Merged
23 changes: 23 additions & 0 deletions docs/gcp/App_Engine/app_engine_application.md
@@ -0,0 +1,23 @@
## 🛡️ Policy Deployment Engine: `app_engine_application`

This section provides a concise policy evaluation for the `app_engine_application` resource in GCP.

Reference: [Terraform Registry – app_engine_application](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_application)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `project` | ~>**NOTE:** GCP only accepts project ID, not project number. If you are using number, you may get a "Permission denied" error. | true | true | To enforce the use of Project IDs over Project Numbers to prevent API resolution failures and (Permission Denied) errors during deployment. | gcp-project-12345 | 123456789 |
| `location_id` | The location to serve the app from. | true | true | To esnure data residency compliance, prevents deployment to unauthorized regions, as App Engine locations cannot be changed once set. | australia-southeast1 | europe-west1 |
| `auth_domain` | The domain to authenticate users with when using App Engine's User API. | false | false | Modern identity management is handled via Identity-Aware Proxy IAP), making the legacy domain setting redundant for security enforcement. | None | None |
| `database_type` | Can be `CLOUD_FIRESTORE` or `CLOUD_DATASTORE_COMPATIBILITY` for new instances. To support old instances, the value `CLOUD_DATASTORE` is accepted by the provider, but will be rejected by the API. To create a Cloud Firestore database without creating an App Engine application, use the [`google_firestore_database`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/firestore_database) resource instead. | false | true | To enforce the selection of Cloud Firestore so the application uses Google's latest scalable database technology with modern security and consistency features. | CLOUD_FIRESTORE | CLOUD_DATASTORE_COMPATIBILITY |
| `serving_status` | The serving status of the app. | false | true | Ensures applications are deployed in an active state and prevents accidental service outages caused by manual or uncoordinated status overrides. | SERVING | USER_DISABLED |
| `feature_settings` | A block of optional settings to configure specific App Engine features: | false | true | to enforce the use of modern split health checks to ensure precise monitoring of application readiness and liveness, replacing legacy combined health checks. | None | None |
| `split_health_checks` | Set to false to use the legacy health check instead of the readiness and liveness checks. | true | true | Enables the separation of readiness and liveness probes to improve deployment reliability and prevent traffic from being routed to instances that are still initializing. | split_health_checks = true | split_health_checks = false |
| `iap` | Settings for enabling Cloud Identity Aware Proxy | false | true | Enforces Identity-Aware Proxy to establish a Zero Trust security layer, ensuring that only authenticated and authorized users can access the application, regardless of network location. | None | None |
| `oauth2_client_id` | OAuth2 client ID to use for the authentication flow. | true | true | Mandates a valid OAuth2 Client ID to securely link the IAP to the organization's identity provider, ensuring only verified corporate credentials can grant access. | 12345.apps.googleusercontent.com | incorrect-id.apps.googleusercontent.com |
| `oauth2_client_secret` | OAuth2 client secret to use for the authentication flow. The SHA-256 hash of the value is returned in the oauth2ClientSecretSha256 field. | true | true | Ensures the authenticity of the handshake between Google Cloud and the Identity Provider to prevent man-in-the-middle attacks/unauthorized identity spoofing. | GOCSPX-abc123def456_actual_secret | 12345 |
| `ssl_policy` | A list of the SSL policy that will be applied. Each block has a SSL_POLICY_UNSPECIFIED, DEFAULT, and MODERN field. | false | true | To enforce secure managed SSL certificates to ensure all data in transit is encrypted using modern protocols and to prevent service outages caused by manual certificate expiration. | AUTOMATIC | MANUAL |
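Review bot: the `ssl_policy` row (last line of the hunk) does not look like an argument of the `app_engine_application` resource this file documents: its description ("Each block has a SSL_POLICY_UNSPECIFIED, DEFAULT, and MODERN field") does not match its own Compliant/Non-Compliant values, and those values (`AUTOMATIC`/`MANUAL`) are the `ssl_management_type` values that the domain-mapping file in this PR documents. Verify the row against the registry link at the top of the file and either correct it or drop it. Two smaller points in the same table: the `oauth2_client_secret` Compliant example `GOCSPX-abc123def456_actual_secret` puts a secret-shaped literal into documentation that policy tooling may copy; a reference to a sensitive variable or a Secret Manager value is the compliant pattern to show, and the "Non-Compliant" example should illustrate the weakness (a hardcoded value in source) rather than a short string. Also, the nested `feature_settings` and `iap` sub-arguments (`split_health_checks`, `oauth2_client_id`, `oauth2_client_secret`) are flattened into the top-level table with `Required = true`, which reads as if they are required on the resource itself; the other files in this PR use a separate `### <block> Block` table for nested blocks, and this one should follow that layout. Typos: "esnure" in the `location_id` row, and the missing opening parenthesis in "Identity-Aware Proxy IAP)" in the `auth_domain` row.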
22 changes: 22 additions & 0 deletions docs/gcp/App_Engine/app_engine_application_url_dispatch_rules.md
@@ -0,0 +1,22 @@
## 🛡️ Policy Deployment Engine: `app_engine_application_url_dispatch_rules`

This section provides a concise policy evaluation for the `app_engine_application_url_dispatch_rules` resource in GCP.

Reference: [Terraform Registry – app_engine_application_url_dispatch_rules](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_application_url_dispatch_rules)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `dispatch_rules` | Rules to match an HTTP request and dispatch that request to a service. Structure is [documented below](#nested_dispatch_rules). | true | true | Establishes centralized routing logic to ensure requests are directed to the correct microservices based on URL patterns, preventing leaky traffic/unauthorized cross-service access. | None | None |
| `project` | If it is not provided, the provider project is used. | false | false | Unnecessary as it defaults to the provider-level project configuration if it is not provided, ensuring the resource is naturally governed by the existing project-level access controls. | None | None |

### dispatch_rules Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `domain` | Domain name to match against. The wildcard "*" is supported if specified before a period: "*.". Defaults to matching all domains: "*". | false | true | To enforce strict hostname mapping to ensure traffic is only routed through approved domains, preventing 'Host Header Injection' and ensuring cross-site requests are properly isolated. | hardhat.pythonanywhere.com | invalid-domain.com |
| `path` | Pathname within the host. Must start with a "/". A single "*" can be included at the end of the path. The sum of the lengths of the domain and path may not exceed 100 characters. | true | true | To define explicit URL patterns to ensure sensitive application paths are strictly mapped to their intended microservices, preventing accidental exposure of internal endpoints | /* | admin/* |
| `service` | Pathname within the host. Must start with a "/". A single "*" can be included at the end of the path. The sum of the lengths of the domain and path may not exceed 100 characters. | true | true | To enforce explicit mapping of URL patterns to specific microservices to ensure architectural isolation and prevent traffic from falling back to a service that may not have the appropriate security context/permissions | default | unauthorized-service |
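Review bot: the `service` row (last line of the hunk) reuses the `path` description verbatim ("Pathname within the host. Must start with a "/"...") instead of describing the service the matched request is dispatched to; replace it with the service-name semantics so the `default` / `unauthorized-service` examples make sense. The `path` row's examples also do not illustrate its rationale: Compliant `/*` is the broadest possible pattern, while Non-Compliant `admin/*` is invalid only because it lacks the leading `/` the description requires, so a scoped compliant path (for example `/admin/*` mapped to a dedicated service) contrasted with a catch-all would match the stated intent of keeping sensitive paths mapped to their own service. Finally, the `dispatch_rules` row links to `#nested_dispatch_rules`, but the subsection below is headed `### dispatch_rules Block`, so that anchor will not resolve in the rendered markdown; add an explicit anchor or link to the heading's generated id.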
24 changes: 24 additions & 0 deletions docs/gcp/App_Engine/app_engine_domain_mapping.md
@@ -0,0 +1,24 @@
## 🛡️ Policy Deployment Engine: `app_engine_domain_mapping`

This section provides a concise policy evaluation for the `app_engine_domain_mapping` resource in GCP.

Reference: [Terraform Registry – app_engine_domain_mapping](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_domain_mapping)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `domain_name` | Relative name of the domain serving the application. Example: example.com. | true | true | To enforce the use of verified domains to prevent unauthorized shadow branding and ensure all application traffic is protected by corporate-standard SSL/TLS configurations | hardhatenterprises.com | unverified-domain.com |
| `ssl_settings` | SSL configuration for this domain. If unconfigured, this domain will not serve with SSL. Structure is [documented below](#nested_ssl_settings). | false | true | Mandates the use of managed SSL settings to guarantee that all custom domain traffic is encrypted via TLS and to eliminate the risk of service downtime caused by expired manual certificates | None | None |
| `override_strategy` | Whether the domain creation should override any existing mappings for this domain. By default, overrides are rejected. Default value is `STRICT`. Possible values are: `STRICT`, `OVERRIDE`. | false | true | to enforce a clear resolution strategy for domain mapping conflicts to prevent accidental hijacking of custom domains from other projects and ensure predictable routing behavior. | STRICT | OVERRIDE |
| `project` | If it is not provided, the provider project is used. | false | false | It is a standard provider-inherited field as the resource is inherently constrained by the project-level permissions and deployment context of the authenticated service account. | None | None |

### ssl_settings Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `certificate_id` | ID of the AuthorizedCertificate resource configuring SSL for the application. Clearing this field will remove SSL support. By default, a managed certificate is automatically created for every domain mapping. To omit SSL support or to configure SSL manually, specify `SslManagementType.MANUAL` on a `CREATE` or `UPDATE` request. You must be authorized to administer the `AuthorizedCertificate` resource to manually map it to a DomainMapping resource. Example: 12345. | false | false | Mandating/managing specific certificate IDs manually increases operational overhead and introduces the risk of service outages due to manual renewal failures. | None | None |
| `ssl_management_type` | SSL management type for this domain. If `AUTOMATIC`, a managed certificate is automatically provisioned. If `MANUAL`, `certificateId` must be manually specified in order to configure SSL for this domain. Possible values are: `AUTOMATIC`, `MANUAL`. | true | true | Mandates 'AUTOMATIC' SSL management to utilise Google's managed certificate authority, ensuring renewals and the use of modern cryptographic protocols without human intervention. | AUTOMATIC | MANUAL |
| `pending_managed_certificate_id` | (Output) ID of the managed `AuthorizedCertificate` resource currently being provisioned, if applicable. Until the new managed certificate has been successfully provisioned, the previous SSL state will be preserved. Once the provisioning process completes, the `certificateId` field will reflect the new managed certificate and this field will be left empty. To remove SSL support while there is still a pending managed certificate, clear the `certificateId` field with an update request. | false | false | Is a read-only output attribute managed by Google Cloud, represents a transient state during certificate provisioning and cannot be influenced/configured by the user. | None | None |
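Review bot: the `ssl_settings` row links to `#nested_ssl_settings`, but the nested table below is headed `### ssl_settings Block`, so the anchor will not resolve; add an explicit anchor or link to the heading's generated id. In the nested table, `pending_managed_certificate_id` is marked `(Output)` in its own description yet is listed as an argument with `Required = false`; it cannot be set by the user, so it belongs in an attributes/outputs section or should be marked read-only in the Required column rather than presented as an optional argument. The `certificate_id` row is marked `Security Impact = false`, but its own description says clearing it removes SSL support, which conflicts with the `ssl_settings` rationale one table up that all custom-domain traffic must be encrypted; either flag it as security-relevant or explain in the rationale that `AUTOMATIC` management makes it moot. Style: the `override_strategy` rationale starts lowercase ("to enforce ...") while every other rationale in the file is capitalised.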
17 changes: 17 additions & 0 deletions docs/gcp/App_Engine/app_engine_firewall_rule.md
@@ -0,0 +1,17 @@
## 🛡️ Policy Deployment Engine: `app_engine_firewall_rule`

This section provides a concise policy evaluation for the `app_engine_firewall_rule` resource in GCP.

Reference: [Terraform Registry – app_engine_firewall_rule](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_firewall_rule)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `source_range` | IP address or range, defined using CIDR notation, of requests that this rule applies to. | true | true | Enforces strict IP CIDR boundaries to minimize the application's attack surface by ensuring only trusted networks or specific geographic IP ranges can interact with the App Engine environment. | 192.168.1.0/24 | * |
| `action` | The action to take if this rule matches. Possible values are: `UNSPECIFIED_ACTION`, `ALLOW`, `DENY`. | true | true | Is the explicit binary outcome for a network request, ensuring that the firewall behaves as a definitive gatekeeper rather than allowing traffic to pass through ambiguity. | ALLOW | DENY |
| `description` | An optional string description of this rule. | false | false | Is an informative field that does not influence the network logic/security enforcement of the firewall rule. | None | None |
| `priority` | A positive integer that defines the order of rule evaluation. Rules with the lowest priority are evaluated first. A default rule at priority Int32.MaxValue matches all IPv4 and IPv6 traffic when no previous rule matches. Only the action of this rule can be modified by the user. | false | true | Enforces an ordering of firewall rules to ensure that specific security 'Allow' or 'Deny' logic is evaluated in the correct sequence. | 1000 | 2147483647 |
| `project` | If it is not provided, the provider project is used. | false | false | Is automatically constrained by the Google provider's project configuration, ensuring that firewall rules are strictly applied to the intended environment without manual entry. | None | None |
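Review bot: the `action` row's Compliant `ALLOW` / Non-Compliant `DENY` pairing contradicts its own rationale: `DENY` is a definitive outcome and the safer default for a firewall, while the ambiguous value the rationale warns against is `UNSPECIFIED_ACTION`, so the Non-Compliant example should be `UNSPECIFIED_ACTION`, or the row should state that compliance depends on the rule's intent (`DENY` for the default catch-all, `ALLOW` only for explicitly trusted ranges). Related, the `priority` row lists `2147483647` as Non-Compliant, but the description says the default rule sits at exactly that priority (Int32.MaxValue) and only its action is user-modifiable, so that value is not a misconfiguration a policy can flag; a more useful Non-Compliant example would be user-defined rules colliding on the same priority, or a broad allow rule ordered ahead of the deny rules meant to narrow it. Minor: the `source_range` Non-Compliant example `*` would be clearer with a note that it matches all IPv4 and IPv6 traffic, which is why it is unacceptable for anything but the default rule.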