Hardhat-Enterprises · LegendaryMercury · Nov 23, 2025 · Nov 30, 2025 · Dec 3, 2025 · Dec 7, 2025
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_control.md b/docs/gcp/Discovery_Engine/discovery_engine_control.md
@@ -0,0 +1,20 @@
+## 🛡️ Policy Deployment Engine: `discovery_engine_target_site`
+
+This section provides a concise policy evaluation for the `discovery_engine_target_site` resource in GCP.
+
+Reference: [Terraform Registry – discovery_engine_target_site](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/discovery_engine_target_site)
+
+---
+
+## Argument Reference  
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `display_name ` | Its the Name. | true | false | Its the name | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
+| `solution_type` | The solution type that the control belongs to. | true | false | Just technical stuff, not security related technical | None | None |
+| `engine_id` | The engine to add the control to. | false | false | Just ID | None | None |
+| `control_id` | The engine to add the control to. | false | false | Just ID | None | None |
+| `redirect_action` | could be used to send to unsafe external sites. | false | false | None | None | None |
+| `filter_action` |  filters out results that shouldn't be shown. Data leakage. | false | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_data_connector.md b/docs/gcp/Discovery_Engine/discovery_engine_data_connector.md
@@ -0,0 +1,20 @@
+## 🛡️ Policy Deployment Engine: `discovery_engine_data_connector`
+
+This section provides a concise policy evaluation for the `discovery_engine_data_connector` resource in GCP.
+
+Reference: [Terraform Registry – discovery_engine_data_connector](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/discovery_engine_data_connector)
+
+---
+
+## Argument Reference  
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `data_source` |  The full resource name of the associated data store for the source entity | true | true | The source of the data may be confidential or set incorrectly | c-datasource, salesforce, jira, confluence, bigquery | Invalid data source |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | data residencey laws | us, eu, global | Us-West |
+| `refresh_interval` | The refresh interval for data sync. | true | false | None | None | None |
+| `collection_id` | The ID to use for the Collection. | true | false | IDs | None | None |
+| `collection_display_name` | The display name of the Collection. | true | false | Names | None | None |
+| `params` | Params needed to access the source in the format of String-to-String (Key, Value) pairs. | false | true | formating of keys to access the data. | Valid parameters | Invalid parameters |
+| `json_params` | Params needed to access the source in the format of json string. | false | true | Has to be a valid string or else Json data could be leaked. | Valid string | Invalid string |
+| `project` | If it is not provided, the provider project is used. | true | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_engine_assistant.md b/docs/gcp/Discovery_Engine/discovery_engine_engine_assistant.md
@@ -0,0 +1,22 @@
+## 🛡️ Policy Deployment Engine: `discovery_engine_assistant`
+
+This section provides a concise policy evaluation for the `discovery_engine_assistant` resource in GCP.
+
+Reference: [Terraform Registry – discovery_engine_assistant](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/discovery_engine_assistant)
+
+---
+
+## Argument Reference  
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `display_name` | The name displayed | true | false | Its the name | None | None |
+| `collection_id` | The collection ID | true | false | Its the ID | None | None |
+| `engine_id` | The Engine ID | true | false | Its the ID | None | None |
+| `assistant_id` | The Engine ID | true | false | Its the ID | None | None |
+| `description` |  Description for additional information. | true | false | Its the Description | None | None |
+| `generation_config` | Configuration for the generation of the assistant response. | true | true | this one affects the response of the assistant. It can cause a data leak if you don't configure it right. Write a policy. | None | None |
+| `customer_policy` | Customer policy for the assistant. | true | true | this relates to what the LLM can and cannot say and sanitizes inputs from users. Write a policy. | None | None |
+| `web_grounding_type` | The type of web grounding to use. | true | true |  controls how the LLM can grab external data or use internal data. Write a policy. | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_license_config.md b/docs/gcp/Discovery_Engine/discovery_engine_license_config.md
@@ -0,0 +1,23 @@
+## 🛡️ Policy Deployment Engine: `discovery_engine_license_config`
+
+This section provides a concise policy evaluation for the `discovery_engine_license_config` resource in GCP.
