp/Cloud_Platform/google_organization_policy.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_organization_policy](https://registry. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `org_id` | | false | false | None | None | None | 
@@ -17,11 +18,13 @@ Reference: [Terraform Registry – google_organization_policy](https://registry. | `restore_policy` | ~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'. - - - | false | false | None | None | None | ### boolean_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enforced` | | false | false | None | None | None | ### list_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `suggested_value` | | false | false | None | None | None | @@ -30,6 +33,7 @@ Reference: [Terraform Registry – google_organization_policy](https://registry. | `values` | | false | false | None | None | None | ### restore_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `default` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Platform/google_project.md b/docs/gcp/Cloud_Platform/google_project.md index 87d8e6780..6bf123e3a 100644 --- a/docs/gcp/Cloud_Platform/google_project.md +++ b/docs/gcp/Cloud_Platform/google_project.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_project](https://registry.terraform.io --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The display name of the project. | true | false | Label only and does not affect security | None | None | diff --git a/docs/gcp/Cloud_Platform/google_project_default_service_accounts.md b/docs/gcp/Cloud_Platform/google_project_default_service_accounts.md index d12f23df1..91401035f 100644 --- a/docs/gcp/Cloud_Platform/google_project_default_service_accounts.md +++ b/docs/gcp/Cloud_Platform/google_project_default_service_accounts.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_project_default_service_accounts](http --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | The project ID where service accounts are created. | true | false | Identifier only and does not affect security directly | None | None | diff --git a/docs/gcp/Cloud_Platform/google_project_iam.md b/docs/gcp/Cloud_Platform/google_project_iam.md index 56ead9b36..6c798281b 100644 --- a/docs/gcp/Cloud_Platform/google_project_iam.md +++ b/docs/gcp/Cloud_Platform/google_project_iam.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_project_iam](https://registry.terrafor --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `member/members` | Each entry can have one of the following values: * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. | false | false | None | None | None | @@ -18,12 +19,14 @@ Reference: [Terraform Registry – google_project_iam](https://registry.terrafor | `condition` | Structure is [documented below](#nested_condition). --- | false | false | None | None | None | ### audit_log_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_type` | | false | false | None | None | None | | `exempted_members` | | false | false | None | None | None | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Platform/google_project_iam_custom_role.md b/docs/gcp/Cloud_Platform/google_project_iam_custom_role.md index 8defb5688..7db4a5e69 100644 
--- a/docs/gcp/Cloud_Platform/google_project_iam_custom_role.md +++ b/docs/gcp/Cloud_Platform/google_project_iam_custom_role.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_project_iam_custom_role](https://regis --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `role_id` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Platform/google_project_iam_member_remove.md b/docs/gcp/Cloud_Platform/google_project_iam_member_remove.md index bd6e3252a..6f20942d0 100644 --- a/docs/gcp/Cloud_Platform/google_project_iam_member_remove.md +++ b/docs/gcp/Cloud_Platform/google_project_iam_member_remove.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_project_iam_member_remove](https://reg --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Platform/google_project_organization_policy.md b/docs/gcp/Cloud_Platform/google_project_organization_policy.md index 1a9a40513..91c5f8164 100644 --- a/docs/gcp/Cloud_Platform/google_project_organization_policy.md +++ b/docs/gcp/Cloud_Platform/google_project_organization_policy.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_project_organization_policy](https://r --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | | false | false | None | None | None | 
@@ -17,11 +18,13 @@ Reference: [Terraform Registry – google_project_organization_policy](https://r | `restore_policy` | ~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will effectively be unset. This is represented in the UI as the constraint being 'Inherited'. - - - | false | false | None | None | None | ### boolean_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enforced` | | false | false | None | None | None | ### list_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `suggested_value` | | false | false | None | None | None | @@ -30,6 +33,7 @@ Reference: [Terraform Registry – google_project_organization_policy](https://r | `values` | | false | false | None | None | None | ### restore_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `default` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Platform/google_project_service.md b/docs/gcp/Cloud_Platform/google_project_service.md index b0c48b6f6..efef89e22 100644 --- a/docs/gcp/Cloud_Platform/google_project_service.md +++ b/docs/gcp/Cloud_Platform/google_project_service.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_project_service](https://registry.terr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service` | The service to enable. | true | true | Enabling some APIs, like IAM, is necessary for safely managing access and credentials. Security measures are weakened when essential APIs are missed. | service = "iam.googleapis.com" | service = "storage.googleapis.com" # IAM missing | diff --git a/docs/gcp/Cloud_Platform/google_service_account.md b/docs/gcp/Cloud_Platform/google_service_account.md index 9634bf2e5..16c3acf50 100644 --- a/docs/gcp/Cloud_Platform/google_service_account.md +++ b/docs/gcp/Cloud_Platform/google_service_account.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_service_account](https://registry.terr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `account_id` | account email address and a stable unique id. It is unique within a project, must be 6-30 characters long, and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])` to comply with RFC1035. Changing this forces a new service account to be created. | true | true | Risky names like admin, root, or owner give false sense of privilege and can confuse audits | account_id = "payments-batcher-prod" | account_id = "admin" | diff --git a/docs/gcp/Cloud_Platform/google_service_account_iam.md b/docs/gcp/Cloud_Platform/google_service_account_iam.md index ce3808730..fa30d85c5 100644 --- a/docs/gcp/Cloud_Platform/google_service_account_iam.md +++ b/docs/gcp/Cloud_Platform/google_service_account_iam.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_service_account_iam](https://registry. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_account_id` | | false | false | None | None | None | @@ -16,6 +17,7 @@ Reference: [Terraform Registry – google_service_account_iam](https://registry. | `condition` | Structure is [documented below](#nested_condition). | false | false | None | None | None | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Platform/google_service_account_key.md b/docs/gcp/Cloud_Platform/google_service_account_key.md index 31b6423dd..da110bfa3 100644 --- a/docs/gcp/Cloud_Platform/google_service_account_key.md +++ b/docs/gcp/Cloud_Platform/google_service_account_key.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_service_account_key](https://registry. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_account_id` | The service account ID for the key. Can be in the form {ACCOUNT} or projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}. | true | false | This only identifies which service account the key belongs to. It does not affect the security of the key itself. | None | None | diff --git a/docs/gcp/Cloud_Platform/project_service_identity.md b/docs/gcp/Cloud_Platform/project_service_identity.md index d2faaf1fe..85dea28f0 100644 --- a/docs/gcp/Cloud_Platform/project_service_identity.md 
+++ b/docs/gcp/Cloud_Platform/project_service_identity.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – project_service_identity](https://registry.te --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service` | The service to generate identity for. - - - | true | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_anywhere_cache.md b/docs/gcp/Cloud_Storage/storage_anywhere_cache.md index 73b7c8af1..fb5f587cc 100644 --- a/docs/gcp/Cloud_Storage/storage_anywhere_cache.md +++ b/docs/gcp/Cloud_Storage/storage_anywhere_cache.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_anywhere_cache](https://registry.terr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `zone` | The zone in which the cache instance needs to be created. For example, `us-central1-a.` | true | true | Zone location need to be set in Aus regions for data sovereignty purposes | australia-southeast1-b | us-west-2 | diff --git a/docs/gcp/Cloud_Storage/storage_bucket.md b/docs/gcp/Cloud_Storage/storage_bucket.md index 19418a28f..997b96e66 100644 --- a/docs/gcp/Cloud_Storage/storage_bucket.md +++ b/docs/gcp/Cloud_Storage/storage_bucket.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | | false | false | None | None | None | 
@@ -40,18 +41,21 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `vpc_network_sources` | | false | false | None | None | None | ### autoclass Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enabled` | | false | false | None | None | None | | `terminal_storage_class` | | false | false | None | None | None | ### lifecycle_rule Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `action` | | false | false | None | None | None | | `condition` | | false | false | None | None | None | ### versioning Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enabled` | The `website` block supports the following elements, and requires at least one to be defined: | false | false | None | None | None | @@ -59,6 +63,7 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `not_found_page` | resource is not found. | false | false | None | None | None | ### cors Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `origin` | | false | false | None | None | None | 
@@ -67,34 +72,40 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `max_age_seconds` | | false | false | None | None | None | ### retention_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `is_locked` | | false | true | Should not be used because locking is irreversible ation | false/null | true | | `retention_period` | | false | true | Rentention period should be within specified timeline for compliance | 604800/7 days | 2692000 / > 30 days | ### logging Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_bucket` | | false | false | None | None | None | | `log_object_prefix` | by default GCS sets this to this bucket's name. | false | false | None | None | None | ### custom_placement_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `data_locations` | | false | false | None | None | None | ### soft_delete_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `retention_duration_seconds` | | false | false | None | None | None | | `effective_time` | | false | false | None | None | None | ### hierarchical_namespace Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enabled` | | false | false | None | None | None | ### ip_filter Block + | Argument | Description | 
Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `mode` | | false | false | None | None | None | @@ -103,6 +114,7 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `vpc_network_sources` | | false | false | None | None | None | ### action Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `type` | | false | false | None | None | None | @@ -124,11 +136,13 @@ Reference: [Terraform Registry – storage_bucket](https://registry.terraform.io | `noncurrent_time_before` | | false | false | None | None | None | ### public_network_source Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allowed_ip_cidr_ranges` | | false | false | None | None | None | ### vpc_network_sources Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `network` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_bucket_access_control.md b/docs/gcp/Cloud_Storage/storage_bucket_access_control.md index f8d302996..04fcce2d9 100644 --- a/docs/gcp/Cloud_Storage/storage_bucket_access_control.md +++ b/docs/gcp/Cloud_Storage/storage_bucket_access_control.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_bucket_access_control](https://regist --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | The name of the bucket. | true | false | Naming bucket is not related to security | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_bucket_acl.md b/docs/gcp/Cloud_Storage/storage_bucket_acl.md index 6d095eb97..30bccf649 100644 --- a/docs/gcp/Cloud_Storage/storage_bucket_acl.md +++ b/docs/gcp/Cloud_Storage/storage_bucket_acl.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_bucket_acl](https://registry.terrafor --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | The name of the bucket. | true | false | Naming of bucket is not security related | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_bucket_iam.md b/docs/gcp/Cloud_Storage/storage_bucket_iam.md index e6a92660c..ae6500171 100644 --- a/docs/gcp/Cloud_Storage/storage_bucket_iam.md +++ b/docs/gcp/Cloud_Storage/storage_bucket_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_bucket_iam](https://registry.terrafor --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | The storage bucket in GCP | true | false | References to the existing bucket | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_bucket_object.md b/docs/gcp/Cloud_Storage/storage_bucket_object.md index ed64df365..13958fbbb 100644 
--- a/docs/gcp/Cloud_Storage/storage_bucket_object.md +++ b/docs/gcp/Cloud_Storage/storage_bucket_object.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_bucket_object](https://registry.terra --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | | false | false | None | None | None | @@ -31,12 +32,14 @@ Reference: [Terraform Registry – storage_bucket_object](https://registry.terra | `deletion_policy` | --- | false | false | None | None | None | ### customer_encryption Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `encryption_algorithm` | | false | false | None | None | None | | `encryption_key` | | false | false | None | None | None | ### retention Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `mode` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_default_object_access_control.md b/docs/gcp/Cloud_Storage/storage_default_object_access_control.md index 1ec8fbb61..a6384161c 100644 --- a/docs/gcp/Cloud_Storage/storage_default_object_access_control.md +++ b/docs/gcp/Cloud_Storage/storage_default_object_access_control.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_default_object_access_control](https: --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | The name of the bucket. | true | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_default_object_acl.md b/docs/gcp/Cloud_Storage/storage_default_object_acl.md index 01215600d..b61d4a9e4 100644 --- a/docs/gcp/Cloud_Storage/storage_default_object_acl.md +++ b/docs/gcp/Cloud_Storage/storage_default_object_acl.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_default_object_acl](https://registry. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | --- | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_folder.md b/docs/gcp/Cloud_Storage/storage_folder.md index 74a45b9b8..a0800ad16 100644 --- a/docs/gcp/Cloud_Storage/storage_folder.md +++ b/docs/gcp/Cloud_Storage/storage_folder.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_folder](https://registry.terraform.io --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | The name of the bucket that contains the folder. | true | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_hmac_key.md b/docs/gcp/Cloud_Storage/storage_hmac_key.md index 4434a9fb4..f0ed33d90 100644 --- a/docs/gcp/Cloud_Storage/storage_hmac_key.md +++ b/docs/gcp/Cloud_Storage/storage_hmac_key.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_hmac_key](https://registry.terraform. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `service_account_email` | The email address of the key's associated service account. | true | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_managed_folder.md b/docs/gcp/Cloud_Storage/storage_managed_folder.md index cea8c364a..e3b07b076 100644 --- a/docs/gcp/Cloud_Storage/storage_managed_folder.md +++ b/docs/gcp/Cloud_Storage/storage_managed_folder.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_managed_folder](https://registry.terr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | The name of the bucket that contains the managed folder. | true | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_managed_folder_iam.md b/docs/gcp/Cloud_Storage/storage_managed_folder_iam.md index 372f9ca36..e59b422a2 100644 --- a/docs/gcp/Cloud_Storage/storage_managed_folder_iam.md +++ b/docs/gcp/Cloud_Storage/storage_managed_folder_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_managed_folder_iam](https://registry. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | | false | false | None | None | None | 
@@ -17,6 +18,7 @@ Reference: [Terraform Registry – storage_managed_folder_iam](https://registry. | `condition` | Structure is documented below. --- | false | false | None | None | None | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_notification.md b/docs/gcp/Cloud_Storage/storage_notification.md index 6245e75e0..1aeac8b1c 100644 --- a/docs/gcp/Cloud_Storage/storage_notification.md +++ b/docs/gcp/Cloud_Storage/storage_notification.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_notification](https://registry.terraf --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_object_access_control.md b/docs/gcp/Cloud_Storage/storage_object_access_control.md index c2e05870e..4ce28bfc6 100644 --- a/docs/gcp/Cloud_Storage/storage_object_access_control.md +++ b/docs/gcp/Cloud_Storage/storage_object_access_control.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_object_access_control](https://regist --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | The name of the bucket. | true | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage/storage_object_acl.md b/docs/gcp/Cloud_Storage/storage_object_acl.md index f81441d29..75fa2d2e9 100644 --- a/docs/gcp/Cloud_Storage/storage_object_acl.md 
+++ b/docs/gcp/Cloud_Storage/storage_object_acl.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – storage_object_acl](https://registry.terrafor --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | | false | false | None | None | None | diff --git a/docs/gcp/Cloud_Storage_Batch_Operations/google_storage_batch_operations_job.md b/docs/gcp/Cloud_Storage_Batch_Operations/google_storage_batch_operations_job.md index 6eb9855c8..ff453b757 100644 --- a/docs/gcp/Cloud_Storage_Batch_Operations/google_storage_batch_operations_job.md +++ b/docs/gcp/Cloud_Storage_Batch_Operations/google_storage_batch_operations_job.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – google_storage_batch_operations_job](https:// --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `job_id` | The ID of the job. | false | false | Job ID is an identifier and does not affect security; only identifies the operation. | None | None | 
@@ -18,11 +19,13 @@ Reference: [Terraform Registry – google_storage_batch_operations_job](https:// | `put_metadata` | Allows batch operations to update metadata for objects in bucket. | false | false | Metadata updates are generally safe operations that don't affect data integrity or security. | None | None | ### bucket_list Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `buckets` | List of buckets and their objects to be transformed. | true | false | Bucket configuration is required for batch operations but doesn't directly impact security. | None | None | ### buckets Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | Bucket name for the objects to be transformed. | true | false | Bucket name is required for batch operations but doesn't directly impact security. | None | None | 
@@ -30,32 +33,38 @@ Reference: [Terraform Registry – google_storage_batch_operations_job](https:// | `manifest` | Contains the manifest source file that is a CSV file in a Google Cloud Storage bucket. | false | true | Manifest files provide explicit object lists, ensuring operations only affect intended objects. | manifest = [{ manifest_location = 'gs://bucket/manifest.csv' }] | manifest = [] or manifest_location = '' | ### prefix_list Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_object_prefixes` | List of object name prefixes to include in the batch operation. | true | true | Prefixes ensure operations are scoped to specific objects, preventing accidental mass operations. | included_object_prefixes = ['secure-data/', 'backup/'] | included_object_prefixes = [] or included_object_prefixes = [''] | ### manifest Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `manifest_location` | Specifies objects in a manifest file stored in Cloud Storage. | true | true | Valid manifest location ensures operations target only explicitly listed objects. | manifest_location = 'gs://secure-bucket/manifest.csv' | manifest_location = '' or manifest_location = null | ### delete_object Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `permanent_object_deletion_enabled` | Enable flag to permanently delete object and all object versions if versioning is enabled on bucket. | true | true | Permanent deletion removes recovery options and poses a major security risk for data loss. 
| permanent_object_deletion_enabled = false | permanent_object_deletion_enabled = true | ### rewrite_object Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kms_key` | Valid KMS key for encryption during rewrite operations. | true | true | CMEK ensures encryption is customer-managed rather than default Google-managed keys. | kms_key = 'projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key' | kms_key = null or kms_key = '' | ### put_object_hold Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `event_based_hold` | Set/unset to update event based hold for objects. | false | true | Unsetting event-based holds can allow premature deletion of objects that should be retained. | event_based_hold = 'SET' | event_based_hold = 'UNSET' | | `temporary_hold` | Set/unset to update temporary based hold for objects. | false | true | Unsetting temporary holds can allow premature deletion of objects that should be retained. | temporary_hold = 'SET' | temporary_hold = 'UNSET' | ### put_metadata Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `custom_time` | Updates the objects fixed custom time metadata. | false | false | Custom time metadata is informational and doesn't impact security. | None | None | diff --git a/docs/gcp/Cloud_Storage_Batch_Operations/storage_batch_operations_job.md b/docs/gcp/Cloud_Storage_Batch_Operations/storage_batch_operations_job.md new file mode 100644 index 000000000..8dcc424e1 --- /dev/null +++ b/docs/gcp/Cloud_Storage_Batch_Operations/storage_batch_operations_job.md 
@@ -0,0 +1,80 @@
+## 🛡️ Policy Deployment Engine: `storage_batch_operations_job`
+
+This section provides a concise policy evaluation for the `storage_batch_operations_job` resource in GCP.
+
+Reference: [Terraform Registry – storage_batch_operations_job](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_batch_operations_job)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `bucket_list` | List of buckets and their objects to be transformed. Currently, only one bucket configuration is supported. If multiple buckets are specified, an error will be returned Structure is [documented below](#nested_bucket_list). | false | false | None | None | None |
+| `delete_object` | allows batch operations to delete objects in bucket Structure is [documented below](#nested_delete_object). | false | false | None | None | None |
+| `put_metadata` | allows batch operations to update metadata for objects in bucket Structure is [documented below](#nested_put_metadata). | false | false | None | None | None |
+| `rewrite_object` | allows to update encryption key for objects in bucket. Structure is [documented below](#nested_rewrite_object). | false | false | None | None | None |
+| `put_object_hold` | allows to update temporary hold or eventBased hold for objects in bucket. Structure is [documented below](#nested_put_object_hold). | false | false | None | None | None |
+| `job_id` | The ID of the job. | false | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
+| `delete_protection` | | false | false | None | None | None |
+| `buckets` | | false | false | None | None | None |
+| `prefix_list` | | false | false | None | None | None |
+| `manifest` | | false | false | None | None | None |
+
+### bucket_list Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `buckets` | List of buckets and their objects to be transformed. Structure is [documented below](#nested_bucket_list_buckets). | true | false | None | None | None |
+
+### delete_object Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `permanent_object_deletion_enabled` | enable flag to permanently delete object and all object versions if versioning is enabled on bucket. | true | false | None | None | None |
+
+### put_metadata Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `custom_time` | Updates the objects fixed custom time metadata. | false | false | None | None | None |
+| `content_disposition` | Content-Disposition of the object data. | false | false | None | None | None |
+| `content_encoding` | Content Encoding of the object data. | false | false | None | None | None |
+| `content_type` | Content-Type of the object data. | false | false | None | None | None |
+| `content_language` | Content-Language of the object data. | false | false | None | None | None |
+| `cache_control` | Cache-Control directive to specify caching behavior of object data. If omitted and object is accessible to all anonymous users, the default will be public, max-age=3600 | false | false | None | None | None |
+| `custom_metadata` | User-provided metadata, in key/value pairs. | false | false | None | None | None |
+
+### rewrite_object Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `kms_key` | valid kms key | true | false | None | None | None |
+
+### put_object_hold Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `event_based_hold` | set/unset to update event based hold for objects. | false | false | None | None | None |
+| `temporary_hold` | set/unset to update temporary based hold for objects. | false | false | None | None | None |
+
+### buckets Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `bucket` | Bucket name for the objects to be transformed. | true | false | None | None | None |
+| `prefix_list` | Specifies objects matching a prefix set. Structure is [documented below](#nested_bucket_list_buckets_buckets_prefix_list). | false | false | None | None | None |
+| `manifest` | contain the manifest source file that is a CSV file in a Google Cloud Storage bucket. Structure is [documented below](#nested_bucket_list_buckets_buckets_manifest). | false | false | None | None | None |
+
+### prefix_list Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `included_object_prefixes` | | false | false | None | None | None |
+
+### manifest Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `manifest_location` | Specifies objects in a manifest file. | false | false | None | None | None |
diff --git a/docs/gcp/DatabaseMigrationService/database_migration_service_connection_profile.md b/docs/gcp/DatabaseMigrationService/database_migration_service_connection_profile.md
index 27107c153..4e5d15818 100644
--- a/docs/gcp/DatabaseMigrationService/database_migration_service_connection_profile.md
+++ b/docs/gcp/DatabaseMigrationService/database_migration_service_connection_profile.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `connection_profile_id` | The ID of the connection profile. | true | false | Connection Profile ID has no impact on the security of the resource or data contained | None | None |
@@ -30,6 +31,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `machine_config` | Configuration for the machines that host the underlying database engine. Structure is [documented below](#nested_alloydb_settings_primary_instance_settings_machine_config). | true | false | Not Security Related | None | None |
 
 ### mysql Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `host` | The IP or hostname of the source MySQL database. | false | false | host value itself does not impact security since networking and SSL enforcement are controlled by other parameters such as private_network and require_ssl. | None | None |
@@ -41,6 +43,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `cloud_sql_id` | If the source is a Cloud SQL database, use this field to provide the Cloud SQL instance ID of the source. | false | false | cloud_sql_id has no impact on the security of the resource or data contained | None | None |
 
 ### postgresql Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `host` | The IP or hostname of the source postgresql database. | false | false | host value itself does not impact security since networking and SSL enforcement are controlled by other parameters such as private_network and require_ssl. | None | None |
@@ -54,6 +57,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `network_architecture` | (Output) Output only. If the source is a Cloud SQL database, this field indicates the network architecture it's associated with. | false | false | This is the output | None | None |
 
 ### oracle Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `host` | Required. The IP or hostname of the source Oracle database. | true | false | host value itself does not impact security since networking and SSL enforcement are controlled by other parameters. | None | None |
@@ -68,6 +72,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `private_connectivity` | Configuration for using a private network to communicate with the source database Structure is [documented below](#nested_oracle_private_connectivity). | false | true | Private connectivity prevents external access over public networks. | Configured | Not configured |
 
 ### cloudsql Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cloud_sql_id` | (Output) Output only. The Cloud SQL instance ID that this connection profile is associated with. | false | false | This is the output | None | None |
@@ -76,12 +81,14 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `public_ip` | (Output) Output only. The Cloud SQL database instance's public IP. | false | false | This is the output | None | None |
 
 ### alloydb Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cluster_id` | Required. The AlloyDB cluster ID that this connection profile is associated with. | true | false | Not Security Related | None | None |
 | `settings` | Immutable. Metadata used to create the destination AlloyDB cluster. Structure is [documented below](#nested_alloydb_settings). | false | false | Not Security Related | None | None |
 
 ### ssl Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `type` | (Output) The current connection profile state. | false | true | The SSL type determines the level of encryption and whether client certificates are enforced. | 'SERVER_ONLY','SERVER_CLIENT','REQUIRED' | NONE |
@@ -90,6 +97,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `ca_certificate` | Input only. The x509 PEM-encoded certificate of the CA that signed the source database server's certificate. The replica will use this certificate to verify it's connecting to the right host. **Note**: This property is sensitive and will not be displayed in the plan. | false | false | Depends on SSL Type | None | None |
 
 ### forward_ssh_connectivity Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `hostname` | Required. Hostname for the SSH tunnel. | true | false | None | None | None |
@@ -99,11 +107,13 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `private_key` | Input only. SSH private key. Only one of `password` and `private_key` can be configured. **Note**: This property is sensitive and will not be displayed in the plan. | false | false | None | None | None |
 
 ### private_connectivity Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `private_connection` | Required. The resource name (URI) of the private connection. | true | true | Private connectivity prevents external access over public networks. | Compliant URI | Non-Compliant URI |
 
 ### settings Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `database_version` | The database engine type and version. Currently supported values located at https://cloud.google.com/database-migration/docs/reference/rest/v1/projects.locations.connectionProfiles#sqldatabaseversion | false | false | Not Security Related | None | None |
@@ -129,6 +139,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `primary_instance_settings` | Settings for the cluster's primary instance Structure is [documented below](#nested_alloydb_settings_primary_instance_settings). | false | false | Not Security Related | None | None |
 
 ### ip_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `enable_ipv4` | Whether the instance should be assigned an IPv4 address or not. | false | false | Not Security Related | None | None |
@@ -137,6 +148,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `authorized_networks` | The list of external networks that are allowed to connect to the instance using the IP. Structure is [documented below](#nested_cloudsql_settings_ip_config_authorized_networks). | false | true | Authorized networks define which external IPs can access the database. Better not configured | Not configured | Configured |
 
 ### authorized_networks Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `value` | The allowlisted value for the access control list. | true | false | None | None | None |
@@ -145,6 +157,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `ttl` | Input only. The time-to-leave of this access control entry. | false | false | None | None | None |
 
 ### initial_user Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `user` | The database username. | true | false | None | None | None |
@@ -152,6 +165,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `password_set` | (Output) Output only. Indicates if the initialUser.password field has been set. | false | false | None | None | None |
 
 ### primary_instance_settings Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | The database username. | true | false | None | None | None |
@@ -161,6 +175,7 @@ Reference: [Terraform Registry – database_migration_service_connection_profile
 | `private_ip` | (Output) Output only. The private IP address for the Instance. This is the connection endpoint for an end-user application. | false | false | None | None | None |
 
 ### machine_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cpu_count` | The number of CPU's in the VM instance. | true | false | None | None | None |
diff --git a/docs/gcp/DatabaseMigrationService/database_migration_service_migration_job.md b/docs/gcp/DatabaseMigrationService/database_migration_service_migration_job.md
index 61774363b..e023aacad 100644
--- a/docs/gcp/DatabaseMigrationService/database_migration_service_migration_job.md
+++ b/docs/gcp/DatabaseMigrationService/database_migration_service_migration_job.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – database_migration_service_migration_job](htt
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `type` | The type of the migration job. Possible values are: `ONE_TIME`, `CONTINUOUS`. | true | true | Migration type impacts how long source databases are exposed. Continuous migrations may carry higher security and cost implications than one-time jobs. | ONE_TIME | CONTINUOUS |
@@ -26,6 +27,7 @@ Reference: [Terraform Registry – database_migration_service_migration_job](htt
 | `project` | If it is not provided, the provider project is used. | false | false | Not Security Related | None | None |
 
 ### dump_flags Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `dump_flags` | A list of dump flags Structure is [documented below](#nested_dump_flags_dump_flags). | false | false | None | None | None |
@@ -33,11 +35,13 @@ Reference: [Terraform Registry – database_migration_service_migration_job](htt
 | `value` | The vale of the flag | false | false | None | None | None |
 
 ### performance_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `dump_parallel_level` | Initial dump parallelism level. Possible values are: `MIN`, `OPTIMAL`, `MAX`. | false | false | None | None | None |
 
 ### reverse_ssh_connectivity Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `vm_ip` | The IP of the virtual machine (Compute Engine) used as the bastion server for the SSH tunnel. | false | false | Must be setup anyway when reverse_ssh_connectivity is chosen | None | None |
@@ -46,6 +50,7 @@ Reference: [Terraform Registry – database_migration_service_migration_job](htt
 | `vpc` | The name of the VPC to peer with the Cloud SQL private network. | false | false | Must be setup anyway when reverse_ssh_connectivity is chosen | None | None |
 
 ### vpc_peering_connectivity Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `vpc` | The name of the VPC network to peer with the Cloud SQL private network. | false | true | VPC peering is the preferred secure method to connect source and destination over private networks, avoiding public exposure. | Valid VPC | Not Configured |
diff --git a/docs/gcp/DatabaseMigrationService/database_migration_service_private_connection.md b/docs/gcp/DatabaseMigrationService/database_migration_service_private_connection.md
index b664c2874..ce6b4705e 100644
--- a/docs/gcp/DatabaseMigrationService/database_migration_service_private_connection.md
+++ b/docs/gcp/DatabaseMigrationService/database_migration_service_private_connection.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – database_migration_service_private_connection
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `vpc_peering_config` | The VPC Peering configuration is used to create VPC peering between databasemigrationservice and the consumer's VPC. Structure is [documented below](#nested_vpc_peering_config). | true | false | This is a required field and doesnot need a Rego policy | None | None |
@@ -18,6 +19,7 @@ Reference: [Terraform Registry – database_migration_service_private_connection
 | `project` | If it is not provided, the provider project is used. | false | false | Not Security Related | None | None |
 
 ### vpc_peering_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `vpc_name` | Fully qualified name of the VPC that Database Migration Service will peer to. Format: projects/{project}/global/{networks}/{name} | true | false | None | None | None |
diff --git a/docs/gcp/Dataform/dataform_repository.md b/docs/gcp/Dataform/dataform_repository.md
index 456929c03..c73ec2753 100644
--- a/docs/gcp/Dataform/dataform_repository.md
+++ b/docs/gcp/Dataform/dataform_repository.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – dataform_repository](https://registry.terrafo
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | The repository's name. | true | false | None | None | None |
@@ -23,6 +24,7 @@ Reference: [Terraform Registry – dataform_repository](https://registry.terrafo
 | `ssh_authentication_config` | | false | false | None | None | None |
 
 ### git_remote_settings Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `url` | The Git remote's URL. | true | false | None | None | None |
@@ -32,6 +34,7 @@ Reference: [Terraform Registry – dataform_repository](https://registry.terrafo
 | `token_status` | (Output) Indicates the status of the Git access token. https://cloud.google.com/dataform/reference/rest/v1beta1/projects.locations.repositories#TokenStatus | false | false | None | None | None |
 
 ### workspace_compilation_overrides Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `default_database` | The default database (Google Cloud project ID). | false | false | None | None | None |
@@ -39,6 +42,7 @@ Reference: [Terraform Registry – dataform_repository](https://registry.terrafo
 | `table_prefix` | The prefix that should be prepended to all table names. | false | false | None | None | None |
 
 ### ssh_authentication_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `user_private_key_secret_version` | The name of the Secret Manager secret version to use as a ssh private key for Git operations. Must be in the format projects/*/secrets/*/versions/*. | true | false | None | None | None |
diff --git a/docs/gcp/Dataform/dataform_repository_iam.md b/docs/gcp/Dataform/dataform_repository_iam.md
index 3cb280a9c..cd5104a4c 100644
--- a/docs/gcp/Dataform/dataform_repository_iam.md
+++ b/docs/gcp/Dataform/dataform_repository_iam.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – dataform_repository_iam](https://registry.ter
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `region` | the value will be parsed from the identifier of the parent resource. If no region is provided in the parent identifier and no region is specified, it is taken from the provider configuration. | false | false | None | None | None |
diff --git a/docs/gcp/Dataform/dataform_repository_release_config.md b/docs/gcp/Dataform/dataform_repository_release_config.md
index b47d3010f..c564cb8a9 100644
--- a/docs/gcp/Dataform/dataform_repository_release_config.md
+++ b/docs/gcp/Dataform/dataform_repository_release_config.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – dataform_repository_release_config](https://r
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | The release's name. | true | false | None | None | None |
@@ -19,6 +20,7 @@ Reference: [Terraform Registry – dataform_repository_release_config](https://r
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
 
 ### code_compilation_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `default_database` | Optional. The default database (Google Cloud project ID). | false | false | None | None | None |
diff --git a/docs/gcp/Dataform/dataform_repository_workflow_config.md b/docs/gcp/Dataform/dataform_repository_workflow_config.md
index d42e0120f..0cb9295fd 100644
--- a/docs/gcp/Dataform/dataform_repository_workflow_config.md
+++ b/docs/gcp/Dataform/dataform_repository_workflow_config.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – dataform_repository_workflow_config](https://
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | The workflow's name. | true | false | None | None | None |
@@ -20,6 +21,7 @@ Reference: [Terraform Registry – dataform_repository_workflow_config](https://
 | `included_targets` | | false | false | None | None | None |
 
 ### invocation_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `included_targets` | Optional. The set of action identifiers to include. Structure is [documented below](#nested_invocation_config_included_targets). | false | false | None | None | None |
@@ -30,6 +32,7 @@ Reference: [Terraform Registry – dataform_repository_workflow_config](https://
 | `service_account` | Optional. The service account to run workflow invocations under. | false | false | None | None | None |
 
 ### included_targets Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `database` | The action's database (Google Cloud project ID). | false | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_chat_engine.md b/docs/gcp/Discovery_Engine/discovery_engine_chat_engine.md
index 04783137e..4ff4dbdf3 100644
--- a/docs/gcp/Discovery_Engine/discovery_engine_chat_engine.md
+++ b/docs/gcp/Discovery_Engine/discovery_engine_chat_engine.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – discovery_engine_chat_engine](https://registr
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `display_name` | The display name of the engine. Should be human readable. UTF-8 encoded string with limit of 1024 characters. | true | false | Just the displayed name | None | None |
@@ -21,6 +22,7 @@ Reference: [Terraform Registry – discovery_engine_chat_engine](https://registr
 | `agent_creation_config` | | false | false | This happens in the backgroud | None | None |
 
 ### chat_engine_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `agent_creation_config` | The configuration to generate the Dialogflow agent that is associated to this Engine. Exactly one of `agent_creation_config` or `dialogflow_agent_to_link` must be set. Structure is [documented below](#nested_chat_engine_config_agent_creation_config). | false | true | linking to other agents can be a risk | False | True |
@@ -28,11 +30,13 @@ Reference: [Terraform Registry – discovery_engine_chat_engine](https://registr
 | `allow_cross_region` | If the flag set to true, we allow the agent and engine are in different locations, otherwise the agent and engine are required to be in the same location. The flag is set to false by default. Note that the `allow_cross_region` are one-time consumed by and passed to EngineService.CreateEngine. It means they cannot be retrieved using EngineService.GetEngine or EngineService.ListEngines API after engine creation. | false | true | data residency laws | false | true |
 
 ### common_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `company_name` | The name of the company, business or entity that is associated with the engine. Setting this may help improve LLM related features. | false | false | None | None | None |
 
 ### agent_creation_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `business` | Name of the company, organization or other entity that the agent represents. Used for knowledge connector LLM prompt and for knowledge search. | false | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_cmek_config.md b/docs/gcp/Discovery_Engine/discovery_engine_cmek_config.md
index d30ade48b..614a66603 100644
--- a/docs/gcp/Discovery_Engine/discovery_engine_cmek_config.md
+++ b/docs/gcp/Discovery_Engine/discovery_engine_cmek_config.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – discovery_engine_cmek_config](https://registr
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `kms_key` | KMS key resource name which will be used to encrypt resources `projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{keyId}`. | true | true | Encryption key related | my-crypto-key | nc-crypto-key |
@@ -17,6 +18,7 @@ Reference: [Terraform Registry – discovery_engine_cmek_config](https://registr
 | `project` | If it is not provided, the provider project is used. | true | false | project ID | None | None |
 
 ### single_region_keys Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `kms_key` | Single-regional kms key resource name which will be used to encrypt resources `projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{keyId}`. | true | true | encryption | projects/735927692082/locations/europe-west1/keyRings/my-ring/cryptoKeys/my-eu1-key | |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_data_store.md b/docs/gcp/Discovery_Engine/discovery_engine_data_store.md
index d7d19f942..5d60eecc5 100644
--- a/docs/gcp/Discovery_Engine/discovery_engine_data_store.md
+++ b/docs/gcp/Discovery_Engine/discovery_engine_data_store.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The display name of the data store. This field must be a UTF-8 encoded string with a length limit of 128 characters. | true | false | Just the name | None | None | @@ -29,12 +30,14 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry | `parsing_config_overrides` | | false | false | None | None | None | ### advanced_site_search_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disable_initial_index` | If set true, initial indexing is disabled for the DataStore. | false | false | None | None | None | | `disable_automatic_refresh` | If set true, automatic refresh is disabled for the DataStore. | false | false | None | None | None | ### document_processing_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | (Output) The full resource name of the Document Processing Config. Format: `projects/{project}/locations/{location}/collections/{collection_id}/dataStores/{data_store_id}/documentProcessingConfig`. | false | false | None | None | None | 
@@ -43,17 +46,20 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry | `parsing_config_overrides` | Map from file type to override the default parsing configuration based on the file type. Supported keys: * `pdf`: Override parsing config for PDF files, either digital parsing, ocr parsing or layout parsing is supported. * `html`: Override parsing config for HTML files, only digital parsing and or layout parsing are supported. * `docx`: Override parsing config for DOCX files, only digital parsing and or layout parsing are supported. Structure is [documented below](#nested_document_processing_config_parsing_config_overrides). | false | false | None | None | None | ### chunking_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `layout_based_chunking_config` | Configuration for the layout based chunking. Structure is [documented below](#nested_document_processing_config_chunking_config_layout_based_chunking_config). | false | false | None | None | None | ### layout_based_chunking_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `chunk_size` | The token size limit for each chunk. Supported values: 100-500 (inclusive). Default value: 500. | false | false | None | None | None | | `include_ancestor_headings` | Whether to include appending different levels of headings to chunks from the middle of the document to prevent context loss. Default value: False. 
| false | false | None | None | None | ### default_parsing_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `digital_parsing_config` | Configurations applied to digital parser. | false | false | None | None | None | @@ -61,11 +67,13 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry | `layout_parsing_config` | Configurations applied to layout parser. Structure is [documented below](#nested_document_processing_config_default_parsing_config_layout_parsing_config). | false | false | None | None | None | ### ocr_parsing_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `use_native_text` | If true, will use native text instead of OCR text on pages containing native text. | false | true | can make private info public if set to false | True | False | ### layout_parsing_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enable_table_annotation` | If true, the LLM based annotation is added to the table during parsing. | false | false | None | None | None | @@ -76,6 +84,7 @@ Reference: [Terraform Registry – discovery_engine_data_store](https://registry | `exclude_html_ids` | List of HTML ids to exclude from the parsed content. | false | false | None | None | None | ### parsing_config_overrides Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `file_type` | | false | false | None | None | None | 
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_recommendation_engine.md b/docs/gcp/Discovery_Engine/discovery_engine_recommendation_engine.md index 4ce7a7e77..be5fafc7a 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_recommendation_engine.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_recommendation_engine.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – discovery_engine_recommendation_engine](https --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | Required. The display name of the engine. Should be human readable. UTF-8 encoded string with limit of 1024 characters. | true | false | naming | None | None | @@ -23,6 +24,7 @@ Reference: [Terraform Registry – discovery_engine_recommendation_engine](https | `most_popular_config` | | false | false | None | None | None | ### media_recommendation_engine_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `type` | The type of engine. e.g., `recommended-for-you`. This field together with MediaRecommendationEngineConfig.optimizationObjective describes engine metadata to use to control engine training and serving. Currently supported values: `recommended-for-you`, `others-you-may-like`, `more-like-this`, `most-popular-items`. | false | false | None | None | None | 
@@ -32,28 +34,33 @@ Reference: [Terraform Registry – discovery_engine_recommendation_engine](https | `engine_features_config` | More feature configs of the selected engine type. Structure is [documented below](#nested_media_recommendation_engine_config_engine_features_config). | false | false | None | None | None | ### common_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `company_name` | The name of the company, business or entity that is associated with the engine. Setting this may help improve LLM related features.cd | false | false | None | None | None | ### optimization_objective_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `target_field` | The name of the field to target. Currently supported values: `watch-percentage`, `watch-time`. | false | false | None | None | None | | `target_field_value_float` | The threshold to be applied to the target (e.g., 0.5). | false | false | None | None | None | ### engine_features_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `recommended_for_you_config` | Additional feature configurations for creating a `recommended-for-you` engine. Structure is [documented below](#nested_media_recommendation_engine_config_engine_features_config_recommended_for_you_config). | false | false | None | None | None | | `most_popular_config` | Feature configurations that are required for creating a Most Popular engine. Structure is [documented below](#nested_media_recommendation_engine_config_engine_features_config_most_popular_config). 
| false | false | None | None | None | ### recommended_for_you_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `context_event_type` | The type of event with which the engine is queried at prediction time. If set to `generic`, only `view-item`, `media-play`,and `media-complete` will be used as `context-event` in engine training. If set to `view-home-page`, `view-home-page` will also be used as `context-events` in addition to `view-item`, `media-play`, and `media-complete`. Currently supported for the `recommended-for-you` engine. Currently supported values: `view-home-page`, `generic`. | false | false | None | None | None | ### most_popular_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `time_window_days` | The time window of which the engine is queried at training and prediction time. Positive integers only. The value translates to the last X days of events. Currently required for the `most-popular-items` engine. | false | false | None | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_schema.md b/docs/gcp/Discovery_Engine/discovery_engine_schema.md index 95c73c72f..626c4b326 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_schema.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_schema.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – discovery_engine_schema](https://registry.ter --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_search_engine.md b/docs/gcp/Discovery_Engine/discovery_engine_search_engine.md index f8213dd89..a8ab190a1 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_search_engine.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_search_engine.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – discovery_engine_search_engine](https://regis --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | Required. The display name of the engine. Should be human readable. UTF-8 encoded string with limit of 1024 characters. | true | false | Name | None | None | 
@@ -20,12 +21,14 @@ Reference: [Terraform Registry – discovery_engine_search_engine](https://regis | `project` | If it is not provided, the provider project is used. | true | false | Needed to work | None | None | ### search_engine_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `search_tier` | The search feature tier of this engine. Defaults to SearchTier.SEARCH_TIER_STANDARD if not specified. Default value is `SEARCH_TIER_STANDARD`. Possible values are: `SEARCH_TIER_STANDARD`, `SEARCH_TIER_ENTERPRISE`. | false | false | None | None | None | | `search_add_ons` | The add-on that this search engine enables. Each value may be one of: `SEARCH_ADD_ON_LLM`. | false | false | None | None | None | ### common_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `company_name` | The name of the company, business or entity that is associated with the engine. Setting this may help improve LLM related features.cd | false | false | None | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md b/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md index cd3c084d9..f7ded6ce8 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – discovery_engine_sitemap](https://registry.te --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | false | None | None | None | diff --git a/docs/gcp/Discovery_Engine/discovery_engine_target_site.md b/docs/gcp/Discovery_Engine/discovery_engine_target_site.md index 9ab390c77..01cce5649 100644 --- a/docs/gcp/Discovery_Engine/discovery_engine_target_site.md +++ b/docs/gcp/Discovery_Engine/discovery_engine_target_site.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – discovery_engine_target_site](https://registr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `provided_uri_pattern` | The user provided URI pattern from which the `generated_uri_pattern` is generated. | true | false | None | None | None | diff --git a/docs/gcp/Firebase/firebase_android_app.md b/docs/gcp/Firebase/firebase_android_app.md index 23f67eae5..d11c750c5 100644 --- a/docs/gcp/Firebase/firebase_android_app.md +++ b/docs/gcp/Firebase/firebase_android_app.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_android_app](https://registry.terraf --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The user-assigned display name of the AndroidApp. | true | false | Display Name has no impact on the security of the resource or data contained. | None | None | diff --git a/docs/gcp/Firebase/firebase_apple_app.md b/docs/gcp/Firebase/firebase_apple_app.md index 5e3437feb..143cd2d1c 100644 --- a/docs/gcp/Firebase/firebase_apple_app.md +++ b/docs/gcp/Firebase/firebase_apple_app.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_apple_app](https://registry.terrafor --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The user-assigned display name of the App. | true | false | Display name is only a user-friendly identifier and does not expose sensitive data or impact the security of the application or its resources. | None | None | diff --git a/docs/gcp/Firebase/firebase_project.md b/docs/gcp/Firebase/firebase_project.md index fda4595f7..530247fa5 100644 --- a/docs/gcp/Firebase/firebase_project.md +++ b/docs/gcp/Firebase/firebase_project.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_project](https://registry.terraform. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | If it is not provided, the provider project is used. | false | false | The 'project' attribute is used to associate the Firebase resource with a specific Google Cloud project. It does not directly affect security or data protection since access and permissions are controlled through project-level IAM policies rather than this field itself. | None | None | diff --git a/docs/gcp/Firebase/firebase_web_app.md b/docs/gcp/Firebase/firebase_web_app.md index 1bb9e1f99..5e0781b9f 100644 --- a/docs/gcp/Firebase/firebase_web_app.md +++ b/docs/gcp/Firebase/firebase_web_app.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_web_app](https://registry.terraform. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | The user-assigned display name of the App. | true | false | The display name is only a user-friendly label to help identify the web application. It does not affect authentication, access control, or security posture. | None | None | diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_backend.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_backend.md index 5a891f64d..cf9e611da 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_backend.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_backend.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_app_hosting_backend](https://registr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `serving_locality` | Immutable. Specifies how App Hosting will serve the content for this backend. It will either be contained to a single region (REGIONAL_STRICT) or allowed to use App Hosting's global-replicated serving infrastructure (GLOBAL_ACCESS). Possible values are: `REGIONAL_STRICT`, `GLOBAL_ACCESS`. | true | true | Serving locality must be set to REGIONAL_STRICT to ensure data residency compliance and maintain regional data sovereignty requirements. | REGIONAL_STRICT | GLOBAL_ACCESS | @@ -22,6 +23,7 @@ Reference: [Terraform Registry – firebase_app_hosting_backend](https://registr | `project` | If it is not provided, the provider project is used. | false | false | Project specification uses default provider project when not specified. | None | None | ### codebase Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `repository` | The resource name for the Developer Connect [`gitRepositoryLink`](https://cloud.google.com/developer-connect/docs/api/reference/rest/v1/projects.locations.connections.gitRepositoryLinks) connected to this backend, in the format: projects/{project}/locations/{location}/connections/{connection}/gitRepositoryLinks/{repositoryLink} | true | true | Repository must use the GCP Developer Connect format to ensure secure authentication and authorization through GCP's managed connections. | projects/my-project/locations/australia-southeast2/connections/github-connection/gitRepositoryLinks/my-repo-link | github.com/user/repo | 
diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_build.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_build.md index 25be93389..73216ccb0 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_build.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_build.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_app_hosting_build](https://registry. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | The source for the build. Structure is [documented below](#nested_source). | true | true | Build source must use approved container registries to ensure secure and trusted container images. | Refer to child arguments | Refer to child arguments | 
@@ -21,17 +22,20 @@ Reference: [Terraform Registry – firebase_app_hosting_build](https://registry. | `codebase` | | false | false | Codebase fields are output-only or have no specific security policies. | None | None | ### source Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `container` | The URI of an Artifact Registry [container image](https://cloud.google.com/artifact-registry/docs/reference/rest/v1/projects.locations.repositories.dockerImages) to use as the build source. Structure is [documented below](#nested_source_container). | false | true | Container images must be sourced from approved registries to ensure security and compliance. | Refer to child arguments | Refer to child arguments | | `codebase` | A codebase source, representing the state of the codebase that the build will be created at. Structure is [documented below](#nested_source_codebase). | false | false | Codebase source has no specific security policy in place. | None | None | ### container Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `image` | A URI representing a container for the backend to use. | true | true | Container image must be sourced from approved Australian Artifact Registry to ensure security, compliance, and data residency requirements. | au-docker.pkg.dev | docker.io/nginx:latest | ### codebase Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | (Output) The 'name' field in a Git user's git.config. Required by Git. | false | false | Output field with no security policy. | None | None | 
diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_default_domain.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_default_domain.md index 2b11208bf..59f7fd013 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_default_domain.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_default_domain.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_app_hosting_default_domain](https:// --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location of the Backend that this Domain is associated with | true | false | Location inherits from backend configuration and has no independent security policy. | australia-southeast2-a | us-east1 | diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_domain.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_domain.md index 83f352b76..5de220dae 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_domain.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_domain.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_app_hosting_domain](https://registry --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location of the Backend that this Domain is associated with | true | false | Location inherits from backend configuration and has no independent security policy. | australia-southeast2-a | us-east1 | 
@@ -17,11 +18,13 @@ Reference: [Terraform Registry – firebase_app_hosting_domain](https://registry | `redirect` | | false | false | Redirect configuration has no specific security policy. | None | None | ### serve Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `redirect` | Specifies redirect behavior for a domain. Structure is [documented below](#nested_serve_redirect). | false | false | Domain redirect configuration has no specific security policy. | None | None | ### redirect Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uri` | The URI of the redirect's intended destination. This URI will be prepended to the original request path. URI without a scheme are assumed to be HTTPS. | true | false | Redirect URI has no specific security policy. | None | None | diff --git a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_traffic.md b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_traffic.md index 8b15c4331..ae8623dab 100644 --- a/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_traffic.md +++ b/docs/gcp/Firebase_App_Hosting/firebase_app_hosting_traffic.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_app_hosting_traffic](https://registr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The location the Backend that this Traffic config applies to | true | false | Location inherits from backend configuration and has no independent security policy. | australia-southeast2-a | us-east1 | 
@@ -17,11 +18,13 @@ Reference: [Terraform Registry – firebase_app_hosting_traffic](https://registr | `splits` | | false | false | Traffic splits configuration has no specific security policy. | None | None | ### target Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `splits` | A list of traffic splits that together represent where traffic is being routed. Structure is [documented below](#nested_target_splits). | true | false | Traffic splits configuration has no specific security policy. | None | None | ### rollout_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disabled` | A flag that, if true, prevents rollouts from being created via this RolloutPolicy. | false | false | Rollout enable/disable flag has no specific security policy. | None | None | @@ -29,6 +32,7 @@ Reference: [Terraform Registry – firebase_app_hosting_traffic](https://registr | `codebase_branch` | Specifies a branch that triggers a new build to be started with this policy. If not set, no automatic rollouts will happen. | false | true | Codebase branch must be set to 'main' to ensure only stable, production-ready code triggers automatic deployments. | main | dev | ### splits Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `build` | The build that traffic is being routed to. | true | false | Build reference has no specific security policy. | None | None | diff --git a/docs/gcp/Firebase_Data_Connect/firebase_data_connect_service.md b/docs/gcp/Firebase_Data_Connect/firebase_data_connect_service.md index 9fbf71d44..e1eae5a11 100644 
--- a/docs/gcp/Firebase_Data_Connect/firebase_data_connect_service.md +++ b/docs/gcp/Firebase_Data_Connect/firebase_data_connect_service.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – firebase_data_connect_service](https://regist --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | The region in which the service resides, e.g. "us-central1" or "asia-east1". | true | false | The location attribute determines the physical region where the service is deployed. It does not directly affect security, but it may have compliance or data residency implications depending on organizational and regulatory requirements. | None | None | diff --git a/docs/gcp/Firestore/firestore_backup_schedule.md b/docs/gcp/Firestore/firestore_backup_schedule.md index 2608824d0..65fd4a7e2 100644 --- a/docs/gcp/Firestore/firestore_backup_schedule.md +++ b/docs/gcp/Firestore/firestore_backup_schedule.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – firestore_backup_schedule](https://registry.t --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `retention` | Firestore backup schedules must retain backups for at least 7 days (604800 seconds). | true | false | None | None | None | 
@@ -16,6 +17,7 @@ Reference: [Terraform Registry – firestore_backup_schedule](https://registry.t | `project` | If it is not provided, the provider project is used. | false | false | None | None | None | ### weekly_recurrence Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `day` | The day of week to run. Possible values are: `DAY_OF_WEEK_UNSPECIFIED`, `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. | false | false | None | None | None | diff --git a/docs/gcp/Firestore/firestore_database.md b/docs/gcp/Firestore/firestore_database.md index da854be41..670385a69 100644 --- a/docs/gcp/Firestore/firestore_database.md +++ b/docs/gcp/Firestore/firestore_database.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – firestore_database](https://registry.terrafor --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The ID to use for the database, which will become the final component of the database's resource name. This value should be 4-63 characters. Valid characters are /[a-z][0-9]-/ with first character a letter and the last a letter or a number. Must not be UUID-like /[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/. "(default)" database id is also valid. | true | false | None | None | None | 
@@ -23,6 +24,7 @@ Reference: [Terraform Registry – firestore_database](https://registry.terrafor | `deletion_policy` | If the deletion policy is `ABANDON`, the database will be removed from Terraform state but not deleted from Google Cloud upon destruction. If the deletion policy is `DELETE`, the database will both be removed from Terraform state and deleted from Google Cloud upon destruction. The default value is `ABANDON`. See also `delete_protection`. | false | false | None | None | None | ### cmek_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kms_key_name` | The resource ID of a Cloud KMS key. If set, the database created will be a Customer-managed Encryption Key (CMEK) database encrypted with this key. This feature is allowlist only in initial launch. Only keys in the same location as this database are allowed to be used for encryption. For Firestore's nam5 multi-region, this corresponds to Cloud KMS multi-region us. For Firestore's eur3 multi-region, this corresponds to Cloud KMS multi-region europe. See https://cloud.google.com/kms/docs/locations. This value should be the KMS key resource ID in the format of `projects/{project_id}/locations/{kms_location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}`. How to retrieve this resource ID is listed at https://cloud.google.com/kms/docs/getting-resource-ids#getting_the_id_for_a_key_and_version. | true | false | None | None | None | diff --git a/docs/gcp/Firestore/firestore_document.md b/docs/gcp/Firestore/firestore_document.md index aae845f0d..5360d64a9 100644 --- a/docs/gcp/Firestore/firestore_document.md +++ b/docs/gcp/Firestore/firestore_document.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – firestore_document](https://registry.terrafor
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `fields` | The document's [fields](https://cloud.google.com/firestore/docs/reference/rest/v1/projects.databases.documents) formated as a json string.Firestore documents must include both 'field1' and 'field2' to satisfy mandatory data schema. | true | false | None | None | None |
diff --git a/docs/gcp/Firestore/firestore_field.md b/docs/gcp/Firestore/firestore_field.md
index 98445e0bb..d1ed4cbc2 100644
--- a/docs/gcp/Firestore/firestore_field.md
+++ b/docs/gcp/Firestore/firestore_field.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – firestore_field](https://registry.terraform.i
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `collection` | The id of the collection group to configure. | true | false | None | None | None |
@@ -18,16 +19,19 @@ Reference: [Terraform Registry – firestore_field](https://registry.terraform.i
 | `indexes` | | false | false | None | None | None |
 
 ### index_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `indexes` | The indexes to configure on the field. Order or array contains must be specified. Structure is [documented below](#nested_index_config_indexes). | false | false | None | None | None |
 
 ### ttl_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `state` | (Output) The state of TTL (time-to-live) configuration for documents that have this Field set. | false | false | None | None | None |
 
 ### indexes Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `query_scope` | The scope at which a query is run. Collection scoped queries require you specify the collection at query time. Collection group scope allows queries across all collections with the same id. Default value is `COLLECTION`. Possible values are: `COLLECTION`, `COLLECTION_GROUP`. | false | false | None | None | None |
diff --git a/docs/gcp/Firestore/firestore_index.md b/docs/gcp/Firestore/firestore_index.md
index 0dbbfa7c7..e5ef4d936 100644
--- a/docs/gcp/Firestore/firestore_index.md
+++ b/docs/gcp/Firestore/firestore_index.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – firestore_index](https://registry.terraform.i
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `collection` | The collection being indexed. | true | false | None | None | None |
@@ -20,6 +21,7 @@ Reference: [Terraform Registry – firestore_index](https://registry.terraform.i
 | `vector_config` | | false | false | None | None | None |
 
 ### fields Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `field_path` | Name of the field. | false | false | None | None | None |
@@ -28,6 +30,7 @@ Reference: [Terraform Registry – firestore_index](https://registry.terraform.i
 | `vector_config` | Indicates that this field supports vector search operations. Only one of `order`, `arrayConfig`, and `vectorConfig` can be specified. Vector Fields should come after the field path `__name__`. Structure is [documented below](#nested_fields_fields_vector_config). | false | false | None | None | None |
 
 ### vector_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `dimension` | The resulting index will only include vectors of this dimension, and can be used for vector search with the same dimension. | false | false | None | None | None |
diff --git a/docs/gcp/Google_Cloud_Managed_Lustre/lustre_instance.md b/docs/gcp/Google_Cloud_Managed_Lustre/lustre_instance.md
index 608a31798..bd3bb4f62 100644
--- a/docs/gcp/Google_Cloud_Managed_Lustre/lustre_instance.md
+++ b/docs/gcp/Google_Cloud_Managed_Lustre/lustre_instance.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – lustre_instance](https://registry.terraform.i
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `capacity_gib` | The storage capacity of the instance in gibibytes (GiB). Allowed values are from `18000` to `954000`, in increments of 9000. | false | false | None | None | None |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_active_directory.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_active_directory.md
index d8f905e6a..b1d2b2805 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_active_directory.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_active_directory.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_active_directory](https://registry.ter
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `domain` | Fully qualified domain name for the Active Directory domain. | true | true | Ensures join operations target the trusted domain. | deakin.internal | ad.internal |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup.md
index b212c0016..bdf6d6fa7 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_backup](https://registry.terraform.io/
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | Region of the backup resource. | true | true | Data residency and compliance. | australia-southeast2 | us-central1 |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_policy.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_policy.md
index c5e3b4fdc..02a13e028 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_policy.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_policy.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_backup_policy](https://registry.terraf
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `daily_backup_limit` | Number of daily backups to retain (minimum 2). | true | true | Defines baseline retention to support recovery objectives. | 7 | 1 |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_vault.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_vault.md
index fb6351092..20de7e941 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_vault.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_backup_vault.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_backup_vault](https://registry.terrafo
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | Region where the backup vault is created. | true | true | Controls data residency and compliance for where backups are stored. | australia-southeast2 | us-central1 |
@@ -19,6 +20,7 @@ Reference: [Terraform Registry – netapp_backup_vault](https://registry.terrafo
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
 
 ### backup_retention_policy Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `backup_minimum_enforced_retention_days` | Minimum retention duration in days for backups in the backup vault. | true | false | None | None | None |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_kmsconfig.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_kmsconfig.md
index 7346ce840..7e66e40f8 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_kmsconfig.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_kmsconfig.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_kmsconfig](https://registry.terraform.
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `crypto_key_name` | Resource name of the regional CMEK key. | true | true | Encrypts data with an approved customer-managed key. | projects/deakin-lab-123/locations/australia-southeast2/keyRings/netapp-kr/cryptoKeys/netapp-cmek | projects/other-proj/locations/us-central1/keyRings/kr/cryptoKeys/key |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_storage_pool.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_storage_pool.md
index 25040eb4b..fc47ab550 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_storage_pool.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_storage_pool.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_storage_pool](https://registry.terrafo
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `service_level` | Service level of the storage pool. Possible values are: `PREMIUM`, `EXTREME`, `STANDARD`, `FLEX`. | true | false | None | None | None |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume.md
index 6b2d8d4fa..4a933c5d6 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `share_name` | Share name (SMB) or export path (NFS) of the volume. Needs to be unique per location. | true | false | None | None | None |
@@ -40,17 +41,20 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/
 | `monthly_schedule` | | false | false | None | None | None |
 
 ### export_policy Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `rules` | Export rules (up to 5) control NFS volume access. Structure is [documented below](#nested_export_policy_rules). | true | false | None | None | None |
 
 ### restore_parameters Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `source_snapshot` | Full name of the snapshot to use for creating this volume. `source_snapshot` and `source_backup` cannot be used simultaneously. Format: `projects/{{project}}/locations/{{location}}/volumes/{{volume}}/snapshots/{{snapshot}}`. | false | false | None | None | None |
 | `source_backup` | Full name of the backup to use for creating this volume. `source_snapshot` and `source_backup` cannot be used simultaneously. Format: `projects/{{project}}/locations/{{location}}/backupVaults/{{backupVaultId}}/backups/{{backup}}`. | false | false | None | None | None |
 
 ### snapshot_policy Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `enabled` | Enables automated snapshot creation according to defined schedule. Default is false. To disable automatic snapshot creation you have to remove the whole snapshot_policy block. | false | false | None | None | None |
@@ -60,6 +64,7 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/
 | `monthly_schedule` | Monthly schedule policy. Structure is [documented below](#nested_snapshot_policy_monthly_schedule). | false | false | None | None | None |
 
 ### backup_config Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `backup_policies` | Specify a single backup policy ID for scheduled backups. Format: `projects/{{projectId}}/locations/{{location}}/backupPolicies/{{backupPolicyName}}` | false | false | None | None | None |
@@ -67,6 +72,7 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/
 | `scheduled_backup_enabled` | When set to true, scheduled backup is enabled on the volume. Omit if no backup_policy is specified. | false | false | None | None | None |
 
 ### tiering_policy Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cooling_threshold_days` | Optional. Time in days to mark the volume's data block as cold and make it eligible for tiering, can be range from 2-183. Default is 31. | false | false | None | None | None |
@@ -74,6 +80,7 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/
 | `hot_tier_bypass_mode_enabled` | , [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Optional. Flag indicating that the hot tier bypass mode is enabled. Default is false. Only applicable to Flex service level. | false | false | None | None | None |
 
 ### hybrid_replication_parameters Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `replication` | Required. Desired name for the replication of this volume. | false | false | None | None | None |
@@ -86,6 +93,7 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/
 | `labels` | Optional. Labels to be added to the replication as the key value pairs. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. | false | false | None | None | None |
 
 ### rules Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `allowed_clients` | Defines the client ingress specification (allowed clients) as a comma separated list with IPv4 CIDRs or IPv4 host addresses. | false | false | None | None | None |
@@ -101,12 +109,14 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/
 | `kerberos5p_read_write` | If enabled (true) the rule defines read and write access for clients matching the 'allowedClients' specification. It enables nfs clients to mount using 'privacy' kerberos security mode. The 'kerberos5pReadOnly' value is ignored if this is enabled. | false | false | None | None | None |
 
 ### hourly_schedule Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `snapshots_to_keep` | The maximum number of snapshots to keep for the hourly schedule. | true | false | None | None | None |
 | `minute` | Set the minute of the hour to create the snapshot (0-59), defaults to the top of the hour (0). | false | false | None | None | None |
 
 ### daily_schedule Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `snapshots_to_keep` | The maximum number of snapshots to keep for the daily schedule. | true | false | None | None | None |
@@ -114,6 +124,7 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/
 | `hour` | Set the hour to create the snapshot (0-23), defaults to midnight (0). | false | false | None | None | None |
 
 ### weekly_schedule Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `snapshots_to_keep` | The maximum number of snapshots to keep for the weekly schedule. | true | false | None | None | None |
@@ -122,6 +133,7 @@ Reference: [Terraform Registry – netapp_volume](https://registry.terraform.io/
 | `day` | Set the day or days of the week to make a snapshot. Accepts a comma separated days of the week. Defaults to 'Sunday'. | false | false | None | None | None |
 
 ### monthly_schedule Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `snapshots_to_keep` | The maximum number of snapshots to keep for the monthly schedule | true | false | None | None | None |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_quota_rule.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_quota_rule.md
index 45e8266b8..05bddbb54 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_quota_rule.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_quota_rule.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_volume_quota_rule](https://registry.te
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `type` | Types of Quota Rule. Possible values are: `INDIVIDUAL_USER_QUOTA`, `INDIVIDUAL_GROUP_QUOTA`, `DEFAULT_USER_QUOTA`, `DEFAULT_GROUP_QUOTA`. | true | false | None | None | None |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_replication.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_replication.md
index 90b3057c8..dcc6fba49 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_replication.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_replication.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_volume_replication](https://registry.t
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `replication_schedule` | Replication interval. | true | true | Controls RPO to meet policy (e.g., ≥ hourly). | EVERY_10_MINUTES | DAILY |
@@ -24,6 +25,7 @@ Reference: [Terraform Registry – netapp_volume_replication](https://registry.t
 | `tiering_policy` | | false | false | None | None | None |
 
 ### destination_volume_parameters Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `storage_pool` | Name of an existing storage pool for the destination volume with format: `projects/{{project}}/locations/{{location}}/storagePools/{{poolId}}` | true | false | None | None | None |
@@ -33,6 +35,7 @@ Reference: [Terraform Registry – netapp_volume_replication](https://registry.t
 | `tiering_policy` | Tiering policy for the volume. Structure is [documented below](#nested_destination_volume_parameters_tiering_policy). | false | false | None | None | None |
 
 ### tiering_policy Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cooling_threshold_days` | Optional. Time in days to mark the volume's data block as cold and make it eligible for tiering, can be range from 2-183. Default is 31. | false | false | None | None | None |
diff --git a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_snapshot.md b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_snapshot.md
index 56a8bfde0..fd6675cef 100644
--- a/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_snapshot.md
+++ b/docs/gcp/Google_Cloud_NetApp_Volumes/netapp_volume_snapshot.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – netapp_volume_snapshot](https://registry.terr
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `location` | Region where the snapshot is created. | true | true | Residency/compliance. | australia-southeast2 | us-central1 |
diff --git a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_cluster.md b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_cluster.md
index b49ad3977..08f035df0 100644
--- a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_cluster.md
+++ b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_cluster.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `fleet` | Fleet related configuration. Fleets are a Google Cloud concept for logically organizing clusters, letting you use and manage multi-cluster capabilities and apply consistent policies across your systems. | true | true | Proper fleet configuration ensures clusters are organized in a secure and manageable way with consistent policy enforcement. | Properly formatted project reference using project number | Hardcoded project numbers or incorrect formatting |
@@ -33,12 +34,14 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra
 | `ingress` | Ingress add-on configuration for external access to cluster services. | false | true | Ingress configuration controls external access to cluster services and significantly impacts the cluster's security posture. | Properly secured ingress configuration | Misconfigured or overly permissive ingress settings |
 
 ### fleet Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `project` | The name of the Fleet host project where this cluster will be registered. Project names are formatted as `projects/`. | true | true | Correct project reference format ensures proper cluster registration and management within the intended fleet. | projects/1234567890 | projects/gdce-dev (using project ID instead of number) |
 | `membership` | (Output) The name of the managed Hub Membership resource associated to this cluster. Membership names are formatted as `projects//locations/global/membership/`. | false | false | Output-only field used for tracking cluster membership, no security impact. | None | None |
 
 ### networking Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `cluster_ipv4_cidr_blocks` | All pods in the cluster are assigned an RFC1918 IPv4 address from these blocks. Only a single block is supported. This field cannot be changed after creation. | true | true | Properly scoped CIDR blocks prevent overly permissive network access between pods. | 10.0.0.0/16 | 0.0.0.0/0 |
@@ -48,38 +51,45 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra
 | `network_type` | (Output) IP addressing type of this cluster i.e. SINGLESTACK_V4 vs DUALSTACK_V4_V6. | false | false | Output-only field indicating network configuration type, no security impact. | None | None |
 
 ### authorization Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `admin_users` | User that will be granted the cluster-admin role on the cluster, providing full access to the cluster. Currently, this is a singular field, but will be expanded to allow multiple admins in the future. | true | true | Admin users should be properly vetted and authorized individuals with valid organizational email addresses. | authorized.user@company.com | invalid@example.com |
 
 ### maintenance_policy Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `window` | Specifies the maintenance window in which maintenance may be performed. | true | true | Maintenance windows should be scheduled during low-usage periods with proper recurrence patterns. | Properly configured recurring window | Missing or improperly configured window |
 | `maintenance_exclusions` | Exclusions to automatic maintenance. Non-emergency maintenance should not occur in these windows. Each exclusion has a unique name and may be active or expired. The max number of maintenance exclusions allowed at a given time is 3. | false | true | Maintenance exclusions prevent updates during critical business periods but should be used judiciously. | Properly defined exclusions with unique IDs | Excessive or improperly configured exclusions |
 
 ### window Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `recurring_window` | Represents an arbitrary window of time that recurs. | true | true | Recurring windows provide predictable maintenance schedules that can be planned around. | Properly configured recurrence pattern | Missing or invalid recurrence pattern |
 
 ### maintenance_exclusions Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | A unique (per cluster) id for the window. | false | true | Unique IDs ensure proper tracking and management of maintenance exclusions. | unique-exclusion-id-001 | Duplicate or missing IDs |
 
 ### control_plane Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `remote` | Remote control plane configuration. | false | true | Remote control plane location impacts latency, availability, and data residency. | Properly configured edge zone location | Unapproved or insecure locations |
 | `local` | Local control plane configuration. | false | true | Local control plane configuration impacts high availability, resource isolation, and deployment policies. | Proper node count (1 or 3) with appropriate machine filtering | Invalid node count or overly permissive machine filters |
 
 ### remote Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `node_location` | Name of the Google Distributed Cloud Edge zones where this node pool will be created. For example: `us-central1-edge-customer-a`. | false | true | Node location should be in approved zones that meet data residency and performance requirements. | us-central1-edge-customer-a | Unapproved or restricted locations |
 
 ### local Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `node_location` | Name of the Google Distributed Cloud Edge zones where this node pool will be created. For example: `us-central1-edge-customer-a`. | false | true | Node location should be in approved zones that meet data residency and performance requirements. | us-central1-edge-customer-a | Unapproved or restricted locations |
@@ -88,17 +98,20 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra | `shared_deployment_policy` | Policy configuration about how user applications are deployed. Possible values are: `SHARED_DEPLOYMENT_POLICY_UNSPECIFIED`, `ALLOWED`, `DISALLOWED`. | false | true | Shared deployment policy controls whether user applications can run on control plane nodes, impacting security isolation. | DISALLOWED | ALLOWED (reduces security isolation) | ### system_addons_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `ingress` | Config for the Ingress add-on which allows customers to create an Ingress object to manage external access to the servers in a cluster. The add-on consists of istiod and istio-ingress. | false | true | Ingress configuration controls external access to cluster services and should be properly secured. | Properly configured ingress with secure VIP settings | Misconfigured or overly permissive ingress settings | ### ingress Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disabled` | Whether Ingress is disabled. | false | true | Disabling ingress when not needed reduces attack surface. | true (when external access not required) | false (when external access not properly secured) | | `ipv4_vip` | Ingress VIP. | false | true | Ingress VIP should use properly scoped IP addresses to prevent unauthorized access. | 192.168.1.100 | 0.0.0.0 (overly permissive) | ### control_plane_encryption Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kms_key` | The Cloud KMS CryptoKey e.g. 
projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey} to use for protecting control plane disks. If not specified, a Google-managed key will be used instead. | false | true | Customer-managed keys provide better control over encryption and access policies. | projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key | Missing or improperly formatted KMS key reference | 
@@ -107,33 +120,39 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra | `kms_status` | (Output) Error status returned by Cloud KMS when using this key. This field may be populated only if `kms_key_state` is not `KMS_KEY_STATE_KEY_AVAILABLE`. If populated, this field contains the error status reported by Cloud KMS. | false | false | Output-only field for KMS error status, no security impact. | None | None | ### admin_users Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `username` | An active Google username. | true | true | Admin usernames should be valid organizational accounts with proper authorization. | authorized.user@company.com | invalid@example.com | ### window Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `recurring_window` | Represents an arbitrary window of time that recurs. | true | true | Recurring windows provide predictable maintenance schedules that can be planned around. | Properly configured recurrence pattern | Missing or invalid recurrence pattern | ### recurring_window Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `window` | Represents an arbitrary window of time. | false | true | Window timing should align with business low-usage periods to minimize impact. | Proper start and end times during low-usage periods | Window during peak business hours | | `recurrence` | An RRULE (https://tools.ietf.org/html/rfc5545#section-3.8.5.3) for how this window recurs. They go on for the span of time between the start and end time. 
| false | true | Proper recurrence patterns ensure maintenance occurs at predictable intervals. | FREQ=WEEKLY;BYDAY=SA | Missing or invalid recurrence pattern | ### maintenance_exclusions Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `window` | Represents an arbitrary window of time. | false | true | Exclusion windows should be properly defined to prevent maintenance during critical periods. | Properly defined exclusion period | Overly broad exclusion windows | | `id` | A unique (per cluster) id for the window. | false | true | Unique IDs ensure proper tracking and management of maintenance exclusions. | unique-exclusion-id-001 | Duplicate or missing IDs | ### remote Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `node_location` | Name of the Google Distributed Cloud Edge zones where this node pool will be created. For example: `us-central1-edge-customer-a`. | false | true | Remote node location should be in approved zones that meet security and compliance requirements. | us-central1-edge-customer-a | Unapproved or restricted edge zones | ### local Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `node_location` | Name of the Google Distributed Cloud Edge zones where this node pool will be created. For example: `us-central1-edge-customer-a`. | false | true | Local node location should be in approved zones that meet security and compliance requirements. | us-central1-edge-customer-a | Unapproved or restricted edge zones | 
@@ -142,6 +161,7 @@ Reference: [Terraform Registry – edgecontainer_cluster](https://registry.terra | `shared_deployment_policy` | Policy configuration about how user applications are deployed. Possible values are: `SHARED_DEPLOYMENT_POLICY_UNSPECIFIED`, `ALLOWED`, `DISALLOWED`. | false | true | Shared deployment policy controls whether user applications can run on control plane nodes, impacting security isolation and attack surface. | DISALLOWED | ALLOWED (reduces security isolation) | ### ingress Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disabled` | Whether Ingress is disabled. | false | true | Disabling ingress when not needed reduces the attack surface and prevents unauthorized external access. | true (when external access not required) | false (when external access is not properly secured) |
diff --git a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_node_pool.md b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_node_pool.md
index d9dcd0581..a7b518232 100644
--- a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_node_pool.md
+++ b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_node_pool.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – edgecontainer_node_pool](https://registry.ter --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `node_location` | Name of the Google Distributed Cloud Edge zone where this node pool will be created. For example: `us-central1-edge-customer-a`. | true | true | Node location determines the physical and geographical placement of nodes, impacting data residency, latency, and compliance with regional regulations. | us-central1-edge-customer-a (approved zone) | Unapproved or restricted edge zones |
@@ -21,6 +22,7 @@ Reference: [Terraform Registry – edgecontainer_node_pool](https://registry.ter | `project` | If it is not provided, the provider project is used. | false | true | Project selection impacts resource isolation, billing accountability, and access control boundaries. | Proper project reference | Incorrect or unauthorized project | ### local_disk_encryption Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kms_key` | The Cloud KMS CryptoKey e.g. projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey} to use for protecting node local disks. If not specified, a Google-managed key will be used instead. | false | true | Customer-managed keys provide better control over encryption policies, access controls, and key rotation procedures. | projects/my-project/locations/us-central1/keyRings/my-keyring/cryptoKeys/my-key | Missing or improperly formatted KMS key reference | 
@@ -28,6 +30,7 @@ Reference: [Terraform Registry – edgecontainer_node_pool](https://registry.ter | `kms_key_state` | (Output) Availability of the Cloud KMS CryptoKey. If not KEY_AVAILABLE, then nodes may go offline as they cannot access their local data. This can be caused by a lack of permissions to use the key, or if the key is disabled or deleted. | false | false | Output-only field indicating key status, no security impact. | None | None | ### node_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | The Kubernetes node labels. | false | true | Node labels enable proper workload placement, security zoning, and resource management based on security requirements. | security-zone=restricted, environment=production | Missing security labels or incorrect labeling that could lead to improper workload placement |
diff --git a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_vpn_connection.md b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_vpn_connection.md
index 5f83f5e42..1621a6a71 100644
--- a/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_vpn_connection.md
+++ b/docs/gcp/Google_Distributed_Cloud_Edge/edgecontainer_vpn_connection.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – edgecontainer_vpn_connection](https://registr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cluster` | The canonical Cluster name to connect to. It is in the form of projects/{project}/locations/{location}/clusters/{cluster}. | true | true | Proper cluster reference ensures the VPN connection is established with the correct, authorized cluster with appropriate security controls. | projects/my-project/locations/us-central1/clusters/my-cluster | Incorrect or unauthorized cluster reference |
@@ -21,6 +22,7 @@ Reference: [Terraform Registry – edgecontainer_vpn_connection](https://registr | `project` | If it is not provided, the provider project is used. | false | true | Project selection impacts resource isolation, billing accountability, and access control boundaries for the VPN connection. | Proper project reference | Incorrect or unauthorized project | ### vpc_project Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project_id` | The project of the VPC to connect to. If not specified, it is the same as the cluster project. | false | true | Project ID must reference an authorized project with proper security controls and network policies. | authorized-vpc-project | Unauthorized or incorrect project reference |
diff --git a/docs/gcp/Identity-Aware_Proxy/iap_app_engine_service_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_app_engine_service_iam.md
index 48d5b2347..34602cb43 100644
--- a/docs/gcp/Identity-Aware_Proxy/iap_app_engine_service_iam.md
+++ b/docs/gcp/Identity-Aware_Proxy/iap_app_engine_service_iam.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_app_engine_service_iam](https://registry. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `app_id` | App Engine application ID used in the IAP resource path (typically the project ID). Identifies which App Engine app’s service IAM is being managed. | true | true | Must point to the correct application; mis-scoping could attach IAM to the wrong app. | app_id = "my-gcp-project" | app_id = "" |
@@ -18,6 +19,7 @@ Reference: [Terraform Registry – iap_app_engine_service_iam](https://registry. | `condition` | Optional IAM Condition block to scope the binding (for example, by host/path/time/device). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OnlyProd" expression = "request.host == 'app.example.com'" description = "Limit to prod host" } | condition { } (missing required fields) or an empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.host == 'app.example.com'" | expression = "" |
diff --git a/docs/gcp/Identity-Aware_Proxy/iap_app_engine_version_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_app_engine_version_iam.md
index 048250b48..69670c53b 100644
--- a/docs/gcp/Identity-Aware_Proxy/iap_app_engine_version_iam.md
+++ b/docs/gcp/Identity-Aware_Proxy/iap_app_engine_version_iam.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_app_engine_version_iam](https://registry. --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `app_id` | App Engine application ID used in the IAP resource path (typically the project ID). Identifies which App Engine app’s **version** IAM is managed. | true | true | Must point to the correct application; mis-scoping could attach IAM to the wrong app. | app_id = "my-gcp-project" | app_id = "" |
@@ -19,6 +20,7 @@ Reference: [Terraform Registry – iap_app_engine_version_iam](https://registry. | `condition` | Optional IAM Condition block to scope the binding (for example, by host/path/time/device). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OnlyProd" expression = "request.host == 'app.example.com'" description = "Limit to prod host" } | condition { } (missing required fields) or an empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.host == 'app.example.com'" | expression = "" |
diff --git a/docs/gcp/Identity-Aware_Proxy/iap_brand.md b/docs/gcp/Identity-Aware_Proxy/iap_brand.md
index 26eea520e..f6076b7ad 100644
--- a/docs/gcp/Identity-Aware_Proxy/iap_brand.md
+++ b/docs/gcp/Identity-Aware_Proxy/iap_brand.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_brand](https://registry.terraform.io/prov --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `support_email` | Support email displayed on the OAuth consent screen. Can be a user or group email. If a user email is specified, the caller must be that user. If a group email is specified, the caller can be a user or a service account that owns the group in Cloud Identity. | true | true | A corporate mailbox helps users reach the right owner and prevents phishing/confusion from public/vendor addresses. | support_email = "support@example.com" | support_email = "support@gmail.com" / "help@vendor.io" / "support@example.com " |
diff --git a/docs/gcp/Identity-Aware_Proxy/iap_client.md b/docs/gcp/Identity-Aware_Proxy/iap_client.md
index 1af95fa46..a9296c049 100644
--- a/docs/gcp/Identity-Aware_Proxy/iap_client.md
+++ b/docs/gcp/Identity-Aware_Proxy/iap_client.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_client](https://registry.terraform.io/pro --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | Human-friendly name shown for the OAuth client. | true | true | Clear, production-ready names reduce user confusion on the consent screen and avoid test/generic labels. | display_name = "Customer Portal OAuth Client" | display_name = "Test" / "Demo" / "App" / "Customer Portal OAuth Client " (trailing space) |
diff --git a/docs/gcp/Identity-Aware_Proxy/iap_settings.md b/docs/gcp/Identity-Aware_Proxy/iap_settings.md
index 0b76eb61c..1fc2e3be2 100644
--- a/docs/gcp/Identity-Aware_Proxy/iap_settings.md 
+++ b/docs/gcp/Identity-Aware_Proxy/iap_settings.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The resource name of the IAP protected resource. Name can have below resources: * organizations/{organization_id} * folders/{folder_id} * projects/{project_id} * projects/{project_id}/iap_web * projects/{project_id}/iap_web/compute * projects/{project_id}/iap_web/compute-{region} * projects/{project_id}/iap_web/compute/services/{service_id} * projects/{project_id}/iap_web/compute-{region}/services/{service_id} * projects/{project_id}/iap_web/appengine-{app_id} * projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id} * projects/{project_id}/iap_web/appengine-{app_id}/services/{service_id}/version/{version_id} | true | true | This path defines which surface is protected by the settings. A wrong or malformed name applies settings to the wrong scope. | name = "projects/my-gcp-project/iap_web" or "projects/my-gcp-project/iap_web/appengine-myapp/services/default" | name = "projects/my-gcp-project" (missing iap_web segment) or "projects/my-gcp-project/iap_web/compute/services/" (empty service_id) | 
@@ -24,6 +25,7 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `attribute_propagation_settings` | | false | false | None | None | None | ### access_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gcip_settings` | GCIP claims and endpoint configurations for 3p identity providers. * Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application. Structure is [documented below](#nested_access_settings_gcip_settings). | false | false | None | None | None | 
@@ -35,12 +37,14 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `identity_sources` | Identity sources that IAP can use to authenticate the end user. Only one identity source can be configured. The possible values are: * `WORKFORCE_IDENTITY_FEDERATION`: Use external identities set up on Google Cloud Workforce Identity Federation. Each value may be one of: `WORKFORCE_IDENTITY_FEDERATION`. | false | false | None | None | None | ### allowed_domains_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `domains` | List of trusted domains. | false | true | Restrict sign-in to the corporate domain only. | domains = ["example.com"] | domains = ["*"], ["gmail.com"], ["yahoo.com"] | | `enable` | Configuration for customers to opt in for the feature. | false | true | Allowed Domains must be enabled to take effect. | enable = true | enable = false | ### application_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `csm_settings` | Settings to configure IAP's behavior for a service mesh. Structure is [documented below](#nested_application_settings_csm_settings). | false | false | None | None | None | 
@@ -49,23 +53,27 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `attribute_propagation_settings` | Settings to configure attribute propagation. Structure is [documented below](#nested_application_settings_attribute_propagation_settings). | false | false | None | None | None | ### gcip_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `tenant_ids` | GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string beginning with a number character to indicate authenticating with GCIP tenant flow, or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow is used, tenantIds should only contain one single element, while for tenant flow, tenantIds can contain multiple elements. | false | false | None | None | None | | `login_page_uri` | Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it could be overridden at the sub resource level. | false | false | None | None | None | ### cors_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_http_options` | Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests. | false | false | None | None | None | ### oauth_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `login_hint` | Domain hint to send as hd=? parameter in OAuth request flow. Enables redirect to primary IDP by skipping Google's login screen. 
(https://developers.google.com/identity/protocols/OpenIDConnect#hd-param) Note: IAP does not verify that the id token's hd claim matches this value since access behavior is managed by IAM policies. * loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain. | false | false | None | None | None | | `programmatic_clients` | List of client ids allowed to use IAP programmatically. | false | false | None | None | None | ### reauth_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `method` | Reauth method requested. The possible values are: * `LOGIN`: Prompts the user to log in again. * `SECURE_KEY`: User must use their secure key 2nd factor device. * `ENROLLED_SECOND_FACTORS`: User can use any enabled 2nd factor. Possible values are: `LOGIN`, `SECURE_KEY`, `ENROLLED_SECOND_FACTORS`. | true | false | None | None | None | 
@@ -73,18 +81,21 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `policy_type` | How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. The possible values are: * `MINIMUM`: This policy acts as a minimum to other policies, lower in the hierarchy. Effective policy may only be the same or stricter. * `DEFAULT`: This policy acts as a default if no other reauth policy is set. Possible values are: `MINIMUM`, `DEFAULT`. | true | false | None | None | None | ### allowed_domains_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `domains` | List of trusted domains. | false | true | Restrict sign-in to the corporate domain only. | domains = ["example.com"] | domains = ["*"], ["gmail.com"], ["yahoo.com"] | | `enable` | Configuration for customers to opt in for the feature. | false | true | Allowed Domains must be enabled to take effect. | enable = true | enable = false | ### workforce_identity_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `workforce_pools` | The workforce pool resources. Only one workforce pool is accepted. | false | false | None | None | None | | `oauth2` | OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity federation services. Structure is [documented below](#nested_access_settings_workforce_identity_settings_oauth2). 
| false | false | None | None | None | ### oauth2 Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `client_id` | The OAuth 2.0 client ID registered in the workforce identity federation OAuth 2.0 Server. | false | false | None | None | None |
@@ -92,11 +103,13 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `client_secret_sha256` | (Output) Output only. SHA256 hash value for the client secret. This field is returned by IAP when the settings are retrieved. | false | false | None | None | None | ### csm_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `rctoken_aud` | Audience claim set in the generated RCToken. This value is not validated by IAP. | false | false | None | None | None | ### access_denied_page_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `access_denied_page_uri` | The URI to be redirected to when access is denied. | false | false | None | None | None | 
@@ -104,6 +117,7 @@ Reference: [Terraform Registry – iap_settings](https://registry.terraform.io/p | `remediation_token_generation_enabled` | Whether to generate remediation token on access denied events to this application. | false | false | None | None | None | ### attribute_propagation_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `output_credentials` | Which output credentials attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. Possible values are: * `HEADER`: Propagate attributes in the headers with "x-goog-iap-attr-" prefix. * `JWT`: Propagate attributes in the JWT of the form: "additional_claims": { "my_attribute": ["value1", "value2"] } * `RCTOKEN`: Propagate attributes in the RCToken of the form: " additional_claims": { "my_attribute": ["value1", "value2"] } Each value may be one of: `HEADER`, `JWT`, `RCTOKEN`. | false | false | None | None | None |
diff --git a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group.md b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group.md
index c64f262e7..5c7a93b7e 100644
--- a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group.md
+++ b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_tunnel_dest_group](https://registry.terra --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `group_name` | Unique tunnel destination group name. | true | true | Clear, unique names avoid misrouting and make reviews/audits easier. | group_name = "corp-admin-tcp" | group_name = "test" / "" / "corp-admin-tcp " (trailing space) | 
diff --git a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group_iam.md
index ef4d0dc8c..052f716b4 100644
--- a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group_iam.md
+++ b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_dest_group_iam.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_tunnel_dest_group_iam](https://registry.t --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `region` | Region of the IAP TCP destination group. If omitted, it is parsed from the parent identifier or taken from the provider configuration. | false | true | Ensures the binding is applied in the intended location; a mismatch can grant access in the wrong region. | region = "australia-southeast1" | region = "" or a region that does not match the parent resource | 
@@ -18,6 +19,7 @@ Reference: [Terraform Registry – iap_tunnel_dest_group_iam](https://registry.t | `condition` | Optional IAM Condition block to scope the binding (for example, by source IP, time, or device attributes when evaluated by the proxy). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" description = "Limit tunnel use to office hours" } | condition { } (missing required fields) or an empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.client_ip.startsWith('10.0.')" | expression = "" |
diff --git a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_iam.md
index d88640c28..c8186b7c8 100644
--- a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_iam.md
+++ b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_iam.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_tunnel_iam](https://registry.terraform.io --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | If not provided, the project is parsed from the parent identifier; if missing there too, the provider project is used. | false | true | Ensures the binding is applied to the intended tenant; mismatches can grant access in the wrong project. | project = "my-gcp-project" (matches provider/parent context) | project = "other-project" while parent/provider point elsewhere | 
@@ -16,6 +17,7 @@ Reference: [Terraform Registry – iap_tunnel_iam](https://registry.terraform.io | `condition` | Optional IAM Condition to scope the binding (e.g., by source IP, time, or device attributes when evaluated). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" description = "Restrict tunnel use to office hours" } | condition { } (missing required fields) or an empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.client_ip.startsWith('10.0.')" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_instance_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_instance_iam.md index b036b993b..2f59a706e 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_tunnel_instance_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_tunnel_instance_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_tunnel_instance_iam](https://registry.ter --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `zone` | Zone of the Compute Engine instance. If omitted, parsed from the parent identifier; otherwise taken from the provider configuration. | false | true | Must match the instance’s actual zone so the binding targets the correct resource. | zone = "australia-southeast1-b" | zone = "us-central1-a" while the instance is in "australia-southeast1-b" | 
@@ -18,6 +19,7 @@ Reference: [Terraform Registry – iap_tunnel_instance_iam](https://registry.ter | `condition` | Optional IAM Condition to scope the binding (e.g., by source IP, time, or device attributes when evaluated). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" description = "Restrict tunnel use to office hours" } | condition { } (missing required fields) or an empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression evaluated to determine if the binding applies. | true | true | A non-empty, precise expression is required for the condition to function. | expression = "request.client_ip.startsWith('10.0.')" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_backend_service_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_backend_service_iam.md index 3b2bbd414..5da81722d 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_backend_service_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_backend_service_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_web_backend_service_iam](https://registry --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `web_backend_service` | Name of the backend service to bind with IAP Web IAM. | true | true | Scopes the IAM binding to a specific HTTPS backend. Pointing at the wrong service can expose an unintended or sensitive admin surface. | web_backend_service = "orders-edge-iap" | web_backend_service = "grafana" / "kibana" (admin consoles) or empty/typo value | 
@@ -17,6 +18,7 @@ Reference: [Terraform Registry – iap_web_backend_service_iam](https://registry | `condition` | Structure is documented below. --- | false | true | IAM Conditions reduce blast radius by scoping access (time, path/host, device context). | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_cloud_run_service_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_cloud_run_service_iam.md index fda9a9b42..f721b4e65 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_cloud_run_service_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_cloud_run_service_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_web_cloud_run_service_iam](https://regist --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | Region of the Cloud Run service. If omitted, it is parsed from the parent identifier; otherwise taken from the provider configuration. | false | true | Must match the Cloud Run service’s region so the binding targets the correct resource. | location = "australia-southeast1" | location = "us-east1" while the service is deployed in "australia-southeast1" | 
@@ -18,6 +19,7 @@ Reference: [Terraform Registry – iap_web_cloud_run_service_iam](https://regist | `condition` | Optional IAM Condition to scope the binding (e.g., by request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_iam.md index ebccf4a05..a18ceda49 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_web_iam](https://registry.terraform.io/pr --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | If not provided, the project is parsed from the parent identifier; if missing there too, the provider project is used. | false | true | Ensures the binding lands in the intended tenant; a mismatch can grant access in the wrong project. | project = "my-gcp-project" (aligned with provider/parent) | project = "other-project" while parent/provider point elsewhere | 
@@ -16,6 +17,7 @@ Reference: [Terraform Registry – iap_web_iam](https://registry.terraform.io/pr | `condition` | Optional IAM Condition to scope the binding (e.g., by request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_region_backend_service_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_region_backend_service_iam.md index b2a073d36..065b54d49 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_region_backend_service_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_region_backend_service_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_web_region_backend_service_iam](https://r --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `region` | Region of the regional backend service. If omitted, it is parsed from the parent identifier; otherwise taken from the provider configuration. | false | true | Must match the backend’s region so the IAM binding targets the correct regional service. | region = "australia-southeast1" | region = "us-east1" while the backend is in "australia-southeast1" | 
@@ -18,6 +19,7 @@ Reference: [Terraform Registry – iap_web_region_backend_service_iam](https://r | `condition` | Optional IAM Condition to scope the binding (e.g., by request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_type_app_engine_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_type_app_engine_iam.md index ca995e97a..53ef85038 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_type_app_engine_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_type_app_engine_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_web_type_app_engine_iam](https://registry --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `app_id` | App Engine application ID used in the IAP resource path (projects/{project}/iap_web/appengine-{app_id}). | true | true | Targets the correct App Engine application for the IAP Web IAM binding; a wrong ID can expose or fail to protect the intended app. | app_id = "my-app" | app_id = "" or an ID that does not exist in the project | 
@@ -17,6 +18,7 @@ Reference: [Terraform Registry – iap_web_type_app_engine_iam](https://registry | `condition` | Optional IAM Condition to scope the binding (e.g., by request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Identity-Aware_Proxy/iap_web_type_compute_iam.md b/docs/gcp/Identity-Aware_Proxy/iap_web_type_compute_iam.md index c296fbaef..ab8b7a1ef 100644 --- a/docs/gcp/Identity-Aware_Proxy/iap_web_type_compute_iam.md +++ b/docs/gcp/Identity-Aware_Proxy/iap_web_type_compute_iam.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – iap_web_type_compute_iam](https://registry.te --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `project` | If not provided, the project is parsed from the parent identifier; if missing there too, the provider project is used. | false | true | Ensures the binding lands in the intended tenant; a mismatch can grant access in the wrong project. | project = "my-gcp-project" (aligned with provider/parent) | project = "other-project" while parent/provider point elsewhere | 
@@ -16,6 +17,7 @@ Reference: [Terraform Registry – iap_web_type_compute_iam](https://registry.te | `condition` | Optional IAM Condition to scope the binding (e.g., request host/path, time, or device context). | false | true | Reduces blast radius by restricting when/where the binding applies. | condition { title = "OfficeHours" description = "Limit access to business hours" expression = "request.time.getHours() >= 8 && request.time.getHours() < 18" } | Empty condition block or empty expression | ### condition Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `expression` | CEL expression that decides when the binding applies. | true | true | Must be specific and non-empty to be effective. | expression = "request.host == 'app.example.com'" | expression = "" | diff --git a/docs/gcp/Managed_Kafka/managed_kafka_acl.md b/docs/gcp/Managed_Kafka/managed_kafka_acl.md index 96ff4c70b..a337e9eea 100644 --- a/docs/gcp/Managed_Kafka/managed_kafka_acl.md +++ b/docs/gcp/Managed_Kafka/managed_kafka_acl.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – managed_kafka_acl](https://registry.terraform --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `acl_entries` | The acl entries that apply to the resource pattern. The maximum number of allowed entries is 100. Structure is [documented below](#nested_acl_entries). | true | true | ACLs are used to control access to Kafka resources, ensuring that only authorized users can perform specific operations. Properly configured ACLs help maintain the security and integrity of the Kafka environment by preventing unauthorized access and potential data breaches. | ['User:specific-user@project.iam.gserviceaccount.com', 'permission_type: ALLOW', 'operation: READ or WRITE'] | ['User:*', 'permission_type: ALLOW', 'operation: ALL'] | 
@@ -16,6 +17,7 @@ Reference: [Terraform Registry – managed_kafka_acl](https://registry.terraform | `project` | If it is not provided, the provider project is used. | false | false | Project identifier used for resource scoping; does not define security posture of the resource. | none | none | ### acl_entries Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `principal` | The principal. Specified as Google Cloud account, with the Kafka StandardAuthorizer prefix User:". For example: "User:test-kafka-client@test-project.iam.gserviceaccount.com". Can be the wildcard "User:*" to refer to all users. | true | true | Specifying the principal is crucial for defining who has access to Kafka resources. Using specific user accounts enhances security by limiting access to authorized individuals, while using wildcards can expose resources to unauthorized access. | ['User:app-client@project.iam.gserviceaccount.com'] | ['User:*'] | diff --git a/docs/gcp/Managed_Kafka/managed_kafka_cluster.md b/docs/gcp/Managed_Kafka/managed_kafka_cluster.md index da323d531..2d79ec935 100644 --- a/docs/gcp/Managed_Kafka/managed_kafka_cluster.md +++ b/docs/gcp/Managed_Kafka/managed_kafka_cluster.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – managed_kafka_cluster](https://registry.terra --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gcp_config` | Configuration properties for a Kafka cluster deployed to Google Cloud Platform. | true | true | Defines networking and encryption aspects that directly affect cluster confidentiality and access controls. | ['Internal subnets defined', 'KMS key specified'] | ['Public access', 'Missing KMS key'] | 
@@ -15,24 +16,28 @@ Reference: [Terraform Registry – managed_kafka_cluster](https://registry.terra | `network_configs` | Defines the subnets where the Kafka cluster is accessible. | true | true | Improper subnet configuration can expose cluster externally. | ['Private subnet from secure VPC'] | ['Public subnet or undefined'] | ### gcp_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `access_config` | The configuration of access to the Kafka cluster. | true | true | Improper access can expose internal systems. | ['Restricts access to internal subnets'] | ['Open public access'] | | `kms_key` | The Cloud KMS Key name to use for encryption. | false | true | Ensures data-at-rest encryption compliance. | ['Valid CMK from same-region KMS'] | ['KMS not used or wrongly scoped'] | ### capacity_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `vcpu_count` | The number of vCPUs to provision for the cluster. The minimum is 3. | true | true | Low vCPU count may affect availability under load. | ['3 or more vCPUs'] | ['< 3 vCPUs'] | | `memory_bytes` | The memory to provision for the cluster in bytes (1 GiB to 8 GiB per vCPU). | true | true | Too little or too much memory allocation can destabilize workloads. | ['Between 1-8 GiB per vCPU'] | ['Outside supported range'] | ### tls_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `trust_config` | The configuration of the broker truststore. | false | true | Validates identities through certificate chains. 
| ['Defined with trusted CA pools'] | ['Omitted or invalid trust store'] | | `ssl_principal_mapping_rules` | Rules for mapping mTLS certificate DNs to principal names for Kafka ACLs. | false | true | Weak or default rules may allow identity spoofing. | ['Explicit mapping using regex'] | ['Defaults or overly broad patterns'] | ### network_configs Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `subnet` | Name of the VPC subnet. | true | true | Subnets influence traffic routing and access visibility. | ['Private subnet in isolated VPC'] | ['Untrusted or shared subnet'] | diff --git a/docs/gcp/Managed_Kafka/managed_kafka_connect_cluster.md b/docs/gcp/Managed_Kafka/managed_kafka_connect_cluster.md index 3714136f7..c762048f7 100644 --- a/docs/gcp/Managed_Kafka/managed_kafka_connect_cluster.md +++ b/docs/gcp/Managed_Kafka/managed_kafka_connect_cluster.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – managed_kafka_connect_cluster](https://regist --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `kafka_cluster` | The name of the Kafka cluster this Kafka Connect cluster is attached to. Structured like: `projects/PROJECT_ID/locations/LOCATION/clusters/CLUSTER_ID`. | true | false | Used for attachment reference; does not directly impact access or data protection. | [] | [] | 
@@ -20,22 +21,26 @@ Reference: [Terraform Registry – managed_kafka_connect_cluster](https://regist | `network_configs` | | false | true | Defines networking for PSC interfaces, which affect secure access. | ['Primary and additional subnets from approved VPC'] | ['No subnet or misconfigured region/VPC'] | ### capacity_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `vcpu_count` | The number of vCPUs to provision for the cluster. The minimum is 3. | true | false | Affects performance but not confidentiality or integrity. | ['3 or more vCPUs'] | ['Less than 3 vCPUs'] | | `memory_bytes` | The memory to provision for the cluster. CPU:Memory ratio must be between 1:1 and 1:8. | true | false | Availability concern rather than access/security. | ['Ratio within 1:1 to 1:8'] | ['Outside defined ratio'] | ### gcp_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `access_config` | Access configuration for the Kafka Connect cluster. | true | true | Controls how the Connect cluster is accessed. Improper setup risks exposure. | ['Subnets from secure VPC only'] | ['Public or overly permissive settings'] | ### access_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `network_configs` | VPC subnets used for Kafka Connect cluster. | true | true | Defines network isolation. Insecure subnet increases exposure. 
| ['Private subnets with PSC'] | ['Public subnets'] | ### network_configs Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `primary_subnet` | Primary VPC subnet used for PSC interface. | true | true | Defines where traffic is routed from/to. Impacts exposure level. | ['Private RFC1918 subnet with /22 or larger'] | ['Shared or public subnets', 'CIDR < /22'] | diff --git a/docs/gcp/Managed_Kafka/managed_kafka_connector.md b/docs/gcp/Managed_Kafka/managed_kafka_connector.md index cfd94797b..d0501d234 100644 --- a/docs/gcp/Managed_Kafka/managed_kafka_connector.md +++ b/docs/gcp/Managed_Kafka/managed_kafka_connector.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – managed_kafka_connector](https://registry.ter --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | ID of the location of the Kafka Connect resource. | true | false | Defines geographic location; does not affect access or data protection. | none | none | @@ -17,6 +18,7 @@ Reference: [Terraform Registry – managed_kafka_connector](https://registry.ter | `project` | If it is not provided, the provider project is used. | false | false | Resource scoping identifier; does not influence security directly. | none | none | ### task_restart_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `minimum_backoff` | Minimum time to wait before retrying a failed task. Example: "3.5s". | false | false | Availability-related; does not directly influence security posture. | [] | [] | 
diff --git a/docs/gcp/Managed_Kafka/managed_kafka_topic.md b/docs/gcp/Managed_Kafka/managed_kafka_topic.md index 2a4a6d533..96300ff47 100644 --- a/docs/gcp/Managed_Kafka/managed_kafka_topic.md +++ b/docs/gcp/Managed_Kafka/managed_kafka_topic.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – managed_kafka_topic](https://registry.terrafo --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `replication_factor` | The number of replicas of each partition. A replication factor of 3 is recommended for high availability. | true | true | Ensures data availability and fault tolerance. Lower replication factors increase the risk of data loss during failures. | ['replication_factor: 3 or more'] | ['replication_factor: 1'] | diff --git a/docs/gcp/Memcache/memcache_instance.md b/docs/gcp/Memcache/memcache_instance.md index 1cf70530a..92a5cf350 100644 --- a/docs/gcp/Memcache/memcache_instance.md +++ b/docs/gcp/Memcache/memcache_instance.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – memcache_instance](https://registry.terraform --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The resource name of the instance. | true | false | None | None | None | 
@@ -24,18 +25,21 @@ Reference: [Terraform Registry – memcache_instance](https://registry.terraform | `project` | If it is not provided, the provider project is used. | false | false | None | None | None | ### node_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `cpu_count` | Number of CPUs per node. | true | false | None | None | None | | `memory_size_mb` | Memory size in Mebibytes for each memcache node. | true | false | None | None | None | ### memcache_parameters Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | (Output) This is a unique ID associated with this set of parameters. | false | false | None | None | None | | `params` | User-defined set of parameters to use in the memcache process. | false | false | None | None | None | ### maintenance_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `create_time` | (Output) Output only. The time when the policy was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits | false | false | None | None | None | 
@@ -44,6 +48,7 @@ Reference: [Terraform Registry – memcache_instance](https://registry.terraform | `weekly_maintenance_window` | Required. Maintenance window that is applied to resources covered by this policy. Minimum 1. For the current version, the maximum number of weekly_maintenance_windows is expected to be one. Structure is [documented below](#nested_maintenance_policy_weekly_maintenance_window). | true | true | Setting a weekly maintenance window allows administrators to align system updates with low-traffic periods, minimizing operational impact and ensuring service stability. | None | None | ### weekly_maintenance_window Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `day` | Day of the week when the maintenance window starts (e.g., MONDAY, SUNDAY). | true | false | Selecting an appropriate day ensures maintenance does not disrupt peak traffic periods. | ['MONDAY', 'TUESDAY', 'WEDNESDAY', 'THURSDAY', 'FRIDAY', 'SATURDAY', 'SUNDAY'] | [None, '', 'DAY_OF_WEEK_UNSPECIFIED', 3] | 
@@ -51,9 +56,10 @@ Reference: [Terraform Registry – memcache_instance](https://registry.terraform | `duration` | Duration of the maintenance window in seconds. | true | false | Specifying the duration ensures that updates are completed within a controlled timeframe. | 10800s to 28800s | None | ### start_time Block - | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | - |----------|-------------|----------|-----------------|-----------|-----------|---------------| - | `hours` | Hour of the day (0-23). | false | false | Correct hour selection ensures updates align with expected downtime periods. | Integer between 0 - 23 | [-1, 24, 'non-integer values'] | - | `minutes` | Minute of the hour (0-59). | true | false | Precise minute specification helps align maintenance with exact scheduling needs. | Integer between 0 - 59 | [-1, 60, 'non-integer values'] | - | `seconds` | Second of the minute (0-59). | false | false | Seconds allow fine-grained control of the start time, but usually default to 0. | Integer between 0 - 59 | [-1, 60, 'non-integer values'] | - | `nanos` | Fractions of a second in nanoseconds (0-999,999,999). | false | false | Nanosecond precision is rarely required for maintenance windows but ensures full compatibility with GCP TimeOfDay format. | 0 | 999999999 | + + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | + |----------|-------------|----------|-----------------|-----------|-----------|---------------| + | `hours` | Hour of the day (0-23). | false | false | Correct hour selection ensures updates align with expected downtime periods. | Integer between 0 - 23 | [-1, 24, 'non-integer values'] | + | `minutes` | Minute of the hour (0-59). | true | false | Precise minute specification helps align maintenance with exact scheduling needs. | Integer between 0 - 59 | [-1, 60, 'non-integer values'] | + | `seconds` | Second of the minute (0-59). 
| false | false | Seconds allow fine-grained control of the start time, but usually default to 0. | Integer between 0 - 59 | [-1, 60, 'non-integer values'] | + | `nanos` | Fractions of a second in nanoseconds (0-999,999,999). | false | false | Nanosecond precision is rarely required for maintenance windows but ensures full compatibility with GCP TimeOfDay format. | 0 | 999999999 | diff --git a/docs/gcp/Memorystore/memorystore_instance.md b/docs/gcp/Memorystore/memorystore_instance.md index 15792e8bf..fce01afc2 100644 --- a/docs/gcp/Memorystore/memorystore_instance.md +++ b/docs/gcp/Memorystore/memorystore_instance.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `shard_count` | Required. Number of shards for the instance. | true | false | None | None | None | 
@@ -42,12 +43,14 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf | `secondary_instances` | | false | false | None | None | None | ### automated_backup_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `fixed_frequency_schedule` | Trigger automated backups at a fixed frequency. Structure is [documented below](#nested_automated_backup_config_fixed_frequency_schedule). | true | false | None | None | None | | `retention` | How long to keep automated backups before the backups are deleted. The value should be between 1 day and 365 days. If not specified, the default value is 35 days. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s". The default_value is "3024000s" | true | false | None | None | None | ### persistence_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `mode` | Optional. Current persistence mode. Possible values: DISABLED RDB AOF Possible values are: `DISABLED`, `RDB`, `AOF`. | false | false | None | None | None | 
@@ -55,6 +58,7 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf | `aof_config` | Configuration for AOF based persistence. Structure is [documented below](#nested_persistence_config_aof_config). | false | false | None | None | None | ### maintenance_policy Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `create_time` | (Output) The time when the policy was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. | false | false | None | None | None | 
@@ -62,12 +66,14 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf | `weekly_maintenance_window` | Optional. Maintenance window that is applied to resources covered by this policy. Minimum 1. For the current version, the maximum number of weekly_window is expected to be one. Structure is [documented below](#nested_maintenance_policy_weekly_maintenance_window). | false | false | None | None | None | ### zone_distribution_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `zone` | Optional. Defines zone where all resources will be allocated with SINGLE_ZONE mode. Ignored for MULTI_ZONE mode. | false | false | None | None | None | | `mode` | Optional. Current zone distribution mode. Defaults to MULTI_ZONE. Possible values: MULTI_ZONE SINGLE_ZONE Possible values are: `MULTI_ZONE`, `SINGLE_ZONE`. | false | false | None | None | None | ### cross_instance_replication_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `instance_role` | The instance role supports the following values: 1. `INSTANCE_ROLE_UNSPECIFIED`: This is an independent instance that has never participated in cross instance replication. It allows both reads and writes. 2. `NONE`: This is an independent instance that previously participated in cross instance replication(either as a `PRIMARY` or `SECONDARY` cluster). It allows both reads and writes. 3. `PRIMARY`: This instance serves as the replication source for secondary instance that are replicating from it. Any data written to it is automatically replicated to its secondary clusters. It allows both reads and writes. 4. `SECONDARY`: This instance replicates data from the primary instance. It allows only reads. 
Possible values are: `INSTANCE_ROLE_UNSPECIFIED`, `NONE`, `PRIMARY`, `SECONDARY`. | false | false | None | None | None | @@ -77,21 +83,25 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf | `update_time` | (Output) The last time cross instance replication config was updated. | false | false | None | None | None | ### gcs_source Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uris` | URIs of the GCS objects to import. Example: gs://bucket1/object1, gs://bucket2/folder2/object2 | true | false | None | None | None | ### managed_backup_source Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `backup` | Example: `projects/{project}/locations/{location}/backupCollections/{collection}/backups/{backup}`. | true | false | None | None | None | ### fixed_frequency_schedule Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `start_time` | The start time of every automated backup in UTC. It must be set to the start of an hour. This field is required. Structure is [documented below](#nested_automated_backup_config_fixed_frequency_schedule_start_time). | true | false | None | None | None | ### start_time Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `hours` | Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time. | false | false | None | None | None | 
@@ -100,17 +110,20 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf | `nanos` | Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999. | false | false | None | None | None | ### rdb_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `rdb_snapshot_period` | Optional. Period between RDB snapshots. Possible values: ONE_HOUR SIX_HOURS TWELVE_HOURS TWENTY_FOUR_HOURS | false | false | None | None | None | | `rdb_snapshot_start_time` | Optional. Time that the first snapshot was/will be attempted, and to which future snapshots will be aligned. If not provided, the current time will be used. | false | false | None | None | None | ### aof_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `append_fsync` | Optional. The fsync mode. Possible values: NEVER EVERY_SEC ALWAYS | false | false | None | None | None | ### weekly_maintenance_window Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `day` | The day of week that maintenance updates occur. - DAY_OF_WEEK_UNSPECIFIED: The day of the week is unspecified. - MONDAY: Monday - TUESDAY: Tuesday - WEDNESDAY: Wednesday - THURSDAY: Thursday - FRIDAY: Friday - SATURDAY: Saturday - SUNDAY: Sunday Possible values are: `DAY_OF_WEEK_UNSPECIFIED`, `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. | true | false | None | None | None | 
@@ -118,12 +131,14 @@ Reference: [Terraform Registry – memorystore_instance](https://registry.terraf | `start_time` | Start time of the window in UTC time. Structure is [documented below](#nested_maintenance_policy_weekly_maintenance_window_weekly_maintenance_window_start_time). | true | false | None | None | None | ### primary_instance Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `instance` | The full resource path of the primary instance in the format: projects/{project}/locations/{region}/instances/{instance-id} | false | false | None | None | None | | `uid` | (Output) The unique id of the primary instance. | false | false | None | None | None | ### secondary_instances Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `instance` | (Output) The full resource path of the secondary instance in the format: projects/{project}/locations/{region}/instance/{instance-id} | false | false | None | None | None | diff --git a/docs/gcp/Memorystore/memorystore_instance_desired_user_created_endpoints.md b/docs/gcp/Memorystore/memorystore_instance_desired_user_created_endpoints.md index 4ed08c394..fd1827bbb 100644 --- a/docs/gcp/Memorystore/memorystore_instance_desired_user_created_endpoints.md +++ b/docs/gcp/Memorystore/memorystore_instance_desired_user_created_endpoints.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – memorystore_instance_desired_user_created_end --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The name of the Memorystore instance these endpoints should be added to. | true | false | None | None | None | @@ -17,16 +18,19 @@ Reference: [Terraform Registry – memorystore_instance_desired_user_created_end | `psc_connection` | | false | false | None | None | None | ### desired_user_created_endpoints Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `connections` | Structure is [documented below](#nested_desired_user_created_endpoints_desired_user_created_endpoints_connections). | false | false | None | None | None | ### connections Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `psc_connection` | Detailed information of a PSC connection that is created by the customer who owns the cluster. Structure is [documented below](#nested_desired_user_created_endpoints_desired_user_created_endpoints_connections_connections_psc_connection). | false | false | None | None | None | ### psc_connection Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `psc_connection_id` | The PSC connection id of the forwarding rule connected to the service attachment. | true | false | None | None | None | 
diff --git a/docs/gcp/Model_Armor/model_armor_floorsetting.md b/docs/gcp/Model_Armor/model_armor_floorsetting.md index 53f60ccb6..8e0c5a04b 100644 --- a/docs/gcp/Model_Armor/model_armor_floorsetting.md +++ b/docs/gcp/Model_Armor/model_armor_floorsetting.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – model_armor_floorsetting](https://registry.te --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_config` | Filters configuration. Structure is [documented below](#nested_filter_config). | true | true | Central configuration for malicious-URI, Responsible-AI, sensitive-data and prompt-injection filters. Misconfiguration may allow harmful or sensitive content to pass unchecked. | MEDIUM_AND_ABOVE | | @@ -26,6 +27,7 @@ Reference: [Terraform Registry – model_armor_floorsetting](https://registry.te | `multi_language_detection` | | false | false | None | None | None | ### filter_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `malicious_uri_filter_settings` | Malicious URI filter settings. Structure is [documented below](#nested_filter_config_malicious_uri_filter_settings). | false | true | Controls detection of malicious links to prevent data exfiltration and phishing. | filter_enforcement set to ENABLED | filter_enforcement set to DISABLED | 
@@ -34,6 +36,7 @@ Reference: [Terraform Registry – model_armor_floorsetting](https://registry.te | `pi_and_jailbreak_filter_settings` | Prompt injection and Jailbreak Filter settings. Structure is [documented below](#nested_filter_config_pi_and_jailbreak_filter_settings). | false | true | Blocks malicious attempts to override system instructions or leak data. | filter_enforcement set to ENABLED | filter_enforcement set to DISABLED | ### ai_platform_floor_setting Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inspect_only` | If true, Model Armor filters will be run in inspect only mode. No action will be taken on the request. | false | false | None | None | None | 
@@ -41,50 +44,59 @@ Reference: [Terraform Registry – model_armor_floorsetting](https://registry.te | `enable_cloud_logging` | If true, log Model Armor filter results to Cloud Logging. | false | false | None | None | None | ### floor_setting_metadata Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `multi_language_detection` | Metadata for multi language detection. Structure is [documented below](#nested_floor_setting_metadata_multi_language_detection). | false | false | None | None | None | ### malicious_uri_filter_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_enforcement` | Tells whether the Malicious URI filter is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None | ### rai_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `rai_filters` | List of Responsible AI filters enabled for template. Structure is [documented below](#nested_filter_config_rai_settings_rai_filters). | true | false | None | None | None | ### rai_filters Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_type` | Possible values: SEXUALLY_EXPLICIT HATE_SPEECH HARASSMENT DANGEROUS | true | true | Determines which harmful content is blocked. 
| SEXUAL | INVALID_TYPE | | `confidence_level` | Possible values: LOW_AND_ABOVE MEDIUM_AND_ABOVE HIGH | false | true | Higher thresholds reduce false positives but may allow harmful content if too low. | MEDIUM_AND_ABOVE | LOW_ONLY | ### sdp_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `advanced_config` | Sensitive Data Protection Advanced configuration. Structure is [documented below](#nested_filter_config_sdp_settings_advanced_config). | false | false | None | None | None | | `basic_config` | Sensitive Data Protection basic configuration. Structure is [documented below](#nested_filter_config_sdp_settings_basic_config). | false | false | None | None | None | ### advanced_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inspect_template` | Sensitive Data Protection inspect template resource name If only inspect template is provided (de-identify template not provided), then Sensitive Data Protection InspectContent action is performed during Sanitization. All Sensitive Data Protection findings identified during inspection will be returned as SdpFinding in SdpInsepctionResult. e.g:- `projects/{project}/locations/{location}/inspectTemplates/{inspect_template}` | false | false | None | None | None | | `deidentify_template` | Optional Sensitive Data Protection Deidentify template resource name. If provided then DeidentifyContent action is performed during Sanitization using this template and inspect template. The De-identified data will be returned in SdpDeidentifyResult. Note that all info-types present in the deidentify template must be present in inspect template. e.g. 
`projects/{project}/locations/{location}/deidentifyTemplates/{deidentify_template}` | false | false | None | None | None | ### basic_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_enforcement` | Tells whether the Sensitive Data Protection basic config is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None | ### pi_and_jailbreak_filter_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_enforcement` | Tells whether Prompt injection and Jailbreak filter is enabled or disabled. Possible values: ENABLED DISABLED | false | true | Disabling increases risk of prompt manipulation. | ENABLED | DISABLED | | `confidence_level` | Possible values: LOW_AND_ABOVE MEDIUM_AND_ABOVE HIGH | false | true | Determines sensitivity to possible prompt injection attempts. | MEDIUM_AND_ABOVE | HIGH | ### multi_language_detection Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enable_multi_language_detection` | If true, multi language detection will be enabled. | true | false | None | None | None | diff --git a/docs/gcp/Model_Armor/model_armor_template.md b/docs/gcp/Model_Armor/model_armor_template.md index 6705ac937..945d0d65a 100644 --- a/docs/gcp/Model_Armor/model_armor_template.md +++ b/docs/gcp/Model_Armor/model_armor_template.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – model_armor_template](https://registry.terraf --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_config` | Filters configuration. Structure is [documented below](#nested_filter_config). | true | true | Controls which filters (malicious URI, Responsible AI, sensitive data, prompt-injection) are active. Misconfiguration could allow harmful or sensitive data to pass unchecked. | Properly configured filters covering all required categories. | Filters disabled or missing critical protections. | @@ -25,6 +26,7 @@ Reference: [Terraform Registry – model_armor_template](https://registry.terraf | `multi_language_detection` | | false | false | None | None | None | ### filter_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `malicious_uri_filter_settings` | Malicious URI filter settings. Structure is [documented below](#nested_filter_config_malicious_uri_filter_settings). | false | true | Prevents injection of malicious URLs. Disabling increases phishing or malware risk. | filter_enforcement set to ENABLED. | filter_enforcement set to DISABLED. | 
@@ -33,6 +35,7 @@ Reference: [Terraform Registry – model_armor_template](https://registry.terraf | `pi_and_jailbreak_filter_settings` | Prompt injection and Jailbreak Filter settings. Structure is [documented below](#nested_filter_config_pi_and_jailbreak_filter_settings). | false | true | Blocks attempts to override safeguards or exfiltrate data via prompt injection. | filter_enforcement set to ENABLED. | filter_enforcement set to DISABLED. | ### template_metadata Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `log_template_operations` | If true, log template crud operations. | false | false | None | None | None | 
@@ -46,45 +49,53 @@ Reference: [Terraform Registry – model_armor_template](https://registry.terraf | `enforcement_type` | Possible values: INSPECT_ONLY INSPECT_AND_BLOCK | false | false | None | None | None | ### malicious_uri_filter_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_enforcement` | Tells whether the Malicious URI filter is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None | ### rai_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `rai_filters` | List of Responsible AI filters enabled for template. Structure is [documented below](#nested_filter_config_rai_settings_rai_filters). | true | false | None | None | None | ### rai_filters Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_type` | Possible values: SEXUALLY_EXPLICIT HATE_SPEECH HARASSMENT DANGEROUS | true | true | Specifies which harmful content categories to filter. Omitting critical categories can allow unsafe output. | Includes all required categories (e.g., SEXUALLY_EXPLICIT, HATE_SPEECH, HARASSMENT, DANGEROUS). | Missing any mandated category or set incorrectly. | | `confidence_level` | Possible values: LOW_AND_ABOVE MEDIUM_AND_ABOVE HIGH | false | true | Determines sensitivity of detection. Too low can allow harmful content through; too high can overblock legitimate content. | Configured to MEDIUM_AND_ABOVE or higher per policy. 
| LOW_ONLY | ### sdp_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `advanced_config` | Sensitive Data Protection Advanced configuration. Structure is [documented below](#nested_filter_config_sdp_settings_advanced_config). | false | false | None | None | None | | `basic_config` | Sensitive Data Protection basic configuration. Structure is [documented below](#nested_filter_config_sdp_settings_basic_config). | false | false | None | None | None | ### advanced_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inspect_template` | Sensitive Data Protection inspect template resource name If only inspect template is provided (de-identify template not provided), then Sensitive Data Protection InspectContent action is performed during Sanitization. All Sensitive Data Protection findings identified during inspection will be returned as SdpFinding in SdpInsepctionResult. e.g:- `projects/{project}/locations/{location}/inspectTemplates/{inspect_template}` | false | false | None | None | None | | `deidentify_template` | Optional Sensitive Data Protection Deidentify template resource name. If provided then DeidentifyContent action is performed during Sanitization using this template and inspect template. The De-identified data will be returned in SdpDeidentifyResult. Note that all info-types present in the deidentify template must be present in inspect template. e.g. 
`projects/{project}/locations/{location}/deidentifyTemplates/{deidentify_template}` | false | false | None | None | None | ### basic_config Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_enforcement` | Tells whether the Sensitive Data Protection basic config is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None | ### pi_and_jailbreak_filter_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `filter_enforcement` | Tells whether Prompt injection and Jailbreak filter is enabled or disabled. Possible values: ENABLED DISABLED | false | false | None | None | None | | `confidence_level` | Possible values: LOW_AND_ABOVE MEDIUM_AND_ABOVE HIGH | false | false | None | None | None | ### multi_language_detection Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `enable_multi_language_detection` | If true, multi language detection will be enabled. | true | false | None | None | None | diff --git a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator.md b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator.md index c766aa5dc..e77f7c78e 100644 --- a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator.md +++ b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `action` | Required. Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist | true | true | Users cannot perform high-impact operations without escalated approval | ['UPSERT'] | ['DELETE'] | 
@@ -50,22 +51,26 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `location_selector` | | false | false | None | None | None | ### orchestrated_resource Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_policy_assignment_v1_payload` | OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload). | false | true | Maintains security policy structure and prevents malformed configurations | None | None | | `id` | Optional. ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation. 
| false | false | None | None | None | ### orchestration_scope Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `selectors` | Optional. Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource. Structure is [documented below](#nested_orchestration_scope_selectors). | false | true | Provides security controls for determining which resources meet selection criteria. | None | None | ### labels Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `environment` | Optional. The environment label is a key that can be used to distinguish between different deployment environments such as 'development', 'staging', and 'production'. | false | true | Facilitates environment-specific security policies, ensuring that production environments have stricter controls compared to development or staging. | ['test'] | ['dev', 'prod'] | ### os_policy_assignment_v1_payload Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uid` | (Output) Output only. Server generated unique id for the OS policy assignment resource. | false | false | None | None | None | 
@@ -82,6 +87,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg | `reconciling` | (Output) Output only. Indicates that reconciliation is in progress for the revision. This value is `true` when the `rollout_state` is one of: * IN_PROGRESS * CANCELLING | false | false | None | None | None | ### os_policies Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `mode` | Required. Policy mode Possible values: MODE_UNSPECIFIED VALIDATION ENFORCEMENT | true | true | Ensures conscious decision-making about policy impact levels | ['VALIDATION', 'ENFORCEMENT'] | ['MODE_UNSPECIFIED'] | 
@@ -91,18 +97,21 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `description` | Policy description. Length of the description is limited to 1024 characters. | false | false | None | None | None |
 
 ### resource_groups Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `inventory_filters` | List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name='rhel' and inventory_filters[1].os_short_name='centos' If the list is empty, this resource group will be applied to the target VM unconditionally. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_inventory_filters). | false | false | None | None | None |
 | `resources` | Required. List of resources configured for this resource group. The resources are executed in the exact order specified here. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources). | true | true | Enables fine-grained security controls at the resource level | None | None |
 
 ### inventory_filters Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `os_short_name` | Required. The OS short name | true | false | None | None | None |
 | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None |
 
 ### resources Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `repository` | A resource that manages a package repository. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository). | false | true | Maintains security through controlled software distribution channels | None | None |
@@ -112,6 +121,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `pkg` | A resource that manages a system package. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg). | false | false | None | None | None |
 
 ### repository Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `yum` | Represents a single yum package repository. These are added to a repo file that is managed at `/etc/yum.repos.d/google_osconfig.repo`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_yum). | false | false | None | None | None |
@@ -120,6 +130,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `apt` | Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_apt). | false | true | Enforces consistent package management across Debian systems. | None | None |
 
 ### yum Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts. | true | false | None | None | None |
@@ -129,6 +140,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `name` | Required. Package name. | true | false | None | None | None |
 
 ### zypper Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts. | true | false | None | None | None |
@@ -138,12 +150,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `name` | Required. Package name. | true | false | None | None | None |
 
 ### goo Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | Required. The name of the repository. | true | false | None | None | None |
 | `url` | Required. The url of the repository. | true | false | None | None | None |
 
 ### apt Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `uri` | Required. URI for this repository. | true | false | None | None | None |
@@ -154,12 +168,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `name` | Required. Package name. | true | false | None | None | None |
 
 ### exec Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `enforce` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce). | false | false | None | None | None |
 | `validate` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate). | true | false | None | None | None |
 
 ### enforce Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `script` | An inline script. The size of the script is limited to 32KiB. | false | false | None | None | None |
@@ -169,6 +185,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `file` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce_file). | false | false | None | None | None |
 
 ### file Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `remote` | Specifies a file available via some URI. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_file_file_remote). | false | false | None | None | None |
@@ -182,12 +199,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `permissions` | Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 | false | false | None | None | None |
 
 ### remote Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `uri` | Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`. | true | false | None | None | None |
 | `sha256_checksum` | SHA256 checksum of the remote file. | false | false | None | None | None |
 
 ### gcs Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | Required. Bucket of the Cloud Storage object. | true | false | None | None | None |
@@ -195,6 +214,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `generation` | Generation number of the Cloud Storage object. | false | false | None | None | None |
 
 ### validate Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `file` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate_file). | false | false | None | None | None |
@@ -204,6 +224,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `output_file_path` | Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes. | false | false | None | None | None |
 
 ### pkg Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `msi` | An MSI package. MSI packages only support INSTALLED state. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi). | false | false | None | None | None |
@@ -216,12 +237,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `googet` | A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_googet). | false | false | None | None | None |
 
 ### msi Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi_source). | true | false | None | None | None |
 | `properties` | Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`. | false | false | None | None | None |
 
 ### source Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `gcs` | Specifies a file available as a Cloud Storage Object. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source_gcs). | false | false | None | None | None |
@@ -230,23 +253,27 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `remote` | Specifies a file available via some URI. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source_remote). | false | false | None | None | None |
 
 ### deb Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_deb_source). | true | false | None | None | None |
 | `pull_deps` | Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update && apt-get -y install package.deb` | false | false | None | None | None |
 
 ### rpm Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source). | true | false | None | None | None |
 | `pull_deps` | Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm` | false | false | None | None | None |
 
 ### googet Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | Required. Package name. | true | false | None | None | None |
 
 ### instance_filter Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `inclusion_labels` | List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_instance_filter_inclusion_labels). | false | false | None | None | None |
@@ -255,46 +282,54 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator](https://reg
 | `all` | Target all VMs in the project. If true, no other criteria is permitted. | false | false | None | None | None |
 
 ### inclusion_labels Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None |
 
 ### exclusion_labels Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None |
 
 ### inventories Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `os_short_name` | Required. The OS short name | true | false | Enforces consistent OS platform security across all managed instances. | ['debian'] | ['windows'] |
 | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None |
 
 ### rollout Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `disruption_budget` | Message encapsulating a value that can be either absolute ("fixed") or relative ("percent") to a value. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_rollout_disruption_budget). | true | false | None | None | None |
 | `min_wait_duration` | Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied. | true | false | None | None | None |
 
 ### disruption_budget Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `fixed` | Specifies a fixed value. | false | false | None | None | None |
 | `percent` | Specifies the relative value defined as a percentage, which will be multiplied by a reference value. | false | false | None | None | None |
 
 ### selectors Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `resource_hierarchy_selector` | Selector containing Cloud Resource Manager resource hierarchy nodes. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_resource_hierarchy_selector). | false | false | None | None | None |
 | `location_selector` | Selector containing locations in scope. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_location_selector). | false | true | Manages security policies based on physical and logical location constraints. | None | None |
 
 ### resource_hierarchy_selector Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `included_projects` | Optional. Names of the projects in scope. Format: `projects/{project_number}` | false | false | None | None | None |
 | `included_folders` | Optional. Names of the folders in scope. Format: `folders/{folder_id}` | false | false | None | None | None |
 
 ### location_selector Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `included_locations` | Optional. Names of the locations in scope. | false | true | Defines precisely which geographic locations are approved for resource deployment, enhancing compliance with data residency regulations. | ['Sydney', 'Melbourne'] | ['Mumbai', 'Berlin'] |
diff --git a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_folder.md b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_folder.md
index b21f9a065..f3fa1ba69 100644
--- a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_folder.md
+++ b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_folder.md
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder](
 
 ---
 
-## Argument Reference
+## Argument Reference
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `action` | Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist | true | true | Action defines whether the orchestrator will create/update or delete resources in the scope. Incorrectly setting this value could result in unintended resource deletion. | ['UPSERT'] | ['DELETE'] |
@@ -50,17 +51,20 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder](
 | `location_selector` | | false | false | None | None | None |
 
 ### orchestrated_resource Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `os_policy_assignment_v1_payload` | OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload). | false | true | Ensures that the correct OS policies are applied to the targeted VM instances, maintaining compliance with organizational standards. | None | None |
 | `id` | ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation. | false | false | None | None | None |
 
 ### orchestration_scope Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `selectors` | Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource. Structure is [documented below](#nested_orchestration_scope_selectors). | false | true | Specifying the correct selectors is crucial for ensuring that the policy is applied to the intended resources. | None | None |
 
 ### os_policy_assignment_v1_payload Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | Resource name. Format: `projects/{project_number}/locations/{location}/osPolicyAssignments/{os_policy_assignment_id}` This field is ignored when you create an OS policy assignment. | false | false | None | None | None |
@@ -78,6 +82,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder](
 | `uid` | (Output) Server generated unique id for the OS policy assignment resource. | false | false | None | None | None |
 
 ### os_policies Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment. | true | false | None | None | None |
@@ -87,18 +92,21 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder](
 | `allow_no_resource_group_match` | This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce. | false | false | None | None | None |
 
 ### resource_groups Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `inventory_filters` | List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name='rhel' and inventory_filters[1].os_short_name='centos' If the list is empty, this resource group will be applied to the target VM unconditionally. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_inventory_filters). | false | false | None | None | None |
 | `resources` | List of resources configured for this resource group. The resources are executed in the exact order specified here. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources). | true | true | Defines the specific configurations and resources that will be managed on the target VMs, ensuring they meet organizational standards. | None | None |
 
 ### inventory_filters Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `os_short_name` | The OS short name | true | false | None | None | None |
 | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None |
 
 ### resources Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `id` | The id of the resource with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the OS policy. | true | false | None | None | None |
@@ -108,6 +116,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder](
 | `file` | A resource that manages the state of a file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_file). | false | false | None | None | None |
 
 ### pkg Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `googet` | A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_googet). | false | false | None | None | None |
@@ -120,17 +129,20 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder](
 | `rpm` | An RPM package file. RPM packages only support INSTALLED state. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm). | false | false | None | None | None |
 
 ### googet Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | Package name. | true | false | None | None | None |
 
 ### msi Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi_source). | true | false | None | None | None |
 | `properties` | Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`. | false | false | None | None | None |
 
 ### source Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `remote` | Specifies a file available via some URI. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source_remote). | false | false | None | None | None |
@@ -139,12 +151,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder](
 | `allow_insecure` | Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified. | false | false | None | None | None |
 
 ### remote Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `uri` | URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`. | true | false | None | None | None |
 | `sha256_checksum` | SHA256 checksum of the remote file. | false | false | None | None | None |
 
 ### gcs Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `bucket` | Bucket of the Cloud Storage object. | true | false | None | None | None |
@@ -152,6 +166,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder](
 | `generation` | Generation number of the Cloud Storage object. | false | false | None | None | None |
 
 ### apt Block
+
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `name` | Package name. | true | false | None | None | None |
@@ -162,12 +177,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `distribution` | Distribution of this repository. | true | false | None | None | None | ### deb Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_deb_source). | true | false | None | None | None | | `pull_deps` | Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update && apt-get -y install package.deb` | false | false | None | None | None | ### yum Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Package name. | true | false | None | None | None | @@ -177,6 +194,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `id` | A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts. | true | false | None | None | None | ### zypper Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Package name. | true | false | None | None | None | 
@@ -186,12 +204,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `display_name` | The display name of the repository. | false | false | None | None | None | ### rpm Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `pull_deps` | Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm` | false | false | None | None | None | | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source). | true | false | None | None | None | ### repository Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `apt` | Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_apt). | false | true | Ensures that only trusted package repositories are used for software installations. | None | None | 
@@ -200,18 +220,21 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `goo` | Represents a Goo package repository. These are added to a repo file that is managed at `C:/ProgramData/GooGet/repos/google_osconfig.repo`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_goo). | false | false | None | None | None | ### goo Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | The name of the repository. | true | false | None | None | None | | `url` | The url of the repository. | true | false | None | None | None | ### exec Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `validate` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate). | true | false | None | None | None | | `enforce` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce). | false | false | None | None | None | ### validate Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `args` | Optional arguments to pass to the source during execution. | false | false | None | None | None | 
@@ -221,6 +244,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `script` | An inline script. The size of the script is limited to 32KiB. | false | false | None | None | None | ### file Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_insecure` | Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified. | false | false | None | None | None | @@ -234,6 +258,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `permissions` | Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 | false | false | None | None | None | ### enforce Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `args` | Optional arguments to pass to the source during execution. | false | false | None | None | None | 
@@ -243,6 +268,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `script` | An inline script. The size of the script is limited to 32KiB. | false | false | None | None | None | ### instance_filter Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inclusion_labels` | List of label sets used for VM inclusion. If the list has more than one `LabelSet`, the VM is included if any of the label sets are applicable for the VM. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_instance_filter_inclusion_labels). | false | false | None | None | None | 
@@ -251,46 +277,54 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_folder]( | `all` | Target all VMs in the project. If true, no other criteria is permitted. | false | false | None | None | None | ### inclusion_labels Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### exclusion_labels Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### inventories Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_short_name` | The OS short name | true | false | None | None | None | | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None | ### rollout Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disruption_budget` | Message encapsulating a value that can be either absolute ("fixed") or relative ("percent") to a value. 
Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_rollout_disruption_budget). | true | false | None | None | None | | `min_wait_duration` | This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied. | true | false | None | None | None | ### disruption_budget Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `fixed` | Specifies a fixed value. | false | false | None | None | None | | `percent` | Specifies the relative value defined as a percentage, which will be multiplied by a reference value. | false | false | None | None | None | ### selectors Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `resource_hierarchy_selector` | Selector containing Cloud Resource Manager resource hierarchy nodes. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_resource_hierarchy_selector). | false | false | None | None | None | | `location_selector` | Selector containing locations in scope. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_location_selector). | false | true | Specifying the correct locations is crucial for ensuring that the policy is applied to the intended resources. 
| None | None | ### resource_hierarchy_selector Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_projects` | Names of the projects in scope. Format: `projects/{project_number}` | false | false | None | None | None | | `included_folders` | Names of the folders in scope. Format: `folders/{folder_id}` | false | false | None | None | None | ### location_selector Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_locations` | Names of the locations in scope. Format: `us-central1-a` | false | true | Specifying the correct locations is crucial for ensuring that the policy is applied to the intended resources. | ['Sydney', 'Melbourne'] | ['Mumbai', 'Berlin'] | diff --git a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_organization.md b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_organization.md index cd94b8a25..ded71dd83 100644 --- a/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_organization.md +++ b/docs/gcp/OS_Config_v2/os_config_v2_policy_orchestrator_for_organization.md 
@@ -6,7 +6,8 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `action` | Required. Action to be done by the orchestrator in `projects/{project_id}/zones/{zone_id}` locations defined by the `orchestration_scope`. Allowed values: - `UPSERT` - Orchestrator will create or update target resources. - `DELETE` - Orchestrator will delete target resources, if they exist | true | true | Defines the operational intent of the orchestrator, which is crucial for maintaining the desired state of security configurations. | ['UPSERT'] | ['DELETE'] | 
@@ -50,17 +51,20 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `location_selector` | | false | false | None | None | None | ### orchestrated_resource Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_policy_assignment_v1_payload` | OS policy assignment is an API resource that is used to apply a set of OS policies to a dynamically targeted group of Compute Engine VM instances. An OS policy is used to define the desired state configuration for a Compute Engine VM instance through a set of configuration resources that provide capabilities such as installing or removing software packages, or executing a script. For more information about the OS policy resource definitions and examples, see [OS policy and OS policy assignment](https://cloud.google.com/compute/docs/os-configuration-management/working-with-os-policies). Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload). | false | true | Maintains the structural integrity of security policy configurations. | None | None | | `id` | Optional. ID of the resource to be used while generating set of affected resources. For UPSERT action the value is auto-generated during PolicyOrchestrator creation when not set. When the value is set it should following next restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the project. For DELETE action, ID must be specified explicitly during PolicyOrchestrator creation. 
| false | false | None | None | None | ### orchestration_scope Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `selectors` | Optional. Selectors of the orchestration scope. There is a logical AND between each selector defined. When there is no explicit `ResourceHierarchySelector` selector specified, the scope is by default bounded to the parent of the policy orchestrator resource. Structure is [documented below](#nested_orchestration_scope_selectors). | false | false | None | None | None | ### os_policy_assignment_v1_payload Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `etag` | The etag for this OS policy assignment. If this is provided on update, it must match the server's etag. | false | false | None | None | None | @@ -78,6 +82,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `revision_create_time` | (Output) Output only. The timestamp that the revision was created. | false | false | None | None | None | ### os_policies Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `id` | Required. The id of the OS policy with the following restrictions: * Must contain only lowercase letters, numbers, and hyphens. * Must start with a letter. * Must be between 1-63 characters. * Must end with a number or a letter. * Must be unique within the assignment. | true | false | None | None | None | 
@@ -87,18 +92,21 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `allow_no_resource_group_match` | This flag determines the OS policy compliance status when none of the resource groups within the policy are applicable for a VM. Set this value to `true` if the policy needs to be reported as compliant even if the policy has nothing to validate or enforce. | false | false | None | None | None | ### resource_groups Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `inventory_filters` | List of inventory filters for the resource group. The resources in this resource group are applied to the target VM if it satisfies at least one of the following inventory filters. For example, to apply this resource group to VMs running either `RHEL` or `CentOS` operating systems, specify 2 items for the list with following values: inventory_filters[0].os_short_name='rhel' and inventory_filters[1].os_short_name='centos' If the list is empty, this resource group will be applied to the target VM unconditionally. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_inventory_filters). | false | false | None | None | None | | `resources` | Required. List of resources configured for this resource group. The resources are executed in the exact order specified here. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources). | true | true | Enables fine-grained security controls at the resource level, allowing for tailored configurations. 
| None | None | ### inventory_filters Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_short_name` | Required. The OS short name | true | false | None | None | None | | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None | ### resources Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `exec` | A resource that allows executing scripts on the VM. The `ExecResource` has 2 stages: `validate` and `enforce` and both stages accept a script as an argument to execute. When the `ExecResource` is applied by the agent, it first executes the script in the `validate` stage. The `validate` stage can signal that the `ExecResource` is already in the desired state by returning an exit code of `100`. If the `ExecResource` is not in the desired state, it should return an exit code of `101`. Any other exit code returned by this stage is considered an error. If the `ExecResource` is not in the desired state based on the exit code from the `validate` stage, the agent proceeds to execute the script from the `enforce` stage. If the `ExecResource` is already in the desired state, the `enforce` stage will not be run. Similar to `validate` stage, the `enforce` stage should return an exit code of `100` to indicate that the resource in now in its desired state. Any other exit code is considered an error. 
NOTE: An exit code of `100` was chosen over `0` (and `101` vs `1`) to have an explicit indicator of `in desired state`, `not in desired state` and errors. Because, for example, Powershell will always return an exit code of `0` unless an `exit` statement is provided in the script. So, for reasons of consistency and being explicit, exit codes `100` and `101` were chosen. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec). | false | false | None | None | None | 
@@ -108,12 +116,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `repository` | A resource that manages a package repository. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository). | false | true | Enforces consistent package management policies across all targeted virtual machines. | None | None | ### exec Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `validate` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate). | true | false | None | None | None | | `enforce` | A file or script to execute. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce). | false | false | None | None | None | ### validate Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `file` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_validate_file). | false | false | None | None | None | 
@@ -123,6 +133,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `output_file_path` | Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes. | false | false | None | None | None | ### file Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `gcs` | Specifies a file available as a Cloud Storage Object. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_file_file_gcs). | false | false | None | None | None | @@ -136,6 +147,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `permissions` | Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 | false | false | None | None | None | ### gcs Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `bucket` | Required. Bucket of the Cloud Storage object. | true | false | None | None | None | 
@@ -143,12 +155,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `generation` | Generation number of the Cloud Storage object. | false | false | None | None | None | ### remote Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `uri` | Required. URI from which to fetch the object. It should contain both the protocol and path following the format `{protocol}://{location}`. | true | false | None | None | None | | `sha256_checksum` | SHA256 checksum of the remote file. | false | false | None | None | None | ### enforce Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `file` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_exec_enforce_file). | false | false | None | None | None | 
@@ -158,6 +172,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `output_file_path` | Only recorded for enforce Exec. Path to an output file (that is created by this Exec) whose content will be recorded in OSPolicyResourceCompliance after a successful run. Absence or failure to read this file will result in this ExecResource being non-compliant. Output file size is limited to 500K bytes. | false | false | None | None | None | ### pkg Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `msi` | An MSI package. MSI packages only support INSTALLED state. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi). | false | false | None | None | None | 
@@ -170,12 +185,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `googet` | A package managed by GooGet. - install: `googet -noconfirm install package` - remove: `googet -noconfirm remove package` Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_googet). | false | false | None | None | None | ### msi Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_msi_source). | true | false | None | None | None | | `properties` | Additional properties to use during installation. This should be in the format of Property=Setting. Appended to the defaults of `ACTION=INSTALL REBOOT=ReallySuppress`. | false | false | None | None | None | ### source Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `local_path` | A local path within the VM to use. | false | false | None | None | None | 
@@ -184,6 +201,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `gcs` | Specifies a file available as a Cloud Storage Object. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source_gcs). | false | false | None | None | None | ### apt Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. Package name. | true | false | None | None | None | @@ -194,12 +212,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `gpg_key` | URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg`. | false | false | None | None | None | ### deb Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_deb_source). | true | false | None | None | None | | `pull_deps` | Whether dependencies should also be installed. - install when false: `dpkg -i package` - install when true: `apt-get update && apt-get -y install package.deb` | false | false | None | None | None | ### yum Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. Package name. | true | false | None | None | None | 
@@ -209,6 +229,7 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `id` | Required. A one word, unique name for this repository. This is the `repo id` in the yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for resource conflicts. | true | false | None | None | None | ### zypper Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. Package name. | true | false | None | None | None | 
@@ -218,17 +239,20 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `gpg_keys` | URIs of GPG keys. | false | false | None | None | None | ### rpm Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `source` | A remote or local file. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_pkg_rpm_source). | true | false | None | None | None | | `pull_deps` | Whether dependencies should also be installed. - install when false: `rpm --upgrade --replacepkgs package.rpm` - install when true: `yum -y install package.rpm` or `zypper -y install package.rpm` | false | false | None | None | None | ### googet Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `name` | Required. Package name. | true | false | None | None | None | ### repository Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `yum` | Represents a single yum package repository. These are added to a repo file that is managed at `/etc/yum.repos.d/google_osconfig.repo`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_yum). | false | false | None | None | None | 
@@ -237,12 +261,14 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `apt` | Represents a single apt package repository. These will be added to a repo file that will be managed at `/etc/apt/sources.list.d/google_osconfig.list`. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_os_policies_os_policies_resource_groups_resource_groups_resources_resources_repository_apt). | false | true | Ensures that only approved package sources are used, reducing the risk of malicious software installation. | None | None | ### goo Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `url` | Required. The url of the repository. | true | false | None | None | None | | `name` | Required. The name of the repository. | true | false | None | None | None | ### instance_filter Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `all` | Target all VMs in the project. If true, no other criteria is permitted. | false | true | Ensures that all VMs are considered for policy application, preventing accidental exclusions. | None | None | 
@@ -251,46 +277,54 @@ Reference: [Terraform Registry – os_config_v2_policy_orchestrator_for_organiza | `inventories` | List of inventories to select VMs. A VM is selected if its inventory data matches at least one of the following inventories. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_instance_filter_inventories). | false | true | Ensures that only VMs with the specified inventory are targeted, reducing the risk of misconfiguration. | None | None | ### inclusion_labels Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### exclusion_labels Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `labels` | Labels are identified by key/value pairs in this map. A VM should contain all the key/value pairs specified in this map to be selected. | false | false | None | None | None | ### inventories Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `os_short_name` | Required. The OS short name | true | true | Specifying the OS short name ensures that policies are applied only to compatible operating systems, reducing the risk of misconfiguration. | ['debian'] | ['windows'] | | `os_version` | The OS version Prefix matches are supported if asterisk(*) is provided as the last character. 
For example, to match all versions with a major version of `7`, specify the following value for this field `7.*` An empty string matches all OS versions. | false | false | None | None | None | ### rollout Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `disruption_budget` | Message encapsulating a value that can be either absolute ("fixed") or relative ("percent") to a value. Structure is [documented below](#nested_orchestrated_resource_os_policy_assignment_v1_payload_rollout_disruption_budget). | true | false | None | None | None | | `min_wait_duration` | Required. This determines the minimum duration of time to wait after the configuration changes are applied through the current rollout. A VM continues to count towards the `disruption_budget` at least until this duration of time has passed after configuration changes are applied. | true | false | None | None | None | ### disruption_budget Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `fixed` | Specifies a fixed value. | false | false | None | None | None | | `percent` | Specifies the relative value defined as a percentage, which will be multiplied by a reference value. | false | false | None | None | None | ### selectors Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `resource_hierarchy_selector` | Selector containing Cloud Resource Manager resource hierarchy nodes. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_resource_hierarchy_selector). 
| false | false | None | None | None | | `location_selector` | Selector containing locations in scope. Structure is [documented below](#nested_orchestration_scope_selectors_selectors_location_selector). | false | false | None | None | None | ### resource_hierarchy_selector Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_projects` | Optional. Names of the projects in scope. Format: `projects/{project_number}` | false | false | None | None | None | | `included_folders` | Optional. Names of the folders in scope. Format: `folders/{folder_id}` | false | false | None | None | None | ### location_selector Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `included_locations` | Optional. Names of the locations in scope. Format: `us-central1-a` | false | false | None | None | None | diff --git a/docs/gcp/RecaptchaEnterprise/recaptcha_enterprise_key.md b/docs/gcp/RecaptchaEnterprise/recaptcha_enterprise_key.md index aac5f2466..20aa65a29 100644 --- a/docs/gcp/RecaptchaEnterprise/recaptcha_enterprise_key.md +++ b/docs/gcp/RecaptchaEnterprise/recaptcha_enterprise_key.md @@ -6,7 +6,8 @@ Reference: [Terraform Registry – recaptcha_enterprise_key](https://registry.te --- -## Argument Reference +## Argument Reference + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `display_name` | Human-readable display name of this key. Modifiable by user. - - - | true | false | None | None | None | 
@@ -19,30 +20,35 @@ Reference: [Terraform Registry – recaptcha_enterprise_key](https://registry.te | `web_settings` | Settings for keys that can be used by websites. | false | false | None | None | None | ### android_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_all_package_names` | If set to true, it means allowed_package_names will not be enforced. | false | false | None | None | None | | `allowed_package_names` | Android package names of apps allowed to use the key. Example: 'com.companyname.appname' | false | false | None | None | None | ### ios_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_all_bundle_ids` | If set to true, it means allowed_bundle_ids will not be enforced. | false | false | None | None | None | | `allowed_bundle_ids` | iOS bundle ids of apps allowed to use the key. Example: 'com.companyname.productname.appname' | false | false | None | None | None | ### testing_options Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `testing_challenge` | For challenge-based keys only (CHECKBOX, INVISIBLE), all challenge requests for this site will return nocaptcha if NOCAPTCHA, or an unsolvable challenge if UNSOLVABLE_CHALLENGE. Possible values: TESTING_CHALLENGE_UNSPECIFIED, NOCAPTCHA, UNSOLVABLE_CHALLENGE | false | false | None | None | None | | `testing_score` | All assessments for this Key will return this score. Must be between 0 (likely not legitimate) and 1 (likely legitimate) inclusive. 
| false | false | None | None | None | ### waf_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `waf_feature` | Supported WAF features. For more information, see https://cloud.google.com/recaptcha-enterprise/docs/usecase#comparison_of_features. Possible values: CHALLENGE_PAGE, SESSION_TOKEN, ACTION_TOKEN, EXPRESS | true | false | None | None | None | | `waf_service` | The WAF service that uses this key. Possible values: CA, FASTLY | true | false | None | None | None | ### web_settings Block + | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allow_all_domains` | If set to true, it means allowed_domains will not be enforced. | false | true | Allowing all domains bypasses origin allowlisting and can expose the key to abuse. Restrict usage to trusted domains via allowed_domains. | false | true | diff --git a/index.html b/index.html index 3afc86258..711f3768c 100644 --- a/index.html +++ b/index.html @@ -1,8 +1,10 @@ + Policy Deployment Engine Wiki + +

    Policy Deployment Engine Wiki

    - ⚠️ This wiki uses GitHub Pages and only allows for 60 API calls per hour per ID. + ⚠️ This wiki uses GitHub Pages and only allows for 60 API calls per hour per ID. If you use this website often, you may need to try a different device or wait.

    - +
    @@ -97,14 +100,16 @@

    Policy Deployment Engine Wiki

    try { const branch = "dev"; // 👈 change this const url = `https://api.github.com/repos/Hardhat-Enterprises/Policy-Deployment-Engine/git/trees/${branch}?recursive=1`; - + const response = await fetch(url); if (!response.ok) throw new Error('Network response was not ok'); const data = await response.json(); - // Get only files inside docs/gcp/ - const files = data.tree.filter(item => - item.path.startsWith("docs/gcp/") && item.type === "blob" + // Get only md files inside docs/gcp/ + const files = data.tree.filter(item => + item.path.startsWith("docs/gcp/") && + item.type === "blob" && + item.path.endsWith(".md") ); let htmlString = ""; @@ -124,8 +129,9 @@
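Review bot: The new `.md` filter over `data.tree` never looks at `data.truncated`; the Git Trees API sets that flag when a recursive listing exceeds its size limit, and in that case the filtered result silently becomes a partial wiki index instead of an error. After `const data = await response.json();` consider `if (data.truncated) console.warn("tree listing truncated; wiki index may be incomplete");` so the gap is at least visible during debugging. The enclosing async function and its `try` block start before this hunk, so whether the condition should surface to the user depends on the `catch` outside the visible lines.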

    Policy Deployment Engine Wiki

    let cleanPath = subFile.path.endsWith(".md") ? subFile.path.slice(0, -3) : subFile.path; - + const subItem = `
  • ${displayName}
  • `; + folderMap[folder].push(subItem); htmlString += subItem; } @@ -170,4 +176,5 @@
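Review bot: The `subItem` template appears to interpolate `displayName` and `cleanPath`, both derived from `subFile.path`, straight into an HTML string that is accumulated into `htmlString` (presumably for later insertion as markup), and nothing in the hunk escapes them. The values come from this repository's own tree listing, so the exposure is low, but a file or folder name containing `<`, `&` or a quote would still break or alter the generated list. Building each entry with `document.createElement` and `textContent`, or routing both values through a small escape helper before interpolation, keeps the rendering robust regardless of what the tree returns. The loop this sits in begins before the hunk and the rendered page has lost the surrounding tags, so the exact template shape is inferred.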

    Policy Deployment Engine Wiki

    })() - + + \ No newline at end of file diff --git a/policies/_helpers/README.md b/policies/_helpers/README.md new file mode 100644 index 000000000..9c8de2c8d --- /dev/null +++ b/policies/_helpers/README.md 
@@ -0,0 +1,665 @@ +# Policy Helpers Framework + +## Overview + +The `_helpers` directory contains the core policy evaluation framework for the Policy Deployment Engine. This modular system evaluates Terraform plans against configurable security policies and returns structured violation reports. + +**Key Features:** +- Modular architecture with specialized policy modules +- Support for 6 policy types: Blacklist, Whitelist, Range, Pattern Blacklist, Pattern Whitelist, Element Blacklist +- AND logic for multi-condition situations +- Standardized interfaces across all policy modules +- Shared utility functions for common operations + +**Version Compatibility:** +- OPA: 1.2.0 +- Rego: v1 + +--- + +## Table of Contents + +- [Architecture](#architecture) + - [Directory Structure](#directory-structure) + - [Component Responsibilities](#component-responsibilities) +- [Policy Types](#policy-types) + - [1. Blacklist](#1-blacklist) + - [2. Whitelist](#2-whitelist) + - [3. Range](#3-range) + - [4. Pattern Blacklist](#4-pattern-blacklist) + - [5. Pattern Whitelist](#5-pattern-whitelist) + - [6. Element Blacklist](#6-element-blacklist) +- [Usage Guide](#usage-guide) + - [Input Format](#input-format) + - [Multi-Condition Example (AND Logic)](#multi-condition-example-and-logic) + - [Output Format](#output-format) +- [Testing](#testing) + - [Quick Smoke Tests](#quick-smoke-tests) + - [Detailed Verification](#detailed-verification) + - [Individual Policy Tests](#individual-policy-tests) + - [Creating Test Inputs](#creating-test-inputs) +- [Adding New Policy Types](#adding-new-policy-types) + - [Step 1: Create Policy Module](#step-1-create-policy-module) + - [Step 2: Update helpers.rego](#step-2-update-helpersrego) + - [Step 3: Create Tests](#step-3-create-tests) + - [Step 4: Document](#step-4-document) +- [Design Principles](#design-principles) + - [1. Standardized Interfaces](#1-standardized-interfaces) + - [2. Separation of Concerns](#2-separation-of-concerns) + - [3. 
Encapsulation](#3-encapsulation) + - [4. Defensive Programming](#4-defensive-programming) + - [5. No Circular Dependencies](#5-no-circular-dependencies) +- [Common Patterns](#common-patterns) + - [Accessing Resource Attributes](#accessing-resource-attributes) + - [Formatting Paths](#formatting-paths) + - [Array Normalization](#array-normalization) + - [Set Comprehensions](#set-comprehensions) +- [Troubleshooting](#troubleshooting) + - [Issue: Policy not detecting violations](#issue-policy-not-detecting-violations) + - [Issue: "resource attribute not found" error](#issue-resource-attribute-not-found-error) + - [Issue: Empty results when violations expected](#issue-empty-results-when-violations-expected) + - [Issue: Pattern matching not working](#issue-pattern-matching-not-working) +- [Performance Considerations](#performance-considerations) + - [Set Operations](#set-operations) + - [Resource Filtering](#resource-filtering) + - [Avoid Over-fetching](#avoid-over-fetching) +- [Migration Notes](#migration-notes) +- [Contributing](#contributing) + - [Before Submitting Changes](#before-submitting-changes) + - [Code Style](#code-style) + - [Adding Examples](#adding-examples) + +--- + +## Architecture + +### Directory Structure + +``` +policies/_helpers/ +├── README.md # This file +├── PLAN.md # Detailed refactoring plan and migration guide +├── helpers.rego # Main orchestration layer +├── shared.rego # Shared utility functions +└── policies/ # Policy-specific modules + ├── blacklist.rego + ├── whitelist.rego + ├── range.rego + ├── pattern_blacklist.rego + ├── pattern_whitelist.rego + └── element_blacklist.rego +``` + +### Component Responsibilities + +#### **helpers.rego** - Orchestration Layer +- **Package:** `terraform.helpers` +- **Role:** Main entry point and coordinator +- **Responsibilities:** + - Aggregate policy results across multiple conditions + - Route evaluation to appropriate policy modules + - Apply AND logic for multi-condition situations (resources must 
fail ALL conditions to be non-compliant) + - Format summary output for end users + +**Key Functions:** +- `get_multi_summary(conditions, tf_variables)` - Main entry point +- `select_policy_logic(...)` - Routes to correct policy module +- `set_intersection_all(sets)` - Implements AND logic via set intersection + +#### **shared.rego** - Utility Library +- **Package:** `terraform.helpers.shared` +- **Role:** Shared functions used by all modules +- **Responsibilities:** + - Resource attribute extraction + - Attribute path formatting + - Data normalization + - Empty value handling + - Pattern matching utilities + +**No imports** - Designed to avoid circular dependencies + +**Key Functions:** +- `get_resource_attribute(resource, key)` - Extract resource attributes safely +- `format_attribute_path(path)` - Convert paths to readable strings +- `ensure_array(values)` - Normalize to array format +- `get_target_list(resource, path, pattern)` - Extract wildcard matches + +#### **policies/*.rego** - Policy Modules +- **Packages:** `terraform.helpers.policies.` +- **Role:** Implement specific policy evaluation logic +- **Responsibilities:** + - Detect violations for their specific policy type + - Generate formatted violation messages + - Filter resources based on policy constraints + +**All modules follow the same interface:** +```rego +get_violations(tf_variables, attribute_path, values) = results +``` + +--- + +## Policy Types + +### 1. Blacklist +**Module:** `policies/blacklist.rego` +**Use Case:** Forbid specific values + +**Logic:** +- Scalar values: Direct match = violation +- Arrays: ANY element matching = violation (OR logic) +- Special: Empty array `[]` can be explicitly blacklisted + +**Example:** +```json +{ + "policy_type": "Blacklist", + "attribute_path": "enable_private_nodes", + "values": [false] +} +``` + +### 2. 
Whitelist +**Module:** `policies/whitelist.rego` +**Use Case:** Allow only specific values + +**Logic:** +- Scalar values: Not in allowed list = violation +- Arrays: ALL elements must be allowed (AND logic) + +**Example:** +```json +{ + "policy_type": "Whitelist", + "attribute_path": "config_encryption_type", + "values": ["CMEK"] +} +``` + +### 3. Range +**Module:** `policies/range.rego` +**Use Case:** Enforce numeric bounds + +**Logic:** +- Value must be between lower and upper bound (inclusive) +- Requires exactly 2 values: `[lower, upper]` + +**Example:** +```json +{ + "policy_type": "Range", + "attribute_path": "retention_period", + "values": [2592000, 31536000] +} +``` + +### 4. Pattern Blacklist +**Module:** `policies/pattern_blacklist.rego` +**Use Case:** Forbid patterns with wildcard matching + +**Logic:** +- Extract substrings using `*` wildcards in target pattern +- Check each position against position-specific blacklists +- ANY match = violation (OR logic) + +**Example:** +```json +{ + "policy_type": "Pattern Blacklist", + "attribute_path": "name", + "values": [ + "projects/*/locations/*", + [["test-project"], ["us-east1", "europe-west1"]] + ] +} +``` + +### 5. Pattern Whitelist +**Module:** `policies/pattern_whitelist.rego` +**Use Case:** Allow only specific patterns with wildcard matching + +**Logic:** +- Extract substrings using `*` wildcards in target pattern +- Check each position against position-specific whitelists +- ANY non-match = violation + +**Example:** +```json +{ + "policy_type": "Pattern Whitelist", + "attribute_path": "project_id", + "values": [ + "projects/*", + [["prod-", "staging-"]] + ] +} +``` + +### 6. 
Element Blacklist +**Module:** `policies/element_blacklist.rego` +**Use Case:** Forbid array elements containing substrings + +**Logic:** +- Array attribute must be checked +- ANY element containing ANY pattern = violation +- Uses simple substring matching (`contains`) + +**Example:** +```json +{ + "policy_type": "Element Blacklist", + "attribute_path": ["status", 0, "restricted_services"], + "values": ["*", "0.0.0.0"] +} +``` + +--- + +## Usage Guide + +### Input Format + +**tf_variables:** +```json +{ + "resource_type": "google_storage_bucket", + "friendly_resource_name": "Storage Bucket", + "resource_value_name": "name" +} +``` + +**conditions:** Array of situation objects +```json +[ + { + "situation_description": "Buckets must use CMEK encryption", + "remedies": ["Enable CMEK encryption", "Configure encryption key"], + "condition": "Encryption configuration", + "policy_type": "Whitelist", + "attribute_path": "encryption_type", + "values": ["CUSTOMER_MANAGED_ENCRYPTION"] + } +] +``` + +### Multi-Condition Example (AND Logic) + +Resources must violate ALL conditions in a situation to be non-compliant: + +```rego +conditions := [ + { + "situation_description": "Production buckets require strict settings", + "remedies": ["Update configuration"], + + # Condition 1: Name must start with "prod-" + "condition": "Production naming", + "policy_type": "Pattern Whitelist", + "attribute_path": "name", + "values": ["prod-*", [["prod-"]]] + }, + { + # Condition 2: Must use CMEK + "condition": "Encryption type", + "policy_type": "Whitelist", + "attribute_path": "encryption_type", + "values": ["CMEK"] + } +] +``` + +Only buckets that BOTH: +1. Don't match "prod-*" pattern, AND +2. Don't use CMEK encryption + +...will be flagged as non-compliant. 
+ +### Output Format + +```json +{ + "message": [ + "Total Storage Bucket detected: 5", + [ + "Situation 1: Buckets must use CMEK encryption", + "Non-Compliant Resources: my-bucket-1, my-bucket-2", + "Potential Remedies: Enable CMEK encryption, Configure encryption key" + ] + ], + "details": [ + { + "situation": "Buckets must use CMEK encryption", + "remedies": ["Enable CMEK encryption", "Configure encryption key"], + "non_compliant_resources": ["my-bucket-1", "my-bucket-2"], + "conditions": [ + { + "Encryption configuration": [ + { + "name": "my-bucket-1", + "message": "Storage Bucket 'my-bucket-1' has 'encryption_type' set to 'GOOGLE_DEFAULT_ENCRYPTION'. It should be set to '[\"CUSTOMER_MANAGED_ENCRYPTION\"]'" + } + ] + } + ] + } + ] +} +``` + +--- + +## Testing + +### Quick Smoke Tests + +Run all policy types with pass/fail output: + +```bash +cd /path/to/Policy-Deployment-Engine +./tests/smoke_test_helpers.sh +``` + +### Detailed Verification + +View full output for debugging: + +```bash +./tests/verify_helpers.sh +``` + +### Individual Policy Tests + +Test specific policy modules: + +```bash +# Blacklist test +opa eval --data ./policies/_helpers --data ./policies/gcp \ + --input ./inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_service_perimeter/status/plan.json \ + "data.terraform.gcp.security.access_context_manager_vpc_service_controls.access_context_manager_service_perimeter.status.message" \ + --format pretty + +# Whitelist test +opa eval --data ./policies/_helpers --data ./policies/gcp \ + --input ./inputs/gcp/api_hub/google_apihub_api_hub_instance/config_encryption_type/plan.json \ + "data.terraform.gcp.security.api_hub.google_apihub_api_hub_instance.config_encryption_type.message" \ + --format pretty + +# Range test +opa eval --data ./policies/_helpers --data ./policies/gcp \ + --input ./inputs/gcp/cloud_storage/google_storage_bucket/retention_period/plan.json \ + 
"data.terraform.gcp.security.cloud_storage.google_storage_bucket.message" \ + --format pretty +``` + +### Creating Test Inputs + +Generate Terraform plan JSON for testing: + +```bash +terraform plan --out=plan +terraform show -json plan | cat > plan.json +``` + +--- + +## Adding New Policy Types + +### Step 1: Create Policy Module + +Create `policies/.rego`: + +```rego +package terraform.helpers.policies. + +import data.terraform.helpers.shared + +# Public API - must match this signature +get_violations(tf_variables, attribute_path, values) = results if { + nc_resources := _get_resources(tf_variables.resource_type, attribute_path, values) + results := { + _build_violation(tf_variables, attribute_path, values, resource) | + some resource in nc_resources + } +} + +# Private helper - filter non-compliant resources +_get_resources(resource_type, attribute_path, values) = resources if { + resources := { + resource | + resource := input.planned_values.root_module.resources[_] + resource.type == resource_type + # Your policy logic here + } +} + +# Private helper - format violation message +_build_violation(tf_variables, attribute_path, values, resource) = violation if { + violation := { + "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), + "message": _format_message(...) + } +} + +_format_message(...) = msg if { + msg := sprintf("...", [...]) +} +``` + +### Step 2: Update helpers.rego + +Add import: +```rego +import data.terraform.helpers.policies. +``` + +Add routing rule: +```rego +select_policy_logic(tf_variables, attribute_path, values_formatted, "") = results if { + results := .get_violations(tf_variables, attribute_path, values_formatted) +} +``` + +### Step 3: Create Tests + +Create test files following the pattern in `tests/_helpers/`. + +### Step 4: Document + +Update this README with: +- Policy type description +- Logic explanation +- Example usage + +--- + +## Design Principles + +### 1. 
Standardized Interfaces +All policy modules export the same public API: +```rego +get_violations(tf_variables, attribute_path, values) = results +``` + +This consistency enables: +- Easy addition of new policy types +- Predictable behavior +- Simple orchestration logic + +### 2. Separation of Concerns +- **helpers.rego** - Orchestration only, no policy logic +- **shared.rego** - Pure utility functions, no policy decisions +- **policies/*.rego** - Self-contained policy implementations + +### 3. Encapsulation +- Public functions: `get_violations()` +- Private functions: `_prefixed_with_underscore()` +- No cross-module dependencies between policy modules + +### 4. Defensive Programming +- Null-safe attribute access via `object.get(resource.values, path, null)` +- Type checking before operations +- Fallback values for missing data + +### 5. No Circular Dependencies +`shared.rego` has no imports to ensure it can be imported by all modules without circular dependency issues. + +--- + +## Common Patterns + +### Accessing Resource Attributes + +```rego +# Safe with fallback +attribute_value := shared.get_attribute_value(resource, attribute_path) + +# Get resource identifier +resource_name := shared.get_resource_attribute(resource, tf_variables.resource_value_name) +``` + +### Formatting Paths + +```rego +# ["status", 0, "restricted_services"] → "status.[0].restricted_services" +path_string := shared.format_attribute_path(attribute_path) +``` + +### Array Normalization + +```rego +# Ensure value is array (handles both single values and arrays) +values_array := shared.ensure_array(values) +``` + +### Set Comprehensions + +```rego +# Build set of non-compliant resources +nc_resources := { + resource | + resource := input.planned_values.root_module.resources[_] + resource.type == resource_type + # violation condition here +} +``` + +--- + +## Troubleshooting + +### Issue: Policy not detecting violations + +**Check:** +1. Is the `resource_type` correct in tf_variables? +2. 
Does the `attribute_path` match the actual resource structure? +3. Is the policy type string exactly correct (case-sensitive)? +4. Run with `--explain full` to see evaluation trace + +**Debug command:** +```bash +opa eval --explain full --data ./policies/_helpers --data ./policies/gcp \ + --input ./inputs/gcp/.../plan.json \ + "data.terraform.gcp.security..." \ + --format pretty +``` + +### Issue: "resource attribute not found" error + +**Cause:** The `resource_value_name` doesn't match the actual attribute in the resource. + +**Solution:** +1. Check the Terraform plan JSON structure +2. Common values: `"name"`, `"id"`, `"bucket"`, `"project"` +3. Update `resource_value_name` in tf_variables + +### Issue: Empty results when violations expected + +**Check:** +1. Is `--data ./policies/_helpers` included in the opa eval command? +2. Is the input JSON correctly formatted? +3. Are resources in `planned_values.root_module.resources`? + +### Issue: Pattern matching not working + +**For Pattern Whitelist/Blacklist:** +1. Verify target pattern has `*` wildcards +2. Ensure patterns array has one sub-array per wildcard +3. Check that attribute value matches target pattern structure + +--- + +## Performance Considerations + +### Set Operations +The framework uses Rego's native set operations for efficient intersections: +```rego +# Efficient AND logic via set intersection +failing_resources := set_intersection_all(resource_sets) +``` + +### Resource Filtering +Policy modules use set comprehensions for parallel evaluation: +```rego +resources := { + resource | + resource := input.planned_values.root_module.resources[_] + # filters applied in parallel +} +``` + +### Avoid Over-fetching +- Don't load full resource objects when only checking one attribute +- Use `object.get()` for safe, efficient attribute access + +--- + +## Migration Notes + +This framework was refactored from a monolithic `helpers.rego` into modular components. 
See `PLAN.md` for: +- Detailed migration checklist +- Rationale for architectural decisions +- Step-by-step refactoring guide + +**Key Changes:** +- Policy logic moved from helpers.rego to individual modules +- Shared utilities centralized in shared.rego +- Standardized interface across all policy types +- Improved testability and maintainability + +--- + +## Contributing + +### Before Submitting Changes + +1. **Run tests:** Ensure all smoke tests pass + ```bash + ./tests/smoke_test_helpers.sh + ``` + +2. **Test your specific changes:** Run relevant individual policy tests + +3. **Update documentation:** Add examples and update this README if adding features + +4. **Follow naming conventions:** + - Public functions: `get_violations()`, `format_message()` + - Private functions: `_get_resources()`, `_build_violation()` + +### Code Style + +- Use descriptive variable names +- Add comments for complex logic +- Include function docstrings explaining parameters and return values +- Keep functions focused and single-purpose + +### Adding Examples + +When adding new policy types or features, include: +1. Description of the use case +2. Example policy JSON +3. Expected behavior explanation +4. Test case with sample input/output + +--- + +**Last Updated:** December 2025 diff --git a/policies/_helpers/helpers.rego b/policies/_helpers/helpers.rego new file mode 100644 index 000000000..df98d193e --- /dev/null +++ b/policies/_helpers/helpers.rego 
@@ -0,0 +1,249 @@ +package terraform.helpers +# Tested on OPA Version: 1.2.0, Rego Version: v1 + +# Policy Orchestration Layer +# +# This module serves as the main entry point for all policy evaluation. +# It coordinates policy execution across multiple situations and conditions, +# aggregating results and formatting them for consumption. +# +# Architecture: +# - Delegates policy logic to specialized modules (blacklist, whitelist, range, etc.) +# - Uses set intersection for AND logic across conditions +# - Returns structured summaries with violation details + +import data.terraform.helpers.shared +import data.terraform.helpers.policies.blacklist +import data.terraform.helpers.policies.whitelist +import data.terraform.helpers.policies.range +import data.terraform.helpers.policies.pattern_blacklist +import data.terraform.helpers.policies.pattern_whitelist +import data.terraform.helpers.policies.element_blacklist + +################################################################################ +# Public API +################################################################################ + +# Main entry point for policy evaluation +# +# Evaluates a set of policy conditions against Terraform plan resources and +# returns a structured summary of compliant and non-compliant resources. 
+# +# Parameters: +# conditions - Array of condition groups, each containing: +# - situation_description: Human-readable scenario name +# - remedies: Array of suggested fixes +# - condition objects with policy_type, attribute_path, values +# tf_variables - Resource configuration containing: +# - resource_type: Terraform resource type (e.g., "google_storage_bucket") +# - friendly_resource_name: Display name for messages +# - value_name: Attribute key for resource identification +# +# Returns: +# Object with: +# - message: Array of formatted summary strings +# - details: Array of situation results with non_compliant_resources +# +# Logic: +# Resources must fail ALL conditions within a situation to be non-compliant (AND logic) +get_multi_summary(conditions, tf_variables) = summary if { + # Count resources without storing them + resource_count := count([r | + r := input.planned_values.root_module.resources[_] + r.type == tf_variables.resource_type + ]) + + # Build situation results using declarative approach + situation_results := build_situation_results(tf_variables, conditions) + + summary := { + "message": format_summary_messages( + tf_variables.friendly_resource_name, + resource_count, + situation_results + ), + "details": situation_results + } +} else := "Policy type not supported." 
+ +################################################################################ +# Situation Processing +################################################################################ + +# Build all situation results in one pass +build_situation_results(tf_variables, conditions) = results if { + results := [ + build_single_situation(tf_variables, condition_group) | + some condition_group in conditions + ] +} + +# Process a single situation (metadata + conditions) +build_single_situation(tf_variables, condition_group) = situation_result if { + # Extract metadata + metadata := extract_situation_metadata(condition_group) + + # Evaluate all conditions for this situation + condition_results := evaluate_conditions(tf_variables, condition_group) + + # Find resources that fail ALL conditions (AND logic) + nc_resources := find_failing_resources(condition_results) + + situation_result := { + "situation": metadata.description, + "remedies": metadata.remedies, + "non_compliant_resources": nc_resources, + "conditions": condition_results + } +} + +# Extract metadata from condition group +extract_situation_metadata(condition_group) = metadata if { + # Find metadata entry + description := shared.get_value_from_array(condition_group, "situation_description") + remedies := shared.get_value_from_array(condition_group, "remedies") + + metadata := { + "description": description, + "remedies": remedies + } +} + +################################################################################ +# Condition Evaluation +################################################################################ + +# Evaluate all conditions, returning structured results +evaluate_conditions(tf_variables, condition_group) = results if { + results := [ + {condition_obj.condition: violations} | + some condition_entry in condition_group + condition_obj := condition_entry + condition_obj.policy_type # Skip metadata entries without policy_type + + # Get violations for this condition + values := 
shared.ensure_array(condition_obj.values) + policy_type := lower(condition_obj.policy_type) + violations := select_policy_logic( + tf_variables, + condition_obj.attribute_path, + values, + policy_type + ) + ] +} + +# Find resources failing ALL conditions using set intersection +find_failing_resources(condition_results) = failing_resources if { + # Extract resource names from each condition into sets + resource_sets := [ + {resource.name | + some _, violations in condition_results[_] + some resource in violations + } + ] + + # Apply intersection across all sets + count(resource_sets) > 0 + failing_resources := set_intersection_all(resource_sets) +} else = set() + +################################################################################ +# Policy Type Dispatch +################################################################################ +# Routes evaluation to appropriate policy module based on policy_type string +# Each policy type implements its own violation detection logic + +select_policy_logic(tf_variables, attribute_path, values_formatted, "blacklist") = results if { + results := blacklist.get_violations(tf_variables, attribute_path, values_formatted) +} + +select_policy_logic(tf_variables, attribute_path, values_formatted, "whitelist") = results if { + results := whitelist.get_violations(tf_variables, attribute_path, values_formatted) +} + +select_policy_logic(tf_variables, attribute_path, values_formatted, "range") = results if { + results := range.get_violations(tf_variables, attribute_path, values_formatted) +} + +select_policy_logic(tf_variables, attribute_path, values_formatted, "pattern blacklist") = results if { + results := pattern_blacklist.get_violations(tf_variables, attribute_path, values_formatted) +} + +select_policy_logic(tf_variables, attribute_path, values_formatted, "pattern whitelist") = results if { + results := pattern_whitelist.get_violations(tf_variables, attribute_path, values_formatted) +} + 
+select_policy_logic(tf_variables, attribute_path, values_formatted, "element blacklist") = results if { + results := element_blacklist.get_violations(tf_variables, attribute_path, values_formatted) +} + +# Fallback for unknown policy types +select_policy_logic(_, _, _, policy_type) = results if { + not policy_type in ["blacklist", "whitelist", "range", "pattern blacklist", "pattern whitelist", "element blacklist"] + results := { + {"error": sprintf("Unknown policy type: '%s'. Valid types: blacklist, whitelist, range, pattern blacklist, pattern whitelist, element blacklist", [policy_type])} + } +} + +################################################################################ +# Output Formatting +################################################################################ + +# Format messages using array comprehension +format_summary_messages(resource_name, total_count, situations) = messages if { + header := sprintf("Total %s detected: %d ", [resource_name, total_count]) + + situation_messages := [msg | + some i + sit := situations[i] + + # Convert set to array for formatting + nc_list := [r | some r in sit.non_compliant_resources] + + # Handle empty case: display "All passed" if no violations + display_list := _get_display_list(nc_list) + + msg := array.concat( + [ + sprintf("Situation %d: %s", [i+1, sit.situation]), + sprintf("Non-Compliant Resources: %s", [concat(", ", display_list)]) + ], + [sprintf("Potential Remedies: %s", [concat(", ", sit.remedies)]) | count(nc_list) > 0] + ) + ] + + messages := array.concat([header], situation_messages) +} + +# Helper to format non-compliant resources list +_get_display_list(nc_list) = ["None - All passed"] if { + count(nc_list) == 0 +} +_get_display_list(nc_list) = nc_list if { + count(nc_list) > 0 +} + +################################################################################ +# Set Utilities +################################################################################ + +# Improved set intersection 
using native Rego idioms +set_intersection_all(sets) = result if { + count(sets) == 0 + result := set() +} else = result if { + count(sets) == 1 + result := sets[0] +} else = result if { + # Find intersection of all sets using 'every' keyword + first_set := sets[0] + # Set comprehension: for each resource in first_set, include it in result + # only if it exists in every remaining set (intersection logic) + result := {resource | + some resource in first_set + every remaining_set in sets { + resource in remaining_set + } + } +} \ No newline at end of file diff --git a/policies/_helpers/policies/blacklist.rego b/policies/_helpers/policies/blacklist.rego new file mode 100644 index 000000000..8dc187174 --- /dev/null +++ b/policies/_helpers/policies/blacklist.rego 
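Review bot: `find_failing_resources` implements OR, not the AND that the header comment above `get_multi_summary` promises: the array literal holds a single set comprehension, and `condition_results[_]` iterates inside that comprehension, so the one set it yields is the union of every condition's resource names and `set_intersection_all` hands it straight back through its `count(sets) == 1` branch. A resource that fails any one condition of a multi-condition situation is therefore reported as non-compliant, and the per-condition iteration has to move outside the set comprehension as below. Two smaller points in the same hunk: the `get_multi_summary` header documents the identifier key as `value_name` while every policy module reads `tf_variables.resource_value_name`, and the unknown-policy fallback's `{"error": ...}` object has no `name` key, so `resource.name` drops it and a misspelt `policy_type` is printed as "None - All passed" with the error visible only in `details` — a fail-open for a typo.
```rego
find_failing_resources(condition_results) = failing_resources if {
	# one set of names per condition, so the intersection below is a real AND
	resource_sets := [
		{resource.name | some resource in violations} |
		some condition_result in condition_results
		some _, violations in condition_result
	]
	# … unchanged: count check and set_intersection_all …
}
```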
@@ -0,0 +1,81 @@
+package terraform.helpers.policies.blacklist
+
+# Blacklist Policy
+#
+# Detects resources with attributes matching forbidden values.
+# Supports both scalar values and arrays with OR logic (any match = violation).
+#
+# Special case: Empty array [] can be blacklisted explicitly.
+
+import data.terraform.helpers.shared
+
+# Identifies resources violating blacklist constraints
+#
+# Parameters:
+# tf_variables - Resource metadata (resource_type, friendly_resource_name, value_name)
+# attribute_path - Path to attribute being evaluated (array or string)
+# blacklisted_values - Array of forbidden values
+#
+# Returns:
+# Set of violation objects with {name, message}
+get_violations(tf_variables, attribute_path, blacklisted_values) = results if {
+ nc_resources := _get_resources(tf_variables.resource_type, attribute_path, blacklisted_values)
+ results := {
+ _build_violation(tf_variables, attribute_path, blacklisted_values, resource) |
+ some resource in nc_resources
+ }
+}
+
+_build_violation(tf_variables, attribute_path, blacklisted_values, resource) = violation if {
+ attribute_path_string := shared.format_attribute_path(attribute_path)
+ attribute_value := shared.get_attribute_value(resource, attribute_path)
+
+ violation := {
+ "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name),
+ "message": _format_message(
+ tf_variables.friendly_resource_name,
+ shared.get_resource_attribute(resource, tf_variables.resource_value_name),
+ attribute_path_string,
+ attribute_value,
+ shared.empty_message(attribute_value),
+ blacklisted_values
+ )
+ }
+}
+
+# Check if a value is blacklisted (handles both scalars and arrays)
+_is_blacklisted(forbidden, value) if {
+ # Handle empty array blacklisting specifically
+ [] in forbidden
+ is_array(value)
+ count(value) == 0
+}
+
+_is_blacklisted(forbidden, value) if {
+ # Array case: ANY intersection means violation (OR logic)
+ is_array(value)
+ forbidden_set := {x | some x in forbidden}
+ value_set := {x | some x in value}
+ count(forbidden_set & value_set) > 0
+}
+
+_is_blacklisted(forbidden, value) if {
+ # Scalar case: direct membership check
+ shared.value_in_array(forbidden, value)
+}
+
+_get_resources(resource_type, attribute_path, blacklisted_values) = resources if {
+ resources := {
+ resource |
+ resource := input.planned_values.root_module.resources[_]
+ resource.type == resource_type
+ _is_blacklisted(blacklisted_values, shared.get_attribute_value(resource, attribute_path))
+ }
+}
+
+_format_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, nc_values) = msg if {
+ msg := sprintf(
+ "%s '%s' has '%s' set to '%v'%s. This is blacklisted: %v",
+ [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, nc_values]
+ )
+}
\ No newline at end of file
diff --git a/policies/_helpers/policies/element_blacklist.rego b/policies/_helpers/policies/element_blacklist.rego
new file mode 100644
index 000000000..795061b38
--- /dev/null
+++ b/policies/_helpers/policies/element_blacklist.rego
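Review bot: `_get_resources` only walks `input.planned_values.root_module.resources`, so a resource declared inside a Terraform module never reaches `_is_blacklisted` and is reported as compliant; if I remember the plan JSON layout correctly, module resources live under `root_module.child_modules[].resources`, nested one level per module, and every policy module in this patch uses the same root-only lookup. Since the lookup is duplicated six times, the fix belongs in shared.rego as one collector, something like `all_resources := {r | walk(input.planned_values.root_module, [_, node]); some r in node.resources}`, with `resource := shared.all_resources[_]` here (filter on the presence of `type`/`address` if that walk proves too broad). A test fixture whose plan contains a module would pin this, because today the framework passes everything it cannot see. Worth a line in the header comment that the array branch compares values exactly, so a blacklisted string differing only in case slips through.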
@@ -0,0 +1,109 @@ +package terraform.helpers.policies.element_blacklist + +# Element Blacklist Policy +# +# Detects array attributes containing elements with blacklisted substrings. +# Uses simple substring matching (contains) rather than regex patterns. +# +# Example: +# patterns: ["test", "staging"] +# Violates if any array element contains "test" or "staging" + +import data.terraform.helpers.shared + +# Identifies resources with array elements containing blacklisted substrings +# +# Parameters: +# tf_variables - Resource metadata +# attribute_path - Path to array attribute +# patterns - Array of substring patterns to match against +# +# Returns: +# Set of violation objects with {name, message} +get_violations(tf_variables, attribute_path, patterns) = results if { + nc_resources := _get_resources(tf_variables.resource_type, attribute_path, patterns) + results := { + _build_violation(tf_variables, attribute_path, patterns, resource) | + some resource in nc_resources + } +} + +_build_violation(tf_variables, attribute_path, patterns, resource) = violation if { + attribute_path_string := shared.format_attribute_path(attribute_path) + array_value := shared.get_attribute_value(resource, attribute_path) + violating_elements := [elem | + elem := array_value[_] + some pattern in patterns + contains(elem, pattern) + ] + + violation := { + "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), + "message": _format_message( + tf_variables.friendly_resource_name, + shared.get_resource_attribute(resource, tf_variables.resource_value_name), + attribute_path_string, + violating_elements, + patterns + ) + } +} + + +# get_resources() filters Terraform resources based on array element content violations. 
+# +# Parameters: +# resource_type - Terraform resource type (e.g., "google_access_context_manager_service_perimeter") +# attribute_path - Array path to target array attribute (e.g., ["status", 0, "restricted_services"]) +# patterns - Array of forbidden substrings (e.g., ["*", "0.0.0.0"]) +# +# Returns: +# An array of resources that violate the policy by having at least one array element +# containing at least one of the blacklisted patterns. Returns empty array if no violations found. +# +# Example: +# For a resource with restricted_services = ["*.googleapis.com", "storage.googleapis.com"] +# and patterns = ["*"], this function returns the resource because "*.googleapis.com" contains "*" +_get_resources(resource_type, attribute_path, patterns) = resources if { + resources := { + resource | + resource := input.planned_values.root_module.resources[_] + resource.type == resource_type + array_value := shared.get_attribute_value(resource, attribute_path) + is_array(array_value) + # Check if ANY element contains ANY pattern - collect matches + matches := [1 | + some element in array_value + some pattern in patterns + contains(element, pattern) + ] + count(matches) > 0 + } +} + + +# format_message() generates a human-readable error message for element blacklist violations. +# +# Parameters: +# friendly_resource_name - Human-readable resource type (e.g., "Service Perimeter", "Storage Bucket") +# resource_value_name - Specific resource identifier (e.g., "my-service-perimeter") +# attribute_path_string - Path to violating attribute (e.g., "status.[0].restricted_services") +# violating_elements - Array containing blacklisted patterns (e.g., ["*.googleapis.com"]) +# patterns - Array of forbidden substrings (e.g., ["*", "0.0.0.0"]) +# +# Returns: +# Formatted error message for and user feedback. 
+# +# Message Format: +# "{friendly_resource_name} '{resource_value_name}' has '{attribute_path_string}' containing blacklisted patterns +# {patterns} in elements: {violating_elements}" +# +# Example Output: +# "Service Perimeter 'my-perimeter' has 'status.[0].restricted_services' containing blacklisted patterns [\"*\"] in +# elements: [\"*.googleapis.com\"]" +_format_message(friendly_resource_name, resource_value_name, attribute_path_string, violating_elements, patterns) = msg if { + msg := sprintf( + "%s '%s' has '%s' containing blacklisted patterns %v in elements: %v", + [friendly_resource_name, resource_value_name, attribute_path_string, patterns, violating_elements] + ) +} diff --git a/policies/_helpers/policies/pattern_blacklist.rego b/policies/_helpers/policies/pattern_blacklist.rego new file mode 100644 index 000000000..f7596760a --- /dev/null +++ b/policies/_helpers/policies/pattern_blacklist.rego 
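Review bot: `violating_elements` in `_build_violation` is an array comprehension over both `elem` and `pattern`, so an element that contains two of the substrings is listed twice in the message and the listing order follows pattern order rather than the attribute's; a set comprehension, `violating_elements := {elem | some elem in array_value; some pattern in patterns; contains(elem, pattern)}`, gives one entry per offending element. Both comprehensions also call `contains` on elements that need not be strings — an array of objects at that path makes the call undefined and the element silently non-matching — so an `is_string(elem)` guard, or an explicit violation for non-string elements, makes that fail-open visible instead of silent. The `_get_resources` docstring says it returns an array and "empty array if no violations", but the body builds a set. "for and user feedback" in the `_format_message` docstring reads as a typo.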
@@ -0,0 +1,91 @@ +package terraform.helpers.policies.pattern_blacklist + +# Pattern Blacklist Policy +# +# Detects resources where wildcard-extracted substrings match blacklisted patterns. +# Uses target pattern with * wildcards to extract substrings, then checks each +# against position-specific blacklists. +# +# Example: +# target: "projects/*/locations/*" +# patterns: [["test-project"], ["us-east1", "europe-west1"]] +# Matches if project is "test-project" OR location is blacklisted region + +import data.terraform.helpers.shared + +# Identifies resources matching pattern blacklist constraints +# +# Parameters: +# tf_variables - Resource metadata +# attribute_path - Path to attribute for pattern matching +# values_formatted - [target_pattern, patterns_array] where: +# - target_pattern: String with * wildcards +# - patterns_array: Array of arrays (one per wildcard position) +# +# Returns: +# Set of violation objects with {name, message} +get_violations(tf_variables, attribute_path, values_formatted) = results if { + nc_resources := _get_resources(tf_variables.resource_type, attribute_path, values_formatted) + results := { + _build_violation(tf_variables, attribute_path, values_formatted, resource) | + some resource in nc_resources + } +} + +_build_violation(tf_variables, attribute_path, values_formatted, resource) = violation if { + attribute_path_string := shared.format_attribute_path(attribute_path) + nc := _get_blacklist(resource, attribute_path, values_formatted[0], values_formatted[1]) + + violation := { + "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), + "message": _format_message( + tf_variables.friendly_resource_name, + shared.get_resource_attribute(resource, tf_variables.resource_value_name), + attribute_path_string, + shared.get_attribute_value(resource, attribute_path), + nc + ) + } +} + +# Check if a value matches blacklist patterns +_matches_blacklist(patterns, value) if { + shared.value_in_array(patterns, value) +} + 
+_get_blacklist(resource, attribute_path, target, patterns) = ncc if { + target_list = shared.get_target_list(resource, attribute_path, target) # list of targetted substrings + ncc := [ + {"value": target_list[i], "allowed": patterns[i]} | + some i + _matches_blacklist(patterns[i], target_list[i]) # direct mapping of positions of target * with its list of allowed patterns + ] +} + +_get_resources(resource_type, attribute_path, values) = resources if { + resources := { + resource | + target := values[0] # target val string + patterns := values[1] # allowed patterns (list) + resource := input.planned_values.root_module.resources[_] + resource.type == resource_type + count(_get_blacklist(resource, attribute_path, target, patterns)) > 0 # ok, there is a resource with at least one non-compliant + } +} + +_format_message(friendly_resource_name, resource_value_name, attribute_path_string, full_value, nc_list) = msg if { + count(nc_list) == 1 + this_nc := nc_list[0] + formatted_value := shared.final_formatter(full_value, this_nc.value) + msg := sprintf( + "%s '%s' has '%s' set to '%s'%s. This is blacklisted: %v", + [friendly_resource_name, resource_value_name, attribute_path_string, formatted_value, shared.empty_message(this_nc.value), this_nc.allowed] + ) +} else = msg if { + count(nc_list) > 1 + failures := concat(", ", [sprintf("position %d '%s' (blacklisted: %v)", [i, nc.value, nc.allowed]) | some i, nc in nc_list]) + msg := sprintf( + "%s '%s' has '%s' set to '%s'. Multiple positions matched blacklist: %s", + [friendly_resource_name, resource_value_name, attribute_path_string, full_value, failures] + ) +} \ No newline at end of file diff --git a/policies/_helpers/policies/pattern_whitelist.rego b/policies/_helpers/policies/pattern_whitelist.rego new file mode 100644 index 000000000..11dd9fada --- /dev/null +++ b/policies/_helpers/policies/pattern_whitelist.rego 
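Review bot: A malformed `values` makes this policy disappear rather than fail: `_get_resources` reads `values[0]` and `values[1]` inside the comprehension, so a flat list instead of `[target, [[...], ...]]` leaves the body undefined, `get_violations` undefined, and the orchestrator's `evaluate_conditions` comprehension then omits the condition without a word — the situation prints "None - All passed". Validate the shape in `get_violations`, e.g. `count(values_formatted) == 2`, `is_string(values_formatted[0])`, `is_array(values_formatted[1])`, and return an error object from an `else` branch the way the unknown-policy fallback does, so the breakage is at least visible in `details`. I cannot see `shared.get_target_list`, so whether a `*` count that differs from `count(patterns)` is rejected there or silently skipped by `some i` here is worth confirming with a test. Minor: `_get_blacklist` labels the matched list `"allowed"` while `_format_message` prints it as "blacklisted", which is confusing in the output.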
@@ -0,0 +1,92 @@ +package terraform.helpers.policies.pattern_whitelist + +# Pattern Whitelist Policy +# +# Detects resources where wildcard-extracted substrings DON'T match allowed patterns. +# Uses target pattern with * wildcards to extract substrings, then validates each +# against position-specific whitelists. +# +# Example: +# target: "projects/*/locations/*" +# patterns: [["prod-project"], ["us-central1"]] +# Violates if project is NOT "prod-project" OR location is NOT "us-central1" + +import data.terraform.helpers.shared + +# Identifies resources violating pattern whitelist constraints +# +# Parameters: +# tf_variables - Resource metadata +# attribute_path - Path to attribute for pattern matching +# values_formatted - [target_pattern, patterns_array] where: +# - target_pattern: String with * wildcards +# - patterns_array: Array of arrays (one per wildcard position) +# +# Returns: +# Set of violation objects with {name, message} +get_violations(tf_variables, attribute_path, values_formatted) = results if { + nc_resources := _get_resources(tf_variables.resource_type, attribute_path, values_formatted) + results := { + _build_violation(tf_variables, attribute_path, values_formatted, resource) | + some resource in nc_resources + } +} + +_build_violation(tf_variables, attribute_path, values_formatted, resource) = violation if { + attribute_path_string := shared.format_attribute_path(attribute_path) + nc := _get_whitelist(resource, attribute_path, values_formatted[0], values_formatted[1]) + + violation := { + "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name), + "message": _format_message( + tf_variables.friendly_resource_name, + shared.get_resource_attribute(resource, tf_variables.resource_value_name), + attribute_path_string, + shared.get_attribute_value(resource, attribute_path), + nc + ) + } +} + +# Check if a value matches whitelist patterns +_matches_whitelist(patterns, value) if { + shared.value_in_array(patterns, value) +} + 
+_get_whitelist(resource, attribute_path, target, patterns) = ncc if { + target_list = shared.get_target_list(resource, attribute_path, target) # list of targetted substrings + ncc := [ + {"value": target_list[i], "allowed": patterns[i]} | + some i + not _matches_whitelist(patterns[i], target_list[i]) # direct mapping of positions of target * with its list of allowed patterns + ] +} + +_get_resources(resource_type, attribute_path, values) = resources if { + resources := { + resource | + target := values[0] # target val string + patterns := values[1] # allowed patterns (list) + resource := input.planned_values.root_module.resources[_] + resource.type == resource_type + count(_get_whitelist(resource, attribute_path, target, patterns)) > 0 # ok, there is a resource with at least one non-compliant + } +} + +_format_message(friendly_resource_name, resource_value_name, attribute_path_string, full_value, nc_list) = msg if { + count(nc_list) == 1 + this_nc := nc_list[0] + formatted_value := shared.final_formatter(full_value, this_nc.value) + msg := sprintf( + "%s '%s' has '%s' set to '%s'%s. It should be set to one of: %v", + [friendly_resource_name, resource_value_name, attribute_path_string, formatted_value, shared.empty_message(this_nc.value), this_nc.allowed] + ) +} else = msg if { + count(nc_list) > 1 + failures := concat(", ", [sprintf("position %d '%s' (allowed: %v)", [i, nc.value, nc.allowed]) | some i, nc in nc_list]) + msg := sprintf( + "%s '%s' has '%s' set to '%s'. Multiple positions failed: %s", + [friendly_resource_name, resource_value_name, attribute_path_string, full_value, failures] + ) +} + diff --git a/policies/_helpers/policies/range.rego b/policies/_helpers/policies/range.rego new file mode 100644 index 000000000..93a8ceed3 --- /dev/null +++ b/policies/_helpers/policies/range.rego 
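Review bot: `_get_whitelist` lets a wildcard position with no allowed-list through: `some i` is only bound where both `target_list[i]` and `patterns[i]` exist, so if `patterns` has fewer sub-arrays than the target has `*` wildcards, the extra positions are never compared and any value is accepted — the opposite of what a whitelist should do on misconfiguration. A guard such as `count(patterns) == count(target_list)` at the top of `_get_whitelist`, with a mismatch surfaced as a violation or error rather than silence, closes that. `shared.get_target_list` is outside this diff, so if it already enforces the count this is moot, but I would still assert it here. As with the sibling pattern_blacklist, a malformed `values` makes `_get_resources` undefined and the orchestrator drops the condition without a message.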
@@ -0,0 +1,88 @@
+package terraform.helpers.policies.range
+
+# Range Policy
+#
+# Detects resources with numeric attributes outside specified bounds.
+# Both lower and upper bounds are required.
+#
+# Example: [10, 100] requires value between 10 and 100 (inclusive)
+
+import data.terraform.helpers.shared
+
+################################################################################
+# Range Validation Utilities
+################################################################################
+
+# Checks if a value is within the specified range (inclusive)
+_test_value_range(value, lower_bound, upper_bound) if {
+ value >= lower_bound
+ value <= upper_bound
+}
+
+################################################################################
+# Public API
+################################################################################
+
+# Identifies resources with numeric attributes outside specified range
+#
+# Parameters:
+# tf_variables - Resource metadata
+# attribute_path - Path to numeric attribute
+# values_formatted - Two-element array [lower_bound, upper_bound]
+#
+# Returns:
+# Set of violation objects with {name, message}
+get_violations(tf_variables, attribute_path, values_formatted) = results if {
+ count(values_formatted) == 2
+ lower_bound := values_formatted[0]
+ upper_bound := values_formatted[1]
+
+ nc_resources := _get_resources(tf_variables.resource_type, attribute_path, lower_bound, upper_bound)
+ results := {
+ _build_violation(tf_variables, attribute_path, lower_bound, upper_bound, resource) |
+ some resource in nc_resources
+ }
+}
+
+_build_violation(tf_variables, attribute_path, lower_bound, upper_bound, resource) = violation if {
+ attribute_path_string := shared.format_attribute_path(attribute_path)
+ attribute_value := shared.get_attribute_value(resource, attribute_path)
+
+ violation := {
+ "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name),
+ "message": _format_message(
+ tf_variables.friendly_resource_name,
+ shared.get_resource_attribute(resource, tf_variables.resource_value_name),
+ attribute_path_string,
+ attribute_value,
+ shared.empty_message(attribute_value),
+ lower_bound,
+ upper_bound
+ )
+ }
+}
+
+_get_resources(resource_type, attribute_path, lower_bound, upper_bound) = resources if {
+ resources := {
+ resource |
+ resource := input.planned_values.root_module.resources[_]
+ resource.type == resource_type
+ attribute_value := to_number(shared.get_attribute_value(resource, attribute_path))
+ not _test_value_range(attribute_value, lower_bound, upper_bound)
+ }
+}
+
+_format_message(
+ friendly_resource_name,
+ resource_value_name,
+ attribute_path_string,
+ nc_value,
+ empty,
+ lower_bound,
+ upper_bound
+) = msg if {
+ msg := sprintf(
+ "%s '%s' has '%s' set to '%v'%s. It must be between %v and %v",
+ [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, lower_bound, upper_bound]
+ )
+}
diff --git a/policies/_helpers/policies/whitelist.rego b/policies/_helpers/policies/whitelist.rego
new file mode 100644
index 000000000..7e1442f5f
--- /dev/null
+++ b/policies/_helpers/policies/whitelist.rego
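Review bot: `_get_resources` feeds the attribute straight into `to_number`, so a missing attribute (the `null` fallback that `shared.get_attribute_value` is documented to return) is coerced to `0` if I remember OPA's conversion rules correctly, and whether that gets flagged depends only on whether 0 happens to fall inside `[lower_bound, upper_bound]` — a policy with a lower bound of 0 silently passes resources that never set the attribute. Make the decision explicit: bind `raw := shared.get_attribute_value(resource, attribute_path)` first, treat `raw == null` as its own violation (or as compliant, but on purpose, and say so in the header), and only then `attribute_value := to_number(raw)`. The bounds are not type-checked either, so a `null` or string bound in `values` is, as far as I know, compared by Rego's cross-type ordering instead of erroring; `is_number(lower_bound)` and `is_number(upper_bound)` next to `count(values_formatted) == 2` would catch that. Note that when any of those checks fails `get_violations` is simply undefined and the orchestrator's `evaluate_conditions` comprehension drops the whole condition without a message, so an `else` branch returning an error object would be preferable to plain undefined.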
@@ -0,0 +1,72 @@
+package terraform.helpers.policies.whitelist
+
+# Whitelist Policy
+#
+# Detects resources with attributes NOT matching allowed values.
+# Supports both scalar values and arrays with AND logic (all must be allowed).
+
+import data.terraform.helpers.shared
+
+# Identifies resources violating whitelist constraints
+#
+# Parameters:
+# tf_variables - Resource metadata (resource_type, friendly_resource_name, value_name)
+# attribute_path - Path to attribute being evaluated (array or string)
+# compliant_values - Array of allowed values
+#
+# Returns:
+# Set of violation objects with {name, message}
+get_violations(tf_variables, attribute_path, compliant_values) = results if {
+ nc_resources := _get_resources(tf_variables.resource_type, attribute_path, compliant_values)
+ results := {
+ _build_violation(tf_variables, attribute_path, compliant_values, resource) |
+ some resource in nc_resources
+ }
+}
+
+_build_violation(tf_variables, attribute_path, compliant_values, resource) = violation if {
+ attribute_path_string := shared.format_attribute_path(attribute_path)
+ attribute_value := shared.get_attribute_value(resource, attribute_path)
+
+ violation := {
+ "name": shared.get_resource_attribute(resource, tf_variables.resource_value_name),
+ "message": _format_message(
+ tf_variables.friendly_resource_name,
+ shared.get_resource_attribute(resource, tf_variables.resource_value_name),
+ attribute_path_string,
+ attribute_value,
+ shared.empty_message(attribute_value),
+ compliant_values
+ )
+ }
+}
+
+# Check if a value is whitelisted (handles both scalars and arrays)
+_is_whitelisted(allowed, value) if {
+ # Array case: ALL elements must be allowed (AND logic)
+ is_array(value)
+ allowed_set := {x | some x in allowed}
+ value_set := {x | some x in value}
+ object.subset(allowed_set, value_set)
+}
+
+_is_whitelisted(allowed, value) if {
+ # Scalar case: direct membership check
+ shared.value_in_array(allowed, value)
+}
+
+_get_resources(resource_type, attribute_path, compliant_values) = resources if {
+ resources := {
+ resource |
+ resource := input.planned_values.root_module.resources[_]
+ resource.type == resource_type
+ not _is_whitelisted(compliant_values, shared.get_attribute_value(resource, attribute_path))
+ }
+}
+
+_format_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, compliant_values) = msg if {
+ msg := sprintf(
+ "%s '%s' has '%s' set to '%v'%s. It should be set to '%v'",
+ [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, compliant_values]
+ )
+}
diff --git a/policies/_helpers/shared.rego b/policies/_helpers/shared.rego
new file mode 100644
index 000000000..b62a7f4bd
--- /dev/null
+++ b/policies/_helpers/shared.rego
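Review bot: The array branch of `_is_whitelisted` vacuously passes an empty list: `object.subset(allowed_set, set())` holds for any `allowed_set`, so an attribute set to `[]` is compliant under every whitelist, whereas blacklist.rego in this same patch treats `[]` as a value a policy must opt into explicitly. For a whitelist of permitted CIDR ranges that is probably the right outcome; for "must enable at least one of these" it is a silent pass, so either document the contract in the rule comment, `# an empty array is always compliant`, or require `count(value) > 0` and let policies that want the empty case list it. Absence behaves differently: a missing attribute arrives as the `null` fallback and lands in the scalar branch, which `value_in_array` will presumably reject, so a missing value is fail-closed while an empty array is fail-open — worth one line in the header comment so policy authors know which they get.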
@@ -0,0 +1,165 @@
+package terraform.helpers.shared
+
+# Shared utility functions used by all policy modules
+# No imports to avoid circular dependencies
+
+################################################################################
+# Resource Attribute Extraction
+################################################################################
+
+# Retrieves a resource's attribute value with defensive fallback logic
+#
+# This function handles variations in Terraform resource structure by attempting
+# multiple lookup paths. Different resource types and states (planned vs existing)
+# may store attributes in different locations within the resource object.
+#
+# Lookup sequence:
+# 1. resource.values[attribute_key] - Primary path for planned resource values
+# 2. resource[attribute_key] - Fallback for direct attribute access
+# 3. null - Returns null and prints diagnostic error if both paths fail
+#
+# Parameters:
+# tf_resource_object - A Terraform resource object from the plan
+# attribute_key - The attribute name to extract (e.g., "name", "id", "bucket")
+#
+# Returns:
+# Value of the specified attribute, or null if attribute doesn't exist
+#
+# Example: get_resource_attribute(s3_resource, "bucket") → "my-app-logs"
+get_resource_attribute(tf_resource_object, attribute_key) = attribute_value if {
+tf_resource_object.values[attribute_key]
+attribute_value := tf_resource_object.values[attribute_key]
+} else = attribute_value if {
+attribute_value := tf_resource_object[attribute_key]
+} else = null if {
+print(sprintf("Resource attribute '%s' for resource type '%s' was not found! Your 'resource_value_name' in vars is wrong. Try 'resource_value_name': 'name'.", [attribute_key, tf_resource_object.type]))
+}
+
+################################################################################
+# Attribute Path Formatting
+################################################################################
+# This code is used by policies to convert error messages from:
+# ["status", 0, "restricted_services"] → "status.[0].restricted_services"all this code
+# Converts values from an int to a string but leaves strings as is
+
+
+# Converts values from an int to a string but leaves strings as is
+convert_value(x) = string if {
+type_name(x) == "number"
+string := sprintf("[%v]", [x])
+}
+
+convert_value(x) = x if {
+type_name(x) == "string"
+}
+
+# Converts each entry in attribute path into a string
+get_attribute_path(attribute_path) = result if {
+is_array(attribute_path)
+result := [ val |
+x := attribute_path[_]
+val := convert_value(x)
+]
+}
+
+# Returns a formatted string of any given attribute path
+# Example: ["status", 0, "restricted_services"] → "status.[0].restricted_services"
+format_attribute_path(attribute_path) = string_path if {
+is_array(attribute_path)
+string_path := concat(".", get_attribute_path(attribute_path))
+}
+
+format_attribute_path(attribute_path) = string_path if {
+is_string(attribute_path)
+string_path := replace(attribute_path, "_", " ")
+}
+
+################################################################################
+# Data Normalization
+################################################################################
+
+# Normalizes input values into an array format
+# Accepts either a single value or an array and ensures array output
+# Used to handle flexible policy definition formats
+ensure_array(values) = values if {
+is_array(values)
+}
+ensure_array(values) = [values] if {
+not is_array(values)
+}
+
+# Get attribute value from a resource with null fallback
+# Simplifies the common pattern of accessing nested resource attributes
+#
+# Enhanced: Array-of-Objects Field Extraction (Added 2025-12-04)
+# When the attribute path ends with a string field name and leads to an array of objects,
+# this function automatically extracts that field from each object in the array.
+get_attribute_value(resource, attribute_path) := extracted_values if {
+# Check if this might be an array-of-objects extraction pattern
+count(attribute_path) > 1
+last_element := attribute_path[count(attribute_path) - 1]
+is_string(last_element)
+
+# Get the path to the array (everything except the last element)
+array_path := array.slice(attribute_path, 0, count(attribute_path) - 1)
+array_value := object.get(resource.values, array_path, null)
+
+# If it's an array of objects, extract the field from each
+is_array(array_value)
+count(array_value) > 0
+is_object(array_value[0])
+
+# Extract the field from each object in the array
+extracted_values := [obj[last_element] | obj := array_value[_]; obj[last_element] != null]
+} else := object.get(resource.values, attribute_path, null)
+
+# Searches an array of objects for a specific key and returns its value
+# Used to extract metadata from condition groups
+get_value_from_array(arr, key) = value if {
+some i
+obj := arr[i]
+obj[key] != null
+value := obj[key]
+}
+
+################################################################################
+# Empty Value Handling
+################################################################################
+
+# Returns warning string for empty values, empty string otherwise
+# Handles empty strings and null values gracefully
+empty_message(value) = " (EMPTY!)" if {
+value == ""
+}
+
+empty_message(value) = "" if {
+value != ""
+}
+
+################################################################################
+# Array Membership Checking
+################################################################################
+
+# Generic helper: Check if a scalar value exists in an array
+# Used by policy modules for simple membership testing
+value_in_array(arr, value) if {
+not is_array(value)
+arr[_] == value
+}
+
+################################################################################
+# Regex Pattern Utilities (for pattern policies)
+################################################################################
+
+# Gets the target * pattern - extracts substrings matching wildcard positions
+get_target_list(resource, attribute_path, target) = target_list if {
+p := regex.replace(target, "\\*", "([^/]+)")
+target_value := object.get(resource.values, attribute_path, null)
+matches := regex.find_all_string_submatch_n(p, target_value, 1)[0] # all matches, including main string
+target_list := array.slice(matches, 1, count(matches)) # leaves every single * match except main string
+} else := "Wrong pattern"
+
+# Formats pattern with quotes for display
+final_formatter(target, sub_pattern) = final_format if {
+final_format := regex.replace(target, sub_pattern, sprintf("'%s'", [sub_pattern]))
+}
\ No newline at end of file
diff --git a/policies/gcp/_helpers/helpers.rego b/policies/gcp/_helpers/helpers.rego
index 6b1b3949e..bf811d45f 100644
--- a/policies/gcp/_helpers/helpers.rego
+++ b/policies/gcp/_helpers/helpers.rego
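Review bot: `get_target_list` turns the policy author's `*` glob into a regex but never anchors it, so `regex.find_all_string_submatch_n(p, target_value, 1)` accepts the first match anywhere in the attribute value and a pattern allow-list also passes a value that merely contains the expected shape as a substring; any other regex metacharacters in `target` (`.`, `(`, `+`) are likewise interpreted as regex rather than literal text. Anchoring the compiled pattern, `p := concat("", ["^", regex.replace(target, "\\*", "([^/]+)"), "$"])`, limits the match to the whole value; escaping the remaining metacharacters needs a separate step and the function comment should state which characters in `target` are treated literally. On the documentation side, the `Attribute Path Formatting` header carries a stray `all this code` fragment and repeats the `Converts values from an int to a string` line, and the `empty_message` comment claims to handle null values although only `value == ""` is tested — null falls through to the `value != ""` branch and yields the empty string.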
@@ -1,587 +1,11 @@ package terraform.gcp.helpers -# tested on OPA Version: 1.2.0, Rego Version: v1 -# Defines the types of policies capable of being processed -policy_types := ["blacklist", "whitelist", "range", "pattern blacklist", "pattern whitelist"] +# Shim to redirect to common helpers at policies/_helpers/ +# This allows existing GCP policies to continue using terraform.gcp.helpers +# while the actual implementation has moved to terraform.helpers -#################################################### +import data.terraform.helpers -# NEW FUNCTIONS - -# Get resource's name; if not in values, take default "name". Checked! -get_resource_name(this_nc_resource, value_name) = resource_name if { - this_nc_resource.values[value_name] - resource_name := this_nc_resource.values[value_name] -} else = resource_name if { - resource_name := this_nc_resource[value_name] -} else = null if { - print(sprintf("Resource name for '%s' was not found! Your 'resource_value_name' in vars is wrong. Try 'resource_value_name': 'name'.", [this_nc_resource.type])) -} - -# Handle empty array blacklisting specifically -array_contains(arr, elem, pol) if { - pol == "blacklist" - [] in arr # Check if empty array is in blacklisted values - is_array(elem) - count(elem) == 0 # elem is empty -} - -# if elem is an array; checks if elem contains any blacklisted items. e.g., elem=[w, r, a], arr=[a] -> true -array_contains(arr, elem, pol) if { - is_array(elem) - pol == "blacklist" - #print(sprintf("%s", ["bb"])) - arr_to_set = {x | x := arr[_]} - elem_to_set = {x | x := elem[_]} - count(arr_to_set & elem_to_set) > 0 -} - -# if elem is an array; checks if elem is at least a subset of arr. 
e.g., elem=[write, read], arr=[read, write, eat] -> true -array_contains(arr, elem, pol) if { - is_array(elem) - pol == "whitelist" - #print(sprintf("%s", ["ww"])) - arr_to_set = {x | x := arr[_]} - elem_to_set = {x | x := elem[_]} - object.subset(arr_to_set, elem_to_set) -} - -# Generic helper functions: - -# Helper: Check if value exists in array -array_contains(arr, elem, pol) if { - not is_array(elem) - #print(sprintf("%s", ["a2"])) - arr[_] == elem -} - -# For resource filtering -resource_type_match(resource, resource_type) if { - resource.type == resource_type -} - -# Collect all relevant resources -get_all_resources(resource_type) = resources if -{ - resources := [ - resource | - resource := input.planned_values.root_module.resources[_] - resource_type_match(resource, resource_type) - ] -} -# Extract policy type -get_policy_type(chosen_type) = policy_type if { - policy_type := policy_types[_] - policy_type == chosen_type -} - -# Converts values from an int to a string but leaves strings as is -convert_value(x) = string if { - type_name(x) == "number" - string := sprintf("[%v]", [x]) -} - -convert_value(x) = x if { - type_name(x) == "string" -} -# Converts each entry in attribute path into a string -get_attribute_path(attribute_path) = result if { - is_array(attribute_path) - result := [ val | - x := attribute_path[_] - val := convert_value(x) - ] -} -# Returns a formatted string of any given attribute path -format_attribute_path(attribute_path) = string_path if { - is_array(attribute_path) - string_path := concat(".", get_attribute_path(attribute_path)) -} -format_attribute_path(attribute_path) = string_path if { - is_string(attribute_path) - string_path := replace(attribute_path, "_", " ") -} -array_check(values) = result if { - type := type_name(values) - type != "array" - result := [values] -} -array_check(values) = result if { - type := type_name(values) - type == "array" - result := values -} - -# Check if value is empty space -is_empty(value) if { - 
value == "" -} - -# empty_message: if empty, return fomratted warning -empty_message(value) = msg if { - is_empty(value) - msg = " (!!!EMPTY!!!)" -} - -# empty_message: if present, return nothing (space) -empty_message(value) = msg if { - not is_empty(value) - msg = "" -} - -#Checks a value sits between a given range of a passed object with keys upper_bound and lower_bound - -test_value_range(range_values, value) if { - test_lower_range(range_values, value) - test_upper_range(range_values, value) -} - -test_lower_range(range_values,value) = true if { - # Check value exists - not is_null(range_values.lower_bound) - value >= range_values.lower_bound -} - -# Null indicates no lower bound -test_lower_range(range_values,value) = true if { - is_null(range_values.lower_bound) -} - -test_upper_range(range_values,value) = true if { - # Check value exists - not is_null(range_values.upper_bound) - value <= range_values.upper_bound -} - -# Null indicates no higher bound -test_upper_range(range_values,value) = true if { - is_null(range_values.upper_bound) -} - -is_null_or_number(value) if { - is_null(value) # true if value is null -} - -is_null_or_number(value) if { - type_name(value) == "number" # true if value is a number -} - -# Search an array of objects for a specific key, return the value -get_value_from_array(arr, key) = value if { - some i - obj := arr[i] - obj[key] != null - value := obj[key] -} - -# Checks if a set is empty and returns a message if it is -check_empty_set(set,msg) = return if { - count(set) == 0 - return := [msg] -} -check_empty_set(set,msg) = return if { - count(set) != 0 - return := set -} - -#################################################### - -# Entry point for all policies -get_multi_summary(situations, variables) = summary if { # Samira , Patrick - # Unpack values from vars - resource_type := variables.resource_type - friendly_resource_name := variables.friendly_resource_name - value_name := variables.resource_value_name - all_resources := 
get_all_resources(resource_type) - violations := check_violations(resource_type, situations, friendly_resource_name, value_name) - violations_object := process_violations(violations) - formatted_message := format_violations(violations_object) - summary := { - "message": array.concat( - [sprintf("Total %s detected: %d ", [friendly_resource_name, count(all_resources)])], - formatted_message - ), - "details": violations_object - } -} else := "Policy type not supported." - -select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { - chosen_type == policy_types[0] # Blacklist - results := get_blacklist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) -} - -select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { - chosen_type == policy_types[1] # Whitelist - results := get_whitelist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) -} - -select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { - chosen_type == policy_types[2] # Range (Upper and lower bounds) - values_formatted_range := format_range_input(values_formatted[0], values_formatted[1]) - results := get_range_violations(resource_type, attribute_path, values_formatted_range, friendly_resource_name, value_name) -} - -select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { - chosen_type == policy_types[3] # Patterns (B) - results := get_pattern_blacklist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) -} - -select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { - chosen_type == policy_types[4] # 
Patterns (W) - results := get_pattern_whitelist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) -} - -check_violations(resource_type, situations, friendly_resource_name, value_name) = violations if { - some i - violations := [ - msg | - msg := check_conditions(resource_type, situations[i], friendly_resource_name, value_name) - ] -} - -check_conditions(resource_type, situation, friendly_resource_name, value_name) = violations if { - messages := [ - msg | - condition := situation[_] # per cond - condition_name := condition.condition - attribute_path := condition.attribute_path - values := condition.values - pol := lower(condition.policy_type) - pol == get_policy_type(pol) # checks, leads to else - values_formatted = array_check(values) - msg := {condition_name : select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, pol, value_name)} # all in - ] - sd := get_value_from_array(situation,"situation_description") - remedies := get_value_from_array(situation,"remedies") - violations := { - "situation_description": sd, - "remedies": remedies, - "all_conditions": messages #[{c1 : [{msg, nc}, {msg, nc}, ...]}, {c2 :[{msg, nc}, ...]}, ... 
: [...], ...}] - } -} - -process_violations(violations) = situation_summary if { - # In each set of rules, get each unique nc resource name and each violation message - situation := [ - {sit_desc : {"remedies": remedies, "conds": conds}} | - this_sit := violations[_] - sit_desc := this_sit.situation_description - remedies := this_sit.remedies - conds := this_sit.all_conditions - ] - - # There is an issue here if you use the same situation description however that shouldn't happen - - # Create a set containing only the nc resource for each situation - resource_sets := [ {sit_desc : resource_set} | - this_sit := situation[_] - some key, val in this_sit - sit_desc := key - this_condition := val.conds - resource_set := [nc | - some keyy, vall in this_condition[_] - nc := {x | x := vall[_].name}] - ] - - overall_nc_resources :=[ {sit_desc : intersec} | - this_set := resource_sets[_] - some key, val in this_set - sit_desc := key - intersec := intersection_all(val) - ] - - resource_message := [ {sit : msg} | # USE THIS - some key, val in overall_nc_resources[_] - sit := key - msg := check_empty_set(val, "All passed") - ] - # PER SITUATION - - situation_summary := [ summary | - this_sit := situation[_] - some key, val in this_sit - sit_name := key - details := val.conds - remedies := val.remedies - nc_all := object.get(resource_message[_], sit_name, null) - nc_all != null - - summary := { - "situation" : sit_name, - "remedies" : remedies, - "non_compliant_resources" : nc_all, - "details" : details - } - ] - -} - -format_violations(violations_object) = formatted_message if { - formatted_message := [ - [ sd, nc, remedies] | - some i - this_sit := violations_object[i] - sd := sprintf("Situation %d: %s",[i+1, this_sit.situation]) - resources_value := [value | - value := this_sit.non_compliant_resources[_] - ] - nc := sprintf("Non-Compliant Resources: %s", [concat(", ", resources_value)]) - remedies := sprintf("Potential Remedies: %s", [concat(", ", this_sit.remedies)]) - ] -} 
- -intersection_all(sets) = result if { - result = {x | - x = sets[0][_] - all_other := [s | s := sets[_]] - every s in all_other { x in s } - } -} -#################################################### - -# Policy type specific methods - -# Each policy type needs the following: -# 1. A method that formats the error message to be displayed for a non-compliant value -# 2. A method that obtains non-complaint resources -# 3. A method that calls method to obtain nc resources and for each calls the format method - -# Blacklist methods - -get_blacklisted_resources(resource_type, attribute_path, blacklisted_values) = resources if { - resources := [ - resource | - resource := input.planned_values.root_module.resources[_] - resource_type_match(resource, resource_type) - # Test array of array and deeply nested values - array_contains(blacklisted_values, object.get(resource.values, attribute_path, null), "blacklist") - ] -} - -get_blacklist_violations(resource_type, attribute_path, blacklisted_values, friendly_resource_name, value_name) = results if { - string_path := format_attribute_path(attribute_path) - results := - [ { "name": get_resource_name(this_nc_resource, value_name), - "message": msg - } | - nc_resources := get_blacklisted_resources(resource_type, attribute_path, blacklisted_values) - this_nc_resource = nc_resources[_] - this_nc_attribute = object.get(this_nc_resource.values, attribute_path, null) - msg := format_blacklist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, this_nc_attribute, empty_message(this_nc_attribute), blacklisted_values) - ] -} - -format_blacklist_message(friendly_resource_name, resource_value_name, string_path, nc_value, empty, nc_values) = msg if { - msg := sprintf( - #Change message however we want it displayed - "%s '%s' has '%s' set to '%v'%s. 
This is blacklisted: %v", - [friendly_resource_name, resource_value_name, string_path, nc_value, empty, nc_values] - ) -} -#################################################### -# Whitelist methods - -format_whitelist_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, compliant_values) = msg if { - msg := sprintf( - "%s '%s' has '%s' set to '%v'%s. It should be set to '%v'", - [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, compliant_values] - ) -} - -get_nc_whitelisted_resources(resource_type, attribute_path, compliant_values) = resources if { - resources := [ - resource | - resource := input.planned_values.root_module.resources[_] - resource_type_match(resource, resource_type) - # Test array of array and deeply nested values - not array_contains(compliant_values, object.get(resource.values, attribute_path, null), "whitelist") - ] -} - -get_whitelist_violations(resource_type, attribute_path, compliant_values, friendly_resource_name, value_name) = results if { - string_path := format_attribute_path(attribute_path) - results := - [ { "name": get_resource_name(this_nc_resource, value_name), - "message": msg - } | - nc_resources := get_nc_whitelisted_resources(resource_type, attribute_path, compliant_values) - this_nc_resource = nc_resources[_] - this_nc_attribute = object.get(this_nc_resource.values, attribute_path, null) - msg := format_whitelist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, this_nc_attribute, empty_message(this_nc_attribute), compliant_values) - ] -} - -#################################################### -# Range methods - -get_upper_bound(range_values) = bound if { - not is_null(range_values.upper_bound) - bound := sprintf("%v", [range_values.upper_bound]) -} -get_upper_bound(range_values) = "Inf" if { - is_null(range_values.upper_bound) -} - -get_lower_bound(range_values) = bound if { - not 
is_null(range_values.lower_bound) - bound := sprintf("%v", [range_values.lower_bound]) -} -get_lower_bound(range_values) = "-Inf" if { - is_null(range_values.lower_bound) -} - -format_range_validation_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, range_values) = msg if { - upper_bound := get_upper_bound(range_values) - lower_bound := get_lower_bound(range_values) - msg := sprintf( - "%s '%s' has '%s' set to '%s'%s. It should be set between '%s and %s'.", - [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, lower_bound, upper_bound] - ) -} - -get_nc_range_resources(resource_type, attribute_path, range_values) = resources if { - resources := [ - resource | - resource := input.planned_values.root_module.resources[_] - resource_type_match(resource, resource_type) - # Test array of array and deeply nested values - not test_value_range(range_values, to_number(object.get(resource.values, attribute_path, null))) - ] -} - -get_range_violations(resource_type, attribute_path, range_values, friendly_resource_name, value_name) = results if { - unpacked_range_values = range_values #[0] <===================================================================== removed [0] - Visal - string_path := format_attribute_path(attribute_path) - results := - [ { "name": get_resource_name(this_nc_resource, value_name), - "message": msg - } | - nc_resources := get_nc_range_resources(resource_type, attribute_path, unpacked_range_values) - this_nc_resource = nc_resources[_] - this_nc_attribute = object.get(this_nc_resource.values, attribute_path, null) - msg := format_range_validation_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, this_nc_attribute, empty_message(this_nc_attribute), unpacked_range_values) - ] -} - -format_range_input(lower,upper) = range_values if { - is_null_or_number(lower) - is_null_or_number(upper) - range_values := 
{"lower_bound":lower,"upper_bound":upper} -} - -format_range_validation_message( - friendly_resource_name, - resource_value_name, - attribute_path_string, - nc_value, - empty, - range_values -) = msg if { - lower := get_lower_bound(range_values) - upper := get_upper_bound(range_values) - - msg := sprintf( - "%s '%s' has '%s' set to '%v'%s. It must be between %v and %v", - [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, lower, upper] - ) -} - -############### REGEX - -# HELPER: gets the target * pattern -get_target_list(resource, attribute_path, target) = target_list if { - p := regex.replace(target, "\\*", "([^/]+)") - #print(sprintf("SSSSSSSSSSSSSSSSSSSSound %s", [p])) - target_value := object.get(resource.values, attribute_path, null) - matches := regex.find_all_string_submatch_n(p, target_value, 1)[0] # all matches, including main string - target_list := array.slice(matches, 1, count(matches)) # leaves every single * match except main string - #print(sprintf("SSSSSSSSSSSSSSSSSSSSound %s", [target_list])) -} else := "Wrong pattern" - -final_formatter(target, sub_pattern) = final_format if { - final_format := regex.replace(target, sub_pattern, sprintf("'%s'", [sub_pattern])) -} - -# PATTERN BLACKLIST -get_nc_pattern_blacklist(resource, attribute_path, target, patterns) = ncc if { - target_list = get_target_list(resource, attribute_path, target) # list of targetted substrings - ncc := [ - {"value": target_list[i], "allowed": patterns[i]} | - some i - array_contains(patterns[i], target_list[i], "blacklist") # direct mapping of positions of target * with its list of allowed patterns - ] -} - -get_nc_pattern_blacklist_resources(resource_type, attribute_path, values) = resources if { - resources := [ - resource | - target := values[0] # target val string - patterns := values[1] # allowed patterns (list) - resource := input.planned_values.root_module.resources[_] - resource_type_match(resource, resource_type) - 
count(get_nc_pattern_blacklist(resource, attribute_path, target, patterns)) > 0 # ok, there is a resource with at least one non-compliant - ] -} - -get_pattern_blacklist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) = results if { - string_path := format_attribute_path(attribute_path) - results := # and their patterns - [ { "name": get_resource_name(this_nc_resource, value_name), - "message": msg - } | - nc_resources := get_nc_pattern_blacklist_resources(resource_type, attribute_path, values_formatted) - this_nc_resource = nc_resources[_] - nc := get_nc_pattern_blacklist(this_nc_resource, attribute_path, values_formatted[0], values_formatted[1]) - this_nc := nc[_] - msg := format_pattern_blacklist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, final_formatter(object.get(this_nc_resource.values, attribute_path, null), this_nc.value), empty_message(this_nc.value), this_nc.allowed) - ] -} - -format_pattern_blacklist_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, allowed_values) = msg if { - msg := sprintf( - "%s '%s' has '%s' set to '%s'%s. 
This is blacklisted: %s", - [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, allowed_values] - ) -} - -# PATTERN WHITELIST (clone of blacklist, but not array_contains() -get_nc_pattern_whitelist(resource, attribute_path, target, patterns) = ncc if { - target_list = get_target_list(resource, attribute_path, target) # list of targetted substrings - ncc := [ - {"value": target_list[i], "allowed": patterns[i]} | - some i - not array_contains(patterns[i], target_list[i], "whitelist") # direct mapping of positions of target * with its list of allowed patterns - ] -} - -get_nc_pattern_whitelist_resources(resource_type, attribute_path, values) = resources if { - resources := [ - resource | - target := values[0] # target val string - patterns := values[1] # allowed patterns (list) - resource := input.planned_values.root_module.resources[_] - resource_type_match(resource, resource_type) - count(get_nc_pattern_whitelist(resource, attribute_path, target, patterns)) > 0 # ok, there is a resource with at least one non-compliant - ] -} - -get_pattern_whitelist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) = results if { - string_path := format_attribute_path(attribute_path) - results := # and their patterns - [ { "name": get_resource_name(this_nc_resource, value_name), - "message": msg - } | - nc_resources := get_nc_pattern_whitelist_resources(resource_type, attribute_path, values_formatted) - this_nc_resource = nc_resources[_] - nc := get_nc_pattern_whitelist(this_nc_resource, attribute_path, values_formatted[0], values_formatted[1]) - this_nc := nc[_] - msg := format_pattern_whitelist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, final_formatter(object.get(this_nc_resource.values, attribute_path, null), this_nc.value), empty_message(this_nc.value), this_nc.allowed) - ] -} - -format_pattern_whitelist_message(friendly_resource_name, 
resource_value_name, attribute_path_string, nc_value, empty, allowed_values) = msg if { - msg := sprintf( - "%s '%s' has '%s' set to '%s'%s. It should be set to one of: %s", - [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, allowed_values] - ) -} +# Re-export the function that policies actually use +# In Rego, we need to wrap the function call, not assign it +get_multi_summary(situations, variables) = helpers.get_multi_summary(situations, variables) diff --git a/scripts/docgen/create_markdown.py b/scripts/docgen/create_markdown.py index 8d7af4524..3b6a96204 100644 --- a/scripts/docgen/create_markdown.py +++ b/scripts/docgen/create_markdown.py @@ -59,7 +59,7 @@ def generate_nested_blocks(args_dict, level=0, resource_name=None): for arg, details in args_dict.items(): if "arguments" in details and details["arguments"]: # Create a block header - md += f"\n### {indent}{arg} Block\n" + md += f"\n### {indent}{arg} Block\n\n" # Table header md += ( f"{indent}| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |\n" @@ -94,7 +94,8 @@ def generate_markdown_from_json(resource_json): --- -## Argument Reference +## Argument Reference + """ # 1️⃣ Top-level table diff --git a/tests/_helpers/README.md b/tests/_helpers/README.md new file mode 100644 index 000000000..d8907db86 --- /dev/null +++ b/tests/_helpers/README.md 
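Review bot: The shim re-exports only `get_multi_summary`, while the removed file also exposed `array_contains`, `get_resource_name`, `format_attribute_path`, `empty_message`, `get_value_from_array` and the other helpers under `terraform.gcp.helpers`; any GCP policy that still calls one of those through `helpers.` would now evaluate to undefined, which in Rego surfaces as no violations rather than an error — a silent fail-open for a compliance check. The header comment promises that existing policies "continue using terraform.gcp.helpers", so either confirm no policy references another helper and re-export any that do, or narrow the comment to `# Only get_multi_summary is re-exported; the other former helpers now live under data.terraform.helpers`. Whether any policy depends on another helper is not visible from this hunk.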
@@ -0,0 +1,175 @@
+# Helper Policy Tests
+
+Unit tests for policy helper functions in `policies/_helpers/`.
+
+## Quick Start
+
+```bash
+# Run all helper tests
+./tests/_helpers/unit_test_helpers.sh
+
+# Quick integration check
+./tests/_helpers/smoke_test_helpers.sh
+
+# Debug policy output
+./tests/_helpers/policy_debug.sh
+
+# Review violation messages
+./tests/_helpers/check_ux.sh
+```
+
+## Test Files
+
+| File | Tests | Coverage |
+|------|-------|----------|
+| `shared_test.rego` | 12 | Shared utilities (get_resource_attribute, format paths, etc.) |
+| `blacklist_test.rego` | 10 | Blacklist policy (forbidden values) |
+| `whitelist_test.rego` | 10 | Whitelist policy (required values) |
+| `range_test.rego` | 8 | Range policy (numeric bounds, simplified) |
+| `pattern_blacklist_test.rego` | 8 | Pattern blacklist (glob matching forbidden) |
+| `pattern_whitelist_test.rego` | 8 | Pattern whitelist (glob matching required) |
+| `element_blacklist_test.rego` | 8 | Element blacklist (array elements with substrings) |
+
+**Total:** 64 tests covering all 7 helper policies
+
+## Test Structure
+
+Each test file follows an 8-test pattern:
+- **Unit tests (6):** Test individual helper functions with boundary cases
+- **Integration test (1):** Realistic mocks with multiple resources
+- **Reality check (1):** Uses real Terraform fixtures
+
+## Test Scripts
+
+### unit_test_helpers.sh
+Runs all 7 test suites with fixtures. Use for comprehensive validation.
+
+### smoke_test_helpers.sh
+Fast integration tests (5 policies at policy level). Use for quick feedback during development.
+
+### policy_debug.sh
+Shows full policy output with `--format pretty`. Use when debugging failures.
+
+### check_ux.sh
+Displays complete violation objects. Use to review user-facing error messages before merging.
+
+## Fixtures
+
+Real Terraform plans wrapped in unique keys to avoid OPA namespace conflicts.
+
+### Why Wrapper Structure?
+
+OPA loads all JSON files recursively and merges them into a single `data` namespace. When multiple files have identical top-level keys (like `format_version`, `terraform_version`), OPA throws merge conflicts.
+
+**Solution:** Wrap each Terraform plan in a unique outer key matching the directory name + `_plan` suffix.
+
+```json
+{
+ "gcp_storage_bucket_plan": {
+ "format_version": "1.2",
+ "terraform_version": "1.12.2",
+ "planned_values": { ... },
+ "resource_changes": [ ... ]
+ }
+}
+```
+
+### Available Fixtures
+
+| Fixture | Resource | Used By | Source |
+|---------|----------|---------|--------|
+| `gcp_storage_bucket_plan` | `google_storage_bucket` | blacklist, whitelist, range tests | `inputs/gcp/cloud_storage/google_storage_bucket/retention_period/` |
+| `gcp_project_plan` | `google_project` | pattern blacklist/whitelist tests | `inputs/gcp/cloud_platform_service/google_project/project_id/` |
+| `gcp_access_level_plan` | `google_access_context_manager_access_level` | shared tests (deep nesting) | `inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_access_level/device_policy/` |
+
+**Note:** `gcp_access_level_plan` has 5-level deep nesting, ideal for testing nested attribute extraction.
+
+### Using Fixtures
+
+```rego
+test_with_fixture if {
+ plan := data.gcp_storage_bucket_plan # Wrapper key becomes data path
+ resource := plan.planned_values.root_module.resources[0]
+ # ... test logic
+}
+```
+
+### Regenerating Fixtures
+
+When helper functions change or test cases need updates:
+
+```bash
+# 1. Navigate to Terraform configuration
+cd inputs/gcp///
+
+# 2. Generate plan (if not already exists)
+terraform init
+terraform plan -out=plan.tfplan
+
+# 3. Export to JSON and wrap in unique namespace
+terraform show -json plan.tfplan > plan.json
+jq '{_plan: .}' plan.json > ../../../../tests/_helpers/fixtures//plan.json
+
+# 4. Cleanup
+rm plan.json plan.tfplan
+```
+
+**Examples:**
+
+```bash
+# Storage Bucket
+cd inputs/gcp/cloud_storage/google_storage_bucket/retention_period
+terraform show -json plan.tfplan > plan.json
+jq '{gcp_storage_bucket_plan: .}' plan.json > ../../../../tests/_helpers/fixtures/gcp_storage_bucket/plan.json
+rm plan.json
+
+# Project
+cd inputs/gcp/cloud_platform_service/google_project/project_id
+terraform show -json plan.tfplan > plan.json
+jq '{gcp_project_plan: .}' plan.json > ../../../../tests/_helpers/fixtures/gcp_project/plan.json
+rm plan.json
+
+# Access Level
+cd inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_access_level/device_policy
+terraform show -json plan.tfplan > plan.json
+jq '{gcp_access_level_plan: .}' plan.json > ../../../../tests/_helpers/fixtures/gcp_access_level/plan.json
+rm plan.json
+```
+
+### Creating New Fixtures
+
+Follow this pattern for new fixtures:
+
+```bash
+# 1. Create fixture directory (name becomes data path prefix)
+mkdir tests/_helpers/fixtures/gcp_compute_instance
+
+# 2. Navigate to relevant Terraform configuration
+cd inputs/gcp//google_compute_instance/
+
+# 3. Generate Terraform plan
+terraform init
+terraform plan -out=plan.tfplan
+terraform show -json plan.tfplan > plan.json
+
+# 4. Wrap with unique key matching directory name + _plan
+jq '{gcp_compute_instance_plan: .}' plan.json > ../../../../tests/_helpers/fixtures/gcp_compute_instance/plan.json
+
+# 5. Cleanup
+rm plan.json plan.tfplan
+
+# 6. Access in tests as data.gcp_compute_instance_plan
+```
+
+**Key requirements:**
+- Directory name must match wrapper key prefix (e.g., `gcp_compute_instance/` → `gcp_compute_instance_plan`)
+- Always use `jq` to wrap the plan (prevents namespace conflicts)
+- Source Terraform configs from `inputs/gcp/` directory
+
+## Adding New Tests
+
+1. Create `_test.rego` in `tests/_helpers/`
+2. Follow 8-test pattern (6 unit + 1 integration + 1 reality check)
+3. Use fixtures for reality checks: `data._plan`
+4. Update `unit_test_helpers.sh` to include new test file
+5. Run tests to verify: `./tests/_helpers/unit_test_helpers.sh`
diff --git a/tests/_helpers/blacklist_test.rego b/tests/_helpers/blacklist_test.rego
new file mode 100644
index 000000000..a0d9954a7
--- /dev/null
+++ b/tests/_helpers/blacklist_test.rego
@@ -0,0 +1,315 @@
+package terraform.helpers.policies.blacklist_test
+
+# Blacklist Policy Test Suite
+#
+# Tests the blacklist policy module which detects resources with forbidden values.
+# Covers scalar values, array OR logic, empty array special case, and message formatting.
+
+import data.terraform.helpers.policies.blacklist
+import data.terraform.helpers.shared
+import data.terraform.helpers.shared_test
+import rego.v1
+
+# ==============================================================================
+# UNIT TESTS (6): Test _is_blacklisted helper function
+# ==============================================================================
+
+# Test 1: Scalar value in blacklist (boundary: match)
+test_is_blacklisted_scalar_match if {
+ blacklist._is_blacklisted(["forbidden", "banned"], "forbidden")
+}
+
+# Test 2: Scalar value not in blacklist (boundary: no match)
+test_is_blacklisted_scalar_no_match if {
+ not blacklist._is_blacklisted(["forbidden", "banned"], "allowed")
+}
+
+# Test 3: Array with ANY blacklisted value (OR logic proof)
+test_is_blacklisted_array_any_match if {
+ blacklist._is_blacklisted(["bad", "evil"], ["good", "bad", "ugly"])
+}
+
+# Test 4: Array with NO blacklisted values (OR logic negative)
+test_is_blacklisted_array_no_match if {
+ not blacklist._is_blacklisted(["bad", "evil"], ["good", "ugly"])
+}
+
+# Test 5: Empty array blacklisting (critical edge case)
+test_is_blacklisted_empty_array if {
+ blacklist._is_blacklisted([[]], [])
+}
+
+# ==============================================================================
+# MOCK DATA PROVENANCE
+# ==============================================================================
+# Minimal mocks in tests 6-10 are synthetic, designed to test specific logic paths.
+# They represent simplified versions of real Terraform resources with controlled
+# attributes to validate exact behavior (e.g., single violation, edge cases).
+#
+# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_storage_bucket/plan.json
+# Source: inputs/gcp/cloud_storage/google_storage_bucket/retention_period/
+# Purpose: Tests against actual Terraform plan structure with 2 buckets:
+# - c123: retention_period=604800 (7 days), location=US, force_destroy=true
+# - nc123: retention_period=2692000 (31 days), location=US, force_destroy=true
+# ==============================================================================
+
+# Test 6: get_violations with minimal mock (happy path + structure validation)
+test_get_violations_minimal if {
+ # Minimal mock with blacklisted location
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "test-bucket",
+ "location": "US",
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ violations := blacklist.get_violations(
+ tf_variables,
+ ["location"],
+ ["US"],
+ ) with input as mock_input
+
+ count(violations) == 1
+ some v in violations
+ v.name == "test-bucket"
+ shared_test._assert_valid_violation(v)
+ contains(v.message, "test-bucket") # Resource name
+ contains(v.message, "US") # Violating value
+ contains(v.message, "blacklisted") # Verdict
+}
+
+# ==============================================================================
+# INTEGRATION TEST (1): Realistic structure with edge cases
+# ==============================================================================
+
+# Test 7: get_violations with realistic Terraform structures
+test_get_violations_realistic if {
+ # Realistic mock including edge cases
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ # Normal resource with blacklisted value
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "violating-bucket",
+ "location": "US",
+ "storage_class": "STANDARD",
+ },
+ },
+ # Resource with allowed value
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "compliant-bucket",
+ "location": "EU",
+ "storage_class": "STANDARD",
+ },
+ },
+ # Resource with null location (edge case)
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "null-bucket",
+ "location": null,
+ "storage_class": "STANDARD",
+ },
+ },
+ # Different resource type (should be ignored)
+ {
+ "type": "google_project",
+ "values": {
+ "name": "test-project",
+ "location": "US",
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ violations := blacklist.get_violations(
+ tf_variables,
+ ["location"],
+ ["US"],
+ ) with input as mock_input
+
+ # Should only flag the violating bucket
+ count(violations) == 1
+ violation_names := {v.name | some v in violations}
+ violation_names == {"violating-bucket"}
+
+ some v in violations
+ contains(v.message, "Storage Bucket")
+ contains(v.message, "location")
+ contains(v.message, "'US'")
+}
+
+# ==============================================================================
+# REALITY CHECK (1): Test with real Terraform plan structure
+# ==============================================================================
+
+# Test 8: get_violations with real Terraform plan
+test_real_plan_violations if {
+ # Use real fixture - gcp_storage_bucket from fixtures
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ # Test with real data - blacklist a location that might exist
+ violations := blacklist.get_violations(
+ tf_variables,
+ ["location"],
+ ["US", "EU"],
+ ) with input as data.gcp_storage_bucket_plan
+
+ is_set(violations)
+ every v in violations {
+ shared_test._assert_valid_violation(v)
+ contains(v.message, "Storage Bucket")
+ contains(v.message, "location")
+ }
+}
+
+# ==============================================================================
+# ADDITIONAL TESTS (2): Real-world usage patterns
+# ==============================================================================
+
+# Test 9: Boolean blacklisting (real-world use case - force_destroy)
+test_get_violations_boolean_blacklist if {
+ # Mock matching real policy: force_destroy: true is blacklisted
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "unsafe-bucket",
+ "force_destroy": true,
+ "location": "US",
+ },
+ },
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "safe-bucket",
+ "force_destroy": false,
+ "location": "US",
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ # Blacklist force_destroy: true (actual policy usage pattern)
+ violations := blacklist.get_violations(
+ tf_variables,
+ ["force_destroy"],
+ [true],
+ ) with input as mock_input
+
+ # Should only flag unsafe-bucket
+ count(violations) == 1
+ some v in violations
+ v.name == "unsafe-bucket"
+ contains(v.message, "force_destroy")
+ contains(v.message, "true")
+}
+
+# Test 10: Array attribute with OR logic (tests helper's array intersection)
+test_get_violations_array_attribute if {
+ # Mock with array attributes (e.g., labels, tags)
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "violating-bucket",
+ "labels": {
+ "env": "dev",
+ "team": "security",
+ },
+ "uniform_bucket_level_access": [
+ {
+ "enabled": false,
+ "locked": false,
+ },
+ ],
+ },
+ },
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "compliant-bucket",
+ "labels": {
+ "env": "prod",
+ "team": "security",
+ },
+ "uniform_bucket_level_access": [
+ {
+ "enabled": true,
+ "locked": true,
+ },
+ ],
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ # Blacklist specific nested array attribute values (OR logic)
+ # If uniform_bucket_level_access array contains enabled: false, it violates
+ violations := blacklist.get_violations(
+ tf_variables,
+ ["uniform_bucket_level_access", 0, "enabled"],
+ [false],
+ ) with input as mock_input
+
+ # Should flag bucket with enabled: false
+ count(violations) == 1
+ some v in violations
+ v.name == "violating-bucket"
+ contains(v.message, "uniform_bucket_level_access")
+ contains(v.message, "false")
+}
diff --git a/tests/_helpers/check_ux.sh b/tests/_helpers/check_ux.sh
new file mode 100755
index 000000000..775037ee2
--- /dev/null
+++ b/tests/_helpers/check_ux.sh
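Review bot: Test 8 (`test_real_plan_violations`) cannot fail on an empty result: `every v in violations { ... }` is vacuously true for an empty set, so a fixture that did not load or a resource-type mismatch still passes the reality check. The provenance comment says the fixture holds two `google_storage_bucket` resources, both with `location=US`, so blacklisting `["US", "EU"]` should produce exactly two violations; pin that with `count(violations) == 2` directly after `is_set(violations)`, and, if `c123`/`nc123` are the buckets' `name` values, also `{v.name | some v in violations} == {"c123", "nc123"}`. The banner `# UNIT TESTS (6)` covers only five `_is_blacklisted` tests and the file defines ten tests in total while the README describes an 8-test pattern, so the counts in the comments should be reconciled. The hunk is a complete new file, so every rule referred to here is fully visible.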
@@ -0,0 +1,82 @@
+#!/bin/bash
+# UX Message Review Tool
+# Displays actual violation messages to verify they are clear and actionable
+
+# Navigate to repository root
+cd "$(git rev-parse --show-toplevel)" || exit 1
+
+echo "🔍 UX Message Review"
+echo "======================================"
+echo ""
+
+inspect_policy() {
+ local name="$1"
+ local input="$2"
+ local query="$3"
+
+
+ echo "Policy: $name"
+ echo "======================================"
+ echo ""
+
+ # Get message and details fields
+ message=$(opa eval \
+ --data ./policies/_helpers \
+ --data ./policies/gcp \
+ --input "$input" \
+ "${query}.message" \
+ --format pretty 2>&1)
+
+ details=$(opa eval \
+ --data ./policies/_helpers \
+ --data ./policies/gcp \
+ --input "$input" \
+ "${query}.details" \
+ --format pretty 2>&1)
+
+ if [ $? -eq 0 ]; then
+ echo "MESSAGE:"
+ echo "$message"
+ echo ""
+ echo "DETAILS:"
+ echo "$details"
+ else
+ echo "❌ Error evaluating policy:"
+ echo "$message"
+ fi
+
+ echo ""
+ echo ""
+}
+
+# Test all 6 policy types with their violations
+
+inspect_policy "Blacklist & Element Blacklist (Access Context Manager)" \
+ "./inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_service_perimeter/status/plan.json" \
+ "data.terraform.gcp.security.access_context_manager_vpc_service_controls.access_context_manager_service_perimeter.status"
+
+inspect_policy "Whitelist (API Hub Encryption)" \
+ "./inputs/gcp/api_hub/google_apihub_api_hub_instance/config_encryption_type/plan.json" \
+ "data.terraform.gcp.security.api_hub.google_apihub_api_hub_instance.config_encryption_type"
+
+inspect_policy "Range (Storage Bucket Retention Period)" \
+ "./inputs/gcp/cloud_storage/google_storage_bucket/retention_period/plan.json" \
+ "data.terraform.gcp.security.cloud_storage.google_storage_bucket.retention_period"
+
+inspect_policy "Pattern Blacklist (Storage Default Object ACL)" \
+ "./inputs/gcp/cloud_storage/google_storage_default_object_acl/public_access_prevention/plan.json" \
+ "data.terraform.gcp.security.cloud_storage.google_storage_default_object_acl.public_access_prevention"
+
+inspect_policy "Pattern Whitelist (Project ID)" \
+ "./inputs/gcp/cloud_platform_service/google_project/project_id/plan.json" \
+ "data.terraform.gcp.security.cloud_platform_service.google_project.project_id"
+
+echo "======================================"
+echo "✅ Inspection complete"
+echo ""
+echo "Use this to verify:"
+echo " - Violation messages are clear and actionable"
+echo " - Resource names are displayed correctly"
+echo " - Attribute paths are formatted properly"
+echo " - Blacklist/whitelist values are shown"
+echo " - Empty values show (EMPTY!) warning"
diff --git a/tests/_helpers/element_blacklist_test.rego b/tests/_helpers/element_blacklist_test.rego
new file mode 100644
index 000000000..b72255067
--- /dev/null
+++ b/tests/_helpers/element_blacklist_test.rego
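Review bot: In `inspect_policy` the `if [ $? -eq 0 ]` test only reflects the second `opa eval` (the `.details` query); a failure of the `.message` query is never detected, and because of `2>&1` its error text is printed under `MESSAGE:` as if it were a valid result. Check each substitution where it happens, e.g. `message=$(opa eval ... 2>&1) || { echo "❌ Error evaluating policy:"; echo "$message"; return 1; }` and the same for `details`, or capture `local msg_rc=$?` after the first call and test `[ "$msg_rc" -eq 0 ] && [ "$rc" -eq 0 ]`. The banner `# Test all 6 policy types with their violations` precedes five `inspect_policy` calls, which matches the README's "5 policies" wording, so the comment count should be corrected or the missing sixth call added. The script is complete within this hunk.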
@@ -0,0 +1,412 @@
+package terraform.helpers.policies.element_blacklist_test
+
+# Element Blacklist Policy Test Suite
+#
+# Tests the element blacklist policy module which detects array elements containing
+# forbidden substring patterns (e.g., wildcards "*" or template variables "${var.*}").
+
+import data.terraform.helpers.policies.element_blacklist
+import data.terraform.helpers.shared
+import data.terraform.helpers.shared_test
+import rego.v1
+
+# ==============================================================================
+# UNIT TESTS (6): Test _get_resources and get_violations with simple mocks
+# ==============================================================================
+
+# Test 1: Single pattern match (wildcard detection)
+test_get_resources_single_pattern if {
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "wildcard-perimeter",
+ "values": {
+ "title": "wildcard-perimeter",
+ "status": [{
+ "restricted_services": [
+ "*.googleapis.com",
+ "storage.googleapis.com",
+ ],
+ }],
+ },
+ },
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "compliant-perimeter",
+ "values": {
+ "title": "compliant-perimeter",
+ "status": [{
+ "restricted_services": [
+ "storage.googleapis.com",
+ "bigquery.googleapis.com",
+ ],
+ }],
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ resources := element_blacklist._get_resources(
+ "google_access_context_manager_service_perimeter",
+ ["status", 0, "restricted_services"],
+ ["*"],
+ ) with input as mock_input
+
+ # Only wildcard-perimeter should match
+ count(resources) == 1
+ some r in resources
+ r.name == "wildcard-perimeter"
+}
+
+# Test 2: Multiple patterns with OR logic
+test_get_resources_multi_pattern_or_logic if {
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "wildcard-perimeter",
+ "values": {
+ "title": "wildcard-perimeter",
+ "status": [{
+ "restricted_services": ["*.googleapis.com"],
+ }],
+ },
+ },
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "variable-perimeter",
+ "values": {
+ "title": "variable-perimeter",
+ "status": [{
+ "restricted_services": ["${var.service}.googleapis.com"],
+ }],
+ },
+ },
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "compliant-perimeter",
+ "values": {
+ "title": "compliant-perimeter",
+ "status": [{
+ "restricted_services": ["storage.googleapis.com"],
+ }],
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ resources := element_blacklist._get_resources(
+ "google_access_context_manager_service_perimeter",
+ ["status", 0, "restricted_services"],
+ ["*", "${"],
+ ) with input as mock_input
+
+ # Both wildcard and variable perimeters should match (OR logic)
+ count(resources) == 2
+ resource_names := {r.name | some r in resources}
+ resource_names == {"wildcard-perimeter", "variable-perimeter"}
+}
+
+# Test 3: Non-matching pattern returns empty set
+test_get_resources_no_match if {
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "compliant-perimeter",
+ "values": {
+ "title": "compliant-perimeter",
+ "status": [{
+ "restricted_services": ["storage.googleapis.com"],
+ }],
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ resources := element_blacklist._get_resources(
+ "google_access_context_manager_service_perimeter",
+ ["status", 0, "restricted_services"],
+ ["forbidden-pattern"],
+ ) with input as mock_input
+
+ count(resources) == 0
+}
+
+# Test 4: Resource type filter (only matches specified type)
+test_get_resources_resource_type_filter if {
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "wildcard-perimeter",
+ "values": {
+ "title": "wildcard-perimeter",
+ "status": [{
+ "restricted_services": ["*.googleapis.com"],
+ }],
+ },
+ },
+ {
+ "type": "google_access_context_manager_access_policy",
+ "name": "different-type",
+ "values": {
+ "title": "my-policy",
+ "services": ["*.googleapis.com"],
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ resources := element_blacklist._get_resources(
+ "google_access_context_manager_service_perimeter",
+ ["status", 0, "restricted_services"],
+ ["*"],
+ ) with input as mock_input
+
+ # Only service_perimeter type should match
+ count(resources) == 1
+ some r in resources
+ r.type == "google_access_context_manager_service_perimeter"
+}
+
+# Test 5: Missing attribute path returns empty set
+test_get_resources_missing_attribute if {
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "perimeter",
+ "values": {
+ "title": "perimeter",
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ resources := element_blacklist._get_resources(
+ "google_access_context_manager_service_perimeter",
+ ["nonexistent", 0, "field"],
+ ["*"],
+ ) with input as mock_input
+
+ count(resources) == 0
+}
+
+# Test 6: get_violations minimal mock (structure validation)
+test_get_violations_minimal if {
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "wildcard-perimeter",
+ "values": {
+ "title": "wildcard-perimeter",
+ "status": [{
+ "restricted_services": ["*.googleapis.com"],
+ }],
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ tf_variables := {
+ "resource_type": "google_access_context_manager_service_perimeter",
+ "friendly_resource_name": "Service Perimeter",
+ "resource_value_name": "title",
+ }
+
+ violations := element_blacklist.get_violations(
+ tf_variables,
+ ["status", 0, "restricted_services"],
+ ["*"],
+ ) with input as mock_input
+
+ count(violations) == 1
+ some v in violations
+ v.name == "wildcard-perimeter"
+ shared_test._assert_valid_violation(v)
+ contains(v.message, "wildcard-perimeter") # Resource name
+ contains(v.message, "*.googleapis.com") # Violating element
+ contains(v.message, "[\"*\"]") # Pattern matched
+}
+
+# ==============================================================================
+# INTEGRATION TEST (1): Realistic structure with edge cases
+# ==============================================================================
+
+# Test 7: get_violations with realistic multi-resource scenario
+test_get_violations_realistic if {
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ # Wildcard violation
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "wildcard-perimeter",
+ "values": {
+ "title": "wildcard-perimeter",
+ "status": [{
+ "restricted_services": [
+ "*.googleapis.com",
+ "storage.googleapis.com",
+ ],
+ }],
+ },
+ },
+ # Variable template violation
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "variable-perimeter",
+ "values": {
+ "title": "variable-perimeter",
+ "status": [{
+ "restricted_services": [
+ "${var.service}.googleapis.com",
+ "compute.googleapis.com",
+ ],
+ }],
+ },
+ },
+ # Multiple violations in one resource
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "multi-violation-perimeter",
+ "values": {
+ "title": "multi-violation-perimeter",
+ "status": [{
+ "restricted_services": [
+ "*.googleapis.com",
+ "${var.service}.googleapis.com",
+ "pubsub.googleapis.com",
+ ],
+ }],
+ },
+ },
+ # Compliant resource
+ {
+ "type": "google_access_context_manager_service_perimeter",
+ "name": "compliant-perimeter",
+ "values": {
+ "title": "compliant-perimeter",
+ "status": [{
+ "restricted_services": [
+ "storage.googleapis.com",
+ "bigquery.googleapis.com",
+ ],
+ }],
+ },
+ },
+ # Different resource type (should be ignored)
+ {
+ "type": "google_access_context_manager_access_policy",
+ "name": "different-type",
+ "values": {
+ "title": "my-policy",
+ "parent": "organizations/123456789",
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ tf_variables := {
+ "resource_type": "google_access_context_manager_service_perimeter",
+ "friendly_resource_name": "Service Perimeter",
+ "resource_value_name": "title",
+ }
+
+ violations := element_blacklist.get_violations(
+ tf_variables,
+ ["status", 0, "restricted_services"],
+ ["*", "${"],
+ ) with input as mock_input
+
+ # Should detect all three violating perimeters
+ count(violations) == 3
+ violation_names := {v.name | some v in violations}
+ violation_names == {"wildcard-perimeter", "variable-perimeter", "multi-violation-perimeter"}
+
+ every v in violations {
+ shared_test._assert_valid_violation(v)
+ contains(v.message, "Service Perimeter")
+ contains(v.message, "status.[0].restricted_services")
+ }
+
+ # Verify multi-violation includes both patterns
+ some v in violations
+ v.name == "multi-violation-perimeter"
+ contains(v.message, "*")
+ contains(v.message, "${")
+}
+
+# ==============================================================================
+# REALITY CHECK (1): Test with real Terraform plan structure
+# ==============================================================================
+
+# ==============================================================================
+# REALITY CHECK (1): Test with real Terraform plan structure
+# ==============================================================================
+# ============================================================================
+# FIXTURE PROVENANCE
+# ============================================================================
+# Source: inputs/gcp/access_context_manager_vpc_service_controls/
+# access_context_manager_access_level/device_policy/
+# Fixture: tests/_helpers/fixtures/gcp_access_level/plan.json
+# Why this fixture: Contains actual array data (regions: ["CH", "IT", "US"])
+# for testing element blacklist on string arrays
+# Alternative: gcp_storage_bucket has empty arrays (cors: [], lifecycle_rule: [])
+# ============================================================================
+
+# Test 8: get_violations with real Terraform plan (access level fixture)
+test_real_plan_violations if {
+ # Use real fixture with actual array data from access level regions
+ tf_variables := {
+ "resource_type": "google_access_context_manager_access_level",
+ "friendly_resource_name": "Access Level",
+ "resource_value_name": "title",
+ }
+
+ # Test regions array for any restricted regions
+ # Fixture has regions: ["CH", "IT", "US"] in nc resource
+ violations := element_blacklist.get_violations(
+ tf_variables,
+ ["basic", 0, "conditions", 0, "regions"],
+ ["US", "CN", "RU"], # Blacklist certain countries
+ ) with input as data.gcp_access_level_plan
+
+ is_set(violations)
+ every v in violations {
+ shared_test._assert_valid_violation(v)
+ contains(v.message, "Access Level")
+ contains(v.message, "basic")
+ contains(v.message, "regions")
+ }
+}
diff --git a/tests/_helpers/fixtures/gcp_access_level/plan.json b/tests/_helpers/fixtures/gcp_access_level/plan.json
new file mode 100644
index 000000000..4058c9911
--- /dev/null
+++ b/tests/_helpers/fixtures/gcp_access_level/plan.json
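Review bot: Test 8 (`test_real_plan_violations`) passes even when `get_violations` returns nothing, because `every v in violations { ... }` holds vacuously on an empty set; the comments say only the `nc` access level has `regions: ["CH", "IT", "US"]` (the `c` one has `regions: null`), so blacklisting `["US", "CN", "RU"]` should flag exactly one resource — add `count(violations) == 1` and `some v in violations; contains(v.message, "US")` after `is_set(violations)`. Both access levels in that fixture carry the same `title` (`chromeos_no_lock`), so with `resource_value_name: "title"` a `v.name` assertion cannot tell them apart; state that in the provenance comment or use a distinguishing attribute if the helper supports one. The `REALITY CHECK (1)` banner is emitted twice back to back above the provenance block; drop the duplicate. The hunk is a complete new file, so every rule referred to here is fully visible.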
@@ -0,0 +1,507 @@ +{ + "gcp_access_level_plan": { + "format_version": "1.2", + "terraform_version": "1.12.2", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "google_access_context_manager_access_level.c", + "mode": "managed", + "type": "google_access_context_manager_access_level", + "name": "c", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "basic": [ + { + "combining_function": "AND", + "conditions": [ + { + "device_policy": [ + { + "allowed_device_management_levels": null, + "allowed_encryption_statuses": null, + "os_constraints": [], + "require_admin_approval": null, + "require_corp_owned": null, + "require_screen_lock": true + } + ], + "ip_subnetworks": null, + "members": null, + "negate": null, + "regions": null, + "required_access_levels": null, + "vpc_network_sources": [] + } + ] + } + ], + "custom": [], + "description": null, + "timeouts": null, + "title": "chromeos_no_lock" + }, + "sensitive_values": { + "basic": [ + { + "conditions": [ + { + "device_policy": [ + { + "os_constraints": [] + } + ], + "vpc_network_sources": [] + } + ] + } + ], + "custom": [] + } + }, + { + "address": "google_access_context_manager_access_level.nc", + "mode": "managed", + "type": "google_access_context_manager_access_level", + "name": "nc", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "basic": [ + { + "combining_function": "AND", + "conditions": [ + { + "device_policy": [ + { + "allowed_device_management_levels": null, + "allowed_encryption_statuses": null, + "os_constraints": [ + { + "minimum_version": null, + "os_type": "DESKTOP_CHROME_OS", + "require_verified_chrome_os": null + } + ], + "require_admin_approval": null, + "require_corp_owned": null, + "require_screen_lock": true + } + ], + "ip_subnetworks": null, + "members": null, + "negate": null, + "regions": [ + "CH", + "IT", + "US" + ], + "required_access_levels": null, + 
"vpc_network_sources": [] + } + ] + } + ], + "custom": [], + "description": null, + "timeouts": null, + "title": "chromeos_no_lock" + }, + "sensitive_values": { + "basic": [ + { + "conditions": [ + { + "device_policy": [ + { + "os_constraints": [ + {} + ] + } + ], + "regions": [ + false, + false, + false + ], + "vpc_network_sources": [] + } + ] + } + ], + "custom": [] + } + }, + { + "address": "google_access_context_manager_access_policy.access-policy", + "mode": "managed", + "type": "google_access_context_manager_access_policy", + "name": "access-policy", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 0, + "values": { + "parent": "organizations/123456789", + "scopes": null, + "timeouts": null, + "title": "my policy" + }, + "sensitive_values": {} + } + ] + } + }, + "resource_changes": [ + { + "address": "google_access_context_manager_access_level.c", + "mode": "managed", + "type": "google_access_context_manager_access_level", + "name": "c", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "basic": [ + { + "combining_function": "AND", + "conditions": [ + { + "device_policy": [ + { + "allowed_device_management_levels": null, + "allowed_encryption_statuses": null, + "os_constraints": [], + "require_admin_approval": null, + "require_corp_owned": null, + "require_screen_lock": true + } + ], + "ip_subnetworks": null, + "members": null, + "negate": null, + "regions": null, + "required_access_levels": null, + "vpc_network_sources": [] + } + ] + } + ], + "custom": [], + "description": null, + "timeouts": null, + "title": "chromeos_no_lock" + }, + "after_unknown": { + "basic": [ + { + "conditions": [ + { + "device_policy": [ + { + "os_constraints": [] + } + ], + "vpc_network_sources": [] + } + ] + } + ], + "custom": [], + "id": true, + "name": true, + "parent": true + }, + "before_sensitive": false, + "after_sensitive": { + "basic": [ + { + 
"conditions": [ + { + "device_policy": [ + { + "os_constraints": [] + } + ], + "vpc_network_sources": [] + } + ] + } + ], + "custom": [] + } + } + }, + { + "address": "google_access_context_manager_access_level.nc", + "mode": "managed", + "type": "google_access_context_manager_access_level", + "name": "nc", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "basic": [ + { + "combining_function": "AND", + "conditions": [ + { + "device_policy": [ + { + "allowed_device_management_levels": null, + "allowed_encryption_statuses": null, + "os_constraints": [ + { + "minimum_version": null, + "os_type": "DESKTOP_CHROME_OS", + "require_verified_chrome_os": null + } + ], + "require_admin_approval": null, + "require_corp_owned": null, + "require_screen_lock": true + } + ], + "ip_subnetworks": null, + "members": null, + "negate": null, + "regions": [ + "CH", + "IT", + "US" + ], + "required_access_levels": null, + "vpc_network_sources": [] + } + ] + } + ], + "custom": [], + "description": null, + "timeouts": null, + "title": "chromeos_no_lock" + }, + "after_unknown": { + "basic": [ + { + "conditions": [ + { + "device_policy": [ + { + "os_constraints": [ + {} + ] + } + ], + "regions": [ + false, + false, + false + ], + "vpc_network_sources": [] + } + ] + } + ], + "custom": [], + "id": true, + "name": true, + "parent": true + }, + "before_sensitive": false, + "after_sensitive": { + "basic": [ + { + "conditions": [ + { + "device_policy": [ + { + "os_constraints": [ + {} + ] + } + ], + "regions": [ + false, + false, + false + ], + "vpc_network_sources": [] + } + ] + } + ], + "custom": [] + } + } + }, + { + "address": "google_access_context_manager_access_policy.access-policy", + "mode": "managed", + "type": "google_access_context_manager_access_policy", + "name": "access-policy", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": 
null, + "after": { + "parent": "organizations/123456789", + "scopes": null, + "timeouts": null, + "title": "my policy" + }, + "after_unknown": { + "create_time": true, + "id": true, + "name": true, + "update_time": true + }, + "before_sensitive": false, + "after_sensitive": {} + } + } + ], + "configuration": { + "provider_config": { + "google": { + "name": "google", + "full_name": "registry.terraform.io/hashicorp/google" + } + }, + "root_module": { + "resources": [ + { + "address": "google_access_context_manager_access_level.c", + "mode": "managed", + "type": "google_access_context_manager_access_level", + "name": "c", + "provider_config_key": "google", + "expressions": { + "basic": [ + { + "conditions": [ + { + "device_policy": [ + { + "require_screen_lock": { + "constant_value": true + } + } + ] + } + ] + } + ], + "name": { + "references": [ + "google_access_context_manager_access_policy.access-policy.name", + "google_access_context_manager_access_policy.access-policy" + ] + }, + "parent": { + "references": [ + "google_access_context_manager_access_policy.access-policy.name", + "google_access_context_manager_access_policy.access-policy" + ] + }, + "title": { + "constant_value": "chromeos_no_lock" + } + }, + "schema_version": 0 + }, + { + "address": "google_access_context_manager_access_level.nc", + "mode": "managed", + "type": "google_access_context_manager_access_level", + "name": "nc", + "provider_config_key": "google", + "expressions": { + "basic": [ + { + "conditions": [ + { + "device_policy": [ + { + "os_constraints": [ + { + "os_type": { + "constant_value": "DESKTOP_CHROME_OS" + } + } + ], + "require_screen_lock": { + "constant_value": true + } + } + ], + "regions": { + "constant_value": [ + "CH", + "IT", + "US" + ] + } + } + ] + } + ], + "name": { + "references": [ + "google_access_context_manager_access_policy.access-policy.name", + "google_access_context_manager_access_policy.access-policy" + ] + }, + "parent": { + "references": [ + 
"google_access_context_manager_access_policy.access-policy.name", + "google_access_context_manager_access_policy.access-policy" + ] + }, + "title": { + "constant_value": "chromeos_no_lock" + } + }, + "schema_version": 0 + }, + { + "address": "google_access_context_manager_access_policy.access-policy", + "mode": "managed", + "type": "google_access_context_manager_access_policy", + "name": "access-policy", + "provider_config_key": "google", + "expressions": { + "parent": { + "constant_value": "organizations/123456789" + }, + "title": { + "constant_value": "my policy" + } + }, + "schema_version": 0 + } + ] + } + }, + "relevant_attributes": [ + { + "resource": "google_access_context_manager_access_policy.access-policy", + "attribute": [ + "name" + ] + } + ], + "timestamp": "2025-12-02T04:18:21Z", + "applyable": true, + "complete": true, + "errored": false + } +} diff --git a/tests/_helpers/fixtures/gcp_project/plan.json b/tests/_helpers/fixtures/gcp_project/plan.json new file mode 100644 index 000000000..5e05dfefd --- /dev/null +++ b/tests/_helpers/fixtures/gcp_project/plan.json 
@@ -0,0 +1,606 @@ +{ + "gcp_project_plan": { + "format_version": "1.2", + "terraform_version": "1.12.2", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "google_project.c123", + "mode": "managed", + "type": "google_project", + "name": "c123", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "c123", + "org_id": "123456789", + "project_id": "proj-app-dev", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "sensitive_values": { + "effective_labels": {}, + "terraform_labels": {} + } + }, + { + "address": "google_project.c223", + "mode": "managed", + "type": "google_project", + "name": "c223", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "c223", + "org_id": "123456789", + "project_id": "proj-sec-prod", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "sensitive_values": { + "effective_labels": {}, + "terraform_labels": {} + } + }, + { + "address": "google_project.c323", + "mode": "managed", + "type": "google_project", + "name": "c323", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "c323", + "org_id": "123456789", + "project_id": "proj-app-prod", + "tags": null, 
+ "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "sensitive_values": { + "effective_labels": {}, + "terraform_labels": {} + } + }, + { + "address": "google_project.nc123", + "mode": "managed", + "type": "google_project", + "name": "nc123", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "nc123", + "org_id": "123456789", + "project_id": "project-app-dev", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "sensitive_values": { + "effective_labels": {}, + "terraform_labels": {} + } + }, + { + "address": "google_project.nc223", + "mode": "managed", + "type": "google_project", + "name": "nc223", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "nc223", + "org_id": "123456789", + "project_id": "proj-ops-staging", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "sensitive_values": { + "effective_labels": {}, + "terraform_labels": {} + } + }, + { + "address": "google_project.nc323", + "mode": "managed", + "type": "google_project", + "name": "nc323", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 1, + "values": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "nc323", + "org_id": "123456789", + "project_id": 
"myproject-prod-01", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "sensitive_values": { + "effective_labels": {}, + "terraform_labels": {} + } + } + ] + } + }, + "resource_changes": [ + { + "address": "google_project.c123", + "mode": "managed", + "type": "google_project", + "name": "c123", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "c123", + "org_id": "123456789", + "project_id": "proj-app-dev", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "after_unknown": { + "effective_labels": {}, + "id": true, + "number": true, + "terraform_labels": {} + }, + "before_sensitive": false, + "after_sensitive": { + "effective_labels": {}, + "terraform_labels": {} + } + } + }, + { + "address": "google_project.c223", + "mode": "managed", + "type": "google_project", + "name": "c223", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "c223", + "org_id": "123456789", + "project_id": "proj-sec-prod", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "after_unknown": { + "effective_labels": {}, + "id": true, + "number": true, + "terraform_labels": {} + }, + "before_sensitive": false, + "after_sensitive": { + "effective_labels": {}, + "terraform_labels": {} + } + } + }, + { + "address": "google_project.c323", + "mode": 
"managed", + "type": "google_project", + "name": "c323", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "c323", + "org_id": "123456789", + "project_id": "proj-app-prod", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "after_unknown": { + "effective_labels": {}, + "id": true, + "number": true, + "terraform_labels": {} + }, + "before_sensitive": false, + "after_sensitive": { + "effective_labels": {}, + "terraform_labels": {} + } + } + }, + { + "address": "google_project.nc123", + "mode": "managed", + "type": "google_project", + "name": "nc123", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "nc123", + "org_id": "123456789", + "project_id": "project-app-dev", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "after_unknown": { + "effective_labels": {}, + "id": true, + "number": true, + "terraform_labels": {} + }, + "before_sensitive": false, + "after_sensitive": { + "effective_labels": {}, + "terraform_labels": {} + } + } + }, + { + "address": "google_project.nc223", + "mode": "managed", + "type": "google_project", + "name": "nc223", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + 
"effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "nc223", + "org_id": "123456789", + "project_id": "proj-ops-staging", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "after_unknown": { + "effective_labels": {}, + "id": true, + "number": true, + "terraform_labels": {} + }, + "before_sensitive": false, + "after_sensitive": { + "effective_labels": {}, + "terraform_labels": {} + } + } + }, + { + "address": "google_project.nc323", + "mode": "managed", + "type": "google_project", + "name": "nc323", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "auto_create_network": false, + "billing_account": null, + "deletion_policy": "PREVENT", + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "folder_id": null, + "labels": null, + "name": "nc323", + "org_id": "123456789", + "project_id": "myproject-prod-01", + "tags": null, + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "after_unknown": { + "effective_labels": {}, + "id": true, + "number": true, + "terraform_labels": {} + }, + "before_sensitive": false, + "after_sensitive": { + "effective_labels": {}, + "terraform_labels": {} + } + } + } + ], + "configuration": { + "provider_config": { + "google": { + "name": "google", + "full_name": "registry.terraform.io/hashicorp/google" + } + }, + "root_module": { + "resources": [ + { + "address": "google_project.c123", + "mode": "managed", + "type": "google_project", + "name": "c123", + "provider_config_key": "google", + "expressions": { + "auto_create_network": { + "constant_value": false + }, + "deletion_policy": { + "constant_value": "PREVENT" + }, + "name": { + "constant_value": "c123" + }, + "org_id": { + "constant_value": "123456789" + }, + "project_id": { + "constant_value": "proj-app-dev" + } + }, + 
"schema_version": 1 + }, + { + "address": "google_project.c223", + "mode": "managed", + "type": "google_project", + "name": "c223", + "provider_config_key": "google", + "expressions": { + "auto_create_network": { + "constant_value": false + }, + "deletion_policy": { + "constant_value": "PREVENT" + }, + "name": { + "constant_value": "c223" + }, + "org_id": { + "constant_value": "123456789" + }, + "project_id": { + "constant_value": "proj-sec-prod" + } + }, + "schema_version": 1 + }, + { + "address": "google_project.c323", + "mode": "managed", + "type": "google_project", + "name": "c323", + "provider_config_key": "google", + "expressions": { + "auto_create_network": { + "constant_value": false + }, + "name": { + "constant_value": "c323" + }, + "org_id": { + "constant_value": "123456789" + }, + "project_id": { + "constant_value": "proj-app-prod" + } + }, + "schema_version": 1 + }, + { + "address": "google_project.nc123", + "mode": "managed", + "type": "google_project", + "name": "nc123", + "provider_config_key": "google", + "expressions": { + "auto_create_network": { + "constant_value": false + }, + "deletion_policy": { + "constant_value": "PREVENT" + }, + "name": { + "constant_value": "nc123" + }, + "org_id": { + "constant_value": "123456789" + }, + "project_id": { + "constant_value": "project-app-dev" + } + }, + "schema_version": 1 + }, + { + "address": "google_project.nc223", + "mode": "managed", + "type": "google_project", + "name": "nc223", + "provider_config_key": "google", + "expressions": { + "auto_create_network": { + "constant_value": false + }, + "deletion_policy": { + "constant_value": "PREVENT" + }, + "name": { + "constant_value": "nc223" + }, + "org_id": { + "constant_value": "123456789" + }, + "project_id": { + "constant_value": "proj-ops-staging" + } + }, + "schema_version": 1 + }, + { + "address": "google_project.nc323", + "mode": "managed", + "type": "google_project", + "name": "nc323", + "provider_config_key": "google", + "expressions": { + 
"auto_create_network": { + "constant_value": false + }, + "name": { + "constant_value": "nc323" + }, + "org_id": { + "constant_value": "123456789" + }, + "project_id": { + "constant_value": "myproject-prod-01" + } + }, + "schema_version": 1 + } + ] + } + }, + "timestamp": "2025-11-27T04:15:45Z", + "applyable": true, + "complete": true, + "errored": false + } +} diff --git a/tests/_helpers/fixtures/gcp_storage_bucket/plan.json b/tests/_helpers/fixtures/gcp_storage_bucket/plan.json new file mode 100644 index 000000000..cdacbc34b --- /dev/null +++ b/tests/_helpers/fixtures/gcp_storage_bucket/plan.json 
@@ -0,0 +1,368 @@ +{ + "gcp_storage_bucket_plan": { + "format_version": "1.2", + "terraform_version": "1.12.2", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "google_storage_bucket.c123", + "mode": "managed", + "type": "google_storage_bucket", + "name": "c123", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 3, + "values": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "default_event_based_hold": null, + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "enable_object_retention": null, + "encryption": [], + "force_destroy": true, + "hierarchical_namespace": [], + "labels": null, + "lifecycle_rule": [], + "location": "US", + "logging": [], + "name": "c123", + "requester_pays": null, + "retention_policy": [ + { + "is_locked": false, + "retention_period": 604800 + } + ], + "storage_class": "STANDARD", + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "sensitive_values": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "effective_labels": {}, + "encryption": [], + "hierarchical_namespace": [], + "lifecycle_rule": [], + "logging": [], + "retention_policy": [ + {} + ], + "soft_delete_policy": [], + "terraform_labels": {}, + "versioning": [], + "website": [] + } + }, + { + "address": "google_storage_bucket.nc123", + "mode": "managed", + "type": "google_storage_bucket", + "name": "nc123", + "provider_name": "registry.terraform.io/hashicorp/google", + "schema_version": 3, + "values": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "default_event_based_hold": null, + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "enable_object_retention": null, + "encryption": [], + "force_destroy": true, + "hierarchical_namespace": [], + "labels": null, + "lifecycle_rule": [], + "location": "US", + "logging": [], + "name": "nc123", + "requester_pays": null, + "retention_policy": [ + 
{ + "is_locked": false, + "retention_period": 2692000 + } + ], + "storage_class": "STANDARD", + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "sensitive_values": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "effective_labels": {}, + "encryption": [], + "hierarchical_namespace": [], + "lifecycle_rule": [], + "logging": [], + "retention_policy": [ + {} + ], + "soft_delete_policy": [], + "terraform_labels": {}, + "versioning": [], + "website": [] + } + } + ] + } + }, + "resource_changes": [ + { + "address": "google_storage_bucket.c123", + "mode": "managed", + "type": "google_storage_bucket", + "name": "c123", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "default_event_based_hold": null, + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "enable_object_retention": null, + "encryption": [], + "force_destroy": true, + "hierarchical_namespace": [], + "labels": null, + "lifecycle_rule": [], + "location": "US", + "logging": [], + "name": "c123", + "requester_pays": null, + "retention_policy": [ + { + "is_locked": false, + "retention_period": 604800 + } + ], + "storage_class": "STANDARD", + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "after_unknown": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "effective_labels": {}, + "encryption": [], + "hierarchical_namespace": [], + "id": true, + "lifecycle_rule": [], + "logging": [], + "project": true, + "project_number": true, + "public_access_prevention": true, + "retention_policy": [ + {} + ], + "rpo": true, + "self_link": true, + "soft_delete_policy": true, + "terraform_labels": {}, + "time_created": true, + "uniform_bucket_level_access": true, + "updated": true, + "url": true, + "versioning": true, + "website": 
true + }, + "before_sensitive": false, + "after_sensitive": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "effective_labels": {}, + "encryption": [], + "hierarchical_namespace": [], + "lifecycle_rule": [], + "logging": [], + "retention_policy": [ + {} + ], + "soft_delete_policy": [], + "terraform_labels": {}, + "versioning": [], + "website": [] + } + } + }, + { + "address": "google_storage_bucket.nc123", + "mode": "managed", + "type": "google_storage_bucket", + "name": "nc123", + "provider_name": "registry.terraform.io/hashicorp/google", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "default_event_based_hold": null, + "effective_labels": { + "goog-terraform-provisioned": "true" + }, + "enable_object_retention": null, + "encryption": [], + "force_destroy": true, + "hierarchical_namespace": [], + "labels": null, + "lifecycle_rule": [], + "location": "US", + "logging": [], + "name": "nc123", + "requester_pays": null, + "retention_policy": [ + { + "is_locked": false, + "retention_period": 2692000 + } + ], + "storage_class": "STANDARD", + "terraform_labels": { + "goog-terraform-provisioned": "true" + }, + "timeouts": null + }, + "after_unknown": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "effective_labels": {}, + "encryption": [], + "hierarchical_namespace": [], + "id": true, + "lifecycle_rule": [], + "logging": [], + "project": true, + "project_number": true, + "public_access_prevention": true, + "retention_policy": [ + {} + ], + "rpo": true, + "self_link": true, + "soft_delete_policy": true, + "terraform_labels": {}, + "time_created": true, + "uniform_bucket_level_access": true, + "updated": true, + "url": true, + "versioning": true, + "website": true + }, + "before_sensitive": false, + "after_sensitive": { + "autoclass": [], + "cors": [], + "custom_placement_config": [], + "effective_labels": {}, + "encryption": [], + 
"hierarchical_namespace": [], + "lifecycle_rule": [], + "logging": [], + "retention_policy": [ + {} + ], + "soft_delete_policy": [], + "terraform_labels": {}, + "versioning": [], + "website": [] + } + } + } + ], + "configuration": { + "provider_config": { + "google": { + "name": "google", + "full_name": "registry.terraform.io/hashicorp/google" + } + }, + "root_module": { + "resources": [ + { + "address": "google_storage_bucket.c123", + "mode": "managed", + "type": "google_storage_bucket", + "name": "c123", + "provider_config_key": "google", + "expressions": { + "force_destroy": { + "constant_value": true + }, + "location": { + "constant_value": "US" + }, + "name": { + "constant_value": "c123" + }, + "retention_policy": [ + { + "retention_period": { + "constant_value": 604800 + } + } + ] + }, + "schema_version": 3 + }, + { + "address": "google_storage_bucket.nc123", + "mode": "managed", + "type": "google_storage_bucket", + "name": "nc123", + "provider_config_key": "google", + "expressions": { + "force_destroy": { + "constant_value": true + }, + "location": { + "constant_value": "US" + }, + "name": { + "constant_value": "nc123" + }, + "retention_policy": [ + { + "retention_period": { + "constant_value": 2692000 + } + } + ] + }, + "schema_version": 3 + } + ] + } + }, + "timestamp": "2025-11-27T02:50:59Z", + "applyable": true, + "complete": true, + "errored": false + } +} diff --git a/tests/_helpers/pattern_blacklist_test.rego b/tests/_helpers/pattern_blacklist_test.rego new file mode 100644 index 000000000..98b1b5c71 --- /dev/null +++ b/tests/_helpers/pattern_blacklist_test.rego 
@@ -0,0 +1,430 @@ +package terraform.helpers.policies.pattern_blacklist_test + +# Pattern Blacklist Policy Test Suite +# +# Tests the pattern blacklist policy module which detects resources where +# wildcard-extracted substrings match forbidden patterns. +# Uses target patterns with * wildcards to extract values, then checks against +# position-specific blacklists. + +import data.terraform.helpers.policies.pattern_blacklist +import data.terraform.helpers.shared +import data.terraform.helpers.shared_test +import rego.v1 + +# ============================================================================== +# UNIT TESTS (6): Test pattern matching logic +# ============================================================================== + +# Test 1: Exact match in blacklist (boundary: match) +test_matches_blacklist_exact_match if { + pattern_blacklist._matches_blacklist(["forbidden", "banned"], "forbidden") +} + +# Test 2: No match in blacklist (boundary: no match) +test_matches_blacklist_no_match if { + not pattern_blacklist._matches_blacklist(["forbidden", "banned"], "allowed") +} + +# Test 3: Single wildcard pattern match +test_get_blacklist_single_wildcard_match if { + # Mock resource with hierarchical pattern + mock_resource := { + "type": "google_project", + "values": { + "name": "test-project", + "parent": "projects/test-project/locations/us-east1", + }, + } + + # Target pattern with 2 wildcards + target := "projects/*/locations/*" + # Blacklist patterns: first position ["test-project"], second position ["us-east1"] + patterns := [["test-project"], ["us-east1"]] + + blacklist := pattern_blacklist._get_blacklist(mock_resource, ["parent"], target, patterns) + + # Should find 2 matches (both positions blacklisted) + count(blacklist) == 2 + + # Verify both positions are flagged + values := {b.value | some b in blacklist} + values == {"test-project", "us-east1"} +} + +# Test 4: Single wildcard pattern no match +test_get_blacklist_single_wildcard_no_match if { + # Mock 
resource with different values + mock_resource := { + "type": "google_project", + "values": { + "name": "prod-project", + "parent": "projects/prod-project/locations/us-central1", + }, + } + + target := "projects/*/locations/*" + patterns := [["test-project"], ["us-east1"]] + + blacklist := pattern_blacklist._get_blacklist(mock_resource, ["parent"], target, patterns) + + # Should find no matches + count(blacklist) == 0 +} + +# Test 5: Multiple patterns with OR logic within position +test_get_blacklist_multiple_patterns_or_logic if { + # Mock with value matching one of multiple patterns at a position + mock_resource := { + "type": "google_project", + "values": { + "name": "dev-project", + "parent": "projects/dev-project/locations/us-east1", + }, + } + + target := "projects/*/locations/*" + # First position: ["test-project", "dev-project"] (OR logic - full extracted strings) + # Second position: ["us-east1"] + patterns := [["test-project", "dev-project"], ["us-east1"]] + + blacklist := pattern_blacklist._get_blacklist(mock_resource, ["parent"], target, patterns) + + # Should match both positions (dev-project matches first, us-east1 matches second) + count(blacklist) == 2 + values := {b.value | some b in blacklist} + values == {"dev-project", "us-east1"} +} + +# ============================================================================== +# MOCK DATA PROVENANCE +# ============================================================================== +# Minimal mocks in tests 6-7 are synthetic, designed to test specific logic paths. +# They represent simplified hierarchical patterns (organizations/*/folders/*). 
+# +# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_project/plan.json +# Source: inputs/gcp/cloud_platform_service/google_project/project_id/ +# Purpose: Tests pattern extraction on actual project_id values: +# - c123: project_id="proj-app-dev" (pattern: proj-*-*) +# - c223: project_id="proj-sec-prod" (pattern: proj-*-*) +# ============================================================================== + +# Test 6: get_violations with minimal mock +test_get_violations_minimal if { + # Minimal mock with blacklisted pattern + mock_input := { + "planned_values": { + "root_module": { + "resources": [ + { + "type": "google_project", + "values": { + "name": "test-project", + "parent": "organizations/123456/folders/test-folder", + }, + }, + ], + }, + }, + } + + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Blacklist pattern: organizations/*/folders/* where folder is "test-folder" + violations := pattern_blacklist.get_violations( + tf_variables, + ["parent"], + ["organizations/*/folders/*", [[], ["test-folder"]]], + ) with input as mock_input + + # Property: Returns a set with no duplicate resource names + shared_test._assert_unique_violations(violations) + count(violations) == 1 + + some v in violations + v.name == "test-project" + shared_test._assert_valid_violation(v) + contains(v.message, "test-project") # Resource name + contains(v.message, "'test-folder'") # Violating value + contains(v.message, "blacklisted") # Verdict +} + +# ============================================================================== +# INTEGRATION TEST (1): Complex wildcard patterns +# ============================================================================== + +# Test 7: get_violations with realistic complex patterns +test_get_violations_realistic if { + # Realistic mock with multiple wildcards and edge cases + mock_input := { + "planned_values": { + "root_module": { + "resources": [ + # 
Resource with blacklisted pattern at one position + { + "type": "google_project", + "values": { + "name": "violating-project", + "parent": "organizations/12345/folders/dev-folder", + }, + }, + # Resource with multiple blacklisted positions (CRITICAL TEST CASE) + { + "type": "google_project", + "values": { + "name": "multi-fail-project", + "parent": "organizations/bad-org/folders/dev-folder", + }, + }, + # Resource with compliant pattern + { + "type": "google_project", + "values": { + "name": "compliant-project", + "parent": "organizations/12345/folders/prod-folder", + }, + }, + # Resource with null parent (edge case) + { + "type": "google_project", + "values": { + "name": "null-project", + "parent": null, + }, + }, + # Different resource type (should be ignored) + { + "type": "google_storage_bucket", + "values": { + "name": "test-bucket", + "parent": "organizations/12345/folders/dev-folder", + }, + }, + ], + }, + }, + } + + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Pattern with 2 wildcards: organizations/*/folders/* + # Blacklist: org "bad-org" and folder "dev-folder" + violations := pattern_blacklist.get_violations( + tf_variables, + ["parent"], + ["organizations/*/folders/*", [["bad-org"], ["dev-folder"]]], + ) with input as mock_input + + # Property: Returns a set with no duplicate resource names + shared_test._assert_unique_violations(violations) + + # Should flag 2 projects: violating-project (single position) and multi-fail-project (both positions) + count(violations) == 2 + violation_name_set := {v.name | some v in violations} + violation_name_set == {"violating-project", "multi-fail-project"} + + every violation in violations { + is_string(violation.name) + is_string(violation.message) + violation.name != "" + violation.message != "" + contains(violation.message, "Project") + contains(violation.message, "parent") + contains(violation.message, "blacklisted") + } + 
+ # Verify single-failure message + some single_violation in violations + single_violation.name == "violating-project" + contains(single_violation.message, "'dev-folder'") + + # Verify multi-failure message mentions multiple positions + some multi_violation in violations + multi_violation.name == "multi-fail-project" + # Message should indicate multiple blacklist matches + contains(multi_violation.message, "Multiple positions matched blacklist") +} + +# ============================================================================== +# REALITY CHECK (1): Test with real Terraform plan structure +# ============================================================================== + +# Test 8: get_violations with real Terraform plan +test_get_violations_with_real_terraform_plan if { + # Use real fixture - gcp_project from fixtures + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Test with real data - blacklist a pattern that might exist + # If project has parent with hierarchical structure + violations := pattern_blacklist.get_violations( + tf_variables, + ["parent"], + ["organizations/*/folders/*", [[], ["test", "dev", "staging"]]], + ) with input as data.gcp_project_plan + + # Property: Returns a set with no duplicate resource names + shared_test._assert_unique_violations(violations) + + every v in violations { + shared_test._assert_valid_violation(v) + contains(v.message, "Project") + contains(v.message, "blacklisted") + } +} + +# ============================================================================== +# CRITICAL TESTS (2): Multiple failures and functional purity +# ============================================================================== + +# Test 9: Multiple position failures per resource (THE BUG THAT WAS MISSED) +test_get_violations_multiple_failures_per_resource if { + # This test validates the fix for eval_conflict_error + # When a resource matches multiple 
blacklist positions, _build_violation must + # return exactly ONE violation object (not multiple) + mock_input := { + "planned_values": { + "root_module": { + "resources": [ + # Resource matching ALL 3 blacklisted positions + { + "type": "google_project", + "values": { + "name": "bad-project", + "project_id": "test-dev-staging", + }, + }, + # Resource matching 2 blacklisted positions + { + "type": "google_project", + "values": { + "name": "partial-bad", + "project_id": "test-dev-prod", + }, + }, + # Compliant resource + { + "type": "google_project", + "values": { + "name": "good-project", + "project_id": "proj-app-prod", + }, + }, + ], + }, + }, + } + + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Pattern: *-*-* with blacklist on all positions + violations := pattern_blacklist.get_violations( + tf_variables, + ["project_id"], + ["*-*-*", [["test"], ["dev"], ["staging"]]], + ) with input as mock_input + + # Property: Returns a set with no duplicate resource names + shared_test._assert_unique_violations(violations) + + # CRITICAL: Must return exactly 1 violation per resource (not 3 for bad-project) + count(violations) == 2 + + some v1 in violations + v1.name == "bad-project" + is_string(v1.message) + # Message must mention multiple blacklist matches + contains(v1.message, "Multiple positions matched blacklist") + + some v2 in violations + v2.name == "partial-bad" + is_string(v2.message) +} + +# Test 10: Functional purity - _build_violation returns single output +test_build_violation_functional_purity if { + # This test ensures _build_violation never produces multiple outputs + # for the same inputs (Rego functional semantics requirement) + mock_resource := { + "type": "google_project", + "values": { + "name": "test-project", + "project_id": "bad-bad-bad", + }, + } + + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + 
"resource_value_name": "name", + } + + # Call _build_violation with resource that matches all 3 blacklist positions + # This would have caused eval_conflict_error before the fix + violation := pattern_blacklist._build_violation( + tf_variables, + ["project_id"], + ["*-*-*", [["bad"], ["bad"], ["bad"]]], + mock_resource, + ) + + # Must return exactly ONE violation object + is_object(violation) + violation.name == "test-project" + is_string(violation.message) + violation.message != "" + + # Verify deterministic behavior - calling twice yields same result + violation2 := pattern_blacklist._build_violation( + tf_variables, + ["project_id"], + ["*-*-*", [["bad"], ["bad"], ["bad"]]], + mock_resource, + ) + violation == violation2 +} + +# Test 11: Utilize fixture attribute - project_id pattern from project +test_project_id_fixture if { + # Test using actual project_id patterns from gcp_project_plan + # Blacklist production projects matching pattern "proj-*-prod" + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Pattern "proj-*-prod" extracts middle segment + # Blacklist middle segments: "sec" and "app" + # Should match: proj-sec-prod (c223), proj-app-prod (c323) + violations := pattern_blacklist.get_violations( + tf_variables, + ["project_id"], + ["proj-*-prod", [["sec", "app"]]], + ) with input as data.gcp_project_plan + + # c223 has project_id "proj-sec-prod" and c323 has "proj-app-prod" + count(violations) == 2 + violation_names := {v.name | some v in violations} + violation_names == {"c223", "c323"} + + every v in violations { + contains(v.message, "project_id") + contains(v.message, "prod") + } +} diff --git a/tests/_helpers/pattern_whitelist_test.rego b/tests/_helpers/pattern_whitelist_test.rego new file mode 100644 index 000000000..9a4c952a2 --- /dev/null +++ b/tests/_helpers/pattern_whitelist_test.rego 
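Review bot: test_get_violations_with_real_terraform_plan (test 8) never constrains the size of `violations`, so its `every v in violations { ... }` block is vacuously true when the fixture produces no match and the test cannot detect a policy that silently flags nothing; the whitelist file's test 8 has the same shape. Pinning the count as tests 6, 7, 9 and 11 do, e.g. `count(violations) == 0` or the number the fixture is known to yield, would make the reality check meaningful. The MOCK DATA PROVENANCE comment lists only c123 and c223, yet test 11 relies on c323 having project_id "proj-app-prod"; adding `# - c323: project_id="proj-app-prod"` (and the nc223 entry the whitelist test names) would keep the comment in step with the fixture. The UNIT TESTS header says (6) but the section holds five tests, and the `shared` import does not appear to be used anywhere in this file, which `opa check --strict` would presumably reject as an unused import.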
@@ -0,0 +1,428 @@ +package terraform.helpers.policies.pattern_whitelist_test + +# Pattern Whitelist Policy Test Suite +# +# Tests the pattern whitelist policy module which detects resources where +# wildcard-extracted substrings DON'T match allowed patterns. +# Uses target patterns with * wildcards to extract values, then validates each +# against position-specific whitelists (inverted logic from blacklist). + +import data.terraform.helpers.policies.pattern_whitelist +import data.terraform.helpers.shared +import data.terraform.helpers.shared_test +import rego.v1 + +# ============================================================================== +# UNIT TESTS (6): Test pattern matching logic +# ============================================================================== + +# Test 1: Exact match in whitelist (boundary: match - should pass) +test_matches_whitelist_exact_match if { + pattern_whitelist._matches_whitelist(["allowed", "permitted"], "allowed") +} + +# Test 2: No match in whitelist (boundary: no match - should fail) +test_matches_whitelist_no_match if { + not pattern_whitelist._matches_whitelist(["allowed", "permitted"], "forbidden") +} + +# Test 3: Single wildcard pattern - all positions whitelisted (no violation) +test_get_whitelist_single_wildcard_all_match if { + # Mock resource with values matching whitelist + mock_resource := { + "type": "google_project", + "values": { + "name": "prod-project", + "parent": "projects/prod-project/locations/us-central1", + }, + } + + # Target pattern with 2 wildcards + target := "projects/*/locations/*" + # Whitelist patterns: first position ["prod-project"], second position ["us-central1"] + patterns := [["prod-project"], ["us-central1"]] + + whitelist := pattern_whitelist._get_whitelist(mock_resource, ["parent"], target, patterns) + + # Should find 0 violations (all positions whitelisted) + count(whitelist) == 0 +} + +# Test 4: Single wildcard pattern - one position not whitelisted (violation) 
+test_get_whitelist_single_wildcard_violation if { + # Mock resource with non-whitelisted value + mock_resource := { + "type": "google_project", + "values": { + "name": "test-project", + "parent": "projects/test-project/locations/us-east1", + }, + } + + target := "projects/*/locations/*" + patterns := [["prod-project"], ["us-central1"]] + + whitelist := pattern_whitelist._get_whitelist(mock_resource, ["parent"], target, patterns) + + # Should find 2 violations (both positions not whitelisted) + count(whitelist) == 2 + values := {w.value | some w in whitelist} + values == {"test-project", "us-east1"} +} + +# Test 5: Multiple patterns with OR logic within position +test_get_whitelist_multiple_patterns_or_logic if { + # Mock with value matching one of multiple allowed patterns at a position + mock_resource := { + "type": "google_project", + "values": { + "name": "staging-project", + "parent": "projects/staging-project/locations/us-central1", + }, + } + + target := "projects/*/locations/*" + # First position: ["prod-project", "staging-project"] (OR logic) + # Second position: ["us-central1"] + patterns := [["prod-project", "staging-project"], ["us-central1"]] + + whitelist := pattern_whitelist._get_whitelist(mock_resource, ["parent"], target, patterns) + + # Should match both positions (staging-project matches first, us-central1 matches second) + # No violations + count(whitelist) == 0 +} + +# ============================================================================== +# MOCK DATA PROVENANCE +# ============================================================================== +# Minimal mocks in tests 6-7 are synthetic, designed to test specific logic paths. +# They represent simplified hierarchical patterns (folders/*/projects/*). 
+# +# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_project/plan.json +# Source: inputs/gcp/cloud_platform_service/google_project/project_id/ +# Purpose: Tests pattern validation on actual project_id values (see pattern_blacklist_test.rego) +# ============================================================================== + +# Test 6: get_violations with minimal mock +test_get_violations_minimal if { + # Minimal mock with non-whitelisted pattern + mock_input := { + "planned_values": { + "root_module": { + "resources": [ + { + "type": "google_project", + "values": { + "name": "dev-project", + "parent": "folders/dev-folder/projects/test-app", + }, + }, + ], + }, + }, + } + + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Whitelist pattern: folders/*/projects/* where project is "prod-app" only + # First wildcard (folder) allows any value, second (project) restricted + violations := pattern_whitelist.get_violations( + tf_variables, + ["parent"], + ["folders/*/projects/*", [["dev-folder", "prod-folder"], ["prod-app"]]], + ) with input as mock_input + + # Property: Returns a set with no duplicate resource names + shared_test._assert_unique_violations(violations) + count(violations) == 1 + + # Verify violation structure (violates because project is "test-app" not "prod-app") + some v in violations + v.name == "dev-project" + shared_test._assert_valid_violation(v) + contains(v.message, "dev-project") # Resource name + contains(v.message, "'test-app'") # Violating value + contains(v.message, "should be set to one of") # Verdict +} + +# ============================================================================== +# INTEGRATION TEST (1): Complex whitelist patterns +# ============================================================================== + +# Test 7: get_violations with realistic complex patterns +test_get_violations_realistic if { + # Realistic mock with multiple 
wildcards and edge cases + mock_input := { + "planned_values": { + "root_module": { + "resources": [ + # Resource with non-whitelisted pattern (single position fails) + { + "type": "google_project", + "values": { + "name": "violating-project", + "parent": "organizations/12345/folders/dev-folder", + }, + }, + # Resource with multiple position failures (CRITICAL TEST CASE) + { + "type": "google_project", + "values": { + "name": "multi-fail-project", + "parent": "organizations/99999/folders/test-folder", + }, + }, + # Resource with whitelisted pattern + { + "type": "google_project", + "values": { + "name": "compliant-project", + "parent": "organizations/12345/folders/prod-folder", + }, + }, + # Resource with null parent (edge case) + { + "type": "google_project", + "values": { + "name": "null-project", + "parent": null, + }, + }, + # Different resource type (should be ignored) + { + "type": "google_storage_bucket", + "values": { + "name": "test-bucket", + "parent": "organizations/12345/folders/dev-folder", + }, + }, + ], + }, + }, + } + + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Pattern with 2 wildcards: organizations/*/folders/* + # Whitelist both positions to ensure only one violation per resource + # First position (org): allow "12345", second position (folder): ["prod-folder", "staging-folder"] + violations := pattern_whitelist.get_violations( + tf_variables, + ["parent"], + ["organizations/*/folders/*", [["12345"], ["prod-folder", "staging-folder"]]], + ) with input as mock_input + + # Property: Returns a set with no duplicate resource names + shared_test._assert_unique_violations(violations) + + # Should flag 2 projects: violating-project (single position) and multi-fail-project (both positions) + count(violations) == 2 + violation_name_set := {v.name | some v in violations} + violation_name_set == {"violating-project", "multi-fail-project"} + + every violation in 
violations { + shared_test._assert_valid_violation(violation) + contains(violation.message, "Project") + contains(violation.message, "parent") + } + + # Verify single-failure message + some single_violation in violations + single_violation.name == "violating-project" + contains(single_violation.message, "should be set to one of") + contains(single_violation.message, "'dev-folder'") + + # Verify multi-failure message mentions multiple positions + some multi_violation in violations + multi_violation.name == "multi-fail-project" + # Message should indicate multiple positions failed + contains(multi_violation.message, "Multiple positions failed") +} + +# ============================================================================== +# CRITICAL TESTS (2): Multiple failures and functional purity +# ============================================================================== + +# Test 9: Multiple position failures per resource (THE BUG THAT WAS MISSED) +test_get_violations_multiple_failures_per_resource if { + # This test validates the fix for eval_conflict_error + # When a resource fails multiple pattern positions, _build_violation must + # return exactly ONE violation object (not multiple) + mock_input := { + "planned_values": { + "root_module": { + "resources": [ + # Resource failing ALL 3 positions + { + "type": "google_project", + "values": { + "name": "bad-project", + "project_id": "bad-wrong-invalid", + }, + }, + # Resource failing 2 positions + { + "type": "google_project", + "values": { + "name": "partial-bad", + "project_id": "proj-bad-bad", + }, + }, + # Compliant resource + { + "type": "google_project", + "values": { + "name": "good-project", + "project_id": "proj-app-dev", + }, + }, + ], + }, + }, + } + + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Pattern: *-*-* with strict whitelist (most resources will fail) + violations := pattern_whitelist.get_violations( + 
tf_variables, + ["project_id"], + ["*-*-*", [["proj"], ["app", "sec"], ["dev", "prod"]]], + ) with input as mock_input + + # Property: Returns a set with no duplicate resource names + shared_test._assert_unique_violations(violations) + + # CRITICAL: Must return exactly 1 violation per resource (not 3 for bad-project) + count(violations) == 2 + + # Verify structure of resource with 3 position failures + some v1 in violations + v1.name == "bad-project" + is_string(v1.message) + # Message must mention multiple failures + contains(v1.message, "Multiple positions failed") + + # Verify structure of resource with 2 position failures + some v2 in violations + v2.name == "partial-bad" + is_string(v2.message) +} + +# Test 10: Functional purity - _build_violation returns single output +test_build_violation_functional_purity if { + # This test ensures _build_violation never produces multiple outputs + # for the same inputs (Rego functional semantics requirement) + mock_resource := { + "type": "google_project", + "values": { + "name": "test-project", + "project_id": "fail-fail-fail", + }, + } + + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Call _build_violation with resource that fails all 3 positions + # This would have caused eval_conflict_error before the fix + violation := pattern_whitelist._build_violation( + tf_variables, + ["project_id"], + ["*-*-*", [["good"], ["good"], ["good"]]], + mock_resource, + ) + + # Must return exactly ONE violation object + is_object(violation) + violation.name == "test-project" + is_string(violation.message) + violation.message != "" + + # Verify deterministic behavior - calling twice yields same result + violation2 := pattern_whitelist._build_violation( + tf_variables, + ["project_id"], + ["*-*-*", [["good"], ["good"], ["good"]]], + mock_resource, + ) + violation == violation2 +} + +# 
============================================================================== +# REALITY CHECK (1): Test with real Terraform plan structure +# ============================================================================== + +# Test 8: get_violations with real Terraform plan +test_get_violations_with_real_terraform_plan if { + # Use real fixture - gcp_project from fixtures + tf_variables := { + "resource_type": "google_project", + "friendly_resource_name": "Project", + "resource_value_name": "name", + } + + # Test with real data - whitelist specific patterns + # If project has parent with hierarchical structure + violations := pattern_whitelist.get_violations( + tf_variables, + ["parent"], + ["organizations/*/folders/*", [[], ["prod", "production", "main"]]], + ) with input as data.gcp_project_plan + + # Property: Returns a set with no duplicate resource names + shared_test._assert_unique_violations(violations) + + # Verify no crashes and proper structure + every v in violations { + shared_test._assert_valid_violation(v) + contains(v.message, "Project") + contains(v.message, "should be set to one of") + } +} + +# Test 11: Utilize fixture attribute - project_id pattern from project +test_project_id_fixture if { + # Test using actual project_id patterns from gcp_project_plan + # Whitelist only dev projects with allowed teams + tf_variables := { + "resource_type": "google_project", + "resource_value_name": "name", + "friendly_resource_name": "Project", + } + + # Pattern "proj-*-*" matches: proj-app-dev, proj-sec-prod, proj-app-prod, proj-ops-staging + # Whitelist: first position can be "app", second position can be "dev" + # Only proj-app-dev (c123) matches both → compliant + # Violations: c223 (proj-sec-prod), c323 (proj-app-prod), nc223 (proj-ops-staging) + violations := pattern_whitelist.get_violations( + tf_variables, + ["project_id"], + ["proj-*-*", [["app"], ["dev"]]], + ) with input as data.gcp_project_plan + + # 3 projects match pattern but don't meet 
whitelist criteria + count(violations) == 3 + violation_names := {v.name | some v in violations} + violation_names == {"c223", "c323", "nc223"} + + every v in violations { + contains(v.message, "project_id") + } +} diff --git a/tests/_helpers/policy_debug.sh b/tests/_helpers/policy_debug.sh new file mode 100755 index 000000000..5d564e979 --- /dev/null +++ b/tests/_helpers/policy_debug.sh 
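Review bot: The comment above the `get_violations` call in test_get_violations_minimal says `First wildcard (folder) allows any value`, but the patterns passed are `[["dev-folder", "prod-folder"], ["prod-app"]]`, which does restrict the folder position; the comment should read something like `# First wildcard (folder) limited to dev-folder/prod-folder, second (project) to prod-app`. Related, test 8 passes `[]` for the organization position and nothing in the suite pins whether an empty per-position whitelist means "unconstrained" or "nothing allowed", so a small unit test on `_get_whitelist` with an empty list would document that contract. Tests 9 and 10 are placed before test 8 here, unlike the blacklist file where the numbering is in order; reordering the sections would make the two suites easier to compare side by side. Test 4's title says `one position not whitelisted`, yet its body asserts `count(whitelist) == 2` for both positions, so either the title or the mock's parent value should be adjusted.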
@@ -0,0 +1,136 @@ +#!/bin/bash +# Policy Debug Tool +# Shows full policy output for debugging and validation + +# Navigate to repository root +cd "$(git rev-parse --show-toplevel)" || exit 1 + +SUCCESS=0 +ERRORS=0 + +test_policy() { + local name="$1" + local input="$2" + local query="$3" + + echo "" + echo "Testing: $name" + echo "========================================" + + # Check if input file exists + if [[ ! -f "$input" ]]; then + echo "❌ ERROR: Input file not found" + echo " Path: $input" + ((ERRORS++)) + return + fi + + # Capture output and exit code + local output + local exit_code + output=$(opa eval \ + --data ./policies/_helpers \ + --data ./policies/gcp \ + --input "$input" \ + "$query" \ + --format raw 2>&1) + exit_code=$? + + # Check for errors + if [[ $exit_code -ne 0 ]]; then + echo "❌ ERROR: Policy evaluation failed" + echo "$output" + ((ERRORS++)) + return + fi + + # Parse and format the JSON output + if echo "$output" | jq -e . >/dev/null 2>&1; then + local header + local situations + + # Extract header (first element) + header=$(echo "$output" | jq -r '.[0] // empty') + + if [[ -z "$header" ]]; then + echo "❌ ERROR: Unexpected output format" + echo "$output" + ((ERRORS++)) + return + fi + + echo "$header" + + # Check if there are violations (array length > 1) + local violations_count + violations_count=$(echo "$output" | jq 'length - 1') + + if [[ $violations_count -eq 0 ]]; then + echo "Policy executed: All resources compliant" + ((SUCCESS++)) + else + echo "Policy executed: Found $violations_count violation(s)" + ((SUCCESS++)) + echo "" + + # Format each situation + echo "$output" | jq -r ' + .[] | + select(type == "array") | + to_entries | + map( + if .key == 0 then + " " + .value + else + " " + .value + end + ) | + join("\n") + ' + fi + else + # Handle non-JSON output (like "undefined") + if [[ "$output" == "undefined" ]]; then + echo "❌ ERROR: Query returned undefined (likely wrong query path)" + ((ERRORS++)) + else + echo "Output: 
$output" + ((SUCCESS++)) + fi + fi + + echo "" +} + +echo "Policy Debug Output" +echo "======================================" + +test_policy "Blacklist & Element Blacklist" \ + "./inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_service_perimeter/status/plan.json" \ + "data.terraform.gcp.security.access_context_manager_vpc_service_controls.access_context_manager_service_perimeter.status.message" + +test_policy "Whitelist" \ + "./inputs/gcp/api_hub/google_apihub_api_hub_instance/config_encryption_type/plan.json" \ + "data.terraform.gcp.security.api_hub.google_apihub_api_hub_instance.config_encryption_type.message" + +test_policy "Range" \ + "./inputs/gcp/cloud_storage/google_storage_bucket/retention_period/plan.json" \ + "data.terraform.gcp.security.cloud_storage.google_storage_bucket.retention_period.message" + +test_policy "Pattern Blacklist" \ + "./inputs/gcp/cloud_storage/google_storage_default_object_acl/public_access_prevention/plan.json" \ + "data.terraform.gcp.security.cloud_storage.google_storage_default_object_acl.public_access_prevention.message" + +test_policy "Pattern Whitelist" \ + "./inputs/gcp/cloud_platform_service/google_project/project_id/plan.json" \ + "data.terraform.gcp.security.cloud_platform_service.google_project.project_id.message" + +echo "" +echo "======================================" +echo "Summary" +echo "======================================" +echo "✅ Successful: $SUCCESS" +echo "❌ Errors: $ERRORS" +echo "======================================" + +exit $ERRORS diff --git a/tests/_helpers/range_test.rego b/tests/_helpers/range_test.rego new file mode 100644 index 000000000..8d80b3fa0 --- /dev/null +++ b/tests/_helpers/range_test.rego 
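Review bot: In the non-JSON branch at the end of test_policy, any output that is not the literal `undefined` is echoed and counted with `((SUCCESS++))`, so an opa warning or parse error that lands in `$output` (stderr is merged in by `2>&1`) is reported as a success and leaves `exit $ERRORS` at zero; counting that branch as `((ERRORS++))`, or at least not as a success, would keep the summary and the exit status honest. The jq formatter's `if .key == 0 then " " + .value else " " + .value end` has identical branches, so the conditional is a no-op, and `" " + .value` will error if a situation element is not a string; drop the conditional or give the remedies a deeper indent than the header. `[[ $violations_count -eq 0 ]]` assumes `jq 'length - 1'` returned an integer, which is not the case when the query evaluates to an object or a scalar, and bash will then report a syntax error rather than a clean failure; checking `jq -e 'type == "array"'` first would avoid that. test_policy is complete within this hunk.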
@@ -0,0 +1,234 @@ +package terraform.helpers.policies.range_test + +# Range Policy Test Suite +# +# Tests the range policy module which validates numeric attributes fall within bounds. +# Covers boundary values and numeric edge cases. Both bounds are required. + +import data.terraform.helpers.policies.range +import data.terraform.helpers.shared +import data.terraform.helpers.shared_test +import rego.v1 + +# ============================================================================== +# UNIT TESTS (6): Test _test_value_range helper function +# ============================================================================== + +# Test 1: Value within range (happy path) +test_value_range_within if { + range._test_value_range(50, 10, 100) +} + +# Test 2: Value below range (boundary: below) +test_value_range_below if { + not range._test_value_range(5, 10, 100) +} + +# Test 3: Value above range (boundary: above) +test_value_range_above if { + not range._test_value_range(150, 10, 100) +} + +# Test 4: Value at lower boundary (boundary: exact min) +test_value_range_lower_boundary if { + range._test_value_range(10, 10, 100) +} + +# Test 5: Value at upper boundary (boundary: exact max) +test_value_range_upper_boundary if { + range._test_value_range(100, 10, 100) +} + +# ============================================================================== +# MOCK DATA PROVENANCE +# ============================================================================== +# Minimal mocks in tests 6-7 are synthetic, designed to test specific logic paths. +# They represent simplified versions of real Terraform resources with controlled +# numeric values to validate boundary conditions. 
+# +# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_storage_bucket/plan.json +# Source: inputs/gcp/cloud_storage/google_storage_bucket/retention_period/ +# Purpose: Tests numeric range validation on actual retention_period values: +# - c123: retention_period=604800 (7 days in seconds) +# - nc123: retention_period=2692000 (31 days in seconds) +# ============================================================================== + +# Test 6: get_violations with minimal mock (violation + compliant) +test_get_violations_minimal if { + # Mock with resources in and out of range + mock_input := { + "planned_values": { + "root_module": { + "resources": [ + { + "type": "google_storage_bucket", + "values": { + "name": "compliant-bucket", + "retention_policy": [ + { + "retention_period": 90, + }, + ], + }, + }, + { + "type": "google_storage_bucket", + "values": { + "name": "violating-bucket", + "retention_policy": [ + { + "retention_period": 400, + }, + ], + }, + }, + ], + }, + }, + } + + tf_variables := { + "resource_type": "google_storage_bucket", + "friendly_resource_name": "Storage Bucket", + "resource_value_name": "name", + } + + # Range: [30, 365] days + violations := range.get_violations( + tf_variables, + ["retention_policy", 0, "retention_period"], + [30, 365], + ) with input as mock_input + + count(violations) == 1 + some v in violations + v.name == "violating-bucket" + shared_test._assert_valid_violation(v) + contains(v.message, "violating-bucket") # Resource name + contains(v.message, "400") # Violating value + contains(v.message, "must be between") # Verdict +} + +# ============================================================================== +# INTEGRATION TEST (1): Numeric edge cases +# ============================================================================== + +# Test 7: get_violations with realistic numeric edge cases +test_get_violations_realistic if { + # Realistic mock with various numeric edge cases + mock_input := { + "planned_values": { + 
"root_module": { + "resources": [ + # Resource with value in range + { + "type": "google_storage_bucket", + "values": { + "name": "compliant-bucket", + "lifecycle_rule": [ + { + "action": [{"type": "Delete"}], + "condition": [{"age": 30}], + }, + ], + }, + }, + # Resource with value below range + { + "type": "google_storage_bucket", + "values": { + "name": "below-bucket", + "lifecycle_rule": [ + { + "action": [{"type": "Delete"}], + "condition": [{"age": -10}], + }, + ], + }, + }, + # Resource with large value (out of range) + { + "type": "google_storage_bucket", + "values": { + "name": "large-bucket", + "lifecycle_rule": [ + { + "action": [{"type": "Delete"}], + "condition": [{"age": 10000}], + }, + ], + }, + }, + # Different resource type (should be ignored) + { + "type": "google_project", + "values": { + "name": "test-project", + "lifecycle_rule": [ + { + "action": [{"type": "Delete"}], + "condition": [{"age": 5000}], + }, + ], + }, + }, + ], + }, + }, + } + + tf_variables := { + "resource_type": "google_storage_bucket", + "friendly_resource_name": "Storage Bucket", + "resource_value_name": "name", + } + + # Range: [0, 365] - zero is inclusive, negatives and large values violate + violations := range.get_violations( + tf_variables, + ["lifecycle_rule", 0, "condition", 0, "age"], + [0, 365], + ) with input as mock_input + + # Should flag below-bucket and large-bucket + count(violations) == 2 + violation_names := {v.name | some v in violations} + violation_names == {"below-bucket", "large-bucket"} + + # Verify messages include range information + every v in violations { + contains(v.message, "must be between") + contains(v.message, "0") + contains(v.message, "365") + } +} + +# ============================================================================== +# REALITY CHECK (1): Test with real Terraform plan structure +# ============================================================================== + +# Test 8: get_violations with real Terraform plan 
+test_real_plan_violations if { + # Use real fixture - gcp_storage_bucket from fixtures + tf_variables := { + "resource_type": "google_storage_bucket", + "friendly_resource_name": "Storage Bucket", + "resource_value_name": "name", + } + + # Test with real data - check retention_period attribute + # Range: 604800 to 2592000 seconds (7 to 30 days) + violations := range.get_violations( + tf_variables, + ["retention_policy", 0, "retention_period"], + [604800, 2592000], # 7 days to 30 days in seconds + ) with input as data.gcp_storage_bucket_plan + + # Verify no crashes and proper structure + is_set(violations) + every v in violations { + shared_test._assert_valid_violation(v) + contains(v.message, "Storage Bucket") + contains(v.message, "must be between") + } +} diff --git a/tests/_helpers/shared_test.rego b/tests/_helpers/shared_test.rego new file mode 100644 index 000000000..3bfe4901a --- /dev/null +++ b/tests/_helpers/shared_test.rego 
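Review bot: `test_real_plan_violations` is vacuous as written: `every v in violations { ... }` is satisfied by an empty set, so a regression in `range.get_violations` that returns nothing for the real plan still passes. The provenance block states that nc123 carries retention_period=2692000, above the 2592000 upper bound, so the test can pin the expected outcome with `count(violations) == 1` and `some v in violations; v.name == "nc123"`. Separately, the `UNIT TESTS (6)` header is followed by five tests, and the provenance comment's "31 days in seconds" does not match 2692000 (31 × 86400 = 2678400), so it should say "roughly 31 days" or give the exact figure.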
@@ -0,0 +1,326 @@ +package terraform.helpers.shared_test + +# Shared Utilities Test Suite +# +# Tests the shared utility module which provides helper functions used by all policy types. +# Foundation tests - all other policy tests depend on these utilities working correctly. + +import rego.v1 + +import data.terraform.helpers.shared + +# ============================================================================== +# UNIT TESTS (10): Test individual utility functions +# ============================================================================== + +# Test 1: get_resource_attribute - Happy Path +test_get_resource_attribute_found if { + resource := {"values": {"name": "test-resource"}} + result := shared.get_resource_attribute(resource, "name") + result == "test-resource" +} + +# Test 2: get_resource_attribute - Not Found +test_get_resource_attribute_not_found if { + resource := {"values": {}} + result := shared.get_resource_attribute(resource, "missing_key") + result == null +} + +# Test 3: format_attribute_path - Array Path +test_format_attribute_path_array if { + path := ["status", 0, "restricted_services"] + result := shared.format_attribute_path(path) + result == "status.[0].restricted_services" +} + +# Test 4: format_attribute_path - String Path +test_format_attribute_path_string if { + path := "attribute_name" + result := shared.format_attribute_path(path) + result == "attribute name" +} + +# Test 5: ensure_array - Already Array +test_ensure_array_with_array if { + input_array := [1, 2, 3] + result := shared.ensure_array(input_array) + result == [1, 2, 3] +} + +# Test 6: ensure_array - Scalar to Array +test_ensure_array_with_scalar if { + input_scalar := "value" + result := shared.ensure_array(input_scalar) + result == ["value"] +} + +# Test 7: value_in_array - Exists +test_value_in_array_exists if { + array := [1, 2, 3] + value := 2 + shared.value_in_array(array, value) +} + +# Test 8: value_in_array - Not Exists +test_value_in_array_not_exists if { + array 
:= [1, 2, 3] + value := 4 + not shared.value_in_array(array, value) +} + +# Test 9: get_target_list - Wildcard Extraction +test_get_target_list_wildcard_extraction if { + mock_resource := { + "values": { + "project_id": "projects/test-project/locations/us-east1", + }, + } + attribute_path := ["project_id"] + target := "projects/*/locations/*" + result := shared.get_target_list(mock_resource, attribute_path, target) + result == ["test-project", "us-east1"] +} + +# Test 10: final_formatter - Pattern Highlighting +test_final_formatter_highlight if { + target := "projects/test-project/locations/us" + sub_pattern := "test-project" + result := shared.final_formatter(target, sub_pattern) + result == "projects/'test-project'/locations/us" +} + +# ============================================================================== +# INTEGRATION TEST (1): Deep Nesting (Realistic Mock) +# ============================================================================== +# ============================================================================ +# MOCK DATA PROVENANCE +# ============================================================================ +# Source: tests/_helpers/fixtures/real_terraform_plans/gcp_access_level_plan.json +# Extracted: 2025-12-02 +# Terraform: v1.12.2 +# Provider: google (from plan file) +# +# Fields used in this mock: basic, basic.conditions, basic.conditions.device_policy +# Testing: Deep nested path access (5 levels) +# +# Fields intentionally omitted: custom, description, timeouts, title +# Reason: Not needed for nested attribute access testing +# +# Validation: See mock_validator_test.rego +# ============================================================================ + +# Test 11: Deep nesting with realistic mock +test_shared_utilities_with_deep_nesting if { + # Realistic mock with 5 levels of nesting from real Terraform plan + mock_resource := { + "type": "google_access_context_manager_access_level", + "values": { + "basic": [{ + "conditions": [{ + 
"device_policy": [{ + "require_screen_lock": true, + "os_constraints": [{"os_type": "DESKTOP_CHROME_OS"}], + }], + "regions": ["US", "EU"], + }], + }], + }, + } + + # Test get_attribute_value with deep path + screen_lock := shared.get_attribute_value( + mock_resource, + ["basic", 0, "conditions", 0, "device_policy", 0, "require_screen_lock"], + ) + screen_lock == true + + # Test format_attribute_path with complex array indices + formatted_path := shared.format_attribute_path([ + "basic", + 0, + "conditions", + 0, + "device_policy", + 0, + "require_screen_lock", + ]) + formatted_path == "basic.[0].conditions.[0].device_policy.[0].require_screen_lock" + + # Test ensure_array with nested array attribute + regions := shared.get_attribute_value(mock_resource, ["basic", 0, "conditions", 0, "regions"]) + ensured_regions := shared.ensure_array(regions) + ensured_regions == ["US", "EU"] +} + +# ============================================================================== +# ARRAY-OF-OBJECTS FIELD EXTRACTION (1): Test new enhancement +# ============================================================================== + +# Test 12: Array-of-objects field extraction (new enhancement) +test_get_attribute_value_array_of_objects_extraction if { + # Mock resource with array of objects (realistic os_constraints pattern) + mock_resource := { + "type": "google_access_context_manager_access_level", + "values": { + "basic": [{ + "conditions": [{ + "device_policy": [{ + "os_constraints": [ + {"os_type": "ANDROID", "minimum_version": "10"}, + {"os_type": "IOS", "minimum_version": "14"}, + {"os_type": "OS_UNSPECIFIED", "minimum_version": null}, + ], + }], + }], + }], + }, + } + + # Test: Extract os_type field from array of objects + os_types := shared.get_attribute_value( + mock_resource, + ["basic", 0, "conditions", 0, "device_policy", 0, "os_constraints", "os_type"], + ) + + # Should return array of extracted field values + trace(sprintf("Extracted os_types: %v", [os_types])) + 
is_array(os_types) + count(os_types) == 3 + os_types == ["ANDROID", "IOS", "OS_UNSPECIFIED"] + + # Test: Also works with other fields in the same array + versions := shared.get_attribute_value( + mock_resource, + ["basic", 0, "conditions", 0, "device_policy", 0, "os_constraints", "minimum_version"], + ) + trace(sprintf("Extracted versions: %v", [versions])) + is_array(versions) + count(versions) == 2 # null values are filtered out + versions == ["10", "14"] +} + +# Test 13: Array-of-objects extraction edge cases +test_get_attribute_value_array_of_objects_edge_cases if { + mock_resource := { + "type": "test_resource", + "values": { + "empty_array": [], + "scalar_value": "not-an-array", + "array_of_scalars": ["a", "b", "c"], + "nested": [{ + "items": [ + {"field": "value1"}, + {"field": "value2"}, + {"different": "ignored"}, # Missing 'field' key + ], + }], + }, + } + + # Empty array should return null (fallback to object.get) + empty_result := shared.get_attribute_value(mock_resource, ["empty_array", "field"]) + empty_result == null + + # Scalar value with field access should return null + scalar_result := shared.get_attribute_value(mock_resource, ["scalar_value", "field"]) + scalar_result == null + + # Array of scalars (not objects) should return null + scalar_array_result := shared.get_attribute_value(mock_resource, ["array_of_scalars", "field"]) + scalar_array_result == null + + # Extraction from nested array with missing field in some objects + nested_result := shared.get_attribute_value(mock_resource, ["nested", 0, "items", "field"]) + trace(sprintf("Nested extraction: %v", [nested_result])) + is_array(nested_result) + count(nested_result) == 2 # Only objects with 'field' key + nested_result == ["value1", "value2"] +} + +# ============================================================================== +# REALITY CHECK (1): Test with real Terraform plan structure +# ============================================================================== + +# Test 14: 
Reality check with actual fixture data +test_shared_utilities_with_real_structure if { + # Access real Terraform plan loaded by OPA from fixtures/gcp_access_level/ + # The wrapped file loads as data.gcp_access_level_plan (wrapper key becomes the path) + real_plan_data := data.gcp_access_level_plan + + trace(sprintf("Assertion 1: Plan data loaded = %v", [real_plan_data != null])) + real_plan_data != null + + real_resource := real_plan_data.planned_values.root_module.resources[0] + trace(sprintf("Assertion 2: Resource exists = %v", [real_resource != null])) + real_resource != null + + trace(sprintf("Assertion 3: Resource type = %v (expected google_access_context_manager_access_level)", [real_resource.type])) + real_resource.type == "google_access_context_manager_access_level" + + basic_config := shared.get_resource_attribute(real_resource, "basic") + trace(sprintf("Assertion 4: basic_config type = %v, is_array = %v", [type_name(basic_config), is_array(basic_config)])) + is_array(basic_config) + + trace(sprintf("Assertion 5: basic_config count = %v", [count(basic_config)])) + count(basic_config) > 0 + + require_screen_lock := shared.get_attribute_value( + real_resource, + ["basic", 0, "conditions", 0, "device_policy", 0, "require_screen_lock"], + ) + trace(sprintf("Assertion 6: require_screen_lock = %v, type = %v", [require_screen_lock, type_name(require_screen_lock)])) + require_screen_lock != null + + # Assertion 7: Should be boolean (validates deep path exists in real data) + trace(sprintf("Assertion 7: require_screen_lock is_boolean = %v", [is_boolean(require_screen_lock)])) + is_boolean(require_screen_lock) + + conditions := real_resource.values.basic[0].conditions + trace(sprintf("Assertion 8: conditions is_array = %v, type = %v", [is_array(conditions), type_name(conditions)])) + is_array(conditions) +} + +# ============================================================================== +# TEST ASSERTION HELPERS (4): Reusable validation functions +# 
============================================================================== + +# Verifies violations is a set with no duplicate resource names +_assert_unique_violations(violations) if { + is_set(violations) + violation_names := [v.name | some v in violations] + count(violation_names) == count({n | some n in violation_names}) +} + +# Verifies a single violation has the required structure +_assert_valid_violation(v) if { + is_string(v.name) + is_string(v.message) + v.name != "" + v.message != "" +} + +# Test 13: Assertion helper - Unique violations +test_assert_unique_violations_pass if { + mock_violations := { + {"name": "resource-1", "message": "error 1"}, + {"name": "resource-2", "message": "error 2"}, + } + _assert_unique_violations(mock_violations) +} + +# Test 14: Assertion helper - Valid violation structure +test_assert_valid_violation_pass if { + mock_violation := {"name": "test-resource", "message": "Test violation message"} + _assert_valid_violation(mock_violation) +} + +test_assert_valid_violation_fails_empty_name if { + mock_violation := {"name": "", "message": "Test violation message"} + not _assert_valid_violation(mock_violation) +} + +test_assert_valid_violation_fails_empty_message if { + mock_violation := {"name": "test-resource", "message": ""} + not _assert_valid_violation(mock_violation) +} diff --git a/tests/_helpers/smoke_test_helpers.sh b/tests/_helpers/smoke_test_helpers.sh new file mode 100755 index 000000000..0b4af5f5a --- /dev/null +++ b/tests/_helpers/smoke_test_helpers.sh 
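Review bot: The test numbering repeats: `Test 13` and `Test 14` label the array-of-objects edge cases and the reality check, then are reused for the assertion-helper tests at the end of the file; renumber the last two (`# Test 15`, `# Test 16`) or drop the numbers, since the section headers already carry counts. The provenance block names the fixture as `tests/_helpers/fixtures/real_terraform_plans/gcp_access_level_plan.json`, while the runner in this same patch (`unit_test_helpers.sh`) loads `tests/_helpers/fixtures/gcp_access_level/plan.json`; one of the two paths looks stale and the comment is the one that can be corrected here. `_assert_unique_violations` is defined but, as far as the files in this patch show, not called by any policy suite; a one-line comment saying it is provided for suites that need duplicate detection would make that intent clear.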
@@ -0,0 +1,122 @@ +#!/bin/bash +# Smoke tests for helper refactoring +# Tests all 6 policy types with minimal output for quick verification + +# Navigate to repository root +cd "$(git rev-parse --show-toplevel)" || exit 1 + +echo "Helper Refactor Smoke Tests" +echo "================================" +echo "Testing against actual Terraform plans for:" +echo " • access_context_manager_service_perimeter.status" +echo " • google_apihub_api_hub_instance.config_encryption_type" +echo " • google_storage_bucket.retention_period" +echo " • google_storage_default_object_acl.public_access_prevention" +echo " • google_project.project_id" +echo "" + +FAILED=0 +PASSED=0 + +run_test() { + local name="$1" + local input="$2" + local query="$3" + local expected_violations="$4" + local expected_resource="$5" + + echo -n "Testing $name... " + + # Check if input file exists + if [[ ! -f "$input" ]]; then + echo "❌ FAIL (input file not found: $input)" + ((FAILED++)) + return + fi + + # Capture output and exit code + local output + local exit_code + output=$(opa eval \ + --data ./policies/_helpers \ + --data ./policies/gcp \ + --input "$input" \ + "$query" \ + --format raw 2>&1) + exit_code=$? + + # Check for OPA errors + if [[ $exit_code -ne 0 ]]; then + echo "❌ FAIL (policy error: $output)" + ((FAILED++)) + return + fi + + # Validate output is valid JSON + if ! echo "$output" | jq -e . >/dev/null 2>&1; then + echo "❌ FAIL (invalid JSON output)" + ((FAILED++)) + return + fi + + # Check expected violation count + local violation_count + violation_count=$(echo "$output" | jq 'length - 1') + + if [[ "$violation_count" != "$expected_violations" ]]; then + echo "❌ FAIL (expected $expected_violations violations, found $violation_count)" + ((FAILED++)) + return + fi + + # If expecting violations, check for expected resource in output + if [[ $expected_violations -gt 0 ]] && [[ -n "$expected_resource" ]]; then + if ! 
echo "$output" | grep -q "$expected_resource"; then + echo "❌ FAIL (expected resource '$expected_resource' not found in output)" + ((FAILED++)) + return + fi + fi + + echo "✅ PASS" + ((PASSED++)) +} + +# Test all 6 policy types +# Format: run_test "name" "input" "query" expected_violations expected_resource_in_output + +run_test "Blacklist & Element Blacklist" \ + "./inputs/gcp/access_context_manager_vpc_service_controls/access_context_manager_service_perimeter/status/plan.json" \ + "data.terraform.gcp.security.access_context_manager_vpc_service_controls.access_context_manager_service_perimeter.status.message" \ + 1 \ + "nc-null-restricted-services" + +run_test "Whitelist" \ + "./inputs/gcp/api_hub/google_apihub_api_hub_instance/config_encryption_type/plan.json" \ + "data.terraform.gcp.security.api_hub.google_apihub_api_hub_instance.config_encryption_type.message" \ + 0 \ + "" + +run_test "Range" \ + "./inputs/gcp/cloud_storage/google_storage_bucket/retention_period/plan.json" \ + "data.terraform.gcp.security.cloud_storage.google_storage_bucket.retention_period.message" \ + 1 \ + "nc123" + +run_test "Pattern Blacklist" \ + "./inputs/gcp/cloud_storage/google_storage_default_object_acl/public_access_prevention/plan.json" \ + "data.terraform.gcp.security.cloud_storage.google_storage_default_object_acl.public_access_prevention.message" \ + 1 \ + "nc123" + +run_test "Pattern Whitelist" \ + "./inputs/gcp/cloud_platform_service/google_project/project_id/plan.json" \ + "data.terraform.gcp.security.cloud_platform_service.google_project.project_id.message" \ + 1 \ + "nc123" + +echo "" +echo "================================" +echo "Results: $PASSED passed, $FAILED failed" + +exit $FAILED diff --git a/tests/_helpers/unit_test_helpers.sh b/tests/_helpers/unit_test_helpers.sh new file mode 100755 index 000000000..578e2ef65 --- /dev/null +++ b/tests/_helpers/unit_test_helpers.sh 
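Review bot: `grep -q "$expected_resource"` treats the expected name as a regular expression matched anywhere in the combined output, so `nc123` also matches a resource named `nc1234`, and a name containing regex metacharacters would be misread; `grep -qF -- "$expected_resource"` gives a literal, option-safe match. The search also covers the header element at `.[0]`, so a name echoed in the summary text could satisfy the check without a violation entry — narrowing it to `jq '.[1:]'` before the grep would be tighter. The header comment says "Tests all 6 policy types" but five `run_test` calls follow; the first covers two types, and the comment could say so.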
@@ -0,0 +1,103 @@ +#!/bin/bash +# Unit tests for policy helpers +# Runs comprehensive test suites for all helper modules with fixtures + +# Navigate to repository root +cd "$(git rev-parse --show-toplevel)" || exit 1 + +echo "Policy Helper Unit Tests" +echo "============================" + +# Common fixtures needed by all tests +FIXTURES=( + "tests/_helpers/fixtures/gcp_storage_bucket/plan.json" + "tests/_helpers/fixtures/gcp_project/plan.json" + "tests/_helpers/fixtures/gcp_access_level/plan.json" +) + +# Common helper modules +HELPERS=( + "policies/_helpers/shared.rego" +) + +# Test utilities (assertion helpers used by all test files) +TEST_HELPERS=( + "tests/_helpers/shared_test.rego" +) + +FAILED=0 +PASSED=0 +TOTAL_TESTS_PASSED=0 +TOTAL_TESTS_FAILED=0 + +run_test_suite() { + local name="$1" + local test_file="$2" + local policy_file="$3" + local include_test_helpers="${4:-true}" # Default to true + + echo "" + echo "Testing $name..." + echo "============================" + + # Build test command with optional test helpers + if [ "$include_test_helpers" = "true" ]; then + output=$(opa test "$test_file" "$policy_file" "${HELPERS[@]}" "${TEST_HELPERS[@]}" "${FIXTURES[@]}" -v 2>&1) + else + output=$(opa test "$test_file" "$policy_file" "${HELPERS[@]}" "${FIXTURES[@]}" -v 2>&1) + fi + exit_code=$? 
+ + echo "$output" + + if [ $exit_code -eq 0 ]; then + ((PASSED++)) + # Count PASS occurrences in individual test lines (format: "data.package.test_name: PASS") + pass_count=$(echo "$output" | grep -c ": PASS") + ((TOTAL_TESTS_PASSED += pass_count)) + else + ((FAILED++)) + # Count both PASS and FAIL occurrences in individual test lines + pass_count=$(echo "$output" | grep -c ": PASS") + fail_count=$(echo "$output" | grep -c ": FAIL") + ((TOTAL_TESTS_PASSED += pass_count)) + ((TOTAL_TESTS_FAILED += fail_count)) + fi +} + +# Run all helper test suites +run_test_suite "Shared Helpers" \ + "tests/_helpers/shared_test.rego" \ + "policies/_helpers/shared.rego" \ + "false" # Don't include shared_test.rego when testing itself + +run_test_suite "Blacklist Policy" \ + "tests/_helpers/blacklist_test.rego" \ + "policies/_helpers/policies/blacklist.rego" + +run_test_suite "Whitelist Policy" \ + "tests/_helpers/whitelist_test.rego" \ + "policies/_helpers/policies/whitelist.rego" + +run_test_suite "Range Policy" \ + "tests/_helpers/range_test.rego" \ + "policies/_helpers/policies/range.rego" + +run_test_suite "Pattern Blacklist Policy" \ + "tests/_helpers/pattern_blacklist_test.rego" \ + "policies/_helpers/policies/pattern_blacklist.rego" + +run_test_suite "Pattern Whitelist Policy" \ + "tests/_helpers/pattern_whitelist_test.rego" \ + "policies/_helpers/policies/pattern_whitelist.rego" + +run_test_suite "Element Blacklist Policy" \ + "tests/_helpers/element_blacklist_test.rego" \ + "policies/_helpers/policies/element_blacklist.rego" + +echo "" +echo "================================" +echo "Test Suites: $PASSED passed, $FAILED failed" +echo "Total Tests: $TOTAL_TESTS_PASSED passed, $TOTAL_TESTS_FAILED failed" + +exit $FAILED diff --git a/tests/_helpers/whitelist_test.rego b/tests/_helpers/whitelist_test.rego new file mode 100644 index 000000000..f6cbaee8e --- /dev/null +++ b/tests/_helpers/whitelist_test.rego 
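Review bot: `output`, `exit_code`, `pass_count` and `fail_count` are assigned inside `run_test_suite` without `local`, unlike the parameters declared just above them, so they leak into global scope; `local output exit_code pass_count fail_count` at the top of the function matches the rest of the function and the sibling scripts in this patch. For the "Shared Helpers" suite, `policies/_helpers/shared.rego` is passed both as `$policy_file` and again via `${HELPERS[@]}`; if `opa test` does not de-duplicate paths this may surface as a duplicate-module error, so it is worth confirming or skipping `HELPERS` when `policy_file` already names it. The per-test totals come from `grep -c ": PASS"` over verbose output, which also counts any printed or traced line containing that substring; acceptable for a summary, but a comment saying the counts are approximate would avoid surprises.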
@@ -0,0 +1,345 @@ +package terraform.helpers.policies.whitelist_test + +# Whitelist Policy Test Suite +# +# Tests the whitelist policy module which detects resources with non-allowed values. +# Covers scalar values, array AND logic (all must be whitelisted), and message formatting. + +import data.terraform.helpers.policies.whitelist +import data.terraform.helpers.shared +import data.terraform.helpers.shared_test +import rego.v1 + +# ============================================================================== +# UNIT TESTS (6): Test _is_whitelisted helper function +# ============================================================================== + +# Test 1: Scalar value in whitelist (boundary: match) +test_is_whitelisted_scalar_match if { + whitelist._is_whitelisted(["allowed", "permitted"], "allowed") +} + +# Test 2: Scalar value not in whitelist (boundary: no match) +test_is_whitelisted_scalar_no_match if { + not whitelist._is_whitelisted(["allowed", "permitted"], "forbidden") +} + +# Test 3: Array with ALL whitelisted values (AND logic proof) +test_is_whitelisted_array_all_match if { + whitelist._is_whitelisted(["good", "better", "best"], ["good", "best"]) +} + +# Test 4: Array with SOME non-whitelisted values (AND logic negative) +test_is_whitelisted_array_partial_match if { + not whitelist._is_whitelisted(["good", "better"], ["good", "bad"]) +} + +# Test 5: Empty array whitelisting (edge case) +test_is_whitelisted_empty_array if { + whitelist._is_whitelisted(["allowed"], []) +} + +# ============================================================================== +# MOCK DATA PROVENANCE +# ============================================================================== +# Minimal mocks in tests 6-10 are synthetic, designed to test specific logic paths. +# They represent simplified versions of real Terraform resources with controlled +# attributes to validate exact behavior (e.g., AND logic, edge cases). 
+# +# Reality check (test 8) uses: tests/_helpers/fixtures/gcp_storage_bucket/plan.json +# Source: inputs/gcp/cloud_storage/google_storage_bucket/retention_period/ +# Purpose: Tests against actual Terraform plan structure (see blacklist_test.rego) +# ============================================================================== + +# Test 6: get_violations with minimal mock (happy path + structure validation) +test_get_violations_minimal if { + # Minimal mock with non-whitelisted location + mock_input := { + "planned_values": { + "root_module": { + "resources": [ + { + "type": "google_storage_bucket", + "values": { + "name": "test-bucket", + "location": "ASIA", + }, + }, + ], + }, + }, + } + + tf_variables := { + "resource_type": "google_storage_bucket", + "friendly_resource_name": "Storage Bucket", + "resource_value_name": "name", + } + + violations := whitelist.get_violations( + tf_variables, + ["location"], + ["US", "EU"], + ) with input as mock_input + + count(violations) == 1 + some v in violations + v.name == "test-bucket" + shared_test._assert_valid_violation(v) + contains(v.message, "test-bucket") # Resource name + contains(v.message, "ASIA") # Violating value + contains(v.message, "should be set to") # Verdict +} + +# ============================================================================== +# INTEGRATION TEST (1): Realistic structure with edge cases +# ============================================================================== + +# Test 7: get_violations with realistic Terraform structures +test_get_violations_realistic if { + # Realistic mock including edge cases + mock_input := { + "planned_values": { + "root_module": { + "resources": [ + # Resource with non-whitelisted value + { + "type": "google_storage_bucket", + "values": { + "name": "violating-bucket", + "location": "ASIA", + "storage_class": "STANDARD", + }, + }, + # Resource with whitelisted value + { + "type": "google_storage_bucket", + "values": { + "name": "compliant-bucket", + 
"location": "US",
+ "storage_class": "STANDARD",
+ },
+ },
+ # Resource with null location (edge case - should violate)
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "null-bucket",
+ "location": null,
+ "storage_class": "STANDARD",
+ },
+ },
+ # Different resource type (should be ignored)
+ {
+ "type": "google_project",
+ "values": {
+ "name": "test-project",
+ "location": "ASIA",
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ violations := whitelist.get_violations(
+ tf_variables,
+ ["location"],
+ ["US", "EU"],
+ ) with input as mock_input
+
+ # Should flag violating-bucket and null-bucket
+ count(violations) == 2
+ violation_names := {v.name | some v in violations}
+ violation_names == {"violating-bucket", "null-bucket"}
+
+ # Verify message format
+ some v in violations
+ v.name == "violating-bucket"
+ contains(v.message, "Storage Bucket")
+ contains(v.message, "location")
+ contains(v.message, "should be set to")
+}
+
+# ==============================================================================
+# REALITY CHECK (1): Test with real Terraform plan structure
+# ==============================================================================
+
+# Test 8: get_violations with real Terraform plan
+test_get_violations_with_real_terraform_plan if {
+ # Use real fixture - gcp_storage_bucket from fixtures
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ # Test with real data - whitelist specific locations
+ violations := whitelist.get_violations(
+ tf_variables,
+ ["location"],
+ ["US-CENTRAL1", "US-EAST1"],
+ ) with input as data.gcp_storage_bucket_plan
+
+ is_set(violations)
+ every v in violations {
+ shared_test._assert_valid_violation(v)
+ contains(v.message, "Storage Bucket")
+ contains(v.message, "location")
+ contains(v.message, "should be set to")
+ }
+}
+
+# Test 11: Utilize fixture attribute - storage_class whitelist
+test_storage_class_fixture if {
+ # Test using actual storage_class attribute from gcp_storage_bucket_plan
+ # Fixture has storage_class: "STANDARD" for both buckets
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ # Whitelist only NEARLINE and COLDLINE (both buckets should violate)
+ violations := whitelist.get_violations(
+ tf_variables,
+ ["storage_class"],
+ ["NEARLINE", "COLDLINE"],
+ ) with input as data.gcp_storage_bucket_plan
+
+ # Both c123 and nc123 have non-whitelisted storage_class: "STANDARD"
+ count(violations) == 2
+ violation_names := {v.name | some v in violations}
+ violation_names == {"c123", "nc123"}
+
+ every v in violations {
+ contains(v.message, "storage_class")
+ contains(v.message, "STANDARD")
+ contains(v.message, "should be set to")
+ }
+}
+
+# ==============================================================================
+# ADDITIONAL TESTS (2): Real-world usage patterns
+# ==============================================================================
+
+# Test 9: Boolean whitelisting (real-world use case - versioning enabled)
+test_get_violations_boolean_whitelist if {
+ # Mock matching real policy: versioning.enabled must be true
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "compliant-bucket",
+ "versioning": [
+ {
+ "enabled": true,
+ },
+ ],
+ "location": "US",
+ },
+ },
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "non-compliant-bucket",
+ "versioning": [
+ {
+ "enabled": false,
+ },
+ ],
+ "location": "US",
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ # Whitelist versioning.enabled: true (actual policy usage pattern)
+ violations := whitelist.get_violations(
+ tf_variables,
+ ["versioning", 0, "enabled"],
+ [true],
+ ) with input as mock_input
+
+ # Should only flag non-compliant-bucket
+ count(violations) == 1
+ some v in violations
+ v.name == "non-compliant-bucket"
+ contains(v.message, "versioning")
+ contains(v.message, "false")
+ contains(v.message, "should be set to")
+}
+
+# Test 10: Array attribute with AND logic (all elements must be whitelisted)
+test_get_violations_array_attribute_and_logic if {
+ # Mock with array attributes testing AND logic
+ mock_input := {
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "compliant-bucket",
+ "cors": [
+ {
+ "method": ["GET", "POST"],
+ "origin": ["https://example.com"],
+ },
+ ],
+ },
+ },
+ {
+ "type": "google_storage_bucket",
+ "values": {
+ "name": "violating-bucket",
+ "cors": [
+ {
+ "method": ["GET", "DELETE"],
+ "origin": ["https://example.com"],
+ },
+ ],
+ },
+ },
+ ],
+ },
+ },
+ }
+
+ tf_variables := {
+ "resource_type": "google_storage_bucket",
+ "friendly_resource_name": "Storage Bucket",
+ "resource_value_name": "name",
+ }
+
+ # Whitelist only safe HTTP methods (AND logic: ALL must be in whitelist)
+ violations := whitelist.get_violations(
+ tf_variables,
+ ["cors", 0, "method"],
+ ["GET", "POST", "HEAD"],
+ ) with input as mock_input
+
+ # Should flag bucket with DELETE (not in whitelist)
+ count(violations) == 1
+ some v in violations
+ v.name == "violating-bucket"
+ contains(v.message, "cors")
+ contains(v.message, "method")
+}
From a2359cabb532b037c0574e6c3b25515e357a5fe2 Mon Sep 17 00:00:00 2001
From: LegendaryMercury
Date: Thu, 8 Jan 2026 19:24:07 +1100
Subject: [PATCH 13/20] Updated Paths Updated .helpers paths
---
 .../data_connector/data_connector_data_source/policy.rego | 2 +-
 .../data_connector/data_connector_json_params/policy.rego | 2 +-
 .../data_connector/data_connector_location/policy.rego | 2 +-
 .../google_discovery_engine_data_connector/policy.rego | 2 +-
 .../engine_assistant/engine_assistant_location/policy.rego | 2 +-
 .../engine_control/engine_control_filter_action/policy.rego | 2 +-
 .../engine_control/engine_control_location/policy.rego | 2 +-
 .../engine_control/engine_control_redirect_action/policy.rego | 2 +-
 .../engine_sitemap/engine_sitemap_location/policy.rego | 2 +-
 .../engine_sitemap/engine_sitemap_url/policy.rego | 2 +-
 .../license_config/license_config_auto_renew/policy.rego | 2 +-
 .../license_config/license_config_location/policy.rego | 2 +-
 .../license_config/license_config_subscription_tier/policy.rego | 2 +-
 13 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego
index aaf59ffce..97f8a2ff8 100644
--- a/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego
+++ b/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.data_connector.data_connector_data_source
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.data_connector.vars
 #Data_connector
diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_json_params/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_json_params/policy.rego
index af6337e16..0183b043c 100644
--- a/policies/gcp/discovery_engine/data_connector/data_connector_json_params/policy.rego
+++ b/policies/gcp/discovery_engine/data_connector/data_connector_json_params/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.data_connector.data_connector_json_params
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.data_connector.vars
 #Data_connector_json
diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego
index c5c2f70fd..960d42281 100644
--- a/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego
+++ b/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.data_connector.data_connector_location
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.data_connector.vars
 #Data_connector
diff --git a/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego b/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego
index 705030a54..9a2b0dd4b 100644
--- a/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego
+++ b/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.data_connector.google_discovery_engine_data_connector
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.data_connector.vars
 #Data_connector
diff --git a/policies/gcp/discovery_engine/engine_assistant/engine_assistant_location/policy.rego b/policies/gcp/discovery_engine/engine_assistant/engine_assistant_location/policy.rego
index 240c3e86a..f29ad252f 100644
--- a/policies/gcp/discovery_engine/engine_assistant/engine_assistant_location/policy.rego
+++ b/policies/gcp/discovery_engine/engine_assistant/engine_assistant_location/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.engine_assistant.engine_assistant_location
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.engine_assistant.vars
 #engine_assistant_location
diff --git a/policies/gcp/discovery_engine/engine_control/engine_control_filter_action/policy.rego b/policies/gcp/discovery_engine/engine_control/engine_control_filter_action/policy.rego
index d4cc1fe78..17e54b2e5 100644
--- a/policies/gcp/discovery_engine/engine_control/engine_control_filter_action/policy.rego
+++ b/policies/gcp/discovery_engine/engine_control/engine_control_filter_action/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.engine_control.engine_control_filter_action
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.engine_control.vars
 #engine_control_filter
diff --git a/policies/gcp/discovery_engine/engine_control/engine_control_location/policy.rego b/policies/gcp/discovery_engine/engine_control/engine_control_location/policy.rego
index 006f5b32b..d01943486 100644
--- a/policies/gcp/discovery_engine/engine_control/engine_control_location/policy.rego
+++ b/policies/gcp/discovery_engine/engine_control/engine_control_location/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.engine_control.engine_control_location
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.engine_control.vars
 #engine_control_location
diff --git a/policies/gcp/discovery_engine/engine_control/engine_control_redirect_action/policy.rego b/policies/gcp/discovery_engine/engine_control/engine_control_redirect_action/policy.rego
index 63b96bfcb..689b95927 100644
--- a/policies/gcp/discovery_engine/engine_control/engine_control_redirect_action/policy.rego
+++ b/policies/gcp/discovery_engine/engine_control/engine_control_redirect_action/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.engine_control.engine_control_redirect_action
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.engine_control.vars
 #engine_control_redirect_action
diff --git a/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/policy.rego b/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/policy.rego
index 3c7dcd347..b0f79f86d 100644
--- a/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/policy.rego
+++ b/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.engine_sitemap.engine_sitemap_location
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.engine_sitemap.vars
 #engine_sitemap_location
diff --git a/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego b/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego
index 46eadeba4..018e84a89 100644
--- a/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego
+++ b/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.engine_sitemap.engine_sitemap_uri
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.engine_sitemap.vars
 #engine_sitemap_uri
diff --git a/policies/gcp/discovery_engine/license_config/license_config_auto_renew/policy.rego b/policies/gcp/discovery_engine/license_config/license_config_auto_renew/policy.rego
index 7a9531bcb..93061797d 100644
--- a/policies/gcp/discovery_engine/license_config/license_config_auto_renew/policy.rego
+++ b/policies/gcp/discovery_engine/license_config/license_config_auto_renew/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.license_config.license_config_auto_renew
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.license_config.vars
 #license_config_auto_renew
diff --git a/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego b/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego
index 893c4ced2..907391194 100644
--- a/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego
+++ b/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.license_config.license_config_location
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.license_config.vars
 #license_config_location
diff --git a/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego b/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego
index 727c57da5..acf0458af 100644
--- a/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego
+++ b/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego
@@ -1,5 +1,5 @@
 package terraform.gcp.security.discovery_engine.license_config.license_config_subscription_tier
-import data.terraform.gcp.helpers
+import data.terraform.helpers
 import data.terraform.gcp.security.discovery_engine.license_config.vars
 #license_config_subscription_tier
From f89d0cd8e4fdf769ff5dbeef4d103105d0b33d56 Mon Sep 17 00:00:00 2001
From: LegendaryMercury
Date: Wed, 14 Jan 2026 18:56:49 +1100
Subject: [PATCH 14/20] File name fix
---
 .../{engine_sitemap_url => engine_sitemap_uri}/policy.rego | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename policies/gcp/discovery_engine/engine_sitemap/{engine_sitemap_url => engine_sitemap_uri}/policy.rego (100%)
diff --git a/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego b/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/policy.rego
similarity index 100%
rename from policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_url/policy.rego
rename to policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_uri/policy.rego
From 67e2def92ffe70de729df748bfca8f80afcda580 Mon Sep 17 00:00:00 2001
From: LegendaryMercury
Date: Wed, 14 Jan 2026 20:17:33 +1100
Subject: [PATCH 15/20] Fix 2
---
 .../google_discovery_engine_data_connector/policy.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego b/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego
index 9a2b0dd4b..17f206e34 100644
--- a/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego
+++ b/policies/gcp/discovery_engine/data_connector/google_discovery_engine_data_connector/policy.rego
@@ -12,7 +12,7 @@ conditions := [
 },
 {
 "condition": "parms is misconfigured",
- "attribute_path": ["params",0, "auth_type"],
+ "attribute_path": ["params", "auth_type"],
 "values": ["OAUTH_PASSWORD_GRANT"],
 "policy_type": "whitelist"
 }
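Review bot: The `condition` text on the line directly above the changed `attribute_path` still reads `"parms is misconfigured"`, and that string is what the policy reports to the user, so it should become `"condition": "params.auth_type is misconfigured",`. The allow-list on the line below only accepts `OAUTH_PASSWORD_GRANT`, which is the OAuth resource-owner password grant that the OAuth 2.0 Security BCP says should no longer be used; confirm this is the mechanism the organisation wants mandated rather than the one it wants kept out, and record that rationale in the `situation_description` above the hunk. Dropping the `0` index treats `params` as a map rather than a list of blocks; the visible tests show a null attribute being reported as a violation, so a fixture with `auth_type` absent would confirm the new path resolves as intended rather than failing silently. The enclosing `conditions` array starts and ends outside the hunk.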
From b5c242cff212e3a3bc851603587c41be879353bd Mon Sep 17 00:00:00 2001
From: LegendaryMercury
Date: Thu, 22 Jan 2026 14:14:20 +1100
Subject: [PATCH 16/20] Fixes 1 Fixed some issues.
---
 .../data_connector/data_connector_data_source/policy.rego | 2 +-
 .../data_connector/data_connector_location/policy.rego | 4 ++--
 .../engine_assistant/engine_assistant_location/policy.rego | 6 +++---
 .../engine_control/engine_control_location/policy.rego | 6 +++---
 .../engine_schema/engine_schema_location/policy.rego | 4 ++--
 .../engine_sitemap/engine_sitemap_location/policy.rego | 6 +++---
 .../license_config/license_config_location/policy.rego | 4 ++--
 .../license_config_subscription_tier/policy.rego | 2 +-
 8 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego
index 97f8a2ff8..5acd2427c 100644
--- a/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego
+++ b/policies/gcp/discovery_engine/data_connector/data_connector_data_source/policy.rego
@@ -13,7 +13,7 @@ conditions := [
 {
 "condition": "data source is set to c-datasource",
 "attribute_path": ["data_source"],
- "values": ["c-datasource"],
+ "values": ["c-datasource", "salesforce", "jira"", "confluence", "bigquery"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego b/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego
index 960d42281..413551bf8 100644
--- a/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego
+++ b/policies/gcp/discovery_engine/data_connector/data_connector_location/policy.rego
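Review bot: The added `values` line contains a doubled quote in `"jira""`, which is a Rego parse error; the whole module fails to load, so every rule in this file is lost rather than just this entry, and the line should read `"values": ["c-datasource", "salesforce", "jira", "confluence", "bigquery"],`. `c-datasource` also looks like the compliant fixture's placeholder rather than a real connector source; keeping it in the allow-list means any resource that uses that literal passes the check, so if it exists only to satisfy the `c` test resource, point the fixture at one of the real values and drop it here. The `condition` text two lines above still says `"data source is set to c-datasource"` and should describe the allow-list instead. The enclosing `conditions` array starts outside the hunk.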
@@ -11,9 +11,9 @@ conditions := [
 "remedies": ["Ensure that it is set to the correct location"]
 },
 {
- "condition": "location is set to eu",
+ "condition": "location is set to a valid location",
 "attribute_path": ["location"],
- "values": ["eu"],
+ "values": ["eu", "us", "global"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/discovery_engine/engine_assistant/engine_assistant_location/policy.rego b/policies/gcp/discovery_engine/engine_assistant/engine_assistant_location/policy.rego
index f29ad252f..ab15a1fbe 100644
--- a/policies/gcp/discovery_engine/engine_assistant/engine_assistant_location/policy.rego
+++ b/policies/gcp/discovery_engine/engine_assistant/engine_assistant_location/policy.rego
@@ -7,13 +7,13 @@ import data.terraform.gcp.security.discovery_engine.engine_assistant.vars
 conditions := [
 [
 {
- "situation_description": "Is location set to eu?",
- "remedies": ["Ensure that it is set to eu"]
+ "situation_description": "Is location set to a valid location?",
+ "remedies": ["Ensure that it is set to a valid location"]
 },
 {
 "condition": "location is mis-configured",
 "attribute_path": ["location"],
- "values": ["eu"],
+ "values": ["eu", "us", "global"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/discovery_engine/engine_control/engine_control_location/policy.rego b/policies/gcp/discovery_engine/engine_control/engine_control_location/policy.rego
index d01943486..3946cbe30 100644
--- a/policies/gcp/discovery_engine/engine_control/engine_control_location/policy.rego
+++ b/policies/gcp/discovery_engine/engine_control/engine_control_location/policy.rego
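Review bot: Adding `global` to the `values` allow-list removes the regional pinning this control used to provide, since a `global` location does not confine the resource to `eu` or `us` the way the previous single value did; if the check exists for data residency, the widened list defeats it, and the new `condition`/`remedies` wording ("a valid location") no longer tells the reader which locations are permitted or why. The same three-element list is now copied verbatim into data_connector_location, engine_assistant_location, engine_control_location, engine_schema_location, engine_sitemap_location and license_config_location; each of those modules already imports its `vars`, so a single shared list there (e.g. `"values": vars.allowed_locations,`, name illustrative) would stop the copies drifting apart. Each `conditions` array starts outside its hunk.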
@@ -7,13 +7,13 @@ import data.terraform.gcp.security.discovery_engine.engine_control.vars
 conditions := [
 [
 {
- "situation_description": "Is location set to eu?",
- "remedies": ["Ensure that it is set to eu"]
+ "situation_description": "Is location set to a valid location?",
+ "remedies": ["Ensure that it is set to a valid location"]
 },
 {
 "condition": "location is mis-configured",
 "attribute_path": ["location"],
- "values": ["eu"],
+ "values": ["eu", "us", "global"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/discovery_engine/engine_schema/engine_schema_location/policy.rego b/policies/gcp/discovery_engine/engine_schema/engine_schema_location/policy.rego
index 166cdcf60..bc3d45bda 100644
--- a/policies/gcp/discovery_engine/engine_schema/engine_schema_location/policy.rego
+++ b/policies/gcp/discovery_engine/engine_schema/engine_schema_location/policy.rego
@@ -8,12 +8,12 @@ conditions := [
 [
 {
 "situation_description": "Location is set to the wrong place",
- "remedies": ["Ensure Location is set to eu"]
+ "remedies": ["Ensure Location is set to a valid location"]
 },
 {
 "condition": "Location is mis-configured",
 "attribute_path": ["location"],
- "values": ["eu"],
+ "values": ["eu", "us", "global"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/policy.rego b/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/policy.rego
index b0f79f86d..2e0ca101c 100644
--- a/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/policy.rego
+++ b/policies/gcp/discovery_engine/engine_sitemap/engine_sitemap_location/policy.rego
@@ -7,13 +7,13 @@ import data.terraform.gcp.security.discovery_engine.engine_sitemap.vars
 conditions := [
 [
 {
- "situation_description": "Is engine_sitemap_location set to eu?",
- "remedies": ["Ensure that it is set to eu"]
+ "situation_description": "Is engine_sitemap_location set to a valid location?",
+ "remedies": ["Ensure that it is set to a valid location"]
 },
 {
 "condition": "engine_sitemap_location is mis-configured",
 "attribute_path": ["location"],
- "values": ["eu"],
+ "values": ["eu", "us", "global"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego b/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego
index 907391194..344bd65f5 100644
--- a/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego
+++ b/policies/gcp/discovery_engine/license_config/license_config_location/policy.rego
@@ -8,12 +8,12 @@ conditions := [
 [
 {
 "situation_description": "Is license_config_location configured correctly",
- "remedies": ["Ensure that it is set to eu"]
+ "remedies": ["Ensure that it is set to a valid location"]
 },
 {
 "condition": "license_config_location is mis-configured",
 "attribute_path": ["location"],
- "values": ["eu"],
+ "values": ["eu", "us", "global"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego b/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego
index acf0458af..cb837d965 100644
--- a/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego
+++ b/policies/gcp/discovery_engine/license_config/license_config_subscription_tier/policy.rego
@@ -11,7 +11,7 @@ conditions := [
 "remedies": ["Ensure that it is set to SUBSCRIPTION_TIER_ENTERPRISE"]
 },
 {
- "condition": "search_engine_industry_vertical is mis-configured",
+ "condition": "license_config_subscription_tier is mis-configured",
 "attribute_path": ["subscription_tier"],
 "values": ["SUBSCRIPTION_TIER_ENTERPRISE"],
 "policy_type": "whitelist"
From 94b776000aea8529e9a450b8088b87960d36f3fc Mon Sep 17 00:00:00 2001
From: LegendaryMercury
Date: Wed, 28 Jan 2026 15:57:37 +1100
Subject: [PATCH 17/20] changes misc changes
---
 .../engine_assistant_location/plan.json | Bin 64710 -> 31314 bytes
 .../data_connector_data_source/policy.rego | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/plan.json b/inputs/gcp/discovery_engine/engine_assistant/engine_assistant_location/plan.json index 34af6c1d09fba985b01f014902b4056037c93cc4..3e8913b16948b2e9640d8d0436a15bbe855ed77e 100644 GIT binary patch literal 31314 zcmeHQU2hyU6!kL_|DoDv5<(Fa`c~SgR04`x5Q3^&rTHR|ZlX=vQlb8J;2fXa+B0Ks zJlWYH+gMe1vojw1`ucwR`p&=q{Ou<0z@50cd+B!ExtqGzZXdtS+!3zMaQ80$f95vb zZG3-%|L6Yx9IfrS{4<~7sqo~fJH}Hp{M&bXexw~-d4*qRejLIw$EYVBj+gk}!`)-t zCltENwkNnccf0SOd*<)$p!FWEvxWMbxI^FDq3>ggyGOXQi))(WTfndnXby3mFiim+ zpJl6a59v9e-^J*hx8M;h{Kc8<;91VaF!R=(;G4&d-?&01X zus7Qg51bcgGIwt=kM6o{;{J*I)cuYT&hUBUaWlspK5bx5a1e99qgT#6wc=YIORsUa zy{28PPCeYhlg)_ha_m=X7qE)@;&zsLn< z^8&pEYCOg4NY!T;NA#msN5I7l&l97fp&j%y2ZV%j_o6K!JND0tR>(`l*A(9|RXlZ% z-1qKB_nq6uy{GOc_XJmda1Zh8dv_1N@4Ig==qZLsxFW}$;O;y3yg`%4czOpgkw!UR z;${YH5q3WL4DIb1;*o2~8Jzk#1U|oqJ5Bn({Bvj(?87x}$0RnmkDg*X;M*U+C>6dZkR*!2iIz8<>spA$gMg%+(B()Wr!UN}H-A zp$p5WLGc){6 zp5)BmpsyEz{t&RR%?!BX{10)hN#nnOw!gvEhoJ4p?q^W!tDbyk$n+Cf{CG8!a~aQ?y^@4Rx(>aksA1uAaf#>v}K~ zSdou${XRZ_fS0uGKZQT~G8}_X(+?_xh5DuGwWU@l*2iuC!`g2|^c4Fci@l?^H$<8= zKZ5ZM`AjxOpjgd$&)fg6yu~hziCz>HA@*gN=kU$@jIL-@`fiGe$fu=^E&cn@V|v?r zsrN4=?VlL+3{U(C7~5W7>@lPz_C7|vs>D9SnDkodhc}}E&FDm+h!DkUt~H}bj8mBZ z6nq%-{U`9wAHzHO8PxX3Q{5DQnfLM(cnSWBXqbI5Qj_waXt~pSEc0keX}HTL^z=E> zvh;B|egZz}m2!T;<0bW8Jql+u-;~qAZeF!-k{UlHsRKk+R>#q%DytcLBo9ZWx^?Pj|v<5|{u7*bMuJ?-mLZ}r4+*4WY-GLpny6KdEQtgM{%n9`84l!Nuu z$67Xx-GuE%^q>0@aqC;~2W+2=_D@WSi){F~U2MA_pa*&svc$X5@O8DHV_z(u zdupv|&oy~V`x#SD9bKF>+tM259*q2m*j}a`{RsB+6Hpj;!0ut~9(Zf|0a{x;VmND> zR6GPt#}=^;?1pk_(TeZEMhax3^16=E6HCG8-C9q`KauJLw zfv;{=3?+drV!?bPMk+!^5%nPRVQ9zl4p+S97mbl$6yu#(S2QVPRoGfgutHol#d{|g z@vaxRqI@*vU&YojGu0RymMx-w+j%arjc9svNUOSLB-MKv6pC++xN-h%pAIr?szSX|pcZl~g?K(Z433A7Rgx0QLGq;Nv4Emi<#Mq{f(QQvz zep4{cJ(eMT$8J{cm_B27^y}s;ULSiTc+AxzsX5Z(lQ`BB+pg`XYuql5Z}!PmZSS?O zcaHRjl`$6U$ZC;PizGhj(TB&cnvXuDMUvW88gCadHG0Y>vFO0~(d%(7lCmti)V|Sk zZ|^J0S2Ox_GN@+srB5BLdq&^o`gi$UzBt~=JVj+0(qA?Yo8EHUN^53BrZnTSc_*np 
zQ~p1p>zhxw%80@8E3z!+`eI{P&p)N<#`OJDF^>KhzVP&><%{^vD4_Eh5apzihWq3JZC zBoWslUDLCy*KQ@weBDn$zo@oN*_g3bDXk8wvE!V!CJ&HzcygEDwA;f8o~8^fsRf+( z5*WGL^ds0=cY}gl9P{<^i|A|8#4`{W2MTl=&OI&nj&j~eqt zs`^k_uZjl=>)lgu!-+VASL zG2;N;(Nns8k^g_4w7cNcDyDR?$tc;Ef_#y+(3T;oK20(Vc?N^$N=hnjmvBba@8Zj< z-@CQ`7wLEM(l{DkTw8T~-fLNnj@K!Gs^hKhBP&MQdjN*j@u{7PP4Jg=?W${&q()C^ zd4p$h#AZ1UUOG3Q5nZCua<%nL@6#UB$@qSiP)o*cYts~N`&t?8^Geods-~*uxV-0i z_1rN*P*(e?1fvtY|A3WjLw!|^aJ_w(%d%HXX8sKP->1H+MIy)bPmCJZxe}?Qj-u36 ze(4=OCP{Mn2eg_?s8})ExI({COqE~lx6_p3lesurpH;(qF(xHoY|C@=A@61z_IC)?gU+U2da@|+Awjr{JwYE8iK(w+AXWf_jjrXOB>qif;i4JH@n9wW}4XLSAimE3X|n zgDwOdg?@4BIg6`^UWbD*zXH8`6b?kx`lT%Z{Y9SsHeS!D|hjE2cKWy4WGZEwbqdtzQ=fH&km^G-m4s+ hA*Y38?^h*HaFqByGb{M^Px6P}${NQ6KXxCv{{Y3x7-j$f literal 64710 zcmeHQS#KOS66SM&{SQJvNAeLkj{WA?f?^=H0v`ynf+5Jdtc@;=q;-tIe?7bPu~g>K zWH;IDp3z8zVR3p6Hd!pz@l~<=smk9wOvKcW%s(tErPUx*g_M3qB&AGFz~UM}b#zICZ7c1aZ7ZLN%dcmKMf z^#-+sQn&{Fcj!)70e_|a-}~1MjpmCwxB4reSN<3<{u65qL+El&D+KBvY3j^~;(o7K zL97Q>U`DfEqZWI{-UVy)`I)+>KGBFS=@qaDXjrvG5FtYTV_yxRqLDUhsQ#MYy zleFWETY8hWp*23Fc|bcs@)Y-=)aIKm-MPV#^G|; zwSSJz4W8+9p<``S^u{C{2 znvg9zLowL&!?;3dBW*)#{Y9@gtPyD9Q++j~yBZBGJ8(t)tvw00f?0xNpF(nPXY|DW z%9+-2Gn&ha`bz(oYkwb;gxa<9T^1L3aA9Z_Q z{S@%!WL5iGSo%lW0)pRkNh`;9I@MO!@j%{c)Mpy^N8*G-J&P;i49FmOK5dQrJ89aV z>HQ7Tw43TZ>Dm|HH10d~2kByH;tl$2lm3ccUMH#a=2{o$?AfoGbHcuW?0}30t>DSQ zQXk94-X%&y%H9q;6mo%g@K{nwJlor67o_VXk+!)Knpa|oOiiI! 
zIp^_d+B7&YaZ$>mrGcI6Hq_=ZoW;$QtD6w~WllwBf6=r!Chj9bscmV8oR36Tyod6C0QN&?|B$ zd47oabN(Uc*&uQyNcM*2yLFx8^1Q&7{*z{SLHGHSXxPp$D2*n@?Eih5kavPSa3|E=I&p5Zx zzLaw-(k#0u-p()6B(7`1yE+GL_2-v|sQJH^YqmE{6pqi6ZEHz14v)&6r1kFzR2=65 z1y{3?ZXn<<3Hg3QQV}PCpV97rp>gmR^!*a*rJVI>n2pMp`TxuAA7g+;B23>dJVGr)oW_3jfKXk7V5QB*o|RvJ%*CYp*I4?Jc2Tt*ao?$G>EuyWC?Rdy z$*wNxDLwVIW#jaFUwqBRn^;KzGHu!#jjmSoSEcXzLt;*BtRJJBrmGZ?H^bZ+@%ipW zR0P1C?ReoLYAw#U0zl3w%OMi3OrkL-0HK#E!c(5~hdsXBH58}bmt&sf5!-UA8i{>p zRq`S|H?bz7?{CF5g0V8UX(yf1i6&HX{!D*!Y-s6!*)28WMd$H=%wO8uplRn_#W0WJ zuwbRaFzWl`85FraxYd%SmlR!=zQ1fgkWVJN6-RlOnMiZm9Bl6}-fNzQt$UYuZ{54V z3HoY8=T{)@wm`z4#`ak^XHSU$rsN?Q4&vR7>zt>y+zbpbZKgLX>liYuqJUzB;M7MO z#dcA^lvOtUiG&PgDZBknk=MNJ8Y;!I@M-N|cS}D1+kMv+2MkfD;(+DPWC`o@5Vi4M z#Q}3 zFIM7W326wJ8DGT#IZLGCfL!ml?p?Dt=8fT}Sh3v}Nchv39_#jo$HD>S?16pKc{y?c zLnH4yX;iZTZ)Y~(JZpggsYA_y>Fea;PV=vi3$Jr=b#eQ1k>*to7bC$F9OhF87ii^t z>fbh$2Qhx#+i}kmP468qroJt5trlOit1m|=&C*HpWybfu=Ua`-m%&n#fTN$1SCK{w zW4rnhB)6t=xz{&u$u&*3N-kB?_Lj*=8ytV0cywD{bm&e0PiH$El*CS+!=KFYQbFJAPA{*MRE7@50 zl0=NYiA(S=Gy%`Y9*X%j0OxBA#MWy}a_X7S+oWSs82RZBdtd zrQtIPxte1-%RX%+t}Rr(Jexn~&6Csd!m@dJ@#=fa5zUK_Ki}W$ul^wTa;@-T?_PQB zO1MRNd*f9fg zNVA~I_}G=|W7oLsmZsrPWBk#rzc^03cU{v`EKFq1pV7ZVdIAu*mg`3$V#3et#?!Rj zImhXdR{wtSvB>xg@;%fVkz7$+3*F9eT)rxl)khWWW4F~utv;&F53$!ZM#(YCJWDgh z7W66Jt>gV~``5nbSbbDbsQRb}l(T+#T}y9k06lEoAMq;gxr1kd0*^W(ud}!yNOyf?Y%yd3BLhlsNn_@x)nNvB+Ccx)jN4Dq z5bR+q_)HENi?rRVDc_QIER>^Nkt`+pE~AjP6zh15kJ)v{*(@^@^mC4u-Ua>DV%mWyjCBRrVLU1t1k{;(^{afJz%OxVjfn}NN9QyRy# z`(@`q4gxEQ?K`<&tYtac6%S7ziGPv_qxX9*9qUxj#}N7qTTS`3w8)ykik;Fr?a`{) z&sz|_Nt0dDV_!SYxc$4N*Ud}i65C1{%Cr6`{cEm6dPzIu6Vcv%(tYYU8+u;yOZ7_q zrhcX8C-c*j-_Sd+)dpR?QqSmV%Fop=MSIU5w|@;8=Rc<-ef-e&XV>FPvC;gy$F9SA zKlbg|`yY}tckI{0#^BqKvEKdn;YmXB!$&=$HSz6CvHQ7}a9mP9yVf2?p0Ci;xWhe{ zNc8R}c%*ZX9gW;mt2FNe{TCy?q*v|vlu36tN@P519x=2p@^8>0W`a?$cHh#Tmu*Rx zMxl1eMh=bU`w8v@ntdqJ;OW(GO60&e8iw~0v_SXsOwzd&>r}#b?cKhJXP~6dm*qO_ zi`n(OAuGT`C96Aci5jk-m`;U#;-8XL7yrS{H%q_&WA%f2q@JjU>aqG!xA)agbX7K{ 
z&m?s|l6`SVYm4k9Q~^OPki!By=6AARex~1Vs5fd;y(bIi#Wy?Vo%(|;9N0Hq6&S%^ zIlPr?*CD0=TWw$0kB5%~DKCB&%lP|ABS^h-o-CUZ5lD&twiOtGnOs&$W?V zZ#hMmwtd-DEKA1H#sr2@rhRhTM)&RxD!|k$u_8m>`!Ix};sS=tD=rYmu_`VgJksA* zTp&iHJUc~tski{gU{Z06yNe4ztIi7<5Di|j0mOHA$OjU8H{DCC*uY)H2KX5aCAKen z5fvM#*nrpwv34wMAao98jkHa^AAQrXfzZtIXXWR)457@jV*`w2bk&+p*Nm?T3*4p% z<|g5R?+5|J-!kmd&EQO}*(3QsX}0GWUSd~XXx?a$+5Z<=CMOgVL@v`Rp|yM}a#csj z&UCD5l@MIiL@m)rV@34*2p(sNU6Gu*BpVBnHN^R37WkCsP&WG1YS!u8yP-LDoe=Gp z#KUEytC5JdZcC|JmbzM7#QDgk*rZH~_atRrYMHZ5uO#;HmR9o_t)=8su*Xv)4&^5; zWhc8&^kC02HwW%+*cHQQQ!NYe%^R{Ls%2sCw_!1pYFV_klK)P61)Wq~)leK9ws5s9 zptGmRapy$yrYGy4i8K*3v#?D9$ z-50xQ?VCp)vMYw=q{i+AU%D*fG!|BoUNf)+SqWwN=0!t&OU>?a4D6@k6Kz@JS0S)z zKE`=fxnpWRp?v?YWHQFJV_F3#p_jBb@04SFhUNPI?qUr7X~1E=@$~tGA?>(03jq8w zKO2C#vswYw3J~dx_GX@!h)e0)Vg+Xg5g>Uh*t9R{&1!oF-ttX@`%o! zT+u80WL@a~-H1cGS_4N_^G_9oq%i!UJ`IeV41Y#E21blR{fZ`voul&UD0^dGw1{(h zn#I*e6W4;4h;@v^!m*=y(IT{d<4_^g^D=Wr`CiH63tL+FS=HuA!+ic3SrZ}|9;*9v zcJ2}79z39btMvK_#fNdC?x}wLl-~VO{kygE!PTg{c}$f)c1U`eiZbD+@iGo2`5KUP ZJc8J_aSjb9@i;SrziV<(Fk6 Date: Wed, 28 Jan 2026 18:24:09 +1100 Subject: [PATCH 18/20] changes --- uv.lock | 617 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 617 insertions(+) create mode 100644 uv.lock diff --git a/uv.lock b/uv.lock new file mode 100644 index 000000000..dbd16a6f2 --- /dev/null +++ b/uv.lock 
@@ -0,0 +1,617 @@ +version = 1 +revision = 3 +requires-python = ">=3.11" + +[[package]] +name = "annotated-types" +version = "0.7.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/ee/67/531ea369ba64dcff5ec9c3402f9f51bf748cec26dde048a2f973a4eea7f5/annotated_types-0.7.0.tar.gz", hash = "sha256:aff07c09a53a08bc8cfccb9c85b05f1aa9a2a6f23728d790723543408344ce89", size = 16081, upload-time = "2024-05-20T21:33:25.928Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/78/b6/6307fbef88d9b5ee7421e68d78a9f162e0da4900bc5f5793f6d3d0e34fb8/annotated_types-0.7.0-py3-none-any.whl", hash = "sha256:1f02e8b43a8fbbc3f3e0d4f0f4bfc8131bcb4eebe8849b8e5c773f3a1c582a53", size = 13643, upload-time = "2024-05-20T21:33:24.1Z" }, +] + +[[package]] +name = "attrs" +version = "25.4.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/6b/5c/685e6633917e101e5dcb62b9dd76946cbb57c26e133bae9e0cd36033c0a9/attrs-25.4.0.tar.gz", hash = "sha256:16d5969b87f0859ef33a48b35d55ac1be6e42ae49d5e853b597db70c35c57e11", size = 934251, upload-time = "2025-10-06T13:54:44.725Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/3a/2a/7cc015f5b9f5db42b7d48157e23356022889fc354a2813c15934b7cb5c0e/attrs-25.4.0-py3-none-any.whl", hash = "sha256:adcf7e2a1fb3b36ac48d97835bb6d8ade15b8dcce26aba8bf1d14847b57a3373", size = 67615, upload-time = "2025-10-06T13:54:43.17Z" }, +] + +[[package]] +name = "colorama" +version = "0.4.6" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44", size = 27697, upload-time = "2022-10-25T02:36:22.414Z" } +wheels = [ + { url = 
"https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" }, +] + +[[package]] +name = "coverage" +version = "7.13.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/ad/49/349848445b0e53660e258acbcc9b0d014895b6739237920886672240f84b/coverage-7.13.2.tar.gz", hash = "sha256:044c6951ec37146b72a50cc81ef02217d27d4c3640efd2640311393cbbf143d3", size = 826523, upload-time = "2026-01-25T13:00:04.889Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/6c/01/abca50583a8975bb6e1c59eff67ed8e48bb127c07dad5c28d9e96ccc09ec/coverage-7.13.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:060ebf6f2c51aff5ba38e1f43a2095e087389b1c69d559fde6049a4b0001320e", size = 218971, upload-time = "2026-01-25T12:57:36.953Z" }, + { url = "https://files.pythonhosted.org/packages/eb/0e/b6489f344d99cd1e5b4d5e1be52dfd3f8a3dc5112aa6c33948da8cabad4e/coverage-7.13.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:c1ea8ca9db5e7469cd364552985e15911548ea5b69c48a17291f0cac70484b2e", size = 219473, upload-time = "2026-01-25T12:57:38.934Z" }, + { url = "https://files.pythonhosted.org/packages/17/11/db2f414915a8e4ec53f60b17956c27f21fb68fcf20f8a455ce7c2ccec638/coverage-7.13.2-cp311-cp311-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:b780090d15fd58f07cf2011943e25a5f0c1c894384b13a216b6c86c8a8a7c508", size = 249896, upload-time = "2026-01-25T12:57:40.365Z" }, + { url = "https://files.pythonhosted.org/packages/80/06/0823fe93913663c017e508e8810c998c8ebd3ec2a5a85d2c3754297bdede/coverage-7.13.2-cp311-cp311-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:88a800258d83acb803c38175b4495d293656d5fac48659c953c18e5f539a274b", size = 251810, upload-time = 
"2026-01-25T12:57:42.045Z" }, + { url = "https://files.pythonhosted.org/packages/61/dc/b151c3cc41b28cdf7f0166c5fa1271cbc305a8ec0124cce4b04f74791a18/coverage-7.13.2-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6326e18e9a553e674d948536a04a80d850a5eeefe2aae2e6d7cf05d54046c01b", size = 253920, upload-time = "2026-01-25T12:57:44.026Z" }, + { url = "https://files.pythonhosted.org/packages/2d/35/e83de0556e54a4729a2b94ea816f74ce08732e81945024adee46851c2264/coverage-7.13.2-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:59562de3f797979e1ff07c587e2ac36ba60ca59d16c211eceaa579c266c5022f", size = 250025, upload-time = "2026-01-25T12:57:45.624Z" }, + { url = "https://files.pythonhosted.org/packages/39/67/af2eb9c3926ce3ea0d58a0d2516fcbdacf7a9fc9559fe63076beaf3f2596/coverage-7.13.2-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:27ba1ed6f66b0e2d61bfa78874dffd4f8c3a12f8e2b5410e515ab345ba7bc9c3", size = 251612, upload-time = "2026-01-25T12:57:47.713Z" }, + { url = "https://files.pythonhosted.org/packages/26/62/5be2e25f3d6c711d23b71296f8b44c978d4c8b4e5b26871abfc164297502/coverage-7.13.2-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:8be48da4d47cc68754ce643ea50b3234557cbefe47c2f120495e7bd0a2756f2b", size = 249670, upload-time = "2026-01-25T12:57:49.378Z" }, + { url = "https://files.pythonhosted.org/packages/b3/51/400d1b09a8344199f9b6a6fc1868005d766b7ea95e7882e494fa862ca69c/coverage-7.13.2-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:2a47a4223d3361b91176aedd9d4e05844ca67d7188456227b6bf5e436630c9a1", size = 249395, upload-time = "2026-01-25T12:57:50.86Z" }, + { url = "https://files.pythonhosted.org/packages/e0/36/f02234bc6e5230e2f0a63fd125d0a2093c73ef20fdf681c7af62a140e4e7/coverage-7.13.2-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:c6f141b468740197d6bd38f2b26ade124363228cc3f9858bd9924ab059e00059", size = 250298, upload-time = "2026-01-25T12:57:52.287Z" }, + { url = 
"https://files.pythonhosted.org/packages/b0/06/713110d3dd3151b93611c9cbfc65c15b4156b44f927fced49ac0b20b32a4/coverage-7.13.2-cp311-cp311-win32.whl", hash = "sha256:89567798404af067604246e01a49ef907d112edf2b75ef814b1364d5ce267031", size = 221485, upload-time = "2026-01-25T12:57:53.876Z" }, + { url = "https://files.pythonhosted.org/packages/16/0c/3ae6255fa1ebcb7dec19c9a59e85ef5f34566d1265c70af5b2fc981da834/coverage-7.13.2-cp311-cp311-win_amd64.whl", hash = "sha256:21dd57941804ae2ac7e921771a5e21bbf9aabec317a041d164853ad0a96ce31e", size = 222421, upload-time = "2026-01-25T12:57:55.433Z" }, + { url = "https://files.pythonhosted.org/packages/b5/37/fabc3179af4d61d89ea47bd04333fec735cd5e8b59baad44fed9fc4170d7/coverage-7.13.2-cp311-cp311-win_arm64.whl", hash = "sha256:10758e0586c134a0bafa28f2d37dd2cdb5e4a90de25c0fc0c77dabbad46eca28", size = 221088, upload-time = "2026-01-25T12:57:57.41Z" }, + { url = "https://files.pythonhosted.org/packages/46/39/e92a35f7800222d3f7b2cbb7bbc3b65672ae8d501cb31801b2d2bd7acdf1/coverage-7.13.2-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:f106b2af193f965d0d3234f3f83fc35278c7fb935dfbde56ae2da3dd2c03b84d", size = 219142, upload-time = "2026-01-25T12:58:00.448Z" }, + { url = "https://files.pythonhosted.org/packages/45/7a/8bf9e9309c4c996e65c52a7c5a112707ecdd9fbaf49e10b5a705a402bbb4/coverage-7.13.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:78f45d21dc4d5d6bd29323f0320089ef7eae16e4bef712dff79d184fa7330af3", size = 219503, upload-time = "2026-01-25T12:58:02.451Z" }, + { url = "https://files.pythonhosted.org/packages/87/93/17661e06b7b37580923f3f12406ac91d78aeed293fb6da0b69cc7957582f/coverage-7.13.2-cp312-cp312-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:fae91dfecd816444c74531a9c3d6ded17a504767e97aa674d44f638107265b99", size = 251006, upload-time = "2026-01-25T12:58:04.059Z" }, + { url = 
"https://files.pythonhosted.org/packages/12/f0/f9e59fb8c310171497f379e25db060abef9fa605e09d63157eebec102676/coverage-7.13.2-cp312-cp312-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:264657171406c114787b441484de620e03d8f7202f113d62fcd3d9688baa3e6f", size = 253750, upload-time = "2026-01-25T12:58:05.574Z" }, + { url = "https://files.pythonhosted.org/packages/e5/b1/1935e31add2232663cf7edd8269548b122a7d100047ff93475dbaaae673e/coverage-7.13.2-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ae47d8dcd3ded0155afbb59c62bd8ab07ea0fd4902e1c40567439e6db9dcaf2f", size = 254862, upload-time = "2026-01-25T12:58:07.647Z" }, + { url = "https://files.pythonhosted.org/packages/af/59/b5e97071ec13df5f45da2b3391b6cdbec78ba20757bc92580a5b3d5fa53c/coverage-7.13.2-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:8a0b33e9fd838220b007ce8f299114d406c1e8edb21336af4c97a26ecfd185aa", size = 251420, upload-time = "2026-01-25T12:58:09.309Z" }, + { url = "https://files.pythonhosted.org/packages/3f/75/9495932f87469d013dc515fb0ce1aac5fa97766f38f6b1a1deb1ee7b7f3a/coverage-7.13.2-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:b3becbea7f3ce9a2d4d430f223ec15888e4deb31395840a79e916368d6004cce", size = 252786, upload-time = "2026-01-25T12:58:10.909Z" }, + { url = "https://files.pythonhosted.org/packages/6a/59/af550721f0eb62f46f7b8cb7e6f1860592189267b1c411a4e3a057caacee/coverage-7.13.2-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:f819c727a6e6eeb8711e4ce63d78c620f69630a2e9d53bc95ca5379f57b6ba94", size = 250928, upload-time = "2026-01-25T12:58:12.449Z" }, + { url = "https://files.pythonhosted.org/packages/9b/b1/21b4445709aae500be4ab43bbcfb4e53dc0811c3396dcb11bf9f23fd0226/coverage-7.13.2-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:4f7b71757a3ab19f7ba286e04c181004c1d61be921795ee8ba6970fd0ec91da5", size = 250496, upload-time = "2026-01-25T12:58:14.047Z" }, + { url = 
"https://files.pythonhosted.org/packages/ba/b1/0f5d89dfe0392990e4f3980adbde3eb34885bc1effb2dc369e0bf385e389/coverage-7.13.2-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:b7fc50d2afd2e6b4f6f2f403b70103d280a8e0cb35320cbbe6debcda02a1030b", size = 252373, upload-time = "2026-01-25T12:58:15.976Z" }, + { url = "https://files.pythonhosted.org/packages/01/c9/0cf1a6a57a9968cc049a6b896693faa523c638a5314b1fc374eb2b2ac904/coverage-7.13.2-cp312-cp312-win32.whl", hash = "sha256:292250282cf9bcf206b543d7608bda17ca6fc151f4cbae949fc7e115112fbd41", size = 221696, upload-time = "2026-01-25T12:58:17.517Z" }, + { url = "https://files.pythonhosted.org/packages/4d/05/d7540bf983f09d32803911afed135524570f8c47bb394bf6206c1dc3a786/coverage-7.13.2-cp312-cp312-win_amd64.whl", hash = "sha256:eeea10169fac01549a7921d27a3e517194ae254b542102267bef7a93ed38c40e", size = 222504, upload-time = "2026-01-25T12:58:19.115Z" }, + { url = "https://files.pythonhosted.org/packages/15/8b/1a9f037a736ced0a12aacf6330cdaad5008081142a7070bc58b0f7930cbc/coverage-7.13.2-cp312-cp312-win_arm64.whl", hash = "sha256:2a5b567f0b635b592c917f96b9a9cb3dbd4c320d03f4bf94e9084e494f2e8894", size = 221120, upload-time = "2026-01-25T12:58:21.334Z" }, + { url = "https://files.pythonhosted.org/packages/a7/f0/3d3eac7568ab6096ff23791a526b0048a1ff3f49d0e236b2af6fb6558e88/coverage-7.13.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:ed75de7d1217cf3b99365d110975f83af0528c849ef5180a12fd91b5064df9d6", size = 219168, upload-time = "2026-01-25T12:58:23.376Z" }, + { url = "https://files.pythonhosted.org/packages/a3/a6/f8b5cfeddbab95fdef4dcd682d82e5dcff7a112ced57a959f89537ee9995/coverage-7.13.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:97e596de8fa9bada4d88fde64a3f4d37f1b6131e4faa32bad7808abc79887ddc", size = 219537, upload-time = "2026-01-25T12:58:24.932Z" }, + { url = 
"https://files.pythonhosted.org/packages/7b/e6/8d8e6e0c516c838229d1e41cadcec91745f4b1031d4db17ce0043a0423b4/coverage-7.13.2-cp313-cp313-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:68c86173562ed4413345410c9480a8d64864ac5e54a5cda236748031e094229f", size = 250528, upload-time = "2026-01-25T12:58:26.567Z" }, + { url = "https://files.pythonhosted.org/packages/8e/78/befa6640f74092b86961f957f26504c8fba3d7da57cc2ab7407391870495/coverage-7.13.2-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:7be4d613638d678b2b3773b8f687537b284d7074695a43fe2fbbfc0e31ceaed1", size = 253132, upload-time = "2026-01-25T12:58:28.251Z" }, + { url = "https://files.pythonhosted.org/packages/9d/10/1630db1edd8ce675124a2ee0f7becc603d2bb7b345c2387b4b95c6907094/coverage-7.13.2-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d7f63ce526a96acd0e16c4af8b50b64334239550402fb1607ce6a584a6d62ce9", size = 254374, upload-time = "2026-01-25T12:58:30.294Z" }, + { url = "https://files.pythonhosted.org/packages/ed/1d/0d9381647b1e8e6d310ac4140be9c428a0277330991e0c35bdd751e338a4/coverage-7.13.2-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:406821f37f864f968e29ac14c3fccae0fec9fdeba48327f0341decf4daf92d7c", size = 250762, upload-time = "2026-01-25T12:58:32.036Z" }, + { url = "https://files.pythonhosted.org/packages/43/e4/5636dfc9a7c871ee8776af83ee33b4c26bc508ad6cee1e89b6419a366582/coverage-7.13.2-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:ee68e5a4e3e5443623406b905db447dceddffee0dceb39f4e0cd9ec2a35004b5", size = 252502, upload-time = "2026-01-25T12:58:33.961Z" }, + { url = "https://files.pythonhosted.org/packages/02/2a/7ff2884d79d420cbb2d12fed6fff727b6d0ef27253140d3cdbbd03187ee0/coverage-7.13.2-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:2ee0e58cca0c17dd9c6c1cdde02bb705c7b3fbfa5f3b0b5afeda20d4ebff8ef4", size = 250463, upload-time = 
"2026-01-25T12:58:35.529Z" }, + { url = "https://files.pythonhosted.org/packages/91/c0/ba51087db645b6c7261570400fc62c89a16278763f36ba618dc8657a187b/coverage-7.13.2-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:6e5bbb5018bf76a56aabdb64246b5288d5ae1b7d0dd4d0534fe86df2c2992d1c", size = 250288, upload-time = "2026-01-25T12:58:37.226Z" }, + { url = "https://files.pythonhosted.org/packages/03/07/44e6f428551c4d9faf63ebcefe49b30e5c89d1be96f6a3abd86a52da9d15/coverage-7.13.2-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:a55516c68ef3e08e134e818d5e308ffa6b1337cc8b092b69b24287bf07d38e31", size = 252063, upload-time = "2026-01-25T12:58:38.821Z" }, + { url = "https://files.pythonhosted.org/packages/c2/67/35b730ad7e1859dd57e834d1bc06080d22d2f87457d53f692fce3f24a5a9/coverage-7.13.2-cp313-cp313-win32.whl", hash = "sha256:5b20211c47a8abf4abc3319d8ce2464864fa9f30c5fcaf958a3eed92f4f1fef8", size = 221716, upload-time = "2026-01-25T12:58:40.484Z" }, + { url = "https://files.pythonhosted.org/packages/0d/82/e5fcf5a97c72f45fc14829237a6550bf49d0ab882ac90e04b12a69db76b4/coverage-7.13.2-cp313-cp313-win_amd64.whl", hash = "sha256:14f500232e521201cf031549fb1ebdfc0a40f401cf519157f76c397e586c3beb", size = 222522, upload-time = "2026-01-25T12:58:43.247Z" }, + { url = "https://files.pythonhosted.org/packages/b1/f1/25d7b2f946d239dd2d6644ca2cc060d24f97551e2af13b6c24c722ae5f97/coverage-7.13.2-cp313-cp313-win_arm64.whl", hash = "sha256:9779310cb5a9778a60c899f075a8514c89fa6d10131445c2207fc893e0b14557", size = 221145, upload-time = "2026-01-25T12:58:45Z" }, + { url = "https://files.pythonhosted.org/packages/9e/f7/080376c029c8f76fadfe43911d0daffa0cbdc9f9418a0eead70c56fb7f4b/coverage-7.13.2-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:e64fa5a1e41ce5df6b547cbc3d3699381c9e2c2c369c67837e716ed0f549d48e", size = 219861, upload-time = "2026-01-25T12:58:46.586Z" }, + { url = 
"https://files.pythonhosted.org/packages/42/11/0b5e315af5ab35f4c4a70e64d3314e4eec25eefc6dec13be3a7d5ffe8ac5/coverage-7.13.2-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:b01899e82a04085b6561eb233fd688474f57455e8ad35cd82286463ba06332b7", size = 220207, upload-time = "2026-01-25T12:58:48.277Z" }, + { url = "https://files.pythonhosted.org/packages/b2/0c/0874d0318fb1062117acbef06a09cf8b63f3060c22265adaad24b36306b7/coverage-7.13.2-cp313-cp313t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:838943bea48be0e2768b0cf7819544cdedc1bbb2f28427eabb6eb8c9eb2285d3", size = 261504, upload-time = "2026-01-25T12:58:49.904Z" }, + { url = "https://files.pythonhosted.org/packages/83/5e/1cd72c22ecb30751e43a72f40ba50fcef1b7e93e3ea823bd9feda8e51f9a/coverage-7.13.2-cp313-cp313t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:93d1d25ec2b27e90bcfef7012992d1f5121b51161b8bffcda756a816cf13c2c3", size = 263582, upload-time = "2026-01-25T12:58:51.582Z" }, + { url = "https://files.pythonhosted.org/packages/9b/da/8acf356707c7a42df4d0657020308e23e5a07397e81492640c186268497c/coverage-7.13.2-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:93b57142f9621b0d12349c43fc7741fe578e4bc914c1e5a54142856cfc0bf421", size = 266008, upload-time = "2026-01-25T12:58:53.234Z" }, + { url = "https://files.pythonhosted.org/packages/41/41/ea1730af99960309423c6ea8d6a4f1fa5564b2d97bd1d29dda4b42611f04/coverage-7.13.2-cp313-cp313t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:f06799ae1bdfff7ccb8665d75f8291c69110ba9585253de254688aa8a1ccc6c5", size = 260762, upload-time = "2026-01-25T12:58:55.372Z" }, + { url = "https://files.pythonhosted.org/packages/22/fa/02884d2080ba71db64fdc127b311db60e01fe6ba797d9c8363725e39f4d5/coverage-7.13.2-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:7f9405ab4f81d490811b1d91c7a20361135a2df4c170e7f0b747a794da5b7f23", size = 263571, upload-time = 
"2026-01-25T12:58:57.52Z" }, + { url = "https://files.pythonhosted.org/packages/d2/6b/4083aaaeba9b3112f55ac57c2ce7001dc4d8fa3fcc228a39f09cc84ede27/coverage-7.13.2-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:f9ab1d5b86f8fbc97a5b3cd6280a3fd85fef3b028689d8a2c00918f0d82c728c", size = 261200, upload-time = "2026-01-25T12:58:59.255Z" }, + { url = "https://files.pythonhosted.org/packages/e9/d2/aea92fa36d61955e8c416ede9cf9bf142aa196f3aea214bb67f85235a050/coverage-7.13.2-cp313-cp313t-musllinux_1_2_riscv64.whl", hash = "sha256:f674f59712d67e841525b99e5e2b595250e39b529c3bda14764e4f625a3fa01f", size = 260095, upload-time = "2026-01-25T12:59:01.066Z" }, + { url = "https://files.pythonhosted.org/packages/0d/ae/04ffe96a80f107ea21b22b2367175c621da920063260a1c22f9452fd7866/coverage-7.13.2-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:c6cadac7b8ace1ba9144feb1ae3cb787a6065ba6d23ffc59a934b16406c26573", size = 262284, upload-time = "2026-01-25T12:59:02.802Z" }, + { url = "https://files.pythonhosted.org/packages/1c/7a/6f354dcd7dfc41297791d6fb4e0d618acb55810bde2c1fd14b3939e05c2b/coverage-7.13.2-cp313-cp313t-win32.whl", hash = "sha256:14ae4146465f8e6e6253eba0cccd57423e598a4cb925958b240c805300918343", size = 222389, upload-time = "2026-01-25T12:59:04.563Z" }, + { url = "https://files.pythonhosted.org/packages/8d/d5/080ad292a4a3d3daf411574be0a1f56d6dee2c4fdf6b005342be9fac807f/coverage-7.13.2-cp313-cp313t-win_amd64.whl", hash = "sha256:9074896edd705a05769e3de0eac0a8388484b503b68863dd06d5e473f874fd47", size = 223450, upload-time = "2026-01-25T12:59:06.677Z" }, + { url = "https://files.pythonhosted.org/packages/88/96/df576fbacc522e9fb8d1c4b7a7fc62eb734be56e2cba1d88d2eabe08ea3f/coverage-7.13.2-cp313-cp313t-win_arm64.whl", hash = "sha256:69e526e14f3f854eda573d3cf40cffd29a1a91c684743d904c33dbdcd0e0f3e7", size = 221707, upload-time = "2026-01-25T12:59:08.363Z" }, + { url = 
"https://files.pythonhosted.org/packages/55/53/1da9e51a0775634b04fcc11eb25c002fc58ee4f92ce2e8512f94ac5fc5bf/coverage-7.13.2-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:387a825f43d680e7310e6f325b2167dd093bc8ffd933b83e9aa0983cf6e0a2ef", size = 219213, upload-time = "2026-01-25T12:59:11.909Z" }, + { url = "https://files.pythonhosted.org/packages/46/35/b3caac3ebbd10230fea5a33012b27d19e999a17c9285c4228b4b2e35b7da/coverage-7.13.2-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:f0d7fea9d8e5d778cd5a9e8fc38308ad688f02040e883cdc13311ef2748cb40f", size = 219549, upload-time = "2026-01-25T12:59:13.638Z" }, + { url = "https://files.pythonhosted.org/packages/76/9c/e1cf7def1bdc72c1907e60703983a588f9558434a2ff94615747bd73c192/coverage-7.13.2-cp314-cp314-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:e080afb413be106c95c4ee96b4fffdc9e2fa56a8bbf90b5c0918e5c4449412f5", size = 250586, upload-time = "2026-01-25T12:59:15.808Z" }, + { url = "https://files.pythonhosted.org/packages/ba/49/f54ec02ed12be66c8d8897270505759e057b0c68564a65c429ccdd1f139e/coverage-7.13.2-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:a7fc042ba3c7ce25b8a9f097eb0f32a5ce1ccdb639d9eec114e26def98e1f8a4", size = 253093, upload-time = "2026-01-25T12:59:17.491Z" }, + { url = "https://files.pythonhosted.org/packages/fb/5e/aaf86be3e181d907e23c0f61fccaeb38de8e6f6b47aed92bf57d8fc9c034/coverage-7.13.2-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d0ba505e021557f7f8173ee8cd6b926373d8653e5ff7581ae2efce1b11ef4c27", size = 254446, upload-time = "2026-01-25T12:59:19.752Z" }, + { url = "https://files.pythonhosted.org/packages/28/c8/a5fa01460e2d75b0c853b392080d6829d3ca8b5ab31e158fa0501bc7c708/coverage-7.13.2-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:7de326f80e3451bd5cc7239ab46c73ddb658fe0b7649476bc7413572d36cd548", size = 250615, upload-time = 
"2026-01-25T12:59:21.928Z" }, + { url = "https://files.pythonhosted.org/packages/86/0b/6d56315a55f7062bb66410732c24879ccb2ec527ab6630246de5fe45a1df/coverage-7.13.2-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:abaea04f1e7e34841d4a7b343904a3f59481f62f9df39e2cd399d69a187a9660", size = 252452, upload-time = "2026-01-25T12:59:23.592Z" }, + { url = "https://files.pythonhosted.org/packages/30/19/9bc550363ebc6b0ea121977ee44d05ecd1e8bf79018b8444f1028701c563/coverage-7.13.2-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:9f93959ee0c604bccd8e0697be21de0887b1f73efcc3aa73a3ec0fd13feace92", size = 250418, upload-time = "2026-01-25T12:59:25.392Z" }, + { url = "https://files.pythonhosted.org/packages/1f/53/580530a31ca2f0cc6f07a8f2ab5460785b02bb11bdf815d4c4d37a4c5169/coverage-7.13.2-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:13fe81ead04e34e105bf1b3c9f9cdf32ce31736ee5d90a8d2de02b9d3e1bcb82", size = 250231, upload-time = "2026-01-25T12:59:27.888Z" }, + { url = "https://files.pythonhosted.org/packages/e2/42/dd9093f919dc3088cb472893651884bd675e3df3d38a43f9053656dca9a2/coverage-7.13.2-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:d6d16b0f71120e365741bca2cb473ca6fe38930bc5431c5e850ba949f708f892", size = 251888, upload-time = "2026-01-25T12:59:29.636Z" }, + { url = "https://files.pythonhosted.org/packages/fa/a6/0af4053e6e819774626e133c3d6f70fae4d44884bfc4b126cb647baee8d3/coverage-7.13.2-cp314-cp314-win32.whl", hash = "sha256:9b2f4714bb7d99ba3790ee095b3b4ac94767e1347fe424278a0b10acb3ff04fe", size = 221968, upload-time = "2026-01-25T12:59:31.424Z" }, + { url = "https://files.pythonhosted.org/packages/c4/cc/5aff1e1f80d55862442855517bb8ad8ad3a68639441ff6287dde6a58558b/coverage-7.13.2-cp314-cp314-win_amd64.whl", hash = "sha256:e4121a90823a063d717a96e0a0529c727fb31ea889369a0ee3ec00ed99bf6859", size = 222783, upload-time = "2026-01-25T12:59:33.118Z" }, + { url = 
"https://files.pythonhosted.org/packages/de/20/09abafb24f84b3292cc658728803416c15b79f9ee5e68d25238a895b07d9/coverage-7.13.2-cp314-cp314-win_arm64.whl", hash = "sha256:6873f0271b4a15a33e7590f338d823f6f66f91ed147a03938d7ce26efd04eee6", size = 221348, upload-time = "2026-01-25T12:59:34.939Z" }, + { url = "https://files.pythonhosted.org/packages/b6/60/a3820c7232db63be060e4019017cd3426751c2699dab3c62819cdbcea387/coverage-7.13.2-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:f61d349f5b7cd95c34017f1927ee379bfbe9884300d74e07cf630ccf7a610c1b", size = 219950, upload-time = "2026-01-25T12:59:36.624Z" }, + { url = "https://files.pythonhosted.org/packages/fd/37/e4ef5975fdeb86b1e56db9a82f41b032e3d93a840ebaf4064f39e770d5c5/coverage-7.13.2-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:a43d34ce714f4ca674c0d90beb760eb05aad906f2c47580ccee9da8fe8bfb417", size = 220209, upload-time = "2026-01-25T12:59:38.339Z" }, + { url = "https://files.pythonhosted.org/packages/54/df/d40e091d00c51adca1e251d3b60a8b464112efa3004949e96a74d7c19a64/coverage-7.13.2-cp314-cp314t-manylinux1_i686.manylinux_2_28_i686.manylinux_2_5_i686.whl", hash = "sha256:bff1b04cb9d4900ce5c56c4942f047dc7efe57e2608cb7c3c8936e9970ccdbee", size = 261576, upload-time = "2026-01-25T12:59:40.446Z" }, + { url = "https://files.pythonhosted.org/packages/c5/44/5259c4bed54e3392e5c176121af9f71919d96dde853386e7730e705f3520/coverage-7.13.2-cp314-cp314t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:6ae99e4560963ad8e163e819e5d77d413d331fd00566c1e0856aa252303552c1", size = 263704, upload-time = "2026-01-25T12:59:42.346Z" }, + { url = "https://files.pythonhosted.org/packages/16/bd/ae9f005827abcbe2c70157459ae86053971c9fa14617b63903abbdce26d9/coverage-7.13.2-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:e79a8c7d461820257d9aa43716c4efc55366d7b292e46b5b37165be1d377405d", size = 266109, upload-time = "2026-01-25T12:59:44.073Z" }, + { url = 
"https://files.pythonhosted.org/packages/a2/c0/8e279c1c0f5b1eaa3ad9b0fb7a5637fc0379ea7d85a781c0fe0bb3cfc2ab/coverage-7.13.2-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:060ee84f6a769d40c492711911a76811b4befb6fba50abb450371abb720f5bd6", size = 260686, upload-time = "2026-01-25T12:59:45.804Z" }, + { url = "https://files.pythonhosted.org/packages/b2/47/3a8112627e9d863e7cddd72894171c929e94491a597811725befdcd76bce/coverage-7.13.2-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:3bca209d001fd03ea2d978f8a4985093240a355c93078aee3f799852c23f561a", size = 263568, upload-time = "2026-01-25T12:59:47.929Z" }, + { url = "https://files.pythonhosted.org/packages/92/bc/7ea367d84afa3120afc3ce6de294fd2dcd33b51e2e7fbe4bbfd200f2cb8c/coverage-7.13.2-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:6b8092aa38d72f091db61ef83cb66076f18f02da3e1a75039a4f218629600e04", size = 261174, upload-time = "2026-01-25T12:59:49.717Z" }, + { url = "https://files.pythonhosted.org/packages/33/b7/f1092dcecb6637e31cc2db099581ee5c61a17647849bae6b8261a2b78430/coverage-7.13.2-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:4a3158dc2dcce5200d91ec28cd315c999eebff355437d2765840555d765a6e5f", size = 260017, upload-time = "2026-01-25T12:59:51.463Z" }, + { url = "https://files.pythonhosted.org/packages/2b/cd/f3d07d4b95fbe1a2ef0958c15da614f7e4f557720132de34d2dc3aa7e911/coverage-7.13.2-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:3973f353b2d70bd9796cc12f532a05945232ccae966456c8ed7034cb96bbfd6f", size = 262337, upload-time = "2026-01-25T12:59:53.407Z" }, + { url = "https://files.pythonhosted.org/packages/e0/db/b0d5b2873a07cb1e06a55d998697c0a5a540dcefbf353774c99eb3874513/coverage-7.13.2-cp314-cp314t-win32.whl", hash = "sha256:79f6506a678a59d4ded048dc72f1859ebede8ec2b9a2d509ebe161f01c2879d3", size = 222749, upload-time = "2026-01-25T12:59:56.316Z" }, + { url = 
"https://files.pythonhosted.org/packages/e5/2f/838a5394c082ac57d85f57f6aba53093b30d9089781df72412126505716f/coverage-7.13.2-cp314-cp314t-win_amd64.whl", hash = "sha256:196bfeabdccc5a020a57d5a368c681e3a6ceb0447d153aeccc1ab4d70a5032ba", size = 223857, upload-time = "2026-01-25T12:59:58.201Z" }, + { url = "https://files.pythonhosted.org/packages/44/d4/b608243e76ead3a4298824b50922b89ef793e50069ce30316a65c1b4d7ef/coverage-7.13.2-cp314-cp314t-win_arm64.whl", hash = "sha256:69269ab58783e090bfbf5b916ab3d188126e22d6070bbfc93098fdd474ef937c", size = 221881, upload-time = "2026-01-25T13:00:00.449Z" }, + { url = "https://files.pythonhosted.org/packages/d2/db/d291e30fdf7ea617a335531e72294e0c723356d7fdde8fba00610a76bda9/coverage-7.13.2-py3-none-any.whl", hash = "sha256:40ce1ea1e25125556d8e76bd0b61500839a07944cc287ac21d5626f3e620cad5", size = 210943, upload-time = "2026-01-25T13:00:02.388Z" }, +] + +[package.optional-dependencies] +toml = [ + { name = "tomli", marker = "python_full_version <= '3.11'" }, +] + +[[package]] +name = "iniconfig" +version = "2.3.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/72/34/14ca021ce8e5dfedc35312d08ba8bf51fdd999c576889fc2c24cb97f4f10/iniconfig-2.3.0.tar.gz", hash = "sha256:c76315c77db068650d49c5b56314774a7804df16fee4402c1f19d6d15d8c4730", size = 20503, upload-time = "2025-10-18T21:55:43.219Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/cb/b1/3846dd7f199d53cb17f49cba7e651e9ce294d8497c8c150530ed11865bb8/iniconfig-2.3.0-py3-none-any.whl", hash = "sha256:f631c04d2c48c52b84d0d0549c99ff3859c98df65b3101406327ecc7d53fbf12", size = 7484, upload-time = "2025-10-18T21:55:41.639Z" }, +] + +[[package]] +name = "jsonschema" +version = "4.26.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "attrs" }, + { name = "jsonschema-specifications" }, + { name = "referencing" }, + { name = "rpds-py" }, +] +sdist = { url = 
"https://files.pythonhosted.org/packages/b3/fc/e067678238fa451312d4c62bf6e6cf5ec56375422aee02f9cb5f909b3047/jsonschema-4.26.0.tar.gz", hash = "sha256:0c26707e2efad8aa1bfc5b7ce170f3fccc2e4918ff85989ba9ffa9facb2be326", size = 366583, upload-time = "2026-01-07T13:41:07.246Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/69/90/f63fb5873511e014207a475e2bb4e8b2e570d655b00ac19a9a0ca0a385ee/jsonschema-4.26.0-py3-none-any.whl", hash = "sha256:d489f15263b8d200f8387e64b4c3a75f06629559fb73deb8fdfb525f2dab50ce", size = 90630, upload-time = "2026-01-07T13:41:05.306Z" }, +] + +[[package]] +name = "jsonschema-specifications" +version = "2025.9.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "referencing" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/19/74/a633ee74eb36c44aa6d1095e7cc5569bebf04342ee146178e2d36600708b/jsonschema_specifications-2025.9.1.tar.gz", hash = "sha256:b540987f239e745613c7a9176f3edb72b832a4ac465cf02712288397832b5e8d", size = 32855, upload-time = "2025-09-08T01:34:59.186Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/41/45/1a4ed80516f02155c51f51e8cedb3c1902296743db0bbc66608a0db2814f/jsonschema_specifications-2025.9.1-py3-none-any.whl", hash = "sha256:98802fee3a11ee76ecaca44429fda8a41bff98b00a0f2838151b113f210cc6fe", size = 18437, upload-time = "2025-09-08T01:34:57.871Z" }, +] + +[[package]] +name = "packaging" +version = "26.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/65/ee/299d360cdc32edc7d2cf530f3accf79c4fca01e96ffc950d8a52213bd8e4/packaging-26.0.tar.gz", hash = "sha256:00243ae351a257117b6a241061796684b084ed1c516a08c48a3f7e147a9d80b4", size = 143416, upload-time = "2026-01-21T20:50:39.064Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b7/b9/c538f279a4e237a006a2c98387d081e9eb060d203d8ed34467cc0f0b9b53/packaging-26.0-py3-none-any.whl", hash = 
"sha256:b36f1fef9334a5588b4166f8bcd26a14e521f2b55e6b9de3aaa80d3ff7a37529", size = 74366, upload-time = "2026-01-21T20:50:37.788Z" }, +] + +[[package]] +name = "pluggy" +version = "1.6.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/f9/e2/3e91f31a7d2b083fe6ef3fa267035b518369d9511ffab804f839851d2779/pluggy-1.6.0.tar.gz", hash = "sha256:7dcc130b76258d33b90f61b658791dede3486c3e6bfb003ee5c9bfb396dd22f3", size = 69412, upload-time = "2025-05-15T12:30:07.975Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/54/20/4d324d65cc6d9205fabedc306948156824eb9f0ee1633355a8f7ec5c66bf/pluggy-1.6.0-py3-none-any.whl", hash = "sha256:e920276dd6813095e9377c0bc5566d94c932c33b27a3e3945d8389c374dd4746", size = 20538, upload-time = "2025-05-15T12:30:06.134Z" }, +] + +[[package]] +name = "policy-deployment-engine" +version = "0.1.0" +source = { editable = "." } +dependencies = [ + { name = "pydantic" }, +] + +[package.optional-dependencies] +dev = [ + { name = "jsonschema" }, + { name = "pytest" }, + { name = "pytest-cov" }, +] +docgen = [ + { name = "pydantic" }, + { name = "pyyaml" }, +] + +[package.dev-dependencies] +dev = [ + { name = "jsonschema" }, +] + +[package.metadata] +requires-dist = [ + { name = "jsonschema", marker = "extra == 'dev'", specifier = ">=4.0.0" }, + { name = "pydantic", specifier = ">=2.12.4" }, + { name = "pydantic", marker = "extra == 'docgen'", specifier = ">=2.0.0" }, + { name = "pytest", marker = "extra == 'dev'", specifier = ">=8.0.0" }, + { name = "pytest-cov", marker = "extra == 'dev'", specifier = ">=4.1.0" }, + { name = "pyyaml", marker = "extra == 'docgen'", specifier = ">=6.0.0" }, +] +provides-extras = ["dev", "docgen"] + +[package.metadata.requires-dev] +dev = [{ name = "jsonschema", specifier = ">=4.25.1" }] + +[[package]] +name = "pydantic" +version = "2.12.5" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "annotated-types" }, + { name = 
"pydantic-core" }, + { name = "typing-extensions" }, + { name = "typing-inspection" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/69/44/36f1a6e523abc58ae5f928898e4aca2e0ea509b5aa6f6f392a5d882be928/pydantic-2.12.5.tar.gz", hash = "sha256:4d351024c75c0f085a9febbb665ce8c0c6ec5d30e903bdb6394b7ede26aebb49", size = 821591, upload-time = "2025-11-26T15:11:46.471Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/5a/87/b70ad306ebb6f9b585f114d0ac2137d792b48be34d732d60e597c2f8465a/pydantic-2.12.5-py3-none-any.whl", hash = "sha256:e561593fccf61e8a20fc46dfc2dfe075b8be7d0188df33f221ad1f0139180f9d", size = 463580, upload-time = "2025-11-26T15:11:44.605Z" }, +] + +[[package]] +name = "pydantic-core" +version = "2.41.5" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "typing-extensions" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/71/70/23b021c950c2addd24ec408e9ab05d59b035b39d97cdc1130e1bce647bb6/pydantic_core-2.41.5.tar.gz", hash = "sha256:08daa51ea16ad373ffd5e7606252cc32f07bc72b28284b6bc9c6df804816476e", size = 460952, upload-time = "2025-11-04T13:43:49.098Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/e8/72/74a989dd9f2084b3d9530b0915fdda64ac48831c30dbf7c72a41a5232db8/pydantic_core-2.41.5-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:a3a52f6156e73e7ccb0f8cced536adccb7042be67cb45f9562e12b319c119da6", size = 2105873, upload-time = "2025-11-04T13:39:31.373Z" }, + { url = "https://files.pythonhosted.org/packages/12/44/37e403fd9455708b3b942949e1d7febc02167662bf1a7da5b78ee1ea2842/pydantic_core-2.41.5-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:7f3bf998340c6d4b0c9a2f02d6a400e51f123b59565d74dc60d252ce888c260b", size = 1899826, upload-time = "2025-11-04T13:39:32.897Z" }, + { url = "https://files.pythonhosted.org/packages/33/7f/1d5cab3ccf44c1935a359d51a8a2a9e1a654b744b5e7f80d41b88d501eec/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", 
hash = "sha256:378bec5c66998815d224c9ca994f1e14c0c21cb95d2f52b6021cc0b2a58f2a5a", size = 1917869, upload-time = "2025-11-04T13:39:34.469Z" }, + { url = "https://files.pythonhosted.org/packages/6e/6a/30d94a9674a7fe4f4744052ed6c5e083424510be1e93da5bc47569d11810/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:e7b576130c69225432866fe2f4a469a85a54ade141d96fd396dffcf607b558f8", size = 2063890, upload-time = "2025-11-04T13:39:36.053Z" }, + { url = "https://files.pythonhosted.org/packages/50/be/76e5d46203fcb2750e542f32e6c371ffa9b8ad17364cf94bb0818dbfb50c/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6cb58b9c66f7e4179a2d5e0f849c48eff5c1fca560994d6eb6543abf955a149e", size = 2229740, upload-time = "2025-11-04T13:39:37.753Z" }, + { url = "https://files.pythonhosted.org/packages/d3/ee/fed784df0144793489f87db310a6bbf8118d7b630ed07aa180d6067e653a/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:88942d3a3dff3afc8288c21e565e476fc278902ae4d6d134f1eeda118cc830b1", size = 2350021, upload-time = "2025-11-04T13:39:40.94Z" }, + { url = "https://files.pythonhosted.org/packages/c8/be/8fed28dd0a180dca19e72c233cbf58efa36df055e5b9d90d64fd1740b828/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f31d95a179f8d64d90f6831d71fa93290893a33148d890ba15de25642c5d075b", size = 2066378, upload-time = "2025-11-04T13:39:42.523Z" }, + { url = "https://files.pythonhosted.org/packages/b0/3b/698cf8ae1d536a010e05121b4958b1257f0b5522085e335360e53a6b1c8b/pydantic_core-2.41.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:c1df3d34aced70add6f867a8cf413e299177e0c22660cc767218373d0779487b", size = 2175761, upload-time = "2025-11-04T13:39:44.553Z" }, + { url = 
"https://files.pythonhosted.org/packages/b8/ba/15d537423939553116dea94ce02f9c31be0fa9d0b806d427e0308ec17145/pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:4009935984bd36bd2c774e13f9a09563ce8de4abaa7226f5108262fa3e637284", size = 2146303, upload-time = "2025-11-04T13:39:46.238Z" }, + { url = "https://files.pythonhosted.org/packages/58/7f/0de669bf37d206723795f9c90c82966726a2ab06c336deba4735b55af431/pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:34a64bc3441dc1213096a20fe27e8e128bd3ff89921706e83c0b1ac971276594", size = 2340355, upload-time = "2025-11-04T13:39:48.002Z" }, + { url = "https://files.pythonhosted.org/packages/e5/de/e7482c435b83d7e3c3ee5ee4451f6e8973cff0eb6007d2872ce6383f6398/pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c9e19dd6e28fdcaa5a1de679aec4141f691023916427ef9bae8584f9c2fb3b0e", size = 2319875, upload-time = "2025-11-04T13:39:49.705Z" }, + { url = "https://files.pythonhosted.org/packages/fe/e6/8c9e81bb6dd7560e33b9053351c29f30c8194b72f2d6932888581f503482/pydantic_core-2.41.5-cp311-cp311-win32.whl", hash = "sha256:2c010c6ded393148374c0f6f0bf89d206bf3217f201faa0635dcd56bd1520f6b", size = 1987549, upload-time = "2025-11-04T13:39:51.842Z" }, + { url = "https://files.pythonhosted.org/packages/11/66/f14d1d978ea94d1bc21fc98fcf570f9542fe55bfcc40269d4e1a21c19bf7/pydantic_core-2.41.5-cp311-cp311-win_amd64.whl", hash = "sha256:76ee27c6e9c7f16f47db7a94157112a2f3a00e958bc626e2f4ee8bec5c328fbe", size = 2011305, upload-time = "2025-11-04T13:39:53.485Z" }, + { url = "https://files.pythonhosted.org/packages/56/d8/0e271434e8efd03186c5386671328154ee349ff0354d83c74f5caaf096ed/pydantic_core-2.41.5-cp311-cp311-win_arm64.whl", hash = "sha256:4bc36bbc0b7584de96561184ad7f012478987882ebf9f9c389b23f432ea3d90f", size = 1972902, upload-time = "2025-11-04T13:39:56.488Z" }, + { url = 
"https://files.pythonhosted.org/packages/5f/5d/5f6c63eebb5afee93bcaae4ce9a898f3373ca23df3ccaef086d0233a35a7/pydantic_core-2.41.5-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:f41a7489d32336dbf2199c8c0a215390a751c5b014c2c1c5366e817202e9cdf7", size = 2110990, upload-time = "2025-11-04T13:39:58.079Z" }, + { url = "https://files.pythonhosted.org/packages/aa/32/9c2e8ccb57c01111e0fd091f236c7b371c1bccea0fa85247ac55b1e2b6b6/pydantic_core-2.41.5-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:070259a8818988b9a84a449a2a7337c7f430a22acc0859c6b110aa7212a6d9c0", size = 1896003, upload-time = "2025-11-04T13:39:59.956Z" }, + { url = "https://files.pythonhosted.org/packages/68/b8/a01b53cb0e59139fbc9e4fda3e9724ede8de279097179be4ff31f1abb65a/pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e96cea19e34778f8d59fe40775a7a574d95816eb150850a85a7a4c8f4b94ac69", size = 1919200, upload-time = "2025-11-04T13:40:02.241Z" }, + { url = "https://files.pythonhosted.org/packages/38/de/8c36b5198a29bdaade07b5985e80a233a5ac27137846f3bc2d3b40a47360/pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ed2e99c456e3fadd05c991f8f437ef902e00eedf34320ba2b0842bd1c3ca3a75", size = 2052578, upload-time = "2025-11-04T13:40:04.401Z" }, + { url = "https://files.pythonhosted.org/packages/00/b5/0e8e4b5b081eac6cb3dbb7e60a65907549a1ce035a724368c330112adfdd/pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:65840751b72fbfd82c3c640cff9284545342a4f1eb1586ad0636955b261b0b05", size = 2208504, upload-time = "2025-11-04T13:40:06.072Z" }, + { url = "https://files.pythonhosted.org/packages/77/56/87a61aad59c7c5b9dc8caad5a41a5545cba3810c3e828708b3d7404f6cef/pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e536c98a7626a98feb2d3eaf75944ef6f3dbee447e1f841eae16f2f0a72d8ddc", size = 2335816, upload-time = "2025-11-04T13:40:07.835Z" }, + { 
url = "https://files.pythonhosted.org/packages/0d/76/941cc9f73529988688a665a5c0ecff1112b3d95ab48f81db5f7606f522d3/pydantic_core-2.41.5-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:eceb81a8d74f9267ef4081e246ffd6d129da5d87e37a77c9bde550cb04870c1c", size = 2075366, upload-time = "2025-11-04T13:40:09.804Z" }, + { url = "https://files.pythonhosted.org/packages/d3/43/ebef01f69baa07a482844faaa0a591bad1ef129253ffd0cdaa9d8a7f72d3/pydantic_core-2.41.5-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d38548150c39b74aeeb0ce8ee1d8e82696f4a4e16ddc6de7b1d8823f7de4b9b5", size = 2171698, upload-time = "2025-11-04T13:40:12.004Z" }, + { url = "https://files.pythonhosted.org/packages/b1/87/41f3202e4193e3bacfc2c065fab7706ebe81af46a83d3e27605029c1f5a6/pydantic_core-2.41.5-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:c23e27686783f60290e36827f9c626e63154b82b116d7fe9adba1fda36da706c", size = 2132603, upload-time = "2025-11-04T13:40:13.868Z" }, + { url = "https://files.pythonhosted.org/packages/49/7d/4c00df99cb12070b6bccdef4a195255e6020a550d572768d92cc54dba91a/pydantic_core-2.41.5-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:482c982f814460eabe1d3bb0adfdc583387bd4691ef00b90575ca0d2b6fe2294", size = 2329591, upload-time = "2025-11-04T13:40:15.672Z" }, + { url = "https://files.pythonhosted.org/packages/cc/6a/ebf4b1d65d458f3cda6a7335d141305dfa19bdc61140a884d165a8a1bbc7/pydantic_core-2.41.5-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:bfea2a5f0b4d8d43adf9d7b8bf019fb46fdd10a2e5cde477fbcb9d1fa08c68e1", size = 2319068, upload-time = "2025-11-04T13:40:17.532Z" }, + { url = "https://files.pythonhosted.org/packages/49/3b/774f2b5cd4192d5ab75870ce4381fd89cf218af999515baf07e7206753f0/pydantic_core-2.41.5-cp312-cp312-win32.whl", hash = "sha256:b74557b16e390ec12dca509bce9264c3bbd128f8a2c376eaa68003d7f327276d", size = 1985908, upload-time = "2025-11-04T13:40:19.309Z" }, + { url = 
"https://files.pythonhosted.org/packages/86/45/00173a033c801cacf67c190fef088789394feaf88a98a7035b0e40d53dc9/pydantic_core-2.41.5-cp312-cp312-win_amd64.whl", hash = "sha256:1962293292865bca8e54702b08a4f26da73adc83dd1fcf26fbc875b35d81c815", size = 2020145, upload-time = "2025-11-04T13:40:21.548Z" }, + { url = "https://files.pythonhosted.org/packages/f9/22/91fbc821fa6d261b376a3f73809f907cec5ca6025642c463d3488aad22fb/pydantic_core-2.41.5-cp312-cp312-win_arm64.whl", hash = "sha256:1746d4a3d9a794cacae06a5eaaccb4b8643a131d45fbc9af23e353dc0a5ba5c3", size = 1976179, upload-time = "2025-11-04T13:40:23.393Z" }, + { url = "https://files.pythonhosted.org/packages/87/06/8806241ff1f70d9939f9af039c6c35f2360cf16e93c2ca76f184e76b1564/pydantic_core-2.41.5-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:941103c9be18ac8daf7b7adca8228f8ed6bb7a1849020f643b3a14d15b1924d9", size = 2120403, upload-time = "2025-11-04T13:40:25.248Z" }, + { url = "https://files.pythonhosted.org/packages/94/02/abfa0e0bda67faa65fef1c84971c7e45928e108fe24333c81f3bfe35d5f5/pydantic_core-2.41.5-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:112e305c3314f40c93998e567879e887a3160bb8689ef3d2c04b6cc62c33ac34", size = 1896206, upload-time = "2025-11-04T13:40:27.099Z" }, + { url = "https://files.pythonhosted.org/packages/15/df/a4c740c0943e93e6500f9eb23f4ca7ec9bf71b19e608ae5b579678c8d02f/pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0cbaad15cb0c90aa221d43c00e77bb33c93e8d36e0bf74760cd00e732d10a6a0", size = 1919307, upload-time = "2025-11-04T13:40:29.806Z" }, + { url = "https://files.pythonhosted.org/packages/9a/e3/6324802931ae1d123528988e0e86587c2072ac2e5394b4bc2bc34b61ff6e/pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:03ca43e12fab6023fc79d28ca6b39b05f794ad08ec2feccc59a339b02f2b3d33", size = 2063258, upload-time = "2025-11-04T13:40:33.544Z" }, + { url = 
"https://files.pythonhosted.org/packages/c9/d4/2230d7151d4957dd79c3044ea26346c148c98fbf0ee6ebd41056f2d62ab5/pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:dc799088c08fa04e43144b164feb0c13f9a0bc40503f8df3e9fde58a3c0c101e", size = 2214917, upload-time = "2025-11-04T13:40:35.479Z" }, + { url = "https://files.pythonhosted.org/packages/e6/9f/eaac5df17a3672fef0081b6c1bb0b82b33ee89aa5cec0d7b05f52fd4a1fa/pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:97aeba56665b4c3235a0e52b2c2f5ae9cd071b8a8310ad27bddb3f7fb30e9aa2", size = 2332186, upload-time = "2025-11-04T13:40:37.436Z" }, + { url = "https://files.pythonhosted.org/packages/cf/4e/35a80cae583a37cf15604b44240e45c05e04e86f9cfd766623149297e971/pydantic_core-2.41.5-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:406bf18d345822d6c21366031003612b9c77b3e29ffdb0f612367352aab7d586", size = 2073164, upload-time = "2025-11-04T13:40:40.289Z" }, + { url = "https://files.pythonhosted.org/packages/bf/e3/f6e262673c6140dd3305d144d032f7bd5f7497d3871c1428521f19f9efa2/pydantic_core-2.41.5-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:b93590ae81f7010dbe380cdeab6f515902ebcbefe0b9327cc4804d74e93ae69d", size = 2179146, upload-time = "2025-11-04T13:40:42.809Z" }, + { url = "https://files.pythonhosted.org/packages/75/c7/20bd7fc05f0c6ea2056a4565c6f36f8968c0924f19b7d97bbfea55780e73/pydantic_core-2.41.5-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:01a3d0ab748ee531f4ea6c3e48ad9dac84ddba4b0d82291f87248f2f9de8d740", size = 2137788, upload-time = "2025-11-04T13:40:44.752Z" }, + { url = "https://files.pythonhosted.org/packages/3a/8d/34318ef985c45196e004bc46c6eab2eda437e744c124ef0dbe1ff2c9d06b/pydantic_core-2.41.5-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:6561e94ba9dacc9c61bce40e2d6bdc3bfaa0259d3ff36ace3b1e6901936d2e3e", size = 2340133, upload-time = "2025-11-04T13:40:46.66Z" }, + { url = 
"https://files.pythonhosted.org/packages/9c/59/013626bf8c78a5a5d9350d12e7697d3d4de951a75565496abd40ccd46bee/pydantic_core-2.41.5-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:915c3d10f81bec3a74fbd4faebe8391013ba61e5a1a8d48c4455b923bdda7858", size = 2324852, upload-time = "2025-11-04T13:40:48.575Z" }, + { url = "https://files.pythonhosted.org/packages/1a/d9/c248c103856f807ef70c18a4f986693a46a8ffe1602e5d361485da502d20/pydantic_core-2.41.5-cp313-cp313-win32.whl", hash = "sha256:650ae77860b45cfa6e2cdafc42618ceafab3a2d9a3811fcfbd3bbf8ac3c40d36", size = 1994679, upload-time = "2025-11-04T13:40:50.619Z" }, + { url = "https://files.pythonhosted.org/packages/9e/8b/341991b158ddab181cff136acd2552c9f35bd30380422a639c0671e99a91/pydantic_core-2.41.5-cp313-cp313-win_amd64.whl", hash = "sha256:79ec52ec461e99e13791ec6508c722742ad745571f234ea6255bed38c6480f11", size = 2019766, upload-time = "2025-11-04T13:40:52.631Z" }, + { url = "https://files.pythonhosted.org/packages/73/7d/f2f9db34af103bea3e09735bb40b021788a5e834c81eedb541991badf8f5/pydantic_core-2.41.5-cp313-cp313-win_arm64.whl", hash = "sha256:3f84d5c1b4ab906093bdc1ff10484838aca54ef08de4afa9de0f5f14d69639cd", size = 1981005, upload-time = "2025-11-04T13:40:54.734Z" }, + { url = "https://files.pythonhosted.org/packages/ea/28/46b7c5c9635ae96ea0fbb779e271a38129df2550f763937659ee6c5dbc65/pydantic_core-2.41.5-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:3f37a19d7ebcdd20b96485056ba9e8b304e27d9904d233d7b1015db320e51f0a", size = 2119622, upload-time = "2025-11-04T13:40:56.68Z" }, + { url = "https://files.pythonhosted.org/packages/74/1a/145646e5687e8d9a1e8d09acb278c8535ebe9e972e1f162ed338a622f193/pydantic_core-2.41.5-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:1d1d9764366c73f996edd17abb6d9d7649a7eb690006ab6adbda117717099b14", size = 1891725, upload-time = "2025-11-04T13:40:58.807Z" }, + { url = 
"https://files.pythonhosted.org/packages/23/04/e89c29e267b8060b40dca97bfc64a19b2a3cf99018167ea1677d96368273/pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:25e1c2af0fce638d5f1988b686f3b3ea8cd7de5f244ca147c777769e798a9cd1", size = 1915040, upload-time = "2025-11-04T13:41:00.853Z" }, + { url = "https://files.pythonhosted.org/packages/84/a3/15a82ac7bd97992a82257f777b3583d3e84bdb06ba6858f745daa2ec8a85/pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:506d766a8727beef16b7adaeb8ee6217c64fc813646b424d0804d67c16eddb66", size = 2063691, upload-time = "2025-11-04T13:41:03.504Z" }, + { url = "https://files.pythonhosted.org/packages/74/9b/0046701313c6ef08c0c1cf0e028c67c770a4e1275ca73131563c5f2a310a/pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4819fa52133c9aa3c387b3328f25c1facc356491e6135b459f1de698ff64d869", size = 2213897, upload-time = "2025-11-04T13:41:05.804Z" }, + { url = "https://files.pythonhosted.org/packages/8a/cd/6bac76ecd1b27e75a95ca3a9a559c643b3afcd2dd62086d4b7a32a18b169/pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2b761d210c9ea91feda40d25b4efe82a1707da2ef62901466a42492c028553a2", size = 2333302, upload-time = "2025-11-04T13:41:07.809Z" }, + { url = "https://files.pythonhosted.org/packages/4c/d2/ef2074dc020dd6e109611a8be4449b98cd25e1b9b8a303c2f0fca2f2bcf7/pydantic_core-2.41.5-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:22f0fb8c1c583a3b6f24df2470833b40207e907b90c928cc8d3594b76f874375", size = 2064877, upload-time = "2025-11-04T13:41:09.827Z" }, + { url = "https://files.pythonhosted.org/packages/18/66/e9db17a9a763d72f03de903883c057b2592c09509ccfe468187f2a2eef29/pydantic_core-2.41.5-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:2782c870e99878c634505236d81e5443092fba820f0373997ff75f90f68cd553", size = 2180680, 
upload-time = "2025-11-04T13:41:12.379Z" }, + { url = "https://files.pythonhosted.org/packages/d3/9e/3ce66cebb929f3ced22be85d4c2399b8e85b622db77dad36b73c5387f8f8/pydantic_core-2.41.5-cp314-cp314-musllinux_1_1_aarch64.whl", hash = "sha256:0177272f88ab8312479336e1d777f6b124537d47f2123f89cb37e0accea97f90", size = 2138960, upload-time = "2025-11-04T13:41:14.627Z" }, + { url = "https://files.pythonhosted.org/packages/a6/62/205a998f4327d2079326b01abee48e502ea739d174f0a89295c481a2272e/pydantic_core-2.41.5-cp314-cp314-musllinux_1_1_armv7l.whl", hash = "sha256:63510af5e38f8955b8ee5687740d6ebf7c2a0886d15a6d65c32814613681bc07", size = 2339102, upload-time = "2025-11-04T13:41:16.868Z" }, + { url = "https://files.pythonhosted.org/packages/3c/0d/f05e79471e889d74d3d88f5bd20d0ed189ad94c2423d81ff8d0000aab4ff/pydantic_core-2.41.5-cp314-cp314-musllinux_1_1_x86_64.whl", hash = "sha256:e56ba91f47764cc14f1daacd723e3e82d1a89d783f0f5afe9c364b8bb491ccdb", size = 2326039, upload-time = "2025-11-04T13:41:18.934Z" }, + { url = "https://files.pythonhosted.org/packages/ec/e1/e08a6208bb100da7e0c4b288eed624a703f4d129bde2da475721a80cab32/pydantic_core-2.41.5-cp314-cp314-win32.whl", hash = "sha256:aec5cf2fd867b4ff45b9959f8b20ea3993fc93e63c7363fe6851424c8a7e7c23", size = 1995126, upload-time = "2025-11-04T13:41:21.418Z" }, + { url = "https://files.pythonhosted.org/packages/48/5d/56ba7b24e9557f99c9237e29f5c09913c81eeb2f3217e40e922353668092/pydantic_core-2.41.5-cp314-cp314-win_amd64.whl", hash = "sha256:8e7c86f27c585ef37c35e56a96363ab8de4e549a95512445b85c96d3e2f7c1bf", size = 2015489, upload-time = "2025-11-04T13:41:24.076Z" }, + { url = "https://files.pythonhosted.org/packages/4e/bb/f7a190991ec9e3e0ba22e4993d8755bbc4a32925c0b5b42775c03e8148f9/pydantic_core-2.41.5-cp314-cp314-win_arm64.whl", hash = "sha256:e672ba74fbc2dc8eea59fb6d4aed6845e6905fc2a8afe93175d94a83ba2a01a0", size = 1977288, upload-time = "2025-11-04T13:41:26.33Z" }, + { url = 
"https://files.pythonhosted.org/packages/92/ed/77542d0c51538e32e15afe7899d79efce4b81eee631d99850edc2f5e9349/pydantic_core-2.41.5-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:8566def80554c3faa0e65ac30ab0932b9e3a5cd7f8323764303d468e5c37595a", size = 2120255, upload-time = "2025-11-04T13:41:28.569Z" }, + { url = "https://files.pythonhosted.org/packages/bb/3d/6913dde84d5be21e284439676168b28d8bbba5600d838b9dca99de0fad71/pydantic_core-2.41.5-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:b80aa5095cd3109962a298ce14110ae16b8c1aece8b72f9dafe81cf597ad80b3", size = 1863760, upload-time = "2025-11-04T13:41:31.055Z" }, + { url = "https://files.pythonhosted.org/packages/5a/f0/e5e6b99d4191da102f2b0eb9687aaa7f5bea5d9964071a84effc3e40f997/pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3006c3dd9ba34b0c094c544c6006cc79e87d8612999f1a5d43b769b89181f23c", size = 1878092, upload-time = "2025-11-04T13:41:33.21Z" }, + { url = "https://files.pythonhosted.org/packages/71/48/36fb760642d568925953bcc8116455513d6e34c4beaa37544118c36aba6d/pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:72f6c8b11857a856bcfa48c86f5368439f74453563f951e473514579d44aa612", size = 2053385, upload-time = "2025-11-04T13:41:35.508Z" }, + { url = "https://files.pythonhosted.org/packages/20/25/92dc684dd8eb75a234bc1c764b4210cf2646479d54b47bf46061657292a8/pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5cb1b2f9742240e4bb26b652a5aeb840aa4b417c7748b6f8387927bc6e45e40d", size = 2218832, upload-time = "2025-11-04T13:41:37.732Z" }, + { url = "https://files.pythonhosted.org/packages/e2/09/f53e0b05023d3e30357d82eb35835d0f6340ca344720a4599cd663dca599/pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:bd3d54f38609ff308209bd43acea66061494157703364ae40c951f83ba99a1a9", size = 2327585, upload-time = "2025-11-04T13:41:40Z" }, + 
{ url = "https://files.pythonhosted.org/packages/aa/4e/2ae1aa85d6af35a39b236b1b1641de73f5a6ac4d5a7509f77b814885760c/pydantic_core-2.41.5-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2ff4321e56e879ee8d2a879501c8e469414d948f4aba74a2d4593184eb326660", size = 2041078, upload-time = "2025-11-04T13:41:42.323Z" }, + { url = "https://files.pythonhosted.org/packages/cd/13/2e215f17f0ef326fc72afe94776edb77525142c693767fc347ed6288728d/pydantic_core-2.41.5-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d0d2568a8c11bf8225044aa94409e21da0cb09dcdafe9ecd10250b2baad531a9", size = 2173914, upload-time = "2025-11-04T13:41:45.221Z" }, + { url = "https://files.pythonhosted.org/packages/02/7a/f999a6dcbcd0e5660bc348a3991c8915ce6599f4f2c6ac22f01d7a10816c/pydantic_core-2.41.5-cp314-cp314t-musllinux_1_1_aarch64.whl", hash = "sha256:a39455728aabd58ceabb03c90e12f71fd30fa69615760a075b9fec596456ccc3", size = 2129560, upload-time = "2025-11-04T13:41:47.474Z" }, + { url = "https://files.pythonhosted.org/packages/3a/b1/6c990ac65e3b4c079a4fb9f5b05f5b013afa0f4ed6780a3dd236d2cbdc64/pydantic_core-2.41.5-cp314-cp314t-musllinux_1_1_armv7l.whl", hash = "sha256:239edca560d05757817c13dc17c50766136d21f7cd0fac50295499ae24f90fdf", size = 2329244, upload-time = "2025-11-04T13:41:49.992Z" }, + { url = "https://files.pythonhosted.org/packages/d9/02/3c562f3a51afd4d88fff8dffb1771b30cfdfd79befd9883ee094f5b6c0d8/pydantic_core-2.41.5-cp314-cp314t-musllinux_1_1_x86_64.whl", hash = "sha256:2a5e06546e19f24c6a96a129142a75cee553cc018ffee48a460059b1185f4470", size = 2331955, upload-time = "2025-11-04T13:41:54.079Z" }, + { url = "https://files.pythonhosted.org/packages/5c/96/5fb7d8c3c17bc8c62fdb031c47d77a1af698f1d7a406b0f79aaa1338f9ad/pydantic_core-2.41.5-cp314-cp314t-win32.whl", hash = "sha256:b4ececa40ac28afa90871c2cc2b9ffd2ff0bf749380fbdf57d165fd23da353aa", size = 1988906, upload-time = "2025-11-04T13:41:56.606Z" }, + { url = 
"https://files.pythonhosted.org/packages/22/ed/182129d83032702912c2e2d8bbe33c036f342cc735737064668585dac28f/pydantic_core-2.41.5-cp314-cp314t-win_amd64.whl", hash = "sha256:80aa89cad80b32a912a65332f64a4450ed00966111b6615ca6816153d3585a8c", size = 1981607, upload-time = "2025-11-04T13:41:58.889Z" }, + { url = "https://files.pythonhosted.org/packages/9f/ed/068e41660b832bb0b1aa5b58011dea2a3fe0ba7861ff38c4d4904c1c1a99/pydantic_core-2.41.5-cp314-cp314t-win_arm64.whl", hash = "sha256:35b44f37a3199f771c3eaa53051bc8a70cd7b54f333531c59e29fd4db5d15008", size = 1974769, upload-time = "2025-11-04T13:42:01.186Z" }, + { url = "https://files.pythonhosted.org/packages/11/72/90fda5ee3b97e51c494938a4a44c3a35a9c96c19bba12372fb9c634d6f57/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-macosx_10_12_x86_64.whl", hash = "sha256:b96d5f26b05d03cc60f11a7761a5ded1741da411e7fe0909e27a5e6a0cb7b034", size = 2115441, upload-time = "2025-11-04T13:42:39.557Z" }, + { url = "https://files.pythonhosted.org/packages/1f/53/8942f884fa33f50794f119012dc6a1a02ac43a56407adaac20463df8e98f/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-macosx_11_0_arm64.whl", hash = "sha256:634e8609e89ceecea15e2d61bc9ac3718caaaa71963717bf3c8f38bfde64242c", size = 1930291, upload-time = "2025-11-04T13:42:42.169Z" }, + { url = "https://files.pythonhosted.org/packages/79/c8/ecb9ed9cd942bce09fc888ee960b52654fbdbede4ba6c2d6e0d3b1d8b49c/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:93e8740d7503eb008aa2df04d3b9735f845d43ae845e6dcd2be0b55a2da43cd2", size = 1948632, upload-time = "2025-11-04T13:42:44.564Z" }, + { url = "https://files.pythonhosted.org/packages/2e/1b/687711069de7efa6af934e74f601e2a4307365e8fdc404703afc453eab26/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f15489ba13d61f670dcc96772e733aad1a6f9c429cc27574c6cdaed82d0146ad", size = 2138905, upload-time = 
"2025-11-04T13:42:47.156Z" }, + { url = "https://files.pythonhosted.org/packages/09/32/59b0c7e63e277fa7911c2fc70ccfb45ce4b98991e7ef37110663437005af/pydantic_core-2.41.5-graalpy312-graalpy250_312_native-macosx_10_12_x86_64.whl", hash = "sha256:7da7087d756b19037bc2c06edc6c170eeef3c3bafcb8f532ff17d64dc427adfd", size = 2110495, upload-time = "2025-11-04T13:42:49.689Z" }, + { url = "https://files.pythonhosted.org/packages/aa/81/05e400037eaf55ad400bcd318c05bb345b57e708887f07ddb2d20e3f0e98/pydantic_core-2.41.5-graalpy312-graalpy250_312_native-macosx_11_0_arm64.whl", hash = "sha256:aabf5777b5c8ca26f7824cb4a120a740c9588ed58df9b2d196ce92fba42ff8dc", size = 1915388, upload-time = "2025-11-04T13:42:52.215Z" }, + { url = "https://files.pythonhosted.org/packages/6e/0d/e3549b2399f71d56476b77dbf3cf8937cec5cd70536bdc0e374a421d0599/pydantic_core-2.41.5-graalpy312-graalpy250_312_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c007fe8a43d43b3969e8469004e9845944f1a80e6acd47c150856bb87f230c56", size = 1942879, upload-time = "2025-11-04T13:42:56.483Z" }, + { url = "https://files.pythonhosted.org/packages/f7/07/34573da085946b6a313d7c42f82f16e8920bfd730665de2d11c0c37a74b5/pydantic_core-2.41.5-graalpy312-graalpy250_312_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:76d0819de158cd855d1cbb8fcafdf6f5cf1eb8e470abe056d5d161106e38062b", size = 2139017, upload-time = "2025-11-04T13:42:59.471Z" }, + { url = "https://files.pythonhosted.org/packages/5f/9b/1b3f0e9f9305839d7e84912f9e8bfbd191ed1b1ef48083609f0dabde978c/pydantic_core-2.41.5-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:b2379fa7ed44ddecb5bfe4e48577d752db9fc10be00a6b7446e9663ba143de26", size = 2101980, upload-time = "2025-11-04T13:43:25.97Z" }, + { url = "https://files.pythonhosted.org/packages/a4/ed/d71fefcb4263df0da6a85b5d8a7508360f2f2e9b3bf5814be9c8bccdccc1/pydantic_core-2.41.5-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = 
"sha256:266fb4cbf5e3cbd0b53669a6d1b039c45e3ce651fd5442eff4d07c2cc8d66808", size = 1923865, upload-time = "2025-11-04T13:43:28.763Z" }, + { url = "https://files.pythonhosted.org/packages/ce/3a/626b38db460d675f873e4444b4bb030453bbe7b4ba55df821d026a0493c4/pydantic_core-2.41.5-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58133647260ea01e4d0500089a8c4f07bd7aa6ce109682b1426394988d8aaacc", size = 2134256, upload-time = "2025-11-04T13:43:31.71Z" }, + { url = "https://files.pythonhosted.org/packages/83/d9/8412d7f06f616bbc053d30cb4e5f76786af3221462ad5eee1f202021eb4e/pydantic_core-2.41.5-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:287dad91cfb551c363dc62899a80e9e14da1f0e2b6ebde82c806612ca2a13ef1", size = 2174762, upload-time = "2025-11-04T13:43:34.744Z" }, + { url = "https://files.pythonhosted.org/packages/55/4c/162d906b8e3ba3a99354e20faa1b49a85206c47de97a639510a0e673f5da/pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:03b77d184b9eb40240ae9fd676ca364ce1085f203e1b1256f8ab9984dca80a84", size = 2143141, upload-time = "2025-11-04T13:43:37.701Z" }, + { url = "https://files.pythonhosted.org/packages/1f/f2/f11dd73284122713f5f89fc940f370d035fa8e1e078d446b3313955157fe/pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:a668ce24de96165bb239160b3d854943128f4334822900534f2fe947930e5770", size = 2330317, upload-time = "2025-11-04T13:43:40.406Z" }, + { url = "https://files.pythonhosted.org/packages/88/9d/b06ca6acfe4abb296110fb1273a4d848a0bfb2ff65f3ee92127b3244e16b/pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:f14f8f046c14563f8eb3f45f499cc658ab8d10072961e07225e507adb700e93f", size = 2316992, upload-time = "2025-11-04T13:43:43.602Z" }, + { url = "https://files.pythonhosted.org/packages/36/c7/cfc8e811f061c841d7990b0201912c3556bfeb99cdcb7ed24adc8d6f8704/pydantic_core-2.41.5-pp311-pypy311_pp73-win_amd64.whl", hash = 
"sha256:56121965f7a4dc965bff783d70b907ddf3d57f6eba29b6d2e5dabfaf07799c51", size = 2145302, upload-time = "2025-11-04T13:43:46.64Z" }, +] + +[[package]] +name = "pygments" +version = "2.19.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/b0/77/a5b8c569bf593b0140bde72ea885a803b82086995367bf2037de0159d924/pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887", size = 4968631, upload-time = "2025-06-21T13:39:12.283Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b", size = 1225217, upload-time = "2025-06-21T13:39:07.939Z" }, +] + +[[package]] +name = "pytest" +version = "9.0.2" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "colorama", marker = "sys_platform == 'win32'" }, + { name = "iniconfig" }, + { name = "packaging" }, + { name = "pluggy" }, + { name = "pygments" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/d1/db/7ef3487e0fb0049ddb5ce41d3a49c235bf9ad299b6a25d5780a89f19230f/pytest-9.0.2.tar.gz", hash = "sha256:75186651a92bd89611d1d9fc20f0b4345fd827c41ccd5c299a868a05d70edf11", size = 1568901, upload-time = "2025-12-06T21:30:51.014Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/3b/ab/b3226f0bd7cdcf710fbede2b3548584366da3b19b5021e74f5bde2a8fa3f/pytest-9.0.2-py3-none-any.whl", hash = "sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b", size = 374801, upload-time = "2025-12-06T21:30:49.154Z" }, +] + +[[package]] +name = "pytest-cov" +version = "7.0.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "coverage", extra = ["toml"] }, + { name = "pluggy" }, + { name = "pytest" }, +] +sdist = { url = 
"https://files.pythonhosted.org/packages/5e/f7/c933acc76f5208b3b00089573cf6a2bc26dc80a8aece8f52bb7d6b1855ca/pytest_cov-7.0.0.tar.gz", hash = "sha256:33c97eda2e049a0c5298e91f519302a1334c26ac65c1a483d6206fd458361af1", size = 54328, upload-time = "2025-09-09T10:57:02.113Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/ee/49/1377b49de7d0c1ce41292161ea0f721913fa8722c19fb9c1e3aa0367eecb/pytest_cov-7.0.0-py3-none-any.whl", hash = "sha256:3b8e9558b16cc1479da72058bdecf8073661c7f57f7d3c5f22a1c23507f2d861", size = 22424, upload-time = "2025-09-09T10:57:00.695Z" }, +] + +[[package]] +name = "pyyaml" +version = "6.0.3" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/05/8e/961c0007c59b8dd7729d542c61a4d537767a59645b82a0b521206e1e25c2/pyyaml-6.0.3.tar.gz", hash = "sha256:d76623373421df22fb4cf8817020cbb7ef15c725b9d5e45f17e189bfc384190f", size = 130960, upload-time = "2025-09-25T21:33:16.546Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/6d/16/a95b6757765b7b031c9374925bb718d55e0a9ba8a1b6a12d25962ea44347/pyyaml-6.0.3-cp311-cp311-macosx_10_13_x86_64.whl", hash = "sha256:44edc647873928551a01e7a563d7452ccdebee747728c1080d881d68af7b997e", size = 185826, upload-time = "2025-09-25T21:31:58.655Z" }, + { url = "https://files.pythonhosted.org/packages/16/19/13de8e4377ed53079ee996e1ab0a9c33ec2faf808a4647b7b4c0d46dd239/pyyaml-6.0.3-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:652cb6edd41e718550aad172851962662ff2681490a8a711af6a4d288dd96824", size = 175577, upload-time = "2025-09-25T21:32:00.088Z" }, + { url = "https://files.pythonhosted.org/packages/0c/62/d2eb46264d4b157dae1275b573017abec435397aa59cbcdab6fc978a8af4/pyyaml-6.0.3-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:10892704fc220243f5305762e276552a0395f7beb4dbf9b14ec8fd43b57f126c", size = 775556, upload-time = "2025-09-25T21:32:01.31Z" }, + { url = 
"https://files.pythonhosted.org/packages/10/cb/16c3f2cf3266edd25aaa00d6c4350381c8b012ed6f5276675b9eba8d9ff4/pyyaml-6.0.3-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:850774a7879607d3a6f50d36d04f00ee69e7fc816450e5f7e58d7f17f1ae5c00", size = 882114, upload-time = "2025-09-25T21:32:03.376Z" }, + { url = "https://files.pythonhosted.org/packages/71/60/917329f640924b18ff085ab889a11c763e0b573da888e8404ff486657602/pyyaml-6.0.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:b8bb0864c5a28024fac8a632c443c87c5aa6f215c0b126c449ae1a150412f31d", size = 806638, upload-time = "2025-09-25T21:32:04.553Z" }, + { url = "https://files.pythonhosted.org/packages/dd/6f/529b0f316a9fd167281a6c3826b5583e6192dba792dd55e3203d3f8e655a/pyyaml-6.0.3-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1d37d57ad971609cf3c53ba6a7e365e40660e3be0e5175fa9f2365a379d6095a", size = 767463, upload-time = "2025-09-25T21:32:06.152Z" }, + { url = "https://files.pythonhosted.org/packages/f2/6a/b627b4e0c1dd03718543519ffb2f1deea4a1e6d42fbab8021936a4d22589/pyyaml-6.0.3-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:37503bfbfc9d2c40b344d06b2199cf0e96e97957ab1c1b546fd4f87e53e5d3e4", size = 794986, upload-time = "2025-09-25T21:32:07.367Z" }, + { url = "https://files.pythonhosted.org/packages/45/91/47a6e1c42d9ee337c4839208f30d9f09caa9f720ec7582917b264defc875/pyyaml-6.0.3-cp311-cp311-win32.whl", hash = "sha256:8098f252adfa6c80ab48096053f512f2321f0b998f98150cea9bd23d83e1467b", size = 142543, upload-time = "2025-09-25T21:32:08.95Z" }, + { url = "https://files.pythonhosted.org/packages/da/e3/ea007450a105ae919a72393cb06f122f288ef60bba2dc64b26e2646fa315/pyyaml-6.0.3-cp311-cp311-win_amd64.whl", hash = "sha256:9f3bfb4965eb874431221a3ff3fdcddc7e74e3b07799e0e84ca4a0f867d449bf", size = 158763, upload-time = "2025-09-25T21:32:09.96Z" }, + { url = 
"https://files.pythonhosted.org/packages/d1/33/422b98d2195232ca1826284a76852ad5a86fe23e31b009c9886b2d0fb8b2/pyyaml-6.0.3-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:7f047e29dcae44602496db43be01ad42fc6f1cc0d8cd6c83d342306c32270196", size = 182063, upload-time = "2025-09-25T21:32:11.445Z" }, + { url = "https://files.pythonhosted.org/packages/89/a0/6cf41a19a1f2f3feab0e9c0b74134aa2ce6849093d5517a0c550fe37a648/pyyaml-6.0.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fc09d0aa354569bc501d4e787133afc08552722d3ab34836a80547331bb5d4a0", size = 173973, upload-time = "2025-09-25T21:32:12.492Z" }, + { url = "https://files.pythonhosted.org/packages/ed/23/7a778b6bd0b9a8039df8b1b1d80e2e2ad78aa04171592c8a5c43a56a6af4/pyyaml-6.0.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9149cad251584d5fb4981be1ecde53a1ca46c891a79788c0df828d2f166bda28", size = 775116, upload-time = "2025-09-25T21:32:13.652Z" }, + { url = "https://files.pythonhosted.org/packages/65/30/d7353c338e12baef4ecc1b09e877c1970bd3382789c159b4f89d6a70dc09/pyyaml-6.0.3-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5fdec68f91a0c6739b380c83b951e2c72ac0197ace422360e6d5a959d8d97b2c", size = 844011, upload-time = "2025-09-25T21:32:15.21Z" }, + { url = "https://files.pythonhosted.org/packages/8b/9d/b3589d3877982d4f2329302ef98a8026e7f4443c765c46cfecc8858c6b4b/pyyaml-6.0.3-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ba1cc08a7ccde2d2ec775841541641e4548226580ab850948cbfda66a1befcdc", size = 807870, upload-time = "2025-09-25T21:32:16.431Z" }, + { url = "https://files.pythonhosted.org/packages/05/c0/b3be26a015601b822b97d9149ff8cb5ead58c66f981e04fedf4e762f4bd4/pyyaml-6.0.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:8dc52c23056b9ddd46818a57b78404882310fb473d63f17b07d5c40421e47f8e", size = 761089, upload-time = "2025-09-25T21:32:17.56Z" }, + { url = 
"https://files.pythonhosted.org/packages/be/8e/98435a21d1d4b46590d5459a22d88128103f8da4c2d4cb8f14f2a96504e1/pyyaml-6.0.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:41715c910c881bc081f1e8872880d3c650acf13dfa8214bad49ed4cede7c34ea", size = 790181, upload-time = "2025-09-25T21:32:18.834Z" }, + { url = "https://files.pythonhosted.org/packages/74/93/7baea19427dcfbe1e5a372d81473250b379f04b1bd3c4c5ff825e2327202/pyyaml-6.0.3-cp312-cp312-win32.whl", hash = "sha256:96b533f0e99f6579b3d4d4995707cf36df9100d67e0c8303a0c55b27b5f99bc5", size = 137658, upload-time = "2025-09-25T21:32:20.209Z" }, + { url = "https://files.pythonhosted.org/packages/86/bf/899e81e4cce32febab4fb42bb97dcdf66bc135272882d1987881a4b519e9/pyyaml-6.0.3-cp312-cp312-win_amd64.whl", hash = "sha256:5fcd34e47f6e0b794d17de1b4ff496c00986e1c83f7ab2fb8fcfe9616ff7477b", size = 154003, upload-time = "2025-09-25T21:32:21.167Z" }, + { url = "https://files.pythonhosted.org/packages/1a/08/67bd04656199bbb51dbed1439b7f27601dfb576fb864099c7ef0c3e55531/pyyaml-6.0.3-cp312-cp312-win_arm64.whl", hash = "sha256:64386e5e707d03a7e172c0701abfb7e10f0fb753ee1d773128192742712a98fd", size = 140344, upload-time = "2025-09-25T21:32:22.617Z" }, + { url = "https://files.pythonhosted.org/packages/d1/11/0fd08f8192109f7169db964b5707a2f1e8b745d4e239b784a5a1dd80d1db/pyyaml-6.0.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:8da9669d359f02c0b91ccc01cac4a67f16afec0dac22c2ad09f46bee0697eba8", size = 181669, upload-time = "2025-09-25T21:32:23.673Z" }, + { url = "https://files.pythonhosted.org/packages/b1/16/95309993f1d3748cd644e02e38b75d50cbc0d9561d21f390a76242ce073f/pyyaml-6.0.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:2283a07e2c21a2aa78d9c4442724ec1eb15f5e42a723b99cb3d822d48f5f7ad1", size = 173252, upload-time = "2025-09-25T21:32:25.149Z" }, + { url = 
"https://files.pythonhosted.org/packages/50/31/b20f376d3f810b9b2371e72ef5adb33879b25edb7a6d072cb7ca0c486398/pyyaml-6.0.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ee2922902c45ae8ccada2c5b501ab86c36525b883eff4255313a253a3160861c", size = 767081, upload-time = "2025-09-25T21:32:26.575Z" }, + { url = "https://files.pythonhosted.org/packages/49/1e/a55ca81e949270d5d4432fbbd19dfea5321eda7c41a849d443dc92fd1ff7/pyyaml-6.0.3-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:a33284e20b78bd4a18c8c2282d549d10bc8408a2a7ff57653c0cf0b9be0afce5", size = 841159, upload-time = "2025-09-25T21:32:27.727Z" }, + { url = "https://files.pythonhosted.org/packages/74/27/e5b8f34d02d9995b80abcef563ea1f8b56d20134d8f4e5e81733b1feceb2/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0f29edc409a6392443abf94b9cf89ce99889a1dd5376d94316ae5145dfedd5d6", size = 801626, upload-time = "2025-09-25T21:32:28.878Z" }, + { url = "https://files.pythonhosted.org/packages/f9/11/ba845c23988798f40e52ba45f34849aa8a1f2d4af4b798588010792ebad6/pyyaml-6.0.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f7057c9a337546edc7973c0d3ba84ddcdf0daa14533c2065749c9075001090e6", size = 753613, upload-time = "2025-09-25T21:32:30.178Z" }, + { url = "https://files.pythonhosted.org/packages/3d/e0/7966e1a7bfc0a45bf0a7fb6b98ea03fc9b8d84fa7f2229e9659680b69ee3/pyyaml-6.0.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:eda16858a3cab07b80edaf74336ece1f986ba330fdb8ee0d6c0d68fe82bc96be", size = 794115, upload-time = "2025-09-25T21:32:31.353Z" }, + { url = "https://files.pythonhosted.org/packages/de/94/980b50a6531b3019e45ddeada0626d45fa85cbe22300844a7983285bed3b/pyyaml-6.0.3-cp313-cp313-win32.whl", hash = "sha256:d0eae10f8159e8fdad514efdc92d74fd8d682c933a6dd088030f3834bc8e6b26", size = 137427, upload-time = "2025-09-25T21:32:32.58Z" }, + { url = 
"https://files.pythonhosted.org/packages/97/c9/39d5b874e8b28845e4ec2202b5da735d0199dbe5b8fb85f91398814a9a46/pyyaml-6.0.3-cp313-cp313-win_amd64.whl", hash = "sha256:79005a0d97d5ddabfeeea4cf676af11e647e41d81c9a7722a193022accdb6b7c", size = 154090, upload-time = "2025-09-25T21:32:33.659Z" }, + { url = "https://files.pythonhosted.org/packages/73/e8/2bdf3ca2090f68bb3d75b44da7bbc71843b19c9f2b9cb9b0f4ab7a5a4329/pyyaml-6.0.3-cp313-cp313-win_arm64.whl", hash = "sha256:5498cd1645aa724a7c71c8f378eb29ebe23da2fc0d7a08071d89469bf1d2defb", size = 140246, upload-time = "2025-09-25T21:32:34.663Z" }, + { url = "https://files.pythonhosted.org/packages/9d/8c/f4bd7f6465179953d3ac9bc44ac1a8a3e6122cf8ada906b4f96c60172d43/pyyaml-6.0.3-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:8d1fab6bb153a416f9aeb4b8763bc0f22a5586065f86f7664fc23339fc1c1fac", size = 181814, upload-time = "2025-09-25T21:32:35.712Z" }, + { url = "https://files.pythonhosted.org/packages/bd/9c/4d95bb87eb2063d20db7b60faa3840c1b18025517ae857371c4dd55a6b3a/pyyaml-6.0.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:34d5fcd24b8445fadc33f9cf348c1047101756fd760b4dacb5c3e99755703310", size = 173809, upload-time = "2025-09-25T21:32:36.789Z" }, + { url = "https://files.pythonhosted.org/packages/92/b5/47e807c2623074914e29dabd16cbbdd4bf5e9b2db9f8090fa64411fc5382/pyyaml-6.0.3-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:501a031947e3a9025ed4405a168e6ef5ae3126c59f90ce0cd6f2bfc477be31b7", size = 766454, upload-time = "2025-09-25T21:32:37.966Z" }, + { url = "https://files.pythonhosted.org/packages/02/9e/e5e9b168be58564121efb3de6859c452fccde0ab093d8438905899a3a483/pyyaml-6.0.3-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:b3bc83488de33889877a0f2543ade9f70c67d66d9ebb4ac959502e12de895788", size = 836355, upload-time = "2025-09-25T21:32:39.178Z" }, + { url = 
"https://files.pythonhosted.org/packages/88/f9/16491d7ed2a919954993e48aa941b200f38040928474c9e85ea9e64222c3/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c458b6d084f9b935061bc36216e8a69a7e293a2f1e68bf956dcd9e6cbcd143f5", size = 794175, upload-time = "2025-09-25T21:32:40.865Z" }, + { url = "https://files.pythonhosted.org/packages/dd/3f/5989debef34dc6397317802b527dbbafb2b4760878a53d4166579111411e/pyyaml-6.0.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:7c6610def4f163542a622a73fb39f534f8c101d690126992300bf3207eab9764", size = 755228, upload-time = "2025-09-25T21:32:42.084Z" }, + { url = "https://files.pythonhosted.org/packages/d7/ce/af88a49043cd2e265be63d083fc75b27b6ed062f5f9fd6cdc223ad62f03e/pyyaml-6.0.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:5190d403f121660ce8d1d2c1bb2ef1bd05b5f68533fc5c2ea899bd15f4399b35", size = 789194, upload-time = "2025-09-25T21:32:43.362Z" }, + { url = "https://files.pythonhosted.org/packages/23/20/bb6982b26a40bb43951265ba29d4c246ef0ff59c9fdcdf0ed04e0687de4d/pyyaml-6.0.3-cp314-cp314-win_amd64.whl", hash = "sha256:4a2e8cebe2ff6ab7d1050ecd59c25d4c8bd7e6f400f5f82b96557ac0abafd0ac", size = 156429, upload-time = "2025-09-25T21:32:57.844Z" }, + { url = "https://files.pythonhosted.org/packages/f4/f4/a4541072bb9422c8a883ab55255f918fa378ecf083f5b85e87fc2b4eda1b/pyyaml-6.0.3-cp314-cp314-win_arm64.whl", hash = "sha256:93dda82c9c22deb0a405ea4dc5f2d0cda384168e466364dec6255b293923b2f3", size = 143912, upload-time = "2025-09-25T21:32:59.247Z" }, + { url = "https://files.pythonhosted.org/packages/7c/f9/07dd09ae774e4616edf6cda684ee78f97777bdd15847253637a6f052a62f/pyyaml-6.0.3-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:02893d100e99e03eda1c8fd5c441d8c60103fd175728e23e431db1b589cf5ab3", size = 189108, upload-time = "2025-09-25T21:32:44.377Z" }, + { url = 
"https://files.pythonhosted.org/packages/4e/78/8d08c9fb7ce09ad8c38ad533c1191cf27f7ae1effe5bb9400a46d9437fcf/pyyaml-6.0.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:c1ff362665ae507275af2853520967820d9124984e0f7466736aea23d8611fba", size = 183641, upload-time = "2025-09-25T21:32:45.407Z" }, + { url = "https://files.pythonhosted.org/packages/7b/5b/3babb19104a46945cf816d047db2788bcaf8c94527a805610b0289a01c6b/pyyaml-6.0.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6adc77889b628398debc7b65c073bcb99c4a0237b248cacaf3fe8a557563ef6c", size = 831901, upload-time = "2025-09-25T21:32:48.83Z" }, + { url = "https://files.pythonhosted.org/packages/8b/cc/dff0684d8dc44da4d22a13f35f073d558c268780ce3c6ba1b87055bb0b87/pyyaml-6.0.3-cp314-cp314t-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:a80cb027f6b349846a3bf6d73b5e95e782175e52f22108cfa17876aaeff93702", size = 861132, upload-time = "2025-09-25T21:32:50.149Z" }, + { url = "https://files.pythonhosted.org/packages/b1/5e/f77dc6b9036943e285ba76b49e118d9ea929885becb0a29ba8a7c75e29fe/pyyaml-6.0.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c", size = 839261, upload-time = "2025-09-25T21:32:51.808Z" }, + { url = "https://files.pythonhosted.org/packages/ce/88/a9db1376aa2a228197c58b37302f284b5617f56a5d959fd1763fb1675ce6/pyyaml-6.0.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:66e1674c3ef6f541c35191caae2d429b967b99e02040f5ba928632d9a7f0f065", size = 805272, upload-time = "2025-09-25T21:32:52.941Z" }, + { url = "https://files.pythonhosted.org/packages/da/92/1446574745d74df0c92e6aa4a7b0b3130706a4142b2d1a5869f2eaa423c6/pyyaml-6.0.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:16249ee61e95f858e83976573de0f5b2893b3677ba71c9dd36b9cf8be9ac6d65", size = 829923, upload-time = "2025-09-25T21:32:54.537Z" }, + { url 
= "https://files.pythonhosted.org/packages/f0/7a/1c7270340330e575b92f397352af856a8c06f230aa3e76f86b39d01b416a/pyyaml-6.0.3-cp314-cp314t-win_amd64.whl", hash = "sha256:4ad1906908f2f5ae4e5a8ddfce73c320c2a1429ec52eafd27138b7f1cbe341c9", size = 174062, upload-time = "2025-09-25T21:32:55.767Z" }, + { url = "https://files.pythonhosted.org/packages/f1/12/de94a39c2ef588c7e6455cfbe7343d3b2dc9d6b6b2f40c4c6565744c873d/pyyaml-6.0.3-cp314-cp314t-win_arm64.whl", hash = "sha256:ebc55a14a21cb14062aa4162f906cd962b28e2e9ea38f9b4391244cd8de4ae0b", size = 149341, upload-time = "2025-09-25T21:32:56.828Z" }, +] + +[[package]] +name = "referencing" +version = "0.37.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "attrs" }, + { name = "rpds-py" }, + { name = "typing-extensions", marker = "python_full_version < '3.13'" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/22/f5/df4e9027acead3ecc63e50fe1e36aca1523e1719559c499951bb4b53188f/referencing-0.37.0.tar.gz", hash = "sha256:44aefc3142c5b842538163acb373e24cce6632bd54bdb01b21ad5863489f50d8", size = 78036, upload-time = "2025-10-13T15:30:48.871Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/2c/58/ca301544e1fa93ed4f80d724bf5b194f6e4b945841c5bfd555878eea9fcb/referencing-0.37.0-py3-none-any.whl", hash = "sha256:381329a9f99628c9069361716891d34ad94af76e461dcb0335825aecc7692231", size = 26766, upload-time = "2025-10-13T15:30:47.625Z" }, +] + +[[package]] +name = "rpds-py" +version = "0.30.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/20/af/3f2f423103f1113b36230496629986e0ef7e199d2aa8392452b484b38ced/rpds_py-0.30.0.tar.gz", hash = "sha256:dd8ff7cf90014af0c0f787eea34794ebf6415242ee1d6fa91eaba725cc441e84", size = 69469, upload-time = "2025-11-30T20:24:38.837Z" } +wheels = [ + { url = 
"https://files.pythonhosted.org/packages/4d/6e/f964e88b3d2abee2a82c1ac8366da848fce1c6d834dc2132c3fda3970290/rpds_py-0.30.0-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:a2bffea6a4ca9f01b3f8e548302470306689684e61602aa3d141e34da06cf425", size = 370157, upload-time = "2025-11-30T20:21:53.789Z" }, + { url = "https://files.pythonhosted.org/packages/94/ba/24e5ebb7c1c82e74c4e4f33b2112a5573ddc703915b13a073737b59b86e0/rpds_py-0.30.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:dc4f992dfe1e2bc3ebc7444f6c7051b4bc13cd8e33e43511e8ffd13bf407010d", size = 359676, upload-time = "2025-11-30T20:21:55.475Z" }, + { url = "https://files.pythonhosted.org/packages/84/86/04dbba1b087227747d64d80c3b74df946b986c57af0a9f0c98726d4d7a3b/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:422c3cb9856d80b09d30d2eb255d0754b23e090034e1deb4083f8004bd0761e4", size = 389938, upload-time = "2025-11-30T20:21:57.079Z" }, + { url = "https://files.pythonhosted.org/packages/42/bb/1463f0b1722b7f45431bdd468301991d1328b16cffe0b1c2918eba2c4eee/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:07ae8a593e1c3c6b82ca3292efbe73c30b61332fd612e05abee07c79359f292f", size = 402932, upload-time = "2025-11-30T20:21:58.47Z" }, + { url = "https://files.pythonhosted.org/packages/99/ee/2520700a5c1f2d76631f948b0736cdf9b0acb25abd0ca8e889b5c62ac2e3/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:12f90dd7557b6bd57f40abe7747e81e0c0b119bef015ea7726e69fe550e394a4", size = 525830, upload-time = "2025-11-30T20:21:59.699Z" }, + { url = "https://files.pythonhosted.org/packages/e0/ad/bd0331f740f5705cc555a5e17fdf334671262160270962e69a2bdef3bf76/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:99b47d6ad9a6da00bec6aabe5a6279ecd3c06a329d4aa4771034a21e335c3a97", size = 412033, upload-time = "2025-11-30T20:22:00.991Z" }, + { url = 
"https://files.pythonhosted.org/packages/f8/1e/372195d326549bb51f0ba0f2ecb9874579906b97e08880e7a65c3bef1a99/rpds_py-0.30.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:33f559f3104504506a44bb666b93a33f5d33133765b0c216a5bf2f1e1503af89", size = 390828, upload-time = "2025-11-30T20:22:02.723Z" }, + { url = "https://files.pythonhosted.org/packages/ab/2b/d88bb33294e3e0c76bc8f351a3721212713629ffca1700fa94979cb3eae8/rpds_py-0.30.0-cp311-cp311-manylinux_2_31_riscv64.whl", hash = "sha256:946fe926af6e44f3697abbc305ea168c2c31d3e3ef1058cf68f379bf0335a78d", size = 404683, upload-time = "2025-11-30T20:22:04.367Z" }, + { url = "https://files.pythonhosted.org/packages/50/32/c759a8d42bcb5289c1fac697cd92f6fe01a018dd937e62ae77e0e7f15702/rpds_py-0.30.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:495aeca4b93d465efde585977365187149e75383ad2684f81519f504f5c13038", size = 421583, upload-time = "2025-11-30T20:22:05.814Z" }, + { url = "https://files.pythonhosted.org/packages/2b/81/e729761dbd55ddf5d84ec4ff1f47857f4374b0f19bdabfcf929164da3e24/rpds_py-0.30.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:d9a0ca5da0386dee0655b4ccdf46119df60e0f10da268d04fe7cc87886872ba7", size = 572496, upload-time = "2025-11-30T20:22:07.713Z" }, + { url = "https://files.pythonhosted.org/packages/14/f6/69066a924c3557c9c30baa6ec3a0aa07526305684c6f86c696b08860726c/rpds_py-0.30.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:8d6d1cc13664ec13c1b84241204ff3b12f9bb82464b8ad6e7a5d3486975c2eed", size = 598669, upload-time = "2025-11-30T20:22:09.312Z" }, + { url = "https://files.pythonhosted.org/packages/5f/48/905896b1eb8a05630d20333d1d8ffd162394127b74ce0b0784ae04498d32/rpds_py-0.30.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:3896fa1be39912cf0757753826bc8bdc8ca331a28a7c4ae46b7a21280b06bb85", size = 561011, upload-time = "2025-11-30T20:22:11.309Z" }, + { url = 
"https://files.pythonhosted.org/packages/22/16/cd3027c7e279d22e5eb431dd3c0fbc677bed58797fe7581e148f3f68818b/rpds_py-0.30.0-cp311-cp311-win32.whl", hash = "sha256:55f66022632205940f1827effeff17c4fa7ae1953d2b74a8581baaefb7d16f8c", size = 221406, upload-time = "2025-11-30T20:22:13.101Z" }, + { url = "https://files.pythonhosted.org/packages/fa/5b/e7b7aa136f28462b344e652ee010d4de26ee9fd16f1bfd5811f5153ccf89/rpds_py-0.30.0-cp311-cp311-win_amd64.whl", hash = "sha256:a51033ff701fca756439d641c0ad09a41d9242fa69121c7d8769604a0a629825", size = 236024, upload-time = "2025-11-30T20:22:14.853Z" }, + { url = "https://files.pythonhosted.org/packages/14/a6/364bba985e4c13658edb156640608f2c9e1d3ea3c81b27aa9d889fff0e31/rpds_py-0.30.0-cp311-cp311-win_arm64.whl", hash = "sha256:47b0ef6231c58f506ef0b74d44e330405caa8428e770fec25329ed2cb971a229", size = 229069, upload-time = "2025-11-30T20:22:16.577Z" }, + { url = "https://files.pythonhosted.org/packages/03/e7/98a2f4ac921d82f33e03f3835f5bf3a4a40aa1bfdc57975e74a97b2b4bdd/rpds_py-0.30.0-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:a161f20d9a43006833cd7068375a94d035714d73a172b681d8881820600abfad", size = 375086, upload-time = "2025-11-30T20:22:17.93Z" }, + { url = "https://files.pythonhosted.org/packages/4d/a1/bca7fd3d452b272e13335db8d6b0b3ecde0f90ad6f16f3328c6fb150c889/rpds_py-0.30.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:6abc8880d9d036ecaafe709079969f56e876fcf107f7a8e9920ba6d5a3878d05", size = 359053, upload-time = "2025-11-30T20:22:19.297Z" }, + { url = "https://files.pythonhosted.org/packages/65/1c/ae157e83a6357eceff62ba7e52113e3ec4834a84cfe07fa4b0757a7d105f/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca28829ae5f5d569bb62a79512c842a03a12576375d5ece7d2cadf8abe96ec28", size = 390763, upload-time = "2025-11-30T20:22:21.661Z" }, + { url = 
"https://files.pythonhosted.org/packages/d4/36/eb2eb8515e2ad24c0bd43c3ee9cd74c33f7ca6430755ccdb240fd3144c44/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:a1010ed9524c73b94d15919ca4d41d8780980e1765babf85f9a2f90d247153dd", size = 408951, upload-time = "2025-11-30T20:22:23.408Z" }, + { url = "https://files.pythonhosted.org/packages/d6/65/ad8dc1784a331fabbd740ef6f71ce2198c7ed0890dab595adb9ea2d775a1/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f8d1736cfb49381ba528cd5baa46f82fdc65c06e843dab24dd70b63d09121b3f", size = 514622, upload-time = "2025-11-30T20:22:25.16Z" }, + { url = "https://files.pythonhosted.org/packages/63/8e/0cfa7ae158e15e143fe03993b5bcd743a59f541f5952e1546b1ac1b5fd45/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d948b135c4693daff7bc2dcfc4ec57237a29bd37e60c2fabf5aff2bbacf3e2f1", size = 414492, upload-time = "2025-11-30T20:22:26.505Z" }, + { url = "https://files.pythonhosted.org/packages/60/1b/6f8f29f3f995c7ffdde46a626ddccd7c63aefc0efae881dc13b6e5d5bb16/rpds_py-0.30.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47f236970bccb2233267d89173d3ad2703cd36a0e2a6e92d0560d333871a3d23", size = 394080, upload-time = "2025-11-30T20:22:27.934Z" }, + { url = "https://files.pythonhosted.org/packages/6d/d5/a266341051a7a3ca2f4b750a3aa4abc986378431fc2da508c5034d081b70/rpds_py-0.30.0-cp312-cp312-manylinux_2_31_riscv64.whl", hash = "sha256:2e6ecb5a5bcacf59c3f912155044479af1d0b6681280048b338b28e364aca1f6", size = 408680, upload-time = "2025-11-30T20:22:29.341Z" }, + { url = "https://files.pythonhosted.org/packages/10/3b/71b725851df9ab7a7a4e33cf36d241933da66040d195a84781f49c50490c/rpds_py-0.30.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a8fa71a2e078c527c3e9dc9fc5a98c9db40bcc8a92b4e8858e36d329f8684b51", size = 423589, upload-time = "2025-11-30T20:22:31.469Z" }, + { url = 
"https://files.pythonhosted.org/packages/00/2b/e59e58c544dc9bd8bd8384ecdb8ea91f6727f0e37a7131baeff8d6f51661/rpds_py-0.30.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:73c67f2db7bc334e518d097c6d1e6fed021bbc9b7d678d6cc433478365d1d5f5", size = 573289, upload-time = "2025-11-30T20:22:32.997Z" }, + { url = "https://files.pythonhosted.org/packages/da/3e/a18e6f5b460893172a7d6a680e86d3b6bc87a54c1f0b03446a3c8c7b588f/rpds_py-0.30.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:5ba103fb455be00f3b1c2076c9d4264bfcb037c976167a6047ed82f23153f02e", size = 599737, upload-time = "2025-11-30T20:22:34.419Z" }, + { url = "https://files.pythonhosted.org/packages/5c/e2/714694e4b87b85a18e2c243614974413c60aa107fd815b8cbc42b873d1d7/rpds_py-0.30.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:7cee9c752c0364588353e627da8a7e808a66873672bcb5f52890c33fd965b394", size = 563120, upload-time = "2025-11-30T20:22:35.903Z" }, + { url = "https://files.pythonhosted.org/packages/6f/ab/d5d5e3bcedb0a77f4f613706b750e50a5a3ba1c15ccd3665ecc636c968fd/rpds_py-0.30.0-cp312-cp312-win32.whl", hash = "sha256:1ab5b83dbcf55acc8b08fc62b796ef672c457b17dbd7820a11d6c52c06839bdf", size = 223782, upload-time = "2025-11-30T20:22:37.271Z" }, + { url = "https://files.pythonhosted.org/packages/39/3b/f786af9957306fdc38a74cef405b7b93180f481fb48453a114bb6465744a/rpds_py-0.30.0-cp312-cp312-win_amd64.whl", hash = "sha256:a090322ca841abd453d43456ac34db46e8b05fd9b3b4ac0c78bcde8b089f959b", size = 240463, upload-time = "2025-11-30T20:22:39.021Z" }, + { url = "https://files.pythonhosted.org/packages/f3/d2/b91dc748126c1559042cfe41990deb92c4ee3e2b415f6b5234969ffaf0cc/rpds_py-0.30.0-cp312-cp312-win_arm64.whl", hash = "sha256:669b1805bd639dd2989b281be2cfd951c6121b65e729d9b843e9639ef1fd555e", size = 230868, upload-time = "2025-11-30T20:22:40.493Z" }, + { url = 
"https://files.pythonhosted.org/packages/ed/dc/d61221eb88ff410de3c49143407f6f3147acf2538c86f2ab7ce65ae7d5f9/rpds_py-0.30.0-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:f83424d738204d9770830d35290ff3273fbb02b41f919870479fab14b9d303b2", size = 374887, upload-time = "2025-11-30T20:22:41.812Z" }, + { url = "https://files.pythonhosted.org/packages/fd/32/55fb50ae104061dbc564ef15cc43c013dc4a9f4527a1f4d99baddf56fe5f/rpds_py-0.30.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:e7536cd91353c5273434b4e003cbda89034d67e7710eab8761fd918ec6c69cf8", size = 358904, upload-time = "2025-11-30T20:22:43.479Z" }, + { url = "https://files.pythonhosted.org/packages/58/70/faed8186300e3b9bdd138d0273109784eea2396c68458ed580f885dfe7ad/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2771c6c15973347f50fece41fc447c054b7ac2ae0502388ce3b6738cd366e3d4", size = 389945, upload-time = "2025-11-30T20:22:44.819Z" }, + { url = "https://files.pythonhosted.org/packages/bd/a8/073cac3ed2c6387df38f71296d002ab43496a96b92c823e76f46b8af0543/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:0a59119fc6e3f460315fe9d08149f8102aa322299deaa5cab5b40092345c2136", size = 407783, upload-time = "2025-11-30T20:22:46.103Z" }, + { url = "https://files.pythonhosted.org/packages/77/57/5999eb8c58671f1c11eba084115e77a8899d6e694d2a18f69f0ba471ec8b/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:76fec018282b4ead0364022e3c54b60bf368b9d926877957a8624b58419169b7", size = 515021, upload-time = "2025-11-30T20:22:47.458Z" }, + { url = "https://files.pythonhosted.org/packages/e0/af/5ab4833eadc36c0a8ed2bc5c0de0493c04f6c06de223170bd0798ff98ced/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:692bef75a5525db97318e8cd061542b5a79812d711ea03dbc1f6f8dbb0c5f0d2", size = 414589, upload-time = "2025-11-30T20:22:48.872Z" }, + { url = 
"https://files.pythonhosted.org/packages/b7/de/f7192e12b21b9e9a68a6d0f249b4af3fdcdff8418be0767a627564afa1f1/rpds_py-0.30.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9027da1ce107104c50c81383cae773ef5c24d296dd11c99e2629dbd7967a20c6", size = 394025, upload-time = "2025-11-30T20:22:50.196Z" }, + { url = "https://files.pythonhosted.org/packages/91/c4/fc70cd0249496493500e7cc2de87504f5aa6509de1e88623431fec76d4b6/rpds_py-0.30.0-cp313-cp313-manylinux_2_31_riscv64.whl", hash = "sha256:9cf69cdda1f5968a30a359aba2f7f9aa648a9ce4b580d6826437f2b291cfc86e", size = 408895, upload-time = "2025-11-30T20:22:51.87Z" }, + { url = "https://files.pythonhosted.org/packages/58/95/d9275b05ab96556fefff73a385813eb66032e4c99f411d0795372d9abcea/rpds_py-0.30.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a4796a717bf12b9da9d3ad002519a86063dcac8988b030e405704ef7d74d2d9d", size = 422799, upload-time = "2025-11-30T20:22:53.341Z" }, + { url = "https://files.pythonhosted.org/packages/06/c1/3088fc04b6624eb12a57eb814f0d4997a44b0d208d6cace713033ff1a6ba/rpds_py-0.30.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:5d4c2aa7c50ad4728a094ebd5eb46c452e9cb7edbfdb18f9e1221f597a73e1e7", size = 572731, upload-time = "2025-11-30T20:22:54.778Z" }, + { url = "https://files.pythonhosted.org/packages/d8/42/c612a833183b39774e8ac8fecae81263a68b9583ee343db33ab571a7ce55/rpds_py-0.30.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ba81a9203d07805435eb06f536d95a266c21e5b2dfbf6517748ca40c98d19e31", size = 599027, upload-time = "2025-11-30T20:22:56.212Z" }, + { url = "https://files.pythonhosted.org/packages/5f/60/525a50f45b01d70005403ae0e25f43c0384369ad24ffe46e8d9068b50086/rpds_py-0.30.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:945dccface01af02675628334f7cf49c2af4c1c904748efc5cf7bbdf0b579f95", size = 563020, upload-time = "2025-11-30T20:22:58.2Z" }, + { url = 
"https://files.pythonhosted.org/packages/0b/5d/47c4655e9bcd5ca907148535c10e7d489044243cc9941c16ed7cd53be91d/rpds_py-0.30.0-cp313-cp313-win32.whl", hash = "sha256:b40fb160a2db369a194cb27943582b38f79fc4887291417685f3ad693c5a1d5d", size = 223139, upload-time = "2025-11-30T20:23:00.209Z" }, + { url = "https://files.pythonhosted.org/packages/f2/e1/485132437d20aa4d3e1d8b3fb5a5e65aa8139f1e097080c2a8443201742c/rpds_py-0.30.0-cp313-cp313-win_amd64.whl", hash = "sha256:806f36b1b605e2d6a72716f321f20036b9489d29c51c91f4dd29a3e3afb73b15", size = 240224, upload-time = "2025-11-30T20:23:02.008Z" }, + { url = "https://files.pythonhosted.org/packages/24/95/ffd128ed1146a153d928617b0ef673960130be0009c77d8fbf0abe306713/rpds_py-0.30.0-cp313-cp313-win_arm64.whl", hash = "sha256:d96c2086587c7c30d44f31f42eae4eac89b60dabbac18c7669be3700f13c3ce1", size = 230645, upload-time = "2025-11-30T20:23:03.43Z" }, + { url = "https://files.pythonhosted.org/packages/ff/1b/b10de890a0def2a319a2626334a7f0ae388215eb60914dbac8a3bae54435/rpds_py-0.30.0-cp313-cp313t-macosx_10_12_x86_64.whl", hash = "sha256:eb0b93f2e5c2189ee831ee43f156ed34e2a89a78a66b98cadad955972548be5a", size = 364443, upload-time = "2025-11-30T20:23:04.878Z" }, + { url = "https://files.pythonhosted.org/packages/0d/bf/27e39f5971dc4f305a4fb9c672ca06f290f7c4e261c568f3dea16a410d47/rpds_py-0.30.0-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:922e10f31f303c7c920da8981051ff6d8c1a56207dbdf330d9047f6d30b70e5e", size = 353375, upload-time = "2025-11-30T20:23:06.342Z" }, + { url = "https://files.pythonhosted.org/packages/40/58/442ada3bba6e8e6615fc00483135c14a7538d2ffac30e2d933ccf6852232/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cdc62c8286ba9bf7f47befdcea13ea0e26bf294bda99758fd90535cbaf408000", size = 383850, upload-time = "2025-11-30T20:23:07.825Z" }, + { url = 
"https://files.pythonhosted.org/packages/14/14/f59b0127409a33c6ef6f5c1ebd5ad8e32d7861c9c7adfa9a624fc3889f6c/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:47f9a91efc418b54fb8190a6b4aa7813a23fb79c51f4bb84e418f5476c38b8db", size = 392812, upload-time = "2025-11-30T20:23:09.228Z" }, + { url = "https://files.pythonhosted.org/packages/b3/66/e0be3e162ac299b3a22527e8913767d869e6cc75c46bd844aa43fb81ab62/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1f3587eb9b17f3789ad50824084fa6f81921bbf9a795826570bda82cb3ed91f2", size = 517841, upload-time = "2025-11-30T20:23:11.186Z" }, + { url = "https://files.pythonhosted.org/packages/3d/55/fa3b9cf31d0c963ecf1ba777f7cf4b2a2c976795ac430d24a1f43d25a6ba/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:39c02563fc592411c2c61d26b6c5fe1e51eaa44a75aa2c8735ca88b0d9599daa", size = 408149, upload-time = "2025-11-30T20:23:12.864Z" }, + { url = "https://files.pythonhosted.org/packages/60/ca/780cf3b1a32b18c0f05c441958d3758f02544f1d613abf9488cd78876378/rpds_py-0.30.0-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51a1234d8febafdfd33a42d97da7a43f5dcb120c1060e352a3fbc0c6d36e2083", size = 383843, upload-time = "2025-11-30T20:23:14.638Z" }, + { url = "https://files.pythonhosted.org/packages/82/86/d5f2e04f2aa6247c613da0c1dd87fcd08fa17107e858193566048a1e2f0a/rpds_py-0.30.0-cp313-cp313t-manylinux_2_31_riscv64.whl", hash = "sha256:eb2c4071ab598733724c08221091e8d80e89064cd472819285a9ab0f24bcedb9", size = 396507, upload-time = "2025-11-30T20:23:16.105Z" }, + { url = "https://files.pythonhosted.org/packages/4b/9a/453255d2f769fe44e07ea9785c8347edaf867f7026872e76c1ad9f7bed92/rpds_py-0.30.0-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:6bdfdb946967d816e6adf9a3d8201bfad269c67efe6cefd7093ef959683c8de0", size = 414949, upload-time = "2025-11-30T20:23:17.539Z" }, + { url = 
"https://files.pythonhosted.org/packages/a3/31/622a86cdc0c45d6df0e9ccb6becdba5074735e7033c20e401a6d9d0e2ca0/rpds_py-0.30.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:c77afbd5f5250bf27bf516c7c4a016813eb2d3e116139aed0096940c5982da94", size = 565790, upload-time = "2025-11-30T20:23:19.029Z" }, + { url = "https://files.pythonhosted.org/packages/1c/5d/15bbf0fb4a3f58a3b1c67855ec1efcc4ceaef4e86644665fff03e1b66d8d/rpds_py-0.30.0-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:61046904275472a76c8c90c9ccee9013d70a6d0f73eecefd38c1ae7c39045a08", size = 590217, upload-time = "2025-11-30T20:23:20.885Z" }, + { url = "https://files.pythonhosted.org/packages/6d/61/21b8c41f68e60c8cc3b2e25644f0e3681926020f11d06ab0b78e3c6bbff1/rpds_py-0.30.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:4c5f36a861bc4b7da6516dbdf302c55313afa09b81931e8280361a4f6c9a2d27", size = 555806, upload-time = "2025-11-30T20:23:22.488Z" }, + { url = "https://files.pythonhosted.org/packages/f9/39/7e067bb06c31de48de3eb200f9fc7c58982a4d3db44b07e73963e10d3be9/rpds_py-0.30.0-cp313-cp313t-win32.whl", hash = "sha256:3d4a69de7a3e50ffc214ae16d79d8fbb0922972da0356dcf4d0fdca2878559c6", size = 211341, upload-time = "2025-11-30T20:23:24.449Z" }, + { url = "https://files.pythonhosted.org/packages/0a/4d/222ef0b46443cf4cf46764d9c630f3fe4abaa7245be9417e56e9f52b8f65/rpds_py-0.30.0-cp313-cp313t-win_amd64.whl", hash = "sha256:f14fc5df50a716f7ece6a80b6c78bb35ea2ca47c499e422aa4463455dd96d56d", size = 225768, upload-time = "2025-11-30T20:23:25.908Z" }, + { url = "https://files.pythonhosted.org/packages/86/81/dad16382ebbd3d0e0328776d8fd7ca94220e4fa0798d1dc5e7da48cb3201/rpds_py-0.30.0-cp314-cp314-macosx_10_12_x86_64.whl", hash = "sha256:68f19c879420aa08f61203801423f6cd5ac5f0ac4ac82a2368a9fcd6a9a075e0", size = 362099, upload-time = "2025-11-30T20:23:27.316Z" }, + { url = 
"https://files.pythonhosted.org/packages/2b/60/19f7884db5d5603edf3c6bce35408f45ad3e97e10007df0e17dd57af18f8/rpds_py-0.30.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:ec7c4490c672c1a0389d319b3a9cfcd098dcdc4783991553c332a15acf7249be", size = 353192, upload-time = "2025-11-30T20:23:29.151Z" }, + { url = "https://files.pythonhosted.org/packages/bf/c4/76eb0e1e72d1a9c4703c69607cec123c29028bff28ce41588792417098ac/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f251c812357a3fed308d684a5079ddfb9d933860fc6de89f2b7ab00da481e65f", size = 384080, upload-time = "2025-11-30T20:23:30.785Z" }, + { url = "https://files.pythonhosted.org/packages/72/87/87ea665e92f3298d1b26d78814721dc39ed8d2c74b86e83348d6b48a6f31/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ac98b175585ecf4c0348fd7b29c3864bda53b805c773cbf7bfdaffc8070c976f", size = 394841, upload-time = "2025-11-30T20:23:32.209Z" }, + { url = "https://files.pythonhosted.org/packages/77/ad/7783a89ca0587c15dcbf139b4a8364a872a25f861bdb88ed99f9b0dec985/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3e62880792319dbeb7eb866547f2e35973289e7d5696c6e295476448f5b63c87", size = 516670, upload-time = "2025-11-30T20:23:33.742Z" }, + { url = "https://files.pythonhosted.org/packages/5b/3c/2882bdac942bd2172f3da574eab16f309ae10a3925644e969536553cb4ee/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4e7fc54e0900ab35d041b0601431b0a0eb495f0851a0639b6ef90f7741b39a18", size = 408005, upload-time = "2025-11-30T20:23:35.253Z" }, + { url = "https://files.pythonhosted.org/packages/ce/81/9a91c0111ce1758c92516a3e44776920b579d9a7c09b2b06b642d4de3f0f/rpds_py-0.30.0-cp314-cp314-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47e77dc9822d3ad616c3d5759ea5631a75e5809d5a28707744ef79d7a1bcfcad", size = 382112, upload-time = "2025-11-30T20:23:36.842Z" }, + { url = 
"https://files.pythonhosted.org/packages/cf/8e/1da49d4a107027e5fbc64daeab96a0706361a2918da10cb41769244b805d/rpds_py-0.30.0-cp314-cp314-manylinux_2_31_riscv64.whl", hash = "sha256:b4dc1a6ff022ff85ecafef7979a2c6eb423430e05f1165d6688234e62ba99a07", size = 399049, upload-time = "2025-11-30T20:23:38.343Z" }, + { url = "https://files.pythonhosted.org/packages/df/5a/7ee239b1aa48a127570ec03becbb29c9d5a9eb092febbd1699d567cae859/rpds_py-0.30.0-cp314-cp314-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:4559c972db3a360808309e06a74628b95eaccbf961c335c8fe0d590cf587456f", size = 415661, upload-time = "2025-11-30T20:23:40.263Z" }, + { url = "https://files.pythonhosted.org/packages/70/ea/caa143cf6b772f823bc7929a45da1fa83569ee49b11d18d0ada7f5ee6fd6/rpds_py-0.30.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:0ed177ed9bded28f8deb6ab40c183cd1192aa0de40c12f38be4d59cd33cb5c65", size = 565606, upload-time = "2025-11-30T20:23:42.186Z" }, + { url = "https://files.pythonhosted.org/packages/64/91/ac20ba2d69303f961ad8cf55bf7dbdb4763f627291ba3d0d7d67333cced9/rpds_py-0.30.0-cp314-cp314-musllinux_1_2_i686.whl", hash = "sha256:ad1fa8db769b76ea911cb4e10f049d80bf518c104f15b3edb2371cc65375c46f", size = 591126, upload-time = "2025-11-30T20:23:44.086Z" }, + { url = "https://files.pythonhosted.org/packages/21/20/7ff5f3c8b00c8a95f75985128c26ba44503fb35b8e0259d812766ea966c7/rpds_py-0.30.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:46e83c697b1f1c72b50e5ee5adb4353eef7406fb3f2043d64c33f20ad1c2fc53", size = 553371, upload-time = "2025-11-30T20:23:46.004Z" }, + { url = "https://files.pythonhosted.org/packages/72/c7/81dadd7b27c8ee391c132a6b192111ca58d866577ce2d9b0ca157552cce0/rpds_py-0.30.0-cp314-cp314-win32.whl", hash = "sha256:ee454b2a007d57363c2dfd5b6ca4a5d7e2c518938f8ed3b706e37e5d470801ed", size = 215298, upload-time = "2025-11-30T20:23:47.696Z" }, + { url = 
"https://files.pythonhosted.org/packages/3e/d2/1aaac33287e8cfb07aab2e6b8ac1deca62f6f65411344f1433c55e6f3eb8/rpds_py-0.30.0-cp314-cp314-win_amd64.whl", hash = "sha256:95f0802447ac2d10bcc69f6dc28fe95fdf17940367b21d34e34c737870758950", size = 228604, upload-time = "2025-11-30T20:23:49.501Z" }, + { url = "https://files.pythonhosted.org/packages/e8/95/ab005315818cc519ad074cb7784dae60d939163108bd2b394e60dc7b5461/rpds_py-0.30.0-cp314-cp314-win_arm64.whl", hash = "sha256:613aa4771c99f03346e54c3f038e4cc574ac09a3ddfb0e8878487335e96dead6", size = 222391, upload-time = "2025-11-30T20:23:50.96Z" }, + { url = "https://files.pythonhosted.org/packages/9e/68/154fe0194d83b973cdedcdcc88947a2752411165930182ae41d983dcefa6/rpds_py-0.30.0-cp314-cp314t-macosx_10_12_x86_64.whl", hash = "sha256:7e6ecfcb62edfd632e56983964e6884851786443739dbfe3582947e87274f7cb", size = 364868, upload-time = "2025-11-30T20:23:52.494Z" }, + { url = "https://files.pythonhosted.org/packages/83/69/8bbc8b07ec854d92a8b75668c24d2abcb1719ebf890f5604c61c9369a16f/rpds_py-0.30.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:a1d0bc22a7cdc173fedebb73ef81e07faef93692b8c1ad3733b67e31e1b6e1b8", size = 353747, upload-time = "2025-11-30T20:23:54.036Z" }, + { url = "https://files.pythonhosted.org/packages/ab/00/ba2e50183dbd9abcce9497fa5149c62b4ff3e22d338a30d690f9af970561/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0d08f00679177226c4cb8c5265012eea897c8ca3b93f429e546600c971bcbae7", size = 383795, upload-time = "2025-11-30T20:23:55.556Z" }, + { url = "https://files.pythonhosted.org/packages/05/6f/86f0272b84926bcb0e4c972262f54223e8ecc556b3224d281e6598fc9268/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5965af57d5848192c13534f90f9dd16464f3c37aaf166cc1da1cae1fd5a34898", size = 393330, upload-time = "2025-11-30T20:23:57.033Z" }, + { url = 
"https://files.pythonhosted.org/packages/cb/e9/0e02bb2e6dc63d212641da45df2b0bf29699d01715913e0d0f017ee29438/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9a4e86e34e9ab6b667c27f3211ca48f73dba7cd3d90f8d5b11be56e5dbc3fb4e", size = 518194, upload-time = "2025-11-30T20:23:58.637Z" }, + { url = "https://files.pythonhosted.org/packages/ee/ca/be7bca14cf21513bdf9c0606aba17d1f389ea2b6987035eb4f62bd923f25/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e5d3e6b26f2c785d65cc25ef1e5267ccbe1b069c5c21b8cc724efee290554419", size = 408340, upload-time = "2025-11-30T20:24:00.2Z" }, + { url = "https://files.pythonhosted.org/packages/c2/c7/736e00ebf39ed81d75544c0da6ef7b0998f8201b369acf842f9a90dc8fce/rpds_py-0.30.0-cp314-cp314t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:626a7433c34566535b6e56a1b39a7b17ba961e97ce3b80ec62e6f1312c025551", size = 383765, upload-time = "2025-11-30T20:24:01.759Z" }, + { url = "https://files.pythonhosted.org/packages/4a/3f/da50dfde9956aaf365c4adc9533b100008ed31aea635f2b8d7b627e25b49/rpds_py-0.30.0-cp314-cp314t-manylinux_2_31_riscv64.whl", hash = "sha256:acd7eb3f4471577b9b5a41baf02a978e8bdeb08b4b355273994f8b87032000a8", size = 396834, upload-time = "2025-11-30T20:24:03.687Z" }, + { url = "https://files.pythonhosted.org/packages/4e/00/34bcc2565b6020eab2623349efbdec810676ad571995911f1abdae62a3a0/rpds_py-0.30.0-cp314-cp314t-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:fe5fa731a1fa8a0a56b0977413f8cacac1768dad38d16b3a296712709476fbd5", size = 415470, upload-time = "2025-11-30T20:24:05.232Z" }, + { url = "https://files.pythonhosted.org/packages/8c/28/882e72b5b3e6f718d5453bd4d0d9cf8df36fddeb4ddbbab17869d5868616/rpds_py-0.30.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:74a3243a411126362712ee1524dfc90c650a503502f135d54d1b352bd01f2404", size = 565630, upload-time = "2025-11-30T20:24:06.878Z" }, + { url = 
"https://files.pythonhosted.org/packages/3b/97/04a65539c17692de5b85c6e293520fd01317fd878ea1995f0367d4532fb1/rpds_py-0.30.0-cp314-cp314t-musllinux_1_2_i686.whl", hash = "sha256:3e8eeb0544f2eb0d2581774be4c3410356eba189529a6b3e36bbbf9696175856", size = 591148, upload-time = "2025-11-30T20:24:08.445Z" }, + { url = "https://files.pythonhosted.org/packages/85/70/92482ccffb96f5441aab93e26c4d66489eb599efdcf96fad90c14bbfb976/rpds_py-0.30.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:dbd936cde57abfee19ab3213cf9c26be06d60750e60a8e4dd85d1ab12c8b1f40", size = 556030, upload-time = "2025-11-30T20:24:10.956Z" }, + { url = "https://files.pythonhosted.org/packages/20/53/7c7e784abfa500a2b6b583b147ee4bb5a2b3747a9166bab52fec4b5b5e7d/rpds_py-0.30.0-cp314-cp314t-win32.whl", hash = "sha256:dc824125c72246d924f7f796b4f63c1e9dc810c7d9e2355864b3c3a73d59ade0", size = 211570, upload-time = "2025-11-30T20:24:12.735Z" }, + { url = "https://files.pythonhosted.org/packages/d0/02/fa464cdfbe6b26e0600b62c528b72d8608f5cc49f96b8d6e38c95d60c676/rpds_py-0.30.0-cp314-cp314t-win_amd64.whl", hash = "sha256:27f4b0e92de5bfbc6f86e43959e6edd1425c33b5e69aab0984a72047f2bcf1e3", size = 226532, upload-time = "2025-11-30T20:24:14.634Z" }, + { url = "https://files.pythonhosted.org/packages/69/71/3f34339ee70521864411f8b6992e7ab13ac30d8e4e3309e07c7361767d91/rpds_py-0.30.0-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:c2262bdba0ad4fc6fb5545660673925c2d2a5d9e2e0fb603aad545427be0fc58", size = 372292, upload-time = "2025-11-30T20:24:16.537Z" }, + { url = "https://files.pythonhosted.org/packages/57/09/f183df9b8f2d66720d2ef71075c59f7e1b336bec7ee4c48f0a2b06857653/rpds_py-0.30.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:ee6af14263f25eedc3bb918a3c04245106a42dfd4f5c2285ea6f997b1fc3f89a", size = 362128, upload-time = "2025-11-30T20:24:18.086Z" }, + { url = 
"https://files.pythonhosted.org/packages/7a/68/5c2594e937253457342e078f0cc1ded3dd7b2ad59afdbf2d354869110a02/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3adbb8179ce342d235c31ab8ec511e66c73faa27a47e076ccc92421add53e2bb", size = 391542, upload-time = "2025-11-30T20:24:20.092Z" }, + { url = "https://files.pythonhosted.org/packages/49/5c/31ef1afd70b4b4fbdb2800249f34c57c64beb687495b10aec0365f53dfc4/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:250fa00e9543ac9b97ac258bd37367ff5256666122c2d0f2bc97577c60a1818c", size = 404004, upload-time = "2025-11-30T20:24:22.231Z" }, + { url = "https://files.pythonhosted.org/packages/e3/63/0cfbea38d05756f3440ce6534d51a491d26176ac045e2707adc99bb6e60a/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9854cf4f488b3d57b9aaeb105f06d78e5529d3145b1e4a41750167e8c213c6d3", size = 527063, upload-time = "2025-11-30T20:24:24.302Z" }, + { url = "https://files.pythonhosted.org/packages/42/e6/01e1f72a2456678b0f618fc9a1a13f882061690893c192fcad9f2926553a/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:993914b8e560023bc0a8bf742c5f303551992dcb85e247b1e5c7f4a7d145bda5", size = 413099, upload-time = "2025-11-30T20:24:25.916Z" }, + { url = "https://files.pythonhosted.org/packages/b8/25/8df56677f209003dcbb180765520c544525e3ef21ea72279c98b9aa7c7fb/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58edca431fb9b29950807e301826586e5bbf24163677732429770a697ffe6738", size = 392177, upload-time = "2025-11-30T20:24:27.834Z" }, + { url = "https://files.pythonhosted.org/packages/4a/b4/0a771378c5f16f8115f796d1f437950158679bcd2a7c68cf251cfb00ed5b/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_31_riscv64.whl", hash = "sha256:dea5b552272a944763b34394d04577cf0f9bd013207bc32323b5a89a53cf9c2f", size = 406015, upload-time = 
"2025-11-30T20:24:29.457Z" }, + { url = "https://files.pythonhosted.org/packages/36/d8/456dbba0af75049dc6f63ff295a2f92766b9d521fa00de67a2bd6427d57a/rpds_py-0.30.0-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ba3af48635eb83d03f6c9735dfb21785303e73d22ad03d489e88adae6eab8877", size = 423736, upload-time = "2025-11-30T20:24:31.22Z" }, + { url = "https://files.pythonhosted.org/packages/13/64/b4d76f227d5c45a7e0b796c674fd81b0a6c4fbd48dc29271857d8219571c/rpds_py-0.30.0-pp311-pypy311_pp73-musllinux_1_2_aarch64.whl", hash = "sha256:dff13836529b921e22f15cb099751209a60009731a68519630a24d61f0b1b30a", size = 573981, upload-time = "2025-11-30T20:24:32.934Z" }, + { url = "https://files.pythonhosted.org/packages/20/91/092bacadeda3edf92bf743cc96a7be133e13a39cdbfd7b5082e7ab638406/rpds_py-0.30.0-pp311-pypy311_pp73-musllinux_1_2_i686.whl", hash = "sha256:1b151685b23929ab7beec71080a8889d4d6d9fa9a983d213f07121205d48e2c4", size = 599782, upload-time = "2025-11-30T20:24:35.169Z" }, + { url = "https://files.pythonhosted.org/packages/d1/b7/b95708304cd49b7b6f82fdd039f1748b66ec2b21d6a45180910802f1abf1/rpds_py-0.30.0-pp311-pypy311_pp73-musllinux_1_2_x86_64.whl", hash = "sha256:ac37f9f516c51e5753f27dfdef11a88330f04de2d564be3991384b2f3535d02e", size = 562191, upload-time = "2025-11-30T20:24:36.853Z" }, +] + +[[package]] +name = "tomli" +version = "2.4.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/82/30/31573e9457673ab10aa432461bee537ce6cef177667deca369efb79df071/tomli-2.4.0.tar.gz", hash = "sha256:aa89c3f6c277dd275d8e243ad24f3b5e701491a860d5121f2cdd399fbb31fc9c", size = 17477, upload-time = "2026-01-11T11:22:38.165Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/3c/d9/3dc2289e1f3b32eb19b9785b6a006b28ee99acb37d1d47f78d4c10e28bf8/tomli-2.4.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:b5ef256a3fd497d4973c11bf142e9ed78b150d36f5773f1ca6088c230ffc5867", size = 153663, upload-time 
= "2026-01-11T11:21:45.27Z" }, + { url = "https://files.pythonhosted.org/packages/51/32/ef9f6845e6b9ca392cd3f64f9ec185cc6f09f0a2df3db08cbe8809d1d435/tomli-2.4.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5572e41282d5268eb09a697c89a7bee84fae66511f87533a6f88bd2f7b652da9", size = 148469, upload-time = "2026-01-11T11:21:46.873Z" }, + { url = "https://files.pythonhosted.org/packages/d6/c2/506e44cce89a8b1b1e047d64bd495c22c9f71f21e05f380f1a950dd9c217/tomli-2.4.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:551e321c6ba03b55676970b47cb1b73f14a0a4dce6a3e1a9458fd6d921d72e95", size = 236039, upload-time = "2026-01-11T11:21:48.503Z" }, + { url = "https://files.pythonhosted.org/packages/b3/40/e1b65986dbc861b7e986e8ec394598187fa8aee85b1650b01dd925ca0be8/tomli-2.4.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:5e3f639a7a8f10069d0e15408c0b96a2a828cfdec6fca05296ebcdcc28ca7c76", size = 243007, upload-time = "2026-01-11T11:21:49.456Z" }, + { url = "https://files.pythonhosted.org/packages/9c/6f/6e39ce66b58a5b7ae572a0f4352ff40c71e8573633deda43f6a379d56b3e/tomli-2.4.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1b168f2731796b045128c45982d3a4874057626da0e2ef1fdd722848b741361d", size = 240875, upload-time = "2026-01-11T11:21:50.755Z" }, + { url = "https://files.pythonhosted.org/packages/aa/ad/cb089cb190487caa80204d503c7fd0f4d443f90b95cf4ef5cf5aa0f439b0/tomli-2.4.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:133e93646ec4300d651839d382d63edff11d8978be23da4cc106f5a18b7d0576", size = 246271, upload-time = "2026-01-11T11:21:51.81Z" }, + { url = "https://files.pythonhosted.org/packages/0b/63/69125220e47fd7a3a27fd0de0c6398c89432fec41bc739823bcc66506af6/tomli-2.4.0-cp311-cp311-win32.whl", hash = "sha256:b6c78bdf37764092d369722d9946cb65b8767bfa4110f902a1b2542d8d173c8a", size = 96770, upload-time = "2026-01-11T11:21:52.647Z" }, + { url = 
"https://files.pythonhosted.org/packages/1e/0d/a22bb6c83f83386b0008425a6cd1fa1c14b5f3dd4bad05e98cf3dbbf4a64/tomli-2.4.0-cp311-cp311-win_amd64.whl", hash = "sha256:d3d1654e11d724760cdb37a3d7691f0be9db5fbdaef59c9f532aabf87006dbaa", size = 107626, upload-time = "2026-01-11T11:21:53.459Z" }, + { url = "https://files.pythonhosted.org/packages/2f/6d/77be674a3485e75cacbf2ddba2b146911477bd887dda9d8c9dfb2f15e871/tomli-2.4.0-cp311-cp311-win_arm64.whl", hash = "sha256:cae9c19ed12d4e8f3ebf46d1a75090e4c0dc16271c5bce1c833ac168f08fb614", size = 94842, upload-time = "2026-01-11T11:21:54.831Z" }, + { url = "https://files.pythonhosted.org/packages/3c/43/7389a1869f2f26dba52404e1ef13b4784b6b37dac93bac53457e3ff24ca3/tomli-2.4.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:920b1de295e72887bafa3ad9f7a792f811847d57ea6b1215154030cf131f16b1", size = 154894, upload-time = "2026-01-11T11:21:56.07Z" }, + { url = "https://files.pythonhosted.org/packages/e9/05/2f9bf110b5294132b2edf13fe6ca6ae456204f3d749f623307cbb7a946f2/tomli-2.4.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:7d6d9a4aee98fac3eab4952ad1d73aee87359452d1c086b5ceb43ed02ddb16b8", size = 149053, upload-time = "2026-01-11T11:21:57.467Z" }, + { url = "https://files.pythonhosted.org/packages/e8/41/1eda3ca1abc6f6154a8db4d714a4d35c4ad90adc0bcf700657291593fbf3/tomli-2.4.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:36b9d05b51e65b254ea6c2585b59d2c4cb91c8a3d91d0ed0f17591a29aaea54a", size = 243481, upload-time = "2026-01-11T11:21:58.661Z" }, + { url = "https://files.pythonhosted.org/packages/d2/6d/02ff5ab6c8868b41e7d4b987ce2b5f6a51d3335a70aa144edd999e055a01/tomli-2.4.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:1c8a885b370751837c029ef9bc014f27d80840e48bac415f3412e6593bbc18c1", size = 251720, upload-time = "2026-01-11T11:22:00.178Z" }, + { url = 
"https://files.pythonhosted.org/packages/7b/57/0405c59a909c45d5b6f146107c6d997825aa87568b042042f7a9c0afed34/tomli-2.4.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:8768715ffc41f0008abe25d808c20c3d990f42b6e2e58305d5da280ae7d1fa3b", size = 247014, upload-time = "2026-01-11T11:22:01.238Z" }, + { url = "https://files.pythonhosted.org/packages/2c/0e/2e37568edd944b4165735687cbaf2fe3648129e440c26d02223672ee0630/tomli-2.4.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:7b438885858efd5be02a9a133caf5812b8776ee0c969fea02c45e8e3f296ba51", size = 251820, upload-time = "2026-01-11T11:22:02.727Z" }, + { url = "https://files.pythonhosted.org/packages/5a/1c/ee3b707fdac82aeeb92d1a113f803cf6d0f37bdca0849cb489553e1f417a/tomli-2.4.0-cp312-cp312-win32.whl", hash = "sha256:0408e3de5ec77cc7f81960c362543cbbd91ef883e3138e81b729fc3eea5b9729", size = 97712, upload-time = "2026-01-11T11:22:03.777Z" }, + { url = "https://files.pythonhosted.org/packages/69/13/c07a9177d0b3bab7913299b9278845fc6eaaca14a02667c6be0b0a2270c8/tomli-2.4.0-cp312-cp312-win_amd64.whl", hash = "sha256:685306e2cc7da35be4ee914fd34ab801a6acacb061b6a7abca922aaf9ad368da", size = 108296, upload-time = "2026-01-11T11:22:04.86Z" }, + { url = "https://files.pythonhosted.org/packages/18/27/e267a60bbeeee343bcc279bb9e8fbed0cbe224bc7b2a3dc2975f22809a09/tomli-2.4.0-cp312-cp312-win_arm64.whl", hash = "sha256:5aa48d7c2356055feef06a43611fc401a07337d5b006be13a30f6c58f869e3c3", size = 94553, upload-time = "2026-01-11T11:22:05.854Z" }, + { url = "https://files.pythonhosted.org/packages/34/91/7f65f9809f2936e1f4ce6268ae1903074563603b2a2bd969ebbda802744f/tomli-2.4.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:84d081fbc252d1b6a982e1870660e7330fb8f90f676f6e78b052ad4e64714bf0", size = 154915, upload-time = "2026-01-11T11:22:06.703Z" }, + { url = "https://files.pythonhosted.org/packages/20/aa/64dd73a5a849c2e8f216b755599c511badde80e91e9bc2271baa7b2cdbb1/tomli-2.4.0-cp313-cp313-macosx_11_0_arm64.whl", hash = 
"sha256:9a08144fa4cba33db5255f9b74f0b89888622109bd2776148f2597447f92a94e", size = 149038, upload-time = "2026-01-11T11:22:07.56Z" }, + { url = "https://files.pythonhosted.org/packages/9e/8a/6d38870bd3d52c8d1505ce054469a73f73a0fe62c0eaf5dddf61447e32fa/tomli-2.4.0-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:c73add4bb52a206fd0c0723432db123c0c75c280cbd67174dd9d2db228ebb1b4", size = 242245, upload-time = "2026-01-11T11:22:08.344Z" }, + { url = "https://files.pythonhosted.org/packages/59/bb/8002fadefb64ab2669e5b977df3f5e444febea60e717e755b38bb7c41029/tomli-2.4.0-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:1fb2945cbe303b1419e2706e711b7113da57b7db31ee378d08712d678a34e51e", size = 250335, upload-time = "2026-01-11T11:22:09.951Z" }, + { url = "https://files.pythonhosted.org/packages/a5/3d/4cdb6f791682b2ea916af2de96121b3cb1284d7c203d97d92d6003e91c8d/tomli-2.4.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:bbb1b10aa643d973366dc2cb1ad94f99c1726a02343d43cbc011edbfac579e7c", size = 245962, upload-time = "2026-01-11T11:22:11.27Z" }, + { url = "https://files.pythonhosted.org/packages/f2/4a/5f25789f9a460bd858ba9756ff52d0830d825b458e13f754952dd15fb7bb/tomli-2.4.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:4cbcb367d44a1f0c2be408758b43e1ffb5308abe0ea222897d6bfc8e8281ef2f", size = 250396, upload-time = "2026-01-11T11:22:12.325Z" }, + { url = "https://files.pythonhosted.org/packages/aa/2f/b73a36fea58dfa08e8b3a268750e6853a6aac2a349241a905ebd86f3047a/tomli-2.4.0-cp313-cp313-win32.whl", hash = "sha256:7d49c66a7d5e56ac959cb6fc583aff0651094ec071ba9ad43df785abc2320d86", size = 97530, upload-time = "2026-01-11T11:22:13.865Z" }, + { url = "https://files.pythonhosted.org/packages/3b/af/ca18c134b5d75de7e8dc551c5234eaba2e8e951f6b30139599b53de9c187/tomli-2.4.0-cp313-cp313-win_amd64.whl", hash = "sha256:3cf226acb51d8f1c394c1b310e0e0e61fecdd7adcb78d01e294ac297dd2e7f87", 
size = 108227, upload-time = "2026-01-11T11:22:15.224Z" }, + { url = "https://files.pythonhosted.org/packages/22/c3/b386b832f209fee8073c8138ec50f27b4460db2fdae9ffe022df89a57f9b/tomli-2.4.0-cp313-cp313-win_arm64.whl", hash = "sha256:d20b797a5c1ad80c516e41bc1fb0443ddb5006e9aaa7bda2d71978346aeb9132", size = 94748, upload-time = "2026-01-11T11:22:16.009Z" }, + { url = "https://files.pythonhosted.org/packages/f3/c4/84047a97eb1004418bc10bdbcfebda209fca6338002eba2dc27cc6d13563/tomli-2.4.0-cp314-cp314-macosx_10_15_x86_64.whl", hash = "sha256:26ab906a1eb794cd4e103691daa23d95c6919cc2fa9160000ac02370cc9dd3f6", size = 154725, upload-time = "2026-01-11T11:22:17.269Z" }, + { url = "https://files.pythonhosted.org/packages/a8/5d/d39038e646060b9d76274078cddf146ced86dc2b9e8bbf737ad5983609a0/tomli-2.4.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:20cedb4ee43278bc4f2fee6cb50daec836959aadaf948db5172e776dd3d993fc", size = 148901, upload-time = "2026-01-11T11:22:18.287Z" }, + { url = "https://files.pythonhosted.org/packages/73/e5/383be1724cb30f4ce44983d249645684a48c435e1cd4f8b5cded8a816d3c/tomli-2.4.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:39b0b5d1b6dd03684b3fb276407ebed7090bbec989fa55838c98560c01113b66", size = 243375, upload-time = "2026-01-11T11:22:19.154Z" }, + { url = "https://files.pythonhosted.org/packages/31/f0/bea80c17971c8d16d3cc109dc3585b0f2ce1036b5f4a8a183789023574f2/tomli-2.4.0-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:a26d7ff68dfdb9f87a016ecfd1e1c2bacbe3108f4e0f8bcd2228ef9a766c787d", size = 250639, upload-time = "2026-01-11T11:22:20.168Z" }, + { url = "https://files.pythonhosted.org/packages/2c/8f/2853c36abbb7608e3f945d8a74e32ed3a74ee3a1f468f1ffc7d1cb3abba6/tomli-2.4.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:20ffd184fb1df76a66e34bd1b36b4a4641bd2b82954befa32fe8163e79f1a702", size = 246897, upload-time = "2026-01-11T11:22:21.544Z" }, + { 
url = "https://files.pythonhosted.org/packages/49/f0/6c05e3196ed5337b9fe7ea003e95fd3819a840b7a0f2bf5a408ef1dad8ed/tomli-2.4.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:75c2f8bbddf170e8effc98f5e9084a8751f8174ea6ccf4fca5398436e0320bc8", size = 254697, upload-time = "2026-01-11T11:22:23.058Z" }, + { url = "https://files.pythonhosted.org/packages/f3/f5/2922ef29c9f2951883525def7429967fc4d8208494e5ab524234f06b688b/tomli-2.4.0-cp314-cp314-win32.whl", hash = "sha256:31d556d079d72db7c584c0627ff3a24c5d3fb4f730221d3444f3efb1b2514776", size = 98567, upload-time = "2026-01-11T11:22:24.033Z" }, + { url = "https://files.pythonhosted.org/packages/7b/31/22b52e2e06dd2a5fdbc3ee73226d763b184ff21fc24e20316a44ccc4d96b/tomli-2.4.0-cp314-cp314-win_amd64.whl", hash = "sha256:43e685b9b2341681907759cf3a04e14d7104b3580f808cfde1dfdb60ada85475", size = 108556, upload-time = "2026-01-11T11:22:25.378Z" }, + { url = "https://files.pythonhosted.org/packages/48/3d/5058dff3255a3d01b705413f64f4306a141a8fd7a251e5a495e3f192a998/tomli-2.4.0-cp314-cp314-win_arm64.whl", hash = "sha256:3d895d56bd3f82ddd6faaff993c275efc2ff38e52322ea264122d72729dca2b2", size = 96014, upload-time = "2026-01-11T11:22:26.138Z" }, + { url = "https://files.pythonhosted.org/packages/b8/4e/75dab8586e268424202d3a1997ef6014919c941b50642a1682df43204c22/tomli-2.4.0-cp314-cp314t-macosx_10_15_x86_64.whl", hash = "sha256:5b5807f3999fb66776dbce568cc9a828544244a8eb84b84b9bafc080c99597b9", size = 163339, upload-time = "2026-01-11T11:22:27.143Z" }, + { url = "https://files.pythonhosted.org/packages/06/e3/b904d9ab1016829a776d97f163f183a48be6a4deb87304d1e0116a349519/tomli-2.4.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:c084ad935abe686bd9c898e62a02a19abfc9760b5a79bc29644463eaf2840cb0", size = 159490, upload-time = "2026-01-11T11:22:28.399Z" }, + { url = 
"https://files.pythonhosted.org/packages/e3/5a/fc3622c8b1ad823e8ea98a35e3c632ee316d48f66f80f9708ceb4f2a0322/tomli-2.4.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0f2e3955efea4d1cfbcb87bc321e00dc08d2bcb737fd1d5e398af111d86db5df", size = 269398, upload-time = "2026-01-11T11:22:29.345Z" }, + { url = "https://files.pythonhosted.org/packages/fd/33/62bd6152c8bdd4c305ad9faca48f51d3acb2df1f8791b1477d46ff86e7f8/tomli-2.4.0-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0e0fe8a0b8312acf3a88077a0802565cb09ee34107813bba1c7cd591fa6cfc8d", size = 276515, upload-time = "2026-01-11T11:22:30.327Z" }, + { url = "https://files.pythonhosted.org/packages/4b/ff/ae53619499f5235ee4211e62a8d7982ba9e439a0fb4f2f351a93d67c1dd2/tomli-2.4.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:413540dce94673591859c4c6f794dfeaa845e98bf35d72ed59636f869ef9f86f", size = 273806, upload-time = "2026-01-11T11:22:32.56Z" }, + { url = "https://files.pythonhosted.org/packages/47/71/cbca7787fa68d4d0a9f7072821980b39fbb1b6faeb5f5cf02f4a5559fa28/tomli-2.4.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:0dc56fef0e2c1c470aeac5b6ca8cc7b640bb93e92d9803ddaf9ea03e198f5b0b", size = 281340, upload-time = "2026-01-11T11:22:33.505Z" }, + { url = "https://files.pythonhosted.org/packages/f5/00/d595c120963ad42474cf6ee7771ad0d0e8a49d0f01e29576ee9195d9ecdf/tomli-2.4.0-cp314-cp314t-win32.whl", hash = "sha256:d878f2a6707cc9d53a1be1414bbb419e629c3d6e67f69230217bb663e76b5087", size = 108106, upload-time = "2026-01-11T11:22:34.451Z" }, + { url = "https://files.pythonhosted.org/packages/de/69/9aa0c6a505c2f80e519b43764f8b4ba93b5a0bbd2d9a9de6e2b24271b9a5/tomli-2.4.0-cp314-cp314t-win_amd64.whl", hash = "sha256:2add28aacc7425117ff6364fe9e06a183bb0251b03f986df0e78e974047571fd", size = 120504, upload-time = "2026-01-11T11:22:35.764Z" }, + { url = 
"https://files.pythonhosted.org/packages/b3/9f/f1668c281c58cfae01482f7114a4b88d345e4c140386241a1a24dcc9e7bc/tomli-2.4.0-cp314-cp314t-win_arm64.whl", hash = "sha256:2b1e3b80e1d5e52e40e9b924ec43d81570f0e7d09d11081b797bc4692765a3d4", size = 99561, upload-time = "2026-01-11T11:22:36.624Z" }, + { url = "https://files.pythonhosted.org/packages/23/d1/136eb2cb77520a31e1f64cbae9d33ec6df0d78bdf4160398e86eec8a8754/tomli-2.4.0-py3-none-any.whl", hash = "sha256:1f776e7d669ebceb01dee46484485f43a4048746235e683bcdffacdf1fb4785a", size = 14477, upload-time = "2026-01-11T11:22:37.446Z" }, +] + +[[package]] +name = "typing-extensions" +version = "4.15.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/72/94/1a15dd82efb362ac84269196e94cf00f187f7ed21c242792a923cdb1c61f/typing_extensions-4.15.0.tar.gz", hash = "sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466", size = 109391, upload-time = "2025-08-25T13:49:26.313Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/18/67/36e9267722cc04a6b9f15c7f3441c2363321a3ea07da7ae0c0707beb2a9c/typing_extensions-4.15.0-py3-none-any.whl", hash = "sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548", size = 44614, upload-time = "2025-08-25T13:49:24.86Z" }, +] + +[[package]] +name = "typing-inspection" +version = "0.4.2" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "typing-extensions" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/55/e3/70399cb7dd41c10ac53367ae42139cf4b1ca5f36bb3dc6c9d33acdb43655/typing_inspection-0.4.2.tar.gz", hash = "sha256:ba561c48a67c5958007083d386c3295464928b01faa735ab8547c5692e87f464", size = 75949, upload-time = "2025-10-01T02:14:41.687Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/dc/9b/47798a6c91d8bdb567fe2698fe81e0c6b7cb7ef4d13da4114b41d239f65d/typing_inspection-0.4.2-py3-none-any.whl", hash = 
"sha256:4ed1cacbdc298c220f1bd249ed5287caa16f34d44ef4e9c3d0cbad5b521545e7", size = 14611, upload-time = "2025-10-01T02:14:40.154Z" }, +] From c01c3f917ae49ced9d5be57065aedc5aa9b3aa65 Mon Sep 17 00:00:00 2001 From: LegendaryMercury Date: Sat, 31 Jan 2026 14:45:32 +1100 Subject: [PATCH 19/20] Documentation added step 1 --- .../discovery_engine_control.json | 78 +++++++++++++ .../discovery_engine_data_connector.json | 78 +++++++++++++ .../discovery_engine_engine_assistant.json | 96 ++++++++++++++++ .../discovery_engine_license_config.json | 105 ++++++++++++++++++ .../discovery_engine_schema.json | 4 +- .../discovery_engine_sitemap.json | 14 +-- .../discovery_engine_target_site.json | 14 +-- 7 files changed, 373 insertions(+), 16 deletions(-) create mode 100644 docs/gcp/Discovery_Engine/resource_json/discovery_engine_control.json create mode 100644 docs/gcp/Discovery_Engine/resource_json/discovery_engine_data_connector.json create mode 100644 docs/gcp/Discovery_Engine/resource_json/discovery_engine_engine_assistant.json create mode 100644 docs/gcp/Discovery_Engine/resource_json/discovery_engine_license_config.json diff --git a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_control.json b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_control.json new file mode 100644 index 000000000..9b3fadc39 --- /dev/null +++ b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_control.json 
@@ -0,0 +1,78 @@
+{
+ "resource_name": "discovery_engine_target_site",
+ "subcategory": "Discovery Engine",
+ "arguments": {
+ "display_name ": {
+ "description": "Its the Name.",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Its the name",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "location": {
+ "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
+ "required": true,
+ "security_impact": true,
+ "rationale": "laws apply based on location",
+ "compliant": "eu, us, global",
+ "non-compliant": "US-West23",
+ "parent": null
+ },
+ "solution_type": {
+ "description": "The solution type that the control belongs to.",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Just technical stuff, not security related technical",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "engine_id": {
+ "description": "The engine to add the control to.",
+ "required": false,
+ "security_impact": false,
+ "rationale": "Just ID",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "control_id": {
+ "description": "The engine to add the control to.",
+ "required": false,
+ "security_impact": false,
+ "rationale": "Just ID",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "redirect_action": {
+ "description": "could be used to send to unsafe external sites.",
+ "required": false,
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "filter_action": {
+ "description": " filters out results that shouldn't be shown. Data leakage.",
+ "required": false,
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "project": {
+ "description": "If it is not provided, the provider project is used.",
+ "required": null,
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ }
+ }
+}
\ No newline at end of file
diff --git a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_data_connector.json b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_data_connector.json
new file mode 100644
index 000000000..7e0c120b4
--- /dev/null
+++ b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_data_connector.json
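Review bot: The new file's `"resource_name"` is `"discovery_engine_target_site"` although the file and every argument in it describe the control resource; it should read `"resource_name": "discovery_engine_control"` (the discovery_engine_control.md added in the next patch carries the same wrong name in its title and registry link, so whatever generates it will inherit the fix). `redirect_action` and `filter_action` are left with `"security_impact": null` and `"rationale": null` even though their own descriptions say the one can send users to unsafe external sites and the other is what stands between indexed documents and data leakage; both should be `"security_impact": true`, with rationales along the lines of `"Redirect targets are attacker-relevant; restrict to an allow-list of trusted domains"` and `"Filters decide which results a user may see; a missing or over-broad filter exposes data"`. Two smaller inconsistencies in the same hunk: `control_id` reuses `engine_id`'s description ("The engine to add the control to."), and `project` has `"required": null` where the sibling files use a boolean.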
@@ -0,0 +1,78 @@
+{
+ "resource_name": "discovery_engine_data_connector",
+ "subcategory": "Discovery Engine",
+ "arguments": {
+ "data_source": {
+ "description": " The full resource name of the associated data store for the source entity",
+ "required": true,
+ "security_impact": true,
+ "rationale": "The source of the data may be confidential or set incorrectly",
+ "compliant": "c-datasource, salesforce, jira, confluence, bigquery",
+ "non-compliant": "Invalid data source",
+ "parent": null
+ },
+ "location": {
+ "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
+ "required": true,
+ "security_impact": true,
+ "rationale": "data residencey laws",
+ "compliant": "us, eu, global",
+ "non-compliant": "Us-West",
+ "parent": null
+ },
+ "refresh_interval": {
+ "description": "The refresh interval for data sync.",
+ "required": true,
+ "security_impact": false,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "collection_id": {
+ "description": "The ID to use for the Collection.",
+ "required": true,
+ "security_impact": false,
+ "rationale": "IDs",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "collection_display_name": {
+ "description": "The display name of the Collection.",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Names",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "params": {
+ "description": "Params needed to access the source in the format of String-to-String (Key, Value) pairs.",
+ "required": false,
+ "security_impact": true,
+ "rationale": "formating of keys to access the data.",
+ "compliant": "Valid parameters",
+ "non-compliant": "Invalid parameters",
+ "parent": null
+ },
+ "json_params": {
+ "description": "Params needed to access the source in the format of json string.",
+ "required": false,
+ "security_impact": true,
+ "rationale": "Has to be a valid string or else Json data could be leaked.",
+ "compliant": "Valid string",
+ "non-compliant": "Invalid string",
+ "parent": null
+ },
+ "project": {
+ "description": "If it is not provided, the provider project is used.",
+ "required": true,
+ "security_impact": false,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ }
+ }
+}
\ No newline at end of file
diff --git a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_engine_assistant.json b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_engine_assistant.json
new file mode 100644
index 000000000..db1d6b867
--- /dev/null
+++ b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_engine_assistant.json
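Review bot: The rationale recorded for `params` and `json_params` ("Has to be a valid string or else Json data could be leaked.") describes a formatting error, not a security risk, and `Valid string` / `Invalid string` gives a policy nothing to match on. Both fields are, by their own descriptions, the parameters needed to access the source, and the sources listed under `data_source` include Salesforce, Jira and Confluence, so if these maps carry tokens or passwords (the provider docs should confirm which keys are secrets) the real concern is credentials written as literals into Terraform code and state; something like `"rationale": "Access parameters may embed connector credentials; literals end up in VCS and in state"` with compliant `values supplied from variables marked sensitive or from Secret Manager` and non-compliant `literal tokens or passwords in params/json_params` gives a pattern-blacklist policy a concrete target. The `data_source` allow-list (`c-datasource, salesforce, jira, confluence, bigquery`) reads as a product choice rather than a security property, so its `"security_impact": true` should either be justified in the rationale or dropped; and `"non-compliant": "Us-West"` differs from the `US-West23` example used everywhere else in this patch.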
@@ -0,0 +1,96 @@
+{
+ "resource_name": "discovery_engine_assistant",
+ "subcategory": "Discovery Engine",
+ "arguments": {
+ "display_name": {
+ "description": "The name displayed",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Its the name",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "collection_id": {
+ "description": "The collection ID",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Its the ID",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "engine_id": {
+ "description": "The Engine ID",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Its the ID",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "assistant_id": {
+ "description": "The Engine ID",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Its the ID",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "description": {
+ "description": " Description for additional information.",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Its the Description",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "generation_config": {
+ "description": "Configuration for the generation of the assistant response.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "this one affects the response of the assistant. It can cause a data leak if you don't configure it right. Write a policy.",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "customer_policy": {
+ "description": "Customer policy for the assistant.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "this relates to what the LLM can and cannot say and sanitizes inputs from users. Write a policy.",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "web_grounding_type": {
+ "description": "The type of web grounding to use.",
+ "required": true,
+ "security_impact": true,
+ "rationale": " controls how the LLM can grab external data or use internal data. Write a policy.",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "location": {
+ "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
+ "required": true,
+ "security_impact": true,
+ "rationale": "laws apply based on location",
+ "compliant": "eu, us, global",
+ "non-compliant": "US-West23",
+ "parent": null
+ },
+ "project": {
+ "description": "If it is not provided, the provider project is used.",
+ "required": null,
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ }
+ }
+}
\ No newline at end of file
diff --git a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_license_config.json b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_license_config.json
new file mode 100644
index 000000000..c7b5bd4d7
--- /dev/null
+++ b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_license_config.json
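Review bot: `generation_config`, `customer_policy` and `web_grounding_type` are the three arguments this file marks `"security_impact": true`, yet each ships with `"compliant": null`, `"non-compliant": null` and a rationale that ends in the author's to-do "Write a policy." — that reminder belongs in an issue, not in a rationale string that the generated markdown prints verbatim. `web_grounding_type` in particular is an enumerated provider value, so the accepted names should be recorded here so that a whitelist policy is derivable (the value that disables web grounding as compliant where the assistant must answer only from internal data stores); I cannot confirm the exact enum names from this hunk, so they need to be taken from the provider docs. Two smaller defects: `assistant_id` copies `engine_id`'s description (`"The Engine ID"`), and `"resource_name": "discovery_engine_assistant"` does not match the file name `discovery_engine_engine_assistant.json`, so one of the two should be renamed before anything keys on it.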
@@ -0,0 +1,105 @@
+{
+ "resource_name": "discovery_engine_license_config",
+ "subcategory": "Discovery Engine",
+ "arguments": {
+ "display_name": {
+ "description": "Its the Name.",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Its the name",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "license_count": {
+ "description": "Number of licenses purchased",
+ "required": true,
+ "security_impact": true,
+ "rationale": "It could be a potential legal issue. Write a policy on it if so.",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "subscription_tier": {
+ "description": "Subscription tier information for the license config.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "Cost/Risk Management: Ensures the correct service tier is used, preventing either over-spending or using a lower tier that might lack necessary enterprise security features.",
+ "compliant": "SUBSCRIPTION_TIER_ENTERPRISE",
+ "non-compliant": "",
+ "parent": null
+ },
+ "start_date": {
+ "description": "Its the start of the licence",
+ "required": true,
+ "security_impact": true,
+ "rationale": "It affects when you can start working. Write a policy.",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "subscription_term": {
+ "description": "The term you have the subscription active for",
+ "required": true,
+ "security_impact": true,
+ "rationale": "How long you can use the service before you lose access or break TOS. Write a policy.",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "license_config_id": {
+ "description": "Its the ID.",
+ "required": true,
+ "security_impact": false,
+ "rationale": "Its the ID",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "auto_renew": {
+ "description": "Whether the license config should be auto renewed when it reaches the end date.",
+ "required": true,
+ "security_impact": true,
+ "rationale": " this attribute controls whether the license will automatically renew at the end date: While not a direct data security attribute, it's critical financial security/governance control.",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "end_date": {
+ "description": "Its the End Date of the licence.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "Its the end date before you lose the licence and break TOS or lose acess. Write a policy.",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "free_trial": {
+ "description": "Whether the license config is for free trial.",
+ "required": true,
+ "security_impact": false,
+ "rationale": "If you run out of free trial, you could end up paying money or losing work. Write a policy",
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ },
+ "location": {
+ "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
+ "required": true,
+ "security_impact": true,
+ "rationale": "laws apply based on location",
+ "compliant": "eu, us, global",
+ "non-compliant": "US-West23",
+ "parent": null
+ },
+ "project": {
+ "description": "If it is not provided, the provider project is used.",
+ "required": true,
+ "security_impact": false,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
+ "parent": null
+ }
+ }
+}
\ No newline at end of file
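Review bot: `license_count`, `start_date`, `end_date`, `subscription_term` and `auto_renew` are flagged `"security_impact": true` on rationales about cost, TOS and losing access; those are licensing and governance concerns, and tagging them as security impact dilutes the one field a security policy engine filters on (`free_trial`, with the same kind of rationale, is flagged `false`, so the file already disagrees with itself). Either set the five to `false` with `"rationale": "Licensing/governance only; no security impact"`, or introduce a separate governance marker, but apply one rule to all of them. `subscription_tier` keeps `"non-compliant": ""` where every other entry uses `null`, and its compliant value `SUBSCRIPTION_TIER_ENTERPRISE` rests on a claim that lower tiers "might lack necessary enterprise security features" without naming one — cite the feature (or soften the rationale) before a policy denies every other tier on that basis. The "Write a policy." reminders left inside rationale strings will be printed verbatim by the markdown that mirrors this file.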
diff --git a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_schema.json b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_schema.json
index 57a40daf9..ecb70acc4 100644
--- a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_schema.json
+++ b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_schema.json
@@ -7,8 +7,8 @@
 "required": true,
 "security_impact": true,
 "rationale": "laws apply based on location",
- "compliant": null,
- "non-compliant": null,
+ "compliant": "eu, us, global",
+ "non-compliant": "US-West23",
 "parent": null
 },
 "data_store_id": {
diff --git a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_sitemap.json b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_sitemap.json
index d2c4365da..f4e868ddd 100644
--- a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_sitemap.json
+++ b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_sitemap.json
@@ -3,13 +3,13 @@
 "subcategory": "Discovery Engine",
 "arguments": {
 "location": {
- "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
- "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": null
+ "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
+ "required": true,
+ "security_impact": true,
+ "rationale": "laws apply based on location",
+ "compliant": "eu, us, global",
+ "non-compliant": "US-West23",
+ "parent": null
 },
 "data_store_id": {
 "description": "The unique id of the data store.",
diff --git a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_target_site.json b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_target_site.json
index 4ab17428f..af9db15f9 100644
--- a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_target_site.json
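Review bot: The `non-compliant` example this hunk adds for `location` (`US-West23`) is a value the description on the line above says the provider does not accept at all (`global`, `us` and `eu` only), so a policy derived from this pair can never flag a configuration that actually applies. The residency concern the rationale points at is `global`, which does not pin the data store to a single jurisdiction; for a residency policy the compliant value is the jurisdiction's own region and `global` is the one to reject, e.g. `"compliant": "eu"`, `"non-compliant": "global"`, with the jurisdiction chosen per deployment (the template's vars file looks like the place for that). The identical `eu, us, global` / `US-West23` pair is applied to the sitemap and target_site files in this patch and to the four new files above it, so the correction belongs wherever that text is sourced from rather than in one file.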
+++ b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_target_site.json
@@ -12,13 +12,13 @@
 "parent": null
 },
 "location": {
- "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
- "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": null
+ "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
+ "required": true,
+ "security_impact": true,
+ "rationale": "laws apply based on location",
+ "compliant": "eu, us, global",
+ "non-compliant": "US-West23",
+ "parent": null
 },
 "data_store_id": {
 "description": "The unique id of the data store.",
From 1b3095a17880ecfbe7298645e2118f8685ad4d11 Mon Sep 17 00:00:00 2001 From: LegendaryMercury Date: Sat, 31 Jan 2026 16:19:09 +1100 Subject: [PATCH 20/20] Markdowns Markdowns --- .../discovery_engine_control.md | 20 ++++++++++++++++ .../discovery_engine_data_connector.md | 20 ++++++++++++++++ .../discovery_engine_engine_assistant.md | 22 ++++++++++++++++++ .../discovery_engine_license_config.md | 23 +++++++++++++++++++ .../discovery_engine_schema.md | 2 +- .../discovery_engine_sitemap.md | 2 +- .../discovery_engine_target_site.md | 2 +- 7 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 docs/gcp/Discovery_Engine/discovery_engine_control.md create mode 100644 docs/gcp/Discovery_Engine/discovery_engine_data_connector.md create mode 100644 docs/gcp/Discovery_Engine/discovery_engine_engine_assistant.md create mode 100644 docs/gcp/Discovery_Engine/discovery_engine_license_config.md
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_control.md b/docs/gcp/Discovery_Engine/discovery_engine_control.md
new file mode 100644
index 000000000..07a16af33
--- /dev/null
+++ b/docs/gcp/Discovery_Engine/discovery_engine_control.md
@@ -0,0 +1,20 @@
+## 🛡️ Policy Deployment Engine: `discovery_engine_target_site`
+
+This section provides a concise policy evaluation for the `discovery_engine_target_site` resource in GCP.
+
+Reference: [Terraform Registry – discovery_engine_target_site](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/discovery_engine_target_site)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `display_name ` | Its the Name. | true | false | Its the name | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
+| `solution_type` | The solution type that the control belongs to. | true | false | Just technical stuff, not security related technical | None | None |
+| `engine_id` | The engine to add the control to. | false | false | Just ID | None | None |
+| `control_id` | The engine to add the control to. | false | false | Just ID | None | None |
+| `redirect_action` | could be used to send to unsafe external sites. | false | false | None | None | None |
+| `filter_action` | filters out results that shouldn't be shown. Data leakage. | false | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_data_connector.md b/docs/gcp/Discovery_Engine/discovery_engine_data_connector.md
new file mode 100644
index 000000000..d405c9acd
--- /dev/null
+++ b/docs/gcp/Discovery_Engine/discovery_engine_data_connector.md
@@ -0,0 +1,20 @@
+## 🛡️ Policy Deployment Engine: `discovery_engine_data_connector`
+
+This section provides a concise policy evaluation for the `discovery_engine_data_connector` resource in GCP.
+
+Reference: [Terraform Registry – discovery_engine_data_connector](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/discovery_engine_data_connector)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `data_source` | The full resource name of the associated data store for the source entity | true | true | The source of the data may be confidential or set incorrectly | c-datasource, salesforce, jira, confluence, bigquery | Invalid data source |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | data residencey laws | us, eu, global | Us-West |
+| `refresh_interval` | The refresh interval for data sync. | true | false | None | None | None |
+| `collection_id` | The ID to use for the Collection. | true | false | IDs | None | None |
+| `collection_display_name` | The display name of the Collection. | true | false | Names | None | None |
+| `params` | Params needed to access the source in the format of String-to-String (Key, Value) pairs. | false | true | formating of keys to access the data. | Valid parameters | Invalid parameters |
+| `json_params` | Params needed to access the source in the format of json string. | false | true | Has to be a valid string or else Json data could be leaked. | Valid string | Invalid string |
+| `project` | If it is not provided, the provider project is used. | true | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_engine_assistant.md b/docs/gcp/Discovery_Engine/discovery_engine_engine_assistant.md
new file mode 100644
index 000000000..b5eef1cab
--- /dev/null
+++ b/docs/gcp/Discovery_Engine/discovery_engine_engine_assistant.md
@@ -0,0 +1,22 @@
+## 🛡️ Policy Deployment Engine: `discovery_engine_assistant`
+
+This section provides a concise policy evaluation for the `discovery_engine_assistant` resource in GCP.
+
+Reference: [Terraform Registry – discovery_engine_assistant](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/discovery_engine_assistant)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `display_name` | The name displayed | true | false | Its the name | None | None |
+| `collection_id` | The collection ID | true | false | Its the ID | None | None |
+| `engine_id` | The Engine ID | true | false | Its the ID | None | None |
+| `assistant_id` | The Engine ID | true | false | Its the ID | None | None |
+| `description` | Description for additional information. | true | false | Its the Description | None | None |
+| `generation_config` | Configuration for the generation of the assistant response. | true | true | this one affects the response of the assistant. It can cause a data leak if you don't configure it right. Write a policy. | None | None |
+| `customer_policy` | Customer policy for the assistant. | true | true | this relates to what the LLM can and cannot say and sanitizes inputs from users. Write a policy. | None | None |
+| `web_grounding_type` | The type of web grounding to use. | true | true | controls how the LLM can grab external data or use internal data. Write a policy. | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_license_config.md b/docs/gcp/Discovery_Engine/discovery_engine_license_config.md
new file mode 100644
index 000000000..b8847875b
--- /dev/null
+++ b/docs/gcp/Discovery_Engine/discovery_engine_license_config.md
@@ -0,0 +1,23 @@
+## 🛡️ Policy Deployment Engine: `discovery_engine_license_config`
+
+This section provides a concise policy evaluation for the `discovery_engine_license_config` resource in GCP.
+
+Reference: [Terraform Registry – discovery_engine_license_config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/discovery_engine_license_config)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `display_name` | Its the Name. | true | false | Its the name | None | None |
+| `license_count` | Number of licenses purchased | true | true | It could be a potential legal issue. Write a policy on it if so. | None | None |
+| `subscription_tier` | Subscription tier information for the license config. | true | true | Cost/Risk Management: Ensures the correct service tier is used, preventing either over-spending or using a lower tier that might lack necessary enterprise security features. | SUBSCRIPTION_TIER_ENTERPRISE | |
+| `start_date` | Its the start of the licence | true | true | It affects when you can start working. Write a policy. | None | None |
+| `subscription_term` | The term you have the subscription active for | true | true | How long you can use the service before you lose access or break TOS. Write a policy. | None | None |
+| `license_config_id` | Its the ID. | true | false | Its the ID | None | None |
+| `auto_renew` | Whether the license config should be auto renewed when it reaches the end date. | true | true | this attribute controls whether the license will automatically renew at the end date: While not a direct data security attribute, it's critical financial security/governance control. | None | None |
+| `end_date` | Its the End Date of the licence. | true | true | Its the end date before you lose the licence and break TOS or lose acess. Write a policy. | None | None |
+| `free_trial` | Whether the license config is for free trial. | true | false | If you run out of free trial, you could end up paying money or losing work. Write a policy | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
+| `project` | If it is not provided, the provider project is used. | true | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_schema.md b/docs/gcp/Discovery_Engine/discovery_engine_schema.md
index 626c4b326..0a1b767ce 100644
--- a/docs/gcp/Discovery_Engine/discovery_engine_schema.md
+++ b/docs/gcp/Discovery_Engine/discovery_engine_schema.md
@@ -10,7 +10,7 @@ Reference: [Terraform Registry – discovery_engine_schema](https://registry.ter
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
 | `data_store_id` | The unique id of the data store. | true | false | None | None | None |
 | `schema_id` | The unique id of the schema. | true | false | None | None | None |
 | `json_schema` | The JSON representation of the schema. | false | true | Since it's the actual schema definition, if it's too permissive (e.g., allows freeform fields or deep nesting), it can allow arbitrary data injection | {"$schema":"https://json-schema.org/draft/2020-12/schema","datetime_detection":true,"type":"object","geolocation_detection":true} | {"$schema":"https://json-schema.org/draft/2020-12/schema","datetime_detection":false,"type":"object","geolocation_detection":false} |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md b/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md
index f7ded6ce8..7f6397a52 100644
--- a/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md
+++ b/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md
@@ -10,7 +10,7 @@ Reference: [Terraform Registry – discovery_engine_sitemap](https://registry.te
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | false | None | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
 | `data_store_id` | The unique id of the data store. | true | false | None | None | None |
 | `uri` | Public URI for the sitemap, e.g. "www.example.com/sitemap.xml". | false | false | None | None | None |
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_target_site.md b/docs/gcp/Discovery_Engine/discovery_engine_target_site.md
index 01cce5649..7cb381bd0 100644
--- a/docs/gcp/Discovery_Engine/discovery_engine_target_site.md
@@ -11,7 +11,7 @@ Reference: [Terraform Registry – discovery_engine_target_site](https://registr | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `provided_uri_pattern` | The user provided URI pattern from which the `generated_uri_pattern` is generated. | true | false | None | None | None | -| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | false | None | None | None | +| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 | | `data_store_id` | The unique id of the data store. | true | false | None | None | None | | `type` | The possible target site types. Possible values are: `INCLUDE`, `EXCLUDE`. | false | false | None | None | None | | `exact_match` | If set to false, a uri_pattern is generated to include all pages whose address contains the provided_uri_pattern. If set to true, an uri_pattern is generated to try to be an exact match of the provided_uri_pattern or just the specific page if the provided_uri_pattern is a specific one. provided_uri_pattern is always normalized to generate the URI pattern to be used by the search engine. | false | false | None | None | None |