diff --git a/.gitignore b/.gitignore
index b2df77f4e..87337288e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -100,6 +100,7 @@ dmypy.json
 *.tfstate
 *.tfstate.*
 *.tfstate.backup
+.tfshared/
 # Lock files (uncomment if you don't want to track lock files)
 # .terraform.lock.hcl
diff --git a/docs/gcp/Backup_for_GKE/gke_backup_backup_channel.md b/docs/gcp/Backup_for_GKE/gke_backup_backup_channel.md
new file mode 100644
index 000000000..9883086df
--- /dev/null
+++ b/docs/gcp/Backup_for_GKE/gke_backup_backup_channel.md
@@ -0,0 +1,18 @@
+## 🛡️ Policy Deployment Engine: `gke_backup_backup_channel`
+
+This section provides a concise policy evaluation for the `gke_backup_backup_channel` resource in GCP.
+
+Reference: [Terraform Registry – gke_backup_backup_channel](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_backup_backup_channel)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `name` | The full name of the BackupChannel Resource. | true | false | None | None | None |
+| `destination_project` | The project where Backups are allowed to be stored. The format is `projects/{project}`. {project} can be project number or project id. | true | true | Backups must be stored in a dedicated backup project to ensure isolation. | projects/backup-prod | projects/my-app-dev |
+| `location` | The region of the Backup Channel. | true | true | Data sovereignty requires backups to be stored in specific Australian regions. | australia-southeast1 | us-central1 |
+| `description` | User specified descriptive string for this BackupChannel. | false | false | None | None | None |
+| `labels` | Description: A set of custom labels supplied by the user. A list of key->value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | Labels are required for cost allocation and ownership tracking. | environment='prod', cost-center='123', owner='team' | missing required labels |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/Backup_for_GKE/gke_backup_backup_plan.md b/docs/gcp/Backup_for_GKE/gke_backup_backup_plan.md
new file mode 100644
index 000000000..942994e8b
--- /dev/null
+++ b/docs/gcp/Backup_for_GKE/gke_backup_backup_plan.md
@@ -0,0 +1,124 @@
+## 🛡️ Policy Deployment Engine: `gke_backup_backup_plan`
+
+This section provides a concise policy evaluation for the `gke_backup_backup_plan` resource in GCP.
+
+Reference: [Terraform Registry – gke_backup_backup_plan](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_backup_backup_plan)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `name` | The full name of the BackupPlan Resource. | true | false | None | None | None |
+| `cluster` | The source cluster from which Backups will be created via this BackupPlan. | true | false | None | None | None |
+| `location` | The region of the Backup Plan. | true | true | Data sovereignty requires backups to be stored in specific Australian regions. | australia-southeast1 | us-central1 |
+| `description` | User specified descriptive string for this BackupPlan. | false | false | None | None | None |
+| `retention_policy` | RetentionPolicy governs lifecycle of Backups created under this plan. Structure is [documented below](#nested_retention_policy). | false | false | None | None | None |
+| `labels` | Description: A set of custom labels supplied by the user. A list of key->value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | Labels are required for cost allocation and ownership tracking. | environment='prod', cost-center='123', owner='team' | missing required labels |
+| `backup_schedule` | Defines a schedule for automatic Backup creation via this BackupPlan. Structure is [documented below](#nested_backup_schedule). 
| false | false | None | None | None |
+| `deactivated` | This flag indicates whether this BackupPlan has been deactivated. Setting this field to True locks the BackupPlan such that no further updates will be allowed (except deletes), including the deactivated field itself. It also prevents any new Backups from being created via this BackupPlan (including scheduled Backups). | false | true | Deactivated plans do not create backups, putting data at risk. | false | true |
+| `backup_config` | Defines the configuration of Backups created via this BackupPlan. Structure is [documented below](#nested_backup_config). | false | true | Backup configuration must explicitly define secret handling and encryption. | See sub-arguments | See sub-arguments |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
+| `rpo_config` | | false | false | None | None | None |
+| `exclusion_windows` | | false | false | None | None | None |
+| `start_time` | | false | false | None | None | None |
+| `single_occurrence_date` | | false | false | None | None | None |
+| `days_of_week` | | false | false | None | None | None |
+| `encryption_key` | | false | false | None | None | None |
+| `selected_namespaces` | | false | false | None | None | None |
+| `selected_applications` | | false | false | None | None | None |
+| `namespaced_names` | | false | false | None | None | None |
+
+### retention_policy Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `backup_delete_lock_days` | Minimum age for a Backup created via this BackupPlan (in days). Must be an integer value between 0-90 (inclusive). A Backup created under this BackupPlan will not be deletable until it reaches Backup's (create time + backup_delete_lock_days). Updating this field of a BackupPlan does not affect existing Backups. 
Backups created after a successful update will inherit this new value. | false | false | None | None | None |
+| `backup_retain_days` | The default maximum age of a Backup created via this BackupPlan. This field MUST be an integer value >= 0 and <= 365. If specified, a Backup created under this BackupPlan will be automatically deleted after its age reaches (createTime + backupRetainDays). If not specified, Backups created under this BackupPlan will NOT be subject to automatic deletion. Updating this field does NOT affect existing Backups under it. Backups created AFTER a successful update will automatically pick up the new value. NOTE: backupRetainDays must be >= backupDeleteLockDays. If cronSchedule is defined, then this must be <= 360 * the creation interval. If rpo_config is defined, then this must be <= 360 * targetRpoMinutes/(1440minutes/day) | false | true | Retention period must be sufficient for disaster recovery but not exceed data retention policies (7-90 days). | 30 | 1 |
+| `locked` | This flag denotes whether the retention policy of this BackupPlan is locked. If set to True, no further update is allowed on this policy, including the locked field itself. | false | false | None | None | None |
+
+### backup_schedule Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `cron_schedule` | A standard cron string that defines a repeating schedule for creating Backups via this BackupPlan. This is mutually exclusive with the rpoConfig field since at most one schedule can be defined for a BackupPlan. If this is defined, then backupRetainDays must also be defined. | false | true | Backups should run during off-peak hours to minimize impact. | 0 2 * * * | * * * * * |
+| `paused` | This flag denotes whether automatic Backup creation is paused for this BackupPlan. 
| false | false | None | None | None |
+| `rpo_config` | Defines the RPO schedule configuration for this BackupPlan. This is mutually exclusive with the cronSchedule field since at most one schedule can be defined for a BackupPLan. If this is defined, then backupRetainDays must also be defined. Structure is [documented below](#nested_backup_schedule_rpo_config). | false | false | None | None | None |
+
+### backup_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `include_volume_data` | This flag specifies whether volume data should be backed up when PVCs are included in the scope of a Backup. | false | false | None | None | None |
+| `include_secrets` | This flag specifies whether Kubernetes Secret resources should be included when they fall into the scope of Backups. | false | false | None | None | None |
+| `encryption_key` | This defines a customer managed encryption key that will be used to encrypt the "config" portion (the Kubernetes resources) of Backups created via this plan. Structure is [documented below](#nested_backup_config_encryption_key). | false | false | None | None | None |
+| `all_namespaces` | If True, include all namespaced resources. | false | false | None | None | None |
+| `selected_namespaces` | If set, include just the resources in the listed namespaces. Structure is [documented below](#nested_backup_config_selected_namespaces). | false | false | None | None | None |
+| `selected_applications` | A list of namespaced Kubernetes Resources. Structure is [documented below](#nested_backup_config_selected_applications). | false | false | None | None | None |
+| `permissive_mode` | This flag specifies whether Backups will not fail when Backup for GKE detects Kubernetes configuration that is non-standard or requires additional setup to restore. 
| false | false | None | None | None |
+
+### rpo_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `target_rpo_minutes` | Defines the target RPO for the BackupPlan in minutes, which means the target maximum data loss in time that is acceptable for this BackupPlan. This must be at least 60, i.e., 1 hour, and at most 86400, i.e., 60 days. | true | false | None | None | None |
+| `exclusion_windows` | User specified time windows during which backup can NOT happen for this BackupPlan. Backups should start and finish outside of any given exclusion window. Note: backup jobs will be scheduled to start and finish outside the duration of the window as much as possible, but running jobs will not get canceled when it runs into the window. All the time and date values in exclusionWindows entry in the API are in UTC. We only allow <=1 recurrence (daily or weekly) exclusion window for a BackupPlan while no restriction on number of single occurrence windows. Structure is [documented below](#nested_backup_schedule_rpo_config_exclusion_windows). | false | false | None | None | None |
+
+### exclusion_windows Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `start_time` | Specifies the start time of the window using time of the day in UTC. Structure is [documented below](#nested_backup_schedule_rpo_config_exclusion_windows_exclusion_windows_start_time). | true | false | None | None | None |
+| `duration` | Specifies duration of the window in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". 
Restrictions for duration based on the recurrence type to allow some time for backup to happen: - single_occurrence_date: no restriction - daily window: duration < 24 hours - weekly window: - days of week includes all seven days of a week: duration < 24 hours - all other weekly window: duration < 168 hours (i.e., 24 * 7 hours) | true | false | None | None | None |
+| `single_occurrence_date` | No recurrence. The exclusion window occurs only once and on this date in UTC. Only one of singleOccurrenceDate, daily and daysOfWeek may be set. Structure is [documented below](#nested_backup_schedule_rpo_config_exclusion_windows_exclusion_windows_single_occurrence_date). | false | false | None | None | None |
+| `daily` | The exclusion window occurs every day if set to "True". Specifying this field to "False" is an error. Only one of singleOccurrenceDate, daily and daysOfWeek may be set. | false | false | None | None | None |
+| `days_of_week` | The exclusion window occurs on these days of each week in UTC. Only one of singleOccurrenceDate, daily and daysOfWeek may be set. Structure is [documented below](#nested_backup_schedule_rpo_config_exclusion_windows_exclusion_windows_days_of_week). | false | false | None | None | None |
+
+### start_time Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `hours` | Hours of day in 24 hour format. | false | false | None | None | None |
+| `minutes` | Minutes of hour of day. | false | false | None | None | None |
+| `seconds` | Seconds of minutes of the time. | false | false | None | None | None |
+| `nanos` | Fractions of seconds in nanoseconds. 
| false | false | None | None | None |
+
+### single_occurrence_date Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `year` | Year of the date. | false | false | None | None | None |
+| `month` | Month of a year. | false | false | None | None | None |
+| `day` | Day of a month. | false | false | None | None | None |
+
+### days_of_week Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `days_of_week` | A list of days of week. Each value may be one of: `MONDAY`, `TUESDAY`, `WEDNESDAY`, `THURSDAY`, `FRIDAY`, `SATURDAY`, `SUNDAY`. | false | false | None | None | None |
+
+### encryption_key Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `gcp_kms_encryption_key` | Google Cloud KMS encryption key. Format: projects/*/locations/*/keyRings/*/cryptoKeys/* | true | true | CMEK keys must be in the same region as the backup plan (australia-southeast1). | projects/p/locations/australia-southeast1/keyRings/k/cryptoKeys/c | projects/p/locations/us-central1/keyRings/k/cryptoKeys/c |
+
+### selected_namespaces Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `namespaces` | A list of Kubernetes Namespaces. 
| true | false | None | None | None |
+
+### selected_applications Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `namespaced_names` | A list of namespaced Kubernetes resources. Structure is [documented below](#nested_backup_config_selected_applications_namespaced_names). | true | false | None | None | None |
+
+### namespaced_names Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `namespace` | The namespace of a Kubernetes Resource. | true | false | None | None | None |
+| `name` | The name of a Kubernetes Resource. | true | false | None | None | None |
diff --git a/docs/gcp/Backup_for_GKE/gke_backup_backup_plan_iam.md b/docs/gcp/Backup_for_GKE/gke_backup_backup_plan_iam.md
new file mode 100644
index 000000000..669e5eb12
--- /dev/null
+++ b/docs/gcp/Backup_for_GKE/gke_backup_backup_plan_iam.md
@@ -0,0 +1,18 @@
+## 🛡️ Policy Deployment Engine: `gke_backup_backup_plan_iam`
+
+This section provides a concise policy evaluation for the `gke_backup_backup_plan_iam` resource in GCP.
+
+Reference: [Terraform Registry – gke_backup_backup_plan_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_backup_backup_plan_iam)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `location` | Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | false | false | None | None | None |
+| `name` | | false | false | None | None | None |
+| `project` | If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. | false | false | None | None | None |
+| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. 
* **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | true | Only corporate identities and internal service accounts are allowed. Personal emails and external accounts are blocked. | group:team@company.com | user:hacker@gmail.com |
+| `role` | `google_gke_backup_backup_plan_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | true | Least privilege principle: use specific backup roles. | roles/gkebackup.viewer | roles/owner |
+| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None |
diff --git a/docs/gcp/Backup_for_GKE/gke_backup_restore_channel.md b/docs/gcp/Backup_for_GKE/gke_backup_restore_channel.md
new file mode 100644
index 000000000..60c66ee9d
--- /dev/null
+++ b/docs/gcp/Backup_for_GKE/gke_backup_restore_channel.md
@@ -0,0 +1,18 @@
+## 🛡️ Policy Deployment Engine: `gke_backup_restore_channel`
+
+This section provides a concise policy evaluation for the `gke_backup_restore_channel` resource in GCP.
+
+Reference: [Terraform Registry – gke_backup_restore_channel](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_backup_restore_channel)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `name` | The full name of the RestoreChannel Resource. | true | false | None | None | None |
+| `destination_project` | The project where Backups will be restored. The format is `projects/{project}`. {project} can be project number or project id. | true | true | Restores must be performed in approved projects, typically the same region as the backup. | projects/restore-prod | projects/untrusted-dev |
+| `location` | The region of the Restore Channel. | true | true | Data sovereignty requires restores to occur in specific Australian regions. | australia-southeast1 | us-central1 |
+| `description` | User specified descriptive string for this RestoreChannel. | false | false | None | None | None |
+| `labels` | Description: A set of custom labels supplied by the user. A list of key->value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. | false | false | Labels are required for cost allocation and ownership tracking. | environment='prod', cost-center='123', owner='team' | missing required labels |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/Backup_for_GKE/gke_backup_restore_plan.md b/docs/gcp/Backup_for_GKE/gke_backup_restore_plan.md
new file mode 100644
index 000000000..ae92547cf
--- /dev/null
+++ b/docs/gcp/Backup_for_GKE/gke_backup_restore_plan.md
@@ -0,0 +1,167 @@
+## 🛡️ Policy Deployment Engine: `gke_backup_restore_plan`
+
+This section provides a concise policy evaluation for the `gke_backup_restore_plan` resource in GCP.
+
+Reference: [Terraform Registry – gke_backup_restore_plan](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_backup_restore_plan)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `name` | The full name of the BackupPlan Resource. | true | false | None | None | None |
+| `backup_plan` | A reference to the BackupPlan from which Backups may be used as the source for Restores created via this RestorePlan. | true | false | None | None | None |
+| `cluster` | The source cluster from which Restores will be created via this RestorePlan. | true | true | Restores must target a designated DR cluster in the approved region. | projects/*/locations/australia-southeast1/clusters/*-dr | projects/*/locations/us-central1/clusters/*-dr |
+| `restore_config` | Defines the configuration of Restores created via this RestorePlan. Structure is [documented below](#nested_restore_config). | true | false | None | None | None |
+| `location` | The region of the Restore Plan. | true | true | Restore plans must be created in the approved region (australia-southeast1). | australia-southeast1 | us-central1 |
+| `description` | User specified descriptive string for this RestorePlan. | false | false | None | None | None |
+| `labels` | Description: A set of custom labels supplied by the user. A list of key->value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource. 
| false | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
+| `excluded_namespaces` | | false | false | None | None | None |
+| `selected_namespaces` | | false | false | None | None | None |
+| `selected_applications` | | false | false | None | None | None |
+| `namespaced_names` | | false | false | None | None | None |
+| `cluster_resource_restore_scope` | | false | false | None | None | None |
+| `excluded_group_kinds` | | false | false | None | None | None |
+| `selected_group_kinds` | | false | false | None | None | None |
+| `transformation_rules` | | false | false | None | None | None |
+| `resource_filter` | | false | false | None | None | None |
+| `group_kinds` | | false | false | None | None | None |
+| `field_actions` | | false | false | None | None | None |
+| `volume_data_restore_policy_bindings` | | false | false | None | None | None |
+| `restore_order` | | false | false | None | None | None |
+| `group_kind_dependencies` | | false | false | None | None | None |
+| `satisfying` | | false | false | None | None | None |
+| `requiring` | | false | false | None | None | None |
+
+### restore_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `all_namespaces` | If True, restore all namespaced resources in the Backup. Setting this field to False will result in an error. | false | false | None | None | None |
+| `excluded_namespaces` | A list of selected namespaces excluded from restoration. All namespaces except those in this list will be restored. Structure is [documented below](#nested_restore_config_excluded_namespaces). | false | false | None | None | None |
+| `selected_namespaces` | A list of selected namespaces to restore from the Backup. 
The listed Namespaces and all resources contained in them will be restored. Structure is [documented below](#nested_restore_config_selected_namespaces). | false | false | None | None | None |
+| `selected_applications` | A list of selected ProtectedApplications to restore. The listed ProtectedApplications and all the resources to which they refer will be restored. Structure is [documented below](#nested_restore_config_selected_applications). | false | false | None | None | None |
+| `no_namespaces` | Do not restore any namespaced resources if set to "True". Specifying this field to "False" is not allowed. | false | false | None | None | None |
+| `namespaced_resource_restore_mode` | Defines the behavior for handling the situation where sets of namespaced resources being restored already exist in the target cluster. This MUST be set to a value other than `NAMESPACED_RESOURCE_RESTORE_MODE_UNSPECIFIED` if the `namespacedResourceRestoreScope` is anything other than `noNamespaces`. See https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/RestoreConfig#namespacedresourcerestoremode for more information on each mode. Possible values are: `DELETE_AND_RESTORE`, `FAIL_ON_CONFLICT`, `MERGE_SKIP_ON_CONFLICT`, `MERGE_REPLACE_VOLUME_ON_CONFLICT`, `MERGE_REPLACE_ON_CONFLICT`. | false | false | None | None | None |
+| `volume_data_restore_policy` | Specifies the mechanism to be used to restore volume data. This should be set to a value other than `NAMESPACED_RESOURCE_RESTORE_MODE_UNSPECIFIED` if the `namespacedResourceRestoreScope` is anything other than `noNamespaces`. If not specified, it will be treated as `NO_VOLUME_DATA_RESTORATION`. See https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/RestoreConfig#VolumeDataRestorePolicy for more information on each policy option. Possible values are: `RESTORE_VOLUME_DATA_FROM_BACKUP`, `REUSE_VOLUME_HANDLE_FROM_BACKUP`, `NO_VOLUME_DATA_RESTORATION`. 
| false | false | None | None | None |
+| `cluster_resource_restore_scope` | Identifies the cluster-scoped resources to restore from the Backup. Structure is [documented below](#nested_restore_config_cluster_resource_restore_scope). | false | false | None | None | None |
+| `cluster_resource_conflict_policy` | Defines the behavior for handling the situation where cluster-scoped resources being restored already exist in the target cluster. This MUST be set to a value other than `CLUSTER_RESOURCE_CONFLICT_POLICY_UNSPECIFIED` if `clusterResourceRestoreScope` is anyting other than `noGroupKinds`. See https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/RestoreConfig#clusterresourceconflictpolicy for more information on each policy option. Possible values are: `USE_EXISTING_VERSION`, `USE_BACKUP_VERSION`. | false | true | Conflict policy should default to using existing versions to preserve state stability. | USE_EXISTING_VERSION | USE_BACKUP_VERSION |
+| `transformation_rules` | A list of transformation rules to be applied against Kubernetes resources as they are selected for restoration from a Backup. Rules are executed in order defined - this order matters, as changes made by a rule may impact the filtering logic of subsequent rules. An empty list means no transformation will occur. Structure is [documented below](#nested_restore_config_transformation_rules). | false | false | None | None | None |
+| `volume_data_restore_policy_bindings` | A table that binds volumes by their scope to a restore policy. Bindings must have a unique scope. Any volumes not scoped in the bindings are subject to the policy defined in volume_data_restore_policy. Structure is [documented below](#nested_restore_config_volume_data_restore_policy_bindings). | false | false | None | None | None |
+| `restore_order` | It contains custom ordering to use on a Restore. Structure is [documented below](#nested_restore_config_restore_order). 
| false | false | None | None | None |
+
+### excluded_namespaces Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `namespaces` | A list of Kubernetes Namespaces. | true | false | None | None | None |
+
+### selected_namespaces Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `namespaces` | A list of Kubernetes Namespaces. | true | false | None | None | None |
+
+### selected_applications Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `namespaced_names` | A list of namespaced Kubernetes resources. Structure is [documented below](#nested_restore_config_selected_applications_namespaced_names). | true | false | None | None | None |
+
+### namespaced_names Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `namespace` | The namespace of a Kubernetes Resource. | true | false | None | None | None |
+| `name` | The name of a Kubernetes Resource. | true | false | None | None | None |
+
+### cluster_resource_restore_scope Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `all_group_kinds` | If True, all valid cluster-scoped resources will be restored. Mutually exclusive to any other field in `clusterResourceRestoreScope`. 
| false | true | Avoid full cluster restores to prevent overwriting critical existing resources unless explicitly intended. | selected_group_kinds | all_group_kinds=true | +| `excluded_group_kinds` | A list of cluster-scoped resource group kinds to NOT restore from the backup. If specified, all valid cluster-scoped resources will be restored except for those specified in the list. Mutually exclusive to any other field in `clusterResourceRestoreScope`. Structure is [documented below](#nested_restore_config_cluster_resource_restore_scope_excluded_group_kinds). | false | false | None | None | None | +| `selected_group_kinds` | A list of cluster-scoped resource group kinds to restore from the backup. If specified, only the selected resources will be restored. Mutually exclusive to any other field in the `clusterResourceRestoreScope`. Structure is [documented below](#nested_restore_config_cluster_resource_restore_scope_selected_group_kinds). | false | false | None | None | None | +| `no_group_kinds` | If True, no cluster-scoped resources will be restored. Mutually exclusive to any other field in `clusterResourceRestoreScope`. | false | false | None | None | None | + +### excluded_group_kinds Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `resource_group` | API Group string of a Kubernetes resource, e.g. "apiextensions.k8s.io", "storage.k8s.io", etc. Use empty string for core group. | false | false | None | None | None | +| `resource_kind` | Kind of a Kubernetes resource, e.g. "CustomResourceDefinition", "StorageClass", etc. 
| false | false | None | None | None | + +### selected_group_kinds Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `resource_group` | API Group string of a Kubernetes resource, e.g. "apiextensions.k8s.io", "storage.k8s.io", etc. Use empty string for core group. | false | false | None | None | None | +| `resource_kind` | Kind of a Kubernetes resource, e.g. "CustomResourceDefinition", "StorageClass", etc. | false | false | None | None | None | + +### transformation_rules Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `description` | The description is a user specified string description of the transformation rule. | false | false | None | None | None | +| `resource_filter` | This field is used to specify a set of fields that should be used to determine which resources in backup should be acted upon by the supplied transformation rule actions, and this will ensure that only specific resources are affected by transformation rule actions. Structure is [documented below](#nested_restore_config_transformation_rules_transformation_rules_resource_filter). | false | false | None | None | None | +| `field_actions` | A list of transformation rule actions to take against candidate resources. Actions are executed in order defined - this order matters, as they could potentially interfere with each other and the first operation could affect the outcome of the second operation. Structure is [documented below](#nested_restore_config_transformation_rules_transformation_rules_field_actions). 
| true | false | None | None | None | + +### resource_filter Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `namespaces` | (Filtering parameter) Any resource subject to transformation must be contained within one of the listed Kubernetes Namespace in the Backup. If this field is not provided, no namespace filtering will be performed (all resources in all Namespaces, including all cluster-scoped resources, will be candidates for transformation). To mix cluster-scoped and namespaced resources in the same rule, use an empty string ("") as one of the target namespaces. | false | false | None | None | None | +| `group_kinds` | (Filtering parameter) Any resource subject to transformation must belong to one of the listed "types". If this field is not provided, no type filtering will be performed (all resources of all types matching previous filtering parameters will be candidates for transformation). Structure is [documented below](#nested_restore_config_transformation_rules_transformation_rules_resource_filter_group_kinds). | false | false | None | None | None | +| `json_path` | This is a JSONPath expression that matches specific fields of candidate resources and it operates as a filtering parameter (resources that are not matched with this expression will not be candidates for transformation). | false | false | None | None | None | + +### group_kinds Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `resource_group` | API Group string of a Kubernetes resource, e.g. "apiextensions.k8s.io", "storage.k8s.io", etc. Use empty string for core group. | false | false | None | None | None | +| `resource_kind` | Kind of a Kubernetes resource, e.g. 
"CustomResourceDefinition", "StorageClass", etc. | false | false | None | None | None | + +### field_actions Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `op` | Specifies the operation to perform. Possible values are: `REMOVE`, `MOVE`, `COPY`, `ADD`, `TEST`, `REPLACE`. | true | false | None | None | None | +| `from_path` | A string containing a JSON Pointer value that references the location in the target document to move the value from. | false | false | None | None | None | +| `path` | A string containing a JSON-Pointer value that references a location within the target document where the operation is performed. | false | false | None | None | None | +| `value` | A string that specifies the desired value in string format to use for transformation. | false | false | None | None | None | + +### volume_data_restore_policy_bindings Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `policy` | Specifies the mechanism to be used to restore this volume data. See https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/RestoreConfig#VolumeDataRestorePolicy for more information on each policy option. Possible values are: `RESTORE_VOLUME_DATA_FROM_BACKUP`, `REUSE_VOLUME_HANDLE_FROM_BACKUP`, `NO_VOLUME_DATA_RESTORATION`. | true | false | None | None | None | +| `volume_type` | The volume type, as determined by the PVC's bound PV, to apply the policy to. Possible values are: `GCE_PERSISTENT_DISK`. 
| true | false | None | None | None | + +### restore_order Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `group_kind_dependencies` | A list of group kind dependency pairs that is used by Backup for GKE to generate a group kind restore order. Structure is [documented below](#nested_restore_config_restore_order_group_kind_dependencies). | true | false | None | None | None | + +### group_kind_dependencies Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `satisfying` | The satisfying group kind must be restored first in order to satisfy the dependency. Structure is [documented below](#nested_restore_config_restore_order_group_kind_dependencies_group_kind_dependencies_satisfying). | true | false | None | None | None | +| `requiring` | The requiring group kind requires that the satisfying group kind be restored first. Structure is [documented below](#nested_restore_config_restore_order_group_kind_dependencies_group_kind_dependencies_requiring). | true | false | None | None | None | + +### satisfying Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `resource_group` | API Group of a Kubernetes resource, e.g. "apiextensions.k8s.io", "storage.k8s.io", etc. Use empty string for core group. | false | false | None | None | None | +| `resource_kind` | Kind of a Kubernetes resource, e.g. "CustomResourceDefinition", "StorageClass", etc. 
| false | false | None | None | None | + +### requiring Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `resource_group` | API Group of a Kubernetes resource, e.g. "apiextensions.k8s.io", "storage.k8s.io", etc. Use empty string for core group. | false | false | None | None | None | +| `resource_kind` | Kind of a Kubernetes resource, e.g. "CustomResourceDefinition", "StorageClass", etc. | false | false | None | None | None | diff --git a/docs/gcp/Backup_for_GKE/gke_backup_restore_plan_iam.md b/docs/gcp/Backup_for_GKE/gke_backup_restore_plan_iam.md new file mode 100644 index 000000000..23a84d577 --- /dev/null +++ b/docs/gcp/Backup_for_GKE/gke_backup_restore_plan_iam.md 
@@ -0,0 +1,18 @@ +## 🛡️ Policy Deployment Engine: `gke_backup_restore_plan_iam` + +This section provides a concise policy evaluation for the `gke_backup_restore_plan_iam` resource in GCP. + +Reference: [Terraform Registry – gke_backup_restore_plan_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_backup_restore_plan_iam) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `location` | Used to find the parent resource to bind the IAM policy to. If not specified, the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | false | false | None | None | None | +| `name` | | false | false | None | None | None | +| `project` | If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. | false | false | None | None | None | +| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. 
* **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | true | Only corporate identities and internal service accounts are allowed. Cross-project groups and personal emails are blocked. | group:team@company.com | group:external@other.com | +| `role` | `google_gke_backup_restore_plan_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | true | Least privilege principle: use specific restore roles. | roles/gkebackup.restoreAdmin | roles/owner | +| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None | diff --git a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_channel.json b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_channel.json index 9f76a988f..ed9acfbd7 100644 --- a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_channel.json +++ b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_channel.json 
@@ -14,19 +14,19 @@
 "destination_project": {
 "description": "The project where Backups are allowed to be stored. The format is `projects/{project}`. {project} can be project number or project id.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Backups must be stored in a dedicated backup project to ensure isolation.",
+ "compliant": "projects/backup-prod",
+ "non-compliant": "projects/my-app-dev",
 "parent": null
 },
 "location": {
 "description": "The region of the Backup Channel.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Data sovereignty requires backups to be stored in specific Australian regions.",
+ "compliant": "australia-southeast1",
+ "non-compliant": "us-central1",
 "parent": null
 },
 "description": {
@@ -41,10 +41,10 @@
 "labels": {
 "description": "Description: A set of custom labels supplied by the user. A list of key->value pairs. Example: { \"name\": \"wrench\", \"mass\": \"1.3kg\", \"count\": \"3\" }. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Labels are required for cost allocation and ownership tracking.",
+ "compliant": "environment='prod', cost-center='123', owner='team'",
+ "non-compliant": "missing required labels",
 "parent": null
 },
 "project": {
diff --git a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_plan.json b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_plan.json
index 7ded8e92a..0ceaadbfb 100644
--- a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_plan.json
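Review bot: `labels` is marked `"security_impact": true` in this hunk, but the same argument with the identical rationale "Labels are required for cost allocation and ownership tracking." is marked `"security_impact": false` in gke_backup_backup_plan.json (its `@@ -79` hunk) and in gke_backup_restore_channel.json (its `@@ -41` hunk). A policy engine keyed on that flag would enforce labels on backup channels but not on backup plans or restore channels, and nothing in the rationale explains the difference. Pick one value for all three entries; if ownership tracking is meant as a governance control, set `"security_impact": true` everywhere, otherwise set it to `false` everywhere and keep the rationale as informational.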
+++ b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_plan.json
@@ -23,10 +23,10 @@
 "location": {
 "description": "The region of the Backup Plan.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Data sovereignty requires backups to be stored in specific Australian regions.",
+ "compliant": "australia-southeast1",
+ "non-compliant": "us-central1",
 "parent": null
 },
 "description": {
@@ -59,10 +59,10 @@
 "backup_retain_days": {
 "description": "The default maximum age of a Backup created via this BackupPlan. This field MUST be an integer value >= 0 and <= 365. If specified, a Backup created under this BackupPlan will be automatically deleted after its age reaches (createTime + backupRetainDays). If not specified, Backups created under this BackupPlan will NOT be subject to automatic deletion. Updating this field does NOT affect existing Backups under it. Backups created AFTER a successful update will automatically pick up the new value. NOTE: backupRetainDays must be >= backupDeleteLockDays. If cronSchedule is defined, then this must be <= 360 * the creation interval. If rpo_config is defined, then this must be <= 360 * targetRpoMinutes/(1440minutes/day)",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Retention period must be sufficient for disaster recovery but not exceed data retention policies (7-90 days).",
+ "compliant": "30",
+ "non-compliant": "1",
 "parent": "retention_policy"
 },
 "locked": {
@@ -79,10 +79,10 @@
 "labels": {
 "description": "Description: A set of custom labels supplied by the user. A list of key->value pairs. Example: { \"name\": \"wrench\", \"mass\": \"1.3kg\", \"count\": \"3\" }. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": false,
+ "rationale": "Labels are required for cost allocation and ownership tracking.",
+ "compliant": "environment='prod', cost-center='123', owner='team'",
+ "non-compliant": "missing required labels",
 "parent": null
 },
 "backup_schedule": {
@@ -97,10 +97,10 @@
 "cron_schedule": {
 "description": "A standard cron string that defines a repeating schedule for creating Backups via this BackupPlan. This is mutually exclusive with the rpoConfig field since at most one schedule can be defined for a BackupPlan. If this is defined, then backupRetainDays must also be defined.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Backups should run during off-peak hours to minimize impact.",
+ "compliant": "0 2 * * *",
+ "non-compliant": "* * * * *",
 "parent": "backup_schedule"
 },
 "paused": {
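Review bot: `cron_schedule` is flagged `"security_impact": true` in the `@@ -97` hunk, but the rationale given, "Backups should run during off-peak hours to minimize impact.", is a load concern rather than a security property, and the non-compliant example `* * * * *` (every minute) would be rejected on load grounds only. If the intent is a recoverability control, the rationale should say what the schedule protects, e.g. `"rationale": "A backup schedule must be defined so Backups are taken at a predictable cadence; the interval determines the achievable recovery point."`; if it really is only a timing preference, set `"security_impact": false` so the engine does not report it as a security finding.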
@@ -126,19 +126,19 @@
 "deactivated": {
 "description": "This flag indicates whether this BackupPlan has been deactivated. Setting this field to True locks the BackupPlan such that no further updates will be allowed (except deletes), including the deactivated field itself. It also prevents any new Backups from being created via this BackupPlan (including scheduled Backups).",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Deactivated plans do not create backups, putting data at risk.",
+ "compliant": "false",
+ "non-compliant": "true",
 "parent": null
 },
 "backup_config": {
 "description": "Defines the configuration of Backups created via this BackupPlan. Structure is [documented below](#nested_backup_config).",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Backup configuration must explicitly define secret handling and encryption.",
+ "compliant": "See sub-arguments",
+ "non-compliant": "See sub-arguments",
 "parent": null,
 "arguments": {
 "include_volume_data": {
@@ -417,10 +417,10 @@
 "gcp_kms_encryption_key": {
 "description": "Google Cloud KMS encryption key. Format: projects/*/locations/*/keyRings/*/cryptoKeys/*",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "CMEK keys must be in the same region as the backup plan (australia-southeast1).",
+ "compliant": "projects/p/locations/australia-southeast1/keyRings/k/cryptoKeys/c",
+ "non-compliant": "projects/p/locations/us-central1/keyRings/k/cryptoKeys/c",
 "parent": "encryption_key"
 }
 }
diff --git a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_plan_iam.json b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_plan_iam.json
index 25f1a51ad..95419ecda 100644
--- a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_plan_iam.json
+++ b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_backup_plan_iam.json
@@ -31,20 +31,18 @@
 },
 "member/members": {
 "description": "Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, \"projectOwner:my-example-project\" * **projectEditor:projectid**: Editors of the given project. For example, \"projectEditor:my-example-project\" * **projectViewer:projectid**: Viewers of the given project. For example, \"projectViewer:my-example-project\"",
- "required": null,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Only corporate identities and internal service accounts are allowed. Personal emails and external accounts are blocked.",
+ "compliant": "group:team@company.com",
+ "non-compliant": "user:hacker@gmail.com",
 "parent": null
 },
 "role": {
 "description": "`google_gke_backup_backup_plan_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.",
- "required": null,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Least privilege principle: use specific backup roles.",
+ "compliant": "roles/gkebackup.viewer",
+ "non-compliant": "roles/owner",
 "parent": null
 },
 "policy_data": {
diff --git a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_channel.json b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_channel.json
index 5935d7987..402e7cd75 100644
--- a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_channel.json
+++ b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_channel.json
@@ -14,19 +14,19 @@
 "destination_project": {
 "description": "The project where Backups will be restored. The format is `projects/{project}`. {project} can be project number or project id.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Restores must be performed in approved projects, typically the same region as the backup.",
+ "compliant": "projects/restore-prod",
+ "non-compliant": "projects/untrusted-dev",
 "parent": null
 },
 "location": {
 "description": "The region of the Restore Channel.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Data sovereignty requires restores to occur in specific Australian regions.",
+ "compliant": "australia-southeast1",
+ "non-compliant": "us-central1",
 "parent": null
 },
 "description": {
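Review bot: The two `- "required": null,` lines under `member/members` and `role` are removed without a replacement (the hunk header's 20→18 confirms it), so after this change those two entries no longer carry a `required` key while every other argument in this file, and the same two arguments in gke_backup_restore_plan_iam.json (its `@@ -32` hunk keeps `"required": null` as context), still do. Anything that reads `required` from these records will see a missing key rather than `null` for exactly these two entries; keep `"required": null,` (or set it to `false`) so the record shape stays uniform. Separately, the description lists `allUsers` and `allAuthenticatedUsers`, the two member values that make the binding public, yet the rationale only blocks personal and external accounts and the non-compliant example is a personal address, so a check built from this record would not flag the riskiest value. Name those values in the rationale and use one as the example, e.g. `"non-compliant": "allUsers"`; the same applies to the `member/members` entry in the gke_backup_restore_plan_iam.json hunk.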
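Review bot: The rationale added for `destination_project` in gke_backup_restore_channel.json, "Restores must be performed in approved projects, typically the same region as the backup.", mixes two controls: this argument selects a project, and the region constraint belongs to the `location` entry directly below it, which already carries the data-sovereignty rationale. Keep this rationale to the project boundary so the two findings do not overlap, e.g. `"rationale": "Restores must target an approved restore project so backup data cannot be written into an unapproved project."`.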
@@ -41,10 +41,10 @@
 "labels": {
 "description": "Description: A set of custom labels supplied by the user. A list of key->value pairs. Example: { \"name\": \"wrench\", \"mass\": \"1.3kg\", \"count\": \"3\" }. **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": false,
+ "rationale": "Labels are required for cost allocation and ownership tracking.",
+ "compliant": "environment='prod', cost-center='123', owner='team'",
+ "non-compliant": "missing required labels",
 "parent": null
 },
 "project": {
diff --git a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_plan.json b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_plan.json
index 6ed3801c8..1cea25fe5 100644
--- a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_plan.json
+++ b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_plan.json
@@ -23,10 +23,10 @@
 "cluster": {
 "description": "The source cluster from which Restores will be created via this RestorePlan.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Restores must target a designated DR cluster in the approved region.",
+ "compliant": "projects/*/locations/australia-southeast1/clusters/*-dr",
+ "non-compliant": "projects/*/locations/us-central1/clusters/*-dr",
 "parent": null
 },
 "restore_config": {
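Review bot: The `compliant` and `non-compliant` examples for `cluster` in the gke_backup_restore_plan.json `@@ -23` hunk differ only in region (`australia-southeast1` vs `us-central1`), so the "designated DR cluster" half of the rationale is never illustrated, and both are written as glob patterns (`projects/*/locations/…/clusters/*-dr`) while every other example in these files is a literal value. If the engine compares these literally, the wildcard form will never equal a real cluster name; if it treats them as patterns, the rationale should say so. A non-compliant example that breaks the DR rule rather than the region rule, such as an in-region cluster name without the `-dr` suffix, would make both halves of the rationale checkable.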
@@ -113,10 +113,10 @@
 "cluster_resource_conflict_policy": {
 "description": "Defines the behavior for handling the situation where cluster-scoped resources being restored already exist in the target cluster. This MUST be set to a value other than `CLUSTER_RESOURCE_CONFLICT_POLICY_UNSPECIFIED` if `clusterResourceRestoreScope` is anyting other than `noGroupKinds`. See https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/reference/rest/v1/RestoreConfig#clusterresourceconflictpolicy for more information on each policy option. Possible values are: `USE_EXISTING_VERSION`, `USE_BACKUP_VERSION`.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Conflict policy should default to using existing versions to preserve state stability.",
+ "compliant": "USE_EXISTING_VERSION",
+ "non-compliant": "USE_BACKUP_VERSION",
 "parent": "restore_config"
 },
 "transformation_rules": {
@@ -151,10 +151,10 @@
 "location": {
 "description": "The region of the Restore Plan.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Restore plans must be created in the approved region (australia-southeast1).",
+ "compliant": "australia-southeast1",
+ "non-compliant": "us-central1",
 "parent": null
 },
 "description": {
@@ -285,10 +285,10 @@
 "all_group_kinds": {
 "description": "If True, all valid cluster-scoped resources will be restored. Mutually exclusive to any other field in `clusterResourceRestoreScope`.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Avoid full cluster restores to prevent overwriting critical existing resources unless explicitly intended.",
+ "compliant": "selected_group_kinds",
+ "non-compliant": "all_group_kinds=true",
 "parent": "cluster_resource_restore_scope"
 },
 "excluded_group_kinds": {
diff --git a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_plan_iam.json b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_plan_iam.json
index 6b64d1691..c773a690f 100644
--- a/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_plan_iam.json
+++ b/docs/gcp/Backup_for_GKE/resource_json/gke_backup_restore_plan_iam.json
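Review bot: `all_group_kinds` is a boolean (its description reads "If True, all valid cluster-scoped resources will be restored"), but the added `"compliant": "selected_group_kinds"` and `"non-compliant": "all_group_kinds=true"` are a sibling field name and a key=value fragment, not values this field can take, so a check that compares the field against these examples can never match either of them. The `deactivated` entry in gke_backup_backup_plan.json already uses `"compliant": "false"` / `"non-compliant": "true"` for a boolean; use the same form here, `"compliant": "false"` and `"non-compliant": "true"`, and move the "prefer `selected_group_kinds`" guidance into the rationale text.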
@@ -32,19 +32,19 @@
 "member/members": {
 "description": "Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, \"projectOwner:my-example-project\" * **projectEditor:projectid**: Editors of the given project. For example, \"projectEditor:my-example-project\" * **projectViewer:projectid**: Viewers of the given project. For example, \"projectViewer:my-example-project\"",
 "required": null,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Only corporate identities and internal service accounts are allowed. Cross-project groups and personal emails are blocked.",
+ "compliant": "group:team@company.com",
+ "non-compliant": "group:external@other.com",
 "parent": null
 },
 "role": {
 "description": "`google_gke_backup_restore_plan_iam_binding` can be used per role. 
Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.", "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Least privilege principle: use specific restore roles.", + "compliant": "roles/gkebackup.restoreAdmin", + "non-compliant": "roles/owner", "parent": null }, "policy_data": { diff --git a/docs/gcp/_helpers/helpers.md b/docs/gcp/_helpers/helpers.md new file mode 100644 index 000000000..9fe0bc140 --- /dev/null +++ b/docs/gcp/_helpers/helpers.md @@ -0,0 +1,856 @@ +# terraform.gcp.helpers Documentation + +**Tested on:** OPA Version 1.2.0, Rego Version v1
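Review bot: In the `member/members` entry of the restore-plan IAM hunk (starting on the previous line, @@ -32) the non-compliant column lists only `group:external@other.com`, while the field's own description enumerates `allUsers` and `allAuthenticatedUsers` — the two principals that make a restore-plan binding reachable by anyone on the internet or by any Google account, and the first things a policy on this attribute should reject. The rationale also says personal emails are blocked, but no `user:` example appears in either column. Suggest `"non-compliant": "allUsers, allAuthenticatedUsers, user:someone@gmail.com, group:external@other.com"` and `"compliant": "group:team@company.com, serviceAccount:restore-runner@PROJECT_ID_PLACEHOLDER.iam.gserviceaccount.com"` so the generated policy covers both the public principals and the identity types the rationale names. For `role`, `roles/owner` as the sole non-compliant example leaves the other primitive roles (`roles/editor`, `roles/viewer`) unmentioned; listing them alongside `roles/owner` would match the least-privilege rationale.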
+**Purpose:** Provides helper functions for GCP Terraform compliance policies, including resource handling, array checks, attribute formatting, range tests, and empty value handling. + +## +**Last updated:** 21 September 2025 (T2 2025)
+**By:** Visal Dam + +--- +## Table of Contents + +1. [Architecture](#architecture) +2. [Utility Functions](#utility-functions) +3. [Entry Functions](#entry-functions) +4. [Policy Types](#policy-types) +5. [Tips](#tips) +6. [Development Team](#development-team) +--- + +## Architecture +The helpers is built on Rego, which is a declarative language. Hence, development is very different compared to popular functional langauges. + +In a declarative language, think of functions as being built out of conditions which are all assumed true. If any condition is not, then the function does not execute any further. + +Development of the helpers should be backwards-compatible. All new features should ensure that previously-made policies remain supported - unless you come across something far too critical. + +Our policies check for non-compliance. When a condition or situation is "triggered", it means that the resource(s) - and by extension the entire configuration - is non-compliant. + +Our policies assess only values that are prone to misconfiguration. This is the main objective of the PDE. This means that values that are not allowed Terraform are irrelevant; otherwise, they would not be generated in the json plan in the firt place. For example, consider the attribute "number_of_cpus", which should take integer values by default. Hence, policies or methods to check if the input is a string is irrelevant. + +## Utility Functions +### get_resource_name() +```rego +get_resource_name(this_nc_resource, value_name) = resource_name if { + this_nc_resource.values[value_name] + resource_name := this_nc_resource.values[value_name] +} else = resource_name if { + resource_name := this_nc_resource[value_name] +} else = null if { + print(sprintf("Resource name for '%s' was not found! Your 'resource_value_name' in vars is wrong. 
Try 'resource_value_name': 'name'.", [this_nc_resource.type])) +} +``` +#### Notes +Likely to be depreceated - just have all resources collected by resource_name, set to c1, c2, ..., nc1, nc2, ... etc. + +### resource_type_match() +```rego +# for resource filtering +resource_type_match(resource, resource_type) if { + resource.type == resource_type +} +``` +#### Notes +A json plan may contain multiple resources. This function ensures that only the resources of interest are collected. + +### get_all_resources() +```rego +# returns all resouce blocks in json plan of given type +get_all_resources(resource_type) = resources if +{ + resources := [ + resource | + resource := input.planned_values.root_module.resources[_] + resource_type_match(resource, resource_type) + ] +} +``` +#### Notes +This returns all the resource blocks (their config values and attributes) in the json plan, based on their resource type. + +### get_policy_type() +```rego +# extract policy type +get_policy_type(chosen_type) = policy_type if { + policy_type := policy_types[_] + policy_type == chosen_type +} +``` +#### Notes +Simple array checker. 
+ +### Attribute Path Mapping +```rego +# returns workable string for Rego's object.get() +format_attribute_path(attribute_path) = string_path if { + is_array(attribute_path) + string_path := concat(".", get_attribute_path(attribute_path)) +} + +format_attribute_path(attribute_path) = string_path if { + is_string(attribute_path) + string_path := replace(attribute_path, "_", " ") +} + +# converts given attribute path into workable string for Rego's object.get() +get_attribute_path(attribute_path) = result if { + is_array(attribute_path) + result := [ val | + x := attribute_path[_] + val := convert_value(x) + ] +} + +# converts values from an int to a string but leaves strings as is +convert_value(x) = string if { + type_name(x) == "number" + string := sprintf("[%v]", [x]) +} + +convert_value(x) = x if { + type_name(x) == "string" +} +``` +#### Notes +N/A + +### Presence Checks() +```rego +# empty_message: if empty, return fomratted warning +empty_message(value) = msg if { + is_empty(value) + msg = " (!!!EMPTY!!!)" +} + +# empty_message: if present, return nothing (space) +empty_message(value) = msg if { + not is_empty(value) + msg = "" +} + +# checks if value is empty space +is_empty(value) if { + value == "" +} +``` +#### Notes +Checks if assessed value is empty. Integrable functions where it is added by default to all messages to be formatted. If empty, displays warning. If not, leaves as is. 
+ +### get_value_from_array() +```rego +get_value_from_array(arr, key) = value if { + some i + obj := arr[i] + obj[key] != null + value := obj[key] +} +``` +#### Notes +N/A + +### check_empty_set() +```rego +# checks if a set is empty and returns a message if it is +check_empty_set(set,msg) = return if { + count(set) == 0 + return := [msg] +} +check_empty_set(set,msg) = return if { + count(set) != 0 + return := set +} +``` +#### Notes +N/A + +### intersection_all() +```rego +intersection_all(sets) = result if { + result = {x | + x = sets[0][_] + all_other := [s | s := sets[_]] + every s in all_other { x in s } + } +} +``` +#### Notes +Custom intersection function, used in processing resource violations. + +## Entry Functions + +### Main +```rego +get_multi_summary(situations, variables) = summary if { + resource_type := variables.resource_type + friendly_resource_name := variables.friendly_resource_name + value_name := variables.resource_value_name + all_resources := get_all_resources(resource_type) + violations := check_violations(resource_type, situations, friendly_resource_name, value_name) + violations_object := process_violations(violations) + formatted_message := format_violations(violations_object) + summary := { + "message": array.concat( + [sprintf("Total %s detected: %d ", [friendly_resource_name, count(all_resources)])], + formatted_message + ), + "details": violations_object + } +} else := "Policy type not supported." +``` +#### Notes +Unpacks the policy into its core components. Situtations have their descriptions, remedies, and conditions (as well as each condition's attribute paths, allowed/disallowed values, and policy types) extracted. + +All resources of interest from the json plan are extracted. Then, we for each resource, we check for non-compliance at the situation level (check_violations() below). 
Remember that for a situation composed of multiple conditions c1, c2, ..., etc., all of the conditions must be triggered for the situation to be triggered. For a policy composed of multiple situations, any of those triggered situations will trigger the entire policy. + +### Policy Selectors +
+select_policy_logic() + +```rego +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[0] # Blacklist + results := get_blacklist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) +} + +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[1] # Whitelist + results := get_whitelist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) +} + +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[2] # Range (Upper and lower bounds) + values_formatted_range := format_range_input(values_formatted[0], values_formatted[1]) + results := get_range_violations(resource_type, attribute_path, values_formatted_range, friendly_resource_name, value_name) +} + +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[3] # Patterns (B) + results := get_pattern_blacklist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) +} + +select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, chosen_type, value_name) = results if { + chosen_type == policy_types[4] # Patterns (W) + results := get_pattern_whitelist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) +} +``` +
+ +#### Notes +N/A + +### check_violations() +```rego +check_violations(resource_type, situations, friendly_resource_name, value_name) = violations if { + some i + violations := [ + msg | + msg := check_conditions(resource_type, situations[i], friendly_resource_name, value_name) + ] +} +``` +#### Notes +This function operates at the policy -> situation(s) level. For each situation (in the list of situations), we call check_conditions() below. + +### check_conditions() +```rego +check_conditions(resource_type, situation, friendly_resource_name, value_name) = violations if { + messages := [ + msg | + condition := situation[_] + condition_name := condition.condition + attribute_path := condition.attribute_path + values := condition.values + pol := lower(condition.policy_type) + pol == get_policy_type(pol) + values_formatted = array_check(values) + msg := {condition_name : select_policy_logic(resource_type, attribute_path, values_formatted, friendly_resource_name, pol, value_name)} + ] + sd := get_value_from_array(situation,"situation_description") + remedies := get_value_from_array(situation,"remedies") + violations := { + "situation_description": sd, + "remedies": remedies, + "all_conditions": messages + } +} +``` +#### Notes +This function operates at the situation -> conditon(s) level. Here we enumerate each condition for a situation, extracting key components. We are now working on the condition level. We then apply policy logic depending on the policy type. We also format the inputs to expected forms. We collect all instances of non-compliance as "msg" dictionary objects, which contains the output non-compliance message for that specific condition. + +Once all triggered conditions have been collected, they are returned and mapped to their corresponding situations in the "violations" dictionary object. I.e., this function returns all triggered conditions for a given situation. "all_conditions": [{c1 : [{msg, nc}, {msg, nc}, ...]}, {c2 :[{msg, nc}, ...]}, ... 
: [...], ...}] for the given situation. + +### Processing Resource Violations +```rego +process_violations(violations) = situation_summary if { + # in each set of rules, get each unique nc resource name and each violation message + situation := [ + {sit_desc : {"remedies": remedies, "conds": conds}} | + this_sit := violations[_] + sit_desc := this_sit.situation_description + remedies := this_sit.remedies + conds := this_sit.all_conditions + ] + + # create a set containing only the nc resource for each situation + resource_sets := [ {sit_desc : resource_set} | + this_sit := situation[_] + some key, val in this_sit + sit_desc := key + this_condition := val.conds + resource_set := [nc | + some keyy, vall in this_condition[_] + nc := {x | x := vall[_].name}] + ] + + # implements AND logic per situation + overall_nc_resources := [ {sit_desc : intersec} | + this_set := resource_sets[_] + some key, val in this_set + sit_desc := key + intersec := intersection_all(val) + ] + + # final formating + resource_message := [ {sit : msg} | + some key, val in overall_nc_resources[_] + sit := key + msg := check_empty_set(val, "All passed") + ] + + # operate per situation: returns the entire details + situation_summary := [ summary | + this_sit := situation[_] + some key, val in this_sit + sit_name := key + details := val.conds + remedies := val.remedies + nc_all := object.get(resource_message[_], sit_name, null) + nc_all != null + + summary := { + "situation" : sit_name, + "remedies" : remedies, + "non_compliant_resources" : nc_all, + "details" : details + } + ] +} + +format_violations(violations_object) = formatted_message if { + formatted_message := [ + [ sd, nc, remedies] | + some i + this_sit := violations_object[i] + sd := sprintf("Situation %d: %s",[i+1, this_sit.situation]) + resources_value := [value | + value := this_sit.non_compliant_resources[_] + ] + nc := sprintf("Non-Compliant Resources: %s", [concat(", ", resources_value)]) + remedies := sprintf("Potential Remedies: 
%s", [concat(", ", this_sit.remedies)]) + ] +} +``` +#### Notes +Finally, after each situation has their condition(s) assessed via check_conditions(), the "violations" dictionary object is filled for the entire policy, detailing all situations and their triggered conditions (if any). The main idea in process_violations() is to implement AND and OR logic. + +situation := [...] returns a list of situations and their conditions. Consider a policy that contains two situations sit1 and sit2. They each have two conditions. For sit1, the same resources, nc1 and nc2, trigger both conditions. For sit2, nc1 triggers c1 but not nc2; and nc2 triggers c2 but not nc1. + +Click each of the below to expand. + +
+situation + +```json +situation = [ + { + "sit1": { + "remedies": "...", + "conds": [ + { + "c1": [ + { + "msg": "...", + "nc": "nc1" + }, + { + "msg": "...", + "nc": "nc2" + }, + ], + "c2": [ + { + "msg": "...", + "nc": "nc1" + }, + { + "msg": "...", + "nc": "nc2" + }, + ], + ...other conditions (if any) + } + ] + }, + "sit2": { + "remedies": "...", + "conds": [ + { + "c1": [ + { + "msg": "...", + "nc": "nc1" // note how only nc1 here for c1 + }, + ], + "c2": [ + { + "msg": "...", + "nc": "nc2" // note how only nc2 here for c2 + }, + ], + ...other conditions (if any) + } + ] + }, + ...other situations (if any) + } +] +``` +The situations are evaluated and each of the conditions, triggered or otherwise, are listed alongside the non-compliant resource that triggered it. + +
+ +
+overall_nc_resources + +```json +overall_nc_resources = [ + { + "sit1": ["nc1", "nc2"], + "sit2": [] // empty, as both conditions must share the same nc resource(s) + } +] +``` + +Afterwards, for each situation we perform an INTERSECTION operation for all of their conditions based on the non-compliant resource. We see that as both nc1 and nc2 are in c1 and c2, the overall non-compliant resource for this situation (after having triggered ALL of its conditions) are listed. + +For sit2, as not all of the conditions share the same resource, the result from the INTERSECTION operation is empty. + +
+ +
+resource_message + +```json +resource_message: [ + { + "sit1": ["c", "nc"] + }, + { + "sit2": ["All passed"] + } +] +``` + +Finally, we structure the situations into individual blocks. For any empty sets, we simply assign the message "All passed". +
+ +
+situation_summary + +```json +situation_summary: [ + { + "non_compliant_resources": ["nc1", "nc2"], + "remedies": ["..."], + "situation": "sit1", + "details": [ + { + "c1": [ + { + "message": "...", + "name": "nc1" + }, + { + "message": "...", + "name": "nc2" + } + ] + }, + { + "c2": [ + { + "message": "...", + "name": "nc1" + }, + { + "message": "...", + "name": "nc2" + } + ] + } + ] + }, + { + "non_compliant_resources": ["All passed"], + "remedies": ["..."], + "situation": "sit2", + "details": [ + { + "c1": [ + { + "message": "...", + "name": "nc1" + } + ] + }, + { + "c2": [ + { + "message": "...", + "name": "nc2" + } + ] + } + ] + }, +] +``` + +Finally, we return the resources that are truly non-compliant per situation. In terms of resources, if all conditions in a situation are triggered, the sitaution is triggered; hence why sit2 results in "All passed" as both resources only triggered a single condition each. If any situation is triggered, then the policy as a whole is triggered; the config contains some non-compliant resource(s). + +The above block is what is returned for engineers to view the inticate details of a triggered policy violation, namely, which specific condition was triggered and by which resource(s). +
+ +## Policy Types + +```rego +policy_types := ["blacklist", "whitelist", "range", "pattern blacklist", "pattern whitelist"] +``` + +### Blacklisting +#### Checking +```rego +# ***** Entry Function ***** +get_blacklisted_resources(resource_type, attribute_path, blacklisted_values) = resources if { + resources := [ + resource | + resource := input.planned_values.root_module.resources[_] + resource_type_match(resource, resource_type) + array_contains(blacklisted_values, object.get(resource.values, attribute_path, null), "blacklist") + ] +} + +# if single element (function name: Bl1) +array_contains(arr, elem, pol) if { + not is_array(elem) + arr[_] == elem +} + +# if array (function name: Bl2) +array_contains(arr, elem, pol) if { + is_array(elem) + pol == "blacklist" + arr_to_set = {x | x := arr[_]} + elem_to_set = {x | x := elem[_]} + count(arr_to_set & elem_to_set) > 0 +} +``` +Blacklisting is the simplest policy, and two functions are used to support two main types of inputs: + +1) Single elements: consider an array of disallowed values, a = [1, 2, 3, 4, 5]. Given an element input, i = 3, Bl1 iterates through a, and if 3 is spotted, non-compliance is triggered. +2) Arrays: consider an array of disallowed values, a = [1, 2, 3, 4, 5]. Given an array input, i = [2, 5, 3] (order not important), Bl2 turns both into sets and applies the INTERSECTION (&) set operation. Any elements shared between the two is counted; if greater than 0, non-compliance is triggered. + +These two functions are iteratively applied to each resource block in the json plan; the 'resource := input.planned_values.root_module.resources[_]' block goes through each resource dictionary block in the json plan under the planned_values -> root_module -> resources. 
+ +#### Collecting +```rego +# iterates through given set of resources, applies Bl functions to each +get_blacklist_violations(resource_type, attribute_path, blacklisted_values, friendly_resource_name, value_name) = results if { + string_path := format_attribute_path(attribute_path) + results := + [ { "name": get_resource_name(this_nc_resource, value_name), + "message": msg + } | + nc_resources := get_blacklisted_resources(resource_type, attribute_path, blacklisted_values) + this_nc_resource = nc_resources[_] + this_nc_attribute = object.get(this_nc_resource.values, attribute_path, null) + msg := format_blacklist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, this_nc_attribute, empty_message(this_nc_attribute), blacklisted_values) + ] +} +``` +get_blacklist_violations() iterates through the given json input of resource configs, applying the Bl functions to each. We begin with a list operation in rego to assign values to a dictionary: "name" and "msg". All non-compliant resources are collected based on what happens when the Bl functions are applied. + +Then, for each of the non-compliant resources, we use Rego's object.get to get the non-compliant attribute. +```rego +# displays non-compliant message for given non-compliant resources +format_blacklist_message(friendly_resource_name, resource_value_name, string_path, nc_value, empty, nc_values) = msg if { + msg := sprintf( + "%s '%s' has '%s' set to '%v'%s. This is blacklisted: %v", + [friendly_resource_name, resource_value_name, string_path, nc_value, empty, nc_values] + ) +} +``` +Finally, we use the collected information to display an informative message, namely, that the detected value is non-compliant because it is listed in the array of disallowed values. 
+ +#### Notes +N/A + +### Whitelisting +#### Checking +```rego +# ***** Entry Function ***** +get_nc_whitelisted_resources(resource_type, attribute_path, compliant_values) = resources if { + resources := [ + resource | + resource := input.planned_values.root_module.resources[_] + resource_type_match(resource, resource_type) + # Test array of array and deeply nested values + not array_contains(compliant_values, object.get(resource.values, attribute_path, null), "whitelist") + ] +} + +# if single element (function name: Wl1) +array_contains(arr, elem, pol) if { + not is_array(elem) + arr[_] == elem +} + +# if array (function name: Wl2) +array_contains(arr, elem, pol) if { + is_array(elem) + pol == "whitelist" + arr_to_set = {x | x := arr[_]} + elem_to_set = {x | x := elem[_]} + object.subset(arr_to_set, elem_to_set) +} +``` + +Whitelisting is the opposite of Blacklisting. It follows the exact opposite logic for single elements, but not for array elements. +1) Single elements: consider an array of allowed values, a = [1, 2, 3, 4, 5]. Given an element input, i = 3, Wl1 iterates through a. It seems that 3 is in the list, and thus the resource is compliant. The opposite is true for a different input, say, i = 6. +2) Arrays: consider an array of allowed values, a = [1, 2, 3, 4, 5]. Given an array input, i = [2, 5, 8], Wl2 converts them into sets and applies the SUBSET set operation. A resource is only compliant if i is a direct subset of a. In this case, while a and i share 2 and 5, i contains 8, which is not in a. Thus, non-compliant is triggered. If i = [5, 3, 2], then the resource is compliant as a and i share all elements in i. + +#### Collecting +Same logic as in Blacklisting. 
+ +#### Notes +N/A + +### Range +#### Checking +```rego +# ***** Entry Function ***** +get_nc_range_resources(resource_type, attribute_path, range_values) = resources if { + resources := [ + resource | + resource := input.planned_values.root_module.resources[_] + resource_type_match(resource, resource_type) + not test_value_range(range_values, to_number(object.get(resource.values, attribute_path, null))) + ] +} + +test_value_range(range_values, value) if { + test_lower_range(range_values, value) + test_upper_range(range_values, value) +} + +# ***** Lower bound checks ***** +test_lower_range(range_values,value) = true if { + # Check value exists + not is_null(range_values.lower_bound) + value >= range_values.lower_bound +} + +# null indicates no higher bound +test_lower_range(range_values,value) = true if { + is_null(range_values.lower_bound) +} + +# ***** Upper bound checks ***** +test_upper_range(range_values,value) = true if { + # Check value exists + not is_null(range_values.upper_bound) + value <= range_values.upper_bound +} + +# null indicates no higher bound +test_upper_range(range_values,value) = true if { + is_null(range_values.upper_bound) +} +``` + +The Range policy type performs a seemingly simple purpose: to check that a given integer input i is within a certain range, defined by lower and upper bounds L and U, respectively; i.e., L <= i <= U. However, many utility sub-functions are needed to ensure that this purpose is met, namely, datatype checking and handling cases where a range is not defined as between two bounds, but rather (either) a min/max. + +If L = 100 and U = 200, then i = 150 is compliant, however both i = 99 and i = 201 are non-compliant. To handle a minimum value for i, simply set L = 100 and U = null; thus any i >= 100 is compliant with no limits. Likewise, setting L = null and U = 100 means only i <= 100 is compliant with no limits. 
+ +#### Collecting +```rego +get_range_violations(resource_type, attribute_path, range_values, friendly_resource_name, value_name) = results if { + unpacked_range_values = range_values + string_path := format_attribute_path(attribute_path) + results := + [ { "name": get_resource_name(this_nc_resource, value_name), + "message": msg + } | + nc_resources := get_nc_range_resources(resource_type, attribute_path, unpacked_range_values) + this_nc_resource = nc_resources[_] + this_nc_attribute = object.get(this_nc_resource.values, attribute_path, null) + msg := format_range_validation_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, this_nc_attribute, empty_message(this_nc_attribute), unpacked_range_values) + ] +} +``` + +```rego +format_range_validation_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, range_values) = msg if { + upper_bound := get_upper_bound(range_values) + lower_bound := get_lower_bound(range_values) + msg := sprintf( + "%s '%s' has '%s' set to '%s'%s. It should be set between '%s and %s'.", + [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, lower_bound, upper_bound] + ) +} + +get_upper_bound(range_values) = bound if { + not is_null(range_values.upper_bound) + bound := sprintf("%v", [range_values.upper_bound]) +} + +get_upper_bound(range_values) = "Inf" if { + is_null(range_values.upper_bound) +} + +get_lower_bound(range_values) = bound if { + not is_null(range_values.lower_bound) + bound := sprintf("%v", [range_values.lower_bound]) +} + +get_lower_bound(range_values) = "-Inf" if { + is_null(range_values.lower_bound) +} +``` + +#### Notes +N/A + +### Patterns (Blacklisting & Whitelisting) +Note that Patterns Blacklist and Whitelist use the same pattern logic in get_target_list(), just treating non-compliance differently. Hence, we will only be discussing the Pattern Blacklist method. 
+#### Checking +```rego +# returns a list of the found values based on a given pattern +get_target_list(resource, attribute_path, target) = target_list if { + p := regex.replace(target, "\\*", "([^/]+)") + target_value := object.get(resource.values, attribute_path, null) + matches := regex.find_all_string_submatch_n(p, target_value, 1)[0] + target_list := array.slice(matches, 1, count(matches)) +} else := "Wrong pattern" + +# iterates through target list and given disallowed/allowed patterns +get_nc_pattern_blacklist(resource, attribute_path, target, patterns) = ncc if { + target_list = get_target_list(resource, attribute_path, target) + ncc := [ + {"value": target_list[i], "allowed": patterns[i]} | # note: "allowed" should be "disallowed" here due to mistake from copying over + some i + array_contains(patterns[i], target_list[i], "blacklist") + ] +} + +# returns the non-compliant resources where a disallowed value was found +get_nc_pattern_blacklist_resources(resource_type, attribute_path, values) = resources if { + resources := [ + resource | + target := values[0] + patterns := values[1] + resource := input.planned_values.root_module.resources[_] + resource_type_match(resource, resource_type) + count(get_nc_pattern_blacklist(resource, attribute_path, target, patterns)) > 0 + ] +} +``` +For a given pattern, get_target_list() first replaces all instances of the * character with the simple regex pattern ([^/]+), which is used for simple searches of all alpha-numerical-symbolic characters. For a given pattern P = a/\*/c/\*/e this creates the regex search for a/**([^/]+)**/c/**([^/]+)**/e. Then we simply find this pattern in the json; if the input string i = a/**b**/c/**d**/e, then we have a match. We strip off b and d into a 'target' list, which is returned. Note their positions. + +Next, for a given array of arrays of disallowed patterns, get_nc_pattern_blacklist() simply checks, in order, whether or not the 'target' values are in the disallowed strings. 
Any value that fits is returned, alongside the pattern. So, consider the following array of array of disallowed patterns: A = [[array of patterns], [array of patterns]] = [[1, #, b], [2, e, %]]. Matching target_list[i] and A[i], we see that b is in [1, #, b], but that d is not in [2, e, %]. Hence, we have found a non-complaint value. + +Finally, based on get_nc_pattern_blacklist(), the resulting non-complaint values are counted. Any one match (as we are blacklisting) will result in the count of values greater than 0. +#### Collecting + +```rego +get_pattern_blacklist_violations(resource_type, attribute_path, values_formatted, friendly_resource_name, value_name) = results if { + string_path := format_attribute_path(attribute_path) + results := + [ { "name": get_resource_name(this_nc_resource, value_name), + "message": msg + } | + nc_resources := get_nc_pattern_blacklist_resources(resource_type, attribute_path, values_formatted) + this_nc_resource = nc_resources[_] + nc := get_nc_pattern_blacklist(this_nc_resource, attribute_path, values_formatted[0], values_formatted[1]) + this_nc := nc[_] + msg := format_pattern_blacklist_message(friendly_resource_name, get_resource_name(this_nc_resource, value_name), string_path, final_formatter(object.get(this_nc_resource.values, attribute_path, null), this_nc.value), empty_message(this_nc.value), this_nc.allowed) + ] +} + +format_pattern_blacklist_message(friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, allowed_values) = msg if { + msg := sprintf( + "%s '%s' has '%s' set to '%s'%s. This is blacklisted: %s", + [friendly_resource_name, resource_value_name, attribute_path_string, nc_value, empty, allowed_values] + ) +} + +final_formatter(target, sub_pattern) = final_format if { + final_format := regex.replace(target, sub_pattern, sprintf("'%s'", [sub_pattern])) +} +``` +Follows the same formatting logic as above. Returns all inputted and collected information to the user. 
Namely, each detected disallowed value is collected and displayed alongside the given disallowed pattern list for clarity. + +#### Notes +1) The Pattern methods will only work as intended if the desired pattern to be checked exists. If you provide a pattern, say a/\*/d which is not found, then get_target_list() will fail. Hence, the Pattern method is meant for attributes whose values can be repeated often, such as compliant/non-compliant directory paths. +2) Due to (1), for other patterns, simply add a new situation (OR logic) to detect other patterns in your policies. + +## Tips +### Debugging +When debugging custom functions, it is useful to print values as the function executes. This is done in Rego using sprintf(). +```rego +print(sprintf("This is a custom message. val1: %v, val2: %v", [val1, val2])) +``` +We add a print() to force it to show on output. Otherwise, sprintf() will only output results when the --explain=notes flag is used in the opa eval command. Notice how the values in the array maps to the formatted string. Make sure to comment them out before deployment. + +Likewise, we use also use flags in the opa eval command for debugging: + +``` +--explain=fails +--explain=full +--explain=notes +``` + +We usually use --explain=fails when a policy fails to determine the root cause. The other two are not usually used. These flags will output the entire Rego execution process from function to function, so it can be overwhelming. + +### Development +You should create a seperate workfolder for helpers development, mimicking the same file and folder structure as the PDE. + +You should commit changes to the helpers in dev in a seperate PR always! You can simply edit the contents of the helpers.rego file there. Do not publish changes to the helpers in your service PRs. Only the development team should be making changes to the helpers. + +You should have your changes tested and looked at by others too, just in case. 
+ +Changes and features should be backwards compatible, unless it is something truly critical. + +The OPA version is very important. Some members may have installed a version of OPA incompatible with the helper functions. Make sure everyone uses at least version 1.2.0+. + +Do not be scared by how complex the helpers seem; that's just Rego being Rego. The functionalities are rather simple when decoupled into their core operations. + +Lastly, do not hesitate to come up with new features, functionalities, or problem-solving perspectives. If an idea is not currently supported by the current utility functions, create your own! Likewise, feel free to improve existing ones - just make sure they're backwards compatible. You do not have to stick with what has been layed down; rather, use them as a means to go forward. + +Good luck, and have fun! + +## Development Team + +Contributions from individuals to the helpers.rego across trimester iterations. + +### T1 2025 +VISAL DAM
+PATRICK STUART
+SAMIRA FALAHAZANDEHI + +### T2 2025 +VISAL DAM
+PATRICK STUART
+SEBASTIAN EDGE + diff --git a/inputs/gcp/backup_for_gke/backup_channel/destination_project/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_channel/destination_project/.terraform.lock.hcl new file mode 100644 index 000000000..316309c9a --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_channel/destination_project/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_channel/destination_project/c.tf b/inputs/gcp/backup_for_gke/backup_channel/destination_project/c.tf new file mode 100644 index 000000000..f744d63a9 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_channel/destination_project/c.tf @@ -0,0 +1,6 @@ +resource "google_gke_backup_backup_channel" "c" { + name = "c" + location = "australia-southeast1" + project = "PDE" + destination_project = "projects/backup-prod" +} 
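Review bot: The compliant fixture for destination_project stores backups in `projects/backup-prod`, but the labels, location and name fixtures in this same PR all set `destination_project = "projects/PDE"`, i.e. the project that owns the channel — the pattern the docs table calls non-compliant. If the channel policies are evaluated together over one plan those "c" resources would fail this rule, and even if they are not, each fixture should deviate only on its own attribute. I'd use `destination_project = "projects/backup-prod"` in every backup_channel c.tf and nc.tf except this directory's nc.tf.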
diff --git a/inputs/gcp/backup_for_gke/backup_channel/destination_project/config.tf b/inputs/gcp/backup_for_gke/backup_channel/destination_project/config.tf
new file mode 100644
index 000000000..d066e09a3
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_channel/destination_project/config.tf
@@ -0,0 +1,12 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_channel/destination_project/nc.tf b/inputs/gcp/backup_for_gke/backup_channel/destination_project/nc.tf
new file mode 100644
index 000000000..733fae814
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_channel/destination_project/nc.tf
@@ -0,0 +1,7 @@
+resource "google_gke_backup_backup_channel" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ destination_project = "" # Violates existence check
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_channel/destination_project/plan.json b/inputs/gcp/backup_for_gke/backup_channel/destination_project/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_channel/labels/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_channel/labels/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_channel/labels/.terraform.lock.hcl
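Review bot: The non-compliant fixture sets `destination_project = ""` (comment: `# Violates existence check`), but the violation the docs describe is a non-dedicated project such as `projects/my-app-dev`; an empty string only exercises an existence branch, so the project-isolation rule the policy is supposed to enforce is never hit, and since the argument is required the provider may or may not even accept "" at plan time. I'd make this fixture `destination_project = "projects/PDE" # same project as the channel, not a dedicated backup project` and, if the existence case matters, add a second nc for it. Separately, the plan.json committed here has blob id e69de29bb, which is git's hash of an empty file; the same is true for every fixture in this PR except backup_plan/encryption_key, so any test that loads these plans is evaluating empty input rather than the c.tf/nc.tf resources.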
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_channel/labels/c.tf b/inputs/gcp/backup_for_gke/backup_channel/labels/c.tf new file mode 100644 index 000000000..c2f67ee3a --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_channel/labels/c.tf @@ -0,0 +1,16 @@ +resource "google_gke_backup_backup_channel" "c" { + name = "c" + location = "australia-southeast1" + project = "PDE" + destination_project = "projects/PDE" + + labels = { + environment = "prod" + team = "platform" + compliance = "required" + cost-center = "engineering" + owner = "platform-team" + bandwidth-limit = "50mbps" + } +} + diff --git a/inputs/gcp/backup_for_gke/backup_channel/labels/config.tf b/inputs/gcp/backup_for_gke/backup_channel/labels/config.tf new file mode 100644 index 000000000..d066e09a3 --- /dev/null 
+++ b/inputs/gcp/backup_for_gke/backup_channel/labels/config.tf
@@ -0,0 +1,12 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_channel/labels/nc.tf b/inputs/gcp/backup_for_gke/backup_channel/labels/nc.tf
new file mode 100644
index 000000000..7538ca453
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_channel/labels/nc.tf
@@ -0,0 +1,7 @@
+resource "google_gke_backup_backup_channel" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ destination_project = "projects/PDE"
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_channel/labels/plan.json b/inputs/gcp/backup_for_gke/backup_channel/labels/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_channel/location/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_channel/location/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_channel/location/.terraform.lock.hcl
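Review bot: The non-compliant fixture omits `labels` entirely, so a policy that merely checks that the block exists passes this test while a channel carrying labels but missing `owner` or `cost-center` — the "missing required labels" case the docs table describes — would slip through untested. I'd add a partial-set fixture, e.g. `labels = { environment = "prod" }`, so the required-key check is the one being exercised. Also worth noting that c.tf's `cost-center = "engineering"` differs in form from the docs example (`cost-center='123'`); if the policy validates the value format, the fixture should use whichever form the rule expects.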
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_channel/location/c.tf b/inputs/gcp/backup_for_gke/backup_channel/location/c.tf new file mode 100644 index 000000000..cb6e20b4b --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_channel/location/c.tf @@ -0,0 +1,7 @@ +resource "google_gke_backup_backup_channel" "c" { + name = "c" + location = "australia-southeast1" + project = "PDE" + destination_project = "projects/PDE" +} + diff --git a/inputs/gcp/backup_for_gke/backup_channel/location/config.tf b/inputs/gcp/backup_for_gke/backup_channel/location/config.tf new file mode 100644 index 000000000..d066e09a3 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_channel/location/config.tf 
@@ -0,0 +1,12 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_channel/location/nc.tf b/inputs/gcp/backup_for_gke/backup_channel/location/nc.tf
new file mode 100644
index 000000000..e0565ee09
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_channel/location/nc.tf
@@ -0,0 +1,7 @@
+resource "google_gke_backup_backup_channel" "nc" {
+ name = "nc"
+ location = "us-central1"
+ project = "PDE"
+ destination_project = "projects/PDE"
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_channel/location/plan.json b/inputs/gcp/backup_for_gke/backup_channel/location/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_channel/name/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_channel/name/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_channel/name/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_channel/name/c.tf b/inputs/gcp/backup_for_gke/backup_channel/name/c.tf new file mode 100644 index 000000000..dc9deba62 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_channel/name/c.tf @@ -0,0 +1,7 @@ +resource "google_gke_backup_backup_channel" "c" { + name = "gke-backup-channel-compliant" + location = "australia-southeast1" + project = "PDE" + destination_project = "projects/PDE" +} + diff --git a/inputs/gcp/backup_for_gke/backup_channel/name/config.tf b/inputs/gcp/backup_for_gke/backup_channel/name/config.tf new file mode 100644 index 000000000..90318dbac --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_channel/name/config.tf 
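Review bot: The docs table added in this PR lists `name` with no security impact and no compliant/non-compliant values, yet this fixture pair implies a naming rule under which `gke-backup-channel-compliant` passes and `nc` fails. If such a policy exists, every other fixture in this PR uses `name = "c"` / `name = "nc"` and would fail it; if it does not, this directory tests nothing. Either document the convention in the table (and rename the other fixtures to match) or drop this pair.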
@@ -0,0 +1,13 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
+# Add this variable definition if you want to use var.gcp_project
diff --git a/inputs/gcp/backup_for_gke/backup_channel/name/nc.tf b/inputs/gcp/backup_for_gke/backup_channel/name/nc.tf
new file mode 100644
index 000000000..7538ca453
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_channel/name/nc.tf
@@ -0,0 +1,7 @@
+resource "google_gke_backup_backup_channel" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ destination_project = "projects/PDE"
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_channel/name/plan.json b/inputs/gcp/backup_for_gke/backup_channel/name/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/.terraform.lock.hcl
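Review bot: This config.tf ends with a dangling `# Add this variable definition if you want to use var.gcp_project` with nothing following it, in a file headed `##### DO NOT EDIT ######`; every other config.tf in the PR is the plain 11/12-line boilerplate. Nothing in this directory references `var.gcp_project` (the fixtures hard-code `project = "PDE"`), so I'd delete the comment so all fixture config.tf files stay byte-identical, or, if a variable is really wanted, declare it rather than hint at it.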
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/c.tf b/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/c.tf new file mode 100644 index 000000000..4ee518337 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/c.tf @@ -0,0 +1,16 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster" + location = "australia-southeast1" + project = "PDE" + + backup_config { + include_volume_data = true + include_secrets = false + + selected_namespaces { + namespaces = ["production", "critical-apps"] + } + } +} + diff --git a/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/config.tf b/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null 
+++ b/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/nc.tf
new file mode 100644
index 000000000..e60fccf62
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/nc.tf
@@ -0,0 +1,13 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ backup_config {
+ include_volume_data = true
+ include_secrets = false
+ all_namespaces = true
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/plan.json b/inputs/gcp/backup_for_gke/backup_plan/all_namespaces/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_config/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/backup_config/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/backup_config/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_config/c.tf b/inputs/gcp/backup_for_gke/backup_plan/backup_config/c.tf new file mode 100644 index 000000000..db82518a2 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/backup_config/c.tf @@ -0,0 +1,20 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster" + location = "australia-southeast1" + project = "PDE" + + backup_config { + include_volume_data = true + include_secrets = false + + selected_namespaces { + namespaces = ["production", "critical-apps"] + } + + encryption_key { + gcp_kms_encryption_key = "projects/PDE/locations/australia-southeast1/keyRings/backup-keyring/cryptoKeys/backup-key" + } + } +} + 
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_config/config.tf b/inputs/gcp/backup_for_gke/backup_plan/backup_config/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/backup_config/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_config/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/backup_config/nc.tf
new file mode 100644
index 000000000..9e43421ce
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/backup_config/nc.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ backup_config {
+ include_secrets = true
+ all_namespaces = true
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_config/plan.json b/inputs/gcp/backup_for_gke/backup_plan/backup_config/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/.terraform.lock.hcl
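Review bot: The non-compliant backup_config fixture deviates from c.tf in three ways at once — `include_secrets = true`, `all_namespaces = true`, and the `encryption_key` block is dropped (as is `include_volume_data`) — so a failing evaluation cannot show which check in the backup_config policy fired, and a policy that implements only one of the three still passes. Dedicated fixtures for include_secrets and all_namespaces already exist in this PR, so I'd make this nc.tf identical to c.tf except for the missing `encryption_key` block, which is the one case no other directory covers.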
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/c.tf b/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/c.tf new file mode 100644 index 000000000..39ff6b641 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/c.tf @@ -0,0 +1,20 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster" + location = "australia-southeast1" + project = "PDE" + + retention_policy { + backup_delete_lock_days = 30 + backup_retain_days = 90 + } + + backup_config { + include_volume_data = true + include_secrets = false + selected_namespaces { + namespaces = ["production"] + } + } +} + 
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/config.tf b/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/nc.tf
new file mode 100644
index 000000000..3c309d518
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/nc.tf
@@ -0,0 +1,18 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ backup_config {
+ include_volume_data = true
+ include_secrets = false
+ all_namespaces = true
+ }
+
+ retention_policy {
+ backup_delete_lock_days = 5
+ backup_retain_days = 3
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/plan.json b/inputs/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/.terraform.lock.hcl
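Review bot: `backup_retain_days = 3` is smaller than `backup_delete_lock_days = 5`; as far as I recall the Backup for GKE API requires the retain period to be at least the delete-lock period, so this is a configuration the API would reject rather than a realistic weak retention policy — and `terraform plan` does not enforce that constraint, so the fixture's plan would still be generated. A more realistic non-compliant case keeps the API-valid ordering, e.g. `backup_delete_lock_days = 0` with `backup_retain_days = 7`. This fixture also switches to `all_namespaces = true` while c.tf uses `selected_namespaces`, which belongs to a different policy; keep the namespace selection identical so only the retention values differ.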
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/c.tf b/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/c.tf new file mode 100644 index 000000000..11a49b5c8 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/c.tf @@ -0,0 +1,12 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster" + location = "australia-southeast1" + project = "PDE" + + backup_schedule { + cron_schedule = "0 2 * * *" + paused = false + } +} + diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/config.tf b/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/config.tf 
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/nc.tf
new file mode 100644
index 000000000..c387814c8
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/nc.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ backup_schedule {
+ cron_schedule = "0 0 * * 0"
+ paused = true
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/plan.json b/inputs/gcp/backup_for_gke/backup_plan/backup_schedule/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/deactivated/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/deactivated/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/deactivated/.terraform.lock.hcl
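Review bot: The non-compliant backup_schedule fixture changes both `cron_schedule` (daily `0 2 * * *` → weekly `0 0 * * 0`) and `paused = true`, so it is not clear which one the policy is meant to reject, and a policy that checks only one of them passes this test. If the rule is that schedules must not be paused, keep c.tf's `cron_schedule = "0 2 * * *"` here; if it is a minimum-frequency rule, keep `paused = false`; if both are rules, they deserve separate fixtures so a failure is attributable.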
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/deactivated/c.tf b/inputs/gcp/backup_for_gke/backup_plan/deactivated/c.tf new file mode 100644 index 000000000..215bd9c7d --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/deactivated/c.tf @@ -0,0 +1,8 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster" + location = "australia-southeast1" + project = "PDE" + deactivated = false +} + diff --git a/inputs/gcp/backup_for_gke/backup_plan/deactivated/config.tf b/inputs/gcp/backup_for_gke/backup_plan/deactivated/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/deactivated/config.tf 
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/deactivated/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/deactivated/nc.tf
new file mode 100644
index 000000000..e24771f16
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/deactivated/nc.tf
@@ -0,0 +1,8 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+ deactivated = true
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/deactivated/plan.json b/inputs/gcp/backup_for_gke/backup_plan/deactivated/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/encryption_key/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/encryption_key/c.tf b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/c.tf new file mode 100644 index 000000000..86db20624 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/c.tf @@ -0,0 +1,22 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/my-cluster" + location = "australia-southeast1" + project = "PDE" + + backup_config { + include_volume_data = true + include_secrets = true + all_namespaces = true + + encryption_key { + gcp_kms_encryption_key = "projects/PDE/locations/australia-southeast1/keyRings/pde-ring/cryptoKeys/pde-key" + } + } + + retention_policy { + backup_delete_lock_days = 30 + backup_retain_days = 90 + } +} + 
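Review bot: The fixture that is supposed to be compliant for encryption_key sets `include_secrets = true` and `all_namespaces = true`, which the include_secrets and all_namespaces fixtures in this same PR treat as non-compliant; if the backup_plan policies are evaluated together over one plan this "c" resource fails two of them, and in any case the fixture asserts more than the CMEK key. I'd use `include_secrets = false` with a `selected_namespaces` block, as the other c.tf files do, so the only thing this fixture demonstrates is the KMS key. The cluster here is also `my-cluster` rather than the `prod-cluster` used everywhere else — cosmetic, but worth aligning.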
diff --git a/inputs/gcp/backup_for_gke/backup_plan/encryption_key/config.tf b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/config.tf
new file mode 100644
index 000000000..7a9f34a60
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
diff --git a/inputs/gcp/backup_for_gke/backup_plan/encryption_key/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/nc.tf
new file mode 100644
index 000000000..46231e49f
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/nc.tf
@@ -0,0 +1,21 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/my-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ backup_config {
+ include_volume_data = true
+ include_secrets = true
+ all_namespaces = true
+ encryption_key {
+ gcp_kms_encryption_key = ""
+ }
+ }
+
+ retention_policy {
+ backup_delete_lock_days = 30
+ backup_retain_days = 180
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/encryption_key/plan.json b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/plan.json
new file mode 100644
index 000000000..c68748e37
Binary files /dev/null and b/inputs/gcp/backup_for_gke/backup_plan/encryption_key/plan.json differ
diff --git a/inputs/gcp/backup_for_gke/backup_plan/include_secrets/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/include_secrets/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/include_secrets/.terraform.lock.hcl
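Review bot: The only non-compliant shape covered here is an `encryption_key` block whose `gcp_kms_encryption_key = ""`; the way CMEK actually gets missed in practice is leaving the `encryption_key` block out altogether, which appears in the plan JSON as an empty list for the block rather than a block containing an empty string, and a policy written against this fixture alone may not handle that shape. I'd add a second nc fixture with the block omitted (or change this one to omit it), so the policy is shown to fail on both. This directory is also the only one in the PR whose plan.json is non-empty, so it is currently the only encryption-related fixture a plan-driven test could exercise at all. The unrelated change to `backup_retain_days = 180` (c.tf uses 90) should be reverted so only the key differs.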
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/include_secrets/c.tf b/inputs/gcp/backup_for_gke/backup_plan/include_secrets/c.tf new file mode 100644 index 000000000..c013c2253 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/include_secrets/c.tf @@ -0,0 +1,15 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster" + location = "australia-southeast1" + project = "PDE" + + backup_config { + include_volume_data = true + include_secrets = false + selected_namespaces { + namespaces = ["production", "app"] + } + } +} + diff --git a/inputs/gcp/backup_for_gke/backup_plan/include_secrets/config.tf b/inputs/gcp/backup_for_gke/backup_plan/include_secrets/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null 
+++ b/inputs/gcp/backup_for_gke/backup_plan/include_secrets/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/include_secrets/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/include_secrets/nc.tf
new file mode 100644
index 000000000..edf8b6b2c
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/include_secrets/nc.tf
@@ -0,0 +1,13 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ backup_config {
+ include_volume_data = true
+ include_secrets = true
+ all_namespaces = true
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/include_secrets/plan.json b/inputs/gcp/backup_for_gke/backup_plan/include_secrets/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/labels/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/labels/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/labels/.terraform.lock.hcl
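Review bot: `include_secrets/plan.json`, added right after this hunk, is a zero-byte file (`index 000000000..e69de29bb`, no hunk), as are `labels/plan.json`, `name/plan.json`, `permissive_mode/plan.json` and `retention_policy/plan.json`; only `encryption_key/plan.json` has content, and that one is a binary blob. If the harness feeds plan.json to the policy, an empty file either fails to parse or lets the case pass vacuously, and a binary plan cannot be reviewed for the values it embeds. Presumably these are meant to be `terraform show -json` output; generate them consistently or leave plan.json out of the commit until they are produced. The nc.tf hunk itself is a clear non-compliant case (`include_secrets = true` with `all_namespaces = true`).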
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/labels/c.tf b/inputs/gcp/backup_for_gke/backup_plan/labels/c.tf new file mode 100644 index 000000000..dee6409bb --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/labels/c.tf @@ -0,0 +1,16 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster" + location = "australia-southeast1" + project = "PDE" + + labels = { + environment = "prod" + team = "platform-engineering" + compliance = "required" + backup-frequency = "daily" + cost-center = "engineering" + owner = "platform-team" + } +} + diff --git a/inputs/gcp/backup_for_gke/backup_plan/labels/config.tf b/inputs/gcp/backup_for_gke/backup_plan/labels/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null 
+++ b/inputs/gcp/backup_for_gke/backup_plan/labels/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/labels/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/labels/nc.tf
new file mode 100644
index 000000000..46ca75e60
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/labels/nc.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+ labels = {
+ "environment" = "prod"
+ # Missing cost-center and owner
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/labels/plan.json b/inputs/gcp/backup_for_gke/backup_plan/labels/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/labels/test_input.json b/inputs/gcp/backup_for_gke/backup_plan/labels/test_input.json
new file mode 100644
index 000000000..6510108ed
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/labels/test_input.json
@@ -0,0 +1,28 @@
+{
+ "planned_values": {
+ "root_module": {
+ "resources": [
+ {
+ "type": "google_gke_backup_backup_plan",
+ "values": {
+ "name": "nc",
+ "labels": {
+ "environment": "prod"
+ }
+ }
+ },
+ {
+ "type": "google_gke_backup_backup_plan",
+ "values": {
+ "name": "c",
+ "labels": {
+ "environment": "prod",
+ "cost-center": "123",
+ "owner": "team"
+ }
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/inputs/gcp/backup_for_gke/backup_plan/location/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/location/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/location/.terraform.lock.hcl
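Review bot: `test_input.json` is hand-written and only loosely mirrors a real `terraform show -json` plan: each entry under `resources` carries `type` and `values` but none of the `address`, `mode` or resource-level `name` keys a real plan emits, so a policy that selects on `address` or `mode` would see nothing here while behaving differently on the plan produced from c.tf/nc.tf. Its label values (`"cost-center": "123"`, `"owner": "team"`) also diverge from `labels/c.tf` (`cost-center = "engineering"`, `owner = "platform-team"`), so the two compliant fixtures do not describe the same resource. Prefer generating this file from the same plan as c.tf/nc.tf, or at minimum keep the values in sync and include the fields the policy actually reads.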
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/location/c.tf b/inputs/gcp/backup_for_gke/backup_plan/location/c.tf new file mode 100644 index 000000000..71e6dae50 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/location/c.tf @@ -0,0 +1,18 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/my-cluster" + location = "australia-southeast1" + project = "PDE" + + backup_config { + include_volume_data = true + include_secrets = true + all_namespaces = true + } + + retention_policy { + backup_delete_lock_days = 30 + backup_retain_days = 90 + } +} + diff --git a/inputs/gcp/backup_for_gke/backup_plan/location/config.tf b/inputs/gcp/backup_for_gke/backup_plan/location/config.tf new file mode 100644 index 000000000..7a9f34a60 --- /dev/null 
+++ b/inputs/gcp/backup_for_gke/backup_plan/location/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
diff --git a/inputs/gcp/backup_for_gke/backup_plan/location/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/location/nc.tf
new file mode 100644
index 000000000..bd26a49fe
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/location/nc.tf
@@ -0,0 +1,18 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/us-central1/clusters/my-cluster"
+ location = "us-central1"
+ project = "PDE"
+
+ backup_config {
+ include_volume_data = true
+ include_secrets = true
+ all_namespaces = true
+ }
+
+ retention_policy {
+ backup_delete_lock_days = 30
+ backup_retain_days = 180
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/name/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/name/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/name/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/name/c.tf b/inputs/gcp/backup_for_gke/backup_plan/name/c.tf new file mode 100644 index 000000000..c22895abf --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/name/c.tf @@ -0,0 +1,11 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "gke-backup-plan-daily-prod" + project = "PDE" + cluster = "projects/PDE/locations/us-central1/clusters/cluster-1" + location = "us-central1" + backup_config { + include_volume_data = true + include_secrets = true + all_namespaces = true + } +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/name/config.tf b/inputs/gcp/backup_for_gke/backup_plan/name/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/name/config.tf 
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/name/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/name/nc.tf
new file mode 100644
index 000000000..35aac6002
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/name/nc.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "my-custom-backup-plan"
+ project = "PDE"
+ cluster = "projects/PDE/locations/us-central1/clusters/cluster-1"
+ location = "us-central1"
+ backup_config {
+ include_volume_data = true
+ include_secrets = true
+ all_namespaces = true
+ }
+}
diff --git a/inputs/gcp/backup_for_gke/backup_plan/name/plan.json b/inputs/gcp/backup_for_gke/backup_plan/name/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/.terraform.lock.hcl
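Review bot: Both `name/c.tf` and `name/nc.tf` place the plan in `us-central1`, the region the `location` fixtures earlier in this diff treat as non-compliant, while every other backup_plan fixture uses `australia-southeast1`. If the suite ever evaluates the whole policy set against each input directory, `name/c.tf` would be flagged for location rather than passing as the compliant naming example. Switching both files to `australia-southeast1` (in the `cluster` path and in `location`) removes that cross-policy dependency. A one-line comment in c.tf stating the convention the name policy enforces — what makes `gke-backup-plan-daily-prod` compliant and `my-custom-backup-plan` not — would also make the pair self-explaining.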
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/c.tf b/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/c.tf new file mode 100644 index 000000000..cc8915ca9 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/c.tf @@ -0,0 +1,19 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster" + location = "australia-southeast1" + project = "PDE" + + backup_config { + include_volume_data = true + include_secrets = false + permissive_mode = false + selected_applications { + namespaced_names { + name = "c" + namespace = "production" + } + } + } +} + 
diff --git a/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/config.tf b/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/nc.tf
new file mode 100644
index 000000000..7d7d4d073
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/nc.tf
@@ -0,0 +1,19 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ backup_config {
+ include_volume_data = true
+ include_secrets = false
+ permissive_mode = true
+ selected_applications {
+ namespaced_names {
+ name = "nc"
+ namespace = "ns1"
+ }
+ }
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/plan.json b/inputs/gcp/backup_for_gke/backup_plan/permissive_mode/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan/retention_policy/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan/retention_policy/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/retention_policy/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan/retention_policy/c.tf b/inputs/gcp/backup_for_gke/backup_plan/retention_policy/c.tf new file mode 100644 index 000000000..5fdc4172d --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan/retention_policy/c.tf @@ -0,0 +1,13 @@ +resource "google_gke_backup_backup_plan" "c" { + name = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster" + location = "australia-southeast1" + project = "PDE" + + retention_policy { + backup_delete_lock_days = 30 + backup_retain_days = 90 + locked = true + } +} + diff --git a/inputs/gcp/backup_for_gke/backup_plan/retention_policy/config.tf b/inputs/gcp/backup_for_gke/backup_plan/retention_policy/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null 
+++ b/inputs/gcp/backup_for_gke/backup_plan/retention_policy/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/retention_policy/nc.tf b/inputs/gcp/backup_for_gke/backup_plan/retention_policy/nc.tf
new file mode 100644
index 000000000..83cfd7b64
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan/retention_policy/nc.tf
@@ -0,0 +1,13 @@
+resource "google_gke_backup_backup_plan" "nc" {
+ name = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-cluster"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ retention_policy {
+ backup_delete_lock_days = 0
+ backup_retain_days = 3
+ locked = false
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan/retention_policy/plan.json b/inputs/gcp/backup_for_gke/backup_plan/retention_policy/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/.terraform.lock.hcl
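Review bot: `retention_policy/nc.tf` violates three attributes at once — `backup_delete_lock_days = 0`, `backup_retain_days = 3` and `locked = false` — so a failing result cannot show which condition the policy actually enforces, and a regression that drops one of the three checks would go unnoticed. Keep c.tf's values for two of them and vary one per fixture, or at least document the thresholds in c.tf, e.g. `# policy requires: delete_lock_days >= <MIN_LOCK_DAYS>, retain_days >= <MIN_RETAIN_DAYS>, locked = true` with the real minimums filled in. Neither c.tf nor nc.tf declares `backup_config`, which is fine for this check but worth a comment so nobody later "completes" the fixture and changes what it tests.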
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/c.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/c.tf new file mode 100644 index 000000000..de9ddef7a --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/c.tf @@ -0,0 +1,11 @@ +resource "google_gke_backup_backup_plan_iam_binding" "c" { + name = "c" + location = "australia-southeast1" + project = "PDE" + + role = "roles/gkebackup.backupViewer" # SECURE: Standard predefined role + + members = [ + "serviceAccount:monitor@fluent-coder-468700-h4.iam.gserviceaccount.com" + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/config.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null 
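Review bot: `custom_roles/c.tf` binds `serviceAccount:monitor@fluent-coder-468700-h4.iam.gserviceaccount.com` while `project` is the `PDE` placeholder; `fluent-coder-468700-h4` has the shape of a real GCP project ID and recurs in `members/c.tf` and `project_roles/c.tf`/`nc.tf` later in this diff. Test fixtures in a policy repository should not carry real project identifiers — a placeholder consistent with the rest of the fixtures, e.g. `serviceAccount:monitor@PDE.iam.gserviceaccount.com`, keeps the set uniform and avoids leaking account structure. If it is already a sanitised value, a comment saying so would stop reviewers re-raising it.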
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/nc.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/nc.tf
new file mode 100644
index 000000000..f3355b463
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/nc.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_backup_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "organizations/12345/roles/super_admin" # SECURITY RISK: Org-level custom role!
+
+ members = [
+ "user:contractor@gmail.com"
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/.terraform.lock.hcl
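Review bot: `custom_roles/nc.tf` changes two things relative to c.tf — the role becomes an org-level custom role and the member becomes `user:contractor@gmail.com` — so a failing result does not show whether the custom-role check or the personal-email check fired, and the latter is already exercised by the domain_access fixtures. Keep the member identical to c.tf and vary only `role`. The same one-variable-at-a-time problem is in `domain_access/nc.tf` (role switches from backupViewer to backupAdmin alongside the member change) and `project_roles/nc.tf` (same role switch alongside the convenience-member change).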
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/c.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/c.tf new file mode 100644 index 000000000..14fa60a8a --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/c.tf @@ -0,0 +1,12 @@ +resource "google_gke_backup_backup_plan_iam_binding" "c" { + name = "c" + location = "australia-southeast1" + project = "PDE" + + role = "roles/gkebackup.backupViewer" + + members = [ + "group:backup-admins@yourdomain.com", # SECURE: Specific group + "user:admin@yourdomain.com" # SECURE: Individual user + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/config.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null 
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/nc.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/nc.tf
new file mode 100644
index 000000000..9b266232f
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/nc.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_backup_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.backupAdmin"
+
+ members = [
+ "user:hacker@gmail.com" # Violates personal email policy
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/federated_identities/c.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/federated_identities/c.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/federated_identities/config.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/federated_identities/config.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/federated_identities/nc.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/federated_identities/nc.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/.terraform.lock.hcl
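Review bot: The compliant domain_access fixture (c.tf, earlier in this diff) uses `yourdomain.com`, so for it to pass the policy's allowed-domain list must contain that placeholder; if the list is meant to hold the organisation's real domain, the fixture passes only because the placeholder also sits in the policy, and nothing in this pair would detect that. Immediately after this hunk, `federated_identities/c.tf`, `config.tf` and `nc.tf` are added as zero-byte files (`index 000000000..e69de29bb`): an empty c.tf/nc.tf makes that case vacuous or errors in the harness, and an empty config.tf has no provider block, unlike every sibling directory. Either populate the three files or leave the directory out of this commit.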
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/c.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/c.tf new file mode 100644 index 000000000..5d6272e9a --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/c.tf @@ -0,0 +1,8 @@ +resource "google_gke_backup_backup_plan_iam_member" "c" { + name = "c" + location = "australia-southeast1" + project = "PDE" + + role = "roles/gkebackup.backupViewer" + member = "serviceAccount:backup-monitor@fluent-coder-468700-h4.iam.gserviceaccount.com" +} diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/config.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null +++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/config.tf 
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/fake-creds_test.json b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/fake-creds_test.json
new file mode 100644
index 000000000..32fdcbbe1
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/fake-creds_test.json
@@ -0,0 +1 @@
+{"type":"service_account","project_id":"f"}
\ No newline at end of file
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/nc.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/nc.tf
new file mode 100644
index 000000000..270ef85ce
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/nc.tf
@@ -0,0 +1,8 @@
+resource "google_gke_backup_backup_plan_iam_member" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.backupAdmin"
+ member = "allUsers" # CRITICAL SECURITY RISK: Public access!
+}
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/plan_test b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/plan_test
new file mode 100644
index 000000000..518440bd3
Binary files /dev/null and b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/members/plan_test differ
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/.terraform.lock.hcl
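Review bot: `members/nc.tf` (and `members/c.tf` earlier in this diff) declares `google_gke_backup_backup_plan_iam_member`, yet it sits under `backup_plan_iam_binding/` alongside fixtures that all use `google_gke_backup_backup_plan_iam_binding`; if the policy for this directory selects on the binding type, neither file is evaluated and the `allUsers` case passes by default. Either move the pair to an `iam_member` input tree or make the policy cover both resource types, and confirm with a run that nc.tf actually fails. `fake-creds_test.json` (`"type":"service_account"`) will trip most secret scanners even though it holds no key material; a more obviously synthetic filename or an inline `"_comment"` field saves triage later. `plan_test` is a binary saved plan, and saved plans can carry sensitive planned values unredacted, so reviewed `terraform show -json` output is the safer fixture to commit.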
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/c.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/c.tf
new file mode 100644
index 000000000..7a3e27178
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/c.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_backup_plan_iam_binding" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.backupViewer"
+
+ members = [
+ "serviceAccount:backup-sa@fluent-coder-468700-h4.iam.gserviceaccount.com",
+ "group:backup-viewers@yourdomain.com"
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/config.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/nc.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/nc.tf
new file mode 100644
index 000000000..a73e8fae7
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/nc.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_backup_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.backupAdmin"
+
+ members = [
+ "projectOwner:fluent-coder-468700-h4", # SECURITY RISK: All project owners!
+ "projectEditor:fluent-coder-468700-h4" # SECURITY RISK: All project editors!
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/.terraform.lock.hcl
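Review bot: The `projectOwner:`/`projectEditor:` principals are tagged `# SECURITY RISK` but the comment never says what the policy keys on, and the compliant fixture in this directory uses `group:backup-viewers@yourdomain.com` while role/c.tf uses `example.com`, so a reader cannot tell whether an allowed-domain rule exists. State the rule on the line, e.g. `# noncompliant: project-level convenience principals must not be granted on backup-plan bindings`, and use one placeholder domain across all fixtures. `fluent-coder-468700-h4` appears to be a real project ID; a labelled placeholder such as `<PROJECT_ID>` avoids publishing it.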
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/c.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/c.tf
new file mode 100644
index 000000000..9c98d07e1
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/c.tf
@@ -0,0 +1,23 @@
+resource "google_gke_backup_backup_plan_iam_binding" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ role = "roles/gkebackup.backupViewer"
+
+ members = [
+ "user:security-auditor@example.com",
+ "group:backup-viewers@example.com"
+ ]
+}
+
+resource "google_gke_backup_backup_plan_iam_binding" "c_owner_group" {
+ name = "c_owner_group"
+ location = "australia-southeast1"
+ project = "PDE"
+ role = "roles/owner"
+
+ members = [
+ "group:admins@example.com"
+ ]
+}
+
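Review bot: `c_owner_group` binds the basic role `roles/owner` on a backup-plan IAM binding and is labelled compliant, which contradicts least privilege and the predefined `roles/gkebackup.*` roles used in every other fixture here; `roles/gkebackup.backupAdmin` already covers administration of the plan. If the intent is that basic roles are tolerated when the principal is a group, that needs to be written on the resource, e.g. `# compliant: basic role accepted only for group principals`; otherwise this resource belongs in nc.tf. I would also confirm that the Backup for GKE IAM API accepts `roles/owner` at the backup-plan resource level, because if it does not, the plan fails before the policy is evaluated and the fixture proves nothing.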
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/config.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/nc.tf b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/nc.tf
new file mode 100644
index 000000000..74a93b7f2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/nc.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_backup_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ role = "roles/owner" # Blocked because member is a user
+
+ members = [
+ "user:random-contractor@gmail.com"
+ ]
+}
+
diff --git a/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/tfplan b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/tfplan
new file mode 100644
index 000000000..6899a6af3
Binary files /dev/null and b/inputs/gcp/backup_for_gke/backup_plan_iam_binding/role/tfplan differ
diff --git a/inputs/gcp/backup_for_gke/restore_channel/destination_project/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_channel/destination_project/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/destination_project/.terraform.lock.hcl
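Review bot: The comment `# Blocked because member is a user` does not match the fixtures: role/c.tf grants `user:security-auditor@example.com` and is compliant, so the blocking condition is the role-and-principal combination (`roles/owner` to an individual user), not the principal type alone. Write it as `# noncompliant: roles/owner must not be granted to an individual user principal`. The principal is also on an external consumer domain (`gmail.com`), which is a second, independent violation; a fixture that fails for exactly one reason pins the policy's behaviour down, so either move the domain case to its own resource or pick a `user:` on the fixtures' placeholder domain.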
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_channel/destination_project/c.tf b/inputs/gcp/backup_for_gke/restore_channel/destination_project/c.tf
new file mode 100644
index 000000000..fd1a1754e
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/destination_project/c.tf
@@ -0,0 +1,8 @@
+resource "google_gke_backup_restore_channel" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ destination_project = "projects/PDE"
+ description = "Restore channel for same-project disaster recovery"
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/destination_project/config.tf b/inputs/gcp/backup_for_gke/restore_channel/destination_project/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/destination_project/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/destination_project/nc.tf b/inputs/gcp/backup_for_gke/restore_channel/destination_project/nc.tf
new file mode 100644
index 000000000..4abf53f75
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/destination_project/nc.tf
@@ -0,0 +1,7 @@
+resource "google_gke_backup_restore_channel" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ destination_project = "external-project-12345"
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/destination_project/plan.json b/inputs/gcp/backup_for_gke/restore_channel/destination_project/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_channel/labels/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_channel/labels/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/labels/.terraform.lock.hcl
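Review bot: `destination_project = "external-project-12345"` is wrong in two independent ways: it lacks the `projects/` prefix that the argument's documented `projects/{project}` form requires (c.tf uses it), and it names a foreign project. The malformed value will most likely be rejected by the provider or API before any policy sees a plan, so the fixture does not demonstrate the cross-project check; use `destination_project = "projects/external-project-12345"` so that only the policy condition fails. It is also worth a one-line comment on c.tf stating the rule, because the backup-channel documentation in this same change calls for a dedicated backup project, and without a note it is unclear whether same-project `projects/PDE` is compliant for restore channels by design. Every `plan.json` added in this change, including the one in this directory, is the empty blob (`e69de29bb`), so whatever consumes these inputs currently has no plan to evaluate.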
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_channel/labels/c.tf b/inputs/gcp/backup_for_gke/restore_channel/labels/c.tf
new file mode 100644
index 000000000..cb209d8b3
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/labels/c.tf
@@ -0,0 +1,17 @@
+resource "google_gke_backup_restore_channel" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ destination_project = "projects/PDE"
+
+ labels = {
+ data-classification = "sensitive"
+ compliance = "required"
+ environment = "prod"
+ disaster-recovery = "critical"
+ encryption = "cmek-required"
+ owner = "platform-team"
+ cost-center = "engineering"
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/labels/config.tf b/inputs/gcp/backup_for_gke/restore_channel/labels/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/labels/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/labels/nc.tf b/inputs/gcp/backup_for_gke/restore_channel/labels/nc.tf
new file mode 100644
index 000000000..7db703d56
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/labels/nc.tf
@@ -0,0 +1,7 @@
+resource "google_gke_backup_restore_channel" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ destination_project = "projects/PDE"
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/labels/plan.json b/inputs/gcp/backup_for_gke/restore_channel/labels/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_channel/location/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_channel/location/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/location/.terraform.lock.hcl
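Review bot: The label fixtures only cover "all labels present" (c.tf) and "no `labels` block at all" (nc.tf), so a policy that merely tests for the presence of `labels` passes both. Add a noncompliant case with the block present but a required key missing — the documentation in this change names `environment`, `cost-center` and `owner` as required — for example `labels = { environment = "prod" }`, so the policy has to check keys rather than existence. In c.tf, `encryption = "cmek-required"` is only a tag and enforces nothing; a comment such as `# informational label only; does not configure encryption` keeps the fixture from reading as if labelling enabled CMEK.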
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_channel/location/c.tf b/inputs/gcp/backup_for_gke/restore_channel/location/c.tf
new file mode 100644
index 000000000..742ed7705
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/location/c.tf
@@ -0,0 +1,7 @@
+resource "google_gke_backup_restore_channel" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ destination_project = "projects/PDE"
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/location/config.tf b/inputs/gcp/backup_for_gke/restore_channel/location/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/location/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/location/nc.tf b/inputs/gcp/backup_for_gke/restore_channel/location/nc.tf
new file mode 100644
index 000000000..7e71d27da
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/location/nc.tf
@@ -0,0 +1,7 @@
+resource "google_gke_backup_restore_channel" "nc" {
+ name = "nc"
+ location = "us-central1"
+ project = "PDE"
+ destination_project = "projects/PDE"
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/location/plan.json b/inputs/gcp/backup_for_gke/restore_channel/location/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_channel/name/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_channel/name/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/name/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.17.0"
+ hashes = [
+ "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=",
+ "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc",
+ "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5",
+ "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937",
+ "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9",
+ "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4",
+ "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54",
+ "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb",
+ "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474",
+ "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49",
+ "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_channel/name/c.tf b/inputs/gcp/backup_for_gke/restore_channel/name/c.tf
new file mode 100644
index 000000000..de5f002e6
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/name/c.tf
@@ -0,0 +1,14 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "gke-restore-channel-daily"
+ project = "PDE"
+ location = "australia-southeast1"
+ backup_plan = "projects/PDE/locations/australia-southeast1/backupPlans/bp1"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c1"
+ restore_config {
+ volume_data_restore_policy = "RESTORE_VOLUME_DATA_FROM_BACKUP"
+ cluster_resource_restore_scope {
+ all_group_kinds = true
+ }
+ all_namespaces = true
+ }
+}
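Review bot: This directory is `restore_channel/name`, yet both c.tf and nc.tf declare `google_gke_backup_restore_plan` rather than `google_gke_backup_restore_channel`, so a policy scoped to the restore-channel resource type will never match these fixtures and the name check goes untested. The compliant fixture also sets `all_namespaces = true` and `all_group_kinds = true`, exactly the values that the restore_plan/all_namespaces and restore_plan/cluster_resource_scope fixtures in this same change mark noncompliant, so it only passes if policies are evaluated one at a time. Separately, this directory's lock pins provider `7.17.0` while every other lock in the change pins `7.12.0`; pin one version, ideally with a `version` constraint on the `google` entry in config.tf, so fixture plans are produced by the same provider.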
diff --git a/inputs/gcp/backup_for_gke/restore_channel/name/config.tf b/inputs/gcp/backup_for_gke/restore_channel/name/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/name/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_channel/name/nc.tf b/inputs/gcp/backup_for_gke/restore_channel/name/nc.tf
new file mode 100644
index 000000000..f8fded7cd
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_channel/name/nc.tf
@@ -0,0 +1,14 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "my-custom-restore-channel"
+ project = "PDE"
+ location = "australia-southeast1"
+ backup_plan = "projects/PDE/locations/australia-southeast1/backupPlans/bp1"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c1"
+ restore_config {
+ volume_data_restore_policy = "RESTORE_VOLUME_DATA_FROM_BACKUP"
+ cluster_resource_restore_scope {
+ all_group_kinds = true
+ }
+ all_namespaces = true
+ }
+}
diff --git a/inputs/gcp/backup_for_gke/restore_channel/name/plan.json b/inputs/gcp/backup_for_gke/restore_channel/name/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/c.tf b/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/c.tf
new file mode 100644
index 000000000..ec09db3fd
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/c.tf
@@ -0,0 +1,22 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "c"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production", "critical-apps"]
+ }
+
+ transformation_rules {
+ description = "Security policy for restore"
+ field_actions {
+ op = "REMOVE"
+ path = "/spec/serviceAccountName"
+ }
+ }
+ }
+}
+
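Review bot: `backup_plan = "c"` is a bare name, whereas restore_channel/name/c.tf in this same change uses the full `projects/{project}/locations/{location}/backupPlans/{name}` form; if these fixtures are ever planned against the provider rather than fed to a mocked evaluator, the bare form is likely to be rejected before the policy runs (the same bare value appears in the cluster, cluster_resource_scope, conflict_policy and excluded_namespaces fixtures). The `transformation_rules` block that removes `/spec/serviceAccountName` is unrelated to the all_namespaces check; keeping a per-attribute fixture minimal avoids a pass or fail being caused by a rule other than the one under test. If the transformation is meant to stay, a one-line comment on its purpose would help, since `description = "Security policy for restore"` does not say what it protects against.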
diff --git a/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/config.tf b/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/nc.tf
new file mode 100644
index 000000000..f2743fb88
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/nc.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ all_namespaces = true
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/plan.json b/inputs/gcp/backup_for_gke/restore_plan/all_namespaces/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/cluster/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/cluster/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster/c.tf b/inputs/gcp/backup_for_gke/restore_plan/cluster/c.tf
new file mode 100644
index 000000000..47698f2f3
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/cluster/c.tf
@@ -0,0 +1,15 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "c"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/prod-dr"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+ }
+
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster/config.tf b/inputs/gcp/backup_for_gke/restore_plan/cluster/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/cluster/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/cluster/nc.tf
new file mode 100644
index 000000000..9154e8786
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/cluster/nc.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "nc"
+ cluster = "" # Invalid: empty
+
+ restore_config {
+ all_namespaces = true
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster/plan.json b/inputs/gcp/backup_for_gke/restore_plan/cluster/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/.terraform.lock.hcl
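Review bot: `cluster = ""` with `# Invalid: empty` is almost certainly rejected by provider or API validation (the argument is required and expects a cluster resource name), so no plan is produced and the policy under test never runs; this fixture exercises Terraform's own validation, not the policy. Model a well-formed value that violates the rule instead — for example a cluster outside the approved project or region, `cluster = "projects/<OTHER_PROJECT_ID>/locations/us-central1/clusters/c"` — and put the rule in the comment, e.g. `# noncompliant: restore target is outside the approved project/region`. The fixture also sets `all_namespaces = true`, which the all_namespaces policy in this change treats as a violation on its own, so a failure here could be attributed to the wrong rule. The stray blank line before the closing `}` in c.tf is a `terraform fmt` nit.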
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/c.tf b/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/c.tf
new file mode 100644
index 000000000..5e815bca0
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/c.tf
@@ -0,0 +1,18 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "c"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+
+ cluster_resource_restore_scope {
+ no_group_kinds = true
+ }
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/config.tf b/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/nc.tf
new file mode 100644
index 000000000..10f48077e
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/nc.tf
@@ -0,0 +1,18 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+
+ cluster_resource_restore_scope {
+ all_group_kinds = true
+ }
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/plan.json b/inputs/gcp/backup_for_gke/restore_plan/cluster_resource_scope/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/c.tf b/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/c.tf
new file mode 100644
index 000000000..3696b1aa9
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/c.tf
@@ -0,0 +1,15 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "c"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+ cluster_resource_conflict_policy = "USE_EXISTING_VERSION"
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/config.tf b/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/nc.tf
new file mode 100644
index 000000000..eec3cb82c
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/nc.tf
@@ -0,0 +1,15 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+ cluster_resource_conflict_policy = "USE_BACKUP_VERSION"
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/plan.json b/inputs/gcp/backup_for_gke/restore_plan/conflict_policy/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/.terraform.lock.hcl
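Review bot: Neither conflict_policy fixture sets a `cluster_resource_restore_scope`, and `cluster_resource_conflict_policy` only governs what happens to cluster-scoped resources that the restore actually touches, so as written the setting may never take effect and the fixtures test a string comparison rather than the behaviour the policy is meant to prevent — hedged, since the provider's default scope is not visible here. Adding the same `cluster_resource_restore_scope { selected_group_kinds { ... } }` block to both files would make the fixture self-consistent. The rationale should also be on the line: `cluster_resource_conflict_policy = "USE_BACKUP_VERSION" # noncompliant: overwrites live cluster-scoped objects with the backup copy`.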
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/c.tf b/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/c.tf new file mode 100644 index 000000000..dbed6bcef --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/c.tf @@ -0,0 +1,15 @@ +resource "google_gke_backup_restore_plan" "c" { + name = "c" + location = "australia-southeast1" + project = "PDE" + backup_plan = "c" + cluster = "projects/PDE/locations/australia-southeast1/clusters/c" + + restore_config { + excluded_namespaces { + namespaces = ["custom-namespace"] + } + } + +} + diff --git a/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/config.tf b/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null 
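Review bot: Nothing in the pair says what the excluded_namespaces control asserts — `c` excludes `custom-namespace` and `nc` excludes `kube-system`, so presumably the rule is that system namespaces must remain restorable, but a reader has to infer that from two values. A one-line header on c.tf such as `# compliant: only a workload namespace is excluded; excluding system namespaces (kube-system) is flagged`, with the mirror comment on nc.tf, would document the intent next to the fixture it exercises. The stray blank line before the closing brace of the c.tf resource is a formatting nit that `terraform fmt` would remove.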
+++ b/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/nc.tf
new file mode 100644
index 000000000..ee0b6e205
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/nc.tf
@@ -0,0 +1,14 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ excluded_namespaces {
+ namespaces = ["kube-system"]
+ }
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/plan.json b/inputs/gcp/backup_for_gke/restore_plan/excluded_namespaces/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_plan/field_actions/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/field_actions/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/field_actions/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan/field_actions/c.tf b/inputs/gcp/backup_for_gke/restore_plan/field_actions/c.tf new file mode 100644 index 000000000..8aa4b73e7 --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/field_actions/c.tf 
@@ -0,0 +1,39 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "c"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+
+ transformation_rules {
+ description = "Remove service accounts"
+ field_actions {
+ op = "REMOVE"
+ path = "/spec/serviceAccountName"
+ }
+ }
+
+ transformation_rules {
+ description = "Remove secrets"
+ field_actions {
+ op = "REMOVE"
+ path = "/spec/containers[]/env[]/valueFrom/secretKeyRef"
+ }
+ }
+
+ transformation_rules {
+ description = "Remove privileged mode"
+ field_actions {
+ op = "REPLACE"
+ path = "/spec/containers[]/securityContext/privileged"
+ value = "false"
+ }
+ }
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/field_actions/config.tf b/inputs/gcp/backup_for_gke/restore_plan/field_actions/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/field_actions/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/field_actions/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/field_actions/nc.tf
new file mode 100644
index 000000000..9609894ae
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/field_actions/nc.tf
@@ -0,0 +1,14 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/field_actions/plan.json b/inputs/gcp/backup_for_gke/restore_plan/field_actions/plan.json
new file mode 100644
index 000000000..e69de29bb
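Review bot: The `path` values use `[]` wildcard segments (`/spec/containers[]/env[]/valueFrom/secretKeyRef`, `/spec/containers[]/securityContext/privileged`); the provider documents `field_actions.path` as a JSON-Pointer value, and RFC 6901 pointers have no wildcard syntax, so as written these rules may match nothing at restore time and the "compliant" fixture would model a transformation that does not actually strip the secret references or the privileged flag. Worth checking against the Backup for GKE docs before this becomes the reference example; the transformation_rules/c.tf hunk further down reuses the same two paths. If the intent is only to exercise the policy's presence check, a comment such as `# paths are illustrative; verify JSON Pointer syntax before reusing in a real restore plan` would stop them being copied verbatim.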
diff --git a/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/.terraform.lock.hcl new file mode 100644 index 000000000..894abb857 --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/c.tf b/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/c.tf new file mode 100644 index 000000000..028231c78 --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/c.tf 
@@ -0,0 +1,15 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "c"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+ namespaced_resource_restore_mode = "FAIL_ON_CONFLICT"
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/config.tf b/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/nc.tf
new file mode 100644
index 000000000..d30c2b0f3
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/nc.tf
@@ -0,0 +1,15 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+ namespaced_resource_restore_mode = "MERGE_SKIP_ON_CONFLICT"
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/plan.json b/inputs/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/c.tf b/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/c.tf new file mode 100644 index 000000000..df8ded4d0 --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/c.tf 
@@ -0,0 +1,30 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "c"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+
+ transformation_rules {
+ description = "Remove sensitive fields"
+ field_actions {
+ op = "REMOVE"
+ path = "/spec/serviceAccountName"
+ }
+ }
+
+ transformation_rules {
+ description = "Remove privileged security context"
+ field_actions {
+ op = "REMOVE"
+ path = "/spec/containers[]/securityContext/privileged"
+ }
+ }
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/config.tf b/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/nc.tf
new file mode 100644
index 000000000..9609894ae
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/nc.tf
@@ -0,0 +1,14 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/plan.json b/inputs/gcp/backup_for_gke/restore_plan/transformation_rules/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/.terraform.lock.hcl new file mode 100644 index 000000000..316309c9a --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/c.tf b/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/c.tf new file mode 100644 index 000000000..bcdb9148f --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/c.tf 
@@ -0,0 +1,14 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "rp-volume-bindings-c"
+ project = "PDE"
+ location = "australia-southeast1"
+ backup_plan = "projects/PDE/locations/australia-southeast1/backupPlans/bp1"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c1"
+ restore_config {
+ volume_data_restore_policy = "RESTORE_VOLUME_DATA_FROM_BACKUP"
+ cluster_resource_restore_scope {
+ all_group_kinds = true
+ }
+ all_namespaces = true
+ }
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/config.tf b/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/nc.tf
new file mode 100644
index 000000000..f056096c3
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/nc.tf
@@ -0,0 +1,14 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "rp-volume-bindings-nc"
+ project = "PDE"
+ location = "australia-southeast1"
+ backup_plan = "projects/PDE/locations/australia-southeast1/backupPlans/bp1"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c1"
+ restore_config {
+ volume_data_restore_policy = "NO_VOLUME_DATA_RESTORATION"
+ cluster_resource_restore_scope {
+ all_group_kinds = true
+ }
+ all_namespaces = true
+ }
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/plan.json b/inputs/gcp/backup_for_gke/restore_plan/volume_bindings/plan.json
new file mode 100644
index 000000000..e69de29bb
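Review bot: The compliant fixture pairs `volume_data_restore_policy = "RESTORE_VOLUME_DATA_FROM_BACKUP"` with `all_namespaces = true` and `cluster_resource_restore_scope { all_group_kinds = true }`, which is the widest restore scope the resource allows (every namespace plus every cluster-scoped kind, RBAC objects included); if any other policy in the suite constrains restore scope this `c` input will be reported as a violation by it, and as a reference example it models far more than the volume control needs. Narrowing it to the `selected_namespaces { namespaces = ["production"] }` shape the other restore_plan fixtures use keeps the directories comparable — only the volume attribute has to differ between c and nc. The directory also overlaps volume_data_restore (same attribute under test, different nc value) and pins provider 7.17.0 where that one pins 7.12.0; if both directories are intended, a comment naming what distinguishes them would help the next reader.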
diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/.terraform.lock.hcl new file mode 100644 index 000000000..894abb857 --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.12.0" + hashes = [ + "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=", + "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b", + "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9", + "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9", + "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d", + "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5", + "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2", + "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca", + "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc", + "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575", + "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f", + "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/c.tf b/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/c.tf new file mode 100644 index 000000000..ebb0aea21 --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/c.tf 
@@ -0,0 +1,15 @@
+resource "google_gke_backup_restore_plan" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "c"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+ volume_data_restore_policy = "RESTORE_VOLUME_DATA_FROM_BACKUP"
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/config.tf b/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/nc.tf b/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/nc.tf
new file mode 100644
index 000000000..bba92650b
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/nc.tf
@@ -0,0 +1,15 @@
+resource "google_gke_backup_restore_plan" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ backup_plan = "nc"
+ cluster = "projects/PDE/locations/australia-southeast1/clusters/c"
+
+ restore_config {
+ selected_namespaces {
+ namespaces = ["production"]
+ }
+ volume_data_restore_policy = "REUSE_VOLUME_HANDLE_FROM_BACKUP"
+ }
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/plan.json b/inputs/gcp/backup_for_gke/restore_plan/volume_data_restore/plan.json
new file mode 100644
index 000000000..e69de29bb
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/c.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/c.tf new file mode 100644 index 000000000..561a1ea25 --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/c.tf @@ -0,0 +1,12 @@ +resource "google_gke_backup_restore_plan_iam_binding" "c" { + name = "c" + location = "australia-southeast1" + project = "PDE" + + role = "roles/gkebackup.restoreViewer" + + members = [ + "group:sre-team@yourdomain.com", # SECURE: Company domain group + "group:dr-team@yourdomain.com" # SECURE: Company domain group + ] +} 
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/config.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/nc.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/nc.tf
new file mode 100644
index 000000000..cf89b5883
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/nc.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_restore_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreAdmin"
+
+ members = [
+ "group:consultants@external-contractors.com", # SECURITY RISK: External domain!
+ "group:partners@partner-collab.org" # SECURITY RISK: Partner domain!
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/.terraform.lock.hcl
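Review bot: `role = "roles/gkebackup.restoreAdmin"` changes the role at the same time as the member domains change from `yourdomain.com` to `external-contractors.com` / `partner-collab.org`, so a policy that passes c and fails nc could be keying on either attribute and this pair does not demonstrate that the domain check itself works; keep `role = "roles/gkebackup.restoreViewer"` in nc and vary only the members, or add a second nc that changes only the role. The domain_access and personal_emails nc fixtures below have the same two-variables-changed shape; member_count is the only iam_binding pair that holds the role constant. It is also worth a comment in these fixtures that `google_gke_backup_restore_plan_iam_binding` is authoritative for its role — the listed members become the complete member set for that role if the file is ever applied rather than only planned.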
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/c.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/c.tf new file mode 100644 index 000000000..90c7259b0 --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/c.tf @@ -0,0 +1,12 @@ +resource "google_gke_backup_restore_plan_iam_binding" "c" { + name = "c" + location = "australia-southeast1" + project = "PDE" + + role = "roles/gkebackup.restoreViewer" + + members = [ + "group:sre-team@yourdomain.com", # SECURE: Specific group + "group:incident-response@yourdomain.com" # SECURE: Specific group + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/config.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/config.tf new file mode 100644 index 000000000..c5d6ff5b2 
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/nc.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/nc.tf
new file mode 100644
index 000000000..5bdc9213c
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/nc.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_restore_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreAdmin"
+
+ members = [
+ "user:hacker@gmail.com"
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.17.0" + hashes = [ + "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=", + "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc", + "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5", + "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937", + "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9", + "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4", + "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54", + "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb", + "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474", + "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49", + "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac", + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/c.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/c.tf new file mode 100644 index 000000000..d54ef5bad --- /dev/null +++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/c.tf @@ -0,0 +1,12 @@ +resource "google_gke_backup_restore_plan_iam_binding" "c" { + name = "rp-iam-c" + location = "australia-southeast1" + project = "PDE" + role = "roles/gkebackup.restoreViewer" + + members = [ + "user:alice@example.com", + "user:bob@example.com", + "group:viewers@example.com" + ] +} diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/config.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/config.tf new file mode 100644 index 000000000..c5d6ff5b2 --- /dev/null 
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/nc.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/nc.tf
new file mode 100644
index 000000000..1c56e2bab
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/member_count/nc.tf
@@ -0,0 +1,20 @@
+resource "google_gke_backup_restore_plan_iam_binding" "nc" {
+ name = "rp-iam-nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ role = "roles/gkebackup.restoreViewer"
+
+ members = [
+ "user:user1@example.com",
+ "user:user2@example.com",
+ "user:user3@example.com",
+ "user:user4@example.com",
+ "user:user5@example.com",
+ "user:user6@example.com",
+ "user:user7@example.com",
+ "user:user8@example.com",
+ "user:user9@example.com",
+ "user:user10@example.com",
+ "user:user11@example.com" # 11 members, exceeding limit of 10
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/.terraform.lock.hcl
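Review bot: `# 11 members, exceeding limit of 10` pins only one side of the boundary; there is no fixture with exactly ten members, so a policy written with `>` and one written with `>=` both pass this pair. Add a compliant input with ten entries (or trim this one to ten and keep a separate eleventh-member nc) so the off-by-one is actually exercised. Two caveats deserve a comment in the fixture: a per-binding count is trivially satisfied by spreading members across several bindings for the same role, and a single `group:` member (as in `group:viewers@example.com` in c.tf) can carry any number of identities, so this control bounds the size of the policy document, not the number of principals with restore access. c.tf also uses `example.com` while the other iam_binding fixtures treat `yourdomain.com` as the company domain — if the domain policy is evaluated over every input directory, that compliant fixture will trip it.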
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.17.0"
+ hashes = [
+ "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=",
+ "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc",
+ "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5",
+ "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937",
+ "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9",
+ "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4",
+ "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54",
+ "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb",
+ "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474",
+ "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49",
+ "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/c.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/c.tf
new file mode 100644
index 000000000..d2023f868
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/c.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_restore_plan_iam_binding" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreViewer"
+
+ members = [
+ "user:john.doe@yourdomain.com", # SECURE: Company domain
+ "user:jane.admin@yourdomain.com" # SECURE: Company domain
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/config.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/nc.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/nc.tf
new file mode 100644
index 000000000..77e83296b
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/nc.tf
@@ -0,0 +1,13 @@
+resource "google_gke_backup_restore_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreAdmin"
+
+ members = [
+ "user:johndoe123@gmail.com", # SECURITY RISK: Personal Gmail!
+ "user:contractor@hotmail.com", # SECURITY RISK: Personal email!
+ "user:admin@yahoo.com" # SECURITY RISK: Personal email!
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/c.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/c.tf
new file mode 100644
index 000000000..1f0db9f01
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/c.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_restore_plan_iam_binding" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreViewer"
+
+ members = [
+ "serviceAccount:restore-viewer@fluent-coder-468700-h4.iam.gserviceaccount.com"
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/config.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/nc.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/nc.tf
new file mode 100644
index 000000000..3a6ed8b87
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/nc.tf
@@ -0,0 +1,13 @@
+resource "google_gke_backup_restore_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreAdmin"
+
+ members = [
+ "projectOwner:fluent-coder-468700-h4", # SECURITY RISK: All project owners!
+ "projectEditor:fluent-coder-468700-h4", # SECURITY RISK: All project editors!
+ "projectViewer:fluent-coder-468700-h4" # SECURITY RISK: All project viewers!
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.17.0"
+ hashes = [
+ "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=",
+ "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc",
+ "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5",
+ "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937",
+ "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9",
+ "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4",
+ "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54",
+ "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb",
+ "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474",
+ "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49",
+ "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/c.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/c.tf
new file mode 100644
index 000000000..359022399
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/c.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_restore_plan_iam_binding" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreViewer"
+
+ members = [
+ "serviceAccount:dr-restore@fluent-coder-468700-h4.iam.gserviceaccount.com",
+ "group:incident-response@yourdomain.com"
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/config.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/nc.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/nc.tf
new file mode 100644
index 000000000..3c5e810c2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/public_access/nc.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_restore_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreAdmin"
+
+ members = [
+ "allUsers", # CRITICAL SECURITY RISK: Public restore access!
+ "allAuthenticatedUsers" # SECURITY RISK: Any Google account can restore!
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/.terraform.lock.hcl
new file mode 100644
index 000000000..894abb857
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.12.0"
+ hashes = [
+ "h1:vd1110nYSvbUdAM3MDtQD97ikZvuyDgKExlzTwutYqw=",
+ "zh:38722ec7777543c23e22e02695e53dd5c94644022647c3c79e11e587063d4d2b",
+ "zh:417b12b69c91c12e3fcefee38744b7a37bae73b706e3071c714151a623a6b0e9",
+ "zh:4902cea92c78b462beaf053de03d0d55fb2241d41ca3379b4568ba247f667fa9",
+ "zh:50ccce39d403ba477943e6652ccb6913092d9dcce1d55533b00b66062888db3d",
+ "zh:56dccfe5df28cfe368d93c37ad6c46a16e76da61482fd0bfc83676b1423cecf5",
+ "zh:7265fca2921e5e300da5d8de7e28b658c0863fdda9da696c5b97dbd3122c17c2",
+ "zh:8317467e828178a6db9ddabe431bb13935c00bfb5e4b4d9760bd56f7ae596eca",
+ "zh:84cc9d9277422a0d6c80d2bd204642d8776ddbba23feb94cf2760bb5f15410bc",
+ "zh:8f79d72e7ed4e36d01560ce5fc944dc7e0387fa0f8272a4345fc6ae896e8f575",
+ "zh:98c3d756beca036f84e7840e2099ff7359e9a246cd9a35386e03ce65032b3f5f",
+ "zh:a07e3ca19673d28da9289ca28dfb83204fa6636f642b8cf46de8caaf526b7dde",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/c.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/c.tf
new file mode 100644
index 000000000..99fb6820f
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/c.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_restore_plan_iam_binding" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.viewer" # SECURE: Read-only access
+
+ members = [
+ "serviceAccount:audit-sa@fluent-coder-468700-h4.iam.gserviceaccount.com"
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/config.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/nc.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/nc.tf
new file mode 100644
index 000000000..a5c21df4f
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/nc.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_restore_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/container.clusterAdmin" # SECURITY RISK: Full cluster admin for restore!
+
+ members = [
+ "user:contractor@gmail.com"
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.17.0"
+ hashes = [
+ "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=",
+ "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc",
+ "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5",
+ "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937",
+ "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9",
+ "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4",
+ "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54",
+ "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb",
+ "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474",
+ "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49",
+ "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/c.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/c.tf
new file mode 100644
index 000000000..cb858406a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/c.tf
@@ -0,0 +1,23 @@
+resource "google_gke_backup_restore_plan_iam_binding" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+ role = "roles/gkebackup.restoreViewer"
+
+ members = [
+ "serviceAccount:restore-monitor@PDE.iam.gserviceaccount.com",
+ "group:sre-readonly@yourdomain.com"
+ ]
+}
+
+resource "google_gke_backup_restore_plan_iam_binding" "c_owner_group" {
+ name = "c_owner_group"
+ location = "australia-southeast1"
+ project = "PDE"
+ role = "roles/owner"
+
+ members = [
+ "group:admins@example.com"
+ ]
+}
+
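Review bot: The compliant fixture `c_owner_group` grants `roles/owner` on a restore-plan IAM binding, which makes a basic, project-wide role the expected-to-pass case; if the role policy (not in this chunk) is meant to keep restore-plan bindings within the `roles/gkebackup.*` family this fixture contradicts it, and if it only checks the member type the resource name and a comment should say which attribute is under test. A compliant example should not normalise owner-level grants on a backup-restore resource; `role = "roles/gkebackup.restoreAdmin"` would exercise an elevated-but-scoped role with a group member. Separately, `restore-monitor@PDE.iam.gserviceaccount.com` embeds the uppercase placeholder project id in a service-account address, which no real project can match, whereas the sibling fixtures use `fluent-coder-468700-h4`.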
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/config.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/nc.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/nc.tf
new file mode 100644
index 000000000..4bb251a55
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/role/nc.tf
@@ -0,0 +1,11 @@
+resource "google_gke_backup_restore_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+ role = "roles/owner"
+
+ members = [
+ "user:contractor@external.com"
+ ]
+}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/.terraform.lock.hcl b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/.terraform.lock.hcl
new file mode 100644
index 000000000..316309c9a
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.17.0"
+ hashes = [
+ "h1:VPHRMsm3eQrxzk1b7eHuSG9sG7315ZaGPshFjqzZ5No=",
+ "zh:103778d776fb994a6b24d70fa095c23a1672361f2a05d882b227b02507b402fc",
+ "zh:34bcd6cce3081a21983ccfad5cbf2cbf69ff298c65c6570edb4ec7d38a8183f5",
+ "zh:5f8fd0e8e40068b597b28c0bc08372c9228aad77746068101c72acf4bb902937",
+ "zh:6b25cee7dec78470feb987438aedb1f4354c696f6548edee7775621e8df24fa9",
+ "zh:6b5bd97884b51b86fa6a9f1905c0ebf695539e905122052896e8b05122416ff4",
+ "zh:86e634c5825d8bd32592ae6b74f15e1db5d9b61c85d1a2e529d1696effb76d54",
+ "zh:c3190609f6f638f4efd7359a5638eeff81d41a38a00861f7df870b5c8f4c11cb",
+ "zh:d42d854642b4d3b010f232d848197945f90af60e7f9883ac96d7caae9c9d2474",
+ "zh:da9929be5d3873ad317e488e7ada08d5b95b5461b34d91cef76314317bdc0d49",
+ "zh:ed2763c21b2f3c1eb7b4b92f6502069a24078345e19c88f91d9e3a46a17147f8",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:fbca63b82bbdef6fd329d2c8356b3f39f8c785ad93fd0596cfff676dbaef23ac",
+ ]
+}
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/c.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/c.tf
new file mode 100644
index 000000000..43b0219e0
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/c.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_restore_plan_iam_binding" "c" {
+ name = "c"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreAdmin"
+
+ members = [
+ "serviceAccount:restore-automation@fluent-coder-468700-h4.iam.gserviceaccount.com", # SECURE: Same project SA
+ "serviceAccount:dr-restore@fluent-coder-468700-h4.iam.gserviceaccount.com" # SECURE: Allowed project SA
+ ]
+}
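Review bot: The member comments read `Same project SA` and `Allowed project SA`, but the binding's `project` is `PDE` while both service accounts live in `fluent-coder-468700-h4`; if the service_accounts policy (not in this chunk) derives the permitted project from the binding's own `project` attribute this compliant fixture would fail, and if it uses a static allowlist the first comment is simply wrong. Align the two: either `project = "fluent-coder-468700-h4"` or reword the comments to name the allowlisted project explicitly. The nc.tf fixture for the same policy at L157 relies on the same assumption, so both should be adjusted together.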
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/config.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/config.tf
new file mode 100644
index 000000000..c5d6ff5b2
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
+
diff --git a/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/nc.tf b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/nc.tf
new file mode 100644
index 000000000..1fed3c670
--- /dev/null
+++ b/inputs/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/nc.tf
@@ -0,0 +1,12 @@
+resource "google_gke_backup_restore_plan_iam_binding" "nc" {
+ name = "nc"
+ location = "australia-southeast1"
+ project = "PDE"
+
+ role = "roles/gkebackup.restoreAdmin"
+
+ members = [
+ "serviceAccount:unknown-sa@random-project-12345.iam.gserviceaccount.com", # SECURITY RISK: Unknown project!
+ "serviceAccount:external@suspicious-org.iam.gserviceaccount.com" # SECURITY RISK: External SA!
+ ]
+}
diff --git a/policies/gcp/backup_for_gke/backup_channel/destination_project/policy.rego b/policies/gcp/backup_for_gke/backup_channel/destination_project/policy.rego
new file mode 100644
index 000000000..7d400c1d6
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_channel/destination_project/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_channel.destination_project
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_channel.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Destination project must be set.",
+ "remedies": ["Ensure destination_project is configured."]
+ },
+ {
+ "condition": "Destination Project must not be empty",
+ "attribute_path": ["destination_project"],
+ "values": [null, ""],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_channel/labels/policy.rego b/policies/gcp/backup_for_gke/backup_channel/labels/policy.rego
new file mode 100644
index 000000000..7c689b98d
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_channel/labels/policy.rego
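Review bot: The only condition blacklists `null` and `""`, so any non-empty `destination_project` passes, including the workload's own project or an arbitrary one, and the isolation the dedicated-backup-project rule is meant to provide is not enforced. Add a second condition group that whitelists the approved destination project(s) in the `projects/{project}` form the attribute takes (shown below with a labelled placeholder); the attribute also accepts a project number, so list whichever form the pipeline emits. If the approved set differs per environment, hoist it into vars.rego the way backup_plan/location keeps `approved_locations` at L169 rather than inlining it here.

```rego
conditions := [
    # … unchanged: "must not be empty" group …
    [
        {
            "situation_description": "Destination project must be one of the approved backup projects.",
            "remedies": ["Set destination_project to projects/<approved backup project>."]
        },
        {
            "condition": "Destination project must be an approved backup project",
            "attribute_path": ["destination_project"],
            "values": ["projects/BACKUP_PROJECT_ID_PLACEHOLDER"],
            "policy_type": "whitelist"
        }
    ]
]
```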
@@ -0,0 +1,51 @@
+package terraform.gcp.security.backup_for_gke.backup_channel.labels
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_channel.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "GKE Backup Channel must have a valid environment label.",
+ "remedies": ["Set labels.environment to one of: prod, staging, dev."]
+ },
+ {
+ "condition": "Label environment must be one of: prod, staging, dev",
+ "attribute_path": ["labels", "environment"],
+ "values": ["prod", "staging", "dev"],
+ "policy_type": "whitelist"
+ }
+ ],
+ [
+ {
+ "situation_description": "GKE Backup Channel must have ownership labels.",
+ "remedies": ["Ensure 'owner' and 'cost-center' labels are present."]
+ },
+ {
+ "condition": "Must have owner label",
+ "attribute_path": ["labels", "owner"],
+ "values": ["^.+$"],
+ "policy_type": "pattern_whitelist"
+ },
+ {
+ "condition": "Must have cost-center label",
+ "attribute_path": ["labels", "cost-center"],
+ "values": ["^.+$"],
+ "policy_type": "pattern_whitelist"
+ }
+ ],
+ [
+ {
+ "situation_description": "To prevent network congestion during business hours, backup channels must define a bandwidth limit.",
+ "remedies": ["Add label 'bandwidth-limit' with a value."]
+ },
+ {
+ "condition": "Must have bandwidth-limit label",
+ "attribute_path": ["labels", "bandwidth-limit"],
+ "values": ["^.+$"],
+ "policy_type": "pattern_whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_channel/location/policy.rego b/policies/gcp/backup_for_gke/backup_channel/location/policy.rego
new file mode 100644
index 000000000..de52f1391
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_channel/location/policy.rego
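Review bot: The `^.+$` pattern on `owner`, `cost-center` and `bandwidth-limit` accepts a whitespace-only value, so a label of `" "` satisfies the ownership requirement; GCP label values are limited to 63 characters and, for ASCII, to lowercase letters, digits, `_` and `-`, so `"values": ["^[a-z0-9_-]{1,63}$"]` is tighter and closer to what the API would accept. The third group's situation_description claims the label prevents network congestion, but a label is metadata and throttles nothing; reword it to the control it actually is, e.g. `"situation_description": "Backup channels must carry a bandwidth-limit label so the bandwidth policy can be applied to them."`. The backup_plan labels policy at L168 checks the same three keys with a `[null, ""]` blacklist and no environment whitelist, so the two resources enforce different label standards; pick one form and use it in both.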
@@ -0,0 +1,33 @@
+package terraform.gcp.security.backup_for_gke.backup_channel.location
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_channel.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "GKE Backup Channels must be located in approved regions.",
+ "remedies": ["Set the location to 'australia-southeast1' or 'australia-southeast2'."]
+ },
+ {
+ "condition": "Location must be in australia-southeast",
+ "attribute_path": ["location"],
+ "values": ["australia-southeast1", "australia-southeast2"],
+ "policy_type": "whitelist"
+ }
+ ],
+ [
+ {
+ "situation_description": "Location must follow valid GCP region format.",
+ "remedies": ["Ensure location matches regex '^[a-z]+-[a-z]+\\d$'."]
+ },
+ {
+ "condition": "Location must match valid region format",
+ "attribute_path": ["location"],
+ "values": ["^[a-z]+-[a-z]+\\d$"],
+ "policy_type": "pattern_whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_channel/name/policy.rego b/policies/gcp/backup_for_gke/backup_channel/name/policy.rego
new file mode 100644
index 000000000..38e50869a
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_channel/name/policy.rego
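Review bot: The second condition group can never fail on its own: both whitelisted values in the first group already match `^[a-z]+-[a-z]+\\d$`, so any location that trips the regex has already tripped the whitelist, and the only effect is a second, redundant violation message. Drop the pattern group; if a format check is wanted for its own sake, note that `\\d$` rejects two-digit regions such as `europe-west10`, so it would need to be `\\d+$`. The region list is also inlined here while the backup_plan location policy at L169 keeps it in a commented `approved_locations` value; moving the list into the shared vars.rego at L161 would give both policies one source and keep the remedy text from drifting.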
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_channel.name
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_channel.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "GKE Backup Channel name must follow naming convention.",
+ "remedies": ["Rename to match pattern 'gke-backup-channel-*'."]
+ },
+ {
+ "condition": "Name must match pattern gke-backup-channel-*",
+ "attribute_path": ["name"],
+ "values": ["^gke-backup-channel-.*"],
+ "policy_type": "pattern_whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_channel/vars.rego b/policies/gcp/backup_for_gke/backup_channel/vars.rego
new file mode 100644
index 000000000..a87265875
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_channel/vars.rego
@@ -0,0 +1,8 @@
+package terraform.gcp.security.backup_for_gke.backup_channel.vars
+
+import rego.v1
+variables := {
+ "friendly_resource_name": "GKE Backup Channel",
+ "resource_type": "google_gke_backup_backup_channel",
+ "resource_value_name": "name"
+}
diff --git a/policies/gcp/backup_for_gke/backup_plan/all_namespaces/policy.rego b/policies/gcp/backup_for_gke/backup_plan/all_namespaces/policy.rego
new file mode 100644
index 000000000..28bcddc5e
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/all_namespaces/policy.rego
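Review bot: vars.rego declares `import rego.v1` while none of the policy files in this series do, so one package tree mixes v1 and pre-v1 modules; either add the import to each policy file or drop it here, since this file defines only a plain object and needs nothing from it. The name pattern `^gke-backup-channel-.*` in the first hunk is unanchored at the end whereas the backup_plan name policy at L169 uses `^gke-backup-plan-.*$`; the match is the same, but the parallel form makes the pair easier to audit, e.g. `"values": ["^gke-backup-channel-.*$"]`.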
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.all_namespaces
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan must not backup all namespaces.",
+ "remedies": ["Set backup_config.all_namespaces to false or specify selected_namespaces."]
+ },
+ {
+ "condition": "Backup config must not have all_namespaces set to true",
+ "attribute_path": ["backup_config", 0, "all_namespaces"],
+ "values": [true],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/backup_config/policy.rego b/policies/gcp/backup_for_gke/backup_plan/backup_config/policy.rego
new file mode 100644
index 000000000..4586c351a
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/backup_config/policy.rego
@@ -0,0 +1,33 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.backup_config
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan must have a defined backup_config.",
+ "remedies": ["Define backup_config block."]
+ },
+ {
+ "condition": "Backup config must not be empty or null",
+ "attribute_path": ["backup_config"],
+ "values": [[], null],
+ "policy_type": "blacklist"
+ }
+ ],
+ [
+ {
+ "situation_description": "Backup Plan must explicitly handle volume data.",
+ "remedies": ["Set include_volume_data to true or false (do not leave undefined)."]
+ },
+ {
+ "condition": "include_volume_data must be defined",
+ "attribute_path": ["backup_config", 0, "include_volume_data"],
+ "values": [null],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/policy.rego b/policies/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/policy.rego
new file mode 100644
index 000000000..fc6d7f3b0
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/backup_delete_lock_days/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.backup_delete_lock_days
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan delete lock days must be between 14 and 90.",
+ "remedies": ["Set retention_policy.backup_delete_lock_days to a value between 14 and 90."]
+ },
+ {
+ "condition": "Backup delete lock days must be between 14 and 90",
+ "attribute_path": ["retention_policy", 0, "backup_delete_lock_days"],
+ "values": [14, 90],
+ "policy_type": "range"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/backup_schedule/policy.rego b/policies/gcp/backup_for_gke/backup_plan/backup_schedule/policy.rego
new file mode 100644
index 000000000..8f292a40f
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/backup_schedule/policy.rego
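Review bot: `retention_policy` is an optional block, and when it is omitted the `attribute_path` resolves to nothing; whether a `range` check treats a missing value as a violation depends on `helpers.get_multi_summary`, which is not in this chunk, so a plan with no retention policy at all may pass a rule whose purpose is to guarantee a delete lock. Make the intent explicit with a preceding condition in the same group, as the backup_config policy at L163 does for `include_volume_data`: `"attribute_path": ["retention_policy", 0, "backup_delete_lock_days"], "values": [null], "policy_type": "blacklist"`. The 14–90 range itself looks right provided 90 is still the API ceiling for this field; worth a one-line comment citing where that bound comes from.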
@@ -0,0 +1,33 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.backup_schedule
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan schedule must be one of the approved schedules.",
+ "remedies": ["Set backup_schedule.cron_schedule to '0 2 * * *', '0 3 * * *', or '0 4 * * *'."]
+ },
+ {
+ "condition": "Backup schedule must be one of: 0 2 * * *, 0 3 * * *, 0 4 * * *",
+ "attribute_path": ["backup_schedule", 0, "cron_schedule"],
+ "values": ["0 2 * * *", "0 3 * * *", "0 4 * * *"],
+ "policy_type": "whitelist"
+ }
+ ],
+ [
+ {
+ "situation_description": "Backup Plan schedule must not be paused.",
+ "remedies": ["Set backup_schedule.paused to false."]
+ },
+ {
+ "condition": "Backup schedule must not be paused",
+ "attribute_path": ["backup_schedule", 0, "paused"],
+ "values": [true],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/deactivated/policy.rego b/policies/gcp/backup_for_gke/backup_plan/deactivated/policy.rego
new file mode 100644
index 000000000..af8923278
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/deactivated/policy.rego
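Review bot: The cron whitelist fixes backups at 02:00, 03:00 or 04:00 without stating the time zone, yet `cron_schedule` is evaluated by the service rather than in the deployer's local zone; if the service interprets it in UTC (confirm against the current API documentation), those slots fall inside the working day for australia-southeast1 workloads, the opposite of an off-peak window. Record the intended zone in the description, e.g. `"situation_description": "Backup Plan schedule must be one of the approved off-peak schedules (times are interpreted in UTC)."`, and adjust the values if local night time was the goal. A plan with no `cron_schedule` resolves to `null` on this path, and whether the whitelist flags that depends on `helpers.get_multi_summary` outside this chunk; an explicit `[null]` blacklist, as the backup_config policy at L163 uses, would remove the ambiguity.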
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.deactivated
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan must not be deactivated.",
+ "remedies": ["Set deactivated to false."]
+ },
+ {
+ "condition": "Deactivated must not be true",
+ "attribute_path": ["deactivated"],
+ "values": [true],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/encryption_key/policy.rego b/policies/gcp/backup_for_gke/backup_plan/encryption_key/policy.rego
new file mode 100644
index 000000000..4f5becb33
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/encryption_key/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.encryption_key
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan encryption key must be set.",
+ "remedies": ["Ensure encryption key is configured."]
+ },
+ {
+ "condition": "Encryption key must not be empty",
+ "attribute_path": ["backup_config", 0, "encryption_key", 0, "gcp_kms_encryption_key"],
+ "values": [null, ""],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/include_secrets/policy.rego b/policies/gcp/backup_for_gke/backup_plan/include_secrets/policy.rego
new file mode 100644
index 000000000..1f6c6bd3d
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/include_secrets/policy.rego
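Review bot: The encryption_key hunk only rejects `null` and `""` for `gcp_kms_encryption_key`, so any non-empty string satisfies it; the attribute is a Cloud KMS key resource name, and a format check catches typos and non-key values before apply, e.g. a second condition with `"values": ["^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"], "policy_type": "pattern_whitelist"`. Since the key has to be usable from the plan's region, the `locations/` segment could further be limited to the same approved regions as the location policy; whether that is right depends on whether the team uses regional or multi-regional key rings, so confirm before tightening. The remedy text `Ensure encryption key is configured.` would also be more useful if it named the attribute path it refers to.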
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.include_secrets
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan must not include secrets.",
+ "remedies": ["Set backup_config.include_secrets to false."]
+ },
+ {
+ "condition": "Include secrets must not be true",
+ "attribute_path": ["backup_config", 0, "include_secrets"],
+ "values": [true],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/labels/policy.rego b/policies/gcp/backup_for_gke/backup_plan/labels/policy.rego
new file mode 100644
index 000000000..44a36afee
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/labels/policy.rego
@@ -0,0 +1,46 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.labels
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan must have 'environment' label.",
+ "remedies": ["Ensure labels.environment is set and not empty."]
+ },
+ {
+ "condition": "Label environment must not be empty",
+ "attribute_path": ["labels", "environment"],
+ "values": [null, ""],
+ "policy_type": "blacklist"
+ }
+ ],
+ [
+ {
+ "situation_description": "Backup Plan must have 'cost-center' label.",
+ "remedies": ["Ensure labels.cost-center is set and not empty."]
+ },
+ {
+ "condition": "Label cost-center must not be empty",
+ "attribute_path": ["labels", "cost-center"],
+ "values": [null, ""],
+ "policy_type": "blacklist"
+ }
+ ],
+ [
+ {
+ "situation_description": "Backup Plan must have 'owner' label.",
+ "remedies": ["Ensure labels.owner is set and not empty."]
+ },
+ {
+ "condition": "Label owner must not be empty",
+ "attribute_path": ["labels", "owner"],
+ "values": [null, ""],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
+
diff --git a/policies/gcp/backup_for_gke/backup_plan/location/policy.rego b/policies/gcp/backup_for_gke/backup_plan/location/policy.rego
new file mode 100644
index 000000000..3970c5824
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/location/policy.rego
@@ -0,0 +1,26 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.location
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+approved_locations := [
+ "australia-southeast1", # Sydney
+ "australia-southeast2" # Melbourne (DR)
+]
+
+conditions := [
+ [
+ {
+ "situation_description": "s1: GKE Backup Plan is in a non-approved region",
+ "remedies": ["Ensure the backup plan location is set to an approved Australian region (australia-southeast1 or australia-southeast2)"]
+ },
+ {
+ "condition": "c1: backup plan location is not in approved regions",
+ "attribute_path": ["location"],
+ "values": approved_locations,
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/name/policy.rego b/policies/gcp/backup_for_gke/backup_plan/name/policy.rego
new file mode 100644
index 000000000..5197f789b
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/name/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.name
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan name must follow the naming convention.",
+ "remedies": ["Name must start with 'gke-backup-plan-'."]
+ },
+ {
+ "condition": "Name must start with gke-backup-plan-",
+ "attribute_path": ["name"],
+ "values": ["^gke-backup-plan-.*$"],
+ "policy_type": "pattern_whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/permissive_mode/policy.rego b/policies/gcp/backup_for_gke/backup_plan/permissive_mode/policy.rego
new file mode 100644
index 000000000..3f330a79b
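Review bot: The approved region list is declared here as `approved_locations` with per-entry comments, but restore_channel/location/policy.rego in the same commit repeats the identical two regions as a bare literal, so the data-sovereignty boundary now lives in two places that can drift. Either policy could reference the other package's list (for example `import data.terraform.gcp.security.backup_for_gke.backup_plan.location` and `"values": location.approved_locations`), or the list could move into a shared vars package; which of those fits the repo's conventions is not visible from this chunk. The `s1:`/`c1:` prefixes on the description strings are also unique to this file — every other policy in the change uses plain sentences — and will show up verbatim in the generated message.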
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/permissive_mode/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.permissive_mode
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan must not use permissive mode.",
+ "remedies": ["Set backup_config.permissive_mode to false."]
+ },
+ {
+ "condition": "Permissive mode must not be true",
+ "attribute_path": ["backup_config", 0, "permissive_mode"],
+ "values": [true],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/retention_policy/policy.rego b/policies/gcp/backup_for_gke/backup_plan/retention_policy/policy.rego
new file mode 100644
index 000000000..1c8b9b621
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan/retention_policy/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.retention_policy
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan retention days must be between 7 and 90.",
+ "remedies": ["Set retention_policy.backup_retain_days to a value between 7 and 90."]
+ },
+ {
+ "condition": "Retention days must be between 7 and 90",
+ "attribute_path": ["retention_policy", 0, "backup_retain_days"],
+ "values": [7, 90],
+ "policy_type": "range"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan/vars.rego b/policies/gcp/backup_for_gke/backup_plan/vars.rego
new file mode 100644
index 000000000..9d2a3f20c
--- /dev/null
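Review bot: The `range` condition on `["retention_policy", 0, "backup_retain_days"]` does not say whether 7 and 90 are inclusive, and the remedy text "between 7 and 90" inherits the same ambiguity; a reader of the generated message cannot tell if `backup_retain_days = 90` is compliant. Once the helper's `range` semantics are confirmed, the two strings should spell it out, e.g. `"Set retention_policy.backup_retain_days to a value between 7 and 90 (inclusive)."`. Separately, a plan that omits the `retention_policy` block leaves the path unresolved, and whether that counts as out of range is decided inside `helpers.get_multi_summary`, which is not in this chunk — a fixture without the block would settle it.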
+++ b/policies/gcp/backup_for_gke/backup_plan/vars.rego
@@ -0,0 +1,8 @@
+package terraform.gcp.security.backup_for_gke.backup_plan.vars
+
+import rego.v1
+variables := {
+ "resource_type": "google_gke_backup_backup_plan",
+ "friendly_resource_name": "GKE Backup Plan",
+ "resource_value_name": "name"
+}
diff --git a/policies/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/policy.rego b/policies/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/policy.rego
new file mode 100644
index 000000000..b0f64a40c
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan_iam_binding/custom_roles/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.custom_roles
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Custom roles should not be used in Backup Plan IAM.",
+ "remedies": ["Use predefined roles instead of custom roles."]
+ },
+ {
+ "condition": "Role must not be a custom role",
+ "attribute_path": ["role"],
+ "values": ["roles/gkebackup.backupViewer", "roles/gkebackup.admin", "roles/gkebackup.viewer", "roles/iam.serviceAccountUser"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/policy.rego b/policies/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/policy.rego
new file mode 100644
index 000000000..d6a9fa970
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan_iam_binding/domain_access/policy.rego
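Review bot: The role whitelist here contradicts the two sibling policies in this commit: `roles/gkebackup.admin` is listed as an allowed value, yet backup_plan_iam_binding/project_roles and backup_plan_iam_binding/role both blacklist it, so a binding that passes this check on that role is always rejected elsewhere and the allow-list misstates the effective policy. The inclusion of `roles/iam.serviceAccountUser` is also surprising on a backup-plan binding, since it is a service-account role rather than a Backup for GKE role; if it is intentional a comment explaining why belongs next to it. Dropping `roles/gkebackup.admin` from `values` would make the three files agree, and a comment such as `# predefined Backup for GKE roles only; custom roles (projects/.../roles/...) are rejected by omission` would document how the whitelist achieves the "no custom roles" intent.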
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.domain_access
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan IAM members must not correspond to personal email accounts.",
+ "remedies": ["Remove members with personal email domains (@gmail.com, etc)."]
+ },
+ {
+ "condition": "Members must not be personal emails",
+ "attribute_path": ["members"],
+ "values": ["@gmail.com", "@yahoo.com", "@hotmail.com", "@aol.com", "@outlook.com"],
+ "policy_type": "element_blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan_iam_binding/federated_identities/policy.rego b/policies/gcp/backup_for_gke/backup_plan_iam_binding/federated_identities/policy.rego
new file mode 100644
index 000000000..dd387328b
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan_iam_binding/federated_identities/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.federated_identities
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan IAM members must not be federated identities.",
+ "remedies": ["Remove federated identities."]
+ },
+ {
+ "condition": "Members should not include federated identities",
+ "attribute_path": ["members"],
+ "values": ["principal://iam.googleapis.com/*", "principalSet://iam.googleapis.com/*"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
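Review bot: This personal-domain check on `["members"]` duplicates the first condition of backup_plan_iam_binding/members/policy.rego in the same commit, and the two lists already disagree (`@aol.com` and `@outlook.com` appear here but not there), so the same binding can be reported once or twice depending on which list a domain happens to be in. One list in one file, or a shared `personal_email_domains` value both policies reference, would remove the drift. How `element_blacklist` matches — substring, suffix, or exact — is not visible here; since `deleted:` is used as a prefix in the members policy, a comment like `# element_blacklist matches substrings of each member string` (confirm against the helper) would make the intent clear to the next reader.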
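Review bot: The `policy_type` is inverted relative to the stated intent: a `whitelist` of `principal://iam.googleapis.com/*` and `principalSet://iam.googleapis.com/*` on `["members"]` permits only federated identities (or, if the helper does exact matching and does not expand `*`, permits nothing at all), whereas the situation description and remedy say federated identities must be removed. Every other members policy in this change expresses "must not contain" with `element_blacklist`, which is what this one needs: `"values": ["principal://iam.googleapis.com/", "principalSet://iam.googleapis.com/"]` and `"policy_type": "element_blacklist"`, assuming element_blacklist matches substrings as the `deleted:` entry in members/policy.rego suggests. A fixture with one `user:` member and one `principalSet://` member would catch the inversion.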
diff --git a/policies/gcp/backup_for_gke/backup_plan_iam_binding/members/policy.rego b/policies/gcp/backup_for_gke/backup_plan_iam_binding/members/policy.rego
new file mode 100644
index 000000000..e3dcf3cdc
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan_iam_binding/members/policy.rego
@@ -0,0 +1,33 @@
+package terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.members
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan IAM members must not contain public or personal access.",
+ "remedies": ["Remove allUsers, allAuthenticatedUsers, and personal emails."]
+ },
+ {
+ "condition": "Members must not include public/personal access",
+ "attribute_path": ["members"],
+ "values": ["@gmail.com", "@hotmail.com", "@yahoo.com", "allUsers", "allAuthenticatedUsers"],
+ "policy_type": "element_blacklist"
+ }
+ ],
+ [
+ {
+ "situation_description": "Backup Plan IAM members must not contain deleted accounts.",
+ "remedies": ["Remove members with 'deleted:' prefix."]
+ },
+ {
+ "condition": "Members must not include deleted accounts",
+ "attribute_path": ["members"],
+ "values": ["deleted:"],
+ "policy_type": "element_blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/policy.rego b/policies/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/policy.rego
new file mode 100644
index 000000000..bb6d34360
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan_iam_binding/project_roles/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.project_roles
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Backup Plan IAM role must not be project-wide admin.",
+ "remedies": ["Use more granular roles."]
+ },
+ {
+ "condition": "Role must not be gkebackup.admin or backupAdmin",
+ "attribute_path": ["role"],
+ "values": ["roles/gkebackup.admin", "roles/gkebackup.backupAdmin"],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/backup_plan_iam_binding/role/policy.rego b/policies/gcp/backup_for_gke/backup_plan_iam_binding/role/policy.rego
new file mode 100644
index 000000000..f049e6d09
--- /dev/null
+++ b/policies/gcp/backup_for_gke/backup_plan_iam_binding/role/policy.rego
@@ -0,0 +1,18 @@
+package terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.role
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.vars
+
+conditions := [
+ {
+ "situation_description": "Backup Plan IAM role must not be permissive.",
+ "remedies": ["Do not use owner, editor, or gkebackup.admin roles."],
+ "condition": "Role must not be permissive",
+ "attribute_path": ["role"],
+ "values": ["roles/owner", "roles/editor", "roles/gkebackup.admin", "roles/iam.securityAdmin", "roles/resourcemanager.organizationAdmin"],
+ "policy_type": "blacklist"
+ }
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
+
diff --git a/policies/gcp/backup_for_gke/backup_plan_iam_binding/vars.rego b/policies/gcp/backup_for_gke/backup_plan_iam_binding/vars.rego
new file mode 100644
index 000000000..f1d3f397a
--- /dev/null
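Review bot: `conditions` in the role policy has a different shape from every other policy in this commit: it is a flat list containing one object that merges the situation fields and the condition fields, whereas the rest pass `[[{situation}, {condition}]]` to `helpers.get_multi_summary`. Unless the helper accepts both layouts — not visible from this chunk — this file will either fail to evaluate or silently produce an empty summary, which for a blacklist of `roles/owner` and `roles/editor` is a fail-open. Restructuring it as a nested list with separate `{"situation_description": ..., "remedies": ...}` and `{"condition": ..., "attribute_path": ["role"], "values": [...], "policy_type": "blacklist"}` objects, matching project_roles directly above, removes the dependency on undocumented helper tolerance.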
+++ b/policies/gcp/backup_for_gke/backup_plan_iam_binding/vars.rego
@@ -0,0 +1,8 @@
+package terraform.gcp.security.backup_for_gke.backup_plan_iam_binding.vars
+
+import rego.v1
+variables := {
+ "friendly_resource_name": "GKE Backup Plan IAM",
+ "resource_type": "google_gke_backup_backup_plan_iam_binding",
+ "resource_value_name": "name"
+}
diff --git a/policies/gcp/backup_for_gke/restore_channel/destination_project/policy.rego b/policies/gcp/backup_for_gke/restore_channel/destination_project/policy.rego
new file mode 100644
index 000000000..5ed54946d
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_channel/destination_project/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_channel.destination_project
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_channel.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Channel destination_project must be in australia-southeast1.",
+ "remedies": ["Set destination_project to a location in australia-southeast1."]
+ },
+ {
+ "condition": "Destination project must be 'projects/PDE'",
+ "attribute_path": ["destination_project"],
+ "values": ["projects/PDE"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_channel/labels/policy.rego b/policies/gcp/backup_for_gke/restore_channel/labels/policy.rego
new file mode 100644
index 000000000..0c9e1d280
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_channel/labels/policy.rego
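Review bot: The situation description and remedy talk about a region ("must be in australia-southeast1") while the condition actually enforces a single project identifier, `projects/PDE`, so the message a user receives tells them to fix something the policy does not check. `destination_project` is a project reference, not a location; the text should say so, e.g. `"situation_description": "Restore Channel destination_project must be the approved restore project."` and `"remedies": ["Set destination_project to 'projects/PDE'."]`. `PDE` also looks like a placeholder rather than a real project id (the registry docs in this commit use `projects/backup-prod` as the compliant example); if it is environment-specific it should come from a vars value rather than a literal in the policy, and the whitelist should probably accept the project-number form the provider documents as valid.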
@@ -0,0 +1,39 @@
+package terraform.gcp.security.backup_for_gke.restore_channel.labels
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_channel.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "GKE Restore Channel must have a valid environment label.",
+ "remedies": ["Set labels.environment to one of: prod, staging, dev."]
+ },
+ {
+ "condition": "Label environment must be one of: prod, staging, dev",
+ "attribute_path": ["labels", "environment"],
+ "values": ["prod", "staging", "dev"],
+ "policy_type": "whitelist"
+ }
+ ],
+ [
+ {
+ "situation_description": "GKE Restore Channel must have ownership labels.",
+ "remedies": ["Ensure 'owner' and 'cost-center' labels are present."]
+ },
+ {
+ "condition": "Must have owner label",
+ "attribute_path": ["labels", "owner"],
+ "values": ["^.+$"],
+ "policy_type": "pattern_whitelist"
+ },
+ {
+ "condition": "Must have cost-center label",
+ "attribute_path": ["labels", "cost-center"],
+ "values": ["^.+$"],
+ "policy_type": "pattern_whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_channel/location/policy.rego b/policies/gcp/backup_for_gke/restore_channel/location/policy.rego
new file mode 100644
index 000000000..b3aa857f3
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_channel/location/policy.rego
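Review bot: The `owner` and `cost-center` checks use `pattern_whitelist` with `^.+$`, which accepts a label consisting only of whitespace, while backup_plan/labels/policy.rego in the same commit enforces the same three labels with a `blacklist` of `[null, ""]`; the two resources therefore have different notions of "present", and `environment` is a free-form non-empty string on one resource but restricted to `prod`/`staging`/`dev` on the other. Picking one mechanism for both files would keep the label policy uniform, and if the pattern form is kept, `"^\\S+$"` (or a stricter allowed-character class) would reject blank values. Whether `pattern_whitelist` treats a missing label as a mismatch is decided in the helper, which is not in this chunk; the second situation groups two conditions under one description, which is also the only place in the change that does so, so it is worth confirming the helper reports them individually.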
@@ -0,0 +1,33 @@
+package terraform.gcp.security.backup_for_gke.restore_channel.location
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_channel.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "GKE Restore Channels must be located in approved regions.",
+ "remedies": ["Set the location to 'australia-southeast1' or 'australia-southeast2'."]
+ },
+ {
+ "condition": "Location must be in australia-southeast",
+ "attribute_path": ["location"],
+ "values": ["australia-southeast1", "australia-southeast2"],
+ "policy_type": "whitelist"
+ }
+ ],
+ [
+ {
+ "situation_description": "Location must follow valid GCP region format.",
+ "remedies": ["Ensure location matches regex '^[a-z]+-[a-z]+\\d$'."]
+ },
+ {
+ "condition": "Location must match valid region format",
+ "attribute_path": ["location"],
+ "values": ["^[a-z]+-[a-z]+\\d$"],
+ "policy_type": "pattern_whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_channel/name/policy.rego b/policies/gcp/backup_for_gke/restore_channel/name/policy.rego
new file mode 100644
index 000000000..fa6cfd9f2
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_channel/name/policy.rego
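Review bot: The second condition is unreachable in effect: any `location` that satisfies the first whitelist (`australia-southeast1` or `australia-southeast2`) already matches `^[a-z]+-[a-z]+\d$`, and any value that fails the regex has already failed the whitelist, so the format check can only add a second finding for the same violation. Either drop it or, if it is meant as a cheap syntactic pre-check, say so in a comment such as `# redundant with the whitelist above; kept only to give a clearer message for malformed values`. The `\\d` is a Rego string escape yielding `\d`, which is correct, but the remedy string will render the same way, so the user-visible text shows the regex rather than the intended fix — the remedy from the first condition is the useful one.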
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_channel.name
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_channel.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Channel name must follow the naming convention.",
+ "remedies": ["Name must start with 'gke-restore-channel-'."]
+ },
+ {
+ "condition": "Name must start with gke-restore-channel-",
+ "attribute_path": ["name"],
+ "values": ["^gke-restore-channel-.*$"],
+ "policy_type": "pattern_whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_channel/vars.rego b/policies/gcp/backup_for_gke/restore_channel/vars.rego
new file mode 100644
index 000000000..8082fbb03
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_channel/vars.rego
@@ -0,0 +1,8 @@
+package terraform.gcp.security.backup_for_gke.restore_channel.vars
+
+import rego.v1
+variables := {
+ "friendly_resource_name": "GKE Restore Channel",
+ "resource_type": "google_gke_backup_restore_channel",
+ "resource_value_name": "name"
+}
diff --git a/policies/gcp/backup_for_gke/restore_plan/all_namespaces/policy.rego b/policies/gcp/backup_for_gke/restore_plan/all_namespaces/policy.rego
new file mode 100644
index 000000000..88099660d
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/all_namespaces/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.all_namespaces
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan must not restore all namespaces.",
+ "remedies": ["Set restore_config.all_namespaces to false or specify selected_namespaces."]
+ },
+ {
+ "condition": "Restore config must not have all_namespaces set to true",
+ "attribute_path": ["restore_config", 0, "all_namespaces"],
+ "values": [true],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan/cluster/policy.rego b/policies/gcp/backup_for_gke/restore_plan/cluster/policy.rego
new file mode 100644
index 000000000..665984b16
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/cluster/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.cluster
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan cluster must be set.",
+ "remedies": ["Ensure cluster is configured."]
+ },
+ {
+ "condition": "Cluster must not be empty",
+ "attribute_path": ["cluster"],
+ "values": [null, ""],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan/cluster_resource_scope/policy.rego b/policies/gcp/backup_for_gke/restore_plan/cluster_resource_scope/policy.rego
new file mode 100644
index 000000000..460086cd3
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/cluster_resource_scope/policy.rego
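Review bot: The cluster policy only rejects `cluster` when it is `null` or `""`; if `cluster` is a required argument of `google_gke_backup_restore_plan` in the provider schema, as the registry documentation indicates, Terraform refuses such a configuration before any policy runs, leaving this check with no observable effect. The security-relevant property for a restore target is which cluster it points at — for instance that it is in an approved project or region — and that is what a `pattern_whitelist` on the `projects/.../locations/.../clusters/...` form could express. If the emptiness check is kept as defence in depth, a comment like `# provider already requires cluster; this guards against computed/unknown values in plan output` (confirm that unknown values reach the policy as null) would explain why it exists.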
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.cluster_resource_scope
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan must not restore all cluster resources.",
+ "remedies": ["Set all_group_kinds to false and specify selected_group_kinds."]
+ },
+ {
+ "condition": "Cluster resource restore scope must not have all_group_kinds true",
+ "attribute_path": ["restore_config", 0, "cluster_resource_restore_scope", 0, "all_group_kinds"],
+ "values": [true],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan/conflict_policy/policy.rego b/policies/gcp/backup_for_gke/restore_plan/conflict_policy/policy.rego
new file mode 100644
index 000000000..7c0d4a5f7
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/conflict_policy/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.conflict_policy
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan conflict policy must be USE_EXISTING_VERSION.",
+ "remedies": ["Set cluster_resource_conflict_policy to USE_EXISTING_VERSION."]
+ },
+ {
+ "condition": "Conflict policy must be USE_EXISTING_VERSION",
+ "attribute_path": ["restore_config", 0, "cluster_resource_conflict_policy"],
+ "values": ["USE_EXISTING_VERSION"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
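Review bot: The conflict-policy whitelist gives no reason for preferring `USE_EXISTING_VERSION`, and the reason is the security content of the rule: it prevents a restore from overwriting live cluster-scoped resources (CRDs, cluster roles) with the versions captured in a backup. A one-line comment above the condition, e.g. `# USE_EXISTING_VERSION keeps live cluster-scoped resources; the alternative overwrites them from the backup`, would let a reviewer of a future exception understand what is being relaxed. `cluster_resource_conflict_policy` is optional in the resource schema, so whether an omitted value is reported as a violation depends on how `helpers.get_multi_summary` handles an unresolved path — that helper is not in this chunk and a fixture without the attribute would settle it.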
diff --git a/policies/gcp/backup_for_gke/restore_plan/excluded_namespaces/policy.rego b/policies/gcp/backup_for_gke/restore_plan/excluded_namespaces/policy.rego
new file mode 100644
index 000000000..11955ee3f
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/excluded_namespaces/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.excluded_namespaces
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Critical system namespaces must not be excluded from restoration.",
+ "remedies": ["Remove 'kube-system' and 'gatekeeper-system' from excluded_namespaces."]
+ },
+ {
+ "condition": "Excluded namespaces must not contain system critical namespaces",
+ "attribute_path": ["restore_config", 0, "excluded_namespaces", 0, "namespaces"],
+ "values": ["kube-system", "gatekeeper-system"],
+ "policy_type": "element_blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan/field_actions/policy.rego b/policies/gcp/backup_for_gke/restore_plan/field_actions/policy.rego
new file mode 100644
index 000000000..d38635cd7
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/field_actions/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.field_actions
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan transformation rule field action op must be valid.",
+ "remedies": ["Set op to REMOVE, REPLACE, or ADD."]
+ },
+ {
+ "condition": "Field action op must be REMOVE, REPLACE, or ADD",
+ "attribute_path": ["restore_config", 0, "transformation_rules", 0, "field_actions", 0, "op"],
+ "values": ["REMOVE", "REPLACE", "ADD"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/policy.rego b/policies/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/policy.rego
new file mode 100644
index 000000000..249d50c31
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/namespaced_resource_restore_mode/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.namespaced_resource_restore_mode
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan namespaced resource restore mode must be valid.",
+ "remedies": ["Set namespaced_resource_restore_mode to DELETE_AND_RESTORE or FAIL_ON_CONFLICT."]
+ },
+ {
+ "condition": "Namespaced resource restore mode must be valid",
+ "attribute_path": ["restore_config", 0, "namespaced_resource_restore_mode"],
+ "values": ["DELETE_AND_RESTORE", "FAIL_ON_CONFLICT"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
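Review bot: The field_actions policy is an exact duplicate of the first condition in restore_plan/transformation_rules/policy.rego in this commit — same `attribute_path` (`["restore_config", 0, "transformation_rules", 0, "field_actions", 0, "op"]`), same `values`, same `policy_type` — so one misconfigured `op` is reported twice under two policy names. One of the two should go. The check also only inspects index `0` of `transformation_rules` and index `0` of `field_actions`; if the helper does not expand numeric indices, a second rule or action is never evaluated, and a comment (or a fixture with two rules) should make the intended coverage explicit. Since `op` is an enum the provider validates, the policy is mostly redundant with plan-time validation unless the intent is to restrict to a subset.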
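Review bot: The description says the restore mode "must be valid", but the whitelist on `["restore_config", 0, "namespaced_resource_restore_mode"]` admits only `DELETE_AND_RESTORE` and `FAIL_ON_CONFLICT`; the API also defines the `MERGE_*` modes, so as written this is a restriction rather than a validity check, and `DELETE_AND_RESTORE` — the one mode that deletes live namespaced resources before restoring — is allowed while the non-destructive merge modes are not. If the intent is to forbid destructive restores, the list is backwards; if the intent is to pin the two modes the team has tested, the description should say so. A comment such as `# restricted to the modes approved for this environment; note DELETE_AND_RESTORE removes existing resources first` and a matching `situation_description` would resolve the ambiguity.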
diff --git a/policies/gcp/backup_for_gke/restore_plan/transformation_rules/policy.rego b/policies/gcp/backup_for_gke/restore_plan/transformation_rules/policy.rego
new file mode 100644
index 000000000..b3bdbe47a
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/transformation_rules/policy.rego
@@ -0,0 +1,33 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.transformation_rules
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan transformation rules must be defined correctly.",
+ "remedies": ["Ensure transformation rules field actions are valid."]
+ },
+ {
+ "condition": "Transformation rules field actions must be valid",
+ "attribute_path": ["restore_config", 0, "transformation_rules", 0, "field_actions", 0, "op"],
+ "values": ["REMOVE", "REPLACE", "ADD"],
+ "policy_type": "whitelist"
+ }
+ ],
+ [
+ {
+ "situation_description": "Restore Plan transformation rules should have a description.",
+ "remedies": ["Add a description to transformation rules explanation."]
+ },
+ {
+ "condition": "Transformation rule description must not be empty",
+ "attribute_path": ["restore_config", 0, "transformation_rules", 0, "description"],
+ "values": ["", null],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan/vars.rego b/policies/gcp/backup_for_gke/restore_plan/vars.rego
new file mode 100644
index 000000000..e09220585
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/vars.rego
@@ -0,0 +1,8 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+import rego.v1
+variables := {
+ "friendly_resource_name": "GKE Restore Plan",
+ "resource_type": "google_gke_backup_restore_plan",
+ "resource_value_name": "name"
+}
diff --git a/policies/gcp/backup_for_gke/restore_plan/volume_bindings/policy.rego b/policies/gcp/backup_for_gke/restore_plan/volume_bindings/policy.rego
new file mode 100644
index 000000000..b15a92b40
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/volume_bindings/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.volume_bindings
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plans must ensure volume data is restored from backup.",
+ "remedies": ["Set volume_data_restore_policy to 'RESTORE_VOLUME_DATA_FROM_BACKUP'."]
+ },
+ {
+ "condition": "volume_data_restore_policy must be RESTORE_VOLUME_DATA_FROM_BACKUP",
+ "attribute_path": ["restore_config", 0, "volume_data_restore_policy"],
+ "values": ["RESTORE_VOLUME_DATA_FROM_BACKUP"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan/volume_data_restore/policy.rego b/policies/gcp/backup_for_gke/restore_plan/volume_data_restore/policy.rego
new file mode 100644
index 000000000..379757e71
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan/volume_data_restore/policy.rego
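Review bot: Two policies in this commit whitelist the same attribute, `["restore_config", 0, "volume_data_restore_policy"]`, with different allowed sets: this file accepts only `RESTORE_VOLUME_DATA_FROM_BACKUP`, while restore_plan/volume_data_restore/policy.rego also accepts `NO_VOLUME_DATA_RESTORATION`. Because both apply, the stricter list is the effective rule and the second policy's extra value can never be used, which will confuse anyone reading the more permissive file as the policy. Decide which behaviour is intended, keep a single policy for the attribute, and rename it to match — `volume_bindings` does not describe a check on `volume_data_restore_policy`, and the restore-policy name should not be split across two directories.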
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan.volume_data_restore
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan volume data restore policy must be safe.",
+ "remedies": ["Set volume_data_restore_policy to RESTORE_VOLUME_DATA_FROM_BACKUP or NO_VOLUME_DATA_RESTORATION."]
+ },
+ {
+ "condition": "Volume data restore policy must be safe",
+ "attribute_path": ["restore_config", 0, "volume_data_restore_policy"],
+ "values": ["RESTORE_VOLUME_DATA_FROM_BACKUP", "NO_VOLUME_DATA_RESTORATION"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/policy.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/policy.rego
new file mode 100644
index 000000000..fd2e2c46f
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/cross_project_groups/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.cross_project_groups
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan IAM members must not contain cross-project groups.",
+ "remedies": ["Remove cross-project groups (ext-, external-, partner-)."]
+ },
+ {
+ "condition": "Members must not be cross-project groups",
+ "attribute_path": ["members"],
+ "values": ["@ext-", "@external-", "@partner-"],
+ "policy_type": "element_blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
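Review bot: The values `@ext-`, `@external-` and `@partner-` in the cross_project_groups blacklist match the start of a *domain*, since `@` separates the local part from the domain in an IAM member such as `group:name@example.com`; a group named `ext-vendors@example.com` would not match because the prefix follows `group:`, not `@`. If the naming convention being enforced is on the group name, the entries should be `group:ext-`, `group:external-` and `group:partner-` (assuming `element_blacklist` does substring matching, as the `deleted:` entry in the backup_plan members policy implies). The remedy string shows the prefixes without the `@`, which suggests that was the intent; a comment giving one example of a member this is meant to catch would remove the doubt.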
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/policy.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/policy.rego
new file mode 100644
index 000000000..07e3b6a79
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/domain_access/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.domain_access
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore operations must be restricted to corporate accounts.",
+ "remedies": ["Remove members with @gmail.com, @hotmail.com, etc."]
+ },
+ {
+ "condition": "Members must not be personal emails",
+ "attribute_path": ["members"],
+ "values": ["@gmail.com", "@yahoo.com", "@hotmail.com", "@outlook.com", "@live.com"],
+ "policy_type": "element_blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/member_count/policy.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/member_count/policy.rego
new file mode 100644
index 000000000..1a11943f8
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/member_count/policy.rego
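Review bot: This file and restore_plan_iam_binding/personal_emails/policy.rego in the same commit enforce the same rule on `["members"]` with nearly the same domain list, the only difference being `@live.com` here, so a personal address is flagged twice and the effective set of blocked domains is whichever file happens to be more complete. A single policy with one list — ideally shared with the backup_plan_iam_binding members/domain_access policies, which have their own divergent copies — would keep the four resources consistent. The description "must be restricted to corporate accounts" also overstates what a denylist of consumer domains achieves; a `pattern_whitelist` on the corporate domain would implement that statement, whereas the current check only excludes a handful of known providers.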
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.member_count
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Member count check requires valid accounts.",
+ "remedies": ["Remove members with 'deleted:' prefix."]
+ },
+ {
+ "condition": "Members must not include deleted accounts",
+ "attribute_path": ["members"],
+ "values": ["deleted:"],
+ "policy_type": "element_blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/policy.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/policy.rego
new file mode 100644
index 000000000..446822372
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/personal_emails/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.personal_emails
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan IAM members must not correspond to personal email accounts.",
+ "remedies": ["Remove members with personal email domains (@gmail.com, etc)."]
+ },
+ {
+ "condition": "Members must not be personal emails",
+ "attribute_path": ["members"],
+ "values": ["@gmail.com", "@yahoo.com", "@hotmail.com", "@outlook.com"],
+ "policy_type": "element_blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
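Review bot: The policy named `member_count` does not count members; its single condition blacklists the `deleted:` prefix on `members`, which is exactly what `service_accounts/policy.rego` later in this diff does as well, so a binding that references a deleted principal raises two identical findings. If a bound on the number of members is intended, the condition should express that (assuming the helper offers such a policy type, which this diff does not show); otherwise one of the two files should be dropped. The situation text `Member count check requires valid accounts.` should then describe whichever check survives, e.g. `"Restore Plan IAM members must not reference deleted principals."`.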
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/policy.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/policy.rego
new file mode 100644
index 000000000..6db2eec38
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/project_roles/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.project_roles
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan IAM role must not be project-wide admin.",
+ "remedies": ["Use more granular roles."]
+ },
+ {
+ "condition": "Role must not be gkebackup.admin or restoreAdmin",
+ "attribute_path": ["role"],
+ "values": ["roles/gkebackup.admin", "roles/gkebackup.restoreAdmin"],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/public_access/policy.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/public_access/policy.rego
new file mode 100644
index 000000000..b22cf0a2c
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/public_access/policy.rego
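Review bot: `roles/gkebackup.restoreAdmin` is blacklisted here, blacklisted again in `role/policy.rego`, and implicitly rejected by the whitelist in `restore_permissions/policy.rego`, so a single binding with that role raises three findings carrying three different remedies. The whitelist subsumes both blacklists: any role outside `["roles/gkebackup.viewer", "roles/gkebackup.restoreAgent"]` already fails it, which also makes the remedy `Use more granular roles.` misleading since only those two roles can pass. Either keep the whitelist alone, or keep the blacklists and drop the whitelist if roles outside that pair are meant to be acceptable.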
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.public_access
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan IAM must strictly prohibit public access to prevent unauthorized data restoration.",
+ "remedies": ["Remove 'allUsers' and 'allAuthenticatedUsers' from IAM bindings."]
+ },
+ {
+ "condition": "Public access forbidden",
+ "attribute_path": ["members"],
+ "values": ["allUsers", "allAuthenticatedUsers"],
+ "policy_type": "element_blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/policy.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/policy.rego
new file mode 100644
index 000000000..e48e82aa6
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/restore_permissions/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.restore_permissions
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Restore Plan IAM role must be allowed.",
+ "remedies": ["Use roles/gkebackup.viewer or roles/gkebackup.restoreAgent."]
+ },
+ {
+ "condition": "Role must be allowed",
+ "attribute_path": ["role"],
+ "values": ["roles/gkebackup.viewer", "roles/gkebackup.restoreAgent"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
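Review bot: The whitelist at `values` admits only `roles/gkebackup.viewer` and `roles/gkebackup.restoreAgent`; the second should be confirmed against the predefined roles of Backup for GKE, because a whitelist entry that does not exist can never be satisfied and silently narrows the allowed set to `roles/gkebackup.viewer`, which cannot execute a restore at all. If the goal is least privilege for restore operators, the remedy needs to name a role that actually grants restore execution. The situation text `Restore Plan IAM role must be allowed.` is circular; `"Restore Plan IAM bindings must use one of the approved least-privilege roles."` states the rule being enforced.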
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/role/policy.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/role/policy.rego
new file mode 100644
index 000000000..8377b8622
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/role/policy.rego
@@ -0,0 +1,17 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.role
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+conditions := [
+ {
+ "situation_description": "Restore Plan IAM role must not be permissive.",
+ "remedies": ["Do not use owner, editor, or gkebackup.restoreAdmin roles."],
+ "condition": "Role must not be permissive",
+ "attribute_path": ["role"],
+ "values": ["roles/owner", "roles/editor", "roles/gkebackup.restoreAdmin", "roles/iam.securityAdmin", "roles/resourcemanager.organizationAdmin"],
+ "policy_type": "blacklist"
+ }
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/policy.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/policy.rego
new file mode 100644
index 000000000..00be8e18b
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/service_accounts/policy.rego
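Review bot: `conditions` here is a flat list holding one object that merges the description fields with the condition fields, whereas every other policy in this diff passes a list of groups, `[[{description}, {condition}]]`. If `helpers.get_multi_summary` iterates groups and then their elements, this shape will not be read the same way and the policy may evaluate without ever producing a finding; the helper is outside this diff, so add a test with `role = "roles/owner"` and assert that a finding is reported. Converting to the shared two-object form removes the doubt and keeps the files uniform.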
@@ -0,0 +1,21 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.service_accounts
+import data.terraform.helpers
+import data.terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Service accounts must not include deleted accounts.",
+ "remedies": ["Remove members with 'deleted:' prefix."]
+ },
+ {
+ "condition": "Service accounts must not include deleted accounts",
+ "attribute_path": ["members"],
+ "values": ["deleted:"],
+ "policy_type": "element_blacklist"
+ }
+ ]
+]
+
+message := helpers.get_multi_summary(conditions, vars.variables).message
+details := helpers.get_multi_summary(conditions, vars.variables).details
diff --git a/policies/gcp/backup_for_gke/restore_plan_iam_binding/vars.rego b/policies/gcp/backup_for_gke/restore_plan_iam_binding/vars.rego
new file mode 100644
index 000000000..b9a3e5689
--- /dev/null
+++ b/policies/gcp/backup_for_gke/restore_plan_iam_binding/vars.rego
@@ -0,0 +1,8 @@
+package terraform.gcp.security.backup_for_gke.restore_plan_iam_binding.vars
+
+import rego.v1
+variables := {
+ "friendly_resource_name": "GKE Restore Plan IAM",
+ "resource_type": "google_gke_backup_restore_plan_iam_binding",
+ "resource_value_name": "name"
+}
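Review bot: `resource_type` targets only `google_gke_backup_restore_plan_iam_binding`, yet the provider also exposes `google_gke_backup_restore_plan_iam_member` and `google_gke_backup_restore_plan_iam_policy`, which grant the same access on the same resource and are examined by none of the policies in this diff; a module that uses `_iam_member` can bind `allUsers` or a personal address without tripping `public_access` or `personal_emails`. If the helper accepts one `resource_type` per vars file, sibling vars/policy sets for the other two resources are needed (noting that `_iam_member` carries a single `member` attribute rather than `members`). `import rego.v1` is present here but absent from every policy file in this change; pick one convention for the package.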