+
+Reference: [Terraform Registry – discovery_engine_license_config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/discovery_engine_license_config)
+
+---
+
+## Argument Reference  
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `display_name` | Its the Name. | true | false | Its the name | None | None |
+| `license_count` | Number of licenses purchased | true | true | It could be a potential legal issue. Write a policy on it if so. | None | None |
+| `subscription_tier` | Subscription tier information for the license config. | true | true | Cost/Risk Management: Ensures the correct service tier is used, preventing either over-spending or using a lower tier that might lack necessary enterprise security features. | SUBSCRIPTION_TIER_ENTERPRISE |  |
+| `start_date` | Its the start of the licence | true | true | It affects when you can start working. Write a policy. | None | None |
+| `subscription_term` | The term you have the subscription active for | true | true | How long you can use the service before you lose access or break TOS. Write a policy. | None | None |
+| `license_config_id` | Its the ID. | true | false | Its the ID | None | None |
+| `auto_renew` | Whether the license config should be auto renewed when it reaches the end date. | true | true |  this attribute controls whether the license will automatically renew at the end date: While not a direct data security attribute, it's critical financial security/governance control. | None | None |
+| `end_date` | Its the End Date of the licence. | true | true | Its the end date before you lose the licence and break TOS or lose acess. Write a policy. | None | None |
+| `free_trial` | Whether the license config is for free trial. | true | false | If you run out of free trial, you could end up paying money or losing work. Write a policy | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
+| `project` | If it is not provided, the provider project is used. | true | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_schema.md b/docs/gcp/Discovery_Engine/discovery_engine_schema.md
@@ -10,7 +10,7 @@ Reference: [Terraform Registry – discovery_engine_schema](https://registry.ter
 
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
 | `data_store_id` | The unique id of the data store. | true | false | None | None | None |
 | `schema_id` | The unique id of the schema. | true | false | None | None | None |
 | `json_schema` | The JSON representation of the schema. | false | true | Since it's the actual schema definition, if it's too permissive (e.g., allows freeform fields or deep nesting), it can allow arbitrary data injection   | {"$schema":"https://json-schema.org/draft/2020-12/schema","datetime_detection":true,"type":"object","geolocation_detection":true} | {"$schema":"https://json-schema.org/draft/2020-12/schema","datetime_detection":false,"type":"object","geolocation_detection":false} |

diff --git a/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md b/docs/gcp/Discovery_Engine/discovery_engine_sitemap.md
@@ -10,7 +10,7 @@ Reference: [Terraform Registry – discovery_engine_sitemap](https://registry.te
 
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | false | None | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
 | `data_store_id` | The unique id of the data store. | true | false | None | None | None |
 | `uri` | Public URI for the sitemap, e.g. "www.example.com/sitemap.xml". | false | false | None | None | None |
 | `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/Discovery_Engine/discovery_engine_target_site.md b/docs/gcp/Discovery_Engine/discovery_engine_target_site.md
@@ -11,7 +11,7 @@ Reference: [Terraform Registry – discovery_engine_target_site](https://registr
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `provided_uri_pattern` | The user provided URI pattern from which the `generated_uri_pattern` is generated. | true | false | None | None | None |
-| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | false | None | None | None |
+| `location` | The geographic location where the data store should reside. The value can only be one of "global", "us" and "eu". | true | true | laws apply based on location | eu, us, global | US-West23 |
 | `data_store_id` | The unique id of the data store. | true | false | None | None | None |
 | `type` | The possible target site types. Possible values are: `INCLUDE`, `EXCLUDE`. | false | false | None | None | None |
 | `exact_match` | If set to false, a uri_pattern is generated to include all pages whose address contains the provided_uri_pattern. If set to true, an uri_pattern is generated to try to be an exact match of the provided_uri_pattern or just the specific page if the provided_uri_pattern is a specific one. provided_uri_pattern is always normalized to generate the URI pattern to be used by the search engine. | false | false | None | None | None |

diff --git a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_control.json b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_control.json
@@ -0,0 +1,78 @@
+{
+  "resource_name": "discovery_engine_target_site",
+  "subcategory": "Discovery Engine",
+    "arguments": {
+        "display_name ": {
+            "description": "Its the Name.",
+            "required": true,
+            "security_impact": false,
