Hardhat-Enterprises · trongnhanphan223878459 · Feb 3, 2026 · Dec 7, 2025 · Dec 7, 2025 · Dec 7, 2025
diff --git a/...PC_Service_Controls)/resource_json/access_context_manager_service_perimeter.template.json b/...PC_Service_Controls)/resource_json/access_context_manager_service_perimeter.template.json
diff --git a/docs/gcp/Apikeys/apikeys_key.md b/docs/gcp/Apikeys/apikeys_key.md
@@ -0,0 +1,70 @@
+## 🛡️ Policy Deployment Engine: `apikeys_key`
+
+This section provides a concise policy evaluation for the `apikeys_key` resource in GCP.
+
+Reference: [Terraform Registry – apikeys_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/apikeys_key)
+
+---
+
+## Argument Reference  
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `name` | The resource name of the key. The name must be unique within the project, must conform with RFC-1034, is restricted to lower-cased letters, and has a maximum length of 63 characters. In another word, the name must match the regular expression: `[a-z]([a-z0-9-]{0,61}[a-z0-9])?`. - - - | true | false | None | None | None |
+| `display_name` | Human-readable display name of this API key. Modifiable by user. | false | false | None | None | None |
+| `project` | The project for the resource | false | false | None | None | None |
+| `restrictions` | Key restrictions. | false | false | None | None | None |
+| `android_key_restrictions` |  | false | false | None | None | None |
+| `allowed_applications` |  | false | false | None | None | None |
+| `api_targets` |  | false | false | None | None | None |
+| `browser_key_restrictions` |  | false | false | None | None | None |
+| `ios_key_restrictions` |  | false | false | None | None | None |
+| `server_key_restrictions` |  | false | false | None | None | None |
+
+### restrictions Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `android_key_restrictions` | The Android apps that are allowed to use the key. | false | true | API key restrictions limit how and where the key can be used. API keys without restrictions may be abused or used outside their intended context. | At least one restriction block is defined | No restrictions are configured |
+| `api_targets` | A restriction for a specific service and optionally one or more specific methods. Requests are allowed if they match any of these restrictions. If no restrictions are specified, all targets are allowed. | false | false | None | None | None |
+| `browser_key_restrictions` | The HTTP referrers (websites) that are allowed to use the key. | false | false | None | None | None |
+| `ios_key_restrictions` | The iOS apps that are allowed to use the key. | false | false | None | None | None |
+| `server_key_restrictions` | The IP addresses of callers that are allowed to use the key. | false | false | None | None | None |
+
+### android_key_restrictions Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `allowed_applications` | A list of Android applications that are allowed to make API calls with this key. | true | false | Restricting Android applications ensures that only trusted mobile apps can use the API key. | None | None |
+
+### allowed_applications Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `package_name` | The package name of the application. | true | false | None | None | None |
+| `sha1_fingerprint` | The SHA1 fingerprint of the application. For example, both sha1 formats are acceptable : DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 or DA39A3EE5E6B4B0D3255BFEF95601890AFD80709. Output format is the latter. | true | false | None | None | None |
+
+### api_targets Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `methods` | Optional. List of one or more methods that can be called. If empty, all methods for the service are allowed. A wildcard (*) can be used as the last symbol. Valid examples: `google.cloud.translate.v2.TranslateService.GetSupportedLanguage` `TranslateText` `Get*` `translate.googleapis.com.Get*` | false | true | Allowing wildcard methods significantly increases the attack surface of the API key. | ['TranslateText', 'DetectLanguage'] | ['*'] |
+| `service` | The service for this restriction. It should be the canonical service name, for example: `translate.googleapis.com`. You can use `gcloud services list` to get a list of services that are enabled in the project. | true | true | Restricting API targets ensures that the API key can only be used with explicitly approved Google Cloud services. | translate.googleapis.com | * |
+
+### browser_key_restrictions Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `allowed_referrers` | A list of regular expressions for the referrer URLs that are allowed to make API calls with this key. | true | true | Restricting browser referrers prevents unauthorized websites from using the API key. | ['https://example.com'] | ['*'] |
+
+### ios_key_restrictions Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `allowed_bundle_ids` | A list of bundle IDs that are allowed when making API calls with this key. | true | true | Restricting iOS bundle IDs ensures that only trusted iOS applications can use the API key. | None | None |
+
+### server_key_restrictions Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `allowed_ips` | A list of the caller IP addresses that are allowed to make API calls with this key. | true | true | Restricting server IP addresses ensures that only trusted network locations can use the API key. | ['203.0.113.0/24'] | ['0.0.0.0/0'] |
diff --git a/docs/gcp/Apikeys/resource_json/apikeys_key.json b/docs/gcp/Apikeys/resource_json/apikeys_key.json
@@ -5,7 +5,7 @@
     "name": {
       "description": "The resource name of the key. The name must be unique within the project, must conform with RFC-1034, is restricted to lower-cased letters, and has a maximum length of 63 characters. In another word, the name must match the regular expression: `[a-z]([a-z0-9-]{0,61}[a-z0-9])?`. - - -",
       "required": true,
-      "security_impact": null,
+      "security_impact": false,
       "rationale": null,
       "compliant": null,
       "non-compliant": null,
@@ -14,7 +14,7 @@
     "display_name": {
       "description": "Human-readable display name of this API key. Modifiable by user.",
       "required": false,
-      "security_impact": null,
+      "security_impact": false,
       "rationale": null,
       "compliant": null,
       "non-compliant": null,
@@ -23,7 +23,7 @@
     "project": {
       "description": "The project for the resource",
       "required": false,
-      "security_impact": null,
