Gcp/service/cloud iam #357

Open
224774388deakin wants to merge 102 commits into dev from gcp/service/Cloud_IAM

Conversation

@224774388deakin (Contributor)

No description provided.

@Sundi202 (Contributor) left a comment

You have too many attributes such as id, display name, description, etc. marked as security related in your docs when they are not security related. Please correct this and only add c and nc values for security-relevant attributes. Location should be australia for this project. Just a friendly reminder: please go through your entire work and correct the service where relevant, because too much time is spent commenting on mistakes that can be avoided. Further review will be addressed when comments are resolved.

Note: Comments should be addressed throughout your work; if you fix an error in one area, make sure it's not still appearing in the sections that follow.

@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.location_validation.message
Total Cloud_IAM folder policy binding detected: 2 
['Situation 1: ocation must be restricted to approved Australia regions for IAM folder policy bindings', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to an approved Australia region such as australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_folders_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.policy_validation.message
Total Cloud_IAM folder policy binding detected: 2 
['Situation 1: Folder policy binding must use an approved policy', 'Non-Compliant Resources: c, nc', 'Potential Remedies: Use only approved Principal Access Boundary policies, Ensure policy belongs to your organization']
Check failed: Resources in output other than 'nc' found: c

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.policy_kind_validation.message
Total Cloud_IAM folder policy binding detected: 2 
['Situation 1: Only approved policy kinds are allowed for folder policy bindings', 'Non-Compliant Resources: nc', 'Potential Remedies: Use PRINCIPAL_ACCESS_BOUNDARY as the policy_kind, Avoid using ACCESS or unspecified policy kinds']
Unique resource names in plan (google_iam_folders_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.client_type_validation.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth clients must use approved secure client types', 'Non-Compliant Resources: nc', 'Potential Remedies: Use PUBLIC_CLIENT or CONFIDENTIAL_CLIENT, Do not use CLIENT_TYPE_UNSPECIFIED']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.scope_restriction.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth client must not request overly broad scopes', 'Non-Compliant Resources: nc', 'Potential Remedies: Avoid using cloud-platform scope, Use least privilege scopes like email or openid']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.location_validation.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth client location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.oauth_scope_whitelist.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth client must only request approved least-privilege scopes to prevent over-permissioned identity access', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove cloud-platform scope if not strictly required, Prefer openid, email, or groups scopes, Follow least privilege OAuth design']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.location_validation.message
Total Cloud_IAM principal access boundary policy detected: 2 
['Situation 1: Principal access boundary policy location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_principal_access_boundary_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.organization_validation.message
Total Cloud_IAM principal access boundary policy detected: 2 
['Situation 1: Principal Access Boundary policies must use only approved organization IDs to ensure proper IAM governance and organizational compliance.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved organization IDs']
Unique resource names in plan (google_iam_principal_access_boundary_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.location_validation.message
Total Cloud_IAM organization policy binding detected: 2 
['Situation 1: Organization policy binding location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_organizations_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.location_validation.message
Total Cloud_IAM OAuth client credential detected: 2 
['Situation 1: OAuth client credential location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_oauth_client_credential): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.location_validation.message
Total Cloud_IAM project policy binding detected: 2 
['Situation 1: Project policy binding location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_projects_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.project_principal_whitelist.message
Total Cloud_IAM project policy binding detected: 2 
['Situation 1: Project policy binding must only allow approved project-level principals to reduce unauthorized access exposure', 'Non-Compliant Resources: nc', 'Potential Remedies: Restrict bindings to approved project IDs only, Remove wildcard or external project principals, Ensure only enterprise-managed projects are included']
Unique resource names in plan (google_iam_projects_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.policy_kind_restriction.message
Total Cloud_IAM project policy binding detected: 2 
['Situation 1: Policy binding must enforce only Principal Access Boundary to prevent privilege escalation via access policies', 'Non-Compliant Resources: nc', 'Potential Remedies: Set policy_kind strictly to PRINCIPAL_ACCESS_BOUNDARY, Avoid using ACCESS or unspecified policy kinds, Standardize IAM boundary enforcement across all projects']
Unique resource names in plan (google_iam_projects_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Cloud_IAM
  Resource: google_iam_folders_policy_binding
    Policy: location_validation - ✅
    Policy: policy_validation - ❌
    Policy: policy_kind_validation - ✅
  Resource: google_iam_oauth_client
    Policy: client_type_validation - ✅
    Policy: scope_restriction - ✅
    Policy: location_validation - ✅
    Policy: oauth_scope_whitelist - ✅
  Resource: google_iam_oauth_client_credential
    Policy: location_validation - ✅
  Resource: google_iam_organizations_policy_binding
    Policy: Location_Validation - ✅
  Resource: google_iam_principal_access_boundary_policy
    Policy: location_validation - ✅
    Policy: organization_validation - ✅
  Resource: google_iam_projects_policy_binding
    Policy: location_validation - ✅
    Policy: project_principal_whitelist - ✅
    Policy: policy_kind_restriction - ✅


Failures:
Service: Cloud_IAM | Resource: google_iam_folders_policy_binding | Policy: policy_validation
Resources in output other than 'nc' found: c


@github-actions github-actions Bot added CI-Review-Required PR requires review due to failed CI checks and removed CI-Approved PR approved by CI checks labels May 21, 2026
@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.location_validation.message
Total Cloud_IAM folder policy binding detected: 2 
['Situation 1: ocation must be restricted to approved Australia regions for IAM folder policy bindings', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to an approved Australia region such as australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_folders_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.policy_validation.message
Total Cloud_IAM folder policy binding detected: 2 
['Situation 1: Folder policy binding must use an approved policy', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved Principal Access Boundary policies, Ensure policy belongs to your organization']
Unique resource names in plan (google_iam_folders_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.policy_kind_validation.message
Total Cloud_IAM folder policy binding detected: 2 
['Situation 1: Only approved policy kinds are allowed for folder policy bindings', 'Non-Compliant Resources: nc', 'Potential Remedies: Use PRINCIPAL_ACCESS_BOUNDARY as the policy_kind, Avoid using ACCESS or unspecified policy kinds']
Unique resource names in plan (google_iam_folders_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.client_type_validation.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth clients must use approved secure client types', 'Non-Compliant Resources: nc', 'Potential Remedies: Use PUBLIC_CLIENT or CONFIDENTIAL_CLIENT, Do not use CLIENT_TYPE_UNSPECIFIED']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.scope_restriction.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth client must not request overly broad scopes', 'Non-Compliant Resources: nc', 'Potential Remedies: Avoid using cloud-platform scope, Use least privilege scopes like email or openid']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.location_validation.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth client location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.oauth_scope_whitelist.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth client must only request approved least-privilege scopes to prevent over-permissioned identity access', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove cloud-platform scope if not strictly required, Prefer openid, email, or groups scopes, Follow least privilege OAuth design']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.location_validation.message
Total Cloud_IAM principal access boundary policy detected: 2 
['Situation 1: Principal access boundary policy location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_principal_access_boundary_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.organization_validation.message
Total Cloud_IAM principal access boundary policy detected: 2 
['Situation 1: Principal Access Boundary policies must use only approved organization IDs to ensure proper IAM governance and organizational compliance.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved organization IDs']
Unique resource names in plan (google_iam_principal_access_boundary_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.location_validation.message
Total Cloud_IAM organization policy binding detected: 2 
['Situation 1: Organization policy binding location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_organizations_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.location_validation.message
Total Cloud_IAM OAuth client credential detected: 2 
['Situation 1: OAuth client credential location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_oauth_client_credential): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.location_validation.message
Total Cloud_IAM project policy binding detected: 2 
['Situation 1: Project policy binding location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_projects_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.project_principal_whitelist.message
Total Cloud_IAM project policy binding detected: 2 
['Situation 1: Project policy binding must only allow approved project-level principals to reduce unauthorized access exposure', 'Non-Compliant Resources: nc', 'Potential Remedies: Restrict bindings to approved project IDs only, Remove wildcard or external project principals, Ensure only enterprise-managed projects are included']
Unique resource names in plan (google_iam_projects_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.policy_kind_restriction.message
Total Cloud_IAM project policy binding detected: 2 
['Situation 1: Policy binding must enforce only Principal Access Boundary to prevent privilege escalation via access policies', 'Non-Compliant Resources: nc', 'Potential Remedies: Set policy_kind strictly to PRINCIPAL_ACCESS_BOUNDARY, Avoid using ACCESS or unspecified policy kinds, Standardize IAM boundary enforcement across all projects']
Unique resource names in plan (google_iam_projects_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Cloud_IAM
  Resource: google_iam_folders_policy_binding
    Policy: location_validation - ✅
    Policy: policy_validation - ✅
    Policy: policy_kind_validation - ✅
  Resource: google_iam_oauth_client
    Policy: client_type_validation - ✅
    Policy: scope_restriction - ✅
    Policy: location_validation - ✅
    Policy: oauth_scope_whitelist - ✅
  Resource: google_iam_oauth_client_credential
    Policy: location_validation - ✅
  Resource: google_iam_organizations_policy_binding
    Policy: Location_Validation - ✅
  Resource: google_iam_principal_access_boundary_policy
    Policy: location_validation - ✅
    Policy: organization_validation - ✅
  Resource: google_iam_projects_policy_binding
    Policy: location_validation - ✅
    Policy: project_principal_whitelist - ✅
    Policy: policy_kind_restriction - ✅


@github-actions github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 21, 2026
@224774388deakin (Contributor Author)

All the changes you requested done. Thanks.

@Sundi202 (Contributor) left a comment

You're missing security impact and rationale in some of your attributes in your JSON documentation. Plus you need to add all JSON files to your PR. For the resources that you have not worked on, just write "will not be completed in one trimester" in caps at the top.

@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.location_validation.message
Total Cloud_IAM folder policy binding detected: 2 
['Situation 1: ocation must be restricted to approved Australia regions for IAM folder policy bindings', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to an approved Australia region such as australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_folders_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.policy_validation.message
Total Cloud_IAM folder policy binding detected: 2 
['Situation 1: Folder policy binding must use an approved policy', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved Principal Access Boundary policies, Ensure policy belongs to your organization']
Unique resource names in plan (google_iam_folders_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.policy_kind_validation.message
Total Cloud_IAM folder policy binding detected: 2 
['Situation 1: Only approved policy kinds are allowed for folder policy bindings', 'Non-Compliant Resources: nc', 'Potential Remedies: Use PRINCIPAL_ACCESS_BOUNDARY as the policy_kind, Avoid using ACCESS or unspecified policy kinds']
Unique resource names in plan (google_iam_folders_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.client_type_validation.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth clients must use approved secure client types', 'Non-Compliant Resources: nc', 'Potential Remedies: Use PUBLIC_CLIENT or CONFIDENTIAL_CLIENT, Do not use CLIENT_TYPE_UNSPECIFIED']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.scope_restriction.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth client must not request overly broad scopes', 'Non-Compliant Resources: nc', 'Potential Remedies: Avoid using cloud-platform scope, Use least privilege scopes like email or openid']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.location_validation.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth client location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.oauth_scope_whitelist.message
Total Cloud_IAM OAuth client detected: 2 
['Situation 1: OAuth client must only request approved least-privilege scopes to prevent over-permissioned identity access', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove cloud-platform scope if not strictly required, Prefer openid, email, or groups scopes, Follow least privilege OAuth design']
Unique resource names in plan (google_iam_oauth_client): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.location_validation.message
Total Cloud_IAM principal access boundary policy detected: 2 
['Situation 1: Principal access boundary policy location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_principal_access_boundary_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.organization_validation.message
Total Cloud_IAM principal access boundary policy detected: 2 
['Situation 1: Principal Access Boundary policies must use only approved organization IDs to ensure proper IAM governance and organizational compliance.', 'Non-Compliant Resources: nc', 'Potential Remedies: Use only approved organization IDs']
Unique resource names in plan (google_iam_principal_access_boundary_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.location_validation.message
Total Cloud_IAM organization policy binding detected: 2 
['Situation 1: Organization policy binding location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_organizations_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.location_validation.message
Total Cloud_IAM OAuth client credential detected: 2 
['Situation 1: OAuth client credential location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_oauth_client_credential): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.location_validation.message
Total Cloud_IAM project policy binding detected: 2 
['Situation 1: Project policy binding location must be restricted to approved Australia regions', 'Non-Compliant Resources: nc', 'Potential Remedies: Set location to australia-southeast1 or australia-southeast2']
Unique resource names in plan (google_iam_projects_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.project_principal_whitelist.message
Total Cloud_IAM project policy binding detected: 2 
['Situation 1: Project policy binding must only allow approved project-level principals to reduce unauthorized access exposure', 'Non-Compliant Resources: nc', 'Potential Remedies: Restrict bindings to approved project IDs only, Remove wildcard or external project principals, Ensure only enterprise-managed projects are included']
Unique resource names in plan (google_iam_projects_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.policy_kind_restriction.message
Total Cloud_IAM project policy binding detected: 2 
['Situation 1: Policy binding must enforce only Principal Access Boundary to prevent privilege escalation via access policies', 'Non-Compliant Resources: nc', 'Potential Remedies: Set policy_kind strictly to PRINCIPAL_ACCESS_BOUNDARY, Avoid using ACCESS or unspecified policy kinds, Standardize IAM boundary enforcement across all projects']
Unique resource names in plan (google_iam_projects_policy_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: Cloud_IAM
  Resource: google_iam_folders_policy_binding
    Policy: location_validation - ✅
    Policy: policy_validation - ✅
    Policy: policy_kind_validation - ✅
  Resource: google_iam_oauth_client
    Policy: client_type_validation - ✅
    Policy: scope_restriction - ✅
    Policy: location_validation - ✅
    Policy: oauth_scope_whitelist - ✅
  Resource: google_iam_oauth_client_credential
    Policy: location_validation - ✅
  Resource: google_iam_organizations_policy_binding
    Policy: Location_Validation - ✅
  Resource: google_iam_principal_access_boundary_policy
    Policy: location_validation - ✅
    Policy: organization_validation - ✅
  Resource: google_iam_projects_policy_binding
    Policy: location_validation - ✅
    Policy: project_principal_whitelist - ✅
    Policy: policy_kind_restriction - ✅
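The checks above all follow one pattern: read each planned resource's `after` state, test a handful of attributes (location, policy_kind, client_type, allowed_scopes) against an approved set, and name the non-compliant instances. The Python below reproduces that pattern against a constructed `terraform show -json` plan. It is an added example, not the project's OPA policies and not code from this PR; the attribute names `location`, `policy_kind`, `client_type` and `allowed_scopes` are assumed from the Google provider schema, and the plan contents (one "c" and one "nc" instance per type, mirroring the naming in the check output) are constructed.

```python
"""Evaluate a Terraform plan (terraform show -json) against the Cloud_IAM rules
reported by the policy checks on this PR. Added example, not the project's own
OPA policies. Attribute names `location`, `policy_kind`, `client_type` and
`allowed_scopes` are assumed from the Google provider schema."""
import json

APPROVED_LOCATIONS = {"australia-southeast1", "australia-southeast2"}
APPROVED_CLIENT_TYPES = {"PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT"}
BROAD_SCOPES = {"https://www.googleapis.com/auth/cloud-platform"}


def location_ok(after):
    return after.get("location") in APPROVED_LOCATIONS


def policy_kind_ok(after):
    # Only Principal Access Boundary bindings are allowed; unspecified kinds fail.
    return after.get("policy_kind") == "PRINCIPAL_ACCESS_BOUNDARY"


def client_type_ok(after):
    # CLIENT_TYPE_UNSPECIFIED (or a missing attribute) is rejected.
    return after.get("client_type") in APPROVED_CLIENT_TYPES


def scopes_ok(after):
    # Fail if the client may request a broad scope such as cloud-platform.
    return not (set(after.get("allowed_scopes") or []) & BROAD_SCOPES)


# Rule names follow the check names in the bot output.
RULES = {
    "google_iam_projects_policy_binding": {
        "location_validation": location_ok,
        "policy_kind_restriction": policy_kind_ok,
    },
    "google_iam_oauth_client": {
        "location_validation": location_ok,
        "client_type_validation": client_type_ok,
        "scope_restriction": scopes_ok,
    },
}


def evaluate(plan_json):
    """Return {(resource_type, rule): [non-compliant resource names]}."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc["change"]["actions"] == ["delete"]:
            continue  # a resource being destroyed has no 'after' state to check
        after = rc["change"].get("after") or {}
        for rule, check in RULES.get(rc["type"], {}).items():
            if not check(after):
                findings.setdefault((rc["type"], rule), []).append(rc["name"])
    return findings


def format_report(findings):
    """Render findings in the same style as the check output on this PR."""
    return [
        f"{rtype}.{rule}: Non-Compliant Resources: {', '.join(sorted(names))}"
        for (rtype, rule), names in sorted(findings.items())
    ]


# Constructed plan: one compliant ("c") and one non-compliant ("nc") instance
# of each resource type, mirroring the c/nc naming used in this PR.
PLAN_JSON = json.dumps({"resource_changes": [
    {"type": "google_iam_projects_policy_binding", "name": "c",
     "change": {"actions": ["create"], "after": {
         "location": "australia-southeast1",
         "policy_kind": "PRINCIPAL_ACCESS_BOUNDARY"}}},
    {"type": "google_iam_projects_policy_binding", "name": "nc",
     "change": {"actions": ["create"], "after": {
         "location": "us-central1",
         "policy_kind": "POLICY_KIND_UNSPECIFIED"}}},
    {"type": "google_iam_oauth_client", "name": "c",
     "change": {"actions": ["create"], "after": {
         "location": "australia-southeast2",
         "client_type": "CONFIDENTIAL_CLIENT",
         "allowed_scopes": ["openid", "email"]}}},
    {"type": "google_iam_oauth_client", "name": "nc",
     "change": {"actions": ["create"], "after": {
         "location": "global",
         "client_type": "CLIENT_TYPE_UNSPECIFIED",
         "allowed_scopes": ["https://www.googleapis.com/auth/cloud-platform"]}}},
]})

if __name__ == "__main__":
    print("\n".join(format_report(evaluate(PLAN_JSON))))
```

Run it with `python3 check_plan.py` (file name assumed). Each rule fails closed: a missing `location`, `policy_kind` or `client_type` counts as non-compliant rather than being skipped, which is the behaviour you want from a gate that runs before `terraform apply`. Deleted resources are skipped because their `after` state is null in the plan.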


@224774388deakin (Contributor, Author) commented May 24, 2026

Added all JSON files to the PR. I filled the rationale and security_impact fields for all attributes in the resource types I worked on. Added "WILL NOT BE COMPLETED IN ONE TRIMESTER" at the top of the JSON files that were not worked on. Thanks

@github-actions


🔍 Policy Check Results

Status: ✅ All checks passed


Summary of policy checks:
Service: Cloud_IAM
  Resource: google_iam_folders_policy_binding
    Policy: location_validation - ✅
    Policy: policy_validation - ✅
    Policy: policy_kind_validation - ✅
  Resource: google_iam_oauth_client
    Policy: client_type_validation - ✅
    Policy: scope_restriction - ✅
    Policy: location_validation - ✅
    Policy: oauth_scope_whitelist - ✅
  Resource: google_iam_oauth_client_credential
    Policy: location_validation - ✅
  Resource: google_iam_organizations_policy_binding
    Policy: Location_Validation - ✅
  Resource: google_iam_principal_access_boundary_policy
    Policy: location_validation - ✅
    Policy: organization_validation - ✅
  Resource: google_iam_projects_policy_binding
    Policy: location_validation - ✅
    Policy: project_principal_whitelist - ✅
    Policy: policy_kind_restriction - ✅


@224774388deakin 224774388deakin requested a review from Sundi202 May 25, 2026 11:55

@JBarazani JBarazani (Contributor) left a comment

Hi Thanuka,
At present I will not approve this PR as I still see some issues with it.
Given we are in week 12, and this PR has gone through 5+ rounds of review, I would like us to leave it as is.

I have no concerns about you passing the unit even without the merge, as you have made quite a few good policies as well; there are just other things that require fixing before this can be merged, and I will likely give it to another Snr next trimester to pick up and fix based on my feedback.


4 participants