+            "rationale": "Its the name",
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        },
+        "location": {
+            "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
+            "required": true,
+            "security_impact": true,
+            "rationale": "laws apply based on location",
+            "compliant": "eu, us, global",
+            "non-compliant": "US-West23",
+            "parent": null
+        },
+        "solution_type": {
+            "description": "The solution type that the control belongs to.",
+            "required": true,
+            "security_impact": false,
+            "rationale": "Just technical stuff, not security related technical",
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        },
+        "engine_id": {
+            "description": "The engine to add the control to.",
+            "required": false,
+            "security_impact": false,
+            "rationale": "Just ID",
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        },
+        "control_id": {
+            "description": "The engine to add the control to.",
+            "required": false,
+            "security_impact": false,
+            "rationale": "Just ID",
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        },
+        "redirect_action": {
+            "description": "could be used to send to unsafe external sites.",
+            "required": false,
+            "security_impact": null,
+            "rationale": null,
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        },
+        "filter_action": {
+            "description": " filters out results that shouldn't be shown. Data leakage.",
+            "required": false,
+            "security_impact": null,
+            "rationale": null,
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        },
+        "project": {
+            "description": "If it is not provided, the provider project is used.",
+            "required": null,
+            "security_impact": null,
+            "rationale": null,
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        }
+    }
+}
diff --git a/docs/gcp/Discovery_Engine/resource_json/discovery_engine_data_connector.json b/docs/gcp/Discovery_Engine/resource_json/discovery_engine_data_connector.json
@@ -0,0 +1,78 @@
+{
+    "resource_name": "discovery_engine_data_connector",
+    "subcategory": "Discovery Engine",
+    "arguments": {
+        "data_source": {
+            "description": " The full resource name of the associated data store for the source entity",
+            "required": true,
+            "security_impact": true,
+            "rationale": "The source of the data may be confidential or set incorrectly",
+            "compliant": "c-datasource, salesforce, jira, confluence, bigquery",
+            "non-compliant": "Invalid data source",
+            "parent": null
+        },
+        "location": {
+            "description": "The geographic location where the data store should reside. The value can only be one of \"global\", \"us\" and \"eu\".",
+            "required": true,
+            "security_impact": true,
+            "rationale": "data residencey laws",
+            "compliant": "us, eu, global",
+            "non-compliant": "Us-West",
+            "parent": null
+        },
+        "refresh_interval": {
+            "description": "The refresh interval for data sync.",
+            "required": true,
+            "security_impact": false,
+            "rationale": null,
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        },
+        "collection_id": {
+            "description": "The ID to use for the Collection.",
+            "required": true,
+            "security_impact": false,
+            "rationale": "IDs",
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        },
+        "collection_display_name": {
+            "description": "The display name of the Collection.",
+            "required": true,
+            "security_impact": false,
+            "rationale": "Names",
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        },
+        "params": {
+            "description": "Params needed to access the source in the format of String-to-String (Key, Value) pairs.",
+            "required": false,
+            "security_impact": true,
+            "rationale": "formating of keys to access the data.",
+            "compliant": "Valid parameters",
+            "non-compliant": "Invalid parameters",
+            "parent": null
+        },
+        "json_params": {
+            "description": "Params needed to access the source in the format of json string.",
+            "required": false,
+            "security_impact": true,
+            "rationale": "Has to be a valid string or else Json data could be leaked.",
+            "compliant": "Valid string",
+            "non-compliant": "Invalid string",
+            "parent": null
+        },
+        "project": {
+            "description": "If it is not provided, the provider project is used.",
+            "required": true,
+            "security_impact": false,
+            "rationale": null,
+            "compliant": null,
+            "non-compliant": null,
+            "parent": null
+        }
+    }
+}