+      "security_impact": false,
       "rationale": null,
       "compliant": null,
       "non-compliant": null,
@@ -32,7 +32,7 @@
     "restrictions": {
       "description": "Key restrictions.",
       "required": false,
-      "security_impact": null,
+      "security_impact": false,
       "rationale": null,
       "compliant": null,
       "non-compliant": null,
@@ -41,10 +41,10 @@
         "android_key_restrictions": {
           "description": "The Android apps that are allowed to use the key.",
           "required": false,
-          "security_impact": null,
-          "rationale": null,
-          "compliant": null,
-          "non-compliant": null,
+          "security_impact": true,
+          "rationale": "API key restrictions limit how and where the key can be used. API keys without restrictions may be abused or used outside their intended context.",
+          "compliant": "At least one restriction block is defined",
+          "non-compliant": "No restrictions are configured",
           "parent": "restrictions"
         },
         "api_targets": {
@@ -88,7 +88,7 @@
     "android_key_restrictions": {
       "description": "",
       "required": null,
-      "security_impact": null,
+      "security_impact": false,
       "rationale": null,
       "compliant": null,
       "non-compliant": null,
@@ -98,7 +98,7 @@
           "description": "A list of Android applications that are allowed to make API calls with this key.",
           "required": true,
           "security_impact": null,
-          "rationale": null,
+          "rationale": "Restricting Android applications ensures that only trusted mobile apps can use the API key.",
           "compliant": null,
           "non-compliant": null,
           "parent": "android_key_restrictions"
@@ -137,7 +137,7 @@
     "api_targets": {
       "description": "",
       "required": null,
-      "security_impact": null,
+      "security_impact": false,
       "rationale": null,
       "compliant": null,
       "non-compliant": null,
@@ -146,27 +146,32 @@
         "methods": {
           "description": "Optional. List of one or more methods that can be called. If empty, all methods for the service are allowed. A wildcard (*) can be used as the last symbol. Valid examples: `google.cloud.translate.v2.TranslateService.GetSupportedLanguage` `TranslateText` `Get*` `translate.googleapis.com.Get*`",
           "required": false,
-          "security_impact": null,
-          "rationale": null,
-          "compliant": null,
-          "non-compliant": null,
+          "security_impact": true,
+          "rationale": "Allowing wildcard methods significantly increases the attack surface of the API key.",
+          "compliant": [
+            "TranslateText",
+            "DetectLanguage"
+          ],
+          "non-compliant": [
+            "*"
+          ],
           "parent": "api_targets"
         },
         "service": {
           "description": "The service for this restriction. It should be the canonical service name, for example: `translate.googleapis.com`. You can use `gcloud services list` to get a list of services that are enabled in the project.",
           "required": true,
-          "security_impact": null,
-          "rationale": null,
-          "compliant": null,
-          "non-compliant": null,
+          "security_impact": true,
+          "rationale": "Restricting API targets ensures that the API key can only be used with explicitly approved Google Cloud services.",
+          "compliant": "translate.googleapis.com",
+          "non-compliant": "*",
           "parent": "api_targets"
         }
       }
     },
     "browser_key_restrictions": {
       "description": "",
       "required": null,
-      "security_impact": null,
+      "security_impact": false,
       "rationale": null,
       "compliant": null,
       "non-compliant": null,
@@ -175,18 +180,22 @@
         "allowed_referrers": {
           "description": "A list of regular expressions for the referrer URLs that are allowed to make API calls with this key.",
           "required": true,
-          "security_impact": null,
-          "rationale": null,
-          "compliant": null,
-          "non-compliant": null,
+          "security_impact": true,
+          "rationale": "Restricting browser referrers prevents unauthorized websites from using the API key.",
+          "compliant": [
+            "https://example.com"
+          ],
+          "non-compliant": [
+            "*"
+          ],
           "parent": "browser_key_restrictions"
         }
       }
     },
     "ios_key_restrictions": {
       "description": "",
       "required": null,
-      "security_impact": null,
+      "security_impact": false,
       "rationale": null,
       "compliant": null,
       "non-compliant": null,
@@ -195,8 +204,8 @@
         "allowed_bundle_ids": {
           "description": "A list of bundle IDs that are allowed when making API calls with this key.",
           "required": true,
-          "security_impact": null,
-          "rationale": null,
+          "security_impact": true,
+          "rationale": "Restricting iOS bundle IDs ensures that only trusted iOS applications can use the API key.",
           "compliant": null,
           "non-compliant": null,
           "parent": "ios_key_restrictions"
@@ -206,7 +215,7 @@
     "server_key_restrictions": {
       "description": "",
       "required": null,
-      "security_impact": null,
+      "security_impact": false,
       "rationale": null,
       "compliant": null,
       "non-compliant": null,
@@ -215,10 +224,14 @@
         "allowed_ips": {
           "description": "A list of the caller IP addresses that are allowed to make API calls with this key.",
           "required": true,
-          "security_impact": null,
-          "rationale": null,
-          "compliant": null,
-          "non-compliant": null,
+          "security_impact": true,
+          "rationale": "Restricting server IP addresses ensures that only trusted network locations can use the API key.",
+          "compliant": [
+            "203.0.113.0/24"
+          ],
+          "non-compliant": [
+            "0.0.0.0/0"
+          ],
           "parent": "server_key_restrictions"
         }
       }

diff --git a/docs/gcp/Biglake/biglake_catalog.md b/docs/gcp/Biglake/biglake_catalog.md
@@ -0,0 +1,15 @@
+## 🛡️ Policy Deployment Engine: `biglake_catalog`
+
+This section provides a concise policy evaluation for the `biglake_catalog` resource in GCP.
