Conversation
…253) Refactors how the auto-test script locates and loads shared policy helpers, ensuring robust and flexible handling of policy directory structures. The goal is to make it easier for users to run policy tests from service-specific directories while guaranteeing that the shared `_helpers` module is always available for OPA evaluation. Additionally, it removes a deprecated GCP helper shim, as all policies now use the unified helpers location.

Key changes include:

* Added a `normalize_policies_root` function in `auto_test.py` to traverse up from the user-provided policies directory to find the root containing the `_helpers` module.
* Removed the obsolete `policies/gcp/_helpers/helpers.rego` shim, as GCP policies now directly use the unified `terraform.helpers` module.
* Changed the `terraform show` command in `run_terraform_commands` to use a pipe (`| cat > plan.json`) for improved cross-platform compatibility.
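The upward search the commit message describes, written out as an added example (this is not the project's own `auto_test.py`; the names `normalize_policies_root`, `HELPERS_DIR`, `build_sample_tree` and `run_demo`, the depth bound, and the sample directory layout are assumptions made for this illustration). The point a practitioner cares about is the failure mode: if the directory handed to OPA does not contain `_helpers`, every `data.terraform.helpers.*` reference in a policy is undefined, the rule bodies that use it never evaluate, and a `deny` rule silently produces nothing, so the test run fails open. The function therefore raises instead of returning the starting directory when no ancestor carries the marker.

```python
"""Locate the policies root that carries the shared `_helpers` module.

Added example illustrating the commit message above; not the project's
own code. `normalize_policies_root`, `HELPERS_DIR`, `build_sample_tree`
and `run_demo` are names assumed for this example.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

HELPERS_DIR = "_helpers"  # assumed name of the marker directory


def normalize_policies_root(policies_dir: str | Path, max_depth: int = 16) -> Path:
    """Walk upward from `policies_dir` and return the first ancestor
    (or `policies_dir` itself) that contains a `_helpers` directory.

    Raises FileNotFoundError if no ancestor within `max_depth` levels
    (stopping at the filesystem root) carries the marker, so the caller
    fails loudly rather than running OPA without the shared helpers.
    """
    start = Path(policies_dir).resolve()
    if not start.is_dir():
        raise NotADirectoryError(f"policies dir does not exist: {start}")

    current = start
    for _ in range(max_depth + 1):
        if (current / HELPERS_DIR).is_dir():
            return current
        if current.parent == current:  # reached the filesystem root
            break
        current = current.parent
    raise FileNotFoundError(
        f"no '{HELPERS_DIR}' directory found in {start} or its ancestors"
    )


def build_sample_tree(with_helpers: bool = True) -> tuple[Path, Path]:
    """Create a constructed policy layout in a fresh temp dir.

    Returns (expected_root, service_dir). The layout mirrors a
    policies/<provider>/<service>/<resource> tree; it is sample data
    for this example only.
    """
    root = Path(tempfile.mkdtemp()) / "policies"
    service_dir = root / "gcp" / "biglake" / "google_biglake_table"
    service_dir.mkdir(parents=True)
    if with_helpers:
        (root / HELPERS_DIR).mkdir()
        (root / HELPERS_DIR / "helpers.rego").write_text(
            "package terraform.helpers\n"
        )
    return root, service_dir


def run_demo() -> dict:
    """Exercise the three cases: start at a service dir, start at the
    root itself, and a tree with no `_helpers` anywhere above it."""
    root, service_dir = build_sample_tree()
    found_from_service = normalize_policies_root(service_dir)
    found_from_root = normalize_policies_root(root)

    _, bare_dir = build_sample_tree(with_helpers=False)
    try:
        normalize_policies_root(bare_dir)
        missing_detected = False
    except FileNotFoundError:
        missing_detected = True

    return {
        "service_resolves_to_root": found_from_service == root.resolve(),
        "root_resolves_to_itself": found_from_root == root.resolve(),
        "missing_helpers_detected": missing_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The depth bound and the `current.parent == current` check together guarantee termination even on unusual mounts, and resolving the start path first means symlinked checkouts compare correctly against the root that is eventually found.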
Output of local run of auto-test - see my comment below for GitHub auto-test results explanation.
Summary of policy checks:
Service: access_context_manager_vpc_service_controls
Resource: google_access_context_manager_access_level
Policy: require_admin_approval - ✅
Policy: os_type - ✅
Policy: region - ✅
Policy: combining_function - ✅
Policy: require_corp_owned - ✅
Policy: allowed_encryption_statuses - ✅
Policy: require_screen_lock - ✅
Policy: allowed_device_management_levels - ✅
Resource: google_access_context_manager_access_level_condition
Policy: require_admin_approval - ✅
Policy: os_type - ✅
Policy: region - ✅
Policy: require_corp_owned - ✅
Policy: require_screen_lock - ✅
Resource: google_access_context_manager_access_levels
Policy: os_type - ✅
Policy: region - ✅
Policy: require_screen_lock - ✅
Resource: google_access_context_manager_service_perimeter
Policy: status - ✅
This reverts commit fbf85fc.
Shani1116 (Contributor) requested changes, Jan 31, 2026, and left a comment:
- Policies for google_biglake_iceberg_catalog / google_biglake_iceberg_catalog_iam are missing. Were you not able to find any security relevant attributes in these two resources?
- More policies can be written for google_biglake_table - such as TABLE_TYPE and sql version, etc.
inputs/gcp/biglake/google_biglake_table/storage_location_allowlist/nc.tf (outdated; resolved)
…efix for google_biglake_table
Shani1116 requested changes, Feb 2, 2026:
inputs/gcp/biglake/google_biglake_database/location_uri_allowlist/nc.tf (outdated; resolved)
Shani1116 (Contributor) approved these changes, Feb 3, 2026, and left a comment:
Resolved all PR comments. Approved!
Finalizing policies and inputs for the Apikeys and Biglake service