+
+Reference: [Terraform Registry – biglake_catalog](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/biglake_catalog)
+
+---
+
+## Argument Reference  
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `location` | The geographic location where the Catalog should reside. | true | true | The catalog location determines where metadata is stored and affects data residency, compliance, and regulatory requirements. | Catalog is created in an approved region | Catalog is created in an unapproved or unrestricted region |
+| `name` | The name of the Catalog. Format: projects/{project_id_or_number}/locations/{locationId}/catalogs/{catalogId} | true | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | true | Explicitly specifying the project ensures that the catalog is created within the intended security boundary and access controls. | Project is explicitly specified | Project is omitted or points to an unintended project |
diff --git a/docs/gcp/Biglake/biglake_database.md b/docs/gcp/Biglake/biglake_database.md
@@ -0,0 +1,23 @@
+## 🛡️ Policy Deployment Engine: `biglake_database`
+
+This section provides a concise policy evaluation for the `biglake_database` resource in GCP.
+
+Reference: [Terraform Registry – biglake_database](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/biglake_database)
+
+---
+
+## Argument Reference  
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `type` | The database type. | true | false | None | None | None |
+| `hive_options` | Options of a Hive database. Structure is [documented below](#nested_hive_options). | true | false | None | None | None |
+| `catalog` | The parent catalog. | true | false | None | None | None |
+| `name` | The name of the database. | true | false | None | None | None |
+
+### hive_options Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `location_uri` | Cloud Storage folder URI where the database data is stored, starting with "gs://". | false | true | The storage location defines where database data is physically stored. Incorrect configuration may expose sensitive data or violate data residency requirements. | Storage location points to a controlled and private Cloud Storage bucket | Storage location points to an uncontrolled or public bucket |
+| `parameters` | Stores user supplied Hive database parameters. An object containing a list of"key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. | false | false | None | None | None |
diff --git a/docs/gcp/Biglake/biglake_table.md b/docs/gcp/Biglake/biglake_table.md
@@ -0,0 +1,33 @@
+## 🛡️ Policy Deployment Engine: `biglake_table`
+
+This section provides a concise policy evaluation for the `biglake_table` resource in GCP.
+
+Reference: [Terraform Registry – biglake_table](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/biglake_table)
+
+---
+
+## Argument Reference  
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `name` | Output only. The name of the Table. Format: projects/{project_id_or_number}/locations/{locationId}/catalogs/{catalogId}/databases/{databaseId}/tables/{tableId} | true | false | None | None | None |
+| `type` | The database type. Possible values are: `HIVE`. | false | false | None | None | None |
+| `hive_options` | Options of a Hive table. Structure is [documented below](#nested_hive_options). | false | false | None | None | None |
+| `database` | The id of the parent database. | false | false | None | None | None |
+| `storage_descriptor` |  | false | false | None | None | None |
+
+### hive_options Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `parameters` | Stores user supplied Hive table parameters. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. | false | false | None | None | None |
+| `table_type` | Hive table type. For example, MANAGED_TABLE, EXTERNAL_TABLE. | false | false | None | None | None |
+| `storage_descriptor` | Stores physical storage information on the data. Structure is [documented below](#nested_hive_options_storage_descriptor). | false | false | None | None | None |
+
+### storage_descriptor Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `location_uri` | Cloud Storage folder URI where the table data is stored, starting with "gs://". | false | true | The table storage location determines where table data is stored and must be secured to prevent unauthorized data access. | Table data is stored in a secured Cloud Storage bucket | Table data is stored in an unsecured or public bucket |
+| `input_format` | The fully qualified Java class name of the input format. | false | false | None | None | None |
+| `output_format` | The fully qualified Java class name of the output format. | false | false | None | None | None |