From 8fffdb890be531a33bf61a40bd9fc8e6e52d704a Mon Sep 17 00:00:00 2001 
From: 224774388deakin
Date: Tue, 28 Apr 2026 23:28:55 +1000
Subject: [PATCH 01/91] Cloud IAM clean implementation
---
 .../Cloud_IAM/iam_access_boundary_policy.md | 20 ++
 docs/gcp/Cloud_IAM/iam_deny_policy.md | 20 ++
 .../Cloud_IAM/iam_folders_policy_binding.md | 35 ++++
 docs/gcp/Cloud_IAM/iam_oauth_client.md | 22 ++
 .../Cloud_IAM/iam_oauth_client_credential.md | 18 ++
 .../iam_organizations_policy_binding.md | 18 ++
 .../iam_principal_access_boundary_policy.md | 17 ++
 .../Cloud_IAM/iam_projects_policy_binding.md | 35 ++++
 docs/gcp/Cloud_IAM/iam_workforce_pool.md | 34 ++++
 docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md | 17 ++
 .../Cloud_IAM/iam_workforce_pool_provider.md | 80 ++++++++
 .../iam_workforce_pool_provider_key.md | 28 +++
 .../Cloud_IAM/iam_workload_identity_pool.md | 50 +++++
 .../iam_workload_identity_pool_iam.md | 26 +++
 ...workload_identity_pool_managed_identity.md | 25 +++
 .../iam_workload_identity_pool_namespace.md | 17 ++
 .../iam_workload_identity_pool_provider.md | 72 +++++++
 .../iam_access_boundary_policy.json | 179 ++++++----------
 .../resource_json/iam_deny_policy.json | 189 ++++++------------
 .../iam_folders_policy_binding.json | 179 +++++++++--------
 .../resource_json/iam_oauth_client.json | 125 ++++++------
 .../iam_oauth_client_credential.json | 65 +++---
 .../iam_organizations_policy_binding.json | 136 +++---------
 .../iam_principal_access_boundary_policy.json | 117 +++-------
 .../iam_projects_policy_binding.json | 183 +++++++++--------
 .../name_validation/.terraform.lock.hcl | 21 ++
 .../name_validation/c.tf | 14 ++
 .../name_validation/config.tf | 11 +
 .../name_validation/nc.tf | 14 ++
 .../parent_validation/.terraform.lock.hcl | 21 ++
 .../parent_validation/c.tf | 17 ++
 .../parent_validation/config.tf | 11 +
 .../parent_validation/nc.tf | 17 ++
 .../name_validation/.terraform.lock.hcl | 21 ++
 .../name_validation/c.tf | 23 +++
 .../name_validation/config.tf | 11 +
 .../name_validation/nc.tf | 23 +++
 .../parent_validation/.terraform.lock.hcl | 21 ++
 .../parent_validation/c.tf | 20 ++
 .../parent_validation/config.tf | 11 +
 .../parent_validation/nc.tf | 20 ++
 .../folder_validation/.terraform.lock.hcl | 21 ++
 .../folder_validation/c.tf | 11 +
 .../folder_validation/config.tf | 11 +
 .../folder_validation/nc.tf | 11 +
 .../location_validation/.terraform.lock.hcl | 21 ++
 .../location_validation/c.tf | 11 +
 .../location_validation/config.tf | 11 +
 .../location_validation/nc.tf | 11 +
 .../.terraform.lock.hcl | 21 ++
 .../client_type_validation/c.tf | 12 ++
 .../client_type_validation/config.tf | 11 +
 .../client_type_validation/nc.tf | 12 ++
 .../location_validation/.terraform.lock.hcl | 21 ++
 .../location_validation/c.tf | 12 ++
 .../location_validation/config.tf | 11 +
 .../location_validation/nc.tf | 12 ++
 .../.terraform.lock.hcl | 21 ++
 .../credential_id_validation/c.tf | 8 +
 .../credential_id_validation/config.tf | 11 +
 .../credential_id_validation/nc.tf | 8 +
 .../location_validation/.terraform.lock.hcl | 21 ++
 .../location_validation/c.tf | 7 +
 .../location_validation/config.tf | 11 +
 .../location_validation/nc.tf | 7 +
 .../Location_Validation/.terraform.lock.hcl | 21 ++
 .../Location_Validation/c.tf | 13 ++
 .../Location_Validation/config.tf | 11 +
 .../Location_Validation/nc.tf | 13 ++
 .../.terraform.lock.hcl | 21 ++
 .../organization_validation/c.tf | 13 ++
 .../organization_validation/config.tf | 11 +
 .../organization_validation/nc.tf | 13 ++
 .../location_validation/.terraform.lock.hcl | 21 ++
 .../location_validation/c.tf | 15 ++
 .../location_validation/config.tf | 11 +
 .../location_validation/nc.tf | 15 ++
 .../.terraform.lock.hcl | 21 ++
 .../organization_validation/c.tf | 15 ++
 .../organization_validation/config.tf | 11 +
 .../organization_validation/nc.tf | 15 ++
 .../location_validation/.terraform.lock.hcl | 21 ++
 .../location_validation/c.tf | 13 ++
 .../location_validation/config.tf | 11 +
 .../location_validation/nc.tf | 13 ++
 .../project_validation/.terraform.lock.hcl | 21 ++
 .../project_validation/c.tf | 13 ++
 .../project_validation/config.tf | 11 +
 .../project_validation/nc.tf | 13 ++
 .../name_validation/policy.rego | 26 +++
 .../parent_validation/policy.rego | 27 +++
 .../vars.rego | 8 +
 .../name_validation/policy.rego | 23 +++
 .../parent_validation/policy.rego | 22 ++
 .../google_iam_deny_policy/vars.rego | 7 +
 .../folder_validation/policy.rego | 26 +++
 .../location_validation/policy.rego | 25 +++
 .../vars.rego | 7 +
 .../client_type_validation/policy.rego | 23 +++
 .../location_validation/policy.rego | 22 ++
 .../google_iam_oauth_client/vars.rego | 7 +
 .../credential_id_validation/policy.rego | 27 +++
 .../location_validation/policy.rego | 23 +++
 .../vars.rego | 7 +
 .../Location_Validation/policy.rego | 25 +++
 .../organization_validation/policy.rego | 26 +++
 .../vars.rego | 7 +
 .../location_validation/policy.rego | 24 +++
 .../organization_validation/policy.rego | 26 +++
 .../vars.rego | 7 +
 .../location_validation/policy.rego | 23 +++
 .../project_validation/policy.rego | 23 +++
 .../vars.rego | 7 +
 113 files changed, 2397 insertions(+), 704 deletions(-)
 create mode 100644 docs/gcp/Cloud_IAM/iam_access_boundary_policy.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_deny_policy.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_oauth_client.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_oauth_client_credential.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_workforce_pool.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_workforce_pool_provider.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_workforce_pool_provider_key.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_workload_identity_pool.md
 create mode 100644
docs/gcp/Cloud_IAM/iam_workload_identity_pool_iam.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_workload_identity_pool_managed_identity.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_workload_identity_pool_namespace.md
 create mode 100644 docs/gcp/Cloud_IAM/iam_workload_identity_pool_provider.md
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl
 create mode 100644
inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf
 create mode 100644
inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/.terraform.lock.hcl
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/c.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/config.tf
 create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego
 create mode 100644
policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego
 create mode 100644 policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
diff --git a/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md b/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md
new file mode 100644
index 000000000..4250def1e
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md
@@ -0,0 +1,20 @@
+## 🛡️ Policy Deployment Engine: `iam_access_boundary_policy`
+
+This section provides a concise policy evaluation for the `iam_access_boundary_policy` resource in GCP.
+
+Reference: [Terraform Registry – iam_access_boundary_policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_access_boundary_policy)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `name` | The name of the policy. | true | false | We enforce a simple naming rule (pde-*) so all policies follow the same pattern and are easy to identify. | pde-access-boundary-prod | myPolicy123 |
+| `parent` | The resource where this policy is attached. | true | false | Parent must always be a valid GCP project or organization path so the policy applies correctly. | cloudresourcemanager.googleapis.com/projects/123456789 | projects/test-project |
+| `rules` | Rules that define what resources and permissions are allowed. | true | false | We use rules to enforce least privilege and limit access only to required resources. | None | None |
+| `display_name` | A simple name shown in the console. | false | false | Used for readability and easier management. | Production Access Boundary Policy | test |
+| `access_boundary_rule` | Defines which resources and permissions are allowed. | false | false | We use this to enforce least privilege access in GCP. | None | None |
+| `available_resource` | The GCP resource that is allowed. | false | false | Avoids access to wrong or sensitive projects. | //cloudresourcemanager.googleapis.com/projects/123456789 | //cloudresourcemanager.googleapis.com/projects/random-project |
+| `available_permissions` | Permissions allowed for the resource. | false | false | We only allow required permissions instead of full access. 
| ['resourcemanager.projects.get'] | ['*'] |
+| `availability_condition` | Extra condition to control when access is allowed. | false | false | Used to restrict access under specific conditions only. | {'expression': "request.time < timestamp('2026-12-31T00:00:00Z')", 'title': 'Time limit', 'description': 'Access allowed only before expiry date', 'location': 'global'} | {'expression': 'true'} |
diff --git a/docs/gcp/Cloud_IAM/iam_deny_policy.md b/docs/gcp/Cloud_IAM/iam_deny_policy.md
new file mode 100644
index 000000000..0a819320e
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_deny_policy.md
@@ -0,0 +1,20 @@
+## 🛡️ Policy Deployment Engine: `iam_deny_policy`
+
+This section provides a concise policy evaluation for the `iam_deny_policy` resource in GCP.
+
+Reference: [Terraform Registry – iam_deny_policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_deny_policy)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `name` | The name of the policy. | true | false | We enforce a simple naming rule using prefix 'pde-' so all deny policies are consistent and easy to track. | pde-deny-policy-prod | denyPolicy123 |
+| `parent` | The attachment point is identified by its URL-encoded full resource name. | true | false | Parent must always follow valid GCP resource format so the deny policy is applied to the correct scope. | cloudresourcemanager.googleapis.com/projects/123456789 | projects/test-project |
+| `rules` | Rules to be applied. | true | false | Rules are used to enforce strict deny controls on sensitive resources. | None | None |
+| `display_name` | The display name of the rule. | false | false | Used for readability and easier management of policies. | Production Deny Policy | test123 |
+| `deny_rule` | | false | false | Used to enforce security restrictions and prevent unauthorized actions. | None | None |
+| `denied_principals` | Users or identities that are blocked from access. | false | false | We block risky or unwanted identities using deny rules. | ['user:blocked-user@example.com'] | ['allUsers'] |
+| `denied_permissions` | Permissions that are explicitly denied. | false | false | We deny high-risk permissions to enforce least privilege. | ['iam.googleapis.com/roles.list'] | ['*'] |
+| `denial_condition` | Condition when the deny rule should apply. | false | false | Used to apply deny rules only in specific situations. 
| {'expression': "request.time < timestamp('2026-12-31T00:00:00Z')", 'title': 'Time restriction', 'description': 'Deny access after expiry date', 'location': 'global'} | {'expression': 'true'} |
diff --git a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
new file mode 100644
index 000000000..e31fe9734
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
@@ -0,0 +1,35 @@
+## 🛡️ Policy Deployment Engine: `iam_folders_policy_binding`
+
+This section provides a concise policy evaluation for the `iam_folders_policy_binding` resource in GCP.
+
+Reference: [Terraform Registry – iam_folders_policy_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_folders_policy_binding)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `folder` | The parent folder for the IAM policy binding. Must be a valid numeric GCP folder ID. | true | true | Ensures IAM policy is applied only at a valid folder scope. | 224774388 | my-folder |
+| `location` | The location of the policy binding. Must always be global for folder IAM bindings. | true | true | IAM folder bindings are global to ensure consistent access control. | global | us-central1 |
+| `policy_binding_id` | Unique identifier for the policy binding. | true | true | Ensures each binding is uniquely identifiable. | folder-binding-01 | Folder Binding 01 |
+| `display_name` | Optional human-readable name for the policy binding (max 63 characters). | false | false | Used only for display purposes. | Folder IAM Binding | This name is way too long and not valid for IAM folder binding display name usage |
+| `annotations` | Optional metadata used for tagging and classification. | false | false | Does not affect IAM security enforcement. | {'environment': 'dev', 'team': 'security'} | {'notes': 'this is an invalid overly long annotation example used for testing purposes and should not be used in production environments because it violates expected size constraints'} |
+| `policy_kind` | Type of IAM policy being applied (e.g., ACCESS or PRINCIPAL_ACCESS_BOUNDARY). | false | true | Defines how IAM policy is enforced. 
| ACCESS | INVALID_TYPE |
+| `target` | Full resource name of the target folder where the policy is applied. | true | true | Defines the exact scope of IAM enforcement. | //cloudresourcemanager.googleapis.com/folders/224774388 | //invalid/resource |
+| `condition` | Optional CEL condition for conditional IAM access control. | false | true | Enables fine-grained access control rules. | {'expression': "resource.name.startsWith('folders/')", 'title': 'Folder access rule', 'description': 'Allows access only to folder resources'} | {'expression': 'true'} |
+
+### target Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `principal_set` | Principal set used for access boundary enforcement within the folder. | false | true | Restricts access to approved identities within folder boundary. | //cloudresourcemanager.googleapis.com/folders/224774388 | //cloudresourcemanager.googleapis.com/projects/123 |
+
+### condition Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `expression` | CEL expression defining IAM condition logic. | false | true | Controls conditional access behavior. | resource.name.startsWith('folders/') | true |
+| `title` | Short title for the condition. | false | false | For readability only. | Folder Condition | |
+| `description` | Detailed explanation of the condition. | false | false | Documentation purpose only. | Restricts access to folder-level resources | |
+| `location` | Debug location for condition evaluation. | false | false | Used for error tracing. | global | |
diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client.md b/docs/gcp/Cloud_IAM/iam_oauth_client.md
new file mode 100644
index 000000000..996c52354
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_oauth_client.md 
@@ -0,0 +1,22 @@
+## 🛡️ Policy Deployment Engine: `iam_oauth_client`
+
+This section provides a concise policy evaluation for the `iam_oauth_client` resource in GCP.
+
+Reference: [Terraform Registry – iam_oauth_client](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_oauth_client)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `location` | Location where the OAuth client is deployed. Must always be global. | true | true | Ensures OAuth configuration consistency across GCP IAM services. | global | us-central1 |
+| `oauth_client_id` | Unique OAuth client ID. Must be 6–63 characters, lowercase letters, digits, or hyphens. Cannot start or end with hyphen and cannot use 'gcp-' prefix. | true | true | Prevents insecure or invalid OAuth client identifiers. | example-client-01 | gcp-client-01- |
+| `client_type` | Type of OAuth client. Only PUBLIC_CLIENT or CONFIDENTIAL_CLIENT are allowed. | false | true | Restricts OAuth client types to approved security models. | CONFIDENTIAL_CLIENT | UNKNOWN_CLIENT |
+| `allowed_scopes` | List of OAuth scopes allowed for authentication flows. | true | true | Restricting scopes reduces access exposure and privilege escalation risk. | ['openid', 'email'] | ['*'] |
+| `allowed_grant_types` | OAuth grant types allowed for the client. | true | true | Controls authentication flow security. | ['AUTHORIZATION_CODE_GRANT'] | [] |
+| `allowed_redirect_uris` | List of allowed redirect URIs after authentication. | true | true | Prevents redirect attacks and phishing risks. | ['https://example.com'] | ['http://evil.com'] |
+| `disabled` | Indicates whether the OAuth client is disabled. | false | true | Disabled clients cannot be used for authentication. | False | True |
+| `display_name` | Human-readable name for the OAuth client. 
| false | false | None | Valid OAuth Client | Invalid Client |
+| `description` | Optional description of the OAuth client. | false | false | None | OAuth client for production app | |
+| `project` | GCP project where the OAuth client is created. | false | true | Ensures correct project-level isolation. | smooth-verve-467716-v1 | |
diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md
new file mode 100644
index 000000000..a14251e0c
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md
@@ -0,0 +1,18 @@
+## 🛡️ Policy Deployment Engine: `iam_oauth_client_credential`
+
+This section provides a concise policy evaluation for the `iam_oauth_client_credential` resource in GCP.
+
+Reference: [Terraform Registry – iam_oauth_client_credential](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_oauth_client_credential)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `location` | Location where the OAuth client credential is created. Must always be global. | true | true | Restricting location to global ensures consistent IAM control and avoids regional misconfiguration. | global | us-central1 |
+| `oauthclient` | Parent OAuth client identifier used to associate the credential. | true | true | Invalid client associations can lead to unauthorized credential binding. | example-client-id | invalid-client |
+| `oauth_client_credential_id` | Unique credential ID. Must follow 4–32 chars, lowercase letters, numbers, and hyphens. Cannot start with 'gcp-'. | true | true | Strict naming prevents insecure or reserved prefix usage. | cred-01a | gcp-cred-01a |
+| `disabled` | Indicates whether the credential is disabled. | false | true | Disabled credentials cannot be used for authentication. | False | True |
+| `display_name` | Human-readable name for the credential. | false | false | None | Valid Credential | Invalid Credential |
+| `project` | GCP project where the resource is created. If not set, provider project is used. | false | true | Ensures correct project scoping for IAM isolation. | smooth-verve-467716-v1 | |
diff --git a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md
new file mode 100644
index 000000000..6a3b37d5a
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md
@@ -0,0 +1,18 @@
+## 🛡️ Policy Deployment Engine: `iam_organizations_policy_binding`
+
+This section provides a concise policy evaluation for the `iam_organizations_policy_binding` resource in GCP.
+
+Reference: [Terraform Registry – iam_organizations_policy_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_organizations_policy_binding)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `organization` | Numeric organization ID for binding. | true | true | Ensures policy is attached to correct organization boundary. | 123456789 | org-name |
+| `location` | Must always be global. | true | true | IAM bindings must be globally consistent. | global | us-central1 |
+| `policy_binding_id` | Unique identifier for policy binding. | true | true | Ensures unique tracking of bindings. | binding-001 | binding#1 |
+| `display_name` | Human readable name for policy binding. | false | false | No security impact. | Org Binding | |
+| `annotations` | User-defined metadata annotations. | false | false | Used for tagging only. | {} | {} |
+| `policy_kind` | Type of policy: PRINCIPAL_ACCESS_BOUNDARY or ACCESS. | false | true | Controls IAM enforcement behavior. | ACCESS | UNKNOWN |
diff --git a/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
new file mode 100644
index 000000000..3438032f0
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
@@ -0,0 +1,17 @@
+## 🛡️ Policy Deployment Engine: `iam_principal_access_boundary_policy`
+
+This section provides a concise policy evaluation for the `iam_principal_access_boundary_policy` resource in GCP.
+
+Reference: [Terraform Registry – iam_principal_access_boundary_policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_principal_access_boundary_policy)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `organization` | Numeric organization ID. | true | true | Defines IAM boundary scope at organization level. | 123456789 | org-name |
+| `location` | Must always be global. | true | true | Ensures centralized IAM enforcement. | global | us-central1 |
+| `principal_access_boundary_policy_id` | Policy ID (2–62 chars, lowercase, numbers, hyphen, dot allowed). | true | true | Ensures valid IAM naming standard. | pab-policy-01 | INVALID_ID |
+| `display_name` | Display name of policy. | false | false | No security impact. | PAB Policy | |
+| `annotations` | Metadata tags for policy. | false | false | Only metadata. | {} | {} |
diff --git a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
new file mode 100644
index 000000000..64a7d901a
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
@@ -0,0 +1,35 @@
+## 🛡️ Policy Deployment Engine: `iam_projects_policy_binding`
+
+This section provides a concise policy evaluation for the `iam_projects_policy_binding` resource in GCP.
+
+Reference: [Terraform Registry – iam_projects_policy_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_projects_policy_binding)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `project` | GCP project ID where the policy binding is applied. Must follow valid project naming rules (lowercase letters, numbers, and hyphens). | false | true | Ensures IAM policy is attached to a valid and controlled project scope. | my-project-123 | Invalid_Project |
+| `location` | Location of the policy binding. Must always be global for IAM project policy bindings. | true | true | IAM bindings must be globally consistent for proper access control enforcement. | global | us-central1 |
+| `policy_binding_id` | Unique identifier for the policy binding within the project. | true | true | Ensures each IAM binding can be uniquely tracked and managed. | project-binding-01 | Project Binding #1 |
+| `display_name` | Optional human-readable name for the policy binding (maximum 63 characters). | false | false | Used only for identification and has no security impact. | Project IAM Binding | This is an extremely long invalid display name that exceeds allowed character limits for IAM resources |
+| `annotations` | Optional metadata used to tag and classify the policy binding. | false | false | Annotations are informational only and do not affect IAM enforcement. 
| {'environment': 'prod', 'team': 'security'} | {'note': 'This annotation contains excessive invalid metadata that should not be used in production IAM configurations because it violates expected structure and readability standards'} |
+| `policy_kind` | Type of policy being applied. Possible values include ACCESS or PRINCIPAL_ACCESS_BOUNDARY. | false | true | Determines IAM enforcement behavior and access model. | ACCESS | UNKNOWN_TYPE |
+| `target` | Full resource name of the target project where the policy binding is applied. | true | true | Defines exact IAM enforcement scope at project level. | //cloudresourcemanager.googleapis.com/projects/my-project-123 | //invalid/resource/name |
+| `condition` | Optional IAM condition using Common Expression Language (CEL) for conditional access control. | false | true | Allows fine-grained access control based on logical conditions. | {'expression': "resource.name.startsWith('projects/')", 'title': 'Project access rule', 'description': 'Allows access only to project resources'} | {'expression': 'true'} |
+
+### target Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `principal_set` | Principal set defining which identities are allowed within the project scope. | false | true | Restricts access to approved identities within project boundary. | //cloudresourcemanager.googleapis.com/projects/123456789 | //cloudresourcemanager.googleapis.com/folders/123 |
+
+### condition Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `expression` | CEL expression used to define IAM conditional logic. | false | true | Controls when IAM policy is applied. 
| resource.name.startsWith('projects/') | true |
+| `title` | Short title describing the IAM condition. | false | false | Used for readability only. | Project Condition | |
+| `description` | Detailed explanation of the IAM condition. | false | false | Documentation purpose only. | Restricts access to project-level resources only | |
+| `location` | Debugging reference for IAM condition evaluation. | false | false | Used for error tracing and debugging. | global | |
diff --git a/docs/gcp/Cloud_IAM/iam_workforce_pool.md b/docs/gcp/Cloud_IAM/iam_workforce_pool.md
new file mode 100644
index 000000000..f5be42d82
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_workforce_pool.md
@@ -0,0 +1,34 @@
+## 🛡️ Policy Deployment Engine: `iam_workforce_pool`
+
+This section provides a concise policy evaluation for the `iam_workforce_pool` resource in GCP.
+
+Reference: [Terraform Registry – iam_workforce_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `parent` | Immutable. The resource name of the parent. Format: `organizations/{org-id}`. | true | false | None | None | None |
+| `location` | The location for the resource. | true | false | None | None | None |
+| `workforce_pool_id` | The name of the pool. The ID must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None |
+| `display_name` | A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters. | false | false | None | None | None |
+| `description` | A user-specified description of the pool. Cannot exceed 256 characters. | false | false | None | None | None |
+| `disabled` | Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. | false | false | None | None | None |
+| `session_duration` | Duration that the Google Cloud access tokens, console sign-in sessions, and `gcloud` sign-in sessions from this pool are valid. Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If `sessionDuration` is not configured, minted credentials have a default duration of one hour (3600s). 
A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: "`3.5s`". | false | false | None | None | None |
+| `access_restrictions` | Configure access restrictions on the workforce pool users. This is an optional field. If specified web sign-in can be restricted to given set of services or programmatic sign-in can be disabled for pool users. Structure is [documented below](#nested_access_restrictions). | false | false | None | None | None |
+| `allowed_services` | | false | false | None | None | None |
+
+### access_restrictions Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `allowed_services` | Services allowed for web sign-in with the workforce pool. If not set by default there are no restrictions. Structure is [documented below](#nested_access_restrictions_allowed_services). | false | false | None | None | None |
+| `disable_programmatic_signin` | Disable programmatic sign-in by disabling token issue via the Security Token API endpoint. See [Security Token Service API](https://cloud.google.com/iam/docs/reference/sts/rest). | false | false | None | None | None |
+
+### allowed_services Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `domain` | Domain name of the service. Example: console.cloud.google | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md b/docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md
new file mode 100644
index 000000000..6984accfa
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md
@@ -0,0 +1,17 @@
+## 🛡️ Policy Deployment Engine: `iam_workforce_pool_iam`
+
+This section provides a concise policy evaluation for the `iam_workforce_pool_iam` resource in GCP.
+
+Reference: [Terraform Registry – iam_workforce_pool_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool_iam)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `location` | the value will be parsed from the identifier of the parent resource. If no location is provided in the parent identifier and no location is specified, it is taken from the provider configuration. | false | false | None | None | None |
+| `workforce_pool_id` | | false | false | None | None | None |
+| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. 
For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | false | None | None | None |
+| `role` | `google_iam_workforce_pool_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | false | None | None | None |
+| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_workforce_pool_provider.md b/docs/gcp/Cloud_IAM/iam_workforce_pool_provider.md
new file mode 100644
index 000000000..4e97ed001
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_workforce_pool_provider.md
@@ -0,0 +1,80 @@
+## 🛡️ Policy Deployment Engine: `iam_workforce_pool_provider`
+
+This section provides a concise policy evaluation for the `iam_workforce_pool_provider` resource in GCP.
+
+Reference: [Terraform Registry – iam_workforce_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool_provider)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `location` | The location for the resource. | true | false | None | None | None |
+| `workforce_pool_id` | The ID to use for the pool, which becomes the final component of the resource name. The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None |
+| `provider_id` | The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None |
+| `display_name` | A user-specified display name for the provider. Cannot exceed 32 characters. | false | false | None | None | None |
+| `description` | A user-specified description of the provider. Cannot exceed 256 characters. | false | false | None | None | None |
+| `disabled` | Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. | false | false | None | None | None |
+| `attribute_mapping` | Maps attributes from the authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. 
Each key must be a string specifying the Google Cloud IAM attribute to map to. The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes. * `google.groups`: Groups the authenticating user belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. * `google.display_name`: The name of the authenticated user. This is an optional field and the mapped display name cannot exceed 100 bytes. If not set, `google.subject` will be displayed instead. This attribute cannot be referenced in IAM bindings. * `google.profile_photo`: The URL that specifies the authenticated user's thumbnail photo. This is an optional field. When set, the image will be visible as the user's profile picture. If not set, a generic user icon will be displayed instead. This attribute cannot be referenced in IAM bindings. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where {custom_attribute} is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workforce pool to Google Cloud resources. 
For example: * `google.subject`: `principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language](https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute. For example, the following maps the sub claim of the incoming credential to the `subject` attribute on a Google token: ``` {"google.subject": "assertion.sub"} ``` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`. | false | false | None | None | None |
+| `attribute_condition` | A [Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions: * `assertion`: JSON representing the authentication credential issued by the provider. * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. `google.profile_photo` and `google.display_name` are not supported. 
* `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials will be accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: ``` "'admins' in google.groups" ``` | false | false | None | None | None |
+| `saml` | Represents a SAML identity provider. Structure is [documented below](#nested_saml). | false | false | None | None | None |
+| `oidc` | Represents an OpenId Connect 1.0 identity provider. Structure is [documented below](#nested_oidc). | false | false | None | None | None |
+| `extra_attributes_oauth2_client` | The configuration for OAuth 2.0 client used to get the additional user attributes. This should be used when users can't get the desired claims in authentication credentials. Currently this configuration is only supported with SAML and OIDC protocol. Structure is [documented below](#nested_extra_attributes_oauth2_client). | false | false | None | None | None |
+| `client_secret` | | false | false | None | None | None |
+| `value` | | false | false | None | None | None |
+| `web_sso_config` | | false | false | None | None | None |
+| `query_parameters` | | false | false | None | None | None |
+
+### saml Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `idp_metadata_xml` | SAML Identity provider configuration metadata xml doc. The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). The max size of the acceptable xml document will be bounded to 128k characters. The metadata xml document should satisfy the following constraints: 1) Must contain an Identity Provider Entity ID. 
2) Must contain at least one non-expired signing key certificate. 3) For each signing key: a) Valid from should be no more than 7 days from now. b) Valid to should be no more than 10 years in the future. 4) Up to 3 IdP signing keys are allowed in the metadata xml. When updating the provider's metadata xml, at least one non-expired signing key must overlap with the existing metadata. This requirement is skipped if there are no non-expired signing keys present in the existing metadata. | true | false | None | None | None |
+
+### oidc Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `issuer_uri` | The OIDC issuer URI. Must be a valid URI using the 'https' scheme. | true | false | None | None | None |
+| `client_id` | The client ID. Must match the audience claim of the JWT issued by the identity provider. | true | false | None | None | None |
+| `client_secret` | The optional client secret. Required to enable Authorization Code flow for web sign-in. Structure is [documented below](#nested_oidc_client_secret). | false | false | None | None | None |
+| `web_sso_config` | Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser. Structure is [documented below](#nested_oidc_web_sso_config). | false | false | None | None | None |
+| `jwks_json` | OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the `jwks_uri` from the discovery document fetched from the .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric keys are supported. 
The JWK must use following format and include only the following fields: ``` { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } ``` | false | false | None | None | None |
+
+### extra_attributes_oauth2_client Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `issuer_uri` | The OIDC identity provider's issuer URI. Must be a valid URI using the `https` scheme. Required to get the OIDC discovery document. | true | false | None | None | None |
+| `client_id` | The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow. | true | false | None | None | None |
+| `client_secret` | The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow. Structure is [documented below](#nested_extra_attributes_oauth2_client_client_secret). | true | false | None | None | None |
+| `attributes_type` | Represents the IdP and type of claims that should be fetched. * AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and `mail` property of the `microsoft.graph.group` object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The attributes obtained from idntity provider are mapped to `assertion.groups`. * AZURE_AD_GROUPS_ID: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and `id` property of the `microsoft.graph.group` object is used for claim mapping. 
See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The group IDs obtained from Azure AD are present in `assertion.groups` for OIDC providers and `assertion.attributes.groups` for SAML providers for attribute mapping. Possible values are: `AZURE_AD_GROUPS_MAIL`, `AZURE_AD_GROUPS_ID`. | true | false | None | None | None |
+| `query_parameters` | Represents the parameters to control which claims are fetched from an IdP. Structure is [documented below](#nested_extra_attributes_oauth2_client_query_parameters). | false | false | None | None | None |
+
+### client_secret Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `value` | The value of the client secret. Structure is [documented below](#nested_extra_attributes_oauth2_client_client_secret_value). | false | false | None | None | None |
+
+### value Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `plain_text` | The plain text of the client secret value. | true | false | None | None | None |
+| `thumbprint` | (Output) A thumbprint to represent the current client secret value. | false | false | None | None | None |
+
+### web_sso_config Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `response_type` | The Response Type to request for in the OIDC Authorization Request for web sign-in. The `CODE` Response Type is recommended to avoid the Implicit Flow, for security reasons. 
* CODE: The `response_type=code` selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret. * ID_TOKEN: The `response_type=id_token` selection uses the Implicit Flow for web sign-in. Possible values are: `CODE`, `ID_TOKEN`. | true | false | None | None | None |
+| `assertion_claims_behavior` | The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition. * MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS: Merge the UserInfo Endpoint Claims with ID Token Claims, preferring UserInfo Claim Values for the same Claim Name. This option is available only for the Authorization Code Flow. * ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values are: `MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS`, `ONLY_ID_TOKEN_CLAIMS`. | true | false | None | None | None |
+| `additional_scopes` | Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the `openid`, `profile` and `email` scopes that are supported by the identity provider are requested. Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured. | false | false | None | None | None |
+
+### query_parameters Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `filter` | The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL and AZURE_AD_GROUPS_ID, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The groups should be security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details. | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_workforce_pool_provider_key.md b/docs/gcp/Cloud_IAM/iam_workforce_pool_provider_key.md
new file mode 100644
index 000000000..91883b7b5
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_workforce_pool_provider_key.md
@@ -0,0 +1,28 @@
+## 🛡️ Policy Deployment Engine: `iam_workforce_pool_provider_key`
+
+This section provides a concise policy evaluation for the `iam_workforce_pool_provider_key` resource in GCP.
+
+Reference: [Terraform Registry – iam_workforce_pool_provider_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool_provider_key)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `key_data` | Immutable. Public half of the asymmetric key. Structure is [documented below](#nested_key_data). | true | false | None | None | None |
+| `use` | The purpose of the key. Possible values are: `ENCRYPTION`. | true | false | None | None | None |
+| `location` | The location for the resource. | true | false | None | None | None |
+| `workforce_pool_id` | The ID of the workforce pool. | true | false | None | None | None |
+| `provider_id` | The ID of the provider. | true | false | None | None | None |
+| `key_id` | The ID to use for the key, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. | true | false | None | None | None |
+
+### key_data Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `format` | (Output) The format of the key. | false | false | None | None | None |
+| `not_before_time` | (Output) Earliest timestamp when this key is valid. Attempts to use this key before this time will fail. Only present if the key data represents a X.509 certificate. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. 
Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30". | false | false | None | None | None |
+| `not_after_time` | (Output) Latest timestamp when this key is valid. Attempts to use this key after this time will fail. Only present if the key data represents a X.509 certificate. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30". | false | false | None | None | None |
+| `key` | (Output) The key data. The format of the key is represented by the format field. | false | false | None | None | None |
+| `key_spec` | The specifications for the key. Possible values are: `RSA_2048`, `RSA_3072`, `RSA_4096`. | true | false | None | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool.md
new file mode 100644
index 000000000..5b51fdd84
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool.md
@@ -0,0 +1,50 @@ +## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool` + +This section provides a concise policy evaluation for the `iam_workload_identity_pool` resource in GCP. + +Reference: [Terraform Registry – iam_workload_identity_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `workload_identity_pool_id` | The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None | +| `display_name` | A display name for the pool. Cannot exceed 32 characters. | false | false | None | None | None | +| `description` | A description of the pool. Cannot exceed 256 characters. | false | false | None | None | None | +| `disabled` | Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again. | false | false | None | None | None | +| `mode` | , [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) The mode for the pool is operating in. Pools with an unspecified mode will operate as if they are in `FEDERATION_ONLY` mode. ~> **Note** This field cannot be changed after the Workload Identity Pool is created. While `terraform plan` may show an update if you change this field's value, `terraform apply` **will fail with an API error** (such as `Error 400: Attempted to update an immutable field.`). To specify a different `mode`, please create a new Workload Identity Pool resource. 
* `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources within the pool besides providers. * `TRUST_DOMAIN`: Pools can be used to assign identities to Google Cloud workloads. All identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: `ns//sa/`. `google_iam_workload_identity_pool_provider`s cannot be created within `TRUST_DOMAIN` mode pools. Possible values are: `FEDERATION_ONLY`, `TRUST_DOMAIN`. | false | false | None | None | None | +| `inline_certificate_issuance_config` | , [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Represents configuration for generating mutual TLS (mTLS) certificates for the identities within this pool. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates. Structure is [documented below](#nested_inline_certificate_issuance_config). | false | false | None | None | None | +| `inline_trust_config` | , [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Represents config to add additional trusted trust domains. Defines configuration for extending trust to additional trust domains. By establishing trust with another domain, the current domain will recognize and accept certificates issued by entities within the trusted domains. Note that a trust domain automatically trusts itself, eliminating the need for explicit configuration. Structure is [documented below](#nested_inline_trust_config). | false | false | None | None | None | +| `project` | If it is not provided, the provider project is used. 
| false | false | None | None | None | +| `additional_trust_bundles` | | false | false | None | None | None | +| `trust_anchors` | | false | false | None | None | None | + +### inline_certificate_issuance_config Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `ca_pools` | A required mapping of a cloud region to the CA pool resource located in that region used for certificate issuance, adhering to these constraints: * **Key format:** A supported cloud region name equivalent to the location identifier in the corresponding map entry's value. * **Value format:** A valid CA pool resource path format like: `projects/{project}/locations/{location}/caPools/{ca_pool}` * **Region Matching:** Workloads are ONLY issued certificates from CA pools within the same region. Also the CA pool region (in value) must match the workload's region (key). | true | false | None | None | None | +| `lifetime` | Lifetime of the workload certificates issued by the CA pool in seconds. Must be between `86400s` (24 hours) to `2592000s` (30 days), ends in the suffix "`s`" (indicating seconds) and is preceded by the number of seconds. If unspecified, this will be defaulted to `86400s` (24 hours). | false | false | None | None | None | +| `rotation_window_percentage` | Rotation window percentage indicating when certificate rotation should be initiated based on remaining lifetime. Must be between `50` - `80`. If unspecified, this will be defaulted to `50`. | false | false | None | None | None | +| `key_algorithm` | Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If unspecified, this will default to `ECDSA_P256`. * `RSA_2048`: Specifies RSA with a 2048-bit modulus. * `RSA_3072`: Specifies RSA with a 3072-bit modulus. * `RSA_4096`: Specifies RSA with a 4096-bit modulus. 
* `ECDSA_P256`: Specifies ECDSA with curve P256. * `ECDSA_P384`: Specifies ECDSA with curve P384. Possible values are: `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECDSA_P256`, `ECDSA_P384`. | false | false | None | None | None | + +### inline_trust_config Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `additional_trust_bundles` | Maps specific trust domains (e.g., "example.com") to their corresponding `TrustStore` objects, which contain the trusted root certificates for that domain. There can be a maximum of `10` trust domain entries in this map. Note that a trust domain automatically trusts itself and don't need to be specified here. If however, this `WorkloadIdentityPool`'s trust domain contains any trust anchors in the `additional_trust_bundles` map, those trust anchors will be *appended to* the Trust Bundle automatically derived from your `InlineCertificateIssuanceConfig`'s `ca_pools`. Structure is [documented below](#nested_inline_trust_config_additional_trust_bundles). | false | false | None | None | None | + +### additional_trust_bundles Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `trust_domain` | | false | false | None | None | None | +| `trust_anchors` | List of Trust Anchors to be used while performing validation against a given `TrustStore`. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is [documented below](#nested_inline_trust_config_additional_trust_bundles_trust_store_trust_anchors). 
| true | false | None | None | None | + +### trust_anchors Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `pem_certificate` | PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert). | true | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_iam.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_iam.md new file mode 100644 index 000000000..ece2fba2c --- /dev/null +++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_iam.md 
@@ -0,0 +1,26 @@ +## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_iam` + +This section provides a concise policy evaluation for the `iam_workload_identity_pool_iam` resource in GCP. + +Reference: [Terraform Registry – iam_workload_identity_pool_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_iam) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `workload_identity_pool_id` | | false | false | None | None | None | +| `project` | If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used. | false | false | None | None | None | +| `member/members` | Each entry can have one of the following values: * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account. * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account. * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com. * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com. * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com. * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com. * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project" * **projectEditor:projectid**: Editors of the given project. 
For example, "projectEditor:my-example-project" * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project" | false | false | None | None | None | +| `role` | `google_iam_workload_identity_pool_iam_binding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`. | false | false | None | None | None | +| `policy_data` | a `google_iam_policy` data source. | false | false | None | None | None | +| `condition` | Structure is documented below. --- | false | false | None | None | None | + +### condition Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `expression` | | false | false | None | None | None | +| `title` | | false | false | None | None | None | +| `description` | ~> **Warning:** Terraform considers the `role` and condition contents (`title`+`description`+`expression`) as the identifier for the binding. This means that if any part of the condition is changed out-of-band, Terraform will consider it to be an entirely different resource and will treat it as such. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_managed_identity.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_managed_identity.md new file mode 100644 index 000000000..a57a2e6d0 --- /dev/null +++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_managed_identity.md 
@@ -0,0 +1,25 @@ +## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_managed_identity` + +This section provides a concise policy evaluation for the `iam_workload_identity_pool_managed_identity` resource in GCP. + +Reference: [Terraform Registry – iam_workload_identity_pool_managed_identity](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_managed_identity) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `workload_identity_pool_id` | The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None | +| `workload_identity_pool_namespace_id` | The ID to use for the namespace. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix `gcp-` will be reserved for future uses. | true | false | None | None | None | +| `workload_identity_pool_managed_identity_id` | The ID to use for the managed identity. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix `gcp-` will be reserved for future uses. | true | false | None | None | None | +| `description` | A description of the managed identity. Cannot exceed 256 characters. | false | false | None | None | None | +| `disabled` | Whether the managed identity is disabled. If disabled, credentials may no longer be issued for the identity, however existing credentials will still be accepted until they expire. 
| false | false | None | None | None | +| `attestation_rules` | Defines which workloads can receive an identity within a pool. When an AttestationRule is defined under a managed identity, matching workloads may receive that identity. A maximum of 50 AttestationRules can be set. Structure is [documented below](#nested_attestation_rules). | false | false | None | None | None | +| `project` | If it is not provided, the provider project is used. | false | false | None | None | None | + +### attestation_rules Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `google_cloud_resource` | A single workload operating on Google Cloud. For example: `//compute.googleapis.com/projects/123/uid/zones/us-central1-a/instances/12345678`. | true | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_namespace.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_namespace.md new file mode 100644 index 000000000..c89e47163 --- /dev/null +++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_namespace.md 
@@ -0,0 +1,17 @@
+## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_namespace`
+
+This section provides a concise policy evaluation for the `iam_workload_identity_pool_namespace` resource in GCP.
+
+Reference: [Terraform Registry – iam_workload_identity_pool_namespace](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_namespace)
+
+---
+
+## Argument Reference
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `workload_identity_pool_id` | The ID to use for the pool, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None |
+| `workload_identity_pool_namespace_id` | The ID to use for the namespace. This value must: * contain at most 63 characters * contain only lowercase alphanumeric characters or `-` * start with an alphanumeric character * end with an alphanumeric character The prefix `gcp-` will be reserved for future uses. | true | false | None | None | None |
+| `description` | A description of the namespace. Cannot exceed 256 characters. | false | false | None | None | None |
+| `disabled` | Whether the namespace is disabled. If disabled, credentials may no longer be issued for identities within this namespace, however existing credentials will still be accepted until they expire. | false | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_provider.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_provider.md
new file mode 100644
index 000000000..d9e42c86a
--- /dev/null
+++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_provider.md 
@@ -0,0 +1,72 @@ +## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_provider` + +This section provides a concise policy evaluation for the `iam_workload_identity_pool_provider` resource in GCP. + +Reference: [Terraform Registry – iam_workload_identity_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider) + +--- + +## Argument Reference + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `workload_identity_pool_id` | The ID used for the pool, which is the final component of the pool resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None | +| `workload_identity_pool_provider_id` | The ID for the provider, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None | +| `display_name` | A display name for the provider. Cannot exceed 32 characters. | false | false | None | None | None | +| `description` | A description for the provider. Cannot exceed 256 characters. | false | false | None | None | None | +| `disabled` | Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. However, existing tokens still grant access. | false | false | None | None | None | +| `attribute_mapping` | Maps attributes from authentication credentials issued by an external identity provider to Google Cloud attributes, such as `subject` and `segment`. Each key must be a string specifying the Google Cloud IAM attribute to map to. 
The following keys are supported: * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. Cannot exceed 127 characters. * `google.groups`: Groups the external identity belongs to. You can grant groups access to resources using an IAM `principalSet` binding; access applies to all members of the group. You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where `{custom_attribute}` is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. You can reference these attributes in IAM policies to define fine-grained access for a workload to Google Cloud resources. For example: * `google.subject`: `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}` * `google.groups`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}` * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` Each value must be a [Common Expression Language](https://opensource.google/projects/cel) function that maps an identity provider credential to the normalized attribute specified by the corresponding map key. You can use the `assertion` keyword in the expression to access a JSON representation of the authentication credential issued by the provider. The maximum length of an attribute mapping expression is 2048 characters. When evaluated, the total size of all mapped attributes must not exceed 8KB. 
For AWS providers, the following rules apply: - If no attribute mapping is defined, the following default mapping applies: ``` { "google.subject":"assertion.arn", "attribute.aws_role": "assertion.arn.contains('assumed-role')" " ? assertion.arn.extract('{account_arn}assumed-role/')" " + 'assumed-role/'" " + assertion.arn.extract('assumed-role/{role_name}/')" " : assertion.arn", } ``` - If any custom attribute mappings are defined, they must include a mapping to the `google.subject` attribute. For OIDC providers, the following rules apply: - Custom attribute mappings must be defined, and must include a mapping to the `google.subject` attribute. For example, the following maps the `sub` claim of the incoming credential to the `subject` attribute on a Google token. ``` {"google.subject": "assertion.sub"} ``` | false | false | None | None | None | +| `attribute_condition` | [A Common Expression Language](https://opensource.google/projects/cel) expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted. The expression must output a boolean representing whether to allow the federation. The following keywords may be referenced in the expressions: * `assertion`: JSON representing the authentication credential issued by the provider. * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credential are accepted. The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: ``` "'admins' in google.groups" ``` | false | false | None | None | None | +| `aws` | An Amazon Web Services identity provider. Not compatible with the property oidc or saml. Structure is [documented below](#nested_aws). 
| false | false | None | None | None | +| `oidc` | An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml. Structure is [documented below](#nested_oidc). | false | false | None | None | None | +| `saml` | An SAML 2.0 identity provider. Not compatible with the property oidc or aws. Structure is [documented below](#nested_saml). | false | false | None | None | None | +| `x509` | An X.509-type identity provider represents a CA. It is trusted to assert a client identity if the client has a certificate that chains up to this CA. Structure is [documented below](#nested_x509). | false | false | None | None | None | +| `project` | If it is not provided, the provider project is used. | false | false | None | None | None | +| `trust_store` | | false | false | None | None | None | +| `trust_anchors` | | false | false | None | None | None | +| `intermediate_cas` | | false | false | None | None | None | + +### aws Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `account_id` | The AWS account ID. | true | false | None | None | None | + +### oidc Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `allowed_audiences` | Acceptable values for the `aud` field (audience) in the OIDC token. Token exchange requests are rejected if the token audience does not match one of the configured values. Each audience may be at most 256 characters. A maximum of 10 audiences may be configured. If this list is empty, the OIDC token audience must be equal to the full canonical resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix. 
For example: ``` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ ``` | false | false | None | None | None | +| `issuer_uri` | The OIDC issuer URL. | true | false | None | None | None | +| `jwks_json` | OIDC JWKs in JSON String format. For details on definition of a JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we use the `jwks_uri` from the discovery document fetched from the .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric keys are supported. The JWK must use following format and include only the following fields: ``` { "keys": [ { "kty": "RSA/EC", "alg": "", "use": "sig", "kid": "", "n": "", "e": "", "x": "", "y": "", "crv": "" } ] } ``` | false | false | None | None | None | + +### saml Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `idp_metadata_xml` | SAML Identity provider configuration metadata xml doc. | true | false | None | None | None | + +### x509 Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `trust_store` | A Trust store, use this trust store as a wrapper to config the trust anchor and optional intermediate cas to help build the trust chain for the incoming end entity certificate. Follow the x509 guidelines to define those PEM encoded certs. Only 1 trust store is currently supported. Structure is [documented below](#nested_x509_trust_store). 
| true | false | None | None | None | + +### trust_store Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `trust_anchors` | List of Trust Anchors to be used while performing validation against a given TrustStore. The incoming end entity's certificate must be chained up to one of the trust anchors here. Structure is [documented below](#nested_x509_trust_store_trust_anchors). | true | false | None | None | None | +| `intermediate_cas` | Set of intermediate CA certificates used for building the trust chain to trust anchor. IMPORTANT: Intermediate CAs are only supported when configuring x509 federation. Structure is [documented below](#nested_x509_trust_store_intermediate_cas). | false | false | None | None | None | + +### trust_anchors Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `pem_certificate` | PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert). | false | false | None | None | None | + +### intermediate_cas Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `pem_certificate` | PEM certificate of the PKI used for validation. Must only contain one ca certificate(either root or intermediate cert). | false | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json index f5e78fb01..9e3fa084b 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json 
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json 
@@ -5,143 +5,88 @@
 "name": {
 "description": "The name of the policy.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": "If naming is not consistent, it becomes hard to manage or track policies in GCP.",
+ "rationale": "We enforce a simple naming rule (pde-*) so all policies follow the same pattern and are easy to identify.",
+ "compliant": "pde-access-boundary-prod",
+ "non-compliant": "myPolicy123",
 "parent": null
 },
+
 "parent": {
- "description": "The attachment point is identified by its URL-encoded full resource name.",
+ "description": "The resource where this policy is attached.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": "If parent is wrong, policy may be applied to the wrong project or not applied at all.",
+ "rationale": "Parent must always be a valid GCP project or organization path so the policy applies correctly.",
+ "compliant": "cloudresourcemanager.googleapis.com/projects/123456789",
+ "non-compliant": "projects/test-project",
 "parent": null
 },
+
 "rules": {
- "description": "Rules to be applied. Structure is [documented below](#nested_rules).",
+ "description": "Rules that define what resources and permissions are allowed.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": "Rules control access. Wrong rules can give too much access or block needed access.",
+ "rationale": "We use rules to enforce least privilege and limit access only to required resources.",
 "compliant": null,
 "non-compliant": null,
- "parent": null,
- "arguments": {
- "description": {
- "description": "The description of the rule.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "rules"
- },
- "access_boundary_rule": {
- "description": "An access boundary rule in an IAM policy. Structure is [documented below](#nested_rules_rules_access_boundary_rule).",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "rules"
- }
- }
+ "parent": null
 },
+
 "display_name": {
- "description": "The display name of the rule.",
+ "description": "A simple name shown in the console.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": "Helps identify policies easily in UI.",
+ "rationale": "Used for readability and easier management.",
+ "compliant": "Production Access Boundary Policy",
+ "non-compliant": "test",
 "parent": null
 },
+
 "access_boundary_rule": {
- "description": "",
- "required": null,
- "security_impact": null,
- "rationale": null,
+ "description": "Defines which resources and permissions are allowed.",
+ "required": false,
+ "security_impact": "Prevents users from accessing unauthorized resources.",
+ "rationale": "We use this to enforce least privilege access in GCP.",
 "compliant": null,
 "non-compliant": null,
- "parent": null,
- "arguments": {
- "available_resource": {
- "description": "The full resource name of a Google Cloud resource entity.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "access_boundary_rule"
- },
- "available_permissions": {
- "description": "A list of permissions that may be allowed for use on the specified resource.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "access_boundary_rule"
- },
- "availability_condition": {
- "description": "The availability condition further constrains the access allowed by the access boundary rule. Structure is [documented below](#nested_rules_rules_access_boundary_rule_availability_condition).",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "access_boundary_rule"
- }
- }
+ "parent": null
+ },
+
+ "available_resource": {
+ "description": "The GCP resource that is allowed.",
+ "required": false,
+ "security_impact": "Restricts access to only approved projects or resources.",
+ "rationale": "Avoids access to wrong or sensitive projects.",
+ "compliant": "//cloudresourcemanager.googleapis.com/projects/123456789",
+ "non-compliant": "//cloudresourcemanager.googleapis.com/projects/random-project",
+ "parent": "access_boundary_rule"
+ },
+
+ "available_permissions": {
+ "description": "Permissions allowed for the resource.",
+ "required": false,
+ "security_impact": "Prevents giving full admin access accidentally.",
+ "rationale": "We only allow required permissions instead of full access.",
+ "compliant": ["resourcemanager.projects.get"],
+ "non-compliant": ["*"],
+ "parent": "access_boundary_rule"
 },
+
 "availability_condition": {
- "description": "",
- "required": null,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": null,
- "arguments": {
- "expression": {
- "description": "Textual representation of an expression in Common Expression Language syntax.",
- "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "availability_condition"
- },
- "title": {
- "description": "Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "availability_condition"
- },
- "description": {
- "description": "Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "availability_condition"
- },
- "location": {
- "description": "String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "availability_condition"
- }
- }
+ "description": "Extra condition to control when access is allowed.",
+ "required": false,
+ "security_impact": "Adds extra safety like time-based or condition-based access control.",
+ "rationale": "Used to restrict access under specific conditions only.",
+ "compliant": {
+ "expression": "request.time < timestamp('2026-12-31T00:00:00Z')",
+ "title": "Time limit",
+ "description": "Access allowed only before expiry date",
+ "location": "global"
+ },
+ "non-compliant": {
+ "expression": "true"
+ },
+ "parent": "access_boundary_rule"
 }
 }
 }
\ No newline at end of file
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json
index 656e17ee7..621d7ed27 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json
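Review bot: The `compliant` example for `parent`, `cloudresourcemanager.googleapis.com/projects/123456789`, is not URL-encoded, although the description this hunk removes said the attachment point is the URL-encoded full resource name; if I recall the provider example correctly the `/` separators have to be encoded, i.e. `cloudresourcemanager.googleapis.com%2Fprojects%2F123456789`, so the "compliant" value would be rejected as written. `security_impact` changes here from `null` to free-text sentences, while the binding and OAuth client files later in this commit (iam_folders_policy_binding.json, iam_oauth_client.json, iam_oauth_client_credential.json) use booleans for the same key, so anything consuming these files meets two incompatible shapes. The `availability_condition` `location` field is an error-reporting hint for the expression, not a region, so `"location": "global"` in the compliant example is misleading; a file/position string or omitting the key would be accurate (same example in iam_deny_policy.json). The `non-compliant` value for `available_resource` has exactly the shape of the compliant one and differs only in the project ID, so it does not show what an out-of-scope resource looks like.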
@@ -5,161 +5,88 @@
 "name": {
 "description": "The name of the policy.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": "If naming is not controlled, deny policies become hard to identify and manage, which can cause security confusion.",
+ "rationale": "We enforce a simple naming rule using prefix 'pde-' so all deny policies are consistent and easy to track.",
+ "compliant": "pde-deny-policy-prod",
+ "non-compliant": "denyPolicy123",
 "parent": null
 },
+
 "parent": {
 "description": "The attachment point is identified by its URL-encoded full resource name.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": "If parent is wrong, deny policy may be applied to the wrong project or not applied at all, which is a major security risk.",
+ "rationale": "Parent must always follow valid GCP resource format so the deny policy is applied to the correct scope.",
+ "compliant": "cloudresourcemanager.googleapis.com/projects/123456789",
+ "non-compliant": "projects/test-project",
 "parent": null
 },
+
 "rules": {
- "description": "Rules to be applied. Structure is [documented below](#nested_rules).",
+ "description": "Rules to be applied.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": "Rules define what access is denied. Incorrect rules can either block valid users or allow unauthorized access.",
+ "rationale": "Rules are used to enforce strict deny controls on sensitive resources.",
 "compliant": null,
 "non-compliant": null,
- "parent": null,
- "arguments": {
- "description": {
- "description": "The description of the rule.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "rules"
- },
- "deny_rule": {
- "description": "A deny rule in an IAM deny policy. Structure is [documented below](#nested_rules_rules_deny_rule).",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "rules"
- }
- }
+ "parent": null
 },
+
 "display_name": {
 "description": "The display name of the rule.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": "Helps identify the deny policy in console and audit logs.",
+ "rationale": "Used for readability and easier management of policies.",
+ "compliant": "Production Deny Policy",
+ "non-compliant": "test123",
 "parent": null
 },
+
 "deny_rule": {
 "description": "",
 "required": null,
- "security_impact": null,
- "rationale": null,
+ "security_impact": "Controls which users and permissions are explicitly blocked from accessing resources.",
+ "rationale": "Used to enforce security restrictions and prevent unauthorized actions.",
 "compliant": null,
 "non-compliant": null,
- "parent": null,
- "arguments": {
- "denied_principals": {
- "description": "The identities that are prevented from using one or more permissions on Google Cloud resources.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "deny_rule"
- },
- "exception_principals": {
- "description": "The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "deny_rule"
- },
- "denied_permissions": {
- "description": "The permissions that are explicitly denied by this rule. Each permission uses the format `{service-fqdn}/{resource}.{verb}`, where `{service-fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "deny_rule"
- },
- "exception_permissions": {
- "description": "Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "deny_rule"
- },
- "denial_condition": {
- "description": "User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is [documented below](#nested_rules_rules_deny_rule_denial_condition).",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "deny_rule"
- }
- }
+ "parent": null
 },
+
+ "denied_principals": {
+ "description": "Users or identities that are blocked from access.",
+ "required": false,
+ "security_impact": "Prevents unauthorized users from accessing sensitive resources.",
+ "rationale": "We block risky or unwanted identities using deny rules.",
+ "compliant": ["user:blocked-user@example.com"],
+ "non-compliant": ["allUsers"],
+ "parent": "deny_rule"
+ },
+
+ "denied_permissions": {
+ "description": "Permissions that are explicitly denied.",
+ "required": false,
+ "security_impact": "Prevents execution of sensitive or admin-level operations.",
+ "rationale": "We deny high-risk permissions to enforce least privilege.",
+ "compliant": ["iam.googleapis.com/roles.list"],
+ "non-compliant": ["*"],
+ "parent": "deny_rule"
+ },
+
 "denial_condition": {
- "description": "",
- "required": null,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": null,
- "arguments": {
- "expression": {
- "description": "Textual representation of an expression in Common Expression Language syntax.",
- "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "denial_condition"
- },
- "title": {
- "description": "Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "denial_condition"
- },
- "description": {
- "description": "Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "denial_condition"
- },
- "location": {
- "description": "String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "denial_condition"
- }
- }
+ "description": "Condition when the deny rule should apply.",
+ "required": false,
+ "security_impact": "Adds conditional security checks (like time, IP, or context-based restrictions).",
+ "rationale": "Used to apply deny rules only in specific situations.",
+ "compliant": {
+ "expression": "request.time < timestamp('2026-12-31T00:00:00Z')",
+ "title": "Time restriction",
+ "description": "Deny access after expiry date",
+ "location": "global"
+ },
+ "non-compliant": {
+ "expression": "true"
+ },
+ "parent": "deny_rule"
 }
 }
 }
\ No newline at end of file
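Review bot: `exception_principals` and `exception_permissions` are removed from the `deny_rule` arguments and not re-added in the flattened layout, while `denied_principals`, `denied_permissions` and `denial_condition` are; those two fields are what carve holes in a deny policy, so they are the ones a reviewer most needs documented, with a `non-compliant` example showing an exception that re-admits a broad group. The `compliant` value `user:blocked-user@example.com` for `denied_principals` is the allow-policy principal syntax; deny policies take v2 identifiers such as `principal://goog/subject/blocked-user@example.com`, and `principalSet://goog/public:all` is the deny-policy form of the public principal, so both examples would need changing. The `denial_condition` examples are inverted relative to the risk: `"expression": "true"` makes the deny unconditional, whereas the supposedly compliant `request.time < timestamp('2026-12-31T00:00:00Z')` silently lifts the deny after that date, which is the pattern a deny-policy review should catch. `deny_rule` also keeps `"description": ""` and `"required": null` from the old file while every sibling got real text.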
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
index d5324c411..a551fe373 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
@@ -2,132 +2,143 @@
 "resource_name": "iam_folders_policy_binding",
 "subcategory": "Cloud IAM",
 "arguments": {
- "target": {
- "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target).",
- "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": null,
- "arguments": {
- "principal_set": {
- "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder).",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": "target"
- }
- }
- },
- "policy": {
- "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).",
- "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": null
- },
 "folder": {
- "description": "The parent folder for the PolicyBinding.",
+ "description": "The parent folder for the IAM policy binding. Must be a valid numeric GCP folder ID.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Ensures IAM policy is applied only at a valid folder scope.",
+ "compliant": "224774388",
+ "non-compliant": "my-folder",
 "parent": null
 },
+
 "location": {
- "description": "The location of the PolicyBinding.",
+ "description": "The location of the policy binding. Must always be global for folder IAM bindings.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "IAM folder bindings are global to ensure consistent access control.",
+ "compliant": "global",
+ "non-compliant": "us-central1",
 "parent": null
 },
+
 "policy_binding_id": {
- "description": "The Policy Binding ID.",
+ "description": "Unique identifier for the policy binding.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Ensures each binding is uniquely identifiable.",
+ "compliant": "folder-binding-01",
+ "non-compliant": "Folder Binding 01",
 "parent": null
 },
+
 "display_name": {
- "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.",
+ "description": "Optional human-readable name for the policy binding (max 63 characters).",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": false,
+ "rationale": "Used only for display purposes.",
+ "compliant": "Folder IAM Binding",
+ "non-compliant": "This name is way too long and not valid for IAM folder binding display name usage",
 "parent": null
 },
+
 "annotations": {
- "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.",
+ "description": "Optional metadata used for tagging and classification.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": false,
+ "rationale": "Does not affect IAM security enforcement.",
+ "compliant": {
+ "environment": "dev",
+ "team": "security"
+ },
+ "non-compliant": {
+ "notes": "this is an invalid overly long annotation example used for testing purposes and should not be used in production environments because it violates expected size constraints"
+ },
 "parent": null
 },
+
 "policy_kind": {
- "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS",
+ "description": "Type of IAM policy being applied (e.g., ACCESS or PRINCIPAL_ACCESS_BOUNDARY).",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Defines how IAM policy is enforced.",
+ "compliant": "ACCESS",
+ "non-compliant": "INVALID_TYPE",
 "parent": null
 },
+
+ "target": {
+ "description": "Full resource name of the target folder where the policy is applied.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "Defines the exact scope of IAM enforcement.",
+ "compliant": "//cloudresourcemanager.googleapis.com/folders/224774388",
+ "non-compliant": "//invalid/resource",
+ "parent": null,
+
+ "arguments": {
+ "principal_set": {
+ "description": "Principal set used for access boundary enforcement within the folder.",
+ "required": false,
+ "security_impact": true,
+ "rationale": "Restricts access to approved identities within folder boundary.",
+ "compliant": "//cloudresourcemanager.googleapis.com/folders/224774388",
+ "non-compliant": "//cloudresourcemanager.googleapis.com/projects/123",
+ "parent": "target"
+ }
+ }
+ },
+
 "condition": {
- "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).",
+ "description": "Optional CEL condition for conditional IAM access control.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Enables fine-grained access control rules.",
+ "compliant": {
+ "expression": "resource.name.startsWith('folders/')",
+ "title": "Folder access rule",
+ "description": "Allows access only to folder resources"
+ },
+ "non-compliant": {
+ "expression": "true"
+ },
 "parent": null,
+
 "arguments": {
 "expression": {
- "description": "Textual representation of an expression in Common Expression Language syntax.",
+ "description": "CEL expression defining IAM condition logic.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Controls conditional access behavior.",
+ "compliant": "resource.name.startsWith('folders/')",
+ "non-compliant": "true",
 "parent": "condition"
 },
 "title": {
- "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.",
+ "description": "Short title for the condition.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": false,
+ "rationale": "For readability only.",
+ "compliant": "Folder Condition",
+ "non-compliant": "",
 "parent": "condition"
 },
 "description": {
- "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.",
+ "description": "Detailed explanation of the condition.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": false,
+ "rationale": "Documentation purpose only.",
+ "compliant": "Restricts access to folder-level resources",
+ "non-compliant": "",
 "parent": "condition"
 },
 "location": {
- "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.",
+ "description": "Debug location for condition evaluation.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": false,
+ "rationale": "Used for error tracing.",
+ "compliant": "global",
+ "non-compliant": "",
 "parent": "condition"
 }
 }
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
index c8a8ee200..b8c6c6ab3 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
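Review bot: The required `policy` argument (the resource name of the policy being bound, per the removed description) is deleted from the `arguments` map and never re-added, so the flattened document no longer lists one of the two values that define what this binding does; `target` was restored in a new shape, `policy` was not. `security_impact` is a boolean here, while the two policy files earlier in this commit use sentences for the same key, so whatever reads these files has to handle both. The `non-compliant` value for `annotations` illustrates an oversized value, but the `rationale` only says annotations don't affect enforcement; a line such as `"rationale": "Annotations are informational only; oversized values are rejected by the API."` would say why the example fails. The `compliant` folder ID `224774388` and the same value inside `target`/`principal_set` look like they may be a real identifier rather than a placeholder; a clearly fake value such as `123456789012` avoids readers copying it into their own bindings.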
@@ -2,94 +2,103 @@
 "resource_name": "iam_oauth_client",
 "subcategory": "Cloud IAM",
 "arguments": {
- "allowed_scopes": {
- "description": "Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. * `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups.",
+ "location": {
+ "description": "Location where the OAuth client is deployed. Must always be global.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Ensures OAuth configuration consistency across GCP IAM services.",
+ "compliant": "global",
+ "non-compliant": "us-central1",
 "parent": null
 },
- "allowed_grant_types": {
- "description": "Required. The list of OAuth grant types is allowed for the OauthClient.",
+
+ "oauth_client_id": {
+ "description": "Unique OAuth client ID. Must be 6–63 characters, lowercase letters, digits, or hyphens. Cannot start or end with hyphen and cannot use 'gcp-' prefix.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Prevents insecure or invalid OAuth client identifiers.",
+ "compliant": "example-client-01",
+ "non-compliant": "gcp-client-01-",
 "parent": null
 },
- "allowed_redirect_uris": {
- "description": "Required. The list of redirect uris that is allowed to redirect back when authorization process is completed.",
+
+ "client_type": {
+ "description": "Type of OAuth client. Only PUBLIC_CLIENT or CONFIDENTIAL_CLIENT are allowed.",
+ "required": false,
+ "security_impact": true,
+ "rationale": "Restricts OAuth client types to approved security models.",
+ "compliant": "CONFIDENTIAL_CLIENT",
+ "non-compliant": "UNKNOWN_CLIENT",
+ "parent": null
+ },
+
+ "allowed_scopes": {
+ "description": "List of OAuth scopes allowed for authentication flows.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Restricting scopes reduces access exposure and privilege escalation risk.",
+ "compliant": ["openid", "email"],
+ "non-compliant": ["*"],
 "parent": null
 },
- "location": {
- "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.",
+
+ "allowed_grant_types": {
+ "description": "OAuth grant types allowed for the client.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Controls authentication flow security.",
+ "compliant": ["AUTHORIZATION_CODE_GRANT"],
+ "non-compliant": [],
 "parent": null
 },
- "oauth_client_id": {
- "description": "Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified.",
+
+ "allowed_redirect_uris": {
+ "description": "List of allowed redirect URIs after authentication.",
 "required": true,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Prevents redirect attacks and phishing risks.",
+ "compliant": ["https://example.com"],
+ "non-compliant": ["http://evil.com"],
 "parent": null
 },
+
 "disabled": {
- "description": "Whether the OauthClient is disabled. You cannot use a disabled OAuth client.",
+ "description": "Indicates whether the OAuth client is disabled.",
 "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "security_impact": true,
+ "rationale": "Disabled clients cannot be used for authentication.",
+ "compliant": false,
+ "non-compliant": true,
 "parent": null
 },
+
 "display_name": {
- "description": "A user-specified display name of the OauthClient. Cannot exceed 32 characters.",
+ "description": "Human-readable name for the OAuth client.",
 "required": false,
- "security_impact": null,
+ "security_impact": false,
 "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "compliant": "Valid OAuth Client",
+ "non-compliant": "Invalid Client",
 "parent": null
 },
+
 "description": {
- "description": "A user-specified description of the OauthClient. Cannot exceed 256 characters.",
+ "description": "Optional description of the OAuth client.",
 "required": false,
- "security_impact": null,
+ "security_impact": false,
 "rationale": null,
- "compliant": null,
- "non-compliant": null,
- "parent": null
- },
- "client_type": {
- "description": "Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. Possible values: CLIENT_TYPE_UNSPECIFIED PUBLIC_CLIENT CONFIDENTIAL_CLIENT",
- "required": false,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "compliant": "OAuth client for production app",
+ "non-compliant": "",
 "parent": null
 },
+
 "project": {
- "description": "If it is not provided, the provider project is used.",
- "required": null,
- "security_impact": null,
- "rationale": null,
- "compliant": null,
- "non-compliant": null,
+ "description": "GCP project where the OAuth client is created.",
+ "required": false,
+ "security_impact": true,
+ "rationale": "Ensures correct project-level isolation.",
+ "compliant": "smooth-verve-467716-v1",
+ "non-compliant": "",
 "parent": null
 }
 }
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
index 2172b837b..c60d88c5f 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
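Review bot: Marking `"disabled": true` as the `non-compliant` value for `disabled` inverts the control's purpose: disabling a client is the containment step when its secret or redirect URIs are suspected compromised, so any checker built from this file would flag the safe response as a violation; the same pair appears in iam_oauth_client_credential.json in this commit. The new `oauth_client_id` description loosens the rule the hunk removes — the old text required the ID to start with a letter, the new one only forbids a leading or trailing hyphen — so an ID such as `1-client` now reads as acceptable. The `compliant` value for `project`, `smooth-verve-467716-v1` (also used in the credential file), looks like a real project ID rather than a placeholder; published docs should carry an obviously fake value such as `my-project-id`. `"non-compliant": []` for `allowed_grant_types` is an API validation failure rather than a weak configuration, so it does not show readers what an over-permissive grant set looks like.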
@@ -3,57 +3,62 @@ "subcategory": "Cloud IAM", "arguments": { "location": { - "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.", + "description": "Location where the OAuth client credential is created. Must always be global.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Restricting location to global ensures consistent IAM control and avoids regional misconfiguration.", + "compliant": "global", + "non-compliant": "us-central1", "parent": null }, + "oauthclient": { - "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.", + "description": "Parent OAuth client identifier used to associate the credential.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Invalid client associations can lead to unauthorized credential binding.", + "compliant": "example-client-id", + "non-compliant": "invalid-client", "parent": null }, + "oauth_client_credential_id": { - "description": "Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.", + "description": "Unique credential ID. Must follow 4–32 chars, lowercase letters, numbers, and hyphens. 
Cannot start with 'gcp-'.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Strict naming prevents insecure or reserved prefix usage.", + "compliant": "cred-01a", + "non-compliant": "gcp-cred-01a", "parent": null }, + "disabled": { - "description": "Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential.", + "description": "Indicates whether the credential is disabled.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Disabled credentials cannot be used for authentication.", + "compliant": false, + "non-compliant": true, "parent": null }, + "display_name": { - "description": "A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters.", + "description": "Human-readable name for the credential.", "required": false, - "security_impact": null, + "security_impact": false, "rationale": null, - "compliant": null, - "non-compliant": null, + "compliant": "Valid Credential", + "non-compliant": "Invalid Credential", "parent": null }, + "project": { - "description": "If it is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "description": "GCP project where the resource is created. If not set, provider project is used.", + "required": false, + "security_impact": true, + "rationale": "Ensures correct project scoping for IAM isolation.", + "compliant": "smooth-verve-467716-v1", + "non-compliant": "", "parent": null } } diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json index 6438bf6d2..05453ca6b 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json 
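Review bot: The `disabled` entry marks `true` as non-compliant, which would flag a deliberately revoked credential as a finding; `disabled = true` is the locked state of the credential, not a misconfiguration. Suggest `"rationale": "Disabling is the revocation control for a retired or compromised credential; the value reflects lifecycle, not compliance."` with `"compliant": null` and `"non-compliant": null`, and the same applies to the `disabled` entry of iam_oauth_client.json in the preceding hunk, which starts outside this chunk. The `project` compliant example `smooth-verve-467716-v1` reads like a real auto-generated project ID rather than a placeholder; use something like `my-project-id`, which the Terraform fixtures in this commit already use.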
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json 
@@ -2,135 +2,59 @@ "resource_name": "iam_organizations_policy_binding", "subcategory": "Cloud IAM", "arguments": { - "target": { - "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target).", - "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "principal_set": { - "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Organization `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` It must be parent by the policy binding's parent (the organization).", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "target" - } - } - }, - "policy": { - "description": "Required. Immutable. The resource name of the policy to be bound. 
The binding parent and policy must belong to the same Organization (or Project).", - "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null - }, "organization": { - "description": "The parent organization of the Policy Binding.", + "description": "Numeric organization ID for binding.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Ensures policy is attached to correct organization boundary.", + "compliant": "123456789", + "non-compliant": "org-name", "parent": null }, "location": { - "description": "The location of the Policy Binding", + "description": "Must always be global.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "IAM bindings must be globally consistent.", + "compliant": "global", + "non-compliant": "us-central1", "parent": null }, "policy_binding_id": { - "description": "The Policy Binding ID.", + "description": "Unique identifier for policy binding.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Ensures unique tracking of bindings.", + "compliant": "binding-001", + "non-compliant": "binding#1", "parent": null }, "display_name": { - "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.", + "description": "Human readable name for policy binding.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": false, + "rationale": "No security impact.", + "compliant": "Org Binding", + "non-compliant": "", "parent": null }, "annotations": { - "description": "Optional. User defined annotations. 
See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", + "description": "User-defined metadata annotations.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": false, + "rationale": "Used for tagging only.", + "compliant": {}, + "non-compliant": {}, "parent": null }, "policy_kind": { - "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS", + "description": "Type of policy: PRINCIPAL_ACCESS_BOUNDARY or ACCESS.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Controls IAM enforcement behavior.", + "compliant": "ACCESS", + "non-compliant": "UNKNOWN", "parent": null - }, - "condition": { - "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. 
Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "expression": { - "description": "Textual representation of an expression in Common Expression Language syntax.", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "condition" - }, - "title": { - "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "condition" - }, - "description": { - "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. 
when hovered over it in a UI.", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "condition" - }, - "location": { - "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "condition" - } - } } } } \ No newline at end of file diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json index 9c47b3dfe..d336f019f 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json 
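Review bot: The new side drops `policy` and `target`, both `"required": true` on the old side, so the document no longer lists the two arguments that define which policy the binding attaches and to whom; the `policy` deletion is repeated in the iam_projects_policy_binding.json hunk below, which keeps `target` but removes `policy` as well. A reader can no longer tell from this file that a binding needs a policy resource name, and that entry is where the security guidance for this resource belongs. Restore it, e.g. `"policy": { "description": "Resource name of the policy to bind; must belong to the same organization as the binding.", "required": true, "security_impact": true, ... }`. Also, `annotations` gives `{}` for both compliant and non-compliant, so the pair distinguishes nothing.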
@@ -3,116 +3,49 @@ "subcategory": "Cloud IAM", "arguments": { "organization": { - "description": "The parent organization of the principal access boundary policy.", + "description": "Numeric organization ID.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Defines IAM boundary scope at organization level.", + "compliant": "123456789", + "non-compliant": "org-name", "parent": null }, "location": { - "description": "The location the principal access boundary policy is in.", + "description": "Must always be global.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Ensures centralized IAM enforcement.", + "compliant": "global", + "non-compliant": "us-central1", "parent": null }, "principal_access_boundary_policy_id": { - "description": "The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.", + "description": "Policy ID (2–62 chars, lowercase, numbers, hyphen, dot allowed).", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Ensures valid IAM naming standard.", + "compliant": "pab-policy-01", + "non-compliant": "INVALID_ID", "parent": null }, "display_name": { - "description": "The description of the principal access boundary policy. 
Must be less than or equal to 63 characters.", + "description": "Display name of policy.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": false, + "rationale": "No security impact.", + "compliant": "PAB Policy", + "non-compliant": "", "parent": null }, "annotations": { - "description": "User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", + "description": "Metadata tags for policy.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": false, + "rationale": "Only metadata.", + "compliant": {}, + "non-compliant": {}, "parent": null - }, - "details": { - "description": "Principal access boundary policy details Structure is [documented below](#nested_details).", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "rules": { - "description": "A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is [documented below](#nested_details_rules).", - "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "details" - }, - "enforcement_version": { - "description": "The version number that indicates which Google Cloud services are included in the enforcement (e.g. \\\"latest\\\", \\\"1\\\", ...). 
If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "details" - } - } - }, - "rules": { - "description": "", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "description": { - "description": "The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "rules" - }, - "resources": { - "description": "A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`.", - "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "rules" - }, - "effect": { - "description": "The access relationship of principals to the resources in this rule. Possible values: ALLOW", - "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "rules" - } - } } } } \ No newline at end of file diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json index e58cd4d6c..62767e11d 100644 
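Review bot: The rewritten `principal_access_boundary_policy_id` description loses the leading-lowercase-letter requirement and states the bound as 2–62 characters, whereas the old text says a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens or dots; the non-compliant example `INVALID_ID` relies on exactly that rule. Suggest `"description": "Policy ID: a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens or dots."`. The hunk also removes `details` together with `rules`, `resources`, `effect` and `enforcement_version`, which are the enforcement content of a principal access boundary policy; without them the file documents only naming and metadata, and the `resources` list (which organizations, folders or projects the principals may reach) is the argument with the largest security impact. If the nested arguments are being dropped for a tooling reason, say so in the commit description.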
--- a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json 
@@ -2,135 +2,146 @@ "resource_name": "iam_projects_policy_binding", "subcategory": "Cloud IAM", "arguments": { - "target": { - "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target).", - "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null, - "arguments": { - "principal_set": { - "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Project: * `//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER` * `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID` * Workload Identity Pool: `//iam.googleapis.com/projects/PROJECT_NUMBER/locations/LOCATION/workloadIdentityPools/WORKLOAD_POOL_ID` It must be parent by the policy binding's parent (the project).", - "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": "target" - } - } - }, - "policy": { - "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).", - "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "project": { + "description": "GCP project ID where the policy binding is applied. Must follow valid project naming rules (lowercase letters, numbers, and hyphens).", + "required": false, + "security_impact": true, + "rationale": "Ensures IAM policy is attached to a valid and controlled project scope.", + "compliant": "my-project-123", + "non-compliant": "Invalid_Project", "parent": null }, + "location": { - "description": "The location of the Policy Binding", + "description": "Location of the policy binding. 
Must always be global for IAM project policy bindings.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "IAM bindings must be globally consistent for proper access control enforcement.", + "compliant": "global", + "non-compliant": "us-central1", "parent": null }, + "policy_binding_id": { - "description": "The Policy Binding ID.", + "description": "Unique identifier for the policy binding within the project.", "required": true, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Ensures each IAM binding can be uniquely tracked and managed.", + "compliant": "project-binding-01", + "non-compliant": "Project Binding #1", "parent": null }, + "display_name": { - "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.", + "description": "Optional human-readable name for the policy binding (maximum 63 characters).", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": false, + "rationale": "Used only for identification and has no security impact.", + "compliant": "Project IAM Binding", + "non-compliant": "This is an extremely long invalid display name that exceeds allowed character limits for IAM resources", "parent": null }, + "annotations": { - "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. 
Please refer to the field `effective_annotations` for all of the annotations present on the resource.", + "description": "Optional metadata used to tag and classify the policy binding.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": false, + "rationale": "Annotations are informational only and do not affect IAM enforcement.", + "compliant": { + "environment": "prod", + "team": "security" + }, + "non-compliant": { + "note": "This annotation contains excessive invalid metadata that should not be used in production IAM configurations because it violates expected structure and readability standards" + }, "parent": null }, + "policy_kind": { - "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS", + "description": "Type of policy being applied. 
Possible values include ACCESS or PRINCIPAL_ACCESS_BOUNDARY.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Determines IAM enforcement behavior and access model.", + "compliant": "ACCESS", + "non-compliant": "UNKNOWN_TYPE", "parent": null }, + + "target": { + "description": "Full resource name of the target project where the policy binding is applied.", + "required": true, + "security_impact": true, + "rationale": "Defines exact IAM enforcement scope at project level.", + "compliant": "//cloudresourcemanager.googleapis.com/projects/my-project-123", + "non-compliant": "//invalid/resource/name", + "parent": null, + + "arguments": { + "principal_set": { + "description": "Principal set defining which identities are allowed within the project scope.", + "required": false, + "security_impact": true, + "rationale": "Restricts access to approved identities within project boundary.", + "compliant": "//cloudresourcemanager.googleapis.com/projects/123456789", + "non-compliant": "//cloudresourcemanager.googleapis.com/folders/123", + "parent": "target" + } + } + }, + "condition": { - "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. 
Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).", + "description": "Optional IAM condition using Common Expression Language (CEL) for conditional access control.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Allows fine-grained access control based on logical conditions.", + "compliant": { + "expression": "resource.name.startsWith('projects/')", + "title": "Project access rule", + "description": "Allows access only to project resources" + }, + "non-compliant": { + "expression": "true" + }, "parent": null, + "arguments": { "expression": { - "description": "Textual representation of an expression in Common Expression Language syntax.", + "description": "CEL expression used to define IAM conditional logic.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": true, + "rationale": "Controls when IAM policy is applied.", + 
"compliant": "resource.name.startsWith('projects/')", + "non-compliant": "true", "parent": "condition" }, "title": { - "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", + "description": "Short title describing the IAM condition.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": false, + "rationale": "Used for readability only.", + "compliant": "Project Condition", + "non-compliant": "", "parent": "condition" }, "description": { - "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.", + "description": "Detailed explanation of the IAM condition.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": false, + "rationale": "Documentation purpose only.", + "compliant": "Restricts access to project-level resources only", + "non-compliant": "", "parent": "condition" }, "location": { - "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.", + "description": "Debugging reference for IAM condition evaluation.", "required": false, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, + "security_impact": false, + "rationale": "Used for error tracing and debugging.", + "compliant": "global", + "non-compliant": "", "parent": "condition" } } - }, - "project": { - "description": "If it is not provided, the provider project is used.", - "required": null, - "security_impact": null, - "rationale": null, - "compliant": null, - "non-compliant": null, - "parent": null } } } \ No newline at end of file 
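Review bot: The `condition.location` examples use `"global"`, but the old description defines this field as a free-form string locating the expression for error reporting (a file name and position), not a region; an example of `"global"` will mislead readers into treating it like the resource-level `location`. Use a constructed example such as `"compliant": "policy.cel:12"` and keep the old wording in the description. Separately, `target.principal_set`'s new description "defining which identities are allowed within the project scope" misstates the field: per the old text it is the full resource name of the principal set the policy is bound to, not an allow-list of identities. Suggest `"description": "Full resource name of the principal set (project or workload identity pool) that this binding applies the policy to."`.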
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
new file mode 100644
index 000000000..9e774aa7a
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
@@ -0,0 +1,14 @@
+resource "google_iam_access_boundary_policy" "c" {
+ name = "pde-my-ab-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+ display_name = "My AB policy"
+ rules {
+ description = "AB rule"
+ access_boundary_rule {
+ availability_condition {
+ title = "Access level expr"
+ expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
new file mode 100644
index 000000000..49ad9a89a
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
@@ -0,0 +1,14 @@
+resource "google_iam_access_boundary_policy" "nc" {
+ name = "my-ab-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+ display_name = "My AB policy"
+ rules {
+ description = "AB rule"
+ access_boundary_rule {
+ availability_condition {
+ title = "Access level expr"
+ expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
+ }
+ }
+ }
+}
\ No newline at end of file
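Review bot: The compliant and non-compliant fixtures differ only in the `name` prefix `pde-`, and nothing in either file records which rule the pair exercises, so a reader of c.tf alone cannot tell why `pde-my-ab-policy` passes while `my-ab-policy` fails. Add a one-line header comment to c.tf such as `# name_validation: policy name must carry the "pde-" prefix` and its mirror in nc.tf (`# name_validation: missing "pde-" prefix`). The generated config.tf needs no change.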
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
new file mode 100644
index 000000000..f25bf6180
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
@@ -0,0 +1,17 @@
+resource "google_project" "c_project" {
+ project_id = "my-project-id"
+ name = "My Project"
+ org_id = "123456789"
+ billing_account = "000000-0000000-0000000-000000"
+}
+
+resource "google_beyondcorp_app_connection" "c" {
+ name = "my-app-connection"
+ project = google_project.c_project.project_id
+ type = "TCP_PROXY"
+
+ application_endpoint {
+ host = "foo-host"
+ port = 8080
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
new file mode 100644
index 000000000..bebb7d8af
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
@@ -0,0 +1,17 @@
+resource "google_project" "nc_project" {
+ project_id = "my-project-id"
+ name = "My Project"
+ org_id = "123456789"
+ billing_account = "000000-0000000-0000000-000000"
+}
+
+resource "google_beyondcorp_app_connection" "nc" {
+ name = "my-app-connection"
+ project = "invalid-project-format"
+ type = "TCP_PROXY"
+
+ application_endpoint {
+ host = "foo-host"
+ port = 8080
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
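Review bot: The `parent_validation` fixtures for `google_iam_access_boundary_policy` never declare that resource: both `c.tf` and `nc.tf` create a `google_project` and a `google_beyondcorp_app_connection`, so a rule that validates the access boundary policy's `parent` format has nothing to evaluate, and the non-compliant case varies the `project` attribute of an unrelated resource (`project = "invalid-project-format"`) rather than `parent`. Both files would pass or fail for reasons that have nothing to do with the rule under test, which makes the check look covered when it is not. This reads like a copy from a BeyondCorp fixture directory; the sibling `name_validation` pair shows the intended shape, and the deny-policy `parent_validation/nc.tf` in this same patch shows the malformed-parent pattern to mirror. A rewritten `nc.tf` along those lines is sketched below, with `c.tf` keeping the well-formed `cloudresourcemanager.googleapis.com/projects/my-project-id` parent.
```hcl
resource "google_iam_access_boundary_policy" "nc" {
  name         = "pde-my-ab-policy"
  parent       = "projects/my-project-id" # Invalid format: missing the cloudresourcemanager.googleapis.com/ prefix
  display_name = "My AB policy"
  # … unchanged: rules block as in name_validation/nc.tf …
}
```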
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
new file mode 100644
index 000000000..eef74600d
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
@@ -0,0 +1,23 @@
+resource "google_iam_deny_policy" "c" {
+ name = "pde-deny-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+
+ display_name = "Deny policy"
+
+ rules {
+ description = "Deny rule"
+
+ deny_rule {
+ denied_principals = ["principal://goog/subject/user@example.com"]
+
+ denied_permissions = [
+ "cloudresourcemanager.googleapis.com/projects.update"
+ ]
+
+ denial_condition {
+ title = "Condition"
+ expression = "true"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
new file mode 100644
index 000000000..6697a35f5
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
@@ -0,0 +1,23 @@
+resource "google_iam_deny_policy" "nc" {
+ name = "deny-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+
+ display_name = "Deny policy"
+
+ rules {
+ description = "Deny rule"
+
+ deny_rule {
+ denied_principals = ["principal://goog/subject/user@example.com"]
+
+ denied_permissions = [
+ "cloudresourcemanager.googleapis.com/projects.update"
+ ]
+
+ denial_condition {
+ title = "Condition"
+ expression = "true"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf
new file mode 100644
index 000000000..2c1e74122
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf
@@ -0,0 +1,20 @@
+resource "google_iam_deny_policy" "c" {
+ name = "pde-deny-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+
+ display_name = "PDE Deny Policy"
+
+ rules {
+ description = "Prevent unauthorized project updates"
+
+ deny_rule {
+ denied_principals = ["principalSet://goog/public:all"]
+ denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
+
+ denial_condition {
+ title = "Only allow test environments"
+ expression = "!resource.matchTag('project/env', 'production')"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf
new file mode 100644
index 000000000..2a20b1b59
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf
@@ -0,0 +1,20 @@
+resource "google_iam_deny_policy" "nc" {
+ name = "pde-deny-policy"
+ parent = "projects/my-project-id" # Invalid format
+
+ display_name = "PDE Deny Policy"
+
+ rules {
+ description = "Prevent unauthorized project updates"
+
+ deny_rule {
+ denied_principals = ["principalSet://goog/public:all"]
+ denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
+
+ denial_condition {
+ title = "Only allow test environments"
+ expression = "!resource.matchTag('project/env', 'production')"
+ }
+ }
+ }
+}
\ No newline at end of file
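Review bot: In `c.tf` (and the identical block in `nc.tf`) the `denial_condition` title `"Only allow test environments"` says the opposite of what the expression does: a deny rule applies when its condition evaluates true, and `!resource.matchTag('project/env', 'production')` is true for every project that is not tagged production, so this rule blocks `projects.update` on test environments and leaves production untouched. If the intent is to protect production, drop the negation, `expression = "resource.matchTag('project/env', 'production')"`, and retitle the condition; if the intent really is to restrict non-production, the title and the rule `description` should say so. The fixture parses either way, but it is exactly the kind of example that gets copied into a real policy, so the wording should match the semantics.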
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf
new file mode 100644
index 000000000..9ab80c2c7
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf
@@ -0,0 +1,11 @@
+resource "google_iam_folders_policy_binding" "c" {
+ folder = "123456789"
+ location = "global"
+ policy_binding_id = "folder-binding-c"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
new file mode 100644
index 000000000..bc66d6185
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
@@ -0,0 +1,11 @@
+resource "google_iam_folders_policy_binding" "nc" {
+ folder = ""
+ location = "global"
+ policy_binding_id = "folder-binding-nc"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf
new file mode 100644
index 000000000..a86f841df
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf
@@ -0,0 +1,11 @@
+resource "google_iam_folders_policy_binding" "c" {
+ folder = "123456789"
+ location = "global"
+ policy_binding_id = "binding-c"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf
new file mode 100644
index 000000000..5b8375b13
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf
@@ -0,0 +1,11 @@
+resource "google_iam_folders_policy_binding" "nc" {
+ folder = "123456789"
+ location = "australia-southeast1"
+ policy_binding_id = "binding-nc"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf
new file mode 100644
index 000000000..998aa143a
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf
@@ -0,0 +1,12 @@
+resource "google_iam_oauth_client" "c" {
+ oauth_client_id = "example-client-id"
+ display_name = "Valid OAuth Client"
+ description = "Compliant OAuth client configuration"
+ location = "global"
+ disabled = false
+ allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
+ allowed_redirect_uris = ["https://www.example.com"]
+ allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ client_type = "CONFIDENTIAL_CLIENT"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
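Review bot: `project = "smooth-verve-467716-v1"` in `c.tf` looks like a real, auto-generated GCP project id rather than the `my-project-id` placeholder the rest of this patch uses; committing it ties the fixtures to one specific tenant and discloses that tenant to anyone who can read the repository, for no benefit to the test. Use the same placeholder as the other fixtures, `project = "my-project-id"`, or drop the attribute and let the provider default apply. The same literal is repeated in the `nc.tf` next to this and in every `google_iam_oauth_client` and `google_iam_oauth_client_credential` fixture in this patch, so it is worth fixing in one pass.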
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf
new file mode 100644
index 000000000..08a8f7664
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf
@@ -0,0 +1,12 @@
+resource "google_iam_oauth_client" "nc" {
+ oauth_client_id = "example-client-id"
+ display_name = "Invalid OAuth Client"
+ description = "Non-compliant OAuth client configuration"
+ location = "global"
+ disabled = false
+ allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
+ allowed_redirect_uris = ["https://www.example.com"]
+ allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ client_type = "INTERNAL_CLIENT"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/.terraform.lock.hcl
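Review bot: `client_type = "INTERNAL_CLIENT"` in `nc.tf` is not, as far as I know, a value the provider accepts for `google_iam_oauth_client` (the documented values are `PUBLIC_CLIENT` and `CONFIDENTIAL_CLIENT`), so this non-compliant case would be rejected by provider schema validation at plan time rather than by the policy under test, and a check that consumes a plan or a validated configuration may never see the resource. If the rule's purpose is to flag public clients, `client_type = "PUBLIC_CLIENT"` is the realistic non-compliant input; if it is meant to reject unknown values, that should be stated in the rule's documentation because the provider already does it. Either way the fixture should be one that parses so the assertion is about the rule, not about HCL validation.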
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf
new file mode 100644
index 000000000..62b500a41
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf
@@ -0,0 +1,12 @@
+resource "google_iam_oauth_client" "c" {
+ oauth_client_id = "example-client-id"
+ display_name = "Valid OAuth Client"
+ description = "Compliant OAuth client"
+ location = "global"
+ disabled = false
+ allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
+ allowed_redirect_uris = ["https://www.example.com"]
+ allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ client_type = "CONFIDENTIAL_CLIENT"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf
new file mode 100644
index 000000000..8bf258aeb
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf
@@ -0,0 +1,12 @@
+resource "google_iam_oauth_client" "nc" {
+ oauth_client_id = "example-client-id"
+ display_name = "Invalid OAuth Client"
+ description = "Non-compliant OAuth client"
+ location = "australia-southeast1"
+ disabled = false
+ allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
+ allowed_redirect_uris = ["https://www.example.com"]
+ allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ client_type = "CONFIDENTIAL_CLIENT"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/c.tf
new file mode 100644
index 000000000..9da6360ea
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/c.tf
@@ -0,0 +1,8 @@
+resource "google_iam_oauth_client_credential" "c" {
+ oauthclient = "example-client-id"
+ location = "global"
+ oauth_client_credential_id = "cred-01a"
+ disabled = false
+ display_name = "Valid Credential"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf
new file mode 100644
index 000000000..b222420dd
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf
@@ -0,0 +1,8 @@
+resource "google_iam_oauth_client_credential" "nc" {
+ oauthclient = "example-client-id"
+ location = "global"
+ oauth_client_credential_id = "gcp-cred-01a"
+ disabled = false
+ display_name = "Invalid Credential"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.27.0"
+ hashes = [
+ "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
+ "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
+ "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
+ "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
+ "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
+ "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
+ "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
+ "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
+ "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
+ "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
+ "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf
new file mode 100644
index 000000000..f1db18278
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf
@@ -0,0 +1,7 @@
+resource "google_iam_oauth_client_credential" "c" {
+ oauthclient = "example-client-id"
+ location = "global"
+ oauth_client_credential_id = "cred01"
+ display_name = "Valid Credential"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf
new file mode 100644
index 000000000..c105a6caa
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf
@@ -0,0 +1,7 @@
+resource "google_iam_oauth_client_credential" "nc" {
+ oauthclient = "example-client-id"
+ location = "australia-southeast1"
+ oauth_client_credential_id = "cred02"
+ display_name = "Invalid Credential"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.27.0" + hashes = [ + "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", + "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", + "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", + "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", + "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", + "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", + "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", + "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", + "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", + "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", + "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf new file mode 100644 index 000000000..f87f21045 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf @@ -0,0 +1,13 @@ +resource "google_iam_organizations_policy_binding" "c" { + organization = "123456789" + location = "global" + display_name = "Compliant Org Policy Binding" + policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" + policy_binding_id = "org-binding-c" + + policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/my-pab-policy" + + target { + principal_set = "//cloudresourcemanager.googleapis.com/organizations/123456789" + } +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
new file mode 100644
index 000000000..920afa31b
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
@@ -0,0 +1,13 @@
+resource "google_iam_organizations_policy_binding" "nc" {
+ organization = "123456789"
+ location = "australia-southeast1"
+ display_name = "Non-Compliant Org Policy Binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "org-binding-nc"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/my-pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/organizations/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..3247f9b34
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.27.0" + hashes = [ + "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", + "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", + "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", + "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", + "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", + "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", + "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", + "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", + "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", + "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", + "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf new file mode 100644 index 000000000..f87f21045 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf @@ -0,0 +1,13 @@ +resource "google_iam_organizations_policy_binding" "c" { + organization = "123456789" + location = "global" + display_name = "Compliant Org Policy Binding" + policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" + policy_binding_id = "org-binding-c" + + policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/my-pab-policy" + + target { + principal_set = "//cloudresourcemanager.googleapis.com/organizations/123456789" + } +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
new file mode 100644
index 000000000..5db077a60
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
@@ -0,0 +1,13 @@
+resource "google_iam_organizations_policy_binding" "nc" {
+ organization = "org-123abc"
+ location = "global"
+ display_name = "Non Compliant Org Policy Binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "org-binding-nc"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/my-pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/organizations/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..830cad037
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.29.0" + hashes = [ + "h1:xM/PrKzyMDI6sHYmnpB7od1OqFkmdDK3ZCon7pc2pMk=", + "zh:0e1057526f44cbb5462fd103f022743bbfe13aa33a460dc3adf76408b766a845", + "zh:207a6de17871088d907bf11854419fbc9793fa832f4bbdcc1aa0d63d18f87dcf", + "zh:2afdb8530b53edb1ea39aa3736e0a28eb8413d042296e01026c027e3b5abf12f", + "zh:2b920672181a115a72c901a0f121b4a5425d9977b05c0231e84a669f3c8ac731", + "zh:38112b22bb9e8ab3c45caa6ff084b2a288ce609335688c11666c637e4f0c335f", + "zh:3996360bf8f3a17819183df69fc6dad750e8661cbf8f24b1ef96f2db5632f92d", + "zh:68a6e45fe1c2bd2d5261a45f88fc7a99f45ba86133d1a6e9921a61a2a32a5720", + "zh:b301dab9f82659564ee82e3df4f860af3c1577f5e1836815ef4242f2a7f2758d", + "zh:b4358fc2c02d4352349b07efd255ee63b7f8adc68ecf4e4ec976bfa1782003cf", + "zh:d1545abb633519b7ff86d37fac822b2a624aa573b34228a2ea63fb925005cae2", + "zh:e8f17a3f2b9fdd352e9e88524af91c8938345f996b303a29239c65edaf1c25a8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf new file mode 100644 index 000000000..875583dfa --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf @@ -0,0 +1,15 @@ +resource "google_iam_principal_access_boundary_policy" "c" { + organization = "123456789" + location = "global" + display_name = "Compliant PAB Policy" + principal_access_boundary_policy_id = "pab-policy-c" + + details { + rules { + effect = "ALLOW" + resources = [ + "//cloudresourcemanager.googleapis.com/organizations/123456789" + ] + } + } +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf
new file mode 100644
index 000000000..abd5e3366
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf
@@ -0,0 +1,15 @@
+resource "google_iam_principal_access_boundary_policy" "nc" {
+ organization = "123456789"
+ location = "australia-southeast1"
+ display_name = "Non-Compliant PAB Policy"
+ principal_access_boundary_policy_id = "pab-policy-nc"
+
+ details {
+ rules {
+ effect = "ALLOW"
+ resources = [
+ "//cloudresourcemanager.googleapis.com/organizations/123456789"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..830cad037
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.29.0" + hashes = [ + "h1:xM/PrKzyMDI6sHYmnpB7od1OqFkmdDK3ZCon7pc2pMk=", + "zh:0e1057526f44cbb5462fd103f022743bbfe13aa33a460dc3adf76408b766a845", + "zh:207a6de17871088d907bf11854419fbc9793fa832f4bbdcc1aa0d63d18f87dcf", + "zh:2afdb8530b53edb1ea39aa3736e0a28eb8413d042296e01026c027e3b5abf12f", + "zh:2b920672181a115a72c901a0f121b4a5425d9977b05c0231e84a669f3c8ac731", + "zh:38112b22bb9e8ab3c45caa6ff084b2a288ce609335688c11666c637e4f0c335f", + "zh:3996360bf8f3a17819183df69fc6dad750e8661cbf8f24b1ef96f2db5632f92d", + "zh:68a6e45fe1c2bd2d5261a45f88fc7a99f45ba86133d1a6e9921a61a2a32a5720", + "zh:b301dab9f82659564ee82e3df4f860af3c1577f5e1836815ef4242f2a7f2758d", + "zh:b4358fc2c02d4352349b07efd255ee63b7f8adc68ecf4e4ec976bfa1782003cf", + "zh:d1545abb633519b7ff86d37fac822b2a624aa573b34228a2ea63fb925005cae2", + "zh:e8f17a3f2b9fdd352e9e88524af91c8938345f996b303a29239c65edaf1c25a8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf new file mode 100644 index 000000000..59e66340a --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf @@ -0,0 +1,15 @@ +resource "google_iam_principal_access_boundary_policy" "c" { + organization = "123456789" + location = "global" + display_name = "Compliant PAB Policy" + principal_access_boundary_policy_id = "pab-org-c" + + details { + rules { + effect = "ALLOW" + resources = [ + "//cloudresourcemanager.googleapis.com/organizations/123456789" + ] + } + } +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
new file mode 100644
index 000000000..76d0f11af
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
@@ -0,0 +1,15 @@
+resource "google_iam_principal_access_boundary_policy" "nc" {
+ organization = "org-123abc"
+ location = "global"
+ display_name = "Non-Compliant PAB Policy"
+ principal_access_boundary_policy_id = "pab-org-nc"
+
+ details {
+ rules {
+ effect = "ALLOW"
+ resources = [
+ "//cloudresourcemanager.googleapis.com/organizations/123456789"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..830cad037
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.29.0" + hashes = [ + "h1:xM/PrKzyMDI6sHYmnpB7od1OqFkmdDK3ZCon7pc2pMk=", + "zh:0e1057526f44cbb5462fd103f022743bbfe13aa33a460dc3adf76408b766a845", + "zh:207a6de17871088d907bf11854419fbc9793fa832f4bbdcc1aa0d63d18f87dcf", + "zh:2afdb8530b53edb1ea39aa3736e0a28eb8413d042296e01026c027e3b5abf12f", + "zh:2b920672181a115a72c901a0f121b4a5425d9977b05c0231e84a669f3c8ac731", + "zh:38112b22bb9e8ab3c45caa6ff084b2a288ce609335688c11666c637e4f0c335f", + "zh:3996360bf8f3a17819183df69fc6dad750e8661cbf8f24b1ef96f2db5632f92d", + "zh:68a6e45fe1c2bd2d5261a45f88fc7a99f45ba86133d1a6e9921a61a2a32a5720", + "zh:b301dab9f82659564ee82e3df4f860af3c1577f5e1836815ef4242f2a7f2758d", + "zh:b4358fc2c02d4352349b07efd255ee63b7f8adc68ecf4e4ec976bfa1782003cf", + "zh:d1545abb633519b7ff86d37fac822b2a624aa573b34228a2ea63fb925005cae2", + "zh:e8f17a3f2b9fdd352e9e88524af91c8938345f996b303a29239c65edaf1c25a8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf new file mode 100644 index 000000000..987572b8f --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf @@ -0,0 +1,13 @@ +resource "google_iam_projects_policy_binding" "c" { + project = "smooth-verve-467716-v1" + location = "global" + display_name = "Valid Project Policy Binding" + policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" + policy_binding_id = "binding-project-c" + + policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" + + target { + principal_set = "//cloudresourcemanager.googleapis.com/projects/123456789" + } +} \ No newline at end of file 
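Review bot: The compliant fixture sets `project = "smooth-verve-467716-v1"` but its `target.principal_set` is `//cloudresourcemanager.googleapis.com/projects/123456789`, a different project, so the "valid" case is internally inconsistent and, if the API requires the principal set to match the binding's parent, would not apply cleanly. The project_validation fixture in this same commit uses `principal_set = "//cloudresourcemanager.googleapis.com/projects/smooth-verve-467716-v1"`; use that form here too so the only difference between c.tf and nc.tf is `location`. Note that 123456789 is otherwise used as an organization ID throughout these fixtures, which suggests a copy-paste slip.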
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf
new file mode 100644
index 000000000..4b8458ec4
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf
@@ -0,0 +1,13 @@
+resource "google_iam_projects_policy_binding" "nc" {
+ project = "smooth-verve-467716-v1"
+ location = "us-central1"
+ display_name = "Invalid Project Policy Binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "binding-project-nc"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..830cad037
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.29.0" + hashes = [ + "h1:xM/PrKzyMDI6sHYmnpB7od1OqFkmdDK3ZCon7pc2pMk=", + "zh:0e1057526f44cbb5462fd103f022743bbfe13aa33a460dc3adf76408b766a845", + "zh:207a6de17871088d907bf11854419fbc9793fa832f4bbdcc1aa0d63d18f87dcf", + "zh:2afdb8530b53edb1ea39aa3736e0a28eb8413d042296e01026c027e3b5abf12f", + "zh:2b920672181a115a72c901a0f121b4a5425d9977b05c0231e84a669f3c8ac731", + "zh:38112b22bb9e8ab3c45caa6ff084b2a288ce609335688c11666c637e4f0c335f", + "zh:3996360bf8f3a17819183df69fc6dad750e8661cbf8f24b1ef96f2db5632f92d", + "zh:68a6e45fe1c2bd2d5261a45f88fc7a99f45ba86133d1a6e9921a61a2a32a5720", + "zh:b301dab9f82659564ee82e3df4f860af3c1577f5e1836815ef4242f2a7f2758d", + "zh:b4358fc2c02d4352349b07efd255ee63b7f8adc68ecf4e4ec976bfa1782003cf", + "zh:d1545abb633519b7ff86d37fac822b2a624aa573b34228a2ea63fb925005cae2", + "zh:e8f17a3f2b9fdd352e9e88524af91c8938345f996b303a29239c65edaf1c25a8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/c.tf new file mode 100644 index 000000000..141f6f557 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/c.tf @@ -0,0 +1,13 @@ +resource "google_iam_projects_policy_binding" "c" { + project = "smooth-verve-467716-v1" + location = "global" + display_name = "Valid Project Binding" + policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" + policy_binding_id = "binding-project-c" + + policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" + + target { + principal_set = "//cloudresourcemanager.googleapis.com/projects/smooth-verve-467716-v1" + } +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf
new file mode 100644
index 000000000..025addfc5
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf
@@ -0,0 +1,13 @@
+resource "google_iam_projects_policy_binding" "nc" {
+ project = "INVALID_PROJECT_ID!!!"
+ location = "global"
+ display_name = "Invalid Project Binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "binding-project-nc"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/INVALID_PROJECT_ID!!!"
+ }
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
new file mode 100644
index 000000000..76b095bca
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
@@ -0,0 +1,26 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.name_validation
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
+
+conditions := [
+
+ [
+ {
+ "situation_description": "Policy name is missing or not properly defined",
+ "remedies": [
+ "Provide a valid policy name",
+ "Use meaningful naming (e.g., pde-access-boundary)"
+ ]
+ },
+ {
+ "condition": "Validate policy name format",
+ "attribute_path": ["address"],
+ "values": ["pde-*"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
new file mode 100644
index 000000000..44d3b1702
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
@@ -0,0 +1,27 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.parent_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
+
+conditions := [
+
+ [
+ {
+ "situation_description": "Parent is not properly defined or not URL encoded",
+ "remedies": [
+ "Ensure parent uses URL-encoded format",
+ "Use format: cloudresourcemanager.googleapis.com/projects/"
+ ]
+ },
+ {
+ "condition": "Validate parent format",
+ "attribute_path": ["address"],
+ "values": ["cloudresourcemanager.googleapis.com/projects/*"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
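Review bot: The check reads `"attribute_path": ["address"]`, which in a Terraform plan is the resource address (e.g. `google_iam_access_boundary_policy.c`), not the policy's `name` attribute that vars.rego names as `resource_value_name`, so the pattern never sees the value the remedies describe; unless `helpers.get_multi_summary` treats `address` specially, this should be `"attribute_path": ["name"]`. Separately, if the helper interprets the pattern as a regex, `pde-*` is unanchored and `-*` means zero or more hyphens, so any value containing `pde` passes; anchor it as `"values": ["^pde-"]`. The folder check added in this same commit uses regex syntax (`^[0-9]+$`), so the two pattern conventions should be reconciled before merge.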
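Review bot: The remedies say the parent must be URL-encoded, but the whitelist pattern `cloudresourcemanager.googleapis.com/projects/*` contains literal slashes, so a correctly encoded value (`cloudresourcemanager.googleapis.com%2Fprojects%2F...`) would not match under a literal or glob matcher; one of the two is wrong and the fixture that exercises this check is not in view to tell which. The check is also made against `address` rather than `parent`. Suggest `"attribute_path": ["parent"]` with an anchored pattern that matches the encoded form, e.g. `"values": ["^cloudresourcemanager\\.googleapis\\.com%2Fprojects%2F[a-z][a-z0-9-]+$"]`, and update the remedy text to show `%2F` so the message and the check agree.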
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego
new file mode 100644
index 000000000..cf3bba0e0
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego
@@ -0,0 +1,8 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
+
+
+variables := {
+ "friendly_resource_name": "Cloud_IAM access boundary policy ",
+ "resource_type": "google_iam_access_boundary_policy",
+ "resource_value_name": "name"
+}
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
new file mode 100644
index 000000000..557e8c54c
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
@@ -0,0 +1,23 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.name_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Deny policy name is not following naming convention",
+ "remedies": ["Use prefix 'pde-' for deny policies"]
+ },
+ {
+ "condition": "Validate deny policy name",
+ "attribute_path": ["address"],
+ "values": ["pde-*"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
new file mode 100644
index 000000000..9720ef22c
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
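Review bot: The naming check targets `address` rather than the `name` attribute that vars.rego declares as `resource_value_name`, and `pde-*` is only a prefix check if the helper treats patterns as globs; under a regex matcher it is unanchored and accepts any value containing `pde`, so `"attribute_path": ["name"]` with `"values": ["^pde-"]` is what the remedy text actually promises. More importantly, the only checks this commit adds for `google_iam_deny_policy` are this naming convention and the parent format; nothing inspects the deny rules themselves (which principals and permissions are denied, and who is exempted), which is the part of a deny policy that carries security weight, so a well-named policy with an over-broad exception list passes cleanly. Worth stating in the docs that these are hygiene checks, not a control on the policy's effect.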
@@ -0,0 +1,22 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.parent_validation
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Parent is not correctly defined",
+ "remedies": ["Use format: cloudresourcemanager.googleapis.com/projects/"]
+ },
+ {
+ "condition": "Validate parent format",
+ "attribute_path": ["address"],
+ "values": ["cloudresourcemanager.googleapis.com/projects/*"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
new file mode 100644
index 000000000..a53e0000c
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
+
+variables := {
+ "friendly_resource_name": "Cloud_IAM deny policy",
+ "resource_type": "google_iam_deny_policy",
+ "resource_value_name": "name"
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
new file mode 100644
index 000000000..33e8927ee
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
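Review bot: Under a regex matcher the pattern `cloudresourcemanager.googleapis.com/projects/*` is unanchored, its dots match any character and `/*` means zero or more slashes, so any value that merely contains `cloudresourcemanager.googleapis.com/projects` is accepted; under a glob matcher it instead rejects the URL-encoded (`%2F`) form, which is the form the access-boundary check in this same commit tells users to write. Either way the check does not pin the parent to a single project, and it is evaluated against `address` rather than `parent`. Suggest `"attribute_path": ["parent"]` and one anchored, escaped pattern that accepts both encodings, e.g. `"values": ["^cloudresourcemanager\\.googleapis\\.com(%2F|/)projects(%2F|/)[a-z][a-z0-9-]{4,28}[a-z0-9]$"]`, with the remedy text updated to match; please confirm the provider's expected encoding against its docs before choosing.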
@@ -0,0 +1,26 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.folder_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Folder must be a valid numeric GCP folder ID",
+ "remedies": [
+ "Provide a valid numeric folder ID",
+ "Example: 224774388"
+ ]
+ },
+ {
+ "condition": "Validate folder format using pattern",
+ "attribute_path": ["address"],
+ "values": ["^[0-9]+$"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego
new file mode 100644
index 000000000..c447e4c93
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego
@@ -0,0 +1,25 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.location_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Location must strictly be global for IAM folder policy bindings",
+ "remedies": [
+ "Set location = global"
+ ]
+ },
+ {
+ "condition": "Validate allowed location",
+ "attribute_path": ["address"],
+ "values": ["global"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego
new file mode 100644
index 000000000..23d310bbc
--- /dev/null
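Review bot: `^[0-9]+$` is applied to `"attribute_path": ["address"]`, but a Terraform resource address such as `google_iam_folders_policy_binding.c` always contains letters and a dot, so every resource fails this check regardless of its folder value, which would make the compliant fixture a false positive; the intended path is presumably `["folder"]`, which is also what the accompanying vars.rego names as `resource_value_name`. With that one-line change the regex itself is fine, though it accepts only a bare numeric ID — if the provider also accepts a `folders/123` form, that form would be flagged, so say so in the situation description or widen the pattern.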
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
+
+variables := {
+ "friendly_resource_name": "Cloud_IAM folder policy binding",
+ "resource_type": "google_iam_folders_policy_binding",
+ "resource_value_name": "folder"
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego
new file mode 100644
index 000000000..6db1c53be
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego
@@ -0,0 +1,23 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.client_type_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Only approved OAuth client types are allowed",
+ "remedies": ["Use PUBLIC_CLIENT or CONFIDENTIAL_CLIENT"]
+ },
+ {
+ "condition": "Validate client_type",
+ "attribute_path": ["address"],
+ "values": ["PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
new file mode 100644
index 000000000..7ae41d2f8
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
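Review bot: The whitelist `["PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT"]` lists both client types the API defines, so "only approved client types" constrains nothing beyond an unset value; if the intent is to allow only clients that can protect a secret, the list should be `["CONFIDENTIAL_CLIENT"]` alone and the description should say why public clients are excluded, otherwise the check should be documented as a schema sanity check rather than a control. Also, both this check and the location check for the same resource evaluate `"attribute_path": ["address"]` against different whitelists, which cannot both hold for one value; use `["client_type"]` here and `["location"]` there unless `helpers.get_multi_summary` resolves `address` in a way not visible in this commit.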
@@ -0,0 +1,22 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.location_validation
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "OAuth client must only be deployed in global location",
+ "remedies": ["Set location to global"]
+ },
+ {
+ "condition": "Validate location",
+ "attribute_path": ["address"],
+ "values": ["global"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego
new file mode 100644
index 000000000..5e447d206
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars
+
+variables := {
+ "friendly_resource_name": "Cloud_IAM OAuth client",
+ "resource_type": "google_iam_oauth_client",
+ "resource_value_name": "oauth_client_id"
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego
new file mode 100644
index 000000000..7bc18e49f
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego
@@ -0,0 +1,27 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.credential_id_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Credential ID must follow secure naming rules (4–32 chars, lowercase, digits, hyphen allowed)",
+ "remedies": [
+ "Use lowercase letters, numbers, hyphens",
+ "Length 4–32 characters",
+ "Do not use gcp- prefix"
+ ]
+ },
+ {
+ "condition": "Validate oauth_client_credential_id format",
+ "attribute_path": ["address"],
+ "values": ["^[a-z][a-z0-9-]{2,30}[a-z0-9]$"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego
new file mode 100644
index 000000000..9bd1fa7ef
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego
@@ -0,0 +1,23 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.location_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "OAuth client credential must use global location only",
+ "remedies": ["Set location = global"]
+ },
+ {
+ "condition": "Validate location whitelist",
+ "attribute_path": ["address"],
+ "values": ["global"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
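Review bot: The remedy `"Do not use gcp- prefix"` in the credential_id_validation hunk is not enforced by `^[a-z][a-z0-9-]{2,30}[a-z0-9]$`, which accepts `gcp-abc`, so the policy advertises a check it does not perform and a reviewer reading only the remedies would assume the prefix is blocked. Rego regexes are RE2 and have no negative lookahead, so the exclusion needs either a second condition — a `pattern blacklist` on `^gcp-`, if `helpers.get_multi_summary` supports that policy_type (the helper is not visible here) — or the remedy should be removed until it is enforced. The length rule is correctly expressed by the regex (1 + 2..30 + 1 = 4–32), so the description is accurate on that point.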
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego
new file mode 100644
index 000000000..77e64f598
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.vars
+
+variables := {
+ "friendly_resource_name": "Cloud_IAM OAuth client credential",
+ "resource_type": "google_iam_oauth_client_credential",
+ "resource_value_name": "oauth_client_credential_id"
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego
new file mode 100644
index 000000000..30f7110d7
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego
@@ -0,0 +1,25 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.location_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Organization policy binding must use global location",
+ "remedies": [
+ "Set location = global"
+ ]
+ },
+ {
+ "condition": "Validate location whitelist",
+ "attribute_path": ["address"],
+ "values": ["global"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego
new file mode 100644
index 000000000..710c40a94
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego
@@ -0,0 +1,26 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.organization_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Organization ID must be numeric",
+ "remedies": [
+ "Use valid numeric organization ID",
+ "Example: 224774388"
+ ]
+ },
+ {
+ "condition": "Validate organization ID pattern",
+ "attribute_path": ["address"],
+ "values": ["^[0-9]+$"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
new file mode 100644
index 000000000..b8c203bb8
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.vars
+
+variables := {
+ "friendly_resource_name": "Cloud_IAM organization policy binding",
+ "resource_type": "google_iam_organizations_policy_binding",
+ "resource_value_name": "policy_binding_id"
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego
new file mode 100644
index 000000000..f114fd29b
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego
@@ -0,0 +1,24 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.location_validation
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Location must always be global for PAB policy",
+ "remedies": [
+ "Set location = global"
+ ]
+ },
+ {
+ "condition": "Validate location whitelist",
+ "attribute_path": ["address"],
+ "values": ["global"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
new file mode 100644
index 000000000..14fafb0f0
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
@@ -0,0 +1,26 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.organization_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Organization ID must be numeric only",
+ "remedies": [
+ "Use a valid GCP organization ID",
+ "Example: 123456789"
+ ]
+ },
+ {
+ "condition": "Validate organization format",
+ "attribute_path": ["address"],
+ "values": ["^[0-9]+$"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego
new file mode 100644
index 000000000..a78d145f3
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars
+
+variables := {
+ "friendly_resource_name": "Cloud_IAM principal access boundary policy",
+ "resource_type": "google_iam_principal_access_boundary_policy",
+ "resource_value_name": "principal_access_boundary_policy_id"
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego
new file mode 100644
index 000000000..98a73414e
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego
@@ -0,0 +1,23 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.location_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Project policy binding must use global location only",
+ "remedies": ["Set location = global"]
+ },
+ {
+ "condition": "Validate location whitelist",
+ "attribute_path": ["address"],
+ "values": ["global"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego
new file mode 100644
index 000000000..f715a1521
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego @@ -0,0 +1,23 @@ +package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.project_validation + +import data.terraform.helpers +import data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars + +conditions := [ + [ + { + "situation_description": "Project ID must be valid format (alphanumeric and hyphen allowed)", + "remedies": ["Use valid GCP project ID format"] + }, + { + "condition": "Validate project format", + "attribute_path": ["address"], + "values": ["^[a-z][a-z0-9-]{4,28}[a-z0-9]$"], + "policy_type": "pattern whitelist" + } + ] +] + +result := helpers.get_multi_summary(conditions, vars.variables) +message := result.message +details := result.details \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego new file mode 100644 index 000000000..a0e2db25a --- /dev/null +++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego @@ -0,0 +1,7 @@ +package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars + +variables := { + "friendly_resource_name": "Cloud_IAM project policy binding", + "resource_type": "google_iam_projects_policy_binding", + "resource_value_name": "policy_binding_id" +} \ No newline at end of file From e1be53b9ce2eb91f7b160335f15f553f5b524052 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Tue, 28 Apr 2026 23:49:44 +1000 Subject: [PATCH 02/91] Cloud IAM clean implementation --- .../parent_validation/c.tf | 25 +++++++++---------- .../parent_validation/nc.tf | 25 +++++++++---------- 2 files changed, 24 insertions(+), 26 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf index f25bf6180..81cbbd792 100644 
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf @@ -1,17 +1,16 @@ -resource "google_project" "c_project" { - project_id = "my-project-id" - name = "My Project" - org_id = "123456789" - billing_account = "000000-0000000-0000000-000000" -} +resource "google_iam_access_boundary_policy" "c" { + name = "valid-policy-name" + parent = "cloudresourcemanager.googleapis.com/projects/123456789" + display_name = "Valid AB policy" -resource "google_beyondcorp_app_connection" "c" { - name = "my-app-connection" - project = google_project.c_project.project_id - type = "TCP_PROXY" + rules { + description = "Valid rule" - application_endpoint { - host = "foo-host" - port = 8080 + access_boundary_rule { + availability_condition { + title = "Access level expr" + expression = "true" + } + } } } \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index bebb7d8af..b9a6d296a 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf 
@@ -1,17 +1,16 @@ -resource "google_project" "nc_project" { - project_id = "my-project-id" - name = "My Project" - org_id = "123456789" - billing_account = "000000-0000000-0000000-000000" -} +resource "google_iam_access_boundary_policy" "nc" { + name = "also-valid-name" + parent = "invalid-parent" + display_name = "Invalid parent policy" -resource "google_beyondcorp_app_connection" "nc" { - name = "my-app-connection" - project = "invalid-project-format" - type = "TCP_PROXY" + rules { + description = "Invalid rule" - application_endpoint { - host = "foo-host" - port = 8080 + access_boundary_rule { + availability_condition { + title = "Bad expr" + expression = "false" + } + } } } \ No newline at end of file From 694bf45d1f5beb13b34de972f5cd55de88ac655d Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Wed, 29 Apr 2026 00:13:25 +1000 Subject: [PATCH 03/91] Cloud IAM --- .../name_validation/policy.rego | 2 +- .../parent_validation/policy.rego | 4 ++-- .../google_iam_deny_policy/name_validation/policy.rego | 2 +- .../google_iam_deny_policy/parent_validation/policy.rego | 2 +- .../folder_validation/policy.rego | 2 +- .../location_validation/policy.rego | 2 +- .../client_type_validation/policy.rego | 2 +- .../google_iam_oauth_client/location_validation/policy.rego | 2 +- .../credential_id_validation/policy.rego | 2 +- .../location_validation/policy.rego | 2 +- .../Location_Validation/policy.rego | 2 +- .../organization_validation/policy.rego | 2 +- .../location_validation/policy.rego | 2 +- .../organization_validation/policy.rego | 2 +- .../location_validation/policy.rego | 2 +- .../project_validation/policy.rego | 2 +- 16 files changed, 17 insertions(+), 17 deletions(-) diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego index 76b095bca..502659d59 100644 
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
@@ -14,7 +14,7 @@ conditions := [
 },
 {
 "condition": "Validate policy name format",
- "attribute_path": ["address"],
+ "attribute_path": ["name"],
 "values": ["pde-*"],
 "policy_type": "pattern whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
index 44d3b1702..dc75974bf 100644
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
@@ -15,8 +15,8 @@ conditions := [
 },
 {
 "condition": "Validate parent format",
- "attribute_path": ["address"],
- "values": ["cloudresourcemanager.googleapis.com/projects/*"],
+ "attribute_path": ["parent"],
+ "values": ["cloudresourcemanager.googleapis.com/projects/"],
 "policy_type": "pattern whitelist"
 }
 ]
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
index 557e8c54c..b8bf22bfc 100644
--- a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
@@ -11,7 +11,7 @@ conditions := [
 },
 {
 "condition": "Validate deny policy name",
- "attribute_path": ["address"],
+ "attribute_path": ["name"],
 "values": ["pde-*"],
 "policy_type": "pattern whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
index 9720ef22c..5c29e7de7 100644
--- a/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
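Review bot: The new value `"cloudresourcemanager.googleapis.com/projects/"` in the access_boundary_policy parent_validation hunk is neither anchored nor escaped, so if `pattern whitelist` is regex-based (the `^[0-9]+$` patterns used elsewhere in this series suggest it is) any `parent` that merely contains that substring is accepted, and the unescaped dots widen it further; the deny_policy parent rule in the next hunk (L142) keeps `projects/*`, so the two rules now accept different inputs for the same concept. Suggest `"values": ["^cloudresourcemanager\\.googleapis\\.com/projects/[^/]+$"]` in both, which still accepts the numeric project number used in the PATCH 02 c.tf fixture. The same ambiguity affects `pde-*` in the two name_validation hunks on this line: read as a regex it is "pd" then "e" then any number of hyphens, matched anywhere in the name, whereas the remedy text presumably means a prefix — `^pde-` states that unambiguously.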
+++ b/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
@@ -10,7 +10,7 @@ conditions := [
 },
 {
 "condition": "Validate parent format",
- "attribute_path": ["address"],
+ "attribute_path": ["parent"],
 "values": ["cloudresourcemanager.googleapis.com/projects/*"],
 "policy_type": "pattern whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
index 33e8927ee..aad6bb7ee 100644
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
@@ -14,7 +14,7 @@ conditions := [
 },
 {
 "condition": "Validate folder format using pattern",
- "attribute_path": ["address"],
+ "attribute_path": ["folder"],
 "values": ["^[0-9]+$"],
 "policy_type": "pattern whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego
index c447e4c93..70bc1f211 100644
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego
@@ -13,7 +13,7 @@ conditions := [
 },
 {
 "condition": "Validate allowed location",
- "attribute_path": ["address"],
+ "attribute_path": ["location"],
 "values": ["global"],
 "policy_type": "whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego
index 6db1c53be..d8a9624f4 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego
@@ -11,7 +11,7 @@ conditions := [
 },
 {
 "condition": "Validate client_type",
- "attribute_path": ["address"],
+ "attribute_path": ["client_type"],
 "values": ["PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT"],
 "policy_type": "whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
index 7ae41d2f8..6af2691b2 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
@@ -10,7 +10,7 @@ conditions := [
 },
 {
 "condition": "Validate location",
- "attribute_path": ["address"],
+ "attribute_path": ["location"],
 "values": ["global"],
 "policy_type": "whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego
index 7bc18e49f..1b5a6f287 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego
@@ -15,7 +15,7 @@ conditions := [
 },
 {
 "condition": "Validate oauth_client_credential_id format",
- "attribute_path": ["address"],
+ "attribute_path": ["oauth_client_credential_id"],
 "values": ["^[a-z][a-z0-9-]{2,30}[a-z0-9]$"],
 "policy_type": "pattern whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego
index 9bd1fa7ef..46ecc25cb 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego
@@ -11,7 +11,7 @@ conditions := [
 },
 {
 "condition": "Validate location whitelist",
- "attribute_path": ["address"],
+ "attribute_path": ["location"],
 "values": ["global"],
 "policy_type": "whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego
index 30f7110d7..3bc705a52 100644
--- a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego
@@ -13,7 +13,7 @@ conditions := [
 },
 {
 "condition": "Validate location whitelist",
- "attribute_path": ["address"],
+ "attribute_path": ["location"],
 "values": ["global"],
 "policy_type": "whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego
index 710c40a94..37f7976c4 100644
--- a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego
@@ -14,7 +14,7 @@ conditions := [
 },
 {
 "condition": "Validate organization ID pattern",
- "attribute_path": ["address"],
+ "attribute_path": ["organization"],
 "values": ["^[0-9]+$"],
 "policy_type": "pattern whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego
index f114fd29b..3c7fed739 100644
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego
@@ -12,7 +12,7 @@ conditions := [
 },
 {
 "condition": "Validate location whitelist",
- "attribute_path": ["address"],
+ "attribute_path": ["location"],
 "values": ["global"],
 "policy_type": "whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
index 14fafb0f0..f443e2d33 100644
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
@@ -14,7 +14,7 @@ conditions := [
 },
 {
 "condition": "Validate organization format",
- "attribute_path": ["address"],
+ "attribute_path": ["organization"],
 "values": ["^[0-9]+$"],
 "policy_type": "pattern whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego
index 98a73414e..d47b87992 100644
--- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego
@@ -11,7 +11,7 @@ conditions := [
 },
 {
 "condition": "Validate location whitelist",
- "attribute_path": ["address"],
+ "attribute_path": ["location"],
 "values": ["global"],
 "policy_type": "whitelist"
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego
index f715a1521..599f62655 100644
--- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego
@@ -11,7 +11,7 @@ conditions := [ }, { "condition": "Validate project format", - "attribute_path": ["address"], + "attribute_path": ["project"], "values": ["^[a-z][a-z0-9-]{4,28}[a-z0-9]$"], "policy_type": "pattern whitelist" } From b857fafaa0b499adf4e1523268fb8ea3e269f382 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Wed, 29 Apr 2026 00:17:36 +1000 Subject: [PATCH 04/91] Cloud IAM --- .../google_iam_access_boundary_policy/name_validation/nc.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf index 49ad9a89a..23efe5bb8 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf @@ -1,5 +1,5 @@ resource "google_iam_access_boundary_policy" "nc" { - name = "my-ab-policy" + name = "" parent = "cloudresourcemanager.googleapis.com/projects/my-project-id" display_name = "My AB policy" rules { From 4b66dc76e8884bce1282d6653cb8478618df7379 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Wed, 29 Apr 2026 01:03:14 +1000 Subject: [PATCH 05/91] Cloud IAM --- .../gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego | 2 +- policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego | 2 +- .../gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego | 2 +- .../Cloud_IAM/google_iam_organizations_policy_binding/vars.rego | 2 +- .../google_iam_principal_access_boundary_policy/vars.rego | 2 +- .../gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego index 23d310bbc..b28d6831a 100644 --- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego 
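Review bot: Changing the non-compliant fixture's `name` from `"my-ab-policy"` to `""` in the PATCH 04 nc.tf hunk means name_validation is no longer exercised against a realistic name that simply lacks the required prefix, only against an empty string that the provider would most likely reject before any policy is evaluated, so the test stops demonstrating the rule it exists for. If the change was made because `my-ab-policy` did not fail the `pde-*` pattern, that points at the pattern (unanchored, or glob-vs-regex handling in the helper) rather than at the fixture; keep `name = "my-ab-policy"` and fix the rule. The resource block continues past this hunk.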
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM folder policy binding",
 "resource_type": "google_iam_folders_policy_binding",
- "resource_value_name": "folder"
+ "resource_value_name": "name"
 }
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego
index 5e447d206..beeea456e 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM OAuth client",
 "resource_type": "google_iam_oauth_client",
- "resource_value_name": "oauth_client_id"
+ "resource_value_name": "name"
 }
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego
index 77e64f598..e83477cdd 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM OAuth client credential",
 "resource_type": "google_iam_oauth_client_credential",
- "resource_value_name": "oauth_client_credential_id"
+ "resource_value_name": "name"
 }
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
index b8c203bb8..93cc20959 100644
--- a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
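Review bot: Switching `resource_value_name` to `"name"` — here for the folder binding and in the five sibling vars.rego hunks on L147–L148 — points the helper at an attribute that, as far as I know, is a provider-computed output on all of these resources (the API assembles `name` from the id fields that were previously listed, such as `oauth_client_id` and `policy_binding_id`), so in a plan it is unknown and whatever label or lookup `helpers.get_multi_summary` builds from it will be empty or fail. The series itself flips the organizations entry back to `"policy_binding_id"` in PATCH 08 and to `"name"` again in PATCH 10, which reads as working around the symptom rather than resolving it. Unless the helper reads from state rather than plan (not visible here), keep the configured id per resource, e.g. `"resource_value_name": "oauth_client_id"` for the OAuth client.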
+++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego @@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding variables := { "friendly_resource_name": "Cloud_IAM organization policy binding", "resource_type": "google_iam_organizations_policy_binding", - "resource_value_name": "policy_binding_id" + "resource_value_name": "name" } \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego index a78d145f3..7e8458ee6 100644 --- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego +++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego @@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_po variables := { "friendly_resource_name": "Cloud_IAM principal access boundary policy", "resource_type": "google_iam_principal_access_boundary_policy", - "resource_value_name": "principal_access_boundary_policy_id" + "resource_value_name": "name" } \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego index a0e2db25a..fb7500c44 100644 --- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego +++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego @@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars variables := { "friendly_resource_name": "Cloud_IAM project policy binding", "resource_type": "google_iam_projects_policy_binding", - "resource_value_name": "policy_binding_id" + "resource_value_name": "name" } \ No newline at end of file From f6df04aea5e28f2e504a62af00e93d39c1bf5923 Mon Sep 17 00:00:00 2001 
From: 224774388deakin Date: Wed, 29 Apr 2026 01:13:11 +1000 Subject: [PATCH 06/91] Cloud IAM --- .../organization_validation/c.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf index f87f21045..08b5cfec7 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf @@ -1,5 +1,5 @@ resource "google_iam_organizations_policy_binding" "c" { - organization = "123456789" + organization = "12345678" location = "global" display_name = "Compliant Org Policy Binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" From 9c94aafaef725f8fa1bcacf8ad4da74f11eb2356 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Wed, 29 Apr 2026 01:21:04 +1000 Subject: [PATCH 07/91] Cloud IAM --- .../organization_validation/nc.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf index 5db077a60..f4f6fcf0e 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf @@ -1,5 +1,5 @@ resource "google_iam_organizations_policy_binding" "nc" { - organization = "org-123abc" + organization = "" location = "global" display_name = "Non Compliant Org Policy Binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" From b1ac2d64af572d48fbbd522a7a7bf7eeabea7ae9 Mon Sep 17 00:00:00 2001 
From: 224774388deakin Date: Thu, 30 Apr 2026 13:21:25 +1000 Subject: [PATCH 08/91] Cloud IAM --- .../organization_validation/c.tf | 3 +-- .../organization_validation/nc.tf | 2 +- .../google_iam_organizations_policy_binding/vars.rego | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf index 08b5cfec7..ac20522bc 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf @@ -1,6 +1,5 @@ resource "google_iam_organizations_policy_binding" "c" { - organization = "12345678" - location = "global" + organization = "123456789" display_name = "Compliant Org Policy Binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" policy_binding_id = "org-binding-c" diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf index f4f6fcf0e..5db077a60 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf @@ -1,5 +1,5 @@ resource "google_iam_organizations_policy_binding" "nc" { - organization = "" + organization = "org-123abc" location = "global" display_name = "Non Compliant Org Policy Binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego index 93cc20959..b8c203bb8 100644 --- a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego +++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego 
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding
 variables := {
 "friendly_resource_name": "Cloud_IAM organization policy binding",
 "resource_type": "google_iam_organizations_policy_binding",
- "resource_value_name": "name"
+ "resource_value_name": "policy_binding_id"
 }
\ No newline at end of file

From a03af00bef899ffdb4e86cb3757a1e8617acba1d Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Thu, 30 Apr 2026 13:30:25 +1000
Subject: [PATCH 09/91] Cloud IAM

---
 .../Location_Validation/c.tf | 1 +
 .../Location_Validation/nc.tf | 1 +
 .../organization_validation/c.tf | 2 ++
 .../organization_validation/nc.tf | 1 +
 4 files changed, 5 insertions(+)

diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
index f87f21045..dde174516 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
@@ -1,4 +1,5 @@
 resource "google_iam_organizations_policy_binding" "c" {
+ name = "c"
 organization = "123456789"
 location = "global"
 display_name = "Compliant Org Policy Binding"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
index 920afa31b..b50aad4e0 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
@@ -1,4 +1,5 @@
 resource "google_iam_organizations_policy_binding" "nc" {
+ name = "nc"
 organization = "123456789"
 location = "australia-southeast1"
 display_name = "Non-Compliant Org Policy Binding"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf
index ac20522bc..dde174516 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf
@@ -1,5 +1,7 @@
 resource "google_iam_organizations_policy_binding" "c" {
+ name = "c"
 organization = "123456789"
+ location = "global"
 display_name = "Compliant Org Policy Binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "org-binding-c"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
index 5db077a60..10b0b3636 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
@@ -1,4 +1,5 @@
 resource "google_iam_organizations_policy_binding" "nc" {
+ name = "nc"
 organization = "org-123abc"
 location = "global"
 display_name = "Non Compliant Org Policy Binding"

From c759522f5708cf6f4b31726aa618cddf9b385c90 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Thu, 30 Apr 2026 13:35:59 +1000
Subject: [PATCH 10/91] Cloud IAM

---
 .../Cloud_IAM/google_iam_organizations_policy_binding/vars.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
index b8c203bb8..93cc20959 100644
--- a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding
 variables := {
 "friendly_resource_name": "Cloud_IAM organization policy binding",
 "resource_type": "google_iam_organizations_policy_binding",
- "resource_value_name": "policy_binding_id"
+ "resource_value_name": "name"
 }
\ No newline at end of file

From dc1eb220135356c5160a664fa3644d48265fecc8 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Thu, 30 Apr 2026 13:39:08 +1000
Subject: [PATCH 11/91] Cloud IAM

---
 .../Location_Validation/c.tf | 1 -
 .../Location_Validation/nc.tf | 2 +-
 .../organization_validation/c.tf | 1 -
 .../organization_validation/nc.tf | 1 -
 4 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
index dde174516..f87f21045 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
@@ -1,5 +1,4 @@
 resource "google_iam_organizations_policy_binding" "c" {
- name = "c"
 organization = "123456789"
 location = "global"
 display_name = "Compliant Org Policy Binding"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
index b50aad4e0..672e5f451 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
@@ -1,5 +1,5 @@
 resource "google_iam_organizations_policy_binding" "nc" {
- name = "nc"
+
 organization = "123456789"
 location = "australia-southeast1"
 display_name = "Non-Compliant Org Policy Binding"
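Review bot: `resource_value_name` is switched back to `name` here, yet the very next commit (PATCH 11, the hunks that follow on this line and the next) removes `name = ...` from all four fixtures again, so the attribute the summary reports is one no fixture in this series sets. For google_iam_organizations_policy_binding the user-supplied identifier is `policy_binding_id`, which every fixture does set; `name` is, as far as I know, computed by the provider, which would also explain why the explicit `name = "c"` / `name = "nc"` lines had to come out (a computed attribute cannot be assigned in configuration). Unless the helper resolves `name` some other way, `"resource_value_name": "policy_binding_id"` from PATCH 08 looks like the value to keep. As a nit, the Location_Validation nc.tf hunk replaces `name = "nc"` with an empty line rather than deleting it.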
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf
index dde174516..f87f21045 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf
@@ -1,5 +1,4 @@
 resource "google_iam_organizations_policy_binding" "c" {
- name = "c"
 organization = "123456789"
 location = "global"
 display_name = "Compliant Org Policy Binding"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
index 10b0b3636..5db077a60 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
@@ -1,5 +1,4 @@
 resource "google_iam_organizations_policy_binding" "nc" {
- name = "nc"
 organization = "org-123abc"
 location = "global"
 display_name = "Non Compliant Org Policy Binding"

From 30358bbdae8fef4c0294a6a7d3e939462a95b569 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Thu, 30 Apr 2026 13:47:38 +1000
Subject: [PATCH 12/91] Cloud IAM

---
 .../Location_Validation/c.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
index f87f21045..92f6591cf 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
@@ -1,6 +1,6 @@
 resource "google_iam_organizations_policy_binding" "c" {
 organization = "123456789"
- location = "global"
+ location = "global"
 display_name = "Compliant Org Policy Binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "org-binding-c"

From db7da0c73d991a21b816a334bcadc2f75365d74d Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Thu, 30 Apr 2026 13:51:37 +1000
Subject: [PATCH 13/91] Cloud IAM

---
 .../Location_Validation/.terraform.lock.hcl | 21 -------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl

diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl
deleted file mode 100644
index 3247f9b34..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "7.27.0" - hashes = [ - "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", - "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", - "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", - "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", - "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", - "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", - "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", - "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", - "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", - "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", - "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", - ] -} From 75c27af53f9246d7659f73f5b3ab4071159bfd2f Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Thu, 30 Apr 2026 13:52:22 +1000 Subject: [PATCH 14/91] Cloud IAM --- .../Location_Validation/.terraform.lock.hcl | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} From 54462f05a8c074caacf96be6c5f22cf9fab6f0a2 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Thu, 30 Apr 2026 14:05:55 +1000 Subject: [PATCH 15/91] Cloud IAM --- .../credential_id_validation/nc.tf | 2 +- .../Location_Validation/c.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf index b222420dd..e24175001 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf 
@@ -1,7 +1,7 @@
 resource "google_iam_oauth_client_credential" "nc" {
 oauthclient = "example-client-id"
 location = "global"
- oauth_client_credential_id = "gcp-cred-01a"
+ oauth_client_credential_id = "gcp23424sdresdfscred!@01a"
 disabled = false
 display_name = "Invalid Credential"
 project = "smooth-verve-467716-v1"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
index 92f6591cf..f87f21045 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
@@ -1,6 +1,6 @@
 resource "google_iam_organizations_policy_binding" "c" {
 organization = "123456789"
- location = "global"
+ location = "global"
 display_name = "Compliant Org Policy Binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "org-binding-c"

From 0ebd47217f6051aa2d51e250db0bdf7ae7e30482 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sat, 2 May 2026 12:36:36 +1000
Subject: [PATCH 16/91] Cloud IAM

---
 .../name_validation/.terraform.lock.hcl | 26 +++++++++----------
 .../name_validation/c.tf | 10 ++++---
 .../name_validation/nc.tf | 10 ++++---
 3 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
index 3247f9b34..1f00f27db 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "7.27.0" + version = "7.30.0" hashes = [ - "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", - "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", - "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", - "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", - "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", - "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", - "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", - "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", - "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", - "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", - "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", ] } 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
index 9e774aa7a..3cd459a93 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
@@ -1,10 +1,14 @@
 resource "google_iam_access_boundary_policy" "c" {
- name = "pde-my-ab-policy"
- parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
- display_name = "My AB policy"
+ parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-gcp-project")
+ name = "my-ab-policy"
+ display_name = "My Compliant AB policy"
+
 rules {
 description = "AB rule"
 access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
 availability_condition {
 title = "Access level expr"
 expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
index 23efe5bb8..695221fe7 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
@@ -1,10 +1,14 @@
 resource "google_iam_access_boundary_policy" "nc" {
- name = ""
- parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
- display_name = "My AB policy"
+ parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-gcp-project")
+ name = ""
+ display_name = "My Non-Compliant AB policy"
+
 rules {
 description = "AB rule"
 access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
 availability_condition {
 title = "Access level expr"
 expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
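Review bot: The compliant fixture now carries `available_resource = "*"` and `available_permissions = ["*"]`, which is the widest access boundary rule that can be expressed, in the file that serves as the reference-compliant example for this resource. That does not affect the name check this directory exercises, but fixtures labelled compliant tend to get copied into real configurations, so unless the API only accepts `*` here, prefer a scoped example such as a single project resource name and a short permission list; the nc.tf hunk on this line adds the same wildcard pair and should follow suit. Both resource blocks continue past the end of their hunks.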
From c8b2e0253bdba88c5fa291dc9322e1b4d030b85e Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sat, 2 May 2026 12:43:43 +1000
Subject: [PATCH 17/91] Cloud IAM

---
 .../name_validation/policy.rego | 29 +++++++++----------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
index 502659d59..b82d6c162 100644
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
@@ -1,24 +1,21 @@
 package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.name_validation
+
 import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
+import data.terraform.gcp.security.Cloud_IAM.vars
 conditions := [
- [
- {
- "situation_description": "Policy name is missing or not properly defined",
- "remedies": [
- "Provide a valid policy name",
- "Use meaningful naming (e.g., pde-access-boundary)"
- ]
- },
- {
- "condition": "Validate policy name format",
- "attribute_path": ["name"],
- "values": ["pde-*"],
- "policy_type": "pattern whitelist"
- }
- ]
+ {
+ "situation_description": "Policy name is missing or not properly defined.",
+ "remedies": ["Ensure the name parameter is specified and is not empty."]
+ },
+ {
+ "condition": "name is not empty or null",
+ "attribute_path": ["name"],
+ "values": ["", null],
+ "policy_type": "blacklist"
+ }
+ ]
 ]
 result := helpers.get_multi_summary(conditions, vars.variables)

From 995beb1df0a97bbc2d4b43ff54554f06614133d0 Mon Sep 17 00:00:00 2001
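Review bot: The new `conditions` literal is unbalanced: the inner `[` is removed but the added `    ]` before the context `]` still closes it, so the new side reads `conditions := [ {...}, {...} ] ]` and will not parse (the line counts, 16 removed and 13 added, confirm no opening bracket is added). Either restore `    [` directly after `conditions := [` to keep the list-of-lists shape `helpers.get_multi_summary` was previously given, or drop the added `    ]`; which is right depends on the helper's expected input, which is not in this diff. The import also moves from the resource-specific `...google_iam_access_boundary_policy.vars` to `...Cloud_IAM.vars`; if that module does not define `variables` with this resource's `resource_type`, findings would be attributed to the wrong resource, so confirm it exists before dropping the local import. Separately, the check goes from a `pde-*` pattern whitelist to a blacklist of `""` and `null`, i.e. from a naming-convention check to a presence check, while the situation description still says "not properly defined", which oversells what a presence check catches.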
From: 224774388deakin
Date: Sat, 2 May 2026 12:51:16 +1000
Subject: [PATCH 18/91] Cloud IAM

---
 .../name_validation/c.tf | 10 ++-----
 .../name_validation/nc.tf | 10 ++-----
 .../name_validation/policy.rego | 29 ++++++++++---------
 3 files changed, 22 insertions(+), 27 deletions(-)

diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
index 3cd459a93..9e774aa7a 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
@@ -1,14 +1,10 @@
 resource "google_iam_access_boundary_policy" "c" {
- parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-gcp-project")
- name = "my-ab-policy"
- display_name = "My Compliant AB policy"
-
+ name = "pde-my-ab-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+ display_name = "My AB policy"
 rules {
 description = "AB rule"
 access_boundary_rule {
- available_resource = "*"
- available_permissions = ["*"]
-
 availability_condition {
 title = "Access level expr"
 expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
index 695221fe7..23efe5bb8 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
@@ -1,14 +1,10 @@
 resource "google_iam_access_boundary_policy" "nc" {
- parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-gcp-project")
- name = ""
- display_name = "My Non-Compliant AB policy"
-
+ name = ""
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+ display_name = "My AB policy"
 rules {
 description = "AB rule"
 access_boundary_rule {
- available_resource = "*"
- available_permissions = ["*"]
-
 availability_condition {
 title = "Access level expr"
 expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
index b82d6c162..502659d59 100644
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
@@ -1,21 +1,24 @@
 package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.name_validation
-
 import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.vars
+import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
 conditions := [
+ [
- {
- "situation_description": "Policy name is missing or not properly defined.",
- "remedies": ["Ensure the name parameter is specified and is not empty."]
- },
- {
- "condition": "name is not empty or null",
- "attribute_path": ["name"],
- "values": ["", null],
- "policy_type": "blacklist"
- }
- ]
+ {
+ "situation_description": "Policy name is missing or not properly defined",
+ "remedies": [
+ "Provide a valid policy name",
+ "Use meaningful naming (e.g., pde-access-boundary)"
+ ]
+ },
+ {
+ "condition": "Validate policy name format",
+ "attribute_path": ["name"],
+ "values": ["pde-*"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
 ]
 result := helpers.get_multi_summary(conditions, vars.variables)

From 6f710b84cdd7ec2e91814353ebafce0104f8028a Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sat, 2 May 2026 12:54:01 +1000
Subject: [PATCH 19/91] Cloud IAM

---
 .../google_iam_access_boundary_policy/name_validation/nc.tf | 2 +-
 .../google_iam_access_boundary_policy/parent_validation/nc.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
index 23efe5bb8..462709d6c 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
@@ -1,6 +1,6 @@
 resource "google_iam_access_boundary_policy" "nc" {
 name = ""
- parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+ parent = "invalid-parent"
 display_name = "My AB policy"
 rules {
 description = "AB rule"
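Review bot: The name_validation non-compliant fixture now has both `name = ""` and `parent = "invalid-parent"`, and the parent_validation nc.tf hunk on the next line adds `name = ""` beside its already-invalid parent, so neither negative fixture isolates the attribute its directory is named for. A finding against either fixture can no longer be attributed to the check under test, and a regression in one policy would go unnoticed as long as the other still fires. Keep only the attribute under test invalid in each nc.tf: restore `parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"` here and keep a valid `name` in parent_validation/nc.tf. The resource block continues past the end of this hunk.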
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
index b9a6d296a..840bf431c 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
@@ -1,5 +1,5 @@
 resource "google_iam_access_boundary_policy" "nc" {
- name = "also-valid-name"
+ name = ""
 parent = "invalid-parent"
 display_name = "Invalid parent policy"

From 7ce58f5df9552153d8d7c85243e16489cca3166e Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sat, 2 May 2026 13:03:03 +1000
Subject: [PATCH 20/91] Cloud IAM

---
 .../project_validation/nc.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf
index 025addfc5..91a462365 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf
@@ -1,5 +1,5 @@
 resource "google_iam_projects_policy_binding" "nc" {
- project = "INVALID_PROJECT_ID!!!"
+ project = "123"
 location = "global"
 display_name = "Invalid Project Binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
@@ -8,6 +8,6 @@ resource "google_iam_projects_policy_binding" "nc" {
 policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
 target {
- principal_set = "//cloudresourcemanager.googleapis.com/projects/INVALID_PROJECT_ID!!!"
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/123"
 }
 }
\ No newline at end of file

From ca784ed6fb66389e03fc6f21b3d61127f2514105 Mon Sep 17 00:00:00 2001
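Review bot: Replacing `INVALID_PROJECT_ID!!!` with `123` in both hunks of project_validation/nc.tf narrows the negative case from "contains disallowed characters" to "too short and starts with a digit", and the project_validation policy that has to reject it is not part of this commit. Confirm that policy's pattern actually fails an all-digit, three-character id; if it only blacklists empty or null values, this fixture would now pass and the test would stop catching anything. Keeping both forms as separate non-compliant fixtures would cover both rules. The first hunk's resource block continues between the two hunks.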
From: 224774388deakin Date: Sat, 2 May 2026 13:18:09 +1000 Subject: [PATCH 21/91] Cloud IAM --- .../name_validation/.terraform.lock.hcl | 21 --------------- .../name_validation/c.tf | 14 ---------- .../name_validation/config.tf | 11 -------- .../name_validation/nc.tf | 14 ---------- .../parent_validation/.terraform.lock.hcl | 21 --------------- .../parent_validation/c.tf | 16 ----------- .../parent_validation/config.tf | 11 -------- .../parent_validation/nc.tf | 16 ----------- .../name_validation/.terraform.lock.hcl | 21 --------------- .../name_validation/c.tf | 23 ---------------- .../name_validation/config.tf | 11 -------- .../name_validation/nc.tf | 23 ---------------- .../parent_validation/.terraform.lock.hcl | 21 --------------- .../parent_validation/c.tf | 20 -------------- .../parent_validation/config.tf | 11 -------- .../parent_validation/nc.tf | 20 -------------- .../folder_validation/.terraform.lock.hcl | 21 --------------- .../folder_validation/c.tf | 11 -------- .../folder_validation/config.tf | 11 -------- .../folder_validation/nc.tf | 11 -------- .../.terraform.lock.hcl | 21 --------------- .../credential_id_validation/c.tf | 8 ------ .../credential_id_validation/config.tf | 11 -------- .../credential_id_validation/nc.tf | 8 ------ .../.terraform.lock.hcl | 21 --------------- .../organization_validation/c.tf | 13 --------- .../organization_validation/config.tf | 11 -------- .../organization_validation/nc.tf | 13 --------- .../.terraform.lock.hcl | 21 --------------- .../organization_validation/c.tf | 15 ----------- .../organization_validation/config.tf | 11 -------- .../organization_validation/nc.tf | 15 ----------- .../project_validation/.terraform.lock.hcl | 21 --------------- .../project_validation/c.tf | 13 --------- .../project_validation/config.tf | 11 -------- .../project_validation/nc.tf | 13 --------- .../name_validation/policy.rego | 26 ------------------ .../parent_validation/policy.rego | 27 ------------------- .../vars.rego | 8 ------ 
.../name_validation/policy.rego | 23 ---------------- .../parent_validation/policy.rego | 22 --------------- .../google_iam_deny_policy/vars.rego | 7 ----- .../folder_validation/policy.rego | 26 ------------------ .../credential_id_validation/policy.rego | 27 ------------------- .../organization_validation/policy.rego | 26 ------------------ .../organization_validation/policy.rego | 26 ------------------ .../project_validation/policy.rego | 23 ---------------- 47 files changed, 795 deletions(-) delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf delete mode 100644 
inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/.terraform.lock.hcl delete mode 100644 
inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf delete mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl deleted file mode 100644 index 1f00f27db..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl +++ /dev/null 
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.30.0"
- hashes = [
- "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=",
- "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251",
- "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3",
- "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832",
- "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50",
- "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4",
- "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803",
- "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9",
- "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af",
- "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff",
- "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748",
- "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
deleted file mode 100644
index 9e774aa7a..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-resource "google_iam_access_boundary_policy" "c" {
- name = "pde-my-ab-policy"
- parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
- display_name = "My AB policy"
- rules {
- description = "AB rule"
- access_boundary_rule {
- availability_condition {
- title = "Access level expr"
- expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
deleted file mode 100644
index 462709d6c..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-resource "google_iam_access_boundary_policy" "nc" {
- name = ""
- parent = "invalid-parent"
- display_name = "My AB policy"
- rules {
- description = "AB rule"
- access_boundary_rule {
- availability_condition {
- title = "Access level expr"
- expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl
deleted file mode 100644
index 3247f9b34..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.27.0"
- hashes = [
- "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
- "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
- "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
- "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
- "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
- "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
- "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
- "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
- "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
- "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
- "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
deleted file mode 100644
index 81cbbd792..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-resource "google_iam_access_boundary_policy" "c" {
- name = "valid-policy-name"
- parent = "cloudresourcemanager.googleapis.com/projects/123456789"
- display_name = "Valid AB policy"
-
- rules {
- description = "Valid rule"
-
- access_boundary_rule {
- availability_condition {
- title = "Access level expr"
- expression = "true"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
deleted file mode 100644
index 840bf431c..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-resource "google_iam_access_boundary_policy" "nc" {
- name = ""
- parent = "invalid-parent"
- display_name = "Invalid parent policy"
-
- rules {
- description = "Invalid rule"
-
- access_boundary_rule {
- availability_condition {
- title = "Bad expr"
- expression = "false"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl
deleted file mode 100644
index 3247f9b34..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.27.0"
- hashes = [
- "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
- "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
- "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
- "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
- "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
- "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
- "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
- "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
- "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
- "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
- "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
deleted file mode 100644
index eef74600d..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-resource "google_iam_deny_policy" "c" {
- name = "pde-deny-policy"
- parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
-
- display_name = "Deny policy"
-
- rules {
- description = "Deny rule"
-
- deny_rule {
- denied_principals = ["principal://goog/subject/user@example.com"]
-
- denied_permissions = [
- "cloudresourcemanager.googleapis.com/projects.update"
- ]
-
- denial_condition {
- title = "Condition"
- expression = "true"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
deleted file mode 100644
index 6697a35f5..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-resource "google_iam_deny_policy" "nc" {
- name = "deny-policy"
- parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
-
- display_name = "Deny policy"
-
- rules {
- description = "Deny rule"
-
- deny_rule {
- denied_principals = ["principal://goog/subject/user@example.com"]
-
- denied_permissions = [
- "cloudresourcemanager.googleapis.com/projects.update"
- ]
-
- denial_condition {
- title = "Condition"
- expression = "true"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl
deleted file mode 100644
index 3247f9b34..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.27.0"
- hashes = [
- "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
- "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
- "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
- "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
- "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
- "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
- "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
- "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
- "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
- "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
- "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf
deleted file mode 100644
index 2c1e74122..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-resource "google_iam_deny_policy" "c" {
- name = "pde-deny-policy"
- parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
-
- display_name = "PDE Deny Policy"
-
- rules {
- description = "Prevent unauthorized project updates"
-
- deny_rule {
- denied_principals = ["principalSet://goog/public:all"]
- denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
-
- denial_condition {
- title = "Only allow test environments"
- expression = "!resource.matchTag('project/env', 'production')"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf
deleted file mode 100644
index 2a20b1b59..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-resource "google_iam_deny_policy" "nc" {
- name = "pde-deny-policy"
- parent = "projects/my-project-id" # Invalid format
-
- display_name = "PDE Deny Policy"
-
- rules {
- description = "Prevent unauthorized project updates"
-
- deny_rule {
- denied_principals = ["principalSet://goog/public:all"]
- denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
-
- denial_condition {
- title = "Only allow test environments"
- expression = "!resource.matchTag('project/env', 'production')"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl
deleted file mode 100644
index 3247f9b34..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.27.0"
- hashes = [
- "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
- "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
- "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
- "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
- "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
- "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
- "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
- "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
- "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
- "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
- "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf
deleted file mode 100644
index 9ab80c2c7..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-resource "google_iam_folders_policy_binding" "c" {
- folder = "123456789"
- location = "global"
- policy_binding_id = "folder-binding-c"
-
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
-
- target {
- principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
deleted file mode 100644
index bc66d6185..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-resource "google_iam_folders_policy_binding" "nc" {
- folder = ""
- location = "global"
- policy_binding_id = "folder-binding-nc"
-
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
-
- target {
- principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/.terraform.lock.hcl
deleted file mode 100644
index 3247f9b34..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.27.0"
- hashes = [
- "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
- "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
- "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
- "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
- "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
- "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
- "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
- "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
- "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
- "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
- "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/c.tf
deleted file mode 100644
index 9da6360ea..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/c.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-resource "google_iam_oauth_client_credential" "c" {
- oauthclient = "example-client-id"
- location = "global"
- oauth_client_credential_id = "cred-01a"
- disabled = false
- display_name = "Valid Credential"
- project = "smooth-verve-467716-v1"
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf
deleted file mode 100644
index e24175001..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/nc.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-resource "google_iam_oauth_client_credential" "nc" {
- oauthclient = "example-client-id"
- location = "global"
- oauth_client_credential_id = "gcp23424sdresdfscred!@01a"
- disabled = false
- display_name = "Invalid Credential"
- project = "smooth-verve-467716-v1"
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/.terraform.lock.hcl
deleted file mode 100644
index 3247f9b34..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.27.0"
- hashes = [
- "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=",
- "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471",
- "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99",
- "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77",
- "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053",
- "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8",
- "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47",
- "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3",
- "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6",
- "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698",
- "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf
deleted file mode 100644
index f87f21045..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/c.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-resource "google_iam_organizations_policy_binding" "c" {
- organization = "123456789"
- location = "global"
- display_name = "Compliant Org Policy Binding"
- policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy_binding_id = "org-binding-c"
-
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/my-pab-policy"
-
- target {
- principal_set = "//cloudresourcemanager.googleapis.com/organizations/123456789"
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
deleted file mode 100644
index 5db077a60..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/nc.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-resource "google_iam_organizations_policy_binding" "nc" {
- organization = "org-123abc"
- location = "global"
- display_name = "Non Compliant Org Policy Binding"
- policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy_binding_id = "org-binding-nc"
-
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/my-pab-policy"
-
- target {
- principal_set = "//cloudresourcemanager.googleapis.com/organizations/123456789"
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl
deleted file mode 100644
index 830cad037..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.29.0"
- hashes = [
- "h1:xM/PrKzyMDI6sHYmnpB7od1OqFkmdDK3ZCon7pc2pMk=",
- "zh:0e1057526f44cbb5462fd103f022743bbfe13aa33a460dc3adf76408b766a845",
- "zh:207a6de17871088d907bf11854419fbc9793fa832f4bbdcc1aa0d63d18f87dcf",
- "zh:2afdb8530b53edb1ea39aa3736e0a28eb8413d042296e01026c027e3b5abf12f",
- "zh:2b920672181a115a72c901a0f121b4a5425d9977b05c0231e84a669f3c8ac731",
- "zh:38112b22bb9e8ab3c45caa6ff084b2a288ce609335688c11666c637e4f0c335f",
- "zh:3996360bf8f3a17819183df69fc6dad750e8661cbf8f24b1ef96f2db5632f92d",
- "zh:68a6e45fe1c2bd2d5261a45f88fc7a99f45ba86133d1a6e9921a61a2a32a5720",
- "zh:b301dab9f82659564ee82e3df4f860af3c1577f5e1836815ef4242f2a7f2758d",
- "zh:b4358fc2c02d4352349b07efd255ee63b7f8adc68ecf4e4ec976bfa1782003cf",
- "zh:d1545abb633519b7ff86d37fac822b2a624aa573b34228a2ea63fb925005cae2",
- "zh:e8f17a3f2b9fdd352e9e88524af91c8938345f996b303a29239c65edaf1c25a8",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
deleted file mode 100644
index 59e66340a..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-resource "google_iam_principal_access_boundary_policy" "c" {
- organization = "123456789"
- location = "global"
- display_name = "Compliant PAB Policy"
- principal_access_boundary_policy_id = "pab-org-c"
-
- details {
- rules {
- effect = "ALLOW"
- resources = [
- "//cloudresourcemanager.googleapis.com/organizations/123456789"
- ]
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
deleted file mode 100644
index 76d0f11af..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-resource "google_iam_principal_access_boundary_policy" "nc" {
- organization = "org-123abc"
- location = "global"
- display_name = "Non-Compliant PAB Policy"
- principal_access_boundary_policy_id = "pab-org-nc"
-
- details {
- rules {
- effect = "ALLOW"
- resources = [
- "//cloudresourcemanager.googleapis.com/organizations/123456789"
- ]
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/.terraform.lock.hcl
deleted file mode 100644
index 830cad037..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.29.0"
- hashes = [
- "h1:xM/PrKzyMDI6sHYmnpB7od1OqFkmdDK3ZCon7pc2pMk=",
- "zh:0e1057526f44cbb5462fd103f022743bbfe13aa33a460dc3adf76408b766a845",
- "zh:207a6de17871088d907bf11854419fbc9793fa832f4bbdcc1aa0d63d18f87dcf",
- "zh:2afdb8530b53edb1ea39aa3736e0a28eb8413d042296e01026c027e3b5abf12f",
- "zh:2b920672181a115a72c901a0f121b4a5425d9977b05c0231e84a669f3c8ac731",
- "zh:38112b22bb9e8ab3c45caa6ff084b2a288ce609335688c11666c637e4f0c335f",
- "zh:3996360bf8f3a17819183df69fc6dad750e8661cbf8f24b1ef96f2db5632f92d",
- "zh:68a6e45fe1c2bd2d5261a45f88fc7a99f45ba86133d1a6e9921a61a2a32a5720",
- "zh:b301dab9f82659564ee82e3df4f860af3c1577f5e1836815ef4242f2a7f2758d",
- "zh:b4358fc2c02d4352349b07efd255ee63b7f8adc68ecf4e4ec976bfa1782003cf",
- "zh:d1545abb633519b7ff86d37fac822b2a624aa573b34228a2ea63fb925005cae2",
- "zh:e8f17a3f2b9fdd352e9e88524af91c8938345f996b303a29239c65edaf1c25a8",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/c.tf
deleted file mode 100644
index 141f6f557..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/c.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-resource "google_iam_projects_policy_binding" "c" {
- project = "smooth-verve-467716-v1"
- location = "global"
- display_name = "Valid Project Binding"
- policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy_binding_id = "binding-project-c"
-
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
-
- target {
- principal_set = "//cloudresourcemanager.googleapis.com/projects/smooth-verve-467716-v1"
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf
deleted file mode 100644
index 91a462365..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/nc.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-resource "google_iam_projects_policy_binding" "nc" {
- project = "123"
- location = "global"
- display_name = "Invalid Project Binding"
- policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy_binding_id = "binding-project-nc"
-
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
-
- target {
- principal_set = "//cloudresourcemanager.googleapis.com/projects/123"
- }
-}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
deleted file mode 100644
index 502659d59..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
+++ /dev/null
@@ -1,26 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.name_validation
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
-
-conditions := [
-
- [
- {
- "situation_description": "Policy name is missing or not properly defined",
- "remedies": [
- "Provide a valid policy name",
- "Use meaningful naming (e.g., pde-access-boundary)"
- ]
- },
- {
- "condition": "Validate policy name format",
- "attribute_path": ["name"],
- "values": ["pde-*"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
deleted file mode 100644
index dc75974bf..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
+++ /dev/null
@@ -1,27 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.parent_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
-
-conditions := [
-
- [
- {
- "situation_description": "Parent is not properly defined or not URL encoded",
- "remedies": [
- "Ensure parent uses URL-encoded format",
- "Use format: cloudresourcemanager.googleapis.com/projects/"
- ]
- },
- {
- "condition": "Validate parent format",
- "attribute_path": ["parent"],
- "values": ["cloudresourcemanager.googleapis.com/projects/"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego
deleted file mode 100644
index cf3bba0e0..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego
+++ /dev/null
@@ -1,8 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
-
-
-variables := {
- "friendly_resource_name": "Cloud_IAM access boundary policy ",
- "resource_type": "google_iam_access_boundary_policy",
- "resource_value_name": "name"
-}
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
deleted file mode 100644
index b8bf22bfc..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
+++ /dev/null
@@ -1,23 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.name_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
-
-conditions := [
- [
- {
- "situation_description": "Deny policy name is not following naming convention",
- "remedies": ["Use prefix 'pde-' for deny policies"]
- },
- {
- "condition": "Validate deny policy name",
- "attribute_path": ["name"],
- "values": ["pde-*"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
deleted file mode 100644
index 5c29e7de7..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
+++ /dev/null
@@ -1,22 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.parent_validation
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
-
-conditions := [
- [
- {
- "situation_description": "Parent is not correctly defined",
- "remedies": ["Use format: cloudresourcemanager.googleapis.com/projects/"]
- },
- {
- "condition": "Validate parent format",
- "attribute_path": ["parent"],
- "values": ["cloudresourcemanager.googleapis.com/projects/*"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
deleted file mode 100644
index a53e0000c..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
+++ /dev/null
@@ -1,7 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
-
-variables := {
- "friendly_resource_name": "Cloud_IAM deny policy",
- "resource_type": "google_iam_deny_policy",
- "resource_value_name": "name"
-}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
deleted file mode 100644
index aad6bb7ee..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
+++ /dev/null
@@ -1,26 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.folder_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
-
-conditions := [
- [
- {
- "situation_description": "Folder must be a valid numeric GCP folder ID",
- "remedies": [
- "Provide a valid numeric folder ID",
- "Example: 224774388"
- ]
- },
- {
- "condition": "Validate folder format using pattern",
- "attribute_path": ["folder"],
- "values": ["^[0-9]+$"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego
deleted file mode 100644
index 1b5a6f287..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/credential_id_validation/policy.rego
+++ /dev/null
@@ -1,27 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.credential_id_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.vars
-
-conditions := [
- [
- {
- "situation_description": "Credential ID must follow secure naming rules (4–32 chars, lowercase, digits, hyphen allowed)",
- "remedies": [
- "Use lowercase letters, numbers, hyphens",
- "Length 4–32 characters",
- "Do not use gcp- prefix"
- ]
- },
- {
- "condition": "Validate oauth_client_credential_id format",
- "attribute_path": ["oauth_client_credential_id"],
- "values": ["^[a-z][a-z0-9-]{2,30}[a-z0-9]$"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego
deleted file mode 100644
index 37f7976c4..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/organization_validation/policy.rego
+++ /dev/null
@@ -1,26 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.organization_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding.vars
-
-conditions := [
- [
- {
- "situation_description": "Organization ID must be numeric",
- "remedies": [
- "Use valid numeric organization ID",
- "Example: 224774388"
- ]
- },
- {
- "condition": "Validate organization ID pattern",
- "attribute_path": ["organization"],
- "values": ["^[0-9]+$"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
deleted file mode 100644
index f443e2d33..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
+++ /dev/null
@@ -1,26 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.organization_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars
-
-conditions := [
- [
- {
- "situation_description": "Organization ID must be numeric only",
- "remedies": [
- "Use a valid GCP organization ID",
- "Example: 123456789"
- ]
- },
- {
- "condition": "Validate organization format",
- "attribute_path": ["organization"],
- "values": ["^[0-9]+$"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego
deleted file mode 100644
index 599f62655..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_validation/policy.rego
+++ /dev/null
@@ -1,23 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.project_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars
-
-conditions := [
- [
- {
- "situation_description": "Project ID must be valid format (alphanumeric and hyphen allowed)",
- "remedies": ["Use valid GCP project ID format"]
- },
- {
- "condition": "Validate project format",
- "attribute_path": ["project"],
- "values": ["^[a-z][a-z0-9-]{4,28}[a-z0-9]$"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
From cbc6835b0a40b6df9f4b61ff2ebbf46928be324e Mon Sep 17 00:00:00 2001
From: 224774388deakin Date: Sat, 2 May 2026 13:26:41 +1000 Subject: [PATCH 22/91] fix folder policy validation --- .../target_validation/.terraform.lock.hcl | 21 +++++++++++++++++++ .../target_validation/c.tf | 13 ++++++++++++ .../target_validation/config.tf | 11 ++++++++++ .../target_validation/nc.tf | 14 +++++++++++++ 4 files changed, 59 insertions(+) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/nc.tf diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/c.tf new file mode 100644 index 000000000..be4a4aa1e --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/c.tf @@ -0,0 +1,13 @@ +resource "google_iam_folders_policy_binding" "c" { + folder = "123456789" + location = "global" + display_name = "Valid Folder Binding" + policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" + policy_binding_id = "binding-folder-c" + + policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" + + target { + principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789" + } +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/nc.tf
new file mode 100644
index 000000000..2336d713b
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/nc.tf
@@ -0,0 +1,14 @@
+resource "google_iam_folders_policy_binding" "nc" {
+ folder = "123456789"
+ location = "global"
+ display_name = "Invalid Folder Binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "binding-folder-nc"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/123456789"
+ }
+}
\ No newline at end of file
From f7ab7f72d260d31cb4d92cfd92de2e6a0625babc Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 13:29:14 +1000 Subject: [PATCH 23/91] fix folder policy validation --- .../target_validation/policy.rego | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego
new file mode 100644
index 000000000..aa5fa5c5c
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego
@@ -0,0 +1,23 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.target_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Target must be a valid folder principal_set format",
+ "remedies": ["Must use //cloudresourcemanager.googleapis.com/folders/{folder_id}"]
+ },
+ {
+ "condition": "Validate principal_set format",
+ "attribute_path": ["target", "principal_set"],
+ "values": ["^//cloudresourcemanager\\.googleapis\\.com/folders/[0-9]+$"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
From 6fcc19ec2042f178206d354923b6a7e1f8bccaec Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 13:34:12 +1000 Subject: [PATCH 24/91] Cloud IAM --- .../target_validation/policy.rego | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego
index aa5fa5c5c..dc7aa2e3a 100644
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego
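Review bot: The `principal_set` regex in the second condition only checks that the target names some folder; it does not tie that folder to the resource's own `folder` attribute, so a binding with `folder = "123456789"` and `principal_set = "//cloudresourcemanager.googleapis.com/folders/987654321"` passes even though the binding would then be attached under one folder while naming another. The `c.tf` fixture uses the same ID in both places, which suggests equality is the intended invariant. Whether `helpers.get_multi_summary` can compare two attributes is not visible from this hunk; if it cannot, record the limitation above the condition, e.g. `# Format check only: does not verify the target folder ID equals the "folder" attribute`.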
@@ -6,12 +6,13 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.v
 conditions := [
 [
 {
- "situation_description": "Target must be a valid folder principal_set format",
+ "situation_description": "Target principal_set must match folder format",
 "remedies": ["Must use //cloudresourcemanager.googleapis.com/folders/{folder_id}"]
 },
 {
 "condition": "Validate principal_set format",
- "attribute_path": ["target", "principal_set"],
+ "attribute_path": ["target"],
+ "field": "principal_set",
 "values": ["^//cloudresourcemanager\\.googleapis\\.com/folders/[0-9]+$"],
 "policy_type": "pattern whitelist"
 }
From 53b50f1045e8410acfa657d494e9a60abe29dcd3 Mon Sep 17 00:00:00 2001
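Review bot: The new `"field": "principal_set"` key on the second condition is not used by any other condition on this page, and nothing visible shows that `helpers.get_multi_summary` reads it. If the helper ignores unknown keys, the condition now applies the regex to the whole `target` block rather than to `principal_set`, which would not match for the compliant and non-compliant fixtures alike, so the rule would either flag every resource or none. The earlier `"attribute_path": ["target", "principal_set"]` presumably failed because `target` is an HCL block and shows up as a list in the plan JSON; if so, the helper needs a list-aware path rather than a new key. Please confirm against the helper and, if `field` is supported, document it above the condition, e.g. `# "field" selects a key inside the block addressed by attribute_path`.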
From: 224774388deakin Date: Sat, 2 May 2026 13:59:26 +1000 Subject: [PATCH 25/91] Cloud IAM --- .../folder_validation/.terraform.lock.hcl | 21 +++++++++++++++ .../c.tf | 8 +++--- .../config.tf | 0 .../folder_validation/nc.tf | 11 ++++++++ .../target_validation/.terraform.lock.hcl | 21 --------------- .../target_validation/nc.tf | 14 ---------- .../folder_validation/policy.rego | 26 +++++++++++++++++++ .../target_validation/policy.rego | 24 ----------------- .../vars.rego | 2 +- 9 files changed, 62 insertions(+), 65 deletions(-) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl rename inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/{target_validation => folder_validation}/c.tf (54%) rename inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/{target_validation => folder_validation}/config.tf (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/nc.tf create mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl new file mode 100644 index 000000000..3247f9b34 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.27.0" + hashes = [ + "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", + "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", + "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", + "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", + "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", + "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", + "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", + "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", + "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", + "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", + "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf similarity index 54% rename from inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/c.tf rename to inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf index be4a4aa1e..9ab80c2c7 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf 
@@ -1,9 +1,7 @@
 resource "google_iam_folders_policy_binding" "c" {
- folder = "123456789"
- location = "global"
- display_name = "Valid Folder Binding"
- policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy_binding_id = "binding-folder-c"
+ folder = "123456789"
+ location = "global"
+ policy_binding_id = "folder-binding-c"
 policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf
similarity index 100%
rename from inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/config.tf
rename to inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
new file mode 100644
index 000000000..bc66d6185
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
@@ -0,0 +1,11 @@
+resource "google_iam_folders_policy_binding" "nc" {
+ folder = ""
+ location = "global"
+ policy_binding_id = "folder-binding-nc"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/.terraform.lock.hcl
deleted file mode 100644
index 1f00f27db..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "7.30.0" - hashes = [ - "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", - "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", - "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", - "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", - "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", - "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", - "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", - "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", - "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", - "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", - "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", - "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/nc.tf deleted file mode 100644 index 2336d713b..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/nc.tf +++ /dev/null @@ -1,14 +0,0 @@ -resource "google_iam_folders_policy_binding" "nc" { - folder = "123456789" - location = "global" - display_name = "Invalid Folder Binding" - policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" - policy_binding_id = "binding-folder-nc" - - policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" - - target { - - principal_set = "//cloudresourcemanager.googleapis.com/projects/123456789" - } -} \ No newline at end of file 
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
new file mode 100644
index 000000000..aad6bb7ee
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego
@@ -0,0 +1,26 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.folder_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Folder must be a valid numeric GCP folder ID",
+ "remedies": [
+ "Provide a valid numeric folder ID",
+ "Example: 224774388"
+ ]
+ },
+ {
+ "condition": "Validate folder format using pattern",
+ "attribute_path": ["folder"],
+ "values": ["^[0-9]+$"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego
deleted file mode 100644
index dc7aa2e3a..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/target_validation/policy.rego
+++ /dev/null
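Review bot: After this patch the only rule left for `google_iam_folders_policy_binding` is that `folder` is numeric, because the `target_validation` policy is deleted in the same commit, so a folder binding whose `target.principal_set` names a project (the case the removed `target_validation/nc.tf` fixture exercised) is no longer flagged by anything on this page. If the nested `attribute_path` was what blocked that rule, it would be better kept here as a second condition group once the helper can address a key inside the `target` block, rather than dropped; a line such as `# TODO: principal_set format check removed pending nested-path support in helpers` above `conditions` would record that. This file is byte-identical to the one removed in patch 01 (same index `aad6bb7ee`), so the commit is effectively a restore of it and the message `Cloud IAM` does not say so.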
@@ -1,24 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.target_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
-
-conditions := [
- [
- {
- "situation_description": "Target principal_set must match folder format",
- "remedies": ["Must use //cloudresourcemanager.googleapis.com/folders/{folder_id}"]
- },
- {
- "condition": "Validate principal_set format",
- "attribute_path": ["target"],
- "field": "principal_set",
- "values": ["^//cloudresourcemanager\\.googleapis\\.com/folders/[0-9]+$"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego
index b28d6831a..157fce905 100644
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM folder policy binding",
 "resource_type": "google_iam_folders_policy_binding",
- "resource_value_name": "name"
+ "resource_value_name": "policy_binding_id"
 }
\ No newline at end of file
From ce0f0ab0b237bc176d9dcaf6a693ac2c8456785b Mon Sep 17 00:00:00 2001
From: 224774388deakin Date: Sat, 2 May 2026 14:02:42 +1000 Subject: [PATCH 26/91] Cloud IAM --- .../google_iam_folders_policy_binding/folder_validation/c.tf | 1 + .../google_iam_folders_policy_binding/folder_validation/nc.tf | 1 + .../google_iam_folders_policy_binding/location_validation/c.tf | 1 + .../google_iam_folders_policy_binding/location_validation/nc.tf | 1 + .../gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego | 2 +- 5 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf
index 9ab80c2c7..97331cd47 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf
@@ -1,4 +1,5 @@
 resource "google_iam_folders_policy_binding" "c" {
+ name = "c"
 folder = "123456789"
 location = "global"
 policy_binding_id = "folder-binding-c"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
index bc66d6185..1f00ef9b0 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf
@@ -1,4 +1,5 @@
 resource "google_iam_folders_policy_binding" "nc" {
+ name = "nc"
 folder = ""
 location = "global"
 policy_binding_id = "folder-binding-nc"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf
index a86f841df..7a153a084 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf
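Review bot: `name = "c"` / `name = "nc"` is added as an argument in all four fixtures of this patch (folder_validation and location_validation, c.tf and nc.tf), but for `google_iam_folders_policy_binding` I would expect `name` to be a computed attribute rather than a settable argument, in which case `terraform validate` rejects every fixture; the diffstat of the following patch removes the same line from all four files, which points the same way. The `vars.rego` hunk in this patch reverts `resource_value_name` from `policy_binding_id` back to `name` to match, so once `name` is gone from the fixtures the reporting key refers to a value the fixtures never set. Keeping `"resource_value_name": "policy_binding_id"`, which the fixtures already provide, avoids both problems; if the helper needs `name`, add a comment in `vars.rego` saying where that value is expected to come from.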
@@ -1,4 +1,5 @@ resource "google_iam_folders_policy_binding" "c" { + name = "c" folder = "123456789" location = "global" policy_binding_id = "binding-c" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf index 5b8375b13..9264587f0 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf @@ -1,4 +1,5 @@ resource "google_iam_folders_policy_binding" "nc" { + name = "nc" folder = "123456789" location = "australia-southeast1" policy_binding_id = "binding-nc" diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego index 157fce905..b28d6831a 100644 --- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego +++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego @@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars variables := { "friendly_resource_name": "Cloud_IAM folder policy binding", "resource_type": "google_iam_folders_policy_binding", - "resource_value_name": "policy_binding_id" + "resource_value_name": "name" } \ No newline at end of file From 5d63843ec84214d3c24bbd59fe27782118be6b9d Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 14:05:35 +1000 Subject: [PATCH 27/91] Cloud IAM --- .../folder_validation/.terraform.lock.hcl | 26 +++++++++---------- .../folder_validation/c.tf | 1 - .../folder_validation/nc.tf | 1 - .../location_validation/c.tf | 1 - .../location_validation/nc.tf | 1 - 5 files changed, 13 insertions(+), 17 deletions(-) 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl
index 3247f9b34..1f00f27db 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "7.27.0" + version = "7.30.0" hashes = [ - "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", - "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", - "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", - "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", - "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", - "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", - "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", - "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", - "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", - "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", - "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", ] } 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf index 97331cd47..9ab80c2c7 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf @@ -1,5 +1,4 @@ resource "google_iam_folders_policy_binding" "c" { - name = "c" folder = "123456789" location = "global" policy_binding_id = "folder-binding-c" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf index 1f00ef9b0..bc66d6185 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf @@ -1,5 +1,4 @@ resource "google_iam_folders_policy_binding" "nc" { - name = "nc" folder = "" location = "global" policy_binding_id = "folder-binding-nc" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf index 7a153a084..a86f841df 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf @@ -1,5 +1,4 @@ resource "google_iam_folders_policy_binding" "c" { - name = "c" folder = "123456789" location = "global" policy_binding_id = "binding-c" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf index 9264587f0..5b8375b13 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf 
@@ -1,5 +1,4 @@ resource "google_iam_folders_policy_binding" "nc" { - name = "nc" folder = "123456789" location = "australia-southeast1" policy_binding_id = "binding-nc" From cf1922b5d117b9eee28fe7028467f12b0514a9f8 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 14:14:56 +1000 Subject: [PATCH 28/91] Cloud IAM --- .../folder_validation/c.tf | 11 -------- .../folder_validation/nc.tf | 11 -------- .../.terraform.lock.hcl | 0 .../display_name_validation/c.tf | 12 +++++++++ .../display_name_validation}/config.tf | 0 .../display_name_validation/nc.tf | 12 +++++++++ .../folder_validation/policy.rego | 26 ------------------- .../display_name_validation/policy.rego | 26 +++++++++++++++++++ 8 files changed, 50 insertions(+), 48 deletions(-) delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf rename inputs/gcp/Cloud_IAM/{google_iam_folders_policy_binding/folder_validation => google_iam_oauth_client/display_name_validation}/.terraform.lock.hcl (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/c.tf rename inputs/gcp/Cloud_IAM/{google_iam_folders_policy_binding/folder_validation => google_iam_oauth_client/display_name_validation}/config.tf (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf delete mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego create mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/policy.rego diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf deleted file mode 100644 index 9ab80c2c7..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/c.tf +++ /dev/null 
@@ -1,11 +0,0 @@ -resource "google_iam_folders_policy_binding" "c" { - folder = "123456789" - location = "global" - policy_binding_id = "folder-binding-c" - - policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" - - target { - principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789" - } -} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf deleted file mode 100644 index bc66d6185..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/nc.tf +++ /dev/null @@ -1,11 +0,0 @@ -resource "google_iam_folders_policy_binding" "nc" { - folder = "" - location = "global" - policy_binding_id = "folder-binding-nc" - - policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" - - target { - principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789" - } -} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/.terraform.lock.hcl similarity index 100% rename from inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/.terraform.lock.hcl rename to inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/.terraform.lock.hcl diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/c.tf new file mode 100644 index 000000000..25fa31340 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/c.tf 
@@ -0,0 +1,12 @@ +resource "google_iam_oauth_client" "c" { + oauth_client_id = "example-client-id" + display_name = "Valid OAuth Client" + description = "Valid description" + location = "global" + disabled = false + allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] + allowed_redirect_uris = ["https://example.com"] + allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + client_type = "CONFIDENTIAL_CLIENT" + project = "smooth-verve-467716-v1" +} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/config.tf similarity index 100% rename from inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/config.tf rename to inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/config.tf diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf new file mode 100644 index 000000000..76d5af76e --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf @@ -0,0 +1,12 @@ +resource "google_iam_oauth_client" "nc" { + oauth_client_id = "example-client-id" + display_name = "" + description = "Invalid OAuth Client" + location = "global" + disabled = false + allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] + allowed_redirect_uris = ["https://example.com"] + allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + client_type = "CONFIDENTIAL_CLIENT" + project = "smooth-verve-467716-v1" +} \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego deleted file mode 100644 index aad6bb7ee..000000000 
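Review bot: Both new display_name_validation fixtures hard-code `project = "smooth-verve-467716-v1"`, which reads like a real project ID rather than the synthetic values used elsewhere in this series (folder `123456789`, `my-project`). If it is a real project, committed test inputs should not carry it; a placeholder such as `project = "my-project"` is enough for `terraform plan` and keeps the fixture environment-neutral. The same value appears in the nc.tf hunk on this line.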
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/folder_validation/policy.rego +++ /dev/null @@ -1,26 +0,0 @@ -package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.folder_validation - -import data.terraform.helpers -import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars - -conditions := [ - [ - { - "situation_description": "Folder must be a valid numeric GCP folder ID", - "remedies": [ - "Provide a valid numeric folder ID", - "Example: 224774388" - ] - }, - { - "condition": "Validate folder format using pattern", - "attribute_path": ["folder"], - "values": ["^[0-9]+$"], - "policy_type": "pattern whitelist" - } - ] -] - -result := helpers.get_multi_summary(conditions, vars.variables) -message := result.message -details := result.details \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/policy.rego new file mode 100644 index 000000000..47f950dbb --- /dev/null +++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/policy.rego @@ -0,0 +1,26 @@ +package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.display_name_validation + +import data.terraform.helpers +import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars + +conditions := [ + [ + { + "situation_description": "OAuth client display_name must be 1–32 characters", + "remedies": [ + "Provide display_name", + "Ensure length ≤ 32 characters" + ] + }, + { + "condition": "Validate display_name format", + "attribute_path": ["display_name"], + "values": ["^.{1,32}$"], + "policy_type": "pattern whitelist" + } + ] +] + +result := helpers.get_multi_summary(conditions, vars.variables) +message := result.message +details := result.details \ No newline at end of file From 0a84bd5eba0ed400107dae2e5853d990bb8af6c4 Mon Sep 17 00:00:00 2001 
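Review bot: The pattern `^.{1,32}$` in the new display_name_validation policy counts regex characters, so a 32-character non-ASCII name passes even if the API enforces a byte limit, `.` does not match a newline so a multi-line value fails with a misleading length remedy, and whitespace-only names are accepted although the remedy "Provide display_name" implies they should not be. If a non-blank name is the intent, `"values": ["^\\S.{0,31}$"]` closes the whitespace case, and the `situation_description` should say whether the limit is characters or bytes. Separately, this commit deletes the folder_validation policy (the numeric `folder` check on google_iam_folders_policy_binding) and its fixtures without a replacement or a mention in the commit message; a sentence on why that check is dropped would help the next reader.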
From: 224774388deakin Date: Sat, 2 May 2026 14:21:38 +1000 Subject: [PATCH 29/91] fix folder policy validation --- .../google_iam_oauth_client/display_name_validation/nc.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf index 76d5af76e..5f9d4021c 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf @@ -1,6 +1,6 @@ resource "google_iam_oauth_client" "nc" { oauth_client_id = "example-client-id" - display_name = "" + display_name = "23424asd" description = "Invalid OAuth Client" location = "global" disabled = false From c7462880041bcf8c52825f9c9149b3cbcd8fb75d Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 14:31:29 +1000 Subject: [PATCH 30/91] fix folder policy validation --- .../location_validation/c.tf | 2 ++ .../location_validation/nc.tf | 2 ++ .../.terraform.lock.hcl | 21 --------------- .../display_name_validation/c.tf | 12 --------- .../display_name_validation/config.tf | 11 -------- .../display_name_validation/nc.tf | 12 --------- .../display_name_validation/policy.rego | 26 ------------------- 7 files changed, 4 insertions(+), 82 deletions(-) delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf delete mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/policy.rego 
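Review bot: Changing the non-compliant fixture's `display_name` from `""` to `"23424asd"` makes it satisfy the policy's `^.{1,32}$` pattern (eight characters), so nc.tf no longer exercises the failure path of display_name_validation and the c/nc pair would both pass. A non-compliant value has to violate the rule, e.g. `display_name = "this-display-name-is-far-longer-than-thirty-two-characters"`, or the empty string should be kept. The commit subject "fix folder policy validation" does not describe this change either, and the whole display_name_validation set is removed again in the next commit, so dropping this commit may be the simplest resolution.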
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf index a86f841df..0e2bc8c03 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf @@ -1,4 +1,6 @@ resource "google_iam_folders_policy_binding" "c" { + name = "c" + project = "PDE" folder = "123456789" location = "global" policy_binding_id = "binding-c" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf index 5b8375b13..d970b0a48 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf @@ -1,4 +1,6 @@ resource "google_iam_folders_policy_binding" "nc" { + name = "c" + project = "PDE" folder = "123456789" location = "australia-southeast1" policy_binding_id = "binding-nc" diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/.terraform.lock.hcl deleted file mode 100644 index 1f00f27db..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/.terraform.lock.hcl +++ /dev/null 
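Review bot: The nc.tf hunk gives the non-compliant resource `name = "c"`, the same value as c.tf, which looks like a copy-paste slip given the c/nc naming used in PATCH 26 (`name = "nc"`). Both hunks also add `project = "PDE"` to a folder-scoped binding that already carries `folder = "123456789"`; if `name` and `project` are not accepted arguments on this resource (the following commit removes both lines again, which suggests they are not), `terraform validate` on these fixtures fails before any policy runs. If the attributes are needed for the policy engine's resource lookup, a comment in the fixture saying so would prevent the back-and-forth seen across PATCH 26, 27, 30 and 31.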
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "7.30.0" - hashes = [ - "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", - "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", - "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", - "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", - "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", - "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", - "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", - "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", - "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", - "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", - "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", - "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/c.tf deleted file mode 100644 index 25fa31340..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/c.tf +++ /dev/null @@ -1,12 +0,0 @@ -resource "google_iam_oauth_client" "c" { - oauth_client_id = "example-client-id" - display_name = "Valid OAuth Client" - description = "Valid description" - location = "global" - disabled = false - allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] - allowed_redirect_uris = ["https://example.com"] - allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - client_type = "CONFIDENTIAL_CLIENT" - project = "smooth-verve-467716-v1" -} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/config.tf deleted file mode 100644 index 9f4356520..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/config.tf +++ /dev/null @@ -1,11 +0,0 @@ -##### DO NOT EDIT ###### - -terraform { - required_providers { - google = { - source = "hashicorp/google" - } - } -} - -provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf deleted file mode 100644 index 5f9d4021c..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/nc.tf +++ /dev/null @@ -1,12 +0,0 @@ -resource "google_iam_oauth_client" "nc" { - oauth_client_id = "example-client-id" - display_name = "23424asd" - description = "Invalid OAuth Client" - location = "global" - disabled = false - allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] - allowed_redirect_uris = ["https://example.com"] - allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - client_type = "CONFIDENTIAL_CLIENT" - project = "smooth-verve-467716-v1" -} \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/policy.rego deleted file mode 100644 index 47f950dbb..000000000 --- a/policies/gcp/Cloud_IAM/google_iam_oauth_client/display_name_validation/policy.rego +++ /dev/null 
@@ -1,26 +0,0 @@ -package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.display_name_validation - -import data.terraform.helpers -import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars - -conditions := [ - [ - { - "situation_description": "OAuth client display_name must be 1–32 characters", - "remedies": [ - "Provide display_name", - "Ensure length ≤ 32 characters" - ] - }, - { - "condition": "Validate display_name format", - "attribute_path": ["display_name"], - "values": ["^.{1,32}$"], - "policy_type": "pattern whitelist" - } - ] -] - -result := helpers.get_multi_summary(conditions, vars.variables) -message := result.message -details := result.details \ No newline at end of file From d5f36ef0835226c02479c49fb971ada752e59c5a Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 14:32:29 +1000 Subject: [PATCH 31/91] fix folder policy validation --- .../google_iam_folders_policy_binding/location_validation/c.tf | 3 +-- .../location_validation/nc.tf | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf index 0e2bc8c03..76efb4566 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf @@ -1,6 +1,5 @@ resource "google_iam_folders_policy_binding" "c" { - name = "c" - project = "PDE" + folder = "123456789" location = "global" policy_binding_id = "binding-c" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf index d970b0a48..e2531296e 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf 
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf @@ -1,6 +1,5 @@ resource "google_iam_folders_policy_binding" "nc" { - name = "c" - project = "PDE" + folder = "123456789" location = "australia-southeast1" policy_binding_id = "binding-nc" From 21ab590b085c9e53f91868192e65ee435b87c643 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 14:45:50 +1000 Subject: [PATCH 32/91] fix folder policy validation --- .../pool_id_validation/.terraform.lock.hcl | 21 +++++++++++++++ .../pool_id_validation/c.tf | 5 ++++ .../pool_id_validation/config.tf | 11 ++++++++ .../pool_id_validation/nc.tf | 5 ++++ .../pool_id_validation/policy.rego | 27 +++++++++++++++++++ .../vars.rego | 7 +++++ 6 files changed, 76 insertions(+) create mode 100644 inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/c.tf create mode 100644 inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/config.tf create mode 100644 inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/nc.tf create mode 100644 policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/policy.rego create mode 100644 policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/vars.rego diff --git a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/c.tf b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/c.tf new file mode 100644 index 000000000..eadeb9431 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/c.tf @@ -0,0 +1,5 @@ +resource "google_iam_workforce_pool" "c" { + workforce_pool_id = "valid-pool-123" + parent = "organizations/123456789" + location = "global" +} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/config.tf b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null 
+++ b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/nc.tf b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/nc.tf new file mode 100644 index 000000000..572ca04f3 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/nc.tf @@ -0,0 +1,5 @@ +resource "google_iam_workforce_pool" "nc" { + workforce_pool_id = "invalid-pool-123" + parent = "organizations/123456789" + location = "global" +} \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/policy.rego b/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/policy.rego new file mode 100644 index 000000000..2e9832da3 --- /dev/null +++ b/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/policy.rego @@ -0,0 +1,27 @@ +package terraform.gcp.security.Cloud_IAM.google_iam_workforce_pool.pool_id_validation + +import data.terraform.helpers +import data.terraform.gcp.security.Cloud_IAM.google_iam_workforce_pool.vars + +conditions := [ + [ + { + "situation_description": "Workforce pool ID must be 6–63 chars, lowercase, hyphens allowed, no trailing hyphen", + "remedies": [ + "Use lowercase letters only", + "Ensure 6–63 characters", + "Do not end with hyphen" + ] + }, + { + "condition": "Validate workforce_pool_id format", + "attribute_path": ["workforce_pool_id"], + "values": ["^[a-z][a-z0-9-]{4,61}[a-z0-9]$"], + "policy_type": "pattern whitelist" + } + ] +] + +result := helpers.get_multi_summary(conditions, vars.variables) +message := result.message +details := result.details \ No newline at end of file 
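Review bot: The non-compliant fixture's `workforce_pool_id = "invalid-pool-123"` matches the new pattern `^[a-z][a-z0-9-]{4,61}[a-z0-9]$` (lowercase, starts with a letter, 16 characters, no trailing hyphen), so nc.tf passes pool_id_validation and the test pair cannot show the rule firing. Use a value that breaks one of the stated constraints, e.g. `workforce_pool_id = "Invalid-Pool-"`. The pattern encodes the 6–63 length, lowercase and trailing-hyphen rules from `situation_description`; if the intent is to mirror the API's ID constraints, the reserved `gcp-` prefix is not covered and is worth either adding as a second condition or stating as out of scope in the description.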
diff --git a/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/vars.rego b/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/vars.rego new file mode 100644 index 000000000..2e8c52ed5 --- /dev/null +++ b/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/vars.rego @@ -0,0 +1,7 @@ +package terraform.gcp.security.Cloud_IAM.google_iam_workforce_pool.vars + +variables := { + "friendly_resource_name": "Cloud_IAM Workforce Pool", + "resource_type": "google_iam_workforce_pool", + "resource_value_name": "name" +} \ No newline at end of file From ec11752211e8c486eaa15660111f59bf0458a75c Mon Sep 17 00:00:00 2001 
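Review bot: The new vars.rego sets `"resource_value_name": "name"`, but the fixtures in this commit define only `workforce_pool_id`, `parent` and `location`; if `resource_value_name` is what `helpers.get_multi_summary` uses to identify the offending resource in its output (the helper is not visible here), the report for this resource would lack an identifier and `"resource_value_name": "workforce_pool_id"` would be the consistent choice. The directory `policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/` also departs from the layout used for the other resources in this series (`policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/`, `.../google_iam_oauth_client/`) while the package path inside the file follows the usual form; aligning the directory with the package avoids a second naming scheme.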
From: 224774388deakin Date: Sat, 2 May 2026 15:38:37 +1000 Subject: [PATCH 33/91] fix folder policy validation --- .../pool_id_validation/c.tf | 5 ---- .../pool_id_validation/nc.tf | 5 ---- .../name_validation}/.terraform.lock.hcl | 0 .../name_validation/c.tf | 12 +++++++++ .../name_validation}/config.tf | 0 .../name_validation/nc.tf | 11 ++++++++ .../pool_id_validation/policy.rego | 27 ------------------- .../vars.rego | 7 ----- .../name_validation/policy.rego | 25 +++++++++++++++++ .../vars.rego | 7 +++++ 10 files changed, 55 insertions(+), 44 deletions(-) delete mode 100644 inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/nc.tf rename inputs/gcp/Cloud_IAM/{Cloud_IAM.google_iam_workforce_pool/pool_id_validation => google_iam_access_boundary_policy/name_validation}/.terraform.lock.hcl (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf rename inputs/gcp/Cloud_IAM/{Cloud_IAM.google_iam_workforce_pool/pool_id_validation => google_iam_access_boundary_policy/name_validation}/config.tf (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf delete mode 100644 policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/vars.rego create mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego create mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego diff --git a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/c.tf b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/c.tf deleted file mode 100644 index eadeb9431..000000000 --- a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/c.tf +++ /dev/null 
@@ -1,5 +0,0 @@
-resource "google_iam_workforce_pool" "c" {
- workforce_pool_id = "valid-pool-123"
- parent = "organizations/123456789"
- location = "global"
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/nc.tf b/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/nc.tf
deleted file mode 100644
index 572ca04f3..000000000
--- a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/nc.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "google_iam_workforce_pool" "nc" {
- workforce_pool_id = "invalid-pool-123"
- parent = "organizations/123456789"
- location = "global"
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
similarity index 100%
rename from inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/.terraform.lock.hcl
rename to inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
new file mode 100644
index 000000000..cd235fc9d
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
@@ -0,0 +1,12 @@
+resource "google_iam_access_boundary_policy" "c" {
+ parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
+ name = "restricted-storage-ab-policy"
+ display_name = "Restricted Storage Access Boundary Policy"
+
+ rules {
+ access_boundary_rule {
+ available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket"
+ available_permissions = ["inRole:roles/storage.objectViewer"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
similarity index 100%
rename from inputs/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/config.tf
rename to inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
new file mode 100644
index 000000000..65e04a909
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
@@ -0,0 +1,11 @@
+resource "google_iam_access_boundary_policy" "nc" {
+ parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
+ name = ""
+
+ rules {
+ access_boundary_rule {
+ available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket"
+ available_permissions = ["inRole:roles/storage.objectViewer"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/policy.rego b/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/policy.rego
deleted file mode 100644
index 2e9832da3..000000000
--- a/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/pool_id_validation/policy.rego
+++ /dev/null
@@ -1,27 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_workforce_pool.pool_id_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_workforce_pool.vars
-
-conditions := [
- [
- {
- "situation_description": "Workforce pool ID must be 6–63 chars, lowercase, hyphens allowed, no trailing hyphen",
- "remedies": [
- "Use lowercase letters only",
- "Ensure 6–63 characters",
- "Do not end with hyphen"
- ]
- },
- {
- "condition": "Validate workforce_pool_id format",
- "attribute_path": ["workforce_pool_id"],
- "values": ["^[a-z][a-z0-9-]{4,61}[a-z0-9]$"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/vars.rego b/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/vars.rego
deleted file mode 100644
index 2e8c52ed5..000000000
--- a/policies/gcp/Cloud_IAM/Cloud_IAM.google_iam_workforce_pool/vars.rego
+++ /dev/null
@@ -1,7 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_workforce_pool.vars
-
-variables := {
- "friendly_resource_name": "Cloud_IAM Workforce Pool",
- "resource_type": "google_iam_workforce_pool",
- "resource_value_name": "name"
-}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
new file mode 100644
index 000000000..2d0405795
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
@@ -0,0 +1,25 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.name_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Ensure the access boundary policy has a non-empty name defined.",
+ "remedies": [
+ "Set the 'name' attribute to a descriptive, non-empty string that clearly identifies the policy's purpose."
+ ]
+ },
+ {
+ "condition": "name must not be null or empty",
+ "attribute_path": ["name"],
+ "values": null,
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego
new file mode 100644
index 000000000..1cfc6293d
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
+
+variables := {
+ "friendly_resource_name": "Cloud_IAM Access Boundary Policy",
+ "resource_type": "google_iam_access_boundary_policy",
+ "resource_value_name": "name"
+}
\ No newline at end of file
From 227165467677fe6ec87b6d7ee5d75f8b39c98f4b Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sat, 2 May 2026 15:44:35 +1000
Subject: [PATCH 34/91] fix folder policy validation
---
.../parent_validation/.terraform.lock.hcl | 21 +++++++++++++ .../parent_validation/c.tf | 12 +++++++++++ .../parent_validation/config.tf | 11 ++++++++++ .../parent_validation/nc.tf | 12 +++++++++++ 4 files changed, 56 insertions(+)
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..1f00f27db
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf new file mode 100644 index 000000000..dbd5b48e5 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf @@ -0,0 +1,12 @@ +resource "google_iam_access_boundary_policy" "c" { + parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") + name = "restricted-ab-policy" + display_name = "Restricted Access Boundary Policy" + + rules { + access_boundary_rule { + available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket" + available_permissions = ["inRole:roles/storage.objectViewer"] + } + } +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
new file mode 100644
index 000000000..8bd177748
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
@@ -0,0 +1,12 @@
+resource "google_iam_access_boundary_policy" "nc" {
+ parent = ""
+ name = "restricted-ab-policy"
+ display_name = "Restricted Access Boundary Policy"
+
+ rules {
+ access_boundary_rule {
+ available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket"
+ available_permissions = ["inRole:roles/storage.objectViewer"]
+ }
+ }
+}
\ No newline at end of file
From 52184b0b654ad45711b2123e9a699be3a4d1c4b0 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sat, 2 May 2026 16:04:46 +1000
Subject: [PATCH 35/91] fix folder policy validation
---
.../name_validation/c.tf | 14 +++++---- .../name_validation/nc.tf | 13 +++++--- .../parent_validation/c.tf | 8 +++-- .../parent_validation/nc.tf | 8 +++-- .../name_validation/.terraform.lock.hcl | 21 +++++++++++++ .../name_validation/c.tf | 23 ++++++++++++++ .../name_validation/config.tf | 11 +++++++ .../name_validation/nc.tf | 23 ++++++++++++++ .../parent_validation/.terraform.lock.hcl | 21 +++++++++++++ .../parent_validation/c.tf | 20 ++++++++++++ .../parent_validation/config.tf | 11 +++++++ .../parent_validation/nc.tf | 20 ++++++++++++ .../name_validation/policy.rego | 31 ++++++++++--------- .../parent_validation/policy.rego | 28 +++++++++++++++++ .../name_validation/policy.rego | 23 ++++++++++++++ .../parent_validation/policy.rego | 22 +++++++++++++ .../google_iam_deny_policy/vars.rego | 7 +++++ 17 files changed, 273 insertions(+), 31 deletions(-)
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf
create mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf
create mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
create mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
create mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
create mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
index cd235fc9d..9e774aa7a 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
@@ -1,12 +1,14 @@
 resource "google_iam_access_boundary_policy" "c" {
- parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
- name = "restricted-storage-ab-policy"
- display_name = "Restricted Storage Access Boundary Policy"
-
+ name = "pde-my-ab-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+ display_name = "My AB policy"
 rules {
+ description = "AB rule"
 access_boundary_rule {
- available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket"
- available_permissions = ["inRole:roles/storage.objectViewer"]
+ availability_condition {
+ title = "Access level expr"
+ expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
+ }
 }
 }
 }
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
index 65e04a909..49ad9a89a 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
@@ -1,11 +1,14 @@
 resource "google_iam_access_boundary_policy" "nc" {
- parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
- name = ""
-
+ name = "my-ab-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+ display_name = "My AB policy"
 rules {
+ description = "AB rule"
 access_boundary_rule {
- available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket"
- available_permissions = ["inRole:roles/storage.objectViewer"]
+ availability_condition {
+ title = "Access level expr"
+ expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
+ }
 }
 }
 }
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
index dbd5b48e5..dfc6fcdac 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
@@ -1,7 +1,9 @@
 resource "google_iam_access_boundary_policy" "c" {
- parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
- name = "restricted-ab-policy"
- display_name = "Restricted Access Boundary Policy"
+ parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
+
+ name = "pde-my-ab-policy"
+
+ display_name = "Valid Access Boundary Policy"
 rules {
 access_boundary_rule {
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
index 8bd177748..245f56637 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
@@ -1,7 +1,9 @@ resource "google_iam_access_boundary_policy" "nc" { - parent = "" - name = "restricted-ab-policy" - display_name = "Restricted Access Boundary Policy" + parent = "invalid-parent-format" + + name = "pde-my-ab-policy" + + display_name = "Invalid Access Boundary Policy" rules { access_boundary_rule { diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl new file mode 100644 index 000000000..3247f9b34 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.27.0" + hashes = [ + "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", + "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", + "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", + "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", + "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", + "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", + "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", + "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", + "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", + "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", + "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf new file mode 100644 index 000000000..eef74600d --- /dev/null 
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
@@ -0,0 +1,23 @@
+resource "google_iam_deny_policy" "c" {
+ name = "pde-deny-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+
+ display_name = "Deny policy"
+
+ rules {
+ description = "Deny rule"
+
+ deny_rule {
+ denied_principals = ["principal://goog/subject/user@example.com"]
+
+ denied_permissions = [
+ "cloudresourcemanager.googleapis.com/projects.update"
+ ]
+
+ denial_condition {
+ title = "Condition"
+ expression = "true"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
new file mode 100644
index 000000000..6697a35f5
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
@@ -0,0 +1,23 @@
+resource "google_iam_deny_policy" "nc" {
+ name = "deny-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+
+ display_name = "Deny policy"
+
+ rules {
+ description = "Deny rule"
+
+ deny_rule {
+ denied_principals = ["principal://goog/subject/user@example.com"]
+
+ denied_permissions = [
+ "cloudresourcemanager.googleapis.com/projects.update"
+ ]
+
+ denial_condition {
+ title = "Condition"
+ expression = "true"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl new file mode 100644 index 000000000..3247f9b34 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.27.0" + hashes = [ + "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", + "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", + "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", + "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", + "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", + "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", + "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", + "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", + "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", + "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", + "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf new file mode 100644 index 000000000..2c1e74122 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf 
@@ -0,0 +1,20 @@
+resource "google_iam_deny_policy" "c" {
+ name = "pde-deny-policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
+
+ display_name = "PDE Deny Policy"
+
+ rules {
+ description = "Prevent unauthorized project updates"
+
+ deny_rule {
+ denied_principals = ["principalSet://goog/public:all"]
+ denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
+
+ denial_condition {
+ title = "Only allow test environments"
+ expression = "!resource.matchTag('project/env', 'production')"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf
new file mode 100644
index 000000000..3c5c7682f
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf
@@ -0,0 +1,20 @@
+resource "google_iam_deny_policy" "nc" {
+ name = "pde-deny-policy"
+ parent = "projects/my-project-id"
+
+ display_name = "PDE Deny Policy"
+
+ rules {
+ description = "Prevent unauthorized project updates"
+
+ deny_rule {
+ denied_principals = ["principalSet://goog/public:all"]
+ denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"]
+
+ denial_condition {
+ title = "Only allow test environments"
+ expression = "!resource.matchTag('project/env', 'production')"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
index 2d0405795..85bf56578 100644
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
@@ -4,22 +4,25 @@ import data.terraform.helpers
 import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
 conditions := [
- [
- {
- "situation_description": "Ensure the access boundary policy has a non-empty name defined.",
- "remedies": [
- "Set the 'name' attribute to a descriptive, non-empty string that clearly identifies the policy's purpose."
- ]
- },
- {
- "condition": "name must not be null or empty",
- "attribute_path": ["name"],
- "values": null,
- "policy_type": "blacklist"
- }
- ]
+
+ [
+ {
+ "situation_description": "Policy name is missing or not properly defined",
+ "remedies": [
+ "Provide a valid policy name",
+ "Use meaningful naming (e.g., pde-access-boundary)"
+ ]
+ },
+ {
+ "condition": "Validate policy name format",
+ "attribute_path": ["address"],
+ "values": ["pde-*"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
 ]
+
 result := helpers.get_multi_summary(conditions, vars.variables)
 message := result.message
 details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
new file mode 100644
index 000000000..88bfc1a48
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
@@ -0,0 +1,28 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.parent_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Parent must be a valid Cloud Resource Manager project path (URL encoded allowed)",
+ "remedies": [
+ "Use correct format: cloudresourcemanager.googleapis.com/projects/",
+ "Ensure value is URL encoded if using urlencode()"
+ ]
+ },
+ {
+ "condition": "Validate parent format",
+ "attribute_path": ["parent"],
+ "values": [
+ "^cloudresourcemanager\\.googleapis\\.com/projects/.+"
+ ],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
new file mode 100644
index 000000000..b8bf22bfc
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
@@ -0,0 +1,23 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.name_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Deny policy name is not following naming convention",
+ "remedies": ["Use prefix 'pde-' for deny policies"]
+ },
+ {
+ "condition": "Validate deny policy name",
+ "attribute_path": ["name"],
+ "values": ["pde-*"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
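Review bot: The whitelist regex `^cloudresourcemanager\.googleapis\.com/projects/.+` accepts only a literal `/`, but the compliant fixture this rule is paired with (`parent_validation/c.tf`, earlier in the series) sets `parent = urlencode(...)`, and Terraform's `urlencode` turns `/` into `%2F`, so the planned value becomes `cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project` and the `c.tf` case would be reported non-compliant — the opposite of what the `situation_description` ("URL encoded allowed") and the second remedy promise. If the helper matches against the evaluated value, the pattern has to accept both separators, e.g. `"^cloudresourcemanager\\.googleapis\\.com(/|%2F)projects(/|%2F).+$"`; the trailing `$` also stops a value that merely starts with a project path from passing. Whether `helpers.get_multi_summary` compares the raw expression or the planned value is not visible in this patch, so confirm that before changing the pattern.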
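Review bot: `"values": ["pde-*"]` under `"policy_type": "pattern whitelist"` is written as a glob, while every other pattern whitelist in this series (the deleted `pool_id_validation` rule, the access boundary `parent_validation` rule above, and the reworked access boundary `name_validation`) supplies an anchored regular expression; if the helper compiles values as regex, `pde-*` means "pde followed by zero or more hyphens" anywhere in the string, so `my-pde-policy` or `pdex` would pass the naming check. Consistent with the sibling rules, use `"values": ["^pde-[a-z0-9-]*[a-z0-9]$"]` (or at minimum `"^pde-"`). The deny policy `parent_validation/policy.rego` in the next hunk uses the same glob style, and there the unescaped dots in `cloudresourcemanager.googleapis.com/projects/*` would additionally match any character. Which syntax `helpers.get_multi_summary` actually expects is not visible here, so confirm it before rewriting both rules.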
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
new file mode 100644
index 000000000..5c29e7de7
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
@@ -0,0 +1,22 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.parent_validation
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Parent is not correctly defined",
+ "remedies": ["Use format: cloudresourcemanager.googleapis.com/projects/"]
+ },
+ {
+ "condition": "Validate parent format",
+ "attribute_path": ["parent"],
+ "values": ["cloudresourcemanager.googleapis.com/projects/*"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
new file mode 100644
index 000000000..a53e0000c
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
@@ -0,0 +1,7 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
+
+variables := {
+ "friendly_resource_name": "Cloud_IAM deny policy",
+ "resource_type": "google_iam_deny_policy",
+ "resource_value_name": "name"
+}
\ No newline at end of file
From 3cedd818fe83e6432cf2e113cd1b303aa0354e05 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sat, 2 May 2026 17:50:48 +1000
Subject: [PATCH 36/91] fix folder policy validation
---
.../name_validation/c.tf | 17 +++--- .../name_validation/nc.tf | 17 +++--- .../name_validation/policy.rego | 52 +++++++++++++------ 3 files changed, 58 insertions(+), 28 deletions(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
index 9e774aa7a..063afe138 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
@@ -1,13 +1,18 @@
 resource "google_iam_access_boundary_policy" "c" {
- name = "pde-my-ab-policy"
- parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
- display_name = "My AB policy"
+ parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
+ name = "pde-secure-boundary-01"
+ display_name = "Production Access Boundary Policy"
+
 rules {
- description = "AB rule"
+ description = "Secure rule"
+
 access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
 availability_condition {
- title = "Access level expr"
- expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
+ title = "condition"
+ expression = "true"
 }
 }
 }
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
index 49ad9a89a..916e8b54f 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
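Review bot: The compliant fixture now sets `available_resource = "*"` and `available_permissions = ["*"]` with an `availability_condition` of `"true"`, while calling itself "Production Access Boundary Policy"; as the `c.tf` exemplar it is the file people copy from, and a boundary written this way appears to restrict nothing. The rule under test only inspects `name`, so the fixture can stay narrow without changing the test outcome, e.g. keep the earlier `available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket"` and `available_permissions = ["inRole:roles/storage.objectViewer"]`. The `nc.tf` hunk that follows uses the same wide-open values, which at least matches its `"Weak rule"` description; it is the compliant file where a least-privilege example matters. The resource's closing brace lies outside the hunk.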
@@ -1,13 +1,18 @@
 resource "google_iam_access_boundary_policy" "nc" {
- name = "my-ab-policy"
- parent = "cloudresourcemanager.googleapis.com/projects/my-project-id"
- display_name = "My AB policy"
+ parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
+ name = "pde-test-policy"
+ display_name = "Bad Policy"
+
 rules {
- description = "AB rule"
+ description = "Weak rule"
+
 access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
 availability_condition {
- title = "Access level expr"
- expression = "request.matchAccessLevels('123456789', ['accessPolicies/123/accessLevels/chromeos_no_lock'])"
+ title = "condition"
+ expression = "true"
 }
 }
 }
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
index 85bf56578..fcecb00a4 100644
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
@@ -5,23 +5,43 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.v conditions := [ - [ - { - "situation_description": "Policy name is missing or not properly defined", - "remedies": [ - "Provide a valid policy name", - "Use meaningful naming (e.g., pde-access-boundary)" - ] - }, - { - "condition": "Validate policy name format", - "attribute_path": ["address"], - "values": ["pde-*"], - "policy_type": "pattern whitelist" - } - ] -] + #format validation + [ + { + "situation_description": "Policy name must follow secure naming convention", + "remedies": [ + "Start with 'pde-'", + "Use only lowercase letters, numbers, and hyphens", + "Length must be between 6 and 63 characters", + "Do not end with hyphen" + ] + }, + { + "condition": "Validate naming format", + "attribute_path": ["name"], + "values": ["^pde-[a-z0-9-]{3,59}[a-z0-9]$"], + "policy_type": "pattern whitelist" + } + ], + + #Block weak names + [ + { + "situation_description": "Policy name must not contain weak or temporary keywords", + "remedies": [ + "Avoid using words like test, temp, demo", + "Use meaningful production-ready names" + ] + }, + { + "condition": "Disallow weak keywords", + "attribute_path": ["name"], + "values": ["test", "temp", "demo"], + "policy_type": "blacklist" + } + ] +] result := helpers.get_multi_summary(conditions, vars.variables) message := result.message From 768cdb8f329aba3d402f9ca272a45fe13487be1b Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 17:53:48 +1000 Subject: [PATCH 37/91] fix folder policy validation --- .../parent_validation/nc.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index 245f56637..5159f01bd 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf 
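Review bot: The new pattern `^pde-[a-z0-9-]{3,59}[a-z0-9]$` does not implement the length rule its remedy states: after the four-character prefix it demands 3–59 characters plus one final character, so it accepts names of 8 to 64 characters while the remedy promises 6 to 63. `"values": ["^pde-[a-z0-9-]{1,58}[a-z0-9]$"]` yields exactly 6–63 and keeps the no-trailing-hyphen rule; alternatively adjust the remedy text to whichever bound is intended. In the second condition, if the `blacklist` helper matches substrings (the `pde-test-policy` fixture in the previous hunk suggests it does), the values `test`, `temp` and `demo` will also reject legitimate names containing `template`, `attestation` or `contest`; if the helper supports it, a pattern anchored on hyphen-delimited tokens would avoid those false positives. The `result`/`message` assignments that consume `conditions` are visible as trailing context and are unaffected.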
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf @@ -1,14 +1,14 @@ resource "google_iam_access_boundary_policy" "nc" { parent = "invalid-parent-format" - name = "pde-my-ab-policy" + name = "allmost" - display_name = "Invalid Access Boundary Policy" + display_name = "safsdd" rules { access_boundary_rule { - available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket" - available_permissions = ["inRole:roles/storage.objectViewer"] + available_resource = "//storagsde.googleapis.com/projects/_/buckets/my-bucket" + available_permissions = ["inRole:rsdaoles/storage.objectViewer"] } } } \ No newline at end of file From 13498e13e6653bf7a96d5211d72f1d158ca22626 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 17:55:28 +1000 Subject: [PATCH 38/91] fix folder policy validation --- .../parent_validation/nc.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index 5159f01bd..245f56637 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf @@ -1,14 +1,14 @@ resource "google_iam_access_boundary_policy" "nc" { parent = "invalid-parent-format" - name = "allmost" + name = "pde-my-ab-policy" - display_name = "safsdd" + display_name = "Invalid Access Boundary Policy" rules { access_boundary_rule { - available_resource = "//storagsde.googleapis.com/projects/_/buckets/my-bucket" - available_permissions = ["inRole:rsdaoles/storage.objectViewer"] + available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket" + available_permissions = ["inRole:roles/storage.objectViewer"] } } } \ No newline at end of file From 92edd8b4687bf50b1a9fab940dd3abe2a55b9f5c Mon Sep 17 00:00:00 2001 
From: 224774388deakin Date: Sat, 2 May 2026 18:17:22 +1000 Subject: [PATCH 39/91] fix folder policy validation --- .../google_iam_access_boundary_policy/name_validation/c.tf | 7 +++++-- .../name_validation/nc.tf | 2 +- .../parent_validation/c.tf | 2 +- .../parent_validation/nc.tf | 2 +- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf index 063afe138..666876009 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf @@ -1,7 +1,9 @@ + resource "google_iam_access_boundary_policy" "c" { + parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") name = "pde-secure-boundary-01" - display_name = "Production Access Boundary Policy" + display_name = "c" rules { description = "Secure rule" @@ -16,4 +18,5 @@ resource "google_iam_access_boundary_policy" "c" { } } } -} \ No newline at end of file +} + diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf index 916e8b54f..204f35ebb 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf @@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "nc" { parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") name = "pde-test-policy" - display_name = "Bad Policy" + display_name = "nc" rules { description = "Weak rule" diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf index dfc6fcdac..753ade8eb 100644 
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf @@ -3,7 +3,7 @@ resource "google_iam_access_boundary_policy" "c" { name = "pde-my-ab-policy" - display_name = "Valid Access Boundary Policy" + display_name = "c" rules { access_boundary_rule { diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index 245f56637..c9ad33496 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf @@ -3,7 +3,7 @@ resource "google_iam_access_boundary_policy" "nc" { name = "pde-my-ab-policy" - display_name = "Invalid Access Boundary Policy" + display_name = "nc" rules { access_boundary_rule { From 39ae3044e6168137e6cdd1905cc7cd2c03108492 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sat, 2 May 2026 18:21:24 +1000 Subject: [PATCH 40/91] fix folder policy validation --- .../google_iam_access_boundary_policy/name_validation/c.tf | 2 +- .../google_iam_access_boundary_policy/name_validation/nc.tf | 4 ++-- .../google_iam_access_boundary_policy/parent_validation/c.tf | 2 +- .../google_iam_access_boundary_policy/parent_validation/nc.tf | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf index 666876009..14440602a 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf 
@@ -3,7 +3,7 @@ resource "google_iam_access_boundary_policy" "c" { parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") name = "pde-secure-boundary-01" - display_name = "c" + display_name = "Production Access Boundary Policy" rules { description = "Secure rule" diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf index 204f35ebb..398fb7655 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf @@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "nc" { parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") - name = "pde-test-policy" - display_name = "nc" + name = "!^%&@GSD" + display_name = "Bad Policy" rules { description = "Weak rule" diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf index 753ade8eb..dfc6fcdac 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf @@ -3,7 +3,7 @@ resource "google_iam_access_boundary_policy" "c" { name = "pde-my-ab-policy" - display_name = "c" + display_name = "Valid Access Boundary Policy" rules { access_boundary_rule { diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index c9ad33496..245f56637 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf 
@@ -3,7 +3,7 @@ resource "google_iam_access_boundary_policy" "nc" { name = "pde-my-ab-policy" - display_name = "nc" + display_name = "Invalid Access Boundary Policy" rules { access_boundary_rule { From 7b6f9b60efb20f7aca02cb37fe9873ff3897316d Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 02:52:11 +1000 Subject: [PATCH 41/91] fix folder policy validation --- .../policy_validation/.terraform.lock.hcl | 21 +++++++++ .../policy_validation/c.tf | 13 ++++++ .../policy_validation/config.tf | 11 +++++ .../policy_validation/nc.tf | 13 ++++++ .../policy_validation/policy.rego | 43 +++++++++++++++++++ 5 files changed, 101 insertions(+) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/nc.tf create mode 100644 policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/policy.rego diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/.terraform.lock.hcl 
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.30.0"
+ hashes = [
+ "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=",
+ "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251",
+ "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3",
+ "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832",
+ "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50",
+ "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4",
+ "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803",
+ "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9",
+ "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af",
+ "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff",
+ "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748",
+ "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/c.tf
new file mode 100644
index 000000000..ce50302b5
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/c.tf
@@ -0,0 +1,13 @@
+resource "google_iam_projects_policy_binding" "c" {
+ project = "my-project"
+ location = "global"
+ display_name = "valid binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "binding-c"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/my-pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/my-project"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/nc.tf
new file mode 100644
index 000000000..6d9dc28b4
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/nc.tf
@@ -0,0 +1,13 @@
+resource "google_iam_projects_policy_binding" "nc" {
+ project = "my-project"
+ location = "global"
+ display_name = "invalid binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "binding-nc"
+
+ policy = ""
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/my-project"
+ }
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/policy.rego
new file mode 100644
index 000000000..1fce80eac
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/policy.rego
@@ -0,0 +1,43 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.policy_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars
+
+conditions := [
+
+ [
+ {
+ "situation_description": "Policy must be provided and follow valid GCP IAM policy binding format",
+ "remedies": [
+ "Provide a valid policy path",
+ "Ensure format: organizations//locations/global/principalAccessBoundaryPolicies/",
+ "Do not leave policy empty"
+ ]
+ },
+ {
+ "condition": "Policy must not be empty",
+ "attribute_path": ["policy"],
+ "values": ["^.+$"],
+ "policy_type": "pattern whitelist"
+ }
+ ],
+
+ [
+ {
+ "situation_description": "Policy must follow valid IAM policy binding structure",
+ "remedies": [
+ "Use correct organization-based policy resource path"
+ ]
+ },
+ {
+ "condition": "Validate policy format",
+ "attribute_path": ["policy"],
+ "values": ["^organizations/[0-9]+/locations/global/principalAccessBoundaryPolicies/[a-zA-Z0-9-]+$"],
+ "policy_type": "pattern whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
From 796f2fec4f4eb87cf39c47b38eb8551b818c4e51 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sun, 3 May 2026 02:54:13 +1000
Subject: [PATCH 42/91] fix folder policy validation
---
 .../gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
index fb7500c44..ee5142fc4 100644
--- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
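Review bot: The remedy string `"Ensure format: organizations//locations/global/principalAccessBoundaryPolicies/"` has empty path segments where the organization id and the policy id should be named, so the guidance a user sees never says what belongs between the slashes; `"Ensure format: organizations/ORG_ID/locations/global/principalAccessBoundaryPolicies/POLICY_ID"` (placeholders) would state it. The first condition's `^.+$` check is fully implied by the second pattern, which already rejects an empty `policy`, and it also passes a whitespace-only value, so either drop it or keep it only for the clearer message. The `nc.tf` fixture added in this commit uses `policy = ""`, which the second pattern alone already flags.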
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM project policy binding",
 "resource_type": "google_iam_projects_policy_binding",
- "resource_value_name": "name"
+ "resource_value_name": "policy"
 }
\ No newline at end of file
From c649b185aaa1aefad04b0156f92026ad0d6ca4e0 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sun, 3 May 2026 02:55:54 +1000
Subject: [PATCH 43/91] fix folder policy validation
---
 .../gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
index ee5142fc4..fb7500c44 100644
--- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM project policy binding",
 "resource_type": "google_iam_projects_policy_binding",
- "resource_value_name": "policy"
+ "resource_value_name": "name"
 }
\ No newline at end of file
From f2d2d5debc8b2bbb545da6f560b2855ccf1aaa70 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sun, 3 May 2026 11:54:24 +1000
Subject: [PATCH 44/91] fix folder policy validation
---
 .../name_validation/.terraform.lock.hcl | 26 +++++------
 .../name_validation/c.tf | 19 +++-----
 .../name_validation/nc.tf | 19 +++-----
 .../policy_validation/.terraform.lock.hcl | 21 ---------
 .../policy_validation/c.tf | 13 ------
 .../policy_validation/config.tf | 11 -----
 .../policy_validation/nc.tf | 13 ------
 .../name_validation/policy.rego | 31 +++++++++++--
 .../policy_validation/policy.rego | 43 -------------------
 9 files changed, 52 insertions(+), 144 deletions(-)
 delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/.terraform.lock.hcl
 delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/c.tf
 delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/config.tf
 delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/nc.tf
 delete mode 100644 policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/policy.rego
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl
index 3247f9b34..1f00f27db 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/google" { - version = "7.27.0" + version = "7.30.0" hashes = [ - "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", - "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", - "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", - "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", - "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", - "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", - "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", - "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", - "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", - "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", - "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", ] } 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf index eef74600d..d1ccbe0e1 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf @@ -1,23 +1,16 @@ resource "google_iam_deny_policy" "c" { - name = "pde-deny-policy" - parent = "cloudresourcemanager.googleapis.com/projects/my-project-id" - - display_name = "Deny policy" + name = "pde-secure-policy1" + parent = "cloudresourcemanager.googleapis.com/projects/my-project" rules { - description = "Deny rule" - deny_rule { - denied_principals = ["principal://goog/subject/user@example.com"] - denied_permissions = [ - "cloudresourcemanager.googleapis.com/projects.update" + "resourcemanager.projects.delete" ] - denial_condition { - title = "Condition" - expression = "true" - } + denied_principals = [ + "principal://goog/subject/user@example.com" + ] } } } \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf index 6697a35f5..bcbc5746a 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf 
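Review bot: The new `denied_permissions` value `"resourcemanager.projects.delete"` uses the IAM allow-policy permission spelling, whereas IAM deny policies take permissions in the `SERVICE_FQDN/RESOURCE.ACTION` form that the removed line used (`cloudresourcemanager.googleapis.com/projects.update`); as written, the compliant fixture would most likely be rejected at apply time even though the name check it exercises passes. Use `denied_permissions = ["cloudresourcemanager.googleapis.com/projects.delete"]` (derived from the removed value) here and in the `nc.tf` hunk that follows, which makes the same substitution. Keeping the fixtures applyable matters because they are the worked examples readers copy from.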
@@ -1,23 +1,16 @@ resource "google_iam_deny_policy" "nc" { - name = "deny-policy" - parent = "cloudresourcemanager.googleapis.com/projects/my-project-id" - - display_name = "Deny policy" + name = "Invalid-Policy!" + parent = "cloudresourcemanager.googleapis.com/projects/my-project" rules { - description = "Deny rule" - deny_rule { - denied_principals = ["principal://goog/subject/user@example.com"] - denied_permissions = [ - "cloudresourcemanager.googleapis.com/projects.update" + "resourcemanager.projects.delete" ] - denial_condition { - title = "Condition" - expression = "true" - } + denied_principals = [ + "principal://goog/subject/user@example.com" + ] } } } \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/.terraform.lock.hcl deleted file mode 100644 index 1f00f27db..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/.terraform.lock.hcl +++ /dev/null 
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.30.0"
- hashes = [
- "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=",
- "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251",
- "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3",
- "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832",
- "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50",
- "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4",
- "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803",
- "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9",
- "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af",
- "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff",
- "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748",
- "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/c.tf
deleted file mode 100644
index ce50302b5..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/c.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-resource "google_iam_projects_policy_binding" "c" {
- project = "my-project"
- location = "global"
- display_name = "valid binding"
- policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy_binding_id = "binding-c"
-
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/my-pab-policy"
-
- target {
- principal_set = "//cloudresourcemanager.googleapis.com/projects/my-project"
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/nc.tf
deleted file mode 100644
index 6d9dc28b4..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/nc.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-resource "google_iam_projects_policy_binding" "nc" {
- project = "my-project"
- location = "global"
- display_name = "invalid binding"
- policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy_binding_id = "binding-nc"
-
- policy = ""
-
- target {
- principal_set = "//cloudresourcemanager.googleapis.com/projects/my-project"
- }
-}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
index b8bf22bfc..2e434aadd 100644
--- a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
@@ -4,15 +4,38 @@ import data.terraform.helpers import data.terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars conditions := [ + + [ + { + "situation_description": "Deny policy name must not be empty", + "remedies": [ + "Provide a valid deny policy name" + ] + }, + { + "condition": "Name must be present", + "attribute_path": ["name"], + "values": ["^.+$"], + "policy_type": "pattern whitelist" + } + ], + [ { - "situation_description": "Deny policy name is not following naming convention", - "remedies": ["Use prefix 'pde-' for deny policies"] + "situation_description": "Deny policy name must follow required naming convention", + "remedies": [ + "Start with 'pde-' prefix", + "Use only lowercase letters, numbers, and hyphens", + "Do not end with a hyphen", + "Keep length between 6 and 63 characters" + ] }, { - "condition": "Validate deny policy name", + "condition": "Strict deny policy name validation", "attribute_path": ["name"], - "values": ["pde-*"], + "values": [ + "^pde-[a-z0-9]([a-z0-9-]{4,61}[a-z0-9])$" + ], "policy_type": "pattern whitelist" } ] diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/policy.rego deleted file mode 100644 index 1fce80eac..000000000 --- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_validation/policy.rego +++ /dev/null 
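Review bot: The stricter pattern `^pde-[a-z0-9]([a-z0-9-]{4,61}[a-z0-9])$` accepts 10 to 67 characters (4 prefix + 1 + 4–61 + 1), not the 6–63 the new remedy promises, so the check and its guidance disagree at both ends. `"^pde-[a-z0-9]([a-z0-9-]{0,57}[a-z0-9])$"` gives exactly 6–63 while keeping the lowercase and no-trailing-hyphen rules. The first added condition (`^.+$`, "Name must be present") is implied by the second and will report the same attribute twice on an empty name; drop it unless the separate message is deliberately wanted. The `conditions` list closes outside this hunk.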
@@ -1,43 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.policy_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars
-
-conditions := [
-
- [
- {
- "situation_description": "Policy must be provided and follow valid GCP IAM policy binding format",
- "remedies": [
- "Provide a valid policy path",
- "Ensure format: organizations//locations/global/principalAccessBoundaryPolicies/",
- "Do not leave policy empty"
- ]
- },
- {
- "condition": "Policy must not be empty",
- "attribute_path": ["policy"],
- "values": ["^.+$"],
- "policy_type": "pattern whitelist"
- }
- ],
-
- [
- {
- "situation_description": "Policy must follow valid IAM policy binding structure",
- "remedies": [
- "Use correct organization-based policy resource path"
- ]
- },
- {
- "condition": "Validate policy format",
- "attribute_path": ["policy"],
- "values": ["^organizations/[0-9]+/locations/global/principalAccessBoundaryPolicies/[a-zA-Z0-9-]+$"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
From ba72612a14be4edebc7ca07da6713c51cdb0c91b Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Sun, 3 May 2026 12:08:38 +1000
Subject: [PATCH 45/91] fix folder policy validation
---
 .../google_iam_access_boundary_policy/parent_validation/c.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
index dfc6fcdac..17d7247a2 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
@@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "c" { - parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") + parent = "cloudresourcemanager.googleapis.com/projects/my-project" - name = "pde-my-ab-policy" + name = "pde-my-ab-policy" display_name = "Valid Access Boundary Policy" From 31c084a37d207c4b572f1fdba7cf5ce315c062da Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 12:36:27 +1000 Subject: [PATCH 46/91] fix folder policy validation --- .../name_validation/c.tf | 10 +++------- .../name_validation/nc.tf | 7 +++---- .../parent_validation/c.tf | 4 ++-- .../parent_validation/nc.tf | 2 +- .../name_validation/policy.rego | 12 +++--------- .../google_iam_access_boundary_policy/vars.rego | 6 +++--- 6 files changed, 15 insertions(+), 26 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf index 14440602a..819ef7461 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf @@ -1,13 +1,10 @@ - resource "google_iam_access_boundary_policy" "c" { - parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") + parent = "cloudresourcemanager.googleapis.com/projects/my-project" name = "pde-secure-boundary-01" - display_name = "Production Access Boundary Policy" + display_name = "Production Policy" rules { - description = "Secure rule" - access_boundary_rule { available_resource = "*" available_permissions = ["*"] @@ -18,5 +15,4 @@ resource "google_iam_access_boundary_policy" "c" { } } } -} - +} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf index 398fb7655..08983c9a0 100644 
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf @@ -1,11 +1,10 @@ resource "google_iam_access_boundary_policy" "nc" { - parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") - name = "!^%&@GSD" + + parent = "cloudresourcemanager.googleapis.com/projects/my-project" + name = "temp-policy" display_name = "Bad Policy" rules { - description = "Weak rule" - access_boundary_rule { available_resource = "*" available_permissions = ["*"] diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf index 17d7247a2..dfc6fcdac 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf @@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "c" { - parent = "cloudresourcemanager.googleapis.com/projects/my-project" + parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") - name = "pde-my-ab-policy" + name = "pde-my-ab-policy" display_name = "Valid Access Boundary Policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index 245f56637..cca0fc5a3 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf @@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "nc" { parent = "invalid-parent-format" - name = "pde-my-ab-policy" + name = "my-ab-policy" display_name = "Invalid Access Boundary Policy" 
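Review bot: The parent_validation compliant fixture re-wraps `parent` in `urlencode(...)` while the name_validation c.tf touched in the same commit drops it, so the two fixtures feed different planned values for the same attribute: `urlencode` percent-encodes `/`, so the plan the rego evaluates carries `cloudresourcemanager.googleapis.com%2Fprojects%2Fmy-project` in one case and the slash form in the other. The parent_validation regex is not in this patch, but it can only match one of the two forms, and the history on this page (commits 45, 46, 47, 48 flipping the value) suggests the test was tuned to whichever form happened to pass. Pick the form the provider actually expects, use it in both c.tf and nc.tf, and pin it with a comment in c.tf such as `# parent is percent-encoded ("/" -> "%2F"); the parent_validation regex must match that encoded form` so the next author does not flip it again.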
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego index fcecb00a4..68355781d 100644 --- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego +++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego @@ -4,8 +4,6 @@ import data.terraform.helpers import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars conditions := [ - - #format validation [ { "situation_description": "Policy name must follow secure naming convention", @@ -23,14 +21,11 @@ conditions := [ "policy_type": "pattern whitelist" } ], - - #Block weak names [ { - "situation_description": "Policy name must not contain weak or temporary keywords", + "situation_description": "Policy name must not contain weak keywords", "remedies": [ - "Avoid using words like test, temp, demo", - "Use meaningful production-ready names" + "Avoid using words like test, temp, demo" ] }, { @@ -40,9 +35,8 @@ conditions := [ "policy_type": "blacklist" } ] - ] -result := helpers.get_multi_summary(conditions, vars.variables) +result := helpers.get_multi_summary(conditions, vars.variables) message := result.message details := result.details \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego index 1cfc6293d..a4823eca1 100644 --- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego +++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego 
@@ -1,7 +1,7 @@ package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars variables := { - "friendly_resource_name": "Cloud_IAM Access Boundary Policy", - "resource_type": "google_iam_access_boundary_policy", - "resource_value_name": "name" + "friendly_resource_name": "Cloud_IAM Access Boundary Policy", + "resource_type": "google_iam_access_boundary_policy", + "resource_value_name": "name" } \ No newline at end of file From 8e0d8c67be261960dd08801469fb23c46c37a97f Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 12:39:50 +1000 Subject: [PATCH 47/91] fix folder policy validation --- .../google_iam_access_boundary_policy/parent_validation/c.tf | 2 +- .../google_iam_access_boundary_policy/parent_validation/nc.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf index dfc6fcdac..1e8987e5f 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf @@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "c" { parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") - name = "pde-my-ab-policy" + name = "c" display_name = "Valid Access Boundary Policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index cca0fc5a3..c8efecd1d 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf @@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "nc" { parent = "invalid-parent-format" - name = "my-ab-policy" + name = "nc" display_name = "Invalid Access Boundary Policy" 
From 924aacd674ea9e4f51562a40a6e8afaff703e59c Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 20:28:32 +1000 Subject: [PATCH 48/91] fix folder policy validation --- .../parent_validation/c.tf | 2 +- .../parent_validation/nc.tf | 2 +- .../name_validation/policy.rego | 17 ++++++++++++++--- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf index 1e8987e5f..dfc6fcdac 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf @@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "c" { parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") - name = "c" + name = "pde-my-ab-policy" display_name = "Valid Access Boundary Policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index c8efecd1d..cca0fc5a3 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf @@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "nc" { parent = "invalid-parent-format" - name = "nc" + name = "my-ab-policy" display_name = "Invalid Access Boundary Policy" diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego index 68355781d..0d8967abb 100644 --- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego +++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego 
@@ -3,7 +3,10 @@ package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.name_ import data.terraform.helpers import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars +# STEP 2: CREATE SCENARIOS conditions := [ + + # ✅ Scenario 1: Naming convention [ { "situation_description": "Policy name must follow secure naming convention", @@ -21,6 +24,8 @@ conditions := [ "policy_type": "pattern whitelist" } ], + + # ✅ Scenario 2: Weak keyword detection (FIXED) [ { "situation_description": "Policy name must not contain weak keywords", @@ -31,12 +36,18 @@ conditions := [ { "condition": "Disallow weak keywords", "attribute_path": ["name"], - "values": ["test", "temp", "demo"], - "policy_type": "blacklist" + "values": [".*(test|temp|demo).*"], + "policy_type": "pattern blacklist" } ] ] +# ✅ IMPORTANT FIX: ensure resources are always mentioned result := helpers.get_multi_summary(conditions, vars.variables) -message := result.message + +message := sprintf( + "%s | Checked Resources: %v", + [result.message, helpers.get_all_resource_names(vars.variables)] +) + details := result.details \ No newline at end of file From ca7b9760a00321d4c1b285a9c3af858e25e13e4e Mon Sep 17 00:00:00 2001 
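Review bot: The weak-keyword pattern `.*(test|temp|demo).*` is a bare substring match, so legitimate names like `pde-attestation-svc` or `pde-template-loader` are flagged as weak, and this on an allow/deny check that blocks a deployment. Since the first scenario already restricts names to lowercase alphanumerics and hyphens, matching the keyword as a whole hyphen-delimited segment, `"values": ["^(.*-)?(test|temp|demo)(-.*)?$"]`, keeps `temp-policy` and `pde-test-x` caught without the false positives (a suffix such as `pde-test1` would still slip through, which seems an acceptable trade). The `message` line also now depends on `helpers.get_all_resource_names`, which is not shown in this patch; if the helper does not exist, `message` becomes undefined rather than failing loudly, so it is worth confirming it is defined. The `conditions` list begins before this hunk.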
From: 224774388deakin Date: Sun, 3 May 2026 20:31:05 +1000 Subject: [PATCH 49/91] fix folder policy validation --- .../name_validation/.terraform.lock.hcl | 21 -------- .../name_validation/c.tf | 18 ------- .../name_validation/config.tf | 11 ---- .../name_validation/nc.tf | 18 ------- .../name_validation/policy.rego | 53 ------------------- 5 files changed, 121 deletions(-) delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf delete mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl deleted file mode 100644 index 1f00f27db..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl +++ /dev/null 
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "7.30.0" - hashes = [ - "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", - "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", - "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", - "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", - "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", - "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", - "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", - "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", - "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", - "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", - "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", - "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf deleted file mode 100644 index 819ef7461..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf +++ /dev/null @@ -1,18 +0,0 @@ -resource "google_iam_access_boundary_policy" "c" { - - parent = "cloudresourcemanager.googleapis.com/projects/my-project" - name = "pde-secure-boundary-01" - display_name = "Production Policy" - - rules { - access_boundary_rule { - available_resource = "*" - available_permissions = ["*"] - - availability_condition { - title = "condition" - expression = "true" - } - } - } -} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf deleted file mode 100644 index 9f4356520..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf +++ /dev/null @@ -1,11 +0,0 @@ -##### DO NOT EDIT ###### - -terraform { - required_providers { - google = { - source = "hashicorp/google" - } - } -} - -provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf deleted file mode 100644 index 08983c9a0..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf +++ /dev/null @@ -1,18 +0,0 @@ -resource "google_iam_access_boundary_policy" "nc" { - - parent = "cloudresourcemanager.googleapis.com/projects/my-project" - name = "temp-policy" - display_name = "Bad Policy" - - rules { - access_boundary_rule { - available_resource = "*" - available_permissions = ["*"] - - availability_condition { - title = "condition" - expression = "true" - } - } - } -} \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego deleted file mode 100644 index 0d8967abb..000000000 --- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego +++ /dev/null 
@@ -1,53 +0,0 @@ -package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.name_validation - -import data.terraform.helpers -import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars - -# STEP 2: CREATE SCENARIOS -conditions := [ - - # ✅ Scenario 1: Naming convention - [ - { - "situation_description": "Policy name must follow secure naming convention", - "remedies": [ - "Start with 'pde-'", - "Use only lowercase letters, numbers, and hyphens", - "Length must be between 6 and 63 characters", - "Do not end with hyphen" - ] - }, - { - "condition": "Validate naming format", - "attribute_path": ["name"], - "values": ["^pde-[a-z0-9-]{3,59}[a-z0-9]$"], - "policy_type": "pattern whitelist" - } - ], - - # ✅ Scenario 2: Weak keyword detection (FIXED) - [ - { - "situation_description": "Policy name must not contain weak keywords", - "remedies": [ - "Avoid using words like test, temp, demo" - ] - }, - { - "condition": "Disallow weak keywords", - "attribute_path": ["name"], - "values": [".*(test|temp|demo).*"], - "policy_type": "pattern blacklist" - } - ] -] - -# ✅ IMPORTANT FIX: ensure resources are always mentioned -result := helpers.get_multi_summary(conditions, vars.variables) - -message := sprintf( - "%s | Checked Resources: %v", - [result.message, helpers.get_all_resource_names(vars.variables)] -) - -details := result.details \ No newline at end of file From 1983efa907fc3a1c07db762251bec4db4ba4ca75 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 21:17:37 +1000 Subject: [PATCH 50/91] fix folder policy validation --- .../google_iam_access_boundary_policy/parent_validation/c.tf | 4 +--- .../google_iam_access_boundary_policy/parent_validation/nc.tf | 2 +- .../gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf index dfc6fcdac..e86ccbb09 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf @@ -1,9 +1,7 @@ resource "google_iam_access_boundary_policy" "c" { parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") - name = "pde-my-ab-policy" - - display_name = "Valid Access Boundary Policy" + display_name = "c" rules { access_boundary_rule { diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index cca0fc5a3..dd5eb9b7f 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf @@ -3,7 +3,7 @@ resource "google_iam_access_boundary_policy" "nc" { name = "my-ab-policy" - display_name = "Invalid Access Boundary Policy" + display_name = "nc" rules { access_boundary_rule { diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego index a4823eca1..c29e003f6 100644 --- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego +++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego @@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars variables := { "friendly_resource_name": "Cloud_IAM Access Boundary Policy", "resource_type": "google_iam_access_boundary_policy", - "resource_value_name": "name" + "resource_value_name": "display_name" } \ No newline at end of file From 11e89644f844179d79d8d2a0b0120bf572904b8f Mon Sep 17 00:00:00 2001 
From: 224774388deakin Date: Sun, 3 May 2026 21:27:18 +1000 Subject: [PATCH 51/91] fix folder policy validation --- .../.terraform.lock.hcl | 21 +++++++++++++++++++ .../policy_kind_validation/c.tf | 13 ++++++++++++ .../policy_kind_validation/config.tf | 11 ++++++++++ .../policy_kind_validation/nc.tf | 13 ++++++++++++ 4 files changed, 58 insertions(+) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf new file mode 100644 index 000000000..516e91d9d --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf @@ -0,0 +1,13 @@ +resource "google_iam_folders_policy_binding" "c" { + folder = "folders/123456789" + location = "global" + display_name = "valid binding" + policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" + policy_binding_id = "c" + + policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/policy-1" + + target { + principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789" + } +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf new file mode 100644 index 000000000..7a02af67e --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf @@ -0,0 +1,13 @@ +resource "google_iam_folders_policy_binding" "nc" { + folder = "folders/123456789" + location = "global" + display_name = "invalid binding" + policy_kind = "ACCESS" # ❌ Not allowed + policy_binding_id = "nc" + + policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/policy-1" + + target { + principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789" + } +} \ No newline at end of file From a61404526214b61254c73d1b790a261899d757bc Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 21:30:33 +1000 Subject: [PATCH 52/91] fix folder policy validation --- .../parent_validation/c.tf | 2 +- .../parent_validation/nc.tf | 2 +- .../vars.rego | 2 +- .../policy_kind_validation/policy.rego | 26 +++++++++++++++++++ 4 files changed, 29 insertions(+), 3 deletions(-) create mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf index e86ccbb09..7b1bb9404 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf @@ -1,7 +1,7 @@ resource "google_iam_access_boundary_policy" "c" { parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project") name = "pde-my-ab-policy" - display_name = "c" + display_name = "Valid Access Boundary Policy" rules { access_boundary_rule { diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf index dd5eb9b7f..cca0fc5a3 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf @@ -3,7 +3,7 @@ resource "google_iam_access_boundary_policy" "nc" { name = "my-ab-policy" - display_name = "nc" + display_name = "Invalid Access Boundary Policy" rules { access_boundary_rule { diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego index c29e003f6..a4823eca1 100644 --- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego +++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego @@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars variables := { "friendly_resource_name": "Cloud_IAM Access Boundary Policy", "resource_type": "google_iam_access_boundary_policy", - "resource_value_name": "display_name" + "resource_value_name": "name" } \ No newline at end of file 
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego new file mode 100644 index 000000000..a297d2411 --- /dev/null +++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego @@ -0,0 +1,26 @@ +package terraform.gcp.security.cloud_iam.google_iam_folders_policy_binding.policy_kind_validation + +import data.terraform.helpers +import data.terraform.gcp.security.cloud_iam.google_iam_folders_policy_binding.vars + +conditions := [ + [ + { + "situation_description": "Folders Policy Binding must use an approved policy kind.", + "remedies": [ + "Set policy_kind to PRINCIPAL_ACCESS_BOUNDARY" + ] + }, + { + "condition": "Validate policy_kind", + "attribute_path": ["policy_kind"], + "values": ["PRINCIPAL_ACCESS_BOUNDARY"], + "policy_type": "whitelist" + } + ] +] + +result := helpers.get_multi_summary(conditions, vars.variables) + +message := result.message +details := result.details \ No newline at end of file From 1298f504aec8fae8aca5b007ea5c0437a63e98f8 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 21:36:49 +1000 Subject: [PATCH 53/91] fix folder policy validation --- .../policy_kind_validation/c.tf | 2 +- .../policy_kind_validation/nc.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf index 516e91d9d..352dd34d6 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf 
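Review bot: The new policy declares `package terraform.gcp.security.cloud_iam.google_iam_folders_policy_binding.policy_kind_validation` and imports `data.terraform.gcp.security.cloud_iam.google_iam_folders_policy_binding.vars`, with lowercase `cloud_iam`, whereas every sibling package on this page uses `Cloud_IAM` (for example the vars import in the deny-policy rego and the `google_iam_access_boundary_policy.vars` package). Rego package paths are case-sensitive, so if the folders_policy_binding vars.rego follows the `Cloud_IAM` casing, `vars.variables` is undefined here and `result`, `message` and `details` silently evaluate to undefined instead of reporting the fixture as compliant or not. The two lines should read `package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.policy_kind_validation` and `import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars`, and a test run against the nc.tf fixture (policy_kind = "ACCESS") should confirm a finding is actually produced.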
@@ -3,7 +3,7 @@ resource "google_iam_folders_policy_binding" "c" { location = "global" display_name = "valid binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" - policy_binding_id = "c" + policy_binding_id = "binding-for-all-folder-principals" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/policy-1" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf index 7a02af67e..259252dc0 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf @@ -2,8 +2,8 @@ resource "google_iam_folders_policy_binding" "nc" { folder = "folders/123456789" location = "global" display_name = "invalid binding" - policy_kind = "ACCESS" # ❌ Not allowed - policy_binding_id = "nc" + policy_kind = "ACCESS" + policy_binding_id = "binding-for-all-folder-principals" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/policy-1" From eb2197446b04601aa61855dad68c3094b5b1a6ae Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 22:01:13 +1000 Subject: [PATCH 54/91] fix folder policy validation --- .../gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf | 2 +- .../Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf index d1ccbe0e1..ba61daf11 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf 
@@ -1,4 +1,4 @@
-resource "google_iam_deny_policy" "c" {
+resource "google_iam_deny_policy" "c1" {
 name = "pde-secure-policy1"
 parent = "cloudresourcemanager.googleapis.com/projects/my-project"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
index bcbc5746a..802f8e62b 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
@@ -1,5 +1,5 @@
-resource "google_iam_deny_policy" "nc" {
- name = "Invalid-Policy!"
+resource "google_iam_deny_policy" "nc1" {
+ name = "nc1"
 parent = "cloudresourcemanager.googleapis.com/projects/my-project"
 rules {
From d07fabb340f981f71981e6223eff9fc466b67bad Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 22:04:40 +1000 Subject: [PATCH 55/91] fix folder policy validation --- .../policy_kind_validation/c.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
index 352dd34d6..aa5dd5fb7 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
@@ -1,4 +1,4 @@
-resource "google_iam_folders_policy_binding" "c" {
+resource "google_iam_folders_policy_binding" "c1" {
 folder = "folders/123456789"
 location = "global"
 display_name = "valid binding"
From 692b904e83d885de7169aa65258ba45f369b75be Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 22:21:14 +1000 Subject: [PATCH 56/91] fix folder policy validation --- .../google_iam_access_boundary_policy/parent_validation/c.tf | 4 ++-- .../google_iam_access_boundary_policy/parent_validation/nc.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
index 7b1bb9404..9e9a105c4 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
@@ -1,6 +1,6 @@
-resource "google_iam_access_boundary_policy" "c" {
+resource "google_iam_access_boundary_policy" "c1" {
 parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
- name = "pde-my-ab-policy"
+ name = "c1"
 display_name = "Valid Access Boundary Policy"
 rules {
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
index cca0fc5a3..658cccf2e 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
@@ -1,7 +1,7 @@
-resource "google_iam_access_boundary_policy" "nc" {
+resource "google_iam_access_boundary_policy" "nc1" {
 parent = "invalid-parent-format"
- name = "my-ab-policy"
+ name = "nc1"
 display_name = "Invalid Access Boundary Policy"
From 4ce93ba3ae3fabbefc51af46c66cb7daa94a0c0a Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 22:32:03 +1000 Subject: [PATCH 57/91] fix folder policy validation --- .../parent_validation/plan.json | Bin 0 -> 9082 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/plan.json
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/plan.json b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/plan.json new file mode 100644 index 0000000000000000000000000000000000000000..9323a54e1793d681eca3f51828247c6f83900959 GIT binary patch literal 9082 zcmeHNOK;Oa5S}v<|Dm$PtxeKa^pG1Ikhmd)dZ4Nz=h;HyM0RMYQ2#pceLJ4)+IfpK zO_5c_iFbE)=e4un&h*dkUlK`Q#*)fNVwp-y?xcseOm5Mdptp(7snp~Q-^ch&U4M$v zMz@^iRL(*9Hm97(5L5~NdeU_(#c26~w+thiLS9m=I(B@F@ZCl45dFTFW5;Msr8A?u za+EPfchSxfI$tCMH`~C?(Sk%Vq-^2Y$*D8EwcUIPXk$=6pk;!VAx3xbR>Si&=U+Ke zZX&0z1T+Jz*v&^wK{3hs-Novvajr6&&FcA?IBng5(=K{ba9$iqT@28hL7$YYw!n5Z z^pB-3H&`RXlTyI1jl)Z`rP0$A@|VbzJ21(os;3BYB54 z)V3Mk-j}R%B%cE7tkVxI+QV8?=RpzX9lH6F7H`ogw z&_-YVhWR^~Kg(N3(DO;DPq|EUUsm5VpY^gX@}yZQJw-pK*NiZlJ4R`Yy9n=ze8!v{+jO$>R|dbJKha0j_iOmwp6THd zbUnFuGe;}d)_v;ruW_cnVD?p(sFyTN?ppY?q3e!(2N$$V9Wv4?VQVChId|MU^y?Iy zPYSwAoW+K-k<=^qA-U$f5dDx~OC{`}c*ulYp{a zJ6%w7kN7)&(zu(zCWjSyLyrER*!vM4t3JA$_*>LcIRZ1P_|+IG{fLtpq978fqULpa$eNod&neG7;= z0Ul3)o$v9qeL#H9TLj;EM`bR6JBCQ4-1f3OW^weVY+Q*rZKHgtO=WtHF>K;;MZ=N@MQ=M1k98Yy#*=f4`yi)wH+1EZI_W&q{ zxly|}7}lB37=<)8D#UlzR=oKXN6B>QkfYU+|GA^Uzu|86fbAoJ=|}13W5FizYnxhvu2aR9V#Rfn zxVP^-)b_E(XVk4itEb)wr>CBDXVO5;{sJ}N2L2m`&vW^L>f#yBLH0G#+K{gp&3MLo sKmSwV0l(V#){JhLpJF`b?CjGla4~ Date: Sun, 3 May 2026 22:43:52 +1000 Subject: [PATCH 58/91] fix folder policy validation --- .../google_iam_access_boundary_policy/parent_validation/c.tf | 4 ++-- .../google_iam_access_boundary_policy/parent_validation/nc.tf | 4 ++-- .../gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf | 2 +- .../Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf | 4 ++-- .../policy_kind_validation/c.tf | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf index 9e9a105c4..7b1bb9404 100644 
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
@@ -1,6 +1,6 @@
-resource "google_iam_access_boundary_policy" "c1" {
+resource "google_iam_access_boundary_policy" "c" {
 parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
- name = "c1"
+ name = "pde-my-ab-policy"
 display_name = "Valid Access Boundary Policy"
 rules {
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
index 658cccf2e..cca0fc5a3 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
@@ -1,7 +1,7 @@
-resource "google_iam_access_boundary_policy" "nc1" {
+resource "google_iam_access_boundary_policy" "nc" {
 parent = "invalid-parent-format"
- name = "nc1"
+ name = "my-ab-policy"
 display_name = "Invalid Access Boundary Policy"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
index ba61daf11..d1ccbe0e1 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf
@@ -1,4 +1,4 @@
-resource "google_iam_deny_policy" "c1" {
+resource "google_iam_deny_policy" "c" {
 name = "pde-secure-policy1"
 parent = "cloudresourcemanager.googleapis.com/projects/my-project"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
index 802f8e62b..bcbc5746a 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf
@@ -1,5 +1,5 @@
-resource "google_iam_deny_policy" "nc1" {
- name = "nc1"
+resource "google_iam_deny_policy" "nc" {
+ name = "Invalid-Policy!"
 parent = "cloudresourcemanager.googleapis.com/projects/my-project"
 rules {
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
index aa5dd5fb7..352dd34d6 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
@@ -1,4 +1,4 @@
-resource "google_iam_folders_policy_binding" "c1" {
+resource "google_iam_folders_policy_binding" "c" {
 folder = "folders/123456789"
 location = "global"
 display_name = "valid binding"
From 1e0cf594759a733d1b405502bcf8efca7461cb17 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 22:56:52 +1000 Subject: [PATCH 59/91] fix folder policy validation --- .../parent_validation/c.tf | 15 +++++++++------ .../parent_validation/nc.tf | 10 ++++------ .../parent_validation/plan.json | Bin 9082 -> 9228 bytes .../parent_validation/policy.rego | 12 +++++++----- 4 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
index 7b1bb9404..ec746e0b6 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
@@ -1,12 +1,15 @@
 resource "google_iam_access_boundary_policy" "c" {
- parent = urlencode("cloudresourcemanager.googleapis.com/projects/my-project")
- name = "pde-my-ab-policy"
- display_name = "Valid Access Boundary Policy"
+ parent = "cloudresourcemanager.googleapis.com/projects/my-valid-project"
+ name = "example-policy"
 rules {
+ description = "Allow access to storage"
 access_boundary_rule {
- available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket"
- available_permissions = ["inRole:roles/storage.objectViewer"]
+ available_resource = "//storage.googleapis.com/projects/_/buckets/example-bucket"
+ available_permissions = [
+ "inRole:roles/storage.objectViewer"
+ ]
 }
 }
-}
\ No newline at end of file
+}
+
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
index cca0fc5a3..86449bfa2 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
@@ -1,13 +1,11 @@
 resource "google_iam_access_boundary_policy" "nc" {
- parent = "invalid-parent-format"
-
- name = "my-ab-policy"
-
- display_name = "Invalid Access Boundary Policy"
+ parent = "projects/my-valid-project"
+ name = "nc-policy-1"
 rules {
+ description = "NC rule"
 access_boundary_rule {
- available_resource = "//storage.googleapis.com/projects/_/buckets/my-bucket"
+ available_resource = "//storage.googleapis.com/projects/_/buckets/nc-bucket"
 available_permissions = ["inRole:roles/storage.objectViewer"]
 }
 }
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/plan.json b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/plan.json index 9323a54e1793d681eca3f51828247c6f83900959..bd8ac710ce58af10cec9e188440a8d5360df58b2 100644 GIT binary patch delta 859 zcmez6*5k23jdAiKwjRdh$?@`%lP@rCW6xtKWyoR3nY@ruSUQ!Vf+3M1m!SYClFFb9 zr1OESOon8J%E=E!Bqx7ha+`dBMT9?>p%N%t22=}@P1zjEJeiRfMe}4uE@ML_21k(5 zKtswI6o878fiRV!7zh;@N`RsYKo*ED0?MTWWt28Yb4fBzwqr{Ix^cqf1bGP*7dmo? z^P{+lL3i?f5$VZ?ScI^;h&hiT8RQN@B?dnRXP|9GV6Q^#S&kYG36ptvI|fx)OpfN# z-W(?|g9#}tP+dvA@BrJzC%%gro;H#vUy?V%n;z;F>|yCa5iLD{Q%(^uVzYpenhcC$ zrOmxEQ_)jMqmuY!GcLKwOJvmyNlYgUwUe#oCPD)y3FK5^U|gdnSYYBPl#!i0OF;#c mK!|iAILRP6Ob{*MfGyUad`!uX)0DxK!HU6%!DKS8axMU8bkcMH delta 886 zcmeD2_~o`ijgirC@_+7rAQ>nvIXQuSo4yi57(*gM4nrnG3WEZJBSSI}rZN-*p#p;w zLq0<(Lmp5jk)ep85-1Wd*-%<>@+lFi$rqU1Irpc>>lEAJ(4JxpU1~j;Uu6xRi6i&&Lf3eF?3YbQ_Sh}_(uXa$L?SUK^@ujD461qR$&N0L(xHmjNQ7(kXg5}lG1 a6=x!xr=^_3X~bZ_V8vj{U@&>UaxMV2bk(W= diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego index 88bfc1a48..e08e8b634 100644 --- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego +++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego 
@@ -6,17 +6,19 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.v
 conditions := [
 [
 {
- "situation_description": "Parent must be a valid Cloud Resource Manager project path (URL encoded allowed)",
+ "situation_description": "Parent must be a valid Cloud Resource Manager project path (URL encoding allowed)",
 "remedies": [
- "Use correct format: cloudresourcemanager.googleapis.com/projects/",
- "Ensure value is URL encoded if using urlencode()"
+ "Use the correct format: cloudresourcemanager.googleapis.com/projects/",
+ "Project ID must be 6–30 characters, lowercase letters, digits, and hyphens only",
+ "Must start with a letter and not end with a hyphen",
+ "If using urlencode(), ensure the decoded value matches the required format"
 ]
 },
 {
- "condition": "Validate parent format",
+ "condition": "Validate parent format against CRM project path pattern",
 "attribute_path": ["parent"],
 "values": [
- "^cloudresourcemanager\\.googleapis\\.com/projects/.+"
+ "^cloudresourcemanager\\.googleapis\\.com/projects/[a-z][a-z0-9\\-]{4,28}[a-z0-9]$"
 ],
 "policy_type": "pattern whitelist"
 }
From b1d1aa0272e0e5adbfc4fb7b857e53925fa5c14d Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 22:59:00 +1000 Subject: [PATCH 60/91] fix folder policy validation --- .../google_iam_access_boundary_policy/parent_validation/c.tf | 2 +- .../google_iam_access_boundary_policy/parent_validation/nc.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
index ec746e0b6..9791ffb55 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
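Review bot: The new pattern `^cloudresourcemanager\\.googleapis\\.com/projects/[a-z][a-z0-9\\-]{4,28}[a-z0-9]$` can no longer accept a URL-encoded parent, yet the situation text still promises "(URL encoding allowed)" and the last remedy still tells the author to keep using `urlencode()`: an encoded value carries `%2F` where the pattern demands `/`, so the value this series' own earlier fixture used, `urlencode("cloudresourcemanager.googleapis.com/projects/my-project")`, fails the match and the remedy sends the reader in a circle. The pattern is matched against the raw plan attribute, so either drop the URL-encoding wording from the description and remedies, or add a second entry to `values` for the encoded form, `"^cloudresourcemanager\\.googleapis\\.com%2Fprojects%2F[a-z][a-z0-9\\-]{4,28}[a-z0-9]$"`. The length bounds themselves are right (1 + 4..28 + 1 = 6..30 characters). The `conditions` list this hunk edits opens before the hunk.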
@@ -1,6 +1,6 @@
 resource "google_iam_access_boundary_policy" "c" {
 parent = "cloudresourcemanager.googleapis.com/projects/my-valid-project"
- name = "example-policy"
+ name = "c"
 rules {
 description = "Allow access to storage"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
index 86449bfa2..012e1b699 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
@@ -1,6 +1,6 @@
 resource "google_iam_access_boundary_policy" "nc" {
 parent = "projects/my-valid-project"
- name = "nc-policy-1"
+ name = "nc"
 rules {
 description = "NC rule"
From c2cc53a78e069c4dcb58cf29cf3b89b621b5eeb9 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 23:32:35 +1000 Subject: [PATCH 61/91] fix folder policy validation --- .../.terraform.lock.hcl | 21 +++++++++++++++++++ .../organization_validation/c.tf | 6 ++++++ .../organization_validation/config.tf | 11 ++++++++++ .../organization_validation/nc.tf | 6 ++++++ .../organization_validation/policy.rego | 20 ++++++++++++++++++ 5 files changed, 64 insertions(+) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf create mode 100644 policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf new file mode 100644 index 000000000..76c3541a8 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf 
@@ -0,0 +1,6 @@
+resource "google_iam_principal_access_boundary_policy" "c" {
+ organization = "123456789"
+ location = "global"
+ display_name = "PAB policy for Organization"
+ principal_access_boundary_policy_id = "pab-policy-for-org"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
new file mode 100644
index 000000000..0533be17b
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
@@ -0,0 +1,6 @@
+resource "google_iam_principal_access_boundary_policy" "nc" {
+ organization = "pde123"
+ location = "global"
+ display_name = "PAB policy for Organization"
+ principal_access_boundary_policy_id = "pab-policy-for-org"
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
new file mode 100644
index 000000000..24cedc7c4
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
@@ -0,0 +1,20 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.organization_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars
+
+conditions := [
+ [
+ {"situation_description" : "must use an approved organization",
+ "remedies":[ "Use only approved organization IDs (e.g., 123456789)"]},
+ {
+ "condition": "Validate organization field",
+ "attribute_path" : ["organization"],
+ "values" : ["123456789"],
+ "policy_type" : "whitelist"
+ }
+ ]
+]
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
From d94b789a7beccaf900706a2206fa3e53bf75f052 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 23:41:46 +1000 Subject: [PATCH 62/91] fix folder policy validation --- .../organization_validation/c.tf | 2 +- .../organization_validation/nc.tf | 2 +- .../organization_validation/policy.rego | 22 ++++++++++++------- 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
index 76c3541a8..ceb54a4a4 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
@@ -1,5 +1,5 @@
 resource "google_iam_principal_access_boundary_policy" "c" {
- organization = "123456789"
+ organization = "PDE123"
 location = "global"
 display_name = "PAB policy for Organization"
 principal_access_boundary_policy_id = "pab-policy-for-org"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
index 0533be17b..94220e61b 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
@@ -1,5 +1,5 @@
 resource "google_iam_principal_access_boundary_policy" "nc" {
- organization = "pde123"
+ organization = "p123"
 location = "global"
 display_name = "PAB policy for Organization"
 principal_access_boundary_policy_id = "pab-policy-for-org"
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
index 24cedc7c4..47e021bc4 100644
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
@@ -5,16 +5,22 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundar
 conditions := [
 [
- {"situation_description" : "must use an approved organization",
- "remedies":[ "Use only approved organization IDs (e.g., 123456789)"]},
- {
- "condition": "Validate organization field",
- "attribute_path" : ["organization"],
- "values" : ["123456789"],
- "policy_type" : "whitelist"
- }
+ {
+ "situation_description": "Organization must start with PDE and contain only letters or numbers after it.",
+ "remedies": [
+ "Use organization IDs like PDE123 or PDE-A1 (must start with PDE)"
+ ]
+ },
+ {
+ "condition": "Validate organization format",
+ "attribute_path": ["organization"],
+ "values": ["^PDE[a-zA-Z0-9-]*$"],
+ "policy_type": "pattern whitelist"
+ }
 ]
 ]
+
+
 result := helpers.get_multi_summary(conditions, vars.variables)
 message := result.message
 details := result.details
\ No newline at end of file
From c7469182347c2d7c9e925702bed03553ea833905 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 23:45:24 +1000 Subject: [PATCH 63/91] fix folder policy validation --- .../organization_validation/c.tf | 2 +- .../organization_validation/policy.rego | 13 ++++++------- 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
index ceb54a4a4..0a5c6e6a6 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
@@ -1,5 +1,5 @@
 resource "google_iam_principal_access_boundary_policy" "c" {
- organization = "PDE123"
+ organization = "PDE1"
 location = "global"
 display_name = "PAB policy for Organization"
 principal_access_boundary_policy_id = "pab-policy-for-org"
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
index 47e021bc4..e60596e34 100644
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
@@ -3,24 +3,23 @@ package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_po
 import data.terraform.helpers
 import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars
-conditions := [
+cconditions := [
 [
 {
- "situation_description": "Organization must start with PDE and contain only letters or numbers after it.",
+ "situation_description": "Organization must be from the approved whitelist list.",
 "remedies": [
- "Use organization IDs like PDE123 or PDE-A1 (must start with PDE)"
+ "Use only approved organization IDs"
 ]
 },
 {
- "condition": "Validate organization format",
+ "condition": "Validate organization against whitelist",
 "attribute_path": ["organization"],
- "values": ["^PDE[a-zA-Z0-9-]*$"],
- "policy_type": "pattern whitelist"
+ "values": ["PDE1", "PDE2", "PDE3"],
+ "policy_type": "whitelist"
 }
 ]
 ]
-
 result := helpers.get_multi_summary(conditions, vars.variables)
 message := result.message
 details := result.details
\ No newline at end of file
From 51c2393aaf93d2c4b07e83266cb5b50b6fc38fdd Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 23:49:56 +1000 Subject: [PATCH 64/91] fix folder policy validation --- .../organization_validation/c.tf | 2 +- .../organization_validation/nc.tf | 2 +- .../organization_validation/policy.rego | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
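Review bot: Renaming the rule to `cconditions := [` leaves the unchanged context line `result := helpers.get_multi_summary(conditions, vars.variables)` referring to a name that no longer exists in this package, so the policy no longer compiles (OPA reports the bare `conditions` as unsafe/undefined) and `message` and `details` are never produced for this resource. The head should remain `conditions := [`; the hunk header of the following commit (`@@ -14,7 +14,7 @@ cconditions := [`) shows the typo survives there too. A one-line `opa check` in the test harness would have caught this before the fixture values were iterated on.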
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
index 0a5c6e6a6..0dfe994fc 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
@@ -1,5 +1,5 @@
 resource "google_iam_principal_access_boundary_policy" "c" {
- organization = "PDE1"
+ organization = "123"
 location = "global"
 display_name = "PAB policy for Organization"
 principal_access_boundary_policy_id = "pab-policy-for-org"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
index 94220e61b..7cc00c60f 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
@@ -1,5 +1,5 @@
 resource "google_iam_principal_access_boundary_policy" "nc" {
- organization = "p123"
+ organization = "1123"
 location = "global"
 display_name = "PAB policy for Organization"
 principal_access_boundary_policy_id = "pab-policy-for-org"
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
index e60596e34..35b4aadf6 100644
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
@@ -14,7 +14,7 @@ cconditions := [
 {
 "condition": "Validate organization against whitelist",
 "attribute_path": ["organization"],
- "values": ["PDE1", "PDE2", "PDE3"],
+ "values": ["123"],
 "policy_type": "whitelist"
 }
 ]
From e9613d94e8ff1d267db9b4e10542b2568a0fc232 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 3 May 2026 23:55:36 +1000 Subject: [PATCH 65/91] fix folder policy validation --- .../organization_validation/c.tf | 2 +- .../organization_validation/nc.tf | 2 +- .../organization_validation/policy.rego | 23 ++++++++----------- 3 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
index 0dfe994fc..0a5c6e6a6 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
@@ -1,5 +1,5 @@
 resource "google_iam_principal_access_boundary_policy" "c" {
- organization = "123"
+ organization = "PDE1"
 location = "global"
 display_name = "PAB policy for Organization"
 principal_access_boundary_policy_id = "pab-policy-for-org"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
index 7cc00c60f..1e51b3543 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
@@ -1,5 +1,5 @@
 resource "google_iam_principal_access_boundary_policy" "nc" {
- organization = "1123"
+ organization = "234"
 location = "global"
 display_name = "PAB policy for Organization"
 principal_access_boundary_policy_id = "pab-policy-for-org"
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
index 35b4aadf6..201beb677 100644
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
@@ -3,23 +3,18 @@ package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_po
 import data.terraform.helpers
 import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars
-cconditions := [
+conditions := [
 [
- {
- "situation_description": "Organization must be from the approved whitelist list.",
- "remedies": [
- "Use only approved organization IDs"
- ]
- },
- {
- "condition": "Validate organization against whitelist",
- "attribute_path": ["organization"],
- "values": ["123"],
- "policy_type": "whitelist"
- }
+ {"situation_description" : "must use an approved organization",
+ "remedies":[ "Use only approved organization IDs"]},
+ {
+ "condition": "Validate organization field",
+ "attribute_path" : ["organization"],
+ "values": ["PDE1"],
+ "policy_type" : "whitelist"
+ }
 ]
 ]
-
 result := helpers.get_multi_summary(conditions, vars.variables)
 message := result.message
 details := result.details
\ No newline at end of file
From 14f4addd9d75235bef93e20d69f44821af042978 Mon Sep 17 00:00:00 2001
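Review bot: The final whitelist `"values": ["PDE1"]` cannot match a real deployment: `organization` on `google_iam_principal_access_boundary_policy` is, as far as the provider's examples and this series' own first fixture (`organization = "123456789"`) show, the numeric organization ID, so every genuine configuration would be reported non-compliant while the compliant fixture `organization = "PDE1"` carries a value the API would reject at apply time. Approved organization IDs are environment data rather than policy logic; the file already imports `vars`, so I would source the list from there, e.g. `"values": vars.variables.approved_organizations` if `vars` carries such a key, or at least add `# replace with the numeric organization ID(s) approved for this estate` next to the literal. The fixture value has changed five times across the last commits (123456789, PDE123, PDE1, 123, PDE1); settling the intended format in one documented place would stop that churn.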
From: 224774388deakin Date: Mon, 4 May 2026 00:11:31 +1000 Subject: [PATCH 66/91] fix folder policy validation --- .../.terraform.lock.hcl | 0 .../name_validation/c.tf | 18 ++++++ .../config.tf | 0 .../name_validation/nc.tf | 17 ++++++ .../parent_validation/c.tf | 15 ----- .../parent_validation/nc.tf | 12 ---- .../parent_validation/plan.json | Bin 9228 -> 0 bytes .../rules_validation/.terraform.lock.hcl | 21 +++++++ .../rules_validation/c.tf | 18 ++++++ .../rules_validation/config.tf | 11 ++++ .../rules_validation/nc.tf | 57 ++++++++++++++++++ .../name_validation/policy.rego | 21 +++++++ .../parent_validation/policy.rego | 30 --------- .../rules_validation/policy.rego | 24 ++++++++ .../organization_validation/policy.rego | 2 +- 15 files changed, 188 insertions(+), 58 deletions(-) rename inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/{parent_validation => name_validation}/.terraform.lock.hcl (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf rename inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/{parent_validation => name_validation}/config.tf (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/plan.json create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/nc.tf create mode 100644 
policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego create mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/policy.rego
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
similarity index 100%
rename from inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/.terraform.lock.hcl
rename to inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
new file mode 100644
index 000000000..bc6be53f1
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
@@ -0,0 +1,18 @@
+resource "google_iam_access_boundary_policy" "c" {
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project"
+ name = "pde-ab-policy"
+ display_name = "PDE Access Boundary Policy"
+
+ rules {
+ description = "AB rule"
+ access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
+ availability_condition {
+ title = "PDE condition"
+ expression = "true"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
similarity index 100%
rename from inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/config.tf
rename to inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
new file mode 100644
index 000000000..122f1a28d
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
@@ -0,0 +1,17 @@
+resource "google_iam_access_boundary_policy" "nc" {
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project"
+ name = "test-ab-policy"
+ display_name = "Bad AB Policy"
+
+ rules {
+ access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
+ availability_condition {
+ title = "test condition"
+ expression = "true"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
deleted file mode 100644
index 9791ffb55..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/c.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-resource "google_iam_access_boundary_policy" "c" {
- parent = "cloudresourcemanager.googleapis.com/projects/my-valid-project"
- name = "c"
-
- rules {
- description = "Allow access to storage"
- access_boundary_rule {
- available_resource = "//storage.googleapis.com/projects/_/buckets/example-bucket"
- available_permissions = [
- "inRole:roles/storage.objectViewer"
- ]
- }
- }
-}
-
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
deleted file mode 100644
index 012e1b699..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/nc.tf
+++ /dev/null
@@ -1,12 +0,0 @@ -resource "google_iam_access_boundary_policy" "nc" { - parent = "projects/my-valid-project" - name = "nc" - - rules { - description = "NC rule" - access_boundary_rule { - available_resource = "//storage.googleapis.com/projects/_/buckets/nc-bucket" - available_permissions = ["inRole:roles/storage.objectViewer"] - } - } -} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/plan.json b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/plan.json deleted file mode 100644 index bd8ac710ce58af10cec9e188440a8d5360df58b2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9228 zcmeHNOHbQC5T0|T{s-hUgjeYyx2pFZs;Y+~6gf|56DP7M6jk}_ZNG2F!|ob~1R6p> zR+NW#cV_3cv-8N`KffiBp-d&0iKKEV9l4SLo(j3ZXolG~-iOkXBYf}Ted*?NtTwpC zFo$vs$deLsCSyQlcnzfQc1khw6Hf(Jw1u?f*mdgYnBcpQ*)it*EZ0sknoI8%?$kl1 zSl!1sS17(jMh@G^;pl*)6kK-j*(;$7Jarwu46rGnZ!j{$$QY}8cxvHO`Br+Amc&Ub z1H=gX^~)8PSU)SNUB}+KFL#;TVl`@JPEuE(vX8kORLAQmhY@BA$dX*OYV_8^{8aYk z96J>FB*(Ob8OB1%DIEo7&w-V8Qm63)XB}6Vt?IPz=uqubz9FTV)9~2AhT{o#`sFw$ z+(7msttdq^%#+Uyys4e`u$I zW?#MMo-&zcw|q{>-WjzHTJ}Nhz%Bb9U*K|W1RvB^5m_TPq07V_F_Ih)Tynp>$_$7yaQiz)oQ8|QMC<7!oQi1=iLScNrH z%N#7~zgrm!VQf`c1+}rbCLXV#hKAUYRm-@luG!`K>i>EJH{F@AGo)3oSU*;oykFlP zSGB%zv25HYQk<-06N7fL!kRrJx^PE6t0l2s&)R`@@T{^-D_Yh`(F%37m$Dk>=j^vA z-A@tUF6*4EBAZjleLdY3<+HB0Q>`GG&sc5|&((u5kGZ%Dvx;mV)2Y$k1U=^RJ|-nj zI-aVd%;@H&bTGnuYSVseQJnuj9_ukZiN@1xpQowM5Z2{i?shXC=0ALu-})bVKTmM4 z>z#Zg2lz+Ldvwzd@c$To9?KW>(vEOrpWxNTuXpmT^b@QD@_!IF@JU^KYo$4?jq#ik cJLj}I9oNqIF97~uftu7RnvZJd@>br+KZUTN$p8QV diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/.terraform.lock.hcl 
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/c.tf new file mode 100644 index 000000000..ee4ba0f42 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/c.tf @@ -0,0 +1,18 @@ +resource "google_iam_access_boundary_policy" "c" { + parent = "cloudresourcemanager.googleapis.com/projects/my-project" + name = "my-ab-policy" + display_name = "AB Policy" + + rules { + description = "rule 1" + access_boundary_rule { + available_resource = "*" + available_permissions = ["*"] + + availability_condition { + title = "condition" + expression = "true" + } + } + } +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/nc.tf
new file mode 100644
index 000000000..75fa0f215
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/nc.tf
@@ -0,0 +1,57 @@
+resource "google_iam_access_boundary_policy" "nc" {
+ parent = "cloudresourcemanager.googleapis.com/projects/my-project"
+ name = "my-ab-policy"
+ display_name = "AB Policy"
+
+ rules {
+ description = "rule 1"
+ access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
+ availability_condition {
+ title = "c1"
+ expression = "true"
+ }
+ }
+ }
+
+ rules {
+ description = "rule 2"
+ access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
+ availability_condition {
+ title = "c2"
+ expression = "true"
+ }
+ }
+ }
+
+ rules {
+ description = "rule 3"
+ access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
+ availability_condition {
+ title = "c3"
+ expression = "true"
+ }
+ }
+ }
+
+ rules {
+ description = "rule 4"
+ access_boundary_rule {
+ available_resource = "*"
+ available_permissions = ["*"]
+
+ availability_condition {
+ title = "c4"
+ expression = "true"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
new file mode 100644
index 000000000..280519d7c
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
@@ -0,0 +1,21 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.name_validation
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
+
+conditions := [
+ [
+ {"situation_description" : "PDE Access Boundary Policy must use only approved secure policy names.",
+ "remedies":[ "Use only approved PDE policy names such as pde-ab-policy, secure-ab-policy, or prod-ab-policy"]},
+ {
+ "condition": "Whitelist validation for AB policy name",
+ "attribute_path" : ["name"],
+ "values": ["pde-ab-policy",
+ "secure-ab-policy",
+ "prod-ab-policy"],
+ "policy_type" : "whitelist"
+ }
+ ]
+]
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
deleted file mode 100644
index e08e8b634..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/parent_validation/policy.rego
+++ /dev/null
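Review bot: The `values` whitelist fixes the policy name to three literal strings, so any well-formed name outside `pde-ab-policy`, `secure-ab-policy` and `prod-ab-policy` fails and the list must be edited every time a policy is added; if a naming convention is the real intent, a `pattern whitelist` like the one in the deleted `parent_validation` rule is the better fit, and the approved set belongs in `vars` rather than inline in the rule. This commit also removes the only check on `parent` (the `parent_validation` deletion that follows) without replacing it, so a policy attached to an unexpected project path appears to pass the suite now. The `remedies` string already spells out the names, so `situation_description` can be the shorter `"Access Boundary Policy name must be one of the approved policy names."`.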
@@ -1,30 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.parent_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
-
-conditions := [
- [
- {
- "situation_description": "Parent must be a valid Cloud Resource Manager project path (URL encoding allowed)",
- "remedies": [
- "Use the correct format: cloudresourcemanager.googleapis.com/projects/",
- "Project ID must be 6–30 characters, lowercase letters, digits, and hyphens only",
- "Must start with a letter and not end with a hyphen",
- "If using urlencode(), ensure the decoded value matches the required format"
- ]
- },
- {
- "condition": "Validate parent format against CRM project path pattern",
- "attribute_path": ["parent"],
- "values": [
- "^cloudresourcemanager\\.googleapis\\.com/projects/[a-z][a-z0-9\\-]{4,28}[a-z0-9]$"
- ],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/policy.rego
new file mode 100644
index 000000000..db7591700
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/policy.rego
@@ -0,0 +1,24 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.rules_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Access Boundary Policy must contain a safe number of rules (1 to 3) to reduce misconfiguration risk.",
+ "remedies": [
+ "Ensure rules block count is between 1 and 3"
+ ]
+ },
+ {
+ "condition": "Validate rules count range",
+ "attribute_path": ["rules"],
+ "values": [1, 3],
+ "policy_type": "range"
+ }
+ ]
+]
+result := helpers.get_multi_summary(conditions, vars.variables)
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
index 201beb677..02c08f9f2 100644
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
@@ -10,7 +10,7 @@ conditions := [
 {
 "condition": "Validate organization field",
 "attribute_path" : ["organization"],
- "values": ["PDE1"],
+ "values": ["PDE1", "PDE2", "PDE3"],
 "policy_type" : "whitelist"
 }
 ]
From cb07990e53d1c270bc93800c6ca2b9894ef55609 Mon Sep 17 00:00:00 2001
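Review bot: The `range` check on `rules` bounds only how many rules blocks exist, so a single rule with `available_resource = "*"` and `available_permissions = ["*"]` — exactly what the compliant fixture `rules_validation/c.tf` in this commit declares — passes as "safe", even though the `situation_description` claims the check reduces misconfiguration risk. Rule count is a weak proxy for boundary scope; if the helper supports nested attribute paths, add a second condition on the rule's `available_permissions` / `available_resource` that rejects the bare `"*"` wildcard, and otherwise narrow the description to what is actually checked, e.g. `"Access Boundary Policy must define between 1 and 3 rules; this check does not inspect rule scope."`. The `[1, 3]` bounds presumably mean an inclusive element count of the `rules` list — worth confirming against `helpers.get_multi_summary`, and since the fixtures only exercise one and four rules, a fixture with exactly three rules would pin the inclusive upper bound.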
From: 224774388deakin Date: Mon, 4 May 2026 00:26:30 +1000 Subject: [PATCH 67/91] fix folder policy validation --- .../name_validation/c.tf | 7 +-- .../name_validation/nc.tf | 8 ++-- .../name_validation/.terraform.lock.hcl | 21 --------- .../name_validation/c.tf | 16 ------- .../name_validation/config.tf | 11 ----- .../name_validation/nc.tf | 16 ------- .../parent_validation/.terraform.lock.hcl | 21 --------- .../parent_validation/c.tf | 20 -------- .../parent_validation/config.tf | 11 ----- .../parent_validation/nc.tf | 20 -------- .../.terraform.lock.hcl | 21 --------- .../policy_kind_validation/c.tf | 13 ------ .../policy_kind_validation/config.tf | 11 ----- .../policy_kind_validation/nc.tf | 13 ------ .../name_validation/policy.rego | 46 ------------------- .../parent_validation/policy.rego | 22 --------- .../google_iam_deny_policy/vars.rego | 7 --- .../policy_kind_validation/policy.rego | 26 ----------- 18 files changed, 9 insertions(+), 301 deletions(-) delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf delete mode 100644 
inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf delete mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf index bc6be53f1..db2af02b8 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf @@ -1,17 +1,18 @@ resource "google_iam_access_boundary_policy" "c" { parent = "cloudresourcemanager.googleapis.com/projects/my-project" name = "pde-ab-policy" - display_name = "PDE Access Boundary Policy" + display_name = "My AB policy" rules { description = "AB rule" + access_boundary_rule { available_resource = "*" available_permissions = ["*"] availability_condition { - title = "PDE condition" - expression = "true" + title = "Access level expr" + expression = "true" } } } diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf index 122f1a28d..66cf03ee9 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf 
@@ -1,15 +1,17 @@ resource "google_iam_access_boundary_policy" "nc" { parent = "cloudresourcemanager.googleapis.com/projects/my-project" - name = "test-ab-policy" - display_name = "Bad AB Policy" + name = "test1234ab-policy" + display_name = "Bad AB policy" rules { + description = "AB rule" + access_boundary_rule { available_resource = "*" available_permissions = ["*"] availability_condition { - title = "test condition" + title = "Access level expr" expression = "true" } } diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl deleted file mode 100644 index 1f00f27db..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/.terraform.lock.hcl +++ /dev/null @@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "7.30.0" - hashes = [ - "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", - "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", - "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", - "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", - "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", - "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", - "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", - "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", - "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", - "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", - "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", - "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf deleted file mode 100644 index d1ccbe0e1..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/c.tf +++ /dev/null @@ -1,16 +0,0 @@ -resource "google_iam_deny_policy" "c" { - name = "pde-secure-policy1" - parent = "cloudresourcemanager.googleapis.com/projects/my-project" - - rules { - deny_rule { - denied_permissions = [ - "resourcemanager.projects.delete" - ] - - denied_principals = [ - "principal://goog/subject/user@example.com" - ] - } - } -} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf deleted file mode 100644 index 9f4356520..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/config.tf +++ /dev/null @@ -1,11 +0,0 @@ -##### DO NOT EDIT ###### - -terraform { - required_providers { - google = { - source = "hashicorp/google" - } - } -} - -provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf deleted file mode 100644 index bcbc5746a..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/nc.tf +++ /dev/null @@ -1,16 +0,0 @@ -resource "google_iam_deny_policy" "nc" { - name = "Invalid-Policy!" - parent = "cloudresourcemanager.googleapis.com/projects/my-project" - - rules { - deny_rule { - denied_permissions = [ - "resourcemanager.projects.delete" - ] - - denied_principals = [ - "principal://goog/subject/user@example.com" - ] - } - } -} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl deleted file mode 100644 index 3247f9b34..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/.terraform.lock.hcl +++ /dev/null @@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "7.27.0" - hashes = [ - "h1:yWX9RsPIemhUiN5JswiS4n+o51eLF81ZOpRw6hbqOiA=", - "zh:240605f01c575a32378b96634a7bbe17462051320fa7df064dae8d81e9c9c471", - "zh:41ffa473e08379de494c7beb4bc1ee98631c2657355dacd15fe75f52eb2ffd99", - "zh:4b813338a275c7d5bbd69f8a9d4fbd97b7672064ee42e98f1f01699f7b8ced77", - "zh:7f582320ea0578e3eaf4ec54fc370b1eac684972afe0728a94a961a52a037053", - "zh:84f53702ba1c8d912236d1911b90db2b1dbc011127831ae67dfcd280710334d8", - "zh:85d775e3c42f3b88914d059bd11c46e25a1cb9cce912c9fbc35428114b099d47", - "zh:93a2a30bc254706525eaa5e0a35d2122377b735fe1f3dccd887c35b3755b32d3", - "zh:a921d2ab38464bce393e8fd2aa11a140ed56632f94895d93bb272e204931c8c6", - "zh:c221992557de048b40a4fae102dfa5200c32715b21c0a251c1e931eafbc6a698", - "zh:cef310150cdf62a6a49e45f049f21077c58971c6197b70528a69b572dbf218fd", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f630cf936bbbadc67a374329cc80fbe9d706fa2fb1556e130bc7a3f0386697fb", - ] -} diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf deleted file mode 100644 index 2c1e74122..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/c.tf +++ /dev/null 
@@ -1,20 +0,0 @@ -resource "google_iam_deny_policy" "c" { - name = "pde-deny-policy" - parent = "cloudresourcemanager.googleapis.com/projects/my-project-id" - - display_name = "PDE Deny Policy" - - rules { - description = "Prevent unauthorized project updates" - - deny_rule { - denied_principals = ["principalSet://goog/public:all"] - denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"] - - denial_condition { - title = "Only allow test environments" - expression = "!resource.matchTag('project/env', 'production')" - } - } - } -} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf deleted file mode 100644 index 9f4356520..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/config.tf +++ /dev/null @@ -1,11 +0,0 @@ -##### DO NOT EDIT ###### - -terraform { - required_providers { - google = { - source = "hashicorp/google" - } - } -} - -provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf deleted file mode 100644 index 3c5c7682f..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/nc.tf +++ /dev/null @@ -1,20 +0,0 @@ -resource "google_iam_deny_policy" "nc" { - name = "pde-deny-policy" - parent = "projects/my-project-id" - - display_name = "PDE Deny Policy" - - rules { - description = "Prevent unauthorized project updates" - - deny_rule { - denied_principals = ["principalSet://goog/public:all"] - denied_permissions = ["cloudresourcemanager.googleapis.com/projects.update"] - - denial_condition { - title = "Only allow test environments" - expression = "!resource.matchTag('project/env', 'production')" - } - } - } -} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl deleted file mode 100644 index 1f00f27db..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl +++ /dev/null @@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "7.30.0" - hashes = [ - "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", - "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", - "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", - "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", - "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", - "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", - "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", - "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", - "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", - "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", - "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", - "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf deleted file mode 100644 index 352dd34d6..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf +++ /dev/null 
@@ -1,13 +0,0 @@ -resource "google_iam_folders_policy_binding" "c" { - folder = "folders/123456789" - location = "global" - display_name = "valid binding" - policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" - policy_binding_id = "binding-for-all-folder-principals" - - policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/policy-1" - - target { - principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789" - } -} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf deleted file mode 100644 index 9f4356520..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf +++ /dev/null @@ -1,11 +0,0 @@ -##### DO NOT EDIT ###### - -terraform { - required_providers { - google = { - source = "hashicorp/google" - } - } -} - -provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf deleted file mode 100644 index 259252dc0..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf +++ /dev/null @@ -1,13 +0,0 @@ -resource "google_iam_folders_policy_binding" "nc" { - folder = "folders/123456789" - location = "global" - display_name = "invalid binding" - policy_kind = "ACCESS" - policy_binding_id = "binding-for-all-folder-principals" - - policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/policy-1" - - target { - principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789" - } -} \ No newline at end of file 
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
deleted file mode 100644
index 2e434aadd..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_deny_policy/name_validation/policy.rego
+++ /dev/null
@@ -1,46 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.name_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
-
-conditions := [
-
- [
- {
- "situation_description": "Deny policy name must not be empty",
- "remedies": [
- "Provide a valid deny policy name"
- ]
- },
- {
- "condition": "Name must be present",
- "attribute_path": ["name"],
- "values": ["^.+$"],
- "policy_type": "pattern whitelist"
- }
- ],
-
- [
- {
- "situation_description": "Deny policy name must follow required naming convention",
- "remedies": [
- "Start with 'pde-' prefix",
- "Use only lowercase letters, numbers, and hyphens",
- "Do not end with a hyphen",
- "Keep length between 6 and 63 characters"
- ]
- },
- {
- "condition": "Strict deny policy name validation",
- "attribute_path": ["name"],
- "values": [
- "^pde-[a-z0-9]([a-z0-9-]{4,61}[a-z0-9])$"
- ],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
deleted file mode 100644
index 5c29e7de7..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_deny_policy/parent_validation/policy.rego
+++ /dev/null
@@ -1,22 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.parent_validation
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
-
-conditions := [
- [
- {
- "situation_description": "Parent is not correctly defined",
- "remedies": ["Use format: cloudresourcemanager.googleapis.com/projects/"]
- },
- {
- "condition": "Validate parent format",
- "attribute_path": ["parent"],
- "values": ["cloudresourcemanager.googleapis.com/projects/*"],
- "policy_type": "pattern whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
deleted file mode 100644
index a53e0000c..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_deny_policy/vars.rego
+++ /dev/null
@@ -1,7 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_deny_policy.vars
-
-variables := {
- "friendly_resource_name": "Cloud_IAM deny policy",
- "resource_type": "google_iam_deny_policy",
- "resource_value_name": "name"
-}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego
deleted file mode 100644
index a297d2411..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego
+++ /dev/null
@@ -1,26 +0,0 @@
-package terraform.gcp.security.cloud_iam.google_iam_folders_policy_binding.policy_kind_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.cloud_iam.google_iam_folders_policy_binding.vars
-
-conditions := [
- [
- {
- "situation_description": "Folders Policy Binding must use an approved policy kind.",
- "remedies": [
- "Set policy_kind to PRINCIPAL_ACCESS_BOUNDARY"
- ]
- },
- {
- "condition": "Validate policy_kind",
- "attribute_path": ["policy_kind"],
- "values": ["PRINCIPAL_ACCESS_BOUNDARY"],
- "policy_type": "whitelist"
- }
- ]
-]
-
-result := helpers.get_multi_summary(conditions, vars.variables)
-
-message := result.message
-details := result.details
\ No newline at end of file
From 9f422885f1e220e3d1ec5618f1051c76c0a9973c Mon Sep 17 00:00:00 2001
From: 224774388deakin Date: Mon, 4 May 2026 00:42:49 +1000 Subject: [PATCH 68/91] fix folder policy validation --- .../name_validation/c.tf | 19 ------- .../name_validation/nc.tf | 19 ------- .../rules_validation/.terraform.lock.hcl | 21 ------- .../rules_validation/c.tf | 18 ------ .../rules_validation/config.tf | 11 ---- .../rules_validation/nc.tf | 57 ------------------- .../.terraform.lock.hcl | 0 .../client_type_validation/c.tf | 18 ++++++ .../client_type_validation}/config.tf | 0 .../client_type_validation/nc.tf | 18 ++++++ .../name_validation/policy.rego | 21 ------- .../rules_validation/policy.rego | 24 -------- .../vars.rego | 7 --- .../client_type_validation/policy.rego | 20 +++++++ 14 files changed, 56 insertions(+), 197 deletions(-) delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/nc.tf rename inputs/gcp/Cloud_IAM/{google_iam_access_boundary_policy/name_validation => google_iam_oauth_client_credential/client_type_validation}/.terraform.lock.hcl (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/c.tf rename inputs/gcp/Cloud_IAM/{google_iam_access_boundary_policy/name_validation => google_iam_oauth_client_credential/client_type_validation}/config.tf (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf delete mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego delete mode 
100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego create mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/policy.rego
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
deleted file mode 100644
index db2af02b8..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/c.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-resource "google_iam_access_boundary_policy" "c" {
- parent = "cloudresourcemanager.googleapis.com/projects/my-project"
- name = "pde-ab-policy"
- display_name = "My AB policy"
-
- rules {
- description = "AB rule"
-
- access_boundary_rule {
- available_resource = "*"
- available_permissions = ["*"]
-
- availability_condition {
- title = "Access level expr"
- expression = "true"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
deleted file mode 100644
index 66cf03ee9..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/nc.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-resource "google_iam_access_boundary_policy" "nc" {
- parent = "cloudresourcemanager.googleapis.com/projects/my-project"
- name = "test1234ab-policy"
- display_name = "Bad AB policy"
-
- rules {
- description = "AB rule"
-
- access_boundary_rule {
- available_resource = "*"
- available_permissions = ["*"]
-
- availability_condition {
- title = "Access level expr"
- expression = "true"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/.terraform.lock.hcl
deleted file mode 100644
index 1f00f27db..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/.terraform.lock.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.30.0"
- hashes = [
- "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=",
- "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251",
- "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3",
- "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832",
- "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50",
- "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4",
- "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803",
- "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9",
- "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af",
- "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff",
- "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748",
- "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/c.tf
deleted file mode 100644
index ee4ba0f42..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/c.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-resource "google_iam_access_boundary_policy" "c" {
- parent = "cloudresourcemanager.googleapis.com/projects/my-project"
- name = "my-ab-policy"
- display_name = "AB Policy"
-
- rules {
- description = "rule 1"
- access_boundary_rule {
- available_resource = "*"
- available_permissions = ["*"]
-
- availability_condition {
- title = "condition"
- expression = "true"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/nc.tf
deleted file mode 100644
index 75fa0f215..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/nc.tf
+++ /dev/null
@@ -1,57 +0,0 @@
-resource "google_iam_access_boundary_policy" "nc" {
- parent = "cloudresourcemanager.googleapis.com/projects/my-project"
- name = "my-ab-policy"
- display_name = "AB Policy"
-
- rules {
- description = "rule 1"
- access_boundary_rule {
- available_resource = "*"
- available_permissions = ["*"]
-
- availability_condition {
- title = "c1"
- expression = "true"
- }
- }
- }
-
- rules {
- description = "rule 2"
- access_boundary_rule {
- available_resource = "*"
- available_permissions = ["*"]
-
- availability_condition {
- title = "c2"
- expression = "true"
- }
- }
- }
-
- rules {
- description = "rule 3"
- access_boundary_rule {
- available_resource = "*"
- available_permissions = ["*"]
-
- availability_condition {
- title = "c3"
- expression = "true"
- }
- }
- }
-
- rules {
- description = "rule 4"
- access_boundary_rule {
- available_resource = "*"
- available_permissions = ["*"]
-
- availability_condition {
- title = "c4"
- expression = "true"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/.terraform.lock.hcl
similarity index 100%
rename from inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/.terraform.lock.hcl
rename to inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/.terraform.lock.hcl
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/c.tf
new file mode 100644
index 000000000..7f10e7aca
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/c.tf
@@ -0,0 +1,18 @@
+resource "google_iam_oauth_client" "oauth_client1" {
+ oauth_client_id = "example-client-id"
+ location = "global"
+ allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
+ allowed_redirect_uris = ["https://www.example.com"]
+ allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ client_type = "CONFIDENTIAL_CLIENT"
+ project = "smooth-verve-467716-v1"
+}
+
+resource "google_iam_oauth_client_credential" "c" {
+ oauthclient = google_iam_oauth_client.oauth_client1.oauth_client_id
+ location = "global"
+ oauth_client_credential_id = "cred-id"
+ disabled = true
+ display_name = "Display Name of credential"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/config.tf
similarity index 100%
rename from inputs/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/config.tf
rename to inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/config.tf
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf
new file mode 100644
index 000000000..ed0c22c90
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf
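Review bot: The fixture pins `project = "smooth-verve-467716-v1"` on both resources, which has the shape of a real auto-generated GCP project ID rather than the `my-project` placeholder the other inputs in this series use (for example the access-boundary fixtures removed in this same commit); the nc.tf hunk that follows repeats it. A project ID in committed test inputs is an unnecessary disclosure and ties the fixture to a project the policy does not need. `project = "my-project"` on both resources, in c.tf and nc.tf alike, keeps the test self-contained. Each hunk is a complete file.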
@@ -0,0 +1,18 @@
+resource "google_iam_oauth_client" "oauth_client12" {
+ oauth_client_id = "example-client-id"
+ location = "global"
+ allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
+ allowed_redirect_uris = ["https://www.example.com"]
+ allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ client_type = "CONFIDENTIAL_CLIENT"
+ project = "smooth-verve-467716-v1"
+}
+
+resource "google_iam_oauth_client_credential" "nc" {
+ oauthclient = google_iam_oauth_client.oauth_client12.oauth_client_id
+ location = "global"
+ oauth_client_credential_id = "cred-id"
+ disabled = true
+ display_name = "Display Name of credential"
+ project = "smooth-verve-467716-v1"
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
deleted file mode 100644
index 280519d7c..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/name_validation/policy.rego
+++ /dev/null
@@ -1,21 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.name_validation
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
-
-conditions := [
- [
- {"situation_description" : "PDE Access Boundary Policy must use only approved secure policy names.",
- "remedies":[ "Use only approved PDE policy names such as pde-ab-policy, secure-ab-policy, or prod-ab-policy"]},
- {
- "condition": "Whitelist validation for AB policy name",
- "attribute_path" : ["name"],
- "values": ["pde-ab-policy",
- "secure-ab-policy",
- "prod-ab-policy"],
- "policy_type" : "whitelist"
- }
- ]
-]
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/policy.rego
deleted file mode 100644
index db7591700..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/rules_validation/policy.rego
+++ /dev/null
@@ -1,24 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.rules_validation
-
-import data.terraform.helpers
-import data.terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
-
-conditions := [
- [
- {
- "situation_description": "Access Boundary Policy must contain a safe number of rules (1 to 3) to reduce misconfiguration risk.",
- "remedies": [
- "Ensure rules block count is between 1 and 3"
- ]
- },
- {
- "condition": "Validate rules count range",
- "attribute_path": ["rules"],
- "values": [1, 3],
- "policy_type": "range"
- }
- ]
-]
-result := helpers.get_multi_summary(conditions, vars.variables)
-message := result.message
-details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego
deleted file mode 100644
index a4823eca1..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_access_boundary_policy/vars.rego
+++ /dev/null
@@ -1,7 +0,0 @@
-package terraform.gcp.security.Cloud_IAM.google_iam_access_boundary_policy.vars
-
-variables := {
- "friendly_resource_name": "Cloud_IAM Access Boundary Policy",
- "resource_type": "google_iam_access_boundary_policy",
- "resource_value_name": "name"
-}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/policy.rego
new file mode 100644
index 000000000..a4afd72dc
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/policy.rego @@ -0,0 +1,20 @@ +package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.client_type_validation +import data.terraform.helpers +import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.vars + +conditions := [ + [ + {"situation_description" : "OAuth client credentials must use approved client types only.", + "remedies":[ "Use only CONFIDENTIAL_CLIENT or PUBLIC_CLIENT OAuth configurations"]}, + { + "condition": "Whitelist OAuth client type", + "attribute_path" : ["client_type"], + "values" : ["CONFIDENTIAL_CLIENT","PUBLIC_CLIENT"], + "policy_type" : "whitelist" + } + ] +] + +result := helpers.get_multi_summary(conditions, vars.variables) +message := result.message +details := result.details \ No newline at end of file From 65ce4f61076dc051823fbcb277c7035c3f76635c Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Mon, 4 May 2026 00:46:48 +1000 Subject: [PATCH 69/91] fix folder policy validation --- .../client_type_validation/nc.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf index ed0c22c90..091b7cbb1 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf @@ -4,7 +4,7 @@ resource "google_iam_oauth_client" "oauth_client12" { allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] allowed_redirect_uris = ["https://www.example.com"] allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - client_type = "CONFIDENTIAL_CLIENT" + client_type = "INTERNAL_CLIENT" project = "smooth-verve-467716-v1" } From 6fa870ad80e77fc3032d461fa06d5c3c90f98029 Mon Sep 17 00:00:00 2001 
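Review bot: The whitelist checks `["client_type"]` on the resource selected by `vars.variables`, but `client_type` is an argument of `google_iam_oauth_client`, not of `google_iam_oauth_client_credential`: in both fixtures the credential resource carries no such attribute, and the non-compliant case introduced by the following commit's nc.tf hunk flips `client_type` on the client resource. If the imported vars follow the other `vars.rego` files in this series (`resource_type` set to the directory's resource name), the policy never sees the attribute it validates, so the c/nc fixtures cannot be told apart and a passing run would hide the misconfiguration rather than detect it; vars.rego is outside this view, so this is inferred. Either point the policy at the `google_iam_oauth_client` resource, or check something the credential itself declares, such as `"attribute_path" : ["disabled"]`. Note also that `CONFIDENTIAL_CLIENT` and `PUBLIC_CLIENT` appear to be the only values the provider accepts for `client_type`, so the whitelist adds little beyond plan-time validation; the whole directory is removed again two commits later, which may make this moot.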
From: 224774388deakin Date: Mon, 4 May 2026 00:53:38 +1000 Subject: [PATCH 70/91] fix folder policy validation --- .../.terraform.lock.hcl | 21 ------------------- .../client_type_validation/c.tf | 18 ---------------- .../client_type_validation/config.tf | 11 ---------- .../client_type_validation/nc.tf | 18 ---------------- .../client_type_validation/policy.rego | 20 ------------------ 5 files changed, 88 deletions(-) delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/.terraform.lock.hcl delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/config.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf delete mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/policy.rego diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/.terraform.lock.hcl deleted file mode 100644 index 1f00f27db..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/.terraform.lock.hcl +++ /dev/null 
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/google" {
- version = "7.30.0"
- hashes = [
- "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=",
- "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251",
- "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3",
- "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832",
- "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50",
- "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4",
- "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803",
- "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9",
- "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af",
- "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff",
- "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748",
- "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf",
- "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- ]
-}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/c.tf
deleted file mode 100644
index 7f10e7aca..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/c.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-resource "google_iam_oauth_client" "oauth_client1" {
- oauth_client_id = "example-client-id"
- location = "global"
- allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
- allowed_redirect_uris = ["https://www.example.com"]
- allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- client_type = "CONFIDENTIAL_CLIENT"
- project = "smooth-verve-467716-v1"
-}
-
-resource "google_iam_oauth_client_credential" "c" {
- oauthclient = google_iam_oauth_client.oauth_client1.oauth_client_id
- location = "global"
- oauth_client_credential_id = "cred-id"
- disabled = true
- display_name = "Display Name of credential"
- project = "smooth-verve-467716-v1"
-}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/config.tf
deleted file mode 100644
index 9f4356520..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/config.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-##### DO NOT EDIT ######
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
-}
-
-provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf
deleted file mode 100644
index 091b7cbb1..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/nc.tf
+++ /dev/null
@@ -1,18 +0,0 @@ -resource "google_iam_oauth_client" "oauth_client12" { - oauth_client_id = "example-client-id" - location = "global" - allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] - allowed_redirect_uris = ["https://www.example.com"] - allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - client_type = "INTERNAL_CLIENT" - project = "smooth-verve-467716-v1" -} - -resource "google_iam_oauth_client_credential" "nc" { - oauthclient = google_iam_oauth_client.oauth_client12.oauth_client_id - location = "global" - oauth_client_credential_id = "cred-id" - disabled = true - display_name = "Display Name of credential" - project = "smooth-verve-467716-v1" -} \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/policy.rego deleted file mode 100644 index a4afd72dc..000000000 --- a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/client_type_validation/policy.rego +++ /dev/null @@ -1,20 +0,0 @@ -package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.client_type_validation -import data.terraform.helpers -import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.vars - -conditions := [ - [ - {"situation_description" : "OAuth client credentials must use approved client types only.", - "remedies":[ "Use only CONFIDENTIAL_CLIENT or PUBLIC_CLIENT OAuth configurations"]}, - { - "condition": "Whitelist OAuth client type", - "attribute_path" : ["client_type"], - "values" : ["CONFIDENTIAL_CLIENT","PUBLIC_CLIENT"], - "policy_type" : "whitelist" - } - ] -] - -result := helpers.get_multi_summary(conditions, vars.variables) -message := result.message -details := result.details \ No newline at end of file From 4d81f4aa88a0289effb257d276fff409ca5590bf Mon Sep 17 00:00:00 2001 
From: 224774388deakin Date: Mon, 4 May 2026 01:06:57 +1000 Subject: [PATCH 71/91] fix folder policy validation --- .../.terraform.lock.hcl | 21 +++++++++++++++++++ .../policy_kind_validation/c.tf | 12 +++++++++++ .../policy_kind_validation/config.tf | 11 ++++++++++ .../policy_kind_validation/nc.tf | 12 +++++++++++ 4 files changed, 56 insertions(+) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/.terraform.lock.hcl 
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.30.0"
+ hashes = [
+ "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=",
+ "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251",
+ "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3",
+ "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832",
+ "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50",
+ "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4",
+ "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803",
+ "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9",
+ "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af",
+ "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff",
+ "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748",
+ "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
new file mode 100644
index 000000000..76189e648
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
@@ -0,0 +1,12 @@
+resource "google_iam_folders_policy_binding" "c" {
+ folder = "folders/123456789"
+ location = "global"
+ policy_binding_id = "pde-binding-01"
+ display_name = "Valid binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf new file mode 100644 index 000000000..1a6ef1a68 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf @@ -0,0 +1,12 @@ +resource "google_iam_folders_policy_binding" "nc" { + folder = "folders/123456789" + location = "global" + policy_binding_id = "bad-binding" + display_name = "Invalid binding" + policy_kind = "ACCESS" + policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy" + + target { + principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789" + } +} \ No newline at end of file From 109adab6646124c3a1bd2e993eb157380dc4c36e Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Mon, 4 May 2026 01:08:47 +1000 Subject: [PATCH 72/91] fix folder policy validation --- .../policy_kind_validation/policy.rego | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego new file mode 100644 index 000000000..3cf3bf86e --- /dev/null 
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/policy.rego @@ -0,0 +1,27 @@ +package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.policy_kind_validation + +import data.terraform.helpers +import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars + +conditions := [ + [ + { + "situation_description": "Only approved policy kinds are allowed for folder policy bindings", + "remedies": [ + "Use PRINCIPAL_ACCESS_BOUNDARY as the policy_kind", + "Avoid using ACCESS or unspecified policy kinds" + ] + }, + { + "condition": "Validate policy_kind field", + "attribute_path": ["policy_kind"], + "values": ["PRINCIPAL_ACCESS_BOUNDARY"], + "policy_type": "whitelist" + } + ] +] + +result := helpers.get_multi_summary(conditions, vars.variables) + +message := result.message +details := result.details \ No newline at end of file From fc6786a116efa012b2fd77947c110e8e54f30fc4 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Mon, 4 May 2026 01:21:54 +1000 Subject: [PATCH 73/91] fix folder policy validation --- .../policy_validation/.terraform.lock.hcl | 21 +++++++++++++ .../policy_validation/c.tf | 13 ++++++++ .../policy_validation/config.tf | 11 +++++++ .../policy_validation/nc.tf | 13 ++++++++ .../policy_validation/policy.rego | 30 +++++++++++++++++++ 5 files changed, 88 insertions(+) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf create mode 100644 policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/policy.rego 
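Review bot: The remedy text says to avoid "unspecified policy kinds", but the only fixtures for this check (c.tf and nc.tf in the previous commit) both set `policy_kind` explicitly, so whether a binding that omits the attribute is reported depends on how `helpers.get_multi_summary` treats a missing `attribute_path` under `"policy_type": "whitelist"`, which is not visible here. `policy_kind` appears to be optional in the provider, so a third fixture with the attribute omitted would pin the intended outcome either way. If the helper passes missing attributes, a presence condition in the form the deleted deny-policy name check used — `"attribute_path": ["policy_kind"]`, `"values": ["^.+$"]`, `"policy_type": "pattern whitelist"` — added as a second entry in `conditions` would enforce it. The hunk is a complete file.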
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/.terraform.lock.hcl
new file mode 100644
index 000000000..1f00f27db
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/google" {
+ version = "7.30.0"
+ hashes = [
+ "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=",
+ "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251",
+ "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3",
+ "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832",
+ "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50",
+ "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4",
+ "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803",
+ "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9",
+ "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af",
+ "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff",
+ "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748",
+ "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf
new file mode 100644
index 000000000..fc747ec85
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf
@@ -0,0 +1,13 @@
+resource "google_iam_folders_policy_binding" "c" {
+ folder = "folders/123456789"
+ location = "global"
+ policy_binding_id = "pde-binding-03"
+ display_name = "Valid binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/config.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf
new file mode 100644
index 000000000..fcd77c393
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf
@@ -0,0 +1,13 @@
+resource "google_iam_folders_policy_binding" "nc" {
+ folder = "folders/123456789"
+ location = "global"
+ policy_binding_id = "bad-binding-03"
+ display_name = "Invalid binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+
+ policy = "organizations/999999999/locations/global/principalAccessBoundaryPolicies/unknown-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
+ }
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/policy.rego
new file mode 100644
index 000000000..c9e0f93c8
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/policy.rego
@@ -0,0 +1,30 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.policy_validation
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Folder policy binding must use an approved policy",
+ "remedies": [
+ "Use only approved Principal Access Boundary policies",
+ "Ensure policy belongs to your organization"
+ ]
+ },
+ {
+ "condition": "Validate policy field",
+ "attribute_path": ["policy"],
+ "values": [
+ "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1",
+ "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-2"
+ ],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+details := result.details
\ No newline at end of file
From ce6c59b07833daeb50cfbfe1032878a4fc735e2e Mon Sep 17 00:00:00 2001
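Review bot: The whitelist on `policy` hard-codes two fixture-style policy names under organization 123456789, so the control pins a literal list rather than the property the remedy states ("Ensure policy belongs to your organization"); any new or renamed PAB policy in the real organization will be reported as non-compliant until someone edits Rego. If the helpers offer a pattern or prefix policy_type, match `organizations/<ORG_ID>/locations/global/principalAccessBoundaryPolicies/` with the organization id taken from vars; otherwise move the approved list into vars so it is data rather than code. The nc fixture only fails because its policy sits in organization 999999999 and is named unknown-policy, so the case most likely to occur in practice — an in-organization policy that is simply not on the list — is never exercised.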
From: 224774388deakin Date: Mon, 4 May 2026 01:36:20 +1000 Subject: [PATCH 74/91] fix folder policy validation --- .../scope_restriction/.terraform.lock.hcl | 21 ++++++++++++++ .../scope_restriction/c.tf | 18 ++++++++++++ .../scope_restriction/config.tf | 11 ++++++++ .../scope_restriction/nc.tf | 20 +++++++++++++ .../resource_limit/.terraform.lock.hcl | 21 ++++++++++++++ .../resource_limit/c.tf | 21 ++++++++++++++ .../resource_limit/config.tf | 11 ++++++++ .../resource_limit/nc.tf | 25 +++++++++++++++++ .../scope_restriction/policy.rego | 27 ++++++++++++++++++ .../resource_limit/policy.rego | 28 +++++++++++++++++++ 10 files changed, 203 insertions(+) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/nc.tf create mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/policy.rego create mode 100644 policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/policy.rego diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null 
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf new file mode 100644 index 000000000..4fc34af7b --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf @@ -0,0 +1,18 @@ +resource "google_iam_oauth_client" "c" { + project = "smooth-verve-467716-v1" + oauth_client_id = "secure-client-01" + location = "global" + + client_type = "CONFIDENTIAL_CLIENT" + + allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] + + allowed_redirect_uris = [ + "https://app.example.com/callback" + ] + + allowed_scopes = [ + "openid", + "email" + ] +} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf
new file mode 100644
index 000000000..b10dea308
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf
@@ -0,0 +1,20 @@
+resource "google_iam_oauth_client" "nc" {
+ project = "smooth-verve-467716-v1"
+ oauth_client_id = "insecure-client-01"
+ location = "global"
+
+ client_type = "CONFIDENTIAL_CLIENT"
+
+ allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
+
+ allowed_redirect_uris = [
+ "http://malicious.example.com/callback"
+ ]
+
+ allowed_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform"
+ ]
+
+ display_name = "Insecure OAuth Client"
+ description = "Uses overly broad scope"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/.terraform.lock.hcl
new file mode 100644
index 000000000..1f00f27db
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/.terraform.lock.hcl
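Review bot: The non-compliant fixture carries two independent defects — the `https://www.googleapis.com/auth/cloud-platform` scope that scope_restriction targets and a plaintext `http://malicious.example.com/callback` redirect URI that no check in this series inspects — so a failing result cannot be attributed to the scope rule, and a regression in the scope check would be masked if a redirect-URI rule is ever added. Keep nc fixtures single-fault: use `allowed_redirect_uris = ["https://app.example.com/callback"]` here, matching c.tf. A non-TLS redirect URI is a real finding in its own right (the authorization code would travel in clear text), so it deserves its own policy and fixture rather than riding along in this one.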
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/c.tf new file mode 100644 index 000000000..ac83a5b4f --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/c.tf 
@@ -0,0 +1,21 @@ +resource "google_iam_principal_access_boundary_policy" "c" { + organization = "123456789" + location = "global" + + principal_access_boundary_policy_id = "pde-pab-policy-c" + display_name = "Compliant PAB Policy" + + details { + rules { + effect = "ALLOW" + + resources = [ + "//cloudresourcemanager.googleapis.com/projects/123", + "//cloudresourcemanager.googleapis.com/projects/456", + "//cloudresourcemanager.googleapis.com/folders/789" + ] + + description = "Safe scoped access boundary" + } + } +} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/config.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/config.tf new file mode 100644 index 000000000..9f4356520 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/config.tf @@ -0,0 +1,11 @@ +##### DO NOT EDIT ###### + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + } +} + +provider "google" {} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/nc.tf new file mode 100644 index 000000000..9ba795e3c --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/nc.tf 
@@ -0,0 +1,25 @@
+resource "google_iam_principal_access_boundary_policy" "nc" {
+ organization = "123456789"
+ location = "global"
+
+ principal_access_boundary_policy_id = "pde-pab-policy-nc"
+ display_name = "Non-Compliant PAB Policy"
+
+ details {
+ rules {
+ effect = "ALLOW"
+
+ resources = [
+ "//cloudresourcemanager.googleapis.com/projects/111",
+ "//cloudresourcemanager.googleapis.com/projects/222",
+ "//cloudresourcemanager.googleapis.com/projects/333",
+ "//cloudresourcemanager.googleapis.com/projects/444",
+ "//cloudresourcemanager.googleapis.com/projects/555",
+ "//cloudresourcemanager.googleapis.com/projects/666",
+ "//cloudresourcemanager.googleapis.com/projects/777"
+ ]
+
+ description = "Too many resources in one boundary rule"
+ }
+ }
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/policy.rego
new file mode 100644
index 000000000..3c4b9a31b
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/policy.rego
@@ -0,0 +1,27 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.scope_restriction
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "OAuth client must not request overly broad scopes",
+ "remedies": [
+ "Avoid using cloud-platform scope",
+ "Use least privilege scopes like email or openid"
+ ]
+ },
+ {
+ "condition": "Disallow broad scopes",
+ "attribute_path": ["allowed_scopes"],
+ "values": ["https://www.googleapis.com/auth/cloud-platform"],
+ "policy_type": "blacklist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+details := result.details
\ No newline at end of file
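Review bot: A denylist with a single entry only catches the exact string `https://www.googleapis.com/auth/cloud-platform`; any other broad or slightly different scope passes, and the blacklist semantics for a list-valued attribute (fail if any element matches, or only if the whole list equals the value) live in helpers.get_multi_summary and are not visible here. PATCH 75 in this series adds oauth_scope_whitelist, which expresses the same intent as an allowlist, so the two checks now overlap on `allowed_scopes` and will double-report the same client. Prefer keeping only the allowlist; if this denylist stays, document why and add a fixture where cloud-platform appears alongside an approved scope so the any-element behaviour is pinned by a test.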
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/policy.rego new file mode 100644 index 000000000..a3edb5924 --- /dev/null +++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/policy.rego @@ -0,0 +1,28 @@ +package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.resource_limit + +import data.terraform.helpers +import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars + +conditions := [ + [ + { + "situation_description": "Principal Access Boundary must not include too many resources per rule", + "remedies": [ + "Limit resources per rule to reduce attack surface", + "Split large policies into smaller scoped boundaries", + "Ensure least privilege access by minimizing resource scope" + ] + }, + { + "condition": "Restrict maximum number of resources in access boundary rule", + "attribute_path": ["details", 0, "rules", 0, "resources"], + "values": [0, 5], + "policy_type": "range" + } + ] +] + +result := helpers.get_multi_summary(conditions, vars.variables) + +message := result.message +details := result.details \ No newline at end of file From 54a6f64fedc2aea7b09438ecba292be4e5d602d5 Mon Sep 17 00:00:00 2001 
From: 224774388deakin Date: Mon, 4 May 2026 01:59:36 +1000 Subject: [PATCH 75/91] fix folder policy --- .../.terraform.lock.hcl | 0 .../oauth_scope_whitelist/c.tf | 18 +++++++++++ .../oauth_scope_whitelist}/config.tf | 0 .../oauth_scope_whitelist/nc.tf | 19 +++++++++++ .../resource_limit/c.tf | 21 ------------ .../resource_limit/nc.tf | 25 --------------- .../.terraform.lock.hcl | 21 ++++++++++++ .../policy_kind_restriction/c.tf | 13 ++++++++ .../policy_kind_restriction/config.tf | 11 +++++++ .../policy_kind_restriction/nc.tf | 14 ++++++++ .../.terraform.lock.hcl | 21 ++++++++++++ .../project_principal_whitelist/c.tf | 13 ++++++++ .../project_principal_whitelist/config.tf | 11 +++++++ .../project_principal_whitelist/nc.tf | 13 ++++++++ .../oauth_scope_whitelist/policy.rego | 32 +++++++++++++++++++ .../resource_limit/policy.rego | 28 ---------------- .../policy_kind_restriction/policy.rego | 28 ++++++++++++++++ .../project_principal_whitelist/policy.rego | 31 ++++++++++++++++++ 18 files changed, 245 insertions(+), 74 deletions(-) rename inputs/gcp/Cloud_IAM/{google_iam_principal_access_boundary_policy/resource_limit => google_iam_oauth_client/oauth_scope_whitelist}/.terraform.lock.hcl (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf rename inputs/gcp/Cloud_IAM/{google_iam_principal_access_boundary_policy/resource_limit => google_iam_oauth_client/oauth_scope_whitelist}/config.tf (100%) create mode 100644 inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/c.tf delete mode 100644 inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/nc.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/.terraform.lock.hcl create mode 100644 
inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/nc.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/.terraform.lock.hcl create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/config.tf create mode 100644 inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf create mode 100644 policies/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/policy.rego delete mode 100644 policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/policy.rego create mode 100644 policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/policy.rego create mode 100644 policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/policy.rego diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/.terraform.lock.hcl similarity index 100% rename from inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/.terraform.lock.hcl rename to inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/.terraform.lock.hcl diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf new file mode 100644 index 000000000..5965b7191 --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf 
@@ -0,0 +1,18 @@
+resource "google_iam_oauth_client" "c" {
+ project = "smooth-verve-467716-v1"
+ oauth_client_id = "example-client-id"
+ display_name = "Secure OAuth Client"
+ description = "Uses least privilege scopes"
+ location = "global"
+ disabled = false
+
+ allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
+ allowed_redirect_uris = ["https://www.example.com"]
+
+ allowed_scopes = [
+ "openid",
+ "email"
+ ]
+
+ client_type = "CONFIDENTIAL_CLIENT"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/config.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/config.tf
similarity index 100%
rename from inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/config.tf
rename to inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/config.tf
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf
new file mode 100644
index 000000000..ee6a28992
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf
@@ -0,0 +1,19 @@
+resource "google_iam_oauth_client" "nc" {
+ project = "smooth-verve-467716-v1"
+ oauth_client_id = "example-client-id"
+ display_name = "Unsafe OAuth Client"
+ description = "Uses overly broad scope"
+ location = "global"
+ disabled = false
+
+ allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
+ allowed_redirect_uris = ["https://www.example.com"]
+
+
+ allowed_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
+ "openid"
+ ]
+
+ client_type = "CONFIDENTIAL_CLIENT"
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/c.tf
deleted file mode 100644
index ac83a5b4f..000000000
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/c.tf +++ /dev/null @@ -1,21 +0,0 @@ -resource "google_iam_principal_access_boundary_policy" "c" { - organization = "123456789" - location = "global" - - principal_access_boundary_policy_id = "pde-pab-policy-c" - display_name = "Compliant PAB Policy" - - details { - rules { - effect = "ALLOW" - - resources = [ - "//cloudresourcemanager.googleapis.com/projects/123", - "//cloudresourcemanager.googleapis.com/projects/456", - "//cloudresourcemanager.googleapis.com/folders/789" - ] - - description = "Safe scoped access boundary" - } - } -} \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/nc.tf deleted file mode 100644 index 9ba795e3c..000000000 --- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/nc.tf +++ /dev/null @@ -1,25 +0,0 @@ -resource "google_iam_principal_access_boundary_policy" "nc" { - organization = "123456789" - location = "global" - - principal_access_boundary_policy_id = "pde-pab-policy-nc" - display_name = "Non-Compliant PAB Policy" - - details { - rules { - effect = "ALLOW" - - resources = [ - "//cloudresourcemanager.googleapis.com/projects/111", - "//cloudresourcemanager.googleapis.com/projects/222", - "//cloudresourcemanager.googleapis.com/projects/333", - "//cloudresourcemanager.googleapis.com/projects/444", - "//cloudresourcemanager.googleapis.com/projects/555", - "//cloudresourcemanager.googleapis.com/projects/666", - "//cloudresourcemanager.googleapis.com/projects/777" - ] - - description = "Too many resources in one boundary rule" - } - } -} \ No newline at end of file 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/c.tf new file mode 100644 index 000000000..f2889d23c --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/c.tf 
@@ -0,0 +1,13 @@
+resource "google_iam_projects_policy_binding" "c" {
+ project = "smooth-verve-467716-v1"
+ location = "global"
+ display_name = "secure-pab-binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "pde-secure-binding"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/smooth-verve-467716-v1"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/config.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/nc.tf
new file mode 100644
index 000000000..f43f4115e
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/nc.tf
@@ -0,0 +1,14 @@
+resource "google_iam_projects_policy_binding" "nc" {
+ project = "smooth-verve-467716-v1"
+ location = "global"
+ display_name = "insecure-access-binding"
+ policy_kind = "ACCESS"
+
+ policy_binding_id = "pde-insecure-binding"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/smooth-verve-467716-v1"
+ }
+}
\ No newline at end of file
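Review bot: The fixtures for this check live under `inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/` while the policy sits at `policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/`; every other check in this series keeps the two trees parallel, so if the harness pairs inputs with policies by path these c.tf/nc.tf files are never evaluated and the rule ships untested. Move the directory up one level (drop the stray `location_validation/` segment) so it mirrors the policy path. Separately, nc.tf combines `policy_kind = "ACCESS"` with a principalAccessBoundaryPolicies policy path, which the API may well reject; that is acceptable for a static plan fixture but worth a one-line comment so nobody tries to apply it.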
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/.terraform.lock.hcl new file mode 100644 index 000000000..1f00f27db --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/.terraform.lock.hcl @@ -0,0 +1,21 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "7.30.0" + hashes = [ + "h1:3Qxi6Pj4WeqzgKsejGqwx0S3XxYDlC0ykBU6SQ6t25A=", + "zh:0cda2cc03f7bf000d9bc66bc0fab621de4c104b329cab348e0ceb6146ab27251", + "zh:2c75a1ea53b21646681e49fbdf0a599817c2f400f1e73d7779f0e3e1d230e6f3", + "zh:34ab9dab67230adaee6a9cd6861cba969555777ca6eb0ae1d2ac7b1f3cb73832", + "zh:45d5d7ee38fb7bf58dd19b774dd637f3cb9caef1d1930dde594467dde7fdea50", + "zh:651ffd36697d8268471d50d0fae664549b7f1e627c03d6e90f80172947f7b1d4", + "zh:8557db0beb201ba8ba70a7a38ba8d1ce9ffb9e98c616b89f6e3c2203e0528803", + "zh:b6a2e53809e0827cb7c47b1279c3511223898f7e3c1536f74ba057d99c72c2e9", + "zh:bf4aea9d1eb663df9d458c974d2e3f9ca7f724280a103706d0a2b1597593c7af", + "zh:c5f0160e0658d75b4a339b18f7a544e721f3750e26b97fc4887e98b8e085ffff", + "zh:e41a215491c64b535eda5585139dab0a32836e631b470cc520ceef4aa9ce7748", + "zh:e490061ab15c6053c651a7996a9c77cacdb83528ed49d0460c9621e93ad7d0cf", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf new file mode 100644 index 000000000..075f5f52e --- /dev/null +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf 
@@ -0,0 +1,13 @@
+resource "google_iam_projects_policy_binding" "c" {
+ project = "smooth-verve-467716-v1"
+ location = "global"
+ display_name = "approved-project-binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "pde-approved-binding"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/approved-project-1"
+ }
+}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/config.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/config.tf
new file mode 100644
index 000000000..9f4356520
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/config.tf
@@ -0,0 +1,11 @@
+##### DO NOT EDIT ######
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ }
+}
+
+provider "google" {}
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf
new file mode 100644
index 000000000..d3a86f758
--- /dev/null
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf
@@ -0,0 +1,13 @@
+resource "google_iam_projects_policy_binding" "nc" {
+ project = "smooth-verve-467716-v1"
+ location = "global"
+ display_name = "unapproved-project-binding"
+ policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
+ policy_binding_id = "pde-unapproved-binding"
+
+ policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+
+ target {
+ principal_set = "//cloudresourcemanager.googleapis.com/projects/random-external-project"
+ }
+}
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/policy.rego
new file mode 100644
index 000000000..d038ea6bf
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/policy.rego
@@ -0,0 +1,32 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.oauth_scope_whitelist
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "OAuth client must only request approved least-privilege scopes to prevent over-permissioned identity access",
+ "remedies": [
+ "Remove cloud-platform scope if not strictly required",
+ "Prefer openid, email, or groups scopes",
+ "Follow least privilege OAuth design"
+ ]
+ },
+ {
+ "condition": "Whitelist approved OAuth scopes",
+ "attribute_path": ["allowed_scopes"],
+ "values": [
+ "openid",
+ "email",
+ "groups"
+ ],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/policy.rego
deleted file mode 100644
index a3edb5924..000000000
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/resource_limit/policy.rego
+++ /dev/null
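Review bot: For the nc fixture (which lists `openid` next to cloud-platform) to be reported, the whitelist on the list-valued `allowed_scopes` must require every element to be approved rather than any one of them; that semantics lives in helpers.get_multi_summary and is not visible in this diff, so state it above the condition, e.g. `# whitelist on a list attribute: every element must be approved (the nc fixture relies on this)`. This rule also overlaps with scope_restriction from PATCH 74 on the same attribute, so a client carrying cloud-platform will be reported twice; retire the denylist or document why both are kept. `groups` is allowed while `profile` is not — if that is deliberate, say so in situation_description so it is not "fixed" later.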
@@ -1,28 +0,0 @@ -package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.resource_limit - -import data.terraform.helpers -import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars - -conditions := [ - [ - { - "situation_description": "Principal Access Boundary must not include too many resources per rule", - "remedies": [ - "Limit resources per rule to reduce attack surface", - "Split large policies into smaller scoped boundaries", - "Ensure least privilege access by minimizing resource scope" - ] - }, - { - "condition": "Restrict maximum number of resources in access boundary rule", - "attribute_path": ["details", 0, "rules", 0, "resources"], - "values": [0, 5], - "policy_type": "range" - } - ] -] - -result := helpers.get_multi_summary(conditions, vars.variables) - -message := result.message -details := result.details \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/policy.rego new file mode 100644 index 000000000..d2344c038 --- /dev/null +++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/policy.rego 
@@ -0,0 +1,28 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.policy_kind_restriction
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Policy binding must enforce only Principal Access Boundary to prevent privilege escalation via access policies",
+ "remedies": [
+ "Set policy_kind strictly to PRINCIPAL_ACCESS_BOUNDARY",
+ "Avoid using ACCESS or unspecified policy kinds",
+ "Standardize IAM boundary enforcement across all projects"
+ ]
+ },
+ {
+ "condition": "Enforce secure policy kind usage",
+ "attribute_path": ["policy_kind"],
+ "values": ["PRINCIPAL_ACCESS_BOUNDARY"],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+details := result.details
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/policy.rego
new file mode 100644
index 000000000..55937f163
--- /dev/null
+++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/policy.rego
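Review bot: `policy_kind` is optional on this resource (the docs later in this series list it as not required), and the remedies explicitly call out "unspecified policy kinds", yet a `whitelist` on `["policy_kind"]` can only compare a value that is present — unless `helpers.get_multi_summary` treats an absent attribute as a violation, which is not visible here, a binding that simply omits `policy_kind` will pass this check while binding whatever kind the provider defaults to. Either confirm the helper's behaviour on missing attributes and record it above the condition, e.g. `# get_multi_summary reports a missing policy_kind as non-compliant — exercised by nc.tf`, or add a second condition that requires the attribute to be set. The `nc.tf` input for this policy is not in this hunk, so I cannot tell whether the omitted-attribute case is covered.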
@@ -0,0 +1,31 @@
+package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.project_principal_whitelist
+
+import data.terraform.helpers
+import data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars
+
+conditions := [
+ [
+ {
+ "situation_description": "Project policy binding must only allow approved project-level principals to reduce unauthorized access exposure",
+ "remedies": [
+ "Restrict bindings to approved project IDs only",
+ "Remove wildcard or external project principals",
+ "Ensure only enterprise-managed projects are included"
+ ]
+ },
+ {
+ "condition": "Whitelist approved project principal sets",
+ "attribute_path": ["target", "principal_set"],
+ "values": [
+ "//cloudresourcemanager.googleapis.com/projects/approved-project-1",
+ "//cloudresourcemanager.googleapis.com/projects/approved-project-2"
+ ],
+ "policy_type": "whitelist"
+ }
+ ]
+]
+
+result := helpers.get_multi_summary(conditions, vars.variables)
+
+message := result.message
+details := result.details
\ No newline at end of file
From c9be9f97c1adff9de4a12caf9b22534e701a0700 Mon Sep 17 00:00:00 2001
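Review bot: The whitelist values `//cloudresourcemanager.googleapis.com/projects/approved-project-1` and `.../approved-project-2` read as placeholders rather than real project IDs, so as shipped this rule will report every genuine binding as non-compliant or force the policy file to be edited per environment; the approved set belongs in a data document or in `vars` so the rule stays stable, something like `"values": vars.approved_project_principal_sets` with the list maintained next to the other variables. Separately, `attribute_path` is `["target", "principal_set"]`, while the `resource_limit` policy deleted in this same commit indexed nested blocks with `0` (`["details", 0, "rules", 0, "resources"]`); `target` is a nested block, so whether the unindexed path resolves depends on how `vars.variables` flattens blocks, which is not visible here. Confirm against the `c.tf` input that the path actually matches a value rather than silently evaluating against a missing attribute — a whitelist that never finds its attribute can pass everything.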
From: 224774388deakin Date: Mon, 4 May 2026 02:03:21 +1000 Subject: [PATCH 76/91] fix folder policy --- .../policy_kind_restriction/.terraform.lock.hcl | 0 .../{location_validation => }/policy_kind_restriction/c.tf | 0 .../{location_validation => }/policy_kind_restriction/config.tf | 0 .../{location_validation => }/policy_kind_restriction/nc.tf | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/{location_validation => }/policy_kind_restriction/.terraform.lock.hcl (100%) rename inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/{location_validation => }/policy_kind_restriction/c.tf (100%) rename inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/{location_validation => }/policy_kind_restriction/config.tf (100%) rename inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/{location_validation => }/policy_kind_restriction/nc.tf (100%) diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/.terraform.lock.hcl b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/.terraform.lock.hcl similarity index 100% rename from inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/.terraform.lock.hcl rename to inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/.terraform.lock.hcl diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf similarity index 100% rename from inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/c.tf rename to inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/config.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/config.tf similarity index 100% rename from inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/config.tf rename to inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/config.tf diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf similarity index 100% rename from inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy_kind_restriction/nc.tf rename to inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf From 876ffa39ee3cf255d0c78785f2a52802a5c60bec Mon Sep 17 00:00:00 2001 
From: 224774388deakin Date: Mon, 4 May 2026 02:26:53 +1000 Subject: [PATCH 77/91] fix folder policy --- .../Cloud_IAM/iam_access_boundary_policy.md | 38 +++- docs/gcp/Cloud_IAM/iam_deny_policy.md | 40 +++- .../Cloud_IAM/iam_folders_policy_binding.md | 25 +-- docs/gcp/Cloud_IAM/iam_oauth_client.md | 20 +- .../Cloud_IAM/iam_oauth_client_credential.md | 12 +- .../iam_organizations_policy_binding.md | 30 ++- .../iam_principal_access_boundary_policy.md | 27 ++- .../Cloud_IAM/iam_projects_policy_binding.md | 27 +-- .../iam_access_boundary_policy.json | 179 +++++++++++------ .../resource_json/iam_deny_policy.json | 189 ++++++++++++------ .../iam_folders_policy_binding.json | 161 +++++---------- .../resource_json/iam_oauth_client.json | 94 ++++----- .../iam_oauth_client_credential.json | 24 +-- .../iam_organizations_policy_binding.json | 115 +++++++++-- .../iam_principal_access_boundary_policy.json | 105 ++++++++-- .../iam_projects_policy_binding.json | 154 +++++++------- 16 files changed, 757 insertions(+), 483 deletions(-) diff --git a/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md b/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md index 4250def1e..c5cb83659 100644 --- a/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md +++ b/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md 
@@ -10,11 +10,33 @@ Reference: [Terraform Registry – iam_access_boundary_policy](https://registry. | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `name` | The name of the policy. | true | false | We enforce a simple naming rule (pde-*) so all policies follow the same pattern and are easy to identify. | pde-access-boundary-prod | myPolicy123 | -| `parent` | The resource where this policy is attached. | true | false | Parent must always be a valid GCP project or organization path so the policy applies correctly. | cloudresourcemanager.googleapis.com/projects/123456789 | projects/test-project | -| `rules` | Rules that define what resources and permissions are allowed. | true | false | We use rules to enforce least privilege and limit access only to required resources. | None | None | -| `display_name` | A simple name shown in the console. | false | false | Used for readability and easier management. | Production Access Boundary Policy | test | -| `access_boundary_rule` | Defines which resources and permissions are allowed. | false | false | We use this to enforce least privilege access in GCP. | None | None | -| `available_resource` | The GCP resource that is allowed. | false | false | Avoids access to wrong or sensitive projects. | //cloudresourcemanager.googleapis.com/projects/123456789 | //cloudresourcemanager.googleapis.com/projects/random-project | -| `available_permissions` | Permissions allowed for the resource. | false | false | We only allow required permissions instead of full access. | ['resourcemanager.projects.get'] | ['*'] | -| `availability_condition` | Extra condition to control when access is allowed. | false | false | Used to restrict access under specific conditions only. 
| {'expression': "request.time < timestamp('2026-12-31T00:00:00Z')", 'title': 'Time limit', 'description': 'Access allowed only before expiry date', 'location': 'global'} | {'expression': 'true'} | +| `name` | The name of the policy. | true | false | None | None | None | +| `parent` | The attachment point is identified by its URL-encoded full resource name. | true | false | None | None | None | +| `rules` | Rules to be applied. Structure is [documented below](#nested_rules). | true | false | None | None | None | +| `display_name` | The display name of the rule. | false | false | None | None | None | +| `access_boundary_rule` | | false | false | None | None | None | +| `availability_condition` | | false | false | None | None | None | + +### rules Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `description` | The description of the rule. | false | false | None | None | None | +| `access_boundary_rule` | An access boundary rule in an IAM policy. Structure is [documented below](#nested_rules_rules_access_boundary_rule). | false | false | None | None | None | + +### access_boundary_rule Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `available_resource` | The full resource name of a Google Cloud resource entity. | false | false | None | None | None | +| `available_permissions` | A list of permissions that may be allowed for use on the specified resource. | false | false | None | None | None | +| `availability_condition` | The availability condition further constrains the access allowed by the access boundary rule. Structure is [documented below](#nested_rules_rules_access_boundary_rule_availability_condition). 
| false | false | None | None | None | + +### availability_condition Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `expression` | Textual representation of an expression in Common Expression Language syntax. | true | false | None | None | None | +| `title` | Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None | +| `description` | Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None | +| `location` | String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_deny_policy.md b/docs/gcp/Cloud_IAM/iam_deny_policy.md index 0a819320e..dcf2a50d9 100644 --- a/docs/gcp/Cloud_IAM/iam_deny_policy.md +++ b/docs/gcp/Cloud_IAM/iam_deny_policy.md 
@@ -10,11 +10,35 @@ Reference: [Terraform Registry – iam_deny_policy](https://registry.terraform.i | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `name` | The name of the policy. | true | false | We enforce a simple naming rule using prefix 'pde-' so all deny policies are consistent and easy to track. | pde-deny-policy-prod | denyPolicy123 | -| `parent` | The attachment point is identified by its URL-encoded full resource name. | true | false | Parent must always follow valid GCP resource format so the deny policy is applied to the correct scope. | cloudresourcemanager.googleapis.com/projects/123456789 | projects/test-project | -| `rules` | Rules to be applied. | true | false | Rules are used to enforce strict deny controls on sensitive resources. | None | None | -| `display_name` | The display name of the rule. | false | false | Used for readability and easier management of policies. | Production Deny Policy | test123 | -| `deny_rule` | | false | false | Used to enforce security restrictions and prevent unauthorized actions. | None | None | -| `denied_principals` | Users or identities that are blocked from access. | false | false | We block risky or unwanted identities using deny rules. | ['user:blocked-user@example.com'] | ['allUsers'] | -| `denied_permissions` | Permissions that are explicitly denied. | false | false | We deny high-risk permissions to enforce least privilege. | ['iam.googleapis.com/roles.list'] | ['*'] | -| `denial_condition` | Condition when the deny rule should apply. | false | false | Used to apply deny rules only in specific situations. | {'expression': "request.time < timestamp('2026-12-31T00:00:00Z')", 'title': 'Time restriction', 'description': 'Deny access after expiry date', 'location': 'global'} | {'expression': 'true'} | +| `name` | The name of the policy. 
| true | false | None | None | None | +| `parent` | The attachment point is identified by its URL-encoded full resource name. | true | false | None | None | None | +| `rules` | Rules to be applied. Structure is [documented below](#nested_rules). | true | false | None | None | None | +| `display_name` | The display name of the rule. | false | false | None | None | None | +| `deny_rule` | | false | false | None | None | None | +| `denial_condition` | | false | false | None | None | None | + +### rules Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `description` | The description of the rule. | false | false | None | None | None | +| `deny_rule` | A deny rule in an IAM deny policy. Structure is [documented below](#nested_rules_rules_deny_rule). | false | false | None | None | None | + +### deny_rule Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `denied_principals` | The identities that are prevented from using one or more permissions on Google Cloud resources. | false | false | None | None | None | +| `exception_principals` | The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group. | false | false | None | None | None | +| `denied_permissions` | The permissions that are explicitly denied by this rule. Each permission uses the format `{service-fqdn}/{resource}.{verb}`, where `{service-fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`. 
| false | false | None | None | None | +| `exception_permissions` | Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions. | false | false | None | None | None | +| `denial_condition` | User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is [documented below](#nested_rules_rules_deny_rule_denial_condition). | false | false | None | None | None | + +### denial_condition Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `expression` | Textual representation of an expression in Common Expression Language syntax. | true | false | None | None | None | +| `title` | Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None | +| `description` | Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None | +| `location` | String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md index e31fe9734..49b44bdfa 100644 --- a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md +++ b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md 
@@ -10,26 +10,15 @@ Reference: [Terraform Registry – iam_folders_policy_binding](https://registry. | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `folder` | The parent folder for the IAM policy binding. Must be a valid numeric GCP folder ID. | true | true | Ensures IAM policy is applied only at a valid folder scope. | 224774388 | my-folder | -| `location` | The location of the policy binding. Must always be global for folder IAM bindings. | true | true | IAM folder bindings are global to ensure consistent access control. | global | us-central1 | -| `policy_binding_id` | Unique identifier for the policy binding. | true | true | Ensures each binding is uniquely identifiable. | folder-binding-01 | Folder Binding 01 | -| `display_name` | Optional human-readable name for the policy binding (max 63 characters). | false | false | Used only for display purposes. | Folder IAM Binding | This name is way too long and not valid for IAM folder binding display name usage | -| `annotations` | Optional metadata used for tagging and classification. | false | false | Does not affect IAM security enforcement. | {'environment': 'dev', 'team': 'security'} | {'notes': 'this is an invalid overly long annotation example used for testing purposes and should not be used in production environments because it violates expected size constraints'} | -| `policy_kind` | Type of IAM policy being applied (e.g., ACCESS or PRINCIPAL_ACCESS_BOUNDARY). | false | true | Defines how IAM policy is enforced. | ACCESS | INVALID_TYPE | -| `target` | Full resource name of the target folder where the policy is applied. | true | true | Defines the exact scope of IAM enforcement. | //cloudresourcemanager.googleapis.com/folders/224774388 | //invalid/resource | -| `condition` | Optional CEL condition for conditional IAM access control. 
| false | true | Enables fine-grained access control rules. | {'expression': "resource.name.startsWith('folders/')", 'title': 'Folder access rule', 'description': 'Allows access only to folder resources'} | {'expression': 'true'} | +| `location` | The location of the PolicyBinding. | true | false | IAM folder policy bindings must be deployed only in a controlled location to ensure consistent enforcement. | global | us-central1 | +| `policy_kind` | The kind of the policy to attach in this binding. | false | false | Only Principal Access Boundary policies are allowed in folder-level bindings to enforce least privilege. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | +| `policy` | The resource name of the policy to be bound. | true | false | Binding must reference only approved Principal Access Boundary policies created by the organization security team. | ['organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1', 'organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-2'] | ['organizations/999999999/locations/global/principalAccessBoundaryPolicies/unapproved-policy'] | +| `target` | Target is the full resource name of the resource to which the policy will be bound. | true | false | Ensures policy bindings apply only to controlled folder-level resources. | //cloudresourcemanager.googleapis.com/folders/123456789 | //cloudresourcemanager.googleapis.com/folders/external-folder | +| `policy_binding_id` | The Policy Binding ID. | true | false | Each binding must have a unique controlled identifier. | pde-folder-binding-1 | test-binding | +| `display_name` | Optional description of the policy binding. | false | false | Standard naming improves traceability in enterprise IAM systems. 
| pde-secure-folder-binding | test | ### target Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `principal_set` | Principal set used for access boundary enforcement within the folder. | false | true | Restricts access to approved identities within folder boundary. | //cloudresourcemanager.googleapis.com/folders/224774388 | //cloudresourcemanager.googleapis.com/projects/123 | - -### condition Block - -| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | -|----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `expression` | CEL expression defining IAM condition logic. | false | true | Controls conditional access behavior. | resource.name.startsWith('folders/') | true | -| `title` | Short title for the condition. | false | false | For readability only. | Folder Condition | | -| `description` | Detailed explanation of the condition. | false | false | Documentation purpose only. | Restricts access to folder-level resources | | -| `location` | Debug location for condition evaluation. | false | false | Used for error tracing. | global | | +| `principal_set` | Full Resource Name of the principal set used for policy bindings. | false | false | Only folder-level principal sets should be allowed for IAM folder policy bindings. | //cloudresourcemanager.googleapis.com/folders/123456789 | //cloudresourcemanager.googleapis.com/folders/999999999 | diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client.md b/docs/gcp/Cloud_IAM/iam_oauth_client.md index 996c52354..d771448bf 100644 --- a/docs/gcp/Cloud_IAM/iam_oauth_client.md +++ b/docs/gcp/Cloud_IAM/iam_oauth_client.md 
@@ -10,13 +10,13 @@ Reference: [Terraform Registry – iam_oauth_client](https://registry.terraform. | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `location` | Location where the OAuth client is deployed. Must always be global. | true | true | Ensures OAuth configuration consistency across GCP IAM services. | global | us-central1 | -| `oauth_client_id` | Unique OAuth client ID. Must be 6–63 characters, lowercase letters, digits, or hyphens. Cannot start or end with hyphen and cannot use 'gcp-' prefix. | true | true | Prevents insecure or invalid OAuth client identifiers. | example-client-01 | gcp-client-01- | -| `client_type` | Type of OAuth client. Only PUBLIC_CLIENT or CONFIDENTIAL_CLIENT are allowed. | false | true | Restricts OAuth client types to approved security models. | CONFIDENTIAL_CLIENT | UNKNOWN_CLIENT | -| `allowed_scopes` | List of OAuth scopes allowed for authentication flows. | true | true | Restricting scopes reduces access exposure and privilege escalation risk. | ['openid', 'email'] | ['*'] | -| `allowed_grant_types` | OAuth grant types allowed for the client. | true | true | Controls authentication flow security. | ['AUTHORIZATION_CODE_GRANT'] | [] | -| `allowed_redirect_uris` | List of allowed redirect URIs after authentication. | true | true | Prevents redirect attacks and phishing risks. | ['https://example.com'] | ['http://evil.com'] | -| `disabled` | Indicates whether the OAuth client is disabled. | false | true | Disabled clients cannot be used for authentication. | False | True | -| `display_name` | Human-readable name for the OAuth client. | false | false | None | Valid OAuth Client | Invalid Client | -| `description` | Optional description of the OAuth client. | false | false | None | OAuth client for production app | | -| `project` | GCP project where the OAuth client is created. 
| false | true | Ensures correct project-level isolation. | smooth-verve-467716-v1 | | +| `allowed_scopes` | Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. | true | true | Restricting scopes enforces least privilege OAuth access and prevents over-permissioned identity delegation. | ['openid', 'email', 'groups'] | ['https://www.googleapis.com/auth/cloud-platform'] | +| `allowed_grant_types` | Required. The list of OAuth grant types is allowed for the OauthClient. | true | true | Ensures only approved OAuth flows are used to prevent insecure authentication mechanisms. | ['AUTHORIZATION_CODE_GRANT'] | ['IMPLICIT_GRANT'] | +| `allowed_redirect_uris` | Required. The list of redirect URIs allowed after OAuth authentication. | true | true | Prevents open redirect attacks and ensures tokens are only sent to trusted endpoints. | ['https://www.example.com/callback'] | ['http://evil.com'] | +| `location` | Resource ID segment making up resource name. | true | true | OAuth clients must be deployed in global scope to ensure consistent IAM enforcement. | global | us-central1 | +| `oauth_client_id` | Required. The ID used for the OauthClient resource. | true | true | Ensures predictable naming and avoids reserved prefix misuse. | example-client-01 | gcp-client-01 | +| `disabled` | Whether the OauthClient is disabled. | false | true | Disabled clients cannot be used, reducing attack surface when not in use. | False | True | +| `display_name` | Human-readable name of the OAuth client. | false | false | Used only for identification purposes. | Enterprise OAuth Client | Very Long Invalid Name That Exceeds Limits | +| `description` | Description of the OAuth client. | false | false | Provides documentation for audit and governance. | OAuth client for enterprise login | test | +| `client_type` | Type of OAuth client. | false | true | Restricts OAuth clients to approved secure types only. 
| ['PUBLIC_CLIENT', 'CONFIDENTIAL_CLIENT'] | ['INTERNAL_CLIENT'] | +| `project` | Project where the resource is created. | false | true | Ensures correct project-level IAM isolation. | smooth-verve-467716-v1 | | diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md index a14251e0c..2d5256215 100644 --- a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md +++ b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md 
@@ -10,9 +10,9 @@ Reference: [Terraform Registry – iam_oauth_client_credential](https://registry | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `location` | Location where the OAuth client credential is created. Must always be global. | true | true | Restricting location to global ensures consistent IAM control and avoids regional misconfiguration. | global | us-central1 | -| `oauthclient` | Parent OAuth client identifier used to associate the credential. | true | true | Invalid client associations can lead to unauthorized credential binding. | example-client-id | invalid-client | -| `oauth_client_credential_id` | Unique credential ID. Must follow 4–32 chars, lowercase letters, numbers, and hyphens. Cannot start with 'gcp-'. | true | true | Strict naming prevents insecure or reserved prefix usage. | cred-01a | gcp-cred-01a | -| `disabled` | Indicates whether the credential is disabled. | false | true | Disabled credentials cannot be used for authentication. | False | True | -| `display_name` | Human-readable name for the credential. | false | false | None | Valid Credential | Invalid Credential | -| `project` | GCP project where the resource is created. If not set, provider project is used. | false | true | Ensures correct project scoping for IAM isolation. | smooth-verve-467716-v1 | | +| `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | Restricting location to global ensures consistent IAM control and avoids regional misconfiguration. | global | us-central1 | +| `oauthclient` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. 
| true | true | Ensures OAuth credential is correctly linked to a valid parent OAuth client to prevent unauthorized binding. | example-client-id | invalid-client | +| `oauth_client_credential_id` | Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | true | Prevents use of reserved prefixes and ensures predictable, secure naming conventions. | cred-01a | gcp-cred-01a | +| `disabled` | Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. | false | true | Disabled credentials reduce risk of unauthorized authentication usage. | False | True | +| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | Used for readability and operational clarity only. | Valid Credential | Invalid Credential With Very Long Name Exceeding Limit | +| `project` | If it is not provided, the provider project is used. | false | true | Ensures correct project scoping for IAM isolation and prevents cross-project credential leakage. | smooth-verve-467716-v1 | | diff --git a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md index 6a3b37d5a..f45a57e49 100644 --- a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md +++ b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md 
@@ -10,9 +10,27 @@ Reference: [Terraform Registry – iam_organizations_policy_binding](https://reg
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `organization` | Numeric organization ID for binding. | true | true | Ensures policy is attached to correct organization boundary. | 123456789 | org-name |
-| `location` | Must always be global. | true | true | IAM bindings must be globally consistent. | global | us-central1 |
-| `policy_binding_id` | Unique identifier for policy binding. | true | true | Ensures unique tracking of bindings. | binding-001 | binding#1 |
-| `display_name` | Human readable name for policy binding. | false | false | No security impact. | Org Binding | |
-| `annotations` | User-defined metadata annotations. | false | false | Used for tagging only. | {} | {} |
-| `policy_kind` | Type of policy: PRINCIPAL_ACCESS_BOUNDARY or ACCESS. | false | true | Controls IAM enforcement behavior. | ACCESS | UNKNOWN |
+| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. | true | true | Defines the exact principal scope for IAM binding enforcement, preventing unauthorized identity expansion. | //cloudresourcemanager.googleapis.com/organizations/123456789 | //cloudresourcemanager.googleapis.com/projects/untrusted-project |
+| `policy` | Required. Immutable. The resource name of the policy to be bound. | true | true | Ensures binding only approved Principal Access Boundary policies within the organization. | organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1 | organizations/123456789/locations/global/principalAccessBoundaryPolicies/unknown-policy |
+| `organization` | Parent organization of the Policy Binding. | true | true | Ensures IAM governance is enforced at the correct organizational boundary. | 123456789 | 999999999 |
+| `location` | The location of the Policy Binding | true | true | Enforces centralized IAM policy binding control. | global | us-central1 |
+| `policy_binding_id` | The Policy Binding ID. | true | true | Ensures unique identification of IAM policy bindings. | org-binding-001 | invalid binding id!! |
+| `display_name` | Optional description of the policy binding. | false | false | Improves readability and auditability. | Org Access Boundary Binding | x |
+| `annotations` | User-defined annotations for metadata tagging. | false | false | Used for governance and tracking only. | {'env': 'prod'} | {'env': 'test'} |
+| `policy_kind` | Type of policy attached in this binding. | false | true | Restricts IAM binding to secure boundary enforcement policies. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS |
+| `condition` | CEL condition for fine-grained policy enforcement. | false | true | Allows conditional IAM enforcement based on attributes. | | |
+
+### target Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `principal_set` | Full Resource Name of the principal set used for principal access boundary policy bindings. | false | true | Ensures only approved identity domains (org/workforce/workspace) are used. | //cloudresourcemanager.googleapis.com/organizations/123456789 | //cloudresourcemanager.googleapis.com/organizations/000000000 |
+
+### condition Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `expression` | CEL expression controlling IAM access. | false | false | | request.time < timestamp('2026-12-31T00:00:00Z') | true |
+| `title` | Short title of the condition. | false | false | | Time Restricted Access | |
+| `description` | Description of the condition logic. | false | false | | Restricts access based on time window | |
+| `location` | Error reporting location metadata. | false | false | | global | unknown |
diff --git a/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
index 3438032f0..8b2198034 100644
--- a/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
+++ b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
@@ -10,8 +10,25 @@ Reference: [Terraform Registry – iam_principal_access_boundary_policy](https:/
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `organization` | Numeric organization ID. | true | true | Defines IAM boundary scope at organization level. | 123456789 | org-name |
-| `location` | Must always be global. | true | true | Ensures centralized IAM enforcement. | global | us-central1 |
-| `principal_access_boundary_policy_id` | Policy ID (2–62 chars, lowercase, numbers, hyphen, dot allowed). | true | true | Ensures valid IAM naming standard. | pab-policy-01 | INVALID_ID |
-| `display_name` | Display name of policy. | false | false | No security impact. | PAB Policy | |
-| `annotations` | Metadata tags for policy. | false | false | Only metadata. | {} | {} |
+| `organization` | The parent organization of the principal access boundary policy. | true | true | Restricting policies to approved organizations ensures IAM governance boundaries and prevents cross-tenant privilege escalation. | PDE1, PDE2, PDE3 | random-org-123 |
+| `location` | The location the principal access boundary policy is in. | true | true | Enforcing global location ensures consistent IAM policy enforcement and avoids regional misconfiguration risks. | global | us-central1 |
+| `principal_access_boundary_policy_id` | The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. | true | false | Ensures consistent naming conventions for policy identification and avoids invalid resource creation. | pab-policy-01 | PAB_POLICY_01 |
+| `display_name` | The description of the principal access boundary policy. Must be less than or equal to 63 characters. | false | false | None | Standard Access Boundary Policy | Very long or unclear name exceeding limits |
+| `annotations` | User defined annotations for metadata tagging and governance tracking. | false | false | Used for auditability and classification of IAM policies. | env=prod, owner=security-team | free-form or unstructured metadata |
+| `details` | Principal access boundary policy details. | false | true | Defines enforcement rules that restrict principal access to approved resources. | | |
+| `rules` | Policy rules defining access boundaries for principals. | true | true | Rules define the actual enforcement of access boundaries across resources. | | |
+
+### details Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `rules` | A list of principal access boundary policy rules. | true | true | Rules define which resources principals can access under the boundary policy. | ALLOW only approved organizations/projects/folders | ALLOW all or overly broad resources |
+| `enforcement_version` | Version of enforcement for Google Cloud services included in policy. | false | false | Ensures controlled rollout of enforcement changes across services. | latest or pinned version | empty or unmanaged versioning |
+
+### rules Block
+
+| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
+|----------|-------------|----------|-----------------|-----------|-----------|---------------|
+| `description` | The description of the principal access boundary policy rule. | false | false | None | Allow access to approved project set only | Unrestricted or vague rule description |
+| `resources` | Cloud Resource Manager resources included in this rule. | true | true | Restricts access to approved organizations, folders, or projects only. | ['//cloudresourcemanager.googleapis.com/organizations/123', '//cloudresourcemanager.googleapis.com/folders/123', '//cloudresourcemanager.googleapis.com/projects/approved-project'] | ['//cloudresourcemanager.googleapis.com/projects/*'] |
+| `effect` | The access relationship of principals to resources. | true | true | Defines whether access is allowed under the boundary policy. | ALLOW | DENY or undefined behavior |
diff --git a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
index 64a7d901a..feca64061 100644
--- a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
+++ b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
@@ -10,26 +10,27 @@ Reference: [Terraform Registry – iam_projects_policy_binding](https://registry
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `project` | GCP project ID where the policy binding is applied. Must follow valid project naming rules (lowercase letters, numbers, and hyphens). | false | true | Ensures IAM policy is attached to a valid and controlled project scope. | my-project-123 | Invalid_Project |
-| `location` | Location of the policy binding. Must always be global for IAM project policy bindings. | true | true | IAM bindings must be globally consistent for proper access control enforcement. | global | us-central1 |
-| `policy_binding_id` | Unique identifier for the policy binding within the project. | true | true | Ensures each IAM binding can be uniquely tracked and managed. | project-binding-01 | Project Binding #1 |
-| `display_name` | Optional human-readable name for the policy binding (maximum 63 characters). | false | false | Used only for identification and has no security impact. | Project IAM Binding | This is an extremely long invalid display name that exceeds allowed character limits for IAM resources |
-| `annotations` | Optional metadata used to tag and classify the policy binding. | false | false | Annotations are informational only and do not affect IAM enforcement. | {'environment': 'prod', 'team': 'security'} | {'note': 'This annotation contains excessive invalid metadata that should not be used in production IAM configurations because it violates expected structure and readability standards'} |
-| `policy_kind` | Type of policy being applied. Possible values include ACCESS or PRINCIPAL_ACCESS_BOUNDARY. | false | true | Determines IAM enforcement behavior and access model. | ACCESS | UNKNOWN_TYPE |
-| `target` | Full resource name of the target project where the policy binding is applied. | true | true | Defines exact IAM enforcement scope at project level. | //cloudresourcemanager.googleapis.com/projects/my-project-123 | //invalid/resource/name |
-| `condition` | Optional IAM condition using Common Expression Language (CEL) for conditional access control. | false | true | Allows fine-grained access control based on logical conditions. | {'expression': "resource.name.startsWith('projects/')", 'title': 'Project access rule', 'description': 'Allows access only to project resources'} | {'expression': 'true'} |
+| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. | true | true | Restricts policy binding scope to approved project principals only, preventing unauthorized identity binding. | ['//cloudresourcemanager.googleapis.com/projects/approved-project-1', '//cloudresourcemanager.googleapis.com/projects/approved-project-2'] | ['//cloudresourcemanager.googleapis.com/projects/*', '//cloudresourcemanager.googleapis.com/projects/external-project'] |
+| `policy` | The resource name of the policy to be bound. | true | true | Ensures only approved IAM boundary policies are attached to projects. | organizations/123456789/locations/global/principalAccessBoundaryPolicies/approved-policy | organizations/123456789/locations/global/principalAccessBoundaryPolicies/unapproved-policy |
+| `location` | The location of the Policy Binding. | true | true | Enforcing global location ensures consistent IAM policy application across projects and prevents regional drift. | global | us-central1 |
+| `policy_binding_id` | The Policy Binding ID. | true | false | Ensures consistent naming and traceability of policy bindings. | project-binding-01 | INVALID_BINDING |
+| `display_name` | Optional description of the policy binding. | false | false | Used for human-readable identification only. | Project IAM Binding Policy | Very long or unclear name exceeding limits |
+| `annotations` | User-defined metadata annotations. | false | false | Used for tagging, auditing, and governance tracking. | env=prod, team=security | random unstructured metadata |
+| `policy_kind` | The kind of policy to attach in this binding. | false | true | Ensures only Principal Access Boundary policies are enforced for security isolation. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS, POLICY_KIND_UNSPECIFIED |
+| `condition` | CEL expression controlling conditional policy binding. | false | true | Allows fine-grained IAM control based on runtime conditions. | document.type != 'internal' | true (unrestricted access) |
+| `project` | The project where the policy binding is applied. | false | true | Ensures correct project-level IAM isolation and prevents cross-project misconfiguration. | approved-project-id | external-project-id |
 ### target Block
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `principal_set` | Principal set defining which identities are allowed within the project scope. | false | true | Restricts access to approved identities within project boundary. | //cloudresourcemanager.googleapis.com/projects/123456789 | //cloudresourcemanager.googleapis.com/folders/123 |
+| `principal_set` | Full resource name of the principal set used for IAM policy binding. | false | true | Ensures only approved project-level principals can be assigned IAM boundaries. | ['//cloudresourcemanager.googleapis.com/projects/approved-project-1', '//cloudresourcemanager.googleapis.com/projects/approved-project-2'] | ['//cloudresourcemanager.googleapis.com/projects/*', '//cloudresourcemanager.googleapis.com/projects/external-*'] |
 ### condition Block
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `expression` | CEL expression used to define IAM conditional logic. | false | true | Controls when IAM policy is applied. | resource.name.startsWith('projects/') | true |
-| `title` | Short title describing the IAM condition. | false | false | Used for readability only. | Project Condition | |
-| `description` | Detailed explanation of the IAM condition. | false | false | Documentation purpose only. | Restricts access to project-level resources only | |
-| `location` | Debugging reference for IAM condition evaluation. | false | false | Used for error tracing and debugging. | global | |
+| `expression` | CEL expression for conditional logic. | false | true | Controls conditional IAM enforcement. | | |
+| `title` | Title of the condition. | false | false | | | |
+| `description` | Description of the condition. | false | false | | | |
+| `location` | Location of expression for debugging. | false | false | | | |
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json
index 9e3fa084b..f5e78fb01 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json
@@ -5,88 +5,143 @@ "name": { "description": "The name of the policy.", "required": true, - "security_impact": "If naming is not consistent, it becomes hard to manage or track policies in GCP.", - "rationale": "We enforce a simple naming rule (pde-*) so all policies follow the same pattern and are easy to identify.", - "compliant": "pde-access-boundary-prod", - "non-compliant": "myPolicy123", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, - "parent": { - "description": "The resource where this policy is attached.", + "description": "The attachment point is identified by its URL-encoded full resource name.", "required": true, - "security_impact": "If parent is wrong, policy may be applied to the wrong project or not applied at all.", - "rationale": "Parent must always be a valid GCP project or organization path so the policy applies correctly.", - "compliant": "cloudresourcemanager.googleapis.com/projects/123456789", - "non-compliant": "projects/test-project", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, - "rules": { - "description": "Rules that define what resources and permissions are allowed.", + "description": "Rules to be applied. Structure is [documented below](#nested_rules).", "required": true, - "security_impact": "Rules control access. Wrong rules can give too much access or block needed access.", - "rationale": "We use rules to enforce least privilege and limit access only to required resources.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, - "parent": null + "parent": null, + "arguments": { + "description": { + "description": "The description of the rule.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "rules" + }, + "access_boundary_rule": { + "description": "An access boundary rule in an IAM policy. 
Structure is [documented below](#nested_rules_rules_access_boundary_rule).", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "rules" + } + } }, - "display_name": { - "description": "A simple name shown in the console.", + "description": "The display name of the rule.", "required": false, - "security_impact": "Helps identify policies easily in UI.", - "rationale": "Used for readability and easier management.", - "compliant": "Production Access Boundary Policy", - "non-compliant": "test", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, - "access_boundary_rule": { - "description": "Defines which resources and permissions are allowed.", - "required": false, - "security_impact": "Prevents users from accessing unauthorized resources.", - "rationale": "We use this to enforce least privilege access in GCP.", + "description": "", + "required": null, + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, - "parent": null - }, - - "available_resource": { - "description": "The GCP resource that is allowed.", - "required": false, - "security_impact": "Restricts access to only approved projects or resources.", - "rationale": "Avoids access to wrong or sensitive projects.", - "compliant": "//cloudresourcemanager.googleapis.com/projects/123456789", - "non-compliant": "//cloudresourcemanager.googleapis.com/projects/random-project", - "parent": "access_boundary_rule" - }, - - "available_permissions": { - "description": "Permissions allowed for the resource.", - "required": false, - "security_impact": "Prevents giving full admin access accidentally.", - "rationale": "We only allow required permissions instead of full access.", - "compliant": ["resourcemanager.projects.get"], - "non-compliant": ["*"], - "parent": "access_boundary_rule" + "parent": null, + "arguments": { + "available_resource": { + 
"description": "The full resource name of a Google Cloud resource entity.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "access_boundary_rule" + }, + "available_permissions": { + "description": "A list of permissions that may be allowed for use on the specified resource.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "access_boundary_rule" + }, + "availability_condition": { + "description": "The availability condition further constrains the access allowed by the access boundary rule. Structure is [documented below](#nested_rules_rules_access_boundary_rule_availability_condition).", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "access_boundary_rule" + } + } }, - "availability_condition": { - "description": "Extra condition to control when access is allowed.", - "required": false, - "security_impact": "Adds extra safety like time-based or condition-based access control.", - "rationale": "Used to restrict access under specific conditions only.", - "compliant": { - "expression": "request.time < timestamp('2026-12-31T00:00:00Z')", - "title": "Time limit", - "description": "Access allowed only before expiry date", - "location": "global" - }, - "non-compliant": { - "expression": "true" - }, - "parent": "access_boundary_rule" + "description": "", + "required": null, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": null, + "arguments": { + "expression": { + "description": "Textual representation of an expression in Common Expression Language syntax.", + "required": true, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "availability_condition" + }, + "title": { + "description": "Title for the expression, i.e. 
a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "availability_condition" + }, + "description": { + "description": "Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "availability_condition" + }, + "location": { + "description": "String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "availability_condition" + } + } } } } \ No newline at end of file diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json index 621d7ed27..656e17ee7 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json 
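Review bot: Every `security_impact`, `rationale`, `compliant` and `non-compliant` value in this hunk becomes `null`, so the file stops recording the guidance the previous version carried — the `["*"]` non-compliant example for `available_permissions` and the `"expression": "true"` availability-condition example are gone — and the iam_deny_policy.json hunk does the same, dropping among others the `["allUsers"]` non-compliant example for `denied_principals`. If this is a deliberate reset before the fields are re-populated, the commit message should say so, because a consumer of these files cannot distinguish "not yet assessed" from "no security impact" once both are `null`. The `security_impact` field also appears to change type across the commit: `null` here, while the iam_folders_policy_binding.json hunk (which runs past this chunk) seems to replace boolean values with free-text strings, so anything reading it as a flag would misclassify entries. I would pin one type for `security_impact` and carry the removed compliant/non-compliant examples forward rather than nulling them.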
@@ -5,88 +5,161 @@ "name": { "description": "The name of the policy.", "required": true, - "security_impact": "If naming is not controlled, deny policies become hard to identify and manage, which can cause security confusion.", - "rationale": "We enforce a simple naming rule using prefix 'pde-' so all deny policies are consistent and easy to track.", - "compliant": "pde-deny-policy-prod", - "non-compliant": "denyPolicy123", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, - "parent": { "description": "The attachment point is identified by its URL-encoded full resource name.", "required": true, - "security_impact": "If parent is wrong, deny policy may be applied to the wrong project or not applied at all, which is a major security risk.", - "rationale": "Parent must always follow valid GCP resource format so the deny policy is applied to the correct scope.", - "compliant": "cloudresourcemanager.googleapis.com/projects/123456789", - "non-compliant": "projects/test-project", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, - "rules": { - "description": "Rules to be applied.", + "description": "Rules to be applied. Structure is [documented below](#nested_rules).", "required": true, - "security_impact": "Rules define what access is denied. Incorrect rules can either block valid users or allow unauthorized access.", - "rationale": "Rules are used to enforce strict deny controls on sensitive resources.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, - "parent": null + "parent": null, + "arguments": { + "description": { + "description": "The description of the rule.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "rules" + }, + "deny_rule": { + "description": "A deny rule in an IAM deny policy. 
Structure is [documented below](#nested_rules_rules_deny_rule).", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "rules" + } + } }, - "display_name": { "description": "The display name of the rule.", "required": false, - "security_impact": "Helps identify the deny policy in console and audit logs.", - "rationale": "Used for readability and easier management of policies.", - "compliant": "Production Deny Policy", - "non-compliant": "test123", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, - "deny_rule": { "description": "", "required": null, - "security_impact": "Controls which users and permissions are explicitly blocked from accessing resources.", - "rationale": "Used to enforce security restrictions and prevent unauthorized actions.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, - "parent": null + "parent": null, + "arguments": { + "denied_principals": { + "description": "The identities that are prevented from using one or more permissions on Google Cloud resources.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "deny_rule" + }, + "exception_principals": { + "description": "The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "deny_rule" + }, + "denied_permissions": { + "description": "The permissions that are explicitly denied by this rule. Each permission uses the format `{service-fqdn}/{resource}.{verb}`, where `{service-fqdn}` is the fully qualified domain name for the service. 
For example, `iam.googleapis.com/roles.list`.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "deny_rule" + }, + "exception_permissions": { + "description": "Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "deny_rule" + }, + "denial_condition": { + "description": "User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is [documented below](#nested_rules_rules_deny_rule_denial_condition).", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "deny_rule" + } + } }, - - "denied_principals": { - "description": "Users or identities that are blocked from access.", - "required": false, - "security_impact": "Prevents unauthorized users from accessing sensitive resources.", - "rationale": "We block risky or unwanted identities using deny rules.", - "compliant": ["user:blocked-user@example.com"], - "non-compliant": ["allUsers"], - "parent": "deny_rule" - }, - - "denied_permissions": { - "description": "Permissions that are explicitly denied.", - "required": false, - "security_impact": "Prevents execution of sensitive or admin-level operations.", - "rationale": "We deny high-risk permissions to enforce least privilege.", - "compliant": ["iam.googleapis.com/roles.list"], - "non-compliant": ["*"], - "parent": "deny_rule" - }, - "denial_condition": { - "description": "Condition when the deny rule should apply.", - "required": false, - 
"security_impact": "Adds conditional security checks (like time, IP, or context-based restrictions).", - "rationale": "Used to apply deny rules only in specific situations.", - "compliant": { - "expression": "request.time < timestamp('2026-12-31T00:00:00Z')", - "title": "Time restriction", - "description": "Deny access after expiry date", - "location": "global" - }, - "non-compliant": { - "expression": "true" - }, - "parent": "deny_rule" + "description": "", + "required": null, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": null, + "arguments": { + "expression": { + "description": "Textual representation of an expression in Common Expression Language syntax.", + "required": true, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "denial_condition" + }, + "title": { + "description": "Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "denial_condition" + }, + "description": { + "description": "Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "denial_condition" + }, + "location": { + "description": "String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.", + "required": false, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, + "parent": "denial_condition" + } + } } } } \ No newline at end of file 
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json index a551fe373..480e43f6b 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json 
@@ -1,147 +1,82 @@
  {
  "resource_name": "iam_folders_policy_binding",
  "subcategory": "Cloud IAM",
- "arguments": {
- "folder": {
- "description": "The parent folder for the IAM policy binding. Must be a valid numeric GCP folder ID.",
- "required": true,
- "security_impact": true,
- "rationale": "Ensures IAM policy is applied only at a valid folder scope.",
- "compliant": "224774388",
- "non-compliant": "my-folder",
- "parent": null
- },
+ "arguments": {
  "location": {
- "description": "The location of the policy binding. Must always be global for folder IAM bindings.",
+ "description": "The location of the PolicyBinding.",
  "required": true,
- "security_impact": true,
- "rationale": "IAM folder bindings are global to ensure consistent access control.",
+ "security_impact": "Restricting location prevents cross-region policy sprawl and enforces governance boundaries.",
+ "rationale": "IAM folder policy bindings must be deployed only in a controlled location to ensure consistent enforcement.",
  "compliant": "global",
  "non-compliant": "us-central1",
  "parent": null
  },
- "policy_binding_id": {
- "description": "Unique identifier for the policy binding.",
- "required": true,
- "security_impact": true,
- "rationale": "Ensures each binding is uniquely identifiable.",
- "compliant": "folder-binding-01",
- "non-compliant": "Folder Binding 01",
- "parent": null
- },
-
- "display_name": {
- "description": "Optional human-readable name for the policy binding (max 63 characters).",
- "required": false,
- "security_impact": false,
- "rationale": "Used only for display purposes.",
- "compliant": "Folder IAM Binding",
- "non-compliant": "This name is way too long and not valid for IAM folder binding display name usage",
- "parent": null
- },
-
- "annotations": {
- "description": "Optional metadata used for tagging and classification.",
+ "policy_kind": {
+ "description": "The kind of the policy to attach in this binding.",
  "required": false,
- "security_impact": false,
- "rationale": "Does not affect IAM security enforcement.",
- "compliant": {
- "environment": "dev",
- "team": "security"
- },
- "non-compliant": {
- "notes": "this is an invalid overly long annotation example used for testing purposes and should not be used in production environments because it violates expected size constraints"
- },
+ "security_impact": "Restricting policy kind prevents misuse of non-boundary IAM policies and reduces privilege escalation risk.",
+ "rationale": "Only Principal Access Boundary policies are allowed in folder-level bindings to enforce least privilege.",
+ "compliant": "PRINCIPAL_ACCESS_BOUNDARY",
+ "non-compliant": "ACCESS",
  "parent": null
  },
- "policy_kind": {
- "description": "Type of IAM policy being applied (e.g., ACCESS or PRINCIPAL_ACCESS_BOUNDARY).",
- "required": false,
- "security_impact": true,
- "rationale": "Defines how IAM policy is enforced.",
- "compliant": "ACCESS",
- "non-compliant": "INVALID_TYPE",
+ "policy": {
+ "description": "The resource name of the policy to be bound.",
+ "required": true,
+ "security_impact": "Ensures only approved enterprise IAM boundary policies are enforced at folder level.",
+ "rationale": "Binding must reference only approved Principal Access Boundary policies created by the organization security team.",
+ "compliant": [
+ "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1",
+ "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-2"
+ ],
+ "non-compliant": [
+ "organizations/999999999/locations/global/principalAccessBoundaryPolicies/unapproved-policy"
+ ],
  "parent": null
  },
  "target": {
- "description": "Full resource name of the target folder where the policy is applied.",
+ "description": "Target is the full resource name of the resource to which the policy will be bound.",
  "required": true,
- "security_impact": true,
- "rationale": "Defines the exact scope of IAM enforcement.",
- "compliant": "//cloudresourcemanager.googleapis.com/folders/224774388",
- "non-compliant": "//invalid/resource",
+ "security_impact": "Restricts IAM enforcement scope to approved folder-level principals only.",
+ "rationale": "Ensures policy bindings apply only to controlled folder-level resources.",
+ "compliant": "//cloudresourcemanager.googleapis.com/folders/123456789",
+ "non-compliant": "//cloudresourcemanager.googleapis.com/folders/external-folder",
  "parent": null,
  "arguments": {
  "principal_set": {
- "description": "Principal set used for access boundary enforcement within the folder.",
+ "description": "Full Resource Name of the principal set used for policy bindings.",
  "required": false,
- "security_impact": true,
- "rationale": "Restricts access to approved identities within folder boundary.",
- "compliant": "//cloudresourcemanager.googleapis.com/folders/224774388",
- "non-compliant": "//cloudresourcemanager.googleapis.com/projects/123",
+ "security_impact": "Prevents unauthorized principal escalation by restricting access scope.",
+ "rationale": "Only folder-level principal sets should be allowed for IAM folder policy bindings.",
+ "compliant": "//cloudresourcemanager.googleapis.com/folders/123456789",
+ "non-compliant": "//cloudresourcemanager.googleapis.com/folders/999999999",
  "parent": "target"
  }
  }
  },
- "condition": {
- "description": "Optional CEL condition for conditional IAM access control.",
- "required": false,
- "security_impact": true,
- "rationale": "Enables fine-grained access control rules.",
- "compliant": {
- "expression": "resource.name.startsWith('folders/')",
- "title": "Folder access rule",
- "description": "Allows access only to folder resources"
- },
- "non-compliant": {
- "expression": "true"
- },
- "parent": null,
+ "policy_binding_id": {
+ "description": "The Policy Binding ID.",
+ "required": true,
+ "security_impact": "Ensures traceability and prevents duplicate or rogue bindings.",
+ "rationale": "Each binding must have a unique controlled identifier.",
+ "compliant": "pde-folder-binding-1",
+ "non-compliant": "test-binding",
+ "parent": null
+ },
- "arguments": {
- "expression": {
- "description": "CEL expression defining IAM condition logic.",
- "required": false,
- "security_impact": true,
- "rationale": "Controls conditional access behavior.",
- "compliant": "resource.name.startsWith('folders/')",
- "non-compliant": "true",
- "parent": "condition"
- },
- "title": {
- "description": "Short title for the condition.",
- "required": false,
- "security_impact": false,
- "rationale": "For readability only.",
- "compliant": "Folder Condition",
- "non-compliant": "",
- "parent": "condition"
- },
- "description": {
- "description": "Detailed explanation of the condition.",
- "required": false,
- "security_impact": false,
- "rationale": "Documentation purpose only.",
- "compliant": "Restricts access to folder-level resources",
- "non-compliant": "",
- "parent": "condition"
- },
- "location": {
- "description": "Debug location for condition evaluation.",
- "required": false,
- "security_impact": false,
- "rationale": "Used for error tracing.",
- "compliant": "global",
- "non-compliant": "",
- "parent": "condition"
- }
- }
+ "display_name": {
+ "description": "Optional description of the policy binding.",
+ "required": false,
+ "security_impact": "Helps identify IAM bindings for auditing and governance.",
+ "rationale": "Standard naming improves traceability in enterprise IAM systems.",
+ "compliant": "pde-secure-folder-binding",
+ "non-compliant": "test"
  }
  }
  }
\ No newline at end of file
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
index b8c6c6ab3..904fcfa6e 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
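Review bot: `security_impact` is written as a prose sentence on every argument of this file (e.g. the `location` entry's `"security_impact": "Restricting location prevents cross-region policy sprawl..."`), whereas iam_oauth_client.json, iam_organizations_policy_binding.json and iam_principal_access_boundary_policy.json in this same commit keep it a boolean, and the removed side of this file used booleans too; any consumer that filters on `security_impact == true` would silently treat every folder-binding argument as non-security. The new `display_name` object also drops the `"parent": null` key that every sibling argument carries. The `compliant`/`non-compliant` pairs for `policy`, `target` and `principal_set` differ only in the organization or folder number (`123456789` vs `999999999`), so they document an allow-list rather than a rule a check could apply; a sentence in `rationale` naming where that approved-ID list is maintained would make the entries actionable.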
@@ -2,101 +2,101 @@
  "resource_name": "iam_oauth_client",
  "subcategory": "Cloud IAM",
  "arguments": {
- "location": {
- "description": "Location where the OAuth client is deployed. Must always be global.",
+ "allowed_scopes": {
+ "description": "Required. The list of scopes that the OauthClient is allowed to request during OAuth flows.",
  "required": true,
  "security_impact": true,
- "rationale": "Ensures OAuth configuration consistency across GCP IAM services.",
- "compliant": "global",
- "non-compliant": "us-central1",
+ "rationale": "Restricting scopes enforces least privilege OAuth access and prevents over-permissioned identity delegation.",
+ "compliant": ["openid", "email", "groups"],
+ "non-compliant": ["https://www.googleapis.com/auth/cloud-platform"],
  "parent": null
  },
- "oauth_client_id": {
- "description": "Unique OAuth client ID. Must be 6–63 characters, lowercase letters, digits, or hyphens. Cannot start or end with hyphen and cannot use 'gcp-' prefix.",
+ "allowed_grant_types": {
+ "description": "Required. The list of OAuth grant types is allowed for the OauthClient.",
  "required": true,
  "security_impact": true,
- "rationale": "Prevents insecure or invalid OAuth client identifiers.",
- "compliant": "example-client-01",
- "non-compliant": "gcp-client-01-",
- "parent": null
- },
-
- "client_type": {
- "description": "Type of OAuth client. Only PUBLIC_CLIENT or CONFIDENTIAL_CLIENT are allowed.",
- "required": false,
- "security_impact": true,
- "rationale": "Restricts OAuth client types to approved security models.",
- "compliant": "CONFIDENTIAL_CLIENT",
- "non-compliant": "UNKNOWN_CLIENT",
+ "rationale": "Ensures only approved OAuth flows are used to prevent insecure authentication mechanisms.",
+ "compliant": ["AUTHORIZATION_CODE_GRANT"],
+ "non-compliant": ["IMPLICIT_GRANT"],
  "parent": null
  },
- "allowed_scopes": {
- "description": "List of OAuth scopes allowed for authentication flows.",
+ "allowed_redirect_uris": {
+ "description": "Required. The list of redirect URIs allowed after OAuth authentication.",
  "required": true,
  "security_impact": true,
- "rationale": "Restricting scopes reduces access exposure and privilege escalation risk.",
- "compliant": ["openid", "email"],
- "non-compliant": ["*"],
+ "rationale": "Prevents open redirect attacks and ensures tokens are only sent to trusted endpoints.",
+ "compliant": ["https://www.example.com/callback"],
+ "non-compliant": ["http://evil.com"],
  "parent": null
  },
- "allowed_grant_types": {
- "description": "OAuth grant types allowed for the client.",
+ "location": {
+ "description": "Resource ID segment making up resource name.",
  "required": true,
  "security_impact": true,
- "rationale": "Controls authentication flow security.",
- "compliant": ["AUTHORIZATION_CODE_GRANT"],
- "non-compliant": [],
+ "rationale": "OAuth clients must be deployed in global scope to ensure consistent IAM enforcement.",
+ "compliant": "global",
+ "non-compliant": "us-central1",
  "parent": null
  },
- "allowed_redirect_uris": {
- "description": "List of allowed redirect URIs after authentication.",
+ "oauth_client_id": {
+ "description": "Required. The ID used for the OauthClient resource.",
  "required": true,
  "security_impact": true,
- "rationale": "Prevents redirect attacks and phishing risks.",
- "compliant": ["https://example.com"],
- "non-compliant": ["http://evil.com"],
+ "rationale": "Ensures predictable naming and avoids reserved prefix misuse.",
+ "compliant": "example-client-01",
+ "non-compliant": "gcp-client-01",
  "parent": null
  },
  "disabled": {
- "description": "Indicates whether the OAuth client is disabled.",
+ "description": "Whether the OauthClient is disabled.",
  "required": false,
  "security_impact": true,
- "rationale": "Disabled clients cannot be used for authentication.",
+ "rationale": "Disabled clients cannot be used, reducing attack surface when not in use.",
  "compliant": false,
  "non-compliant": true,
  "parent": null
  },
  "display_name": {
- "description": "Human-readable name for the OAuth client.",
+ "description": "Human-readable name of the OAuth client.",
  "required": false,
  "security_impact": false,
- "rationale": null,
- "compliant": "Valid OAuth Client",
- "non-compliant": "Invalid Client",
+ "rationale": "Used only for identification purposes.",
+ "compliant": "Enterprise OAuth Client",
+ "non-compliant": "Very Long Invalid Name That Exceeds Limits",
  "parent": null
  },
  "description": {
- "description": "Optional description of the OAuth client.",
+ "description": "Description of the OAuth client.",
  "required": false,
  "security_impact": false,
- "rationale": null,
- "compliant": "OAuth client for production app",
- "non-compliant": "",
+ "rationale": "Provides documentation for audit and governance.",
+ "compliant": "OAuth client for enterprise login",
+ "non-compliant": "test",
+ "parent": null
+ },
+
+ "client_type": {
+ "description": "Type of OAuth client.",
+ "required": false,
+ "security_impact": true,
+ "rationale": "Restricts OAuth clients to approved secure types only.",
+ "compliant": ["PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT"],
+ "non-compliant": ["INTERNAL_CLIENT"],
  "parent": null
  },
  "project": {
- "description": "GCP project where the OAuth client is created.",
+ "description": "Project where the resource is created.",
  "required": false,
  "security_impact": true,
- "rationale": "Ensures correct project-level isolation.",
+ "rationale": "Ensures correct project-level IAM isolation.",
  "compliant": "smooth-verve-467716-v1",
  "non-compliant": "",
  "parent": null
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
index c60d88c5f..7c10d74b8 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
@@ -3,7 +3,7 @@
  "subcategory": "Cloud IAM",
  "arguments": {
  "location": {
- "description": "Location where the OAuth client credential is created. Must always be global.",
+ "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.",
  "required": true,
  "security_impact": true,
  "rationale": "Restricting location to global ensures consistent IAM control and avoids regional misconfiguration.",
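Review bot: `client_type` now gives `"compliant": ["PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT"]` as an array although the field is a single value (its own description says "Type of OAuth client" and the removed side used the scalar `"CONFIDENTIAL_CLIENT"`), so a check that compares the configured value against `compliant` would never match; the entry should use scalars, e.g. `"compliant": "CONFIDENTIAL_CLIENT"` and `"non-compliant": "INTERNAL_CLIENT"`. `disabled` keeps `"compliant": false, "non-compliant": true` while its new rationale says a disabled client reduces attack surface, so the example values and the rationale point in opposite directions; the same pairing appears in the `disabled` entry of iam_oauth_client_credential.json's second hunk. Either the rationale should say a client must only be enabled while it is in active use, or the examples should be flipped to match what the rationale recommends.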
@@ -13,50 +13,50 @@
  },
  "oauthclient": {
- "description": "Parent OAuth client identifier used to associate the credential.",
+ "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.",
  "required": true,
  "security_impact": true,
- "rationale": "Invalid client associations can lead to unauthorized credential binding.",
+ "rationale": "Ensures OAuth credential is correctly linked to a valid parent OAuth client to prevent unauthorized binding.",
  "compliant": "example-client-id",
  "non-compliant": "invalid-client",
  "parent": null
  },
  "oauth_client_credential_id": {
- "description": "Unique credential ID. Must follow 4–32 chars, lowercase letters, numbers, and hyphens. Cannot start with 'gcp-'.",
+ "description": "Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.",
  "required": true,
  "security_impact": true,
- "rationale": "Strict naming prevents insecure or reserved prefix usage.",
+ "rationale": "Prevents use of reserved prefixes and ensures predictable, secure naming conventions.",
  "compliant": "cred-01a",
  "non-compliant": "gcp-cred-01a",
  "parent": null
  },
  "disabled": {
- "description": "Indicates whether the credential is disabled.",
+ "description": "Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential.",
  "required": false,
  "security_impact": true,
- "rationale": "Disabled credentials cannot be used for authentication.",
+ "rationale": "Disabled credentials reduce risk of unauthorized authentication usage.",
  "compliant": false,
  "non-compliant": true,
  "parent": null
  },
  "display_name": {
- "description": "Human-readable name for the credential.",
+ "description": "A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters.",
  "required": false,
  "security_impact": false,
- "rationale": null,
+ "rationale": "Used for readability and operational clarity only.",
  "compliant": "Valid Credential",
- "non-compliant": "Invalid Credential",
+ "non-compliant": "Invalid Credential With Very Long Name Exceeding Limit",
  "parent": null
  },
  "project": {
- "description": "GCP project where the resource is created. If not set, provider project is used.",
+ "description": "If it is not provided, the provider project is used.",
  "required": false,
  "security_impact": true,
- "rationale": "Ensures correct project scoping for IAM isolation.",
+ "rationale": "Ensures correct project scoping for IAM isolation and prevents cross-project credential leakage.",
  "compliant": "smooth-verve-467716-v1",
  "non-compliant": "",
  "parent": null
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json
index 05453ca6b..0b8ada754 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json
@@ -2,59 +2,132 @@
  "resource_name": "iam_organizations_policy_binding",
  "subcategory": "Cloud IAM",
  "arguments": {
+ "target": {
+ "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "Defines the exact principal scope for IAM binding enforcement, preventing unauthorized identity expansion.",
+ "compliant": "//cloudresourcemanager.googleapis.com/organizations/123456789",
+ "non-compliant": "//cloudresourcemanager.googleapis.com/projects/untrusted-project",
+ "parent": null,
+ "arguments": {
+ "principal_set": {
+ "description": "Full Resource Name of the principal set used for principal access boundary policy bindings.",
+ "required": false,
+ "security_impact": true,
+ "rationale": "Ensures only approved identity domains (org/workforce/workspace) are used.",
+ "compliant": "//cloudresourcemanager.googleapis.com/organizations/123456789",
+ "non-compliant": "//cloudresourcemanager.googleapis.com/organizations/000000000",
+ "parent": "target"
+ }
+ }
+ },
+
+ "policy": {
+ "description": "Required. Immutable. The resource name of the policy to be bound.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "Ensures binding only approved Principal Access Boundary policies within the organization.",
+ "compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1",
+ "non-compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/unknown-policy",
+ "parent": null
+ },
+
  "organization": {
- "description": "Numeric organization ID for binding.",
+ "description": "Parent organization of the Policy Binding.",
  "required": true,
  "security_impact": true,
- "rationale": "Ensures policy is attached to correct organization boundary.",
+ "rationale": "Ensures IAM governance is enforced at the correct organizational boundary.",
  "compliant": "123456789",
- "non-compliant": "org-name",
+ "non-compliant": "999999999",
  "parent": null
  },
+
  "location": {
- "description": "Must always be global.",
+ "description": "The location of the Policy Binding",
  "required": true,
  "security_impact": true,
- "rationale": "IAM bindings must be globally consistent.",
+ "rationale": "Enforces centralized IAM policy binding control.",
  "compliant": "global",
  "non-compliant": "us-central1",
  "parent": null
  },
+
  "policy_binding_id": {
- "description": "Unique identifier for policy binding.",
+ "description": "The Policy Binding ID.",
  "required": true,
  "security_impact": true,
- "rationale": "Ensures unique tracking of bindings.",
- "compliant": "binding-001",
- "non-compliant": "binding#1",
+ "rationale": "Ensures unique identification of IAM policy bindings.",
+ "compliant": "org-binding-001",
+ "non-compliant": "invalid binding id!!",
  "parent": null
  },
+
  "display_name": {
- "description": "Human readable name for policy binding.",
+ "description": "Optional description of the policy binding.",
  "required": false,
  "security_impact": false,
- "rationale": "No security impact.",
- "compliant": "Org Binding",
- "non-compliant": "",
+ "rationale": "Improves readability and auditability.",
+ "compliant": "Org Access Boundary Binding",
+ "non-compliant": "x",
  "parent": null
  },
+
  "annotations": {
- "description": "User-defined metadata annotations.",
+ "description": "User-defined annotations for metadata tagging.",
  "required": false,
  "security_impact": false,
- "rationale": "Used for tagging only.",
- "compliant": {},
- "non-compliant": {},
+ "rationale": "Used for governance and tracking only.",
+ "compliant": { "env": "prod" },
+ "non-compliant": { "env": "test" },
  "parent": null
  },
+
  "policy_kind": {
- "description": "Type of policy: PRINCIPAL_ACCESS_BOUNDARY or ACCESS.",
+ "description": "Type of policy attached in this binding.",
  "required": false,
  "security_impact": true,
- "rationale": "Controls IAM enforcement behavior.",
- "compliant": "ACCESS",
- "non-compliant": "UNKNOWN",
+ "rationale": "Restricts IAM binding to secure boundary enforcement policies.",
+ "compliant": "PRINCIPAL_ACCESS_BOUNDARY",
+ "non-compliant": "ACCESS",
  "parent": null
+ },
+
+ "condition": {
+ "description": "CEL condition for fine-grained policy enforcement.",
+ "required": false,
+ "security_impact": true,
+ "rationale": "Allows conditional IAM enforcement based on attributes.",
+ "arguments": {
+ "expression": {
+ "description": "CEL expression controlling IAM access.",
+ "required": false,
+ "compliant": "request.time < timestamp('2026-12-31T00:00:00Z')",
+ "non-compliant": "true",
+ "parent": "condition"
+ },
+ "title": {
+ "description": "Short title of the condition.",
+ "required": false,
+ "compliant": "Time Restricted Access",
+ "non-compliant": "",
+ "parent": "condition"
+ },
+ "description": {
+ "description": "Description of the condition logic.",
+ "required": false,
+ "compliant": "Restricts access based on time window",
+ "non-compliant": "",
+ "parent": "condition"
+ },
+ "location": {
+ "description": "Error reporting location metadata.",
+ "required": false,
+ "compliant": "global",
+ "non-compliant": "unknown",
+ "parent": "condition"
+ }
+ }
  }
  }
  }
\ No newline at end of file
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json
index d336f019f..2f36bbfbe 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json
@@ -3,49 +3,118 @@
  "subcategory": "Cloud IAM",
  "arguments": {
  "organization": {
- "description": "Numeric organization ID.",
+ "description": "The parent organization of the principal access boundary policy.",
  "required": true,
  "security_impact": true,
- "rationale": "Defines IAM boundary scope at organization level.",
- "compliant": "123456789",
- "non-compliant": "org-name",
+ "rationale": "Restricting policies to approved organizations ensures IAM governance boundaries and prevents cross-tenant privilege escalation.",
+ "compliant": "PDE1, PDE2, PDE3",
+ "non-compliant": "random-org-123",
  "parent": null
  },
  "location": {
- "description": "Must always be global.",
+ "description": "The location the principal access boundary policy is in.",
  "required": true,
  "security_impact": true,
- "rationale": "Ensures centralized IAM enforcement.",
+ "rationale": "Enforcing global location ensures consistent IAM policy enforcement and avoids regional misconfiguration risks.",
  "compliant": "global",
  "non-compliant": "us-central1",
  "parent": null
  },
  "principal_access_boundary_policy_id": {
- "description": "Policy ID (2–62 chars, lowercase, numbers, hyphen, dot allowed).",
+ "description": "The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots.",
  "required": true,
- "security_impact": true,
- "rationale": "Ensures valid IAM naming standard.",
+ "security_impact": false,
+ "rationale": "Ensures consistent naming conventions for policy identification and avoids invalid resource creation.",
  "compliant": "pab-policy-01",
- "non-compliant": "INVALID_ID",
+ "non-compliant": "PAB_POLICY_01",
  "parent": null
  },
  "display_name": {
- "description": "Display name of policy.",
+ "description": "The description of the principal access boundary policy. Must be less than or equal to 63 characters.",
  "required": false,
  "security_impact": false,
- "rationale": "No security impact.",
- "compliant": "PAB Policy",
- "non-compliant": "",
+ "rationale": null,
+ "compliant": "Standard Access Boundary Policy",
+ "non-compliant": "Very long or unclear name exceeding limits",
  "parent": null
  },
  "annotations": {
- "description": "Metadata tags for policy.",
+ "description": "User defined annotations for metadata tagging and governance tracking.",
  "required": false,
  "security_impact": false,
- "rationale": "Only metadata.",
- "compliant": {},
- "non-compliant": {},
+ "rationale": "Used for auditability and classification of IAM policies.",
+ "compliant": "env=prod, owner=security-team",
+ "non-compliant": "free-form or unstructured metadata",
  "parent": null
+ },
+ "details": {
+ "description": "Principal access boundary policy details.",
+ "required": false,
+ "security_impact": true,
+ "rationale": "Defines enforcement rules that restrict principal access to approved resources.",
+ "parent": null,
+ "arguments": {
+ "rules": {
+ "description": "A list of principal access boundary policy rules.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "Rules define which resources principals can access under the boundary policy.",
+ "compliant": "ALLOW only approved organizations/projects/folders",
+ "non-compliant": "ALLOW all or overly broad resources",
+ "parent": "details"
+ },
+ "enforcement_version": {
+ "description": "Version of enforcement for Google Cloud services included in policy.",
+ "required": false,
+ "security_impact": false,
+ "rationale": "Ensures controlled rollout of enforcement changes across services.",
+ "compliant": "latest or pinned version",
+ "non-compliant": "empty or unmanaged versioning",
+ "parent": "details"
+ }
+ }
+ },
+ "rules": {
+ "description": "Policy rules defining access boundaries for principals.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "Rules define the actual enforcement of access boundaries across resources.",
+ "parent": null,
+ "arguments": {
+ "description": {
+ "description": "The description of the principal access boundary policy rule.",
+ "required": false,
+ "security_impact": false,
+ "rationale": null,
+ "compliant": "Allow access to approved project set only",
+ "non-compliant": "Unrestricted or vague rule description",
+ "parent": "rules"
+ },
+ "resources": {
+ "description": "Cloud Resource Manager resources included in this rule.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "Restricts access to approved organizations, folders, or projects only.",
+ "compliant": [
+ "//cloudresourcemanager.googleapis.com/organizations/123",
+ "//cloudresourcemanager.googleapis.com/folders/123",
+ "//cloudresourcemanager.googleapis.com/projects/approved-project"
+ ],
+ "non-compliant": [
+ "//cloudresourcemanager.googleapis.com/projects/*"
+ ],
+ "parent": "rules"
+ },
+ "effect": {
+ "description": "The access relationship of principals to resources.",
+ "required": true,
+ "security_impact": true,
+ "rationale": "Defines whether access is allowed under the boundary policy.",
+ "compliant": "ALLOW",
+ "non-compliant": "DENY or undefined behavior",
+ "parent": "rules"
+ }
+ }
  }
  }
  }
\ No newline at end of file
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
index 62767e11d..1a60799cf 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
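Review bot: `rules` is documented twice on the new side — once as a stub nested under `details.arguments` with `"parent": "details"` and prose examples, and again as a top-level argument with `"parent": null` carrying the full `description`/`resources`/`effect` schema — so the file disagrees with itself about where rules live; given the `details` description ("Principal access boundary policy details"), the top-level block should carry `"parent": "details"` and the nested stub be dropped, or the two merged into one entry. The `organization` compliant example `"PDE1, PDE2, PDE3"` is a comma-separated list of labels rather than an organization ID like the `"123456789"` the sibling files use, so no real value can be compared against it. `annotations` likewise changes `compliant` from the object `{}` to the string `"env=prod, owner=security-team"`, and `effect` gives `"non-compliant": "DENY or undefined behavior"` where the field takes an enum value; these read as notes to a human rather than values a check could apply, and the `resources` entry two lines up shows the concrete-value style that the rest should follow.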
@@ -2,146 +2,144 @@ "resource_name": "iam_projects_policy_binding", "subcategory": "Cloud IAM", "arguments": { - "project": { - "description": "GCP project ID where the policy binding is applied. Must follow valid project naming rules (lowercase letters, numbers, and hyphens).", - "required": false, + "target": { + "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set.", + "required": true, + "security_impact": true, + "rationale": "Restricts policy binding scope to approved project principals only, preventing unauthorized identity binding.", + "compliant": [ + "//cloudresourcemanager.googleapis.com/projects/approved-project-1", + "//cloudresourcemanager.googleapis.com/projects/approved-project-2" + ], + "non-compliant": [ + "//cloudresourcemanager.googleapis.com/projects/*", + "//cloudresourcemanager.googleapis.com/projects/external-project" + ], + "parent": null, + "arguments": { + "principal_set": { + "description": "Full resource name of the principal set used for IAM policy binding.", + "required": false, + "security_impact": true, + "rationale": "Ensures only approved project-level principals can be assigned IAM boundaries.", + "compliant": [ + "//cloudresourcemanager.googleapis.com/projects/approved-project-1", + "//cloudresourcemanager.googleapis.com/projects/approved-project-2" + ], + "non-compliant": [ + "//cloudresourcemanager.googleapis.com/projects/*", + "//cloudresourcemanager.googleapis.com/projects/external-*" + ], + "parent": "target" + } + } + }, + + "policy": { + "description": "The resource name of the policy to be bound.", + "required": true, "security_impact": true, - "rationale": "Ensures IAM policy is attached to a valid and controlled project scope.", - "compliant": "my-project-123", - "non-compliant": "Invalid_Project", + "rationale": "Ensures only approved IAM boundary policies are attached to projects.", + "compliant": 
"organizations/123456789/locations/global/principalAccessBoundaryPolicies/approved-policy", + "non-compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/unapproved-policy", "parent": null }, "location": { - "description": "Location of the policy binding. Must always be global for IAM project policy bindings.", + "description": "The location of the Policy Binding.", "required": true, "security_impact": true, - "rationale": "IAM bindings must be globally consistent for proper access control enforcement.", + "rationale": "Enforcing global location ensures consistent IAM policy application across projects and prevents regional drift.", "compliant": "global", "non-compliant": "us-central1", "parent": null }, "policy_binding_id": { - "description": "Unique identifier for the policy binding within the project.", + "description": "The Policy Binding ID.", "required": true, - "security_impact": true, - "rationale": "Ensures each IAM binding can be uniquely tracked and managed.", + "security_impact": false, + "rationale": "Ensures consistent naming and traceability of policy bindings.", "compliant": "project-binding-01", - "non-compliant": "Project Binding #1", + "non-compliant": "INVALID_BINDING", "parent": null }, "display_name": { - "description": "Optional human-readable name for the policy binding (maximum 63 characters).", + "description": "Optional description of the policy binding.", "required": false, "security_impact": false, - "rationale": "Used only for identification and has no security impact.", - "compliant": "Project IAM Binding", - "non-compliant": "This is an extremely long invalid display name that exceeds allowed character limits for IAM resources", + "rationale": "Used for human-readable identification only.", + "compliant": "Project IAM Binding Policy", + "non-compliant": "Very long or unclear name exceeding limits", "parent": null }, "annotations": { - "description": "Optional metadata used to tag and classify the policy 
binding.", + "description": "User-defined metadata annotations.", "required": false, "security_impact": false, - "rationale": "Annotations are informational only and do not affect IAM enforcement.", - "compliant": { - "environment": "prod", - "team": "security" - }, - "non-compliant": { - "note": "This annotation contains excessive invalid metadata that should not be used in production IAM configurations because it violates expected structure and readability standards" - }, + "rationale": "Used for tagging, auditing, and governance tracking.", + "compliant": "env=prod, team=security", + "non-compliant": "random unstructured metadata", "parent": null }, "policy_kind": { - "description": "Type of policy being applied. Possible values include ACCESS or PRINCIPAL_ACCESS_BOUNDARY.", + "description": "The kind of policy to attach in this binding.", "required": false, "security_impact": true, - "rationale": "Determines IAM enforcement behavior and access model.", - "compliant": "ACCESS", - "non-compliant": "UNKNOWN_TYPE", + "rationale": "Ensures only Principal Access Boundary policies are enforced for security isolation.", + "compliant": "PRINCIPAL_ACCESS_BOUNDARY", + "non-compliant": "ACCESS, POLICY_KIND_UNSPECIFIED", "parent": null }, - "target": { - "description": "Full resource name of the target project where the policy binding is applied.", - "required": true, - "security_impact": true, - "rationale": "Defines exact IAM enforcement scope at project level.", - "compliant": "//cloudresourcemanager.googleapis.com/projects/my-project-123", - "non-compliant": "//invalid/resource/name", - "parent": null, - - "arguments": { - "principal_set": { - "description": "Principal set defining which identities are allowed within the project scope.", - "required": false, - "security_impact": true, - "rationale": "Restricts access to approved identities within project boundary.", - "compliant": "//cloudresourcemanager.googleapis.com/projects/123456789", - "non-compliant": 
"//cloudresourcemanager.googleapis.com/folders/123", - "parent": "target" - } - } - }, - "condition": { - "description": "Optional IAM condition using Common Expression Language (CEL) for conditional access control.", + "description": "CEL expression controlling conditional policy binding.", "required": false, "security_impact": true, - "rationale": "Allows fine-grained access control based on logical conditions.", - "compliant": { - "expression": "resource.name.startsWith('projects/')", - "title": "Project access rule", - "description": "Allows access only to project resources" - }, - "non-compliant": { - "expression": "true" - }, + "rationale": "Allows fine-grained IAM control based on runtime conditions.", + "compliant": "document.type != 'internal'", + "non-compliant": "true (unrestricted access)", "parent": null, - "arguments": { "expression": { - "description": "CEL expression used to define IAM conditional logic.", + "description": "CEL expression for conditional logic.", "required": false, "security_impact": true, - "rationale": "Controls when IAM policy is applied.", - "compliant": "resource.name.startsWith('projects/')", - "non-compliant": "true", + "rationale": "Controls conditional IAM enforcement.", "parent": "condition" }, "title": { - "description": "Short title describing the IAM condition.", + "description": "Title of the condition.", "required": false, "security_impact": false, - "rationale": "Used for readability only.", - "compliant": "Project Condition", - "non-compliant": "", "parent": "condition" }, "description": { - "description": "Detailed explanation of the IAM condition.", + "description": "Description of the condition.", "required": false, "security_impact": false, - "rationale": "Documentation purpose only.", - "compliant": "Restricts access to project-level resources only", - "non-compliant": "", "parent": "condition" }, "location": { - "description": "Debugging reference for IAM condition evaluation.", + "description": "Location of 
expression for debugging.", "required": false, "security_impact": false, - "rationale": "Used for error tracing and debugging.", - "compliant": "global", - "non-compliant": "", "parent": "condition" } } + }, + + "project": { + "description": "The project where the policy binding is applied.", + "required": false, + "security_impact": true, + "rationale": "Ensures correct project-level IAM isolation and prevents cross-project misconfiguration.", + "compliant": "approved-project-id", + "non-compliant": "external-project-id", + "parent": null } } } \ No newline at end of file From 84c5ed598818bd3661f6745b39b1a23ff3b21ff4 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 17 May 2026 13:36:33 +1000 Subject: [PATCH 78/91] fix folder policy --- .../Cloud_IAM/iam_folders_policy_binding.md | 26 ++- .../Cloud_IAM/iam_oauth_client_credential.md | 2 +- .../iam_organizations_policy_binding.md | 24 +-- .../iam_folders_policy_binding.json | 156 ++++++++++++------ .../iam_oauth_client_credential.json | 2 - .../iam_organizations_policy_binding.json | 56 ++++--- .../location_validation/c.tf | 2 +- .../location_validation/nc.tf | 2 +- .../policy_kind_validation/c.tf | 2 +- .../policy_kind_validation/nc.tf | 2 +- .../policy_validation/c.tf | 2 +- .../policy_validation/nc.tf | 2 +- .../client_type_validation/c.tf | 2 +- .../client_type_validation/nc.tf | 2 +- .../location_validation/c.tf | 2 +- .../location_validation/nc.tf | 2 +- .../location_validation/c.tf | 2 +- .../location_validation/nc.tf | 2 +- .../Location_Validation/c.tf | 2 +- .../Location_Validation/nc.tf | 2 +- .../vars.rego | 2 +- .../google_iam_oauth_client/vars.rego | 2 +- .../vars.rego | 2 +- .../vars.rego | 2 +- 24 files changed, 186 insertions(+), 116 deletions(-) diff --git a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md index 49b44bdfa..a20106813 100644 --- a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md 
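Review bot: The `condition.compliant` example `document.type != 'internal'` is not something a policy-binding condition can evaluate — it is the generic sample from the CEL docs, and as far as I know binding conditions are evaluated against principal attributes (`principal.type`, `principal.subject`), so a reader who copies it gets a condition that never resolves; a realistic compliant value is `principal.type == 'iam.googleapis.com/WorkforcePoolIdentity'`, and the `compliant`/`non-compliant` pair this hunk drops from the nested `expression` argument should come back with the same values. The `target.principal_set` examples also regress from the removed `projects/123456789` form to project IDs (`projects/approved-project-1`): a project principal set is addressed by project number, so the new examples would not match a real binding. `policy_kind` lists `POLICY_KIND_UNSPECIFIED` as non-compliant, but per the provider description quoted in the folder and organization files of this series, leaving the kind empty makes the API derive it from the bound policy, so only `ACCESS` is a real deviation here. The `location` pair is fine, though since `global` is the only accepted value, `us-central1` is a rejected input rather than a misconfiguration that can be deployed.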
+++ b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md 
@@ -10,15 +10,27 @@ Reference: [Terraform Registry – iam_folders_policy_binding](https://registry. | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `location` | The location of the PolicyBinding. | true | false | IAM folder policy bindings must be deployed only in a controlled location to ensure consistent enforcement. | global | us-central1 | -| `policy_kind` | The kind of the policy to attach in this binding. | false | false | Only Principal Access Boundary policies are allowed in folder-level bindings to enforce least privilege. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | -| `policy` | The resource name of the policy to be bound. | true | false | Binding must reference only approved Principal Access Boundary policies created by the organization security team. | ['organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1', 'organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-2'] | ['organizations/999999999/locations/global/principalAccessBoundaryPolicies/unapproved-policy'] | -| `target` | Target is the full resource name of the resource to which the policy will be bound. | true | false | Ensures policy bindings apply only to controlled folder-level resources. | //cloudresourcemanager.googleapis.com/folders/123456789 | //cloudresourcemanager.googleapis.com/folders/external-folder | -| `policy_binding_id` | The Policy Binding ID. | true | false | Each binding must have a unique controlled identifier. | pde-folder-binding-1 | test-binding | -| `display_name` | Optional description of the policy binding. | false | false | Standard naming improves traceability in enterprise IAM systems. | pde-secure-folder-binding | test | +| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. 
Structure is [documented below](#nested_target). | true | true | Restricts IAM enforcement scope to approved folder-level resources and prevents unauthorized policy attachment. | //cloudresourcemanager.googleapis.com/folders/123456789 | //cloudresourcemanager.googleapis.com/folders/external-folder | +| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures only approved organization-level IAM policies are attached to folder bindings. | organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1 | organizations/999999999/locations/global/principalAccessBoundaryPolicies/unapproved-policy | +| `folder` | The parent folder for the PolicyBinding. | true | true | Restricts policy bindings to approved enterprise-managed folders. | folders/123456789 | folders/external-folder | +| `location` | The location of the PolicyBinding. | true | true | Restricting location prevents cross-region policy sprawl and enforces governance boundaries. | global | us-central1 | +| `policy_binding_id` | The Policy Binding ID. | true | true | Ensures traceability and prevents duplicate or unauthorized policy bindings. | pde-folder-binding-1 | test-binding | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Display name is used for operational readability and auditing purposes only. | | | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. 
| false | false | Annotations are metadata used for organization and tracking purposes and do not directly affect IAM enforcement. | | | +| `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Restricting policy kind prevents misuse of non-boundary IAM policies and reduces privilege escalation risk. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | +| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | true | Conditions can affect IAM authorization logic and access enforcement. 
| request.time < timestamp('2026-12-31T23:59:59Z') | true | ### target Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `principal_set` | Full Resource Name of the principal set used for policy bindings. | false | false | Only folder-level principal sets should be allowed for IAM folder policy bindings. | //cloudresourcemanager.googleapis.com/folders/123456789 | //cloudresourcemanager.googleapis.com/folders/999999999 | +| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder). | false | true | Restricts policy bindings to approved folder-level principal sets to prevent unauthorized privilege escalation. | //cloudresourcemanager.googleapis.com/folders/123456789 | //cloudresourcemanager.googleapis.com/folders/999999999 | + +### condition Block + +| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | +|----------|-------------|----------|-----------------|-----------|-----------|---------------| +| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | Controls authorization logic and access restrictions through CEL expressions. | request.auth != null | true | +| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | Title is informational metadata only and does not affect IAM behavior. | | | +| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. 
when hovered over it in a UI. | false | false | Description is informational metadata only and does not affect IAM enforcement. | | | +| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | Location metadata is used only for debugging and error reporting. | | | diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md index 2d5256215..8564fb682 100644 --- a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md +++ b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md 
@@ -14,5 +14,5 @@ Reference: [Terraform Registry – iam_oauth_client_credential](https://registry | `oauthclient` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | Ensures OAuth credential is correctly linked to a valid parent OAuth client to prevent unauthorized binding. | example-client-id | invalid-client | | `oauth_client_credential_id` | Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | true | Prevents use of reserved prefixes and ensures predictable, secure naming conventions. | cred-01a | gcp-cred-01a | | `disabled` | Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. | false | true | Disabled credentials reduce risk of unauthorized authentication usage. | False | True | -| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | Used for readability and operational clarity only. | Valid Credential | Invalid Credential With Very Long Name Exceeding Limit | +| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | Used for readability and operational clarity only. | | | | `project` | If it is not provided, the provider project is used. | false | true | Ensures correct project scoping for IAM isolation and prevents cross-project credential leakage. | smooth-verve-467716-v1 | | diff --git a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md index f45a57e49..7e0709976 100644 --- a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md 
+++ b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md 
@@ -10,27 +10,27 @@ Reference: [Terraform Registry – iam_organizations_policy_binding](https://reg | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. | true | true | Defines the exact principal scope for IAM binding enforcement, preventing unauthorized identity expansion. | //cloudresourcemanager.googleapis.com/organizations/123456789 | //cloudresourcemanager.googleapis.com/projects/untrusted-project | -| `policy` | Required. Immutable. The resource name of the policy to be bound. | true | true | Ensures binding only approved Principal Access Boundary policies within the organization. | organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1 | organizations/123456789/locations/global/principalAccessBoundaryPolicies/unknown-policy | -| `organization` | Parent organization of the Policy Binding. | true | true | Ensures IAM governance is enforced at the correct organizational boundary. | 123456789 | 999999999 | +| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | true | Defines the exact principal scope for IAM binding enforcement and prevents unauthorized identity expansion. | //cloudresourcemanager.googleapis.com/organizations/123456789 | //cloudresourcemanager.googleapis.com/projects/untrusted-project | +| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures binding only approved Principal Access Boundary policies within the organization. 
| organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1 | organizations/123456789/locations/global/principalAccessBoundaryPolicies/unknown-policy | +| `organization` | The parent organization of the Policy Binding. | true | true | Ensures IAM governance is enforced at the correct organizational boundary. | 123456789 | 999999999 | | `location` | The location of the Policy Binding | true | true | Enforces centralized IAM policy binding control. | global | us-central1 | | `policy_binding_id` | The Policy Binding ID. | true | true | Ensures unique identification of IAM policy bindings. | org-binding-001 | invalid binding id!! | -| `display_name` | Optional description of the policy binding. | false | false | Improves readability and auditability. | Org Access Boundary Binding | x | -| `annotations` | User-defined annotations for metadata tagging. | false | false | Used for governance and tracking only. | {'env': 'prod'} | {'env': 'test'} | -| `policy_kind` | Type of policy attached in this binding. | false | true | Restricts IAM binding to secure boundary enforcement policies. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | -| `condition` | CEL condition for fine-grained policy enforcement. | false | true | Allows conditional IAM enforcement based on attributes. | | | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Improves readability and auditability. | | | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Used for governance, metadata tagging, and tracking purposes only. | | | +| `policy_kind` | Immutable. 
The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Restricts IAM binding to secure boundary enforcement policies. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | +| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | true | Allows conditional IAM enforcement based on attributes and contextual access restrictions. 
| request.time < timestamp('2026-12-31T00:00:00Z') | true | ### target Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `principal_set` | Full Resource Name of the principal set used for principal access boundary policy bindings. | false | true | Ensures only approved identity domains (org/workforce/workspace) are used. | //cloudresourcemanager.googleapis.com/organizations/123456789 | //cloudresourcemanager.googleapis.com/organizations/000000000 | +| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Organization `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` It must be parent by the policy binding's parent (the organization). | false | true | Ensures only approved identity domains such as organization, workforce, or workspace identities are used. | //cloudresourcemanager.googleapis.com/organizations/123456789 | //cloudresourcemanager.googleapis.com/organizations/000000000 | ### condition Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `expression` | CEL expression controlling IAM access. | false | false | | request.time < timestamp('2026-12-31T00:00:00Z') | true | -| `title` | Short title of the condition. | false | false | | Time Restricted Access | | -| `description` | Description of the condition logic. | false | false | | Restricts access based on time window | | -| `location` | Error reporting location metadata. 
| false | false | | global | unknown | +| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | Controls IAM access behavior through conditional authorization logic. | request.time < timestamp('2026-12-31T00:00:00Z') | true | +| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | Used only for readability and operational clarity. | | | +| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | Provides human-readable explanation of the CEL condition only. | | | +| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | Used for debugging and error reporting purposes only. | | | diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json index 480e43f6b..5d4b83240 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json 
@@ -1,58 +1,21 @@ { "resource_name": "iam_folders_policy_binding", "subcategory": "Cloud IAM", - "arguments": { - "location": { - "description": "The location of the PolicyBinding.", - "required": true, - "security_impact": "Restricting location prevents cross-region policy sprawl and enforces governance boundaries.", - "rationale": "IAM folder policy bindings must be deployed only in a controlled location to ensure consistent enforcement.", - "compliant": "global", - "non-compliant": "us-central1", - "parent": null - }, - - "policy_kind": { - "description": "The kind of the policy to attach in this binding.", - "required": false, - "security_impact": "Restricting policy kind prevents misuse of non-boundary IAM policies and reduces privilege escalation risk.", - "rationale": "Only Principal Access Boundary policies are allowed in folder-level bindings to enforce least privilege.", - "compliant": "PRINCIPAL_ACCESS_BOUNDARY", - "non-compliant": "ACCESS", - "parent": null - }, - - "policy": { - "description": "The resource name of the policy to be bound.", - "required": true, - "security_impact": "Ensures only approved enterprise IAM boundary policies are enforced at folder level.", - "rationale": "Binding must reference only approved Principal Access Boundary policies created by the organization security team.", - "compliant": [ - "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1", - "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-2" - ], - "non-compliant": [ - "organizations/999999999/locations/global/principalAccessBoundaryPolicies/unapproved-policy" - ], - "parent": null - }, - "target": { - "description": "Target is the full resource name of the resource to which the policy will be bound.", + "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. 
Structure is [documented below](#nested_target).", "required": true, - "security_impact": "Restricts IAM enforcement scope to approved folder-level principals only.", - "rationale": "Ensures policy bindings apply only to controlled folder-level resources.", + "security_impact": true, + "rationale": "Restricts IAM enforcement scope to approved folder-level resources and prevents unauthorized policy attachment.", "compliant": "//cloudresourcemanager.googleapis.com/folders/123456789", "non-compliant": "//cloudresourcemanager.googleapis.com/folders/external-folder", "parent": null, - "arguments": { "principal_set": { - "description": "Full Resource Name of the principal set used for policy bindings.", + "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder).", "required": false, - "security_impact": "Prevents unauthorized principal escalation by restricting access scope.", - "rationale": "Only folder-level principal sets should be allowed for IAM folder policy bindings.", + "security_impact": true, + "rationale": "Restricts policy bindings to approved folder-level principal sets to prevent unauthorized privilege escalation.", "compliant": "//cloudresourcemanager.googleapis.com/folders/123456789", "non-compliant": "//cloudresourcemanager.googleapis.com/folders/999999999", "parent": "target" 
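Review bot: `target.principal_set` is described as `Required. Immutable.` yet carries `"required": false`, so the JSON contradicts its own description on the one nested argument that decides which principals the boundary applies to; the upstream wording says it is required inside `target`, so `"required": true` looks like the right side to change. The compliant and non-compliant examples (`folders/123456789` vs `folders/999999999`) are structurally identical, so the rule cannot be derived from them; the constraint the description actually states is that the principal set must be the binding's parent folder, so the non-compliant example should be a set that is not that parent (an `organizations/…` or `projects/…` path, or a folder ID that differs from `folder`), and the rationale should say so explicitly, e.g. `must equal the binding's folder`. The `target` non-compliant value `folders/external-folder` is syntactically invalid (folder IDs are numeric) rather than a policy violation; a numeric foreign folder ID makes the distinction real. The "It must be parent by" phrasing is copied from upstream, but "parented by" would read correctly.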
@@ -60,23 +23,116 @@ } }, + "policy": { + "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).", + "required": true, + "security_impact": true, + "rationale": "Ensures only approved organization-level IAM policies are attached to folder bindings.", + "compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1", + "non-compliant": "organizations/999999999/locations/global/principalAccessBoundaryPolicies/unapproved-policy", + "parent": null + }, + + "folder": { + "description": "The parent folder for the PolicyBinding.", + "required": true, + "security_impact": true, + "rationale": "Restricts policy bindings to approved enterprise-managed folders.", + "compliant": "folders/123456789", + "non-compliant": "folders/external-folder", + "parent": null + }, + + "location": { + "description": "The location of the PolicyBinding.", + "required": true, + "security_impact": true, + "rationale": "Restricting location prevents cross-region policy sprawl and enforces governance boundaries.", + "compliant": "global", + "non-compliant": "us-central1", + "parent": null + }, + "policy_binding_id": { "description": "The Policy Binding ID.", "required": true, - "security_impact": "Ensures traceability and prevents duplicate or rogue bindings.", - "rationale": "Each binding must have a unique controlled identifier.", + "security_impact": true, + "rationale": "Ensures traceability and prevents duplicate or unauthorized policy bindings.", "compliant": "pde-folder-binding-1", "non-compliant": "test-binding", "parent": null }, "display_name": { - "description": "Optional description of the policy binding.", + "description": "Optional. The description of the policy binding. 
Must be less than or equal to 63 characters.", "required": false, - "security_impact": "Helps identify IAM bindings for auditing and governance.", - "rationale": "Standard naming improves traceability in enterprise IAM systems.", - "compliant": "pde-secure-folder-binding", - "non-compliant": "test" + "security_impact": false, + "rationale": "Display name is used for operational readability and auditing purposes only.", + "parent": null + }, + + "annotations": { + "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", + "required": false, + "security_impact": false, + "rationale": "Annotations are metadata used for organization and tracking purposes and do not directly affect IAM enforcement.", + "parent": null + }, + + "policy_kind": { + "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS", + "required": false, + "security_impact": true, + "rationale": "Restricting policy kind prevents misuse of non-boundary IAM policies and reduces privilege escalation risk.", + "compliant": "PRINCIPAL_ACCESS_BOUNDARY", + "non-compliant": "ACCESS", + "parent": null + }, + + "condition": { + "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. 
Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).", + "required": false, + "security_impact": true, + "rationale": "Conditions can affect IAM authorization logic and access enforcement.", + "compliant": "request.time < timestamp('2026-12-31T23:59:59Z')", + "non-compliant": "true", + "parent": null, + + "arguments": { + "expression": { + "description": "Textual representation of an expression in Common Expression Language syntax.", + "required": false, + "security_impact": true, + "rationale": "Controls authorization logic and access restrictions through CEL expressions.", + "compliant": "request.auth != null", + "non-compliant": "true", + "parent": "condition" + }, + + "title": { + "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. 
in UIs which allow to enter the expression.", + "required": false, + "security_impact": false, + "rationale": "Title is informational metadata only and does not affect IAM behavior.", + "parent": "condition" + }, + + "description": { + "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.", + "required": false, + "security_impact": false, + "rationale": "Description is informational metadata only and does not affect IAM enforcement.", + "parent": "condition" + }, + + "location": { + "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.", + "required": false, + "security_impact": false, + "rationale": "Location metadata is used only for debugging and error reporting.", + "parent": "condition" + } + } } } } \ No newline at end of file diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json index 7c10d74b8..bc54531e3 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json @@ -47,8 +47,6 @@ "required": false, "security_impact": false, "rationale": "Used for readability and operational clarity only.", - "compliant": "Valid Credential", - "non-compliant": "Invalid Credential With Very Long Name Exceeding Limit", "parent": null }, diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json index 0b8ada754..a200689e1 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json 
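Review bot: The `condition.description` string uses `\\\"` around every example title, and inside a JSON string that decodes to a literal backslash followed by a quote, so the rendered text will show `\"Summary size limit\"` with stray backslashes; the intended form is `\"` (or plain single quotes) throughout. The organizations policy binding hunk at `@@ -94,37 +90,45 @@` carries the same escaped copy. Separately, the top-level `condition.compliant` (`request.time < timestamp('2026-12-31T23:59:59Z')`) and the nested `expression.compliant` (`request.auth != null`) are different expressions for what is one Terraform attribute, whereas the organizations file uses the same string in both places; aligning the two fixtures avoids a check that documents one expression and validates another. The `condition` argument's `required` and `security_impact` values are visible here, but the enclosing file's opening lines are in the earlier hunk.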
@@ -3,19 +3,19 @@ "subcategory": "Cloud IAM", "arguments": { "target": { - "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set.", + "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target).", "required": true, "security_impact": true, - "rationale": "Defines the exact principal scope for IAM binding enforcement, preventing unauthorized identity expansion.", + "rationale": "Defines the exact principal scope for IAM binding enforcement and prevents unauthorized identity expansion.", "compliant": "//cloudresourcemanager.googleapis.com/organizations/123456789", "non-compliant": "//cloudresourcemanager.googleapis.com/projects/untrusted-project", "parent": null, "arguments": { "principal_set": { - "description": "Full Resource Name of the principal set used for principal access boundary policy bindings.", + "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Organization `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` It must be parent by the policy binding's parent (the organization).", "required": false, "security_impact": true, - "rationale": "Ensures only approved identity domains (org/workforce/workspace) are used.", + "rationale": "Ensures only approved identity domains such as organization, workforce, or workspace identities are used.", "compliant": "//cloudresourcemanager.googleapis.com/organizations/123456789", "non-compliant": "//cloudresourcemanager.googleapis.com/organizations/000000000", "parent": "target" 
@@ -24,7 +24,7 @@ }, "policy": { - "description": "Required. Immutable. The resource name of the policy to be bound.", + "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).", "required": true, "security_impact": true, "rationale": "Ensures binding only approved Principal Access Boundary policies within the organization.", @@ -34,7 +34,7 @@ }, "organization": { - "description": "Parent organization of the Policy Binding.", + "description": "The parent organization of the Policy Binding.", "required": true, "security_impact": true, "rationale": "Ensures IAM governance is enforced at the correct organizational boundary.", 
@@ -64,27 +64,23 @@ }, "display_name": { - "description": "Optional description of the policy binding.", + "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.", "required": false, "security_impact": false, "rationale": "Improves readability and auditability.", - "compliant": "Org Access Boundary Binding", - "non-compliant": "x", "parent": null }, "annotations": { - "description": "User-defined annotations for metadata tagging.", + "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", "required": false, "security_impact": false, - "rationale": "Used for governance and tracking only.", - "compliant": { "env": "prod" }, - "non-compliant": { "env": "test" }, + "rationale": "Used for governance, metadata tagging, and tracking purposes only.", "parent": null }, "policy_kind": { - "description": "Type of policy attached in this binding.", + "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS", "required": false, "security_impact": true, "rationale": "Restricts IAM binding to secure boundary enforcement policies.", 
@@ -94,37 +90,45 @@ }, "condition": { - "description": "CEL condition for fine-grained policy enforcement.", + "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. 
Structure is [documented below](#nested_condition).", "required": false, "security_impact": true, - "rationale": "Allows conditional IAM enforcement based on attributes.", + "rationale": "Allows conditional IAM enforcement based on attributes and contextual access restrictions.", + "compliant": "request.time < timestamp('2026-12-31T00:00:00Z')", + "non-compliant": "true", + "parent": null, "arguments": { "expression": { - "description": "CEL expression controlling IAM access.", + "description": "Textual representation of an expression in Common Expression Language syntax.", "required": false, + "security_impact": true, + "rationale": "Controls IAM access behavior through conditional authorization logic.", "compliant": "request.time < timestamp('2026-12-31T00:00:00Z')", "non-compliant": "true", "parent": "condition" }, + "title": { - "description": "Short title of the condition.", + "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", "required": false, - "compliant": "Time Restricted Access", - "non-compliant": "", + "security_impact": false, + "rationale": "Used only for readability and operational clarity.", "parent": "condition" }, + "description": { - "description": "Description of the condition logic.", + "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.", "required": false, - "compliant": "Restricts access based on time window", - "non-compliant": "", + "security_impact": false, + "rationale": "Provides human-readable explanation of the CEL condition only.", "parent": "condition" }, + "location": { - "description": "Error reporting location metadata.", + "description": "Optional. String indicating the location of the expression for error reporting, e.g. 
a file name and a position in the file.", "required": false, - "compliant": "global", - "non-compliant": "unknown", + "security_impact": false, + "rationale": "Used for debugging and error reporting purposes only.", "parent": "condition" } } diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf index 76efb4566..946544a06 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf @@ -2,7 +2,7 @@ resource "google_iam_folders_policy_binding" "c" { folder = "123456789" location = "global" - policy_binding_id = "binding-c" + policy_binding_id = "c" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf index e2531296e..d11a38abb 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf @@ -2,7 +2,7 @@ resource "google_iam_folders_policy_binding" "nc" { folder = "123456789" location = "australia-southeast1" - policy_binding_id = "binding-nc" + policy_binding_id = "nc" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf index 76189e648..ba879040a 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf 
@@ -1,7 +1,7 @@ resource "google_iam_folders_policy_binding" "c" { folder = "folders/123456789" location = "global" - policy_binding_id = "pde-binding-01" + policy_binding_id = "c" display_name = "Valid binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf index 1a6ef1a68..a8c68cad3 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf @@ -1,7 +1,7 @@ resource "google_iam_folders_policy_binding" "nc" { folder = "folders/123456789" location = "global" - policy_binding_id = "bad-binding" + policy_binding_id = "nc" display_name = "Invalid binding" policy_kind = "ACCESS" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf index fc747ec85..b56feb1a7 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf @@ -1,7 +1,7 @@ resource "google_iam_folders_policy_binding" "c" { folder = "folders/123456789" location = "global" - policy_binding_id = "pde-binding-03" + policy_binding_id = "c" display_name = "Valid binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf index fcd77c393..20dd92284 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf 
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf @@ -1,7 +1,7 @@ resource "google_iam_folders_policy_binding" "nc" { folder = "folders/123456789" location = "global" - policy_binding_id = "bad-binding-03" + policy_binding_id = "nc" display_name = "Invalid binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf index 998aa143a..77285331f 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf @@ -1,5 +1,5 @@ resource "google_iam_oauth_client" "c" { - oauth_client_id = "example-client-id" + oauth_client_id = "c" display_name = "Valid OAuth Client" description = "Compliant OAuth client configuration" location = "global" diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf index 08a8f7664..1338e3474 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf @@ -1,5 +1,5 @@ resource "google_iam_oauth_client" "nc" { - oauth_client_id = "example-client-id" + oauth_client_id = "nc" display_name = "Invalid OAuth Client" description = "Non-compliant OAuth client configuration" location = "global" diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf index 62b500a41..1de544225 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf 
@@ -1,5 +1,5 @@ resource "google_iam_oauth_client" "c" { - oauth_client_id = "example-client-id" + oauth_client_id = "c" display_name = "Valid OAuth Client" description = "Compliant OAuth client" location = "global" diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf index 8bf258aeb..22f14e8b0 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf @@ -1,5 +1,5 @@ resource "google_iam_oauth_client" "nc" { - oauth_client_id = "example-client-id" + oauth_client_id = "nc" display_name = "Invalid OAuth Client" description = "Non-compliant OAuth client" location = "australia-southeast1" diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf index f1db18278..29ac3c88e 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf @@ -1,7 +1,7 @@ resource "google_iam_oauth_client_credential" "c" { oauthclient = "example-client-id" location = "global" - oauth_client_credential_id = "cred01" + oauth_client_credential_id = "c" display_name = "Valid Credential" project = "smooth-verve-467716-v1" } \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf index c105a6caa..0c73a1c96 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf 
@@ -1,7 +1,7 @@ resource "google_iam_oauth_client_credential" "nc" { oauthclient = "example-client-id" location = "australia-southeast1" - oauth_client_credential_id = "cred02" + oauth_client_credential_id = "nc" display_name = "Invalid Credential" project = "smooth-verve-467716-v1" } \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf index f87f21045..7d87ac548 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf @@ -1,7 +1,7 @@ resource "google_iam_organizations_policy_binding" "c" { organization = "123456789" location = "global" - display_name = "Compliant Org Policy Binding" + display_name = "c" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" policy_binding_id = "org-binding-c" diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf index 672e5f451..307f93869 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf @@ -2,7 +2,7 @@ resource "google_iam_organizations_policy_binding" "nc" { organization = "123456789" location = "australia-southeast1" - display_name = "Non-Compliant Org Policy Binding" + display_name = "nc" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" policy_binding_id = "org-binding-nc" diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego index b28d6831a..157fce905 100644 --- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego 
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM folder policy binding",
 "resource_type": "google_iam_folders_policy_binding",
- "resource_value_name": "name"
+ "resource_value_name": "policy_binding_id"
 }
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego
index beeea456e..5e447d206 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM OAuth client",
 "resource_type": "google_iam_oauth_client",
- "resource_value_name": "name"
+ "resource_value_name": "oauth_client_id"
 }
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego
index e83477cdd..77e64f598 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM OAuth client credential",
 "resource_type": "google_iam_oauth_client_credential",
- "resource_value_name": "name"
+ "resource_value_name": "oauth_client_credential_id"
 }
\ No newline at end of file
diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
index 93cc20959..0195e80e1 100644
--- a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/vars.rego @@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_binding variables := { "friendly_resource_name": "Cloud_IAM organization policy binding", "resource_type": "google_iam_organizations_policy_binding", - "resource_value_name": "name" + "resource_value_name": "display_name" } \ No newline at end of file From 81028d762e430c93b346d02edc35d971f8a9fc12 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 17 May 2026 13:40:18 +1000 Subject: [PATCH 79/91] fix folder policy --- .../google_iam_oauth_client/oauth_scope_whitelist/c.tf | 2 +- .../google_iam_oauth_client/oauth_scope_whitelist/nc.tf | 2 +- .../Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf | 2 +- .../Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf index 5965b7191..d3c57855f 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf @@ -1,6 +1,6 @@ resource "google_iam_oauth_client" "c" { project = "smooth-verve-467716-v1" - oauth_client_id = "example-client-id" + oauth_client_id = "c" display_name = "Secure OAuth Client" description = "Uses least privilege scopes" location = "global" diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf index ee6a28992..71b1ea382 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf 
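Review bot: `resource_value_name` for the organizations policy binding is set to `display_name`, while the folder binding in the same commit uses `policy_binding_id`; `display_name` is optional, mutable and not unique (this commit's own JSON marks it `security_impact: false`), so a binding declared without one reports an undefined name in policy findings and two bindings with the same label are indistinguishable in the output. `policy_binding_id` is the stable identifier and keeps the four `vars.rego` files consistent: `"resource_value_name": "policy_binding_id"`. The Location_Validation fixtures were changed to `display_name = "c"` / `display_name = "nc"` to match this choice, which masks the gap; with the identifier switched they can keep their existing `policy_binding_id` values instead.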
@@ -1,6 +1,6 @@ resource "google_iam_oauth_client" "nc" { project = "smooth-verve-467716-v1" - oauth_client_id = "example-client-id" + oauth_client_id = "nc" display_name = "Unsafe OAuth Client" description = "Uses overly broad scope" location = "global" diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf index 4fc34af7b..b93a02f29 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf @@ -1,6 +1,6 @@ resource "google_iam_oauth_client" "c" { project = "smooth-verve-467716-v1" - oauth_client_id = "secure-client-01" + oauth_client_id = "c" location = "global" client_type = "CONFIDENTIAL_CLIENT" diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf index b10dea308..226fe2ad2 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf @@ -1,6 +1,6 @@ resource "google_iam_oauth_client" "nc" { project = "smooth-verve-467716-v1" - oauth_client_id = "insecure-client-01" + oauth_client_id = "nc" location = "global" client_type = "CONFIDENTIAL_CLIENT" From 0185f7cd53cdabff2c89aa2e39f32cdcf23e2d46 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 17 May 2026 13:53:03 +1000 Subject: [PATCH 80/91] fix folder policy --- .../client_type_validation/c.tf | 6 ++---- .../client_type_validation/nc.tf | 12 +++++------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf index 77285331f..53102e456 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf 
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf @@ -1,12 +1,10 @@ resource "google_iam_oauth_client" "c" { oauth_client_id = "c" - display_name = "Valid OAuth Client" - description = "Compliant OAuth client configuration" location = "global" - disabled = false + allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] allowed_redirect_uris = ["https://www.example.com"] allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] + client_type = "CONFIDENTIAL_CLIENT" - project = "smooth-verve-467716-v1" } \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf index 1338e3474..499d2a8a9 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf @@ -1,12 +1,10 @@ -resource "google_iam_oauth_client" "nc" { +resource "google_iam_oauth_client" "c" { oauth_client_id = "nc" - display_name = "Invalid OAuth Client" - description = "Non-compliant OAuth client configuration" location = "global" - disabled = false + allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] allowed_redirect_uris = ["https://www.example.com"] allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - client_type = "INTERNAL_CLIENT" - project = "smooth-verve-467716-v1" -} \ No newline at end of file + + client_type = "CINTERNAL_CLIENT" +} From 02d35de993553edaa9b15323ccde2e9de21710dd Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Sun, 17 May 2026 13:55:47 +1000 Subject: [PATCH 81/91] fix folder policy --- .../client_type_validation/c.tf | 6 ++++-- .../client_type_validation/nc.tf | 12 +++++++----- 2 files changed, 11 insertions(+), 7 deletions(-) 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf index 53102e456..77285331f 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf @@ -1,10 +1,12 @@ resource "google_iam_oauth_client" "c" { oauth_client_id = "c" + display_name = "Valid OAuth Client" + description = "Compliant OAuth client configuration" location = "global" - + disabled = false allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] allowed_redirect_uris = ["https://www.example.com"] allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - client_type = "CONFIDENTIAL_CLIENT" + project = "smooth-verve-467716-v1" } \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf index 499d2a8a9..1338e3474 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf @@ -1,10 +1,12 @@ -resource "google_iam_oauth_client" "c" { +resource "google_iam_oauth_client" "nc" { oauth_client_id = "nc" + display_name = "Invalid OAuth Client" + description = "Non-compliant OAuth client configuration" location = "global" - + disabled = false allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"] allowed_redirect_uris = ["https://www.example.com"] allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"] - - client_type = "CINTERNAL_CLIENT" -} + client_type = "INTERNAL_CLIENT" + project = "smooth-verve-467716-v1" +} \ No newline at end of file From 62419882bcc0c96cd850d232db1a65e5558e3afc Mon Sep 17 00:00:00 2001 
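Review bot: After this hunk the compliant fixture for `client_type_validation` no longer sets `client_type` at all — the `- client_type = "CONFIDENTIAL_CLIENT"` line is replaced by the restored `+ project = ...` line — so the c.tf case exercises an absent attribute rather than the expected value, and it keeps passing even if the policy only flags a specific forbidden value or silently accepts a missing one. The nc.tf hunk in the same commit does set `client_type = "INTERNAL_CLIENT"`, so the pair no longer differs only in the attribute under test. Keep the explicit value in c.tf next to the restored `project` line: `client_type = "CONFIDENTIAL_CLIENT"`.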
From: 224774388deakin Date: Sun, 17 May 2026 14:01:25 +1000 Subject: [PATCH 82/91] fix folder policy --- .../location_validation/c.tf | 2 +- .../location_validation/nc.tf | 2 +- .../organization_validation/c.tf | 2 +- .../organization_validation/nc.tf | 2 +- .../google_iam_projects_policy_binding/location_validation/c.tf | 2 +- .../location_validation/nc.tf | 2 +- .../policy_kind_restriction/c.tf | 2 +- .../policy_kind_restriction/nc.tf | 2 +- .../project_principal_whitelist/c.tf | 2 +- .../project_principal_whitelist/nc.tf | 2 +- .../google_iam_principal_access_boundary_policy/vars.rego | 2 +- .../gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf index 875583dfa..e5f3bd2c2 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf @@ -1,7 +1,7 @@ resource "google_iam_principal_access_boundary_policy" "c" { organization = "123456789" location = "global" - display_name = "Compliant PAB Policy" + display_name = "c" principal_access_boundary_policy_id = "pab-policy-c" details { diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf index abd5e3366..07ca0c121 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf 
@@ -1,7 +1,7 @@ resource "google_iam_principal_access_boundary_policy" "nc" { organization = "123456789" location = "australia-southeast1" - display_name = "Non-Compliant PAB Policy" + display_name = "nc" principal_access_boundary_policy_id = "pab-policy-nc" details { diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf index 0a5c6e6a6..fd39e2169 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf @@ -1,6 +1,6 @@ resource "google_iam_principal_access_boundary_policy" "c" { organization = "PDE1" location = "global" - display_name = "PAB policy for Organization" + display_name = "c" principal_access_boundary_policy_id = "pab-policy-for-org" } \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf index 1e51b3543..16127f943 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf @@ -1,6 +1,6 @@ resource "google_iam_principal_access_boundary_policy" "nc" { organization = "234" location = "global" - display_name = "PAB policy for Organization" + display_name = "nc" principal_access_boundary_policy_id = "pab-policy-for-org" } \ No newline at end of file diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf index 987572b8f..1214f0350 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf 
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf @@ -3,7 +3,7 @@ resource "google_iam_projects_policy_binding" "c" { location = "global" display_name = "Valid Project Policy Binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" - policy_binding_id = "binding-project-c" + policy_binding_id = "c" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf index 4b8458ec4..26cda994d 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf @@ -3,7 +3,7 @@ resource "google_iam_projects_policy_binding" "nc" { location = "us-central1" display_name = "Invalid Project Policy Binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" - policy_binding_id = "binding-project-nc" + policy_binding_id = "nc" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf index f2889d23c..2f6d537a9 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf @@ -3,7 +3,7 @@ resource "google_iam_projects_policy_binding" "c" { location = "global" display_name = "secure-pab-binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" - policy_binding_id = "pde-secure-binding" + policy_binding_id = "c" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" 
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf index f43f4115e..0f53e0b0d 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf @@ -4,7 +4,7 @@ resource "google_iam_projects_policy_binding" "nc" { display_name = "insecure-access-binding" policy_kind = "ACCESS" - policy_binding_id = "pde-insecure-binding" + policy_binding_id = "nc" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf index 075f5f52e..951a29540 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf @@ -3,7 +3,7 @@ resource "google_iam_projects_policy_binding" "c" { location = "global" display_name = "approved-project-binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" - policy_binding_id = "pde-approved-binding" + policy_binding_id = "c" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf index d3a86f758..e62724c2d 100644 --- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf +++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf 
@@ -3,7 +3,7 @@ resource "google_iam_projects_policy_binding" "nc" { location = "global" display_name = "unapproved-project-binding" policy_kind = "PRINCIPAL_ACCESS_BOUNDARY" - policy_binding_id = "pde-unapproved-binding" + policy_binding_id = "nc" policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy" diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego index 7e8458ee6..8d65cc266 100644 --- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego +++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/vars.rego @@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_po variables := { "friendly_resource_name": "Cloud_IAM principal access boundary policy", "resource_type": "google_iam_principal_access_boundary_policy", - "resource_value_name": "name" + "resource_value_name": "display_name" } \ No newline at end of file diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego index fb7500c44..129d38066 100644 --- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego +++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego @@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars variables := { "friendly_resource_name": "Cloud_IAM project policy binding", "resource_type": "google_iam_projects_policy_binding", - "resource_value_name": "name" + "resource_value_name": " policy_binding_id" } \ No newline at end of file From bad6194b533594c4ef29f1d0c230a4876ccf6969 Mon Sep 17 00:00:00 2001 
From: 224774388deakin
Date: Sun, 17 May 2026 14:04:10 +1000
Subject: [PATCH 83/91] fix folder policy
---
 .../gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
index 129d38066..a0e2db25a 100644
--- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/vars.rego
@@ -3,5 +3,5 @@ package terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.vars
 variables := {
 "friendly_resource_name": "Cloud_IAM project policy binding",
 "resource_type": "google_iam_projects_policy_binding",
- "resource_value_name": " policy_binding_id"
+ "resource_value_name": "policy_binding_id"
 }
\ No newline at end of file
From 373a7d058da180d097f84c595e916bc406c2ed7b Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Wed, 20 May 2026 23:26:30 +1000
Subject: [PATCH 84/91] fix Json files
---
 .../gcp/Cloud_IAM/iam_folders_policy_binding.md | 10 +++++-----
 .../Cloud_IAM/iam_oauth_client_credential.md | 2 +-
 .../iam_organizations_policy_binding.md | 10 +++++-----
 .../Cloud_IAM/iam_projects_policy_binding.md | 8 ++++----
 .../iam_folders_policy_binding.json | 10 ++++++++++
 .../iam_oauth_client_credential.json | 2 ++
 .../iam_organizations_policy_binding.json | 10 ++++++++++
 .../iam_projects_policy_binding.json | 17 ++++++++++++++---
 8 files changed, 51 insertions(+), 18 deletions(-)
diff --git a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
index a20106813..1ed76e216 100644
--- a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
+++ b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
@@ -15,8 +15,8 @@ Reference: [Terraform Registry – iam_folders_policy_binding](https://registry. | `folder` | The parent folder for the PolicyBinding. | true | true | Restricts policy bindings to approved enterprise-managed folders. | folders/123456789 | folders/external-folder | | `location` | The location of the PolicyBinding. | true | true | Restricting location prevents cross-region policy sprawl and enforces governance boundaries. | global | us-central1 | | `policy_binding_id` | The Policy Binding ID. | true | true | Ensures traceability and prevents duplicate or unauthorized policy bindings. | pde-folder-binding-1 | test-binding | -| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Display name is used for operational readability and auditing purposes only. | | | -| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Annotations are metadata used for organization and tracking purposes and do not directly affect IAM enforcement. | | | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Display name is used for operational readability and auditing purposes only. | None | None | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. 
| false | false | Annotations are metadata used for organization and tracking purposes and do not directly affect IAM enforcement. | None | None | | `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Restricting policy kind prevents misuse of non-boundary IAM policies and reduces privilege escalation risk. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | | `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | true | Conditions can affect IAM authorization logic and access enforcement. | request.time < timestamp('2026-12-31T23:59:59Z') | true | 
@@ -31,6 +31,6 @@ Reference: [Terraform Registry – iam_folders_policy_binding](https://registry.
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | Controls authorization logic and access restrictions through CEL expressions. | request.auth != null | true |
-| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | Title is informational metadata only and does not affect IAM behavior. | | |
-| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | Description is informational metadata only and does not affect IAM enforcement. | | |
-| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | Location metadata is used only for debugging and error reporting. | | |
+| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | Title is informational metadata only and does not affect IAM behavior. | None | None |
+| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | Description is informational metadata only and does not affect IAM enforcement. | None | None |
+| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. 
| false | false | Location metadata is used only for debugging and error reporting. | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md index 8564fb682..922023cb4 100644 --- a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md +++ b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md 
@@ -14,5 +14,5 @@ Reference: [Terraform Registry – iam_oauth_client_credential](https://registry
 | `oauthclient` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | Ensures OAuth credential is correctly linked to a valid parent OAuth client to prevent unauthorized binding. | example-client-id | invalid-client |
 | `oauth_client_credential_id` | Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | true | Prevents use of reserved prefixes and ensures predictable, secure naming conventions. | cred-01a | gcp-cred-01a |
 | `disabled` | Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. | false | true | Disabled credentials reduce risk of unauthorized authentication usage. | False | True |
-| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | Used for readability and operational clarity only. | | |
+| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | Used for readability and operational clarity only. | None | None |
 | `project` | If it is not provided, the provider project is used. | false | true | Ensures correct project scoping for IAM isolation and prevents cross-project credential leakage. | smooth-verve-467716-v1 | |
diff --git a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md
index 7e0709976..56d3c3ede 100644
--- a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md
+++ b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md
@@ -15,8 +15,8 @@ Reference: [Terraform Registry – iam_organizations_policy_binding](https://reg | `organization` | The parent organization of the Policy Binding. | true | true | Ensures IAM governance is enforced at the correct organizational boundary. | 123456789 | 999999999 | | `location` | The location of the Policy Binding | true | true | Enforces centralized IAM policy binding control. | global | us-central1 | | `policy_binding_id` | The Policy Binding ID. | true | true | Ensures unique identification of IAM policy bindings. | org-binding-001 | invalid binding id!! | -| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Improves readability and auditability. | | | -| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Used for governance, metadata tagging, and tracking purposes only. | | | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Improves readability and auditability. | None | None | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Used for governance, metadata tagging, and tracking purposes only. | None | None | | `policy_kind` | Immutable. The kind of the policy to attach in this binding. 
This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Restricts IAM binding to secure boundary enforcement policies. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | | `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | true | Allows conditional IAM enforcement based on attributes and contextual access restrictions. | request.time < timestamp('2026-12-31T00:00:00Z') | true | 
@@ -31,6 +31,6 @@ Reference: [Terraform Registry – iam_organizations_policy_binding](https://reg
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | Controls IAM access behavior through conditional authorization logic. | request.time < timestamp('2026-12-31T00:00:00Z') | true |
-| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | Used only for readability and operational clarity. | | |
-| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | Provides human-readable explanation of the CEL condition only. | | |
-| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | Used for debugging and error reporting purposes only. | | |
+| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | Used only for readability and operational clarity. | None | None |
+| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | Provides human-readable explanation of the CEL condition only. | None | None |
+| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | Used for debugging and error reporting purposes only. | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md index feca64061..b284a8acf 100644 --- a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md +++ b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md @@ -30,7 +30,7 @@ Reference: [Terraform Registry – iam_projects_policy_binding](https://registry | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `expression` | CEL expression for conditional logic. | false | true | Controls conditional IAM enforcement. | | | -| `title` | Title of the condition. | false | false | | | | -| `description` | Description of the condition. | false | false | | | | -| `location` | Location of expression for debugging. | false | false | | | | +| `expression` | CEL expression for conditional logic. | false | true | Controls conditional IAM enforcement. | None | None | +| `title` | Title of the condition. | false | false | None | None | None | +| `description` | Description of the condition. | false | false | None | None | None | +| `location` | Location of expression for debugging. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json index 5d4b83240..3efa6c188 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json @@ -68,6 +68,8 @@ "required": false, "security_impact": false, "rationale": "Display name is used for operational readability and auditing purposes only.", + "compliant": null, + "non-compliant": null, "parent": null }, 
@@ -76,6 +78,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Annotations are metadata used for organization and tracking purposes and do not directly affect IAM enforcement.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
@@ -114,6 +118,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Title is informational metadata only and does not affect IAM behavior.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 },
@@ -122,6 +128,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Description is informational metadata only and does not affect IAM enforcement.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 },
@@ -130,6 +138,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Location metadata is used only for debugging and error reporting.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 }
 }
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
index bc54531e3..982ab6f95 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
@@ -47,6 +47,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Used for readability and operational clarity only.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json
index a200689e1..fba33985f 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json
@@ -68,6 +68,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Improves readability and auditability.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
@@ -76,6 +78,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Used for governance, metadata tagging, and tracking purposes only.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
@@ -113,6 +117,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Used only for readability and operational clarity.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 },
@@ -121,6 +127,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Provides human-readable explanation of the CEL condition only.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 },
@@ -129,6 +137,8 @@
 "required": false,
 "security_impact": false,
 "rationale": "Used for debugging and error reporting purposes only.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 }
 }
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
index 1a60799cf..888d893d3 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
@@ -109,24 +109,35 @@
 "required": false,
 "security_impact": true,
 "rationale": "Controls conditional IAM enforcement.",
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 },
 "title": {
 "description": "Title of the condition.",
- "required": false,
- "security_impact": false,
+ "required": false,
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 },
 "description": {
 "description": "Description of the condition.",
 "required": false,
- "security_impact": false,
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 },
 "location": {
 "description": "Location of expression for debugging.",
 "required": false,
 "security_impact": false,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": "condition"
 }
 }
From c6a620954aca25e9d547b31a8262c4d1041f6f0e Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Thu, 21 May 2026 00:17:31 +1000
Subject: [PATCH 85/91] fix Json files
---
 docs/gcp/Cloud_IAM/iam_oauth_client.md | 18 ++++-----
 .../iam_principal_access_boundary_policy.md | 18 ++++-----
 .../Cloud_IAM/iam_projects_policy_binding.md | 26 ++++++------
 .../iam_folders_policy_binding.json | 12 ------
 .../resource_json/iam_oauth_client.json | 29 +++++---------
 .../iam_oauth_client_credential.json | 7 +---
 .../iam_organizations_policy_binding.json | 13 +----
 .../iam_principal_access_boundary_policy.json | 22 +++++-----
 .../iam_projects_policy_binding.json | 40 ++++++++----------
 9 files changed, 72 insertions(+), 113 deletions(-)
diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client.md b/docs/gcp/Cloud_IAM/iam_oauth_client.md
index d771448bf..ae332d132 100644
--- a/docs/gcp/Cloud_IAM/iam_oauth_client.md
+++ b/docs/gcp/Cloud_IAM/iam_oauth_client.md
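Review bot: In the `title` and `description` entries of this hunk, `security_impact` changes from `false` to `null` and `rationale` is added as `null`, while the sibling `location` entry keeps `"security_impact": false` and this same commit's Markdown table for iam_projects_policy_binding.md (the `@@ -30,7 +30,7 @@` hunk above) lists all three condition fields as `false`. Any consumer of these resource JSON files that keys on the boolean, or that treats anything other than `false` as security-relevant, will now classify the two fields differently from the Markdown. Keep the boolean and give the metadata fields the wording the organizations file already uses: `"security_impact": false,` and `"rationale": "Used only for readability and operational clarity.",`. The `- "required": false,` / `+ "required": false,` pair under `title` appears to differ only in whitespace and is best dropped from the change.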
@@ -10,13 +10,13 @@ Reference: [Terraform Registry – iam_oauth_client](https://registry.terraform.
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `allowed_scopes` | Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. | true | true | Restricting scopes enforces least privilege OAuth access and prevents over-permissioned identity delegation. | ['openid', 'email', 'groups'] | ['https://www.googleapis.com/auth/cloud-platform'] |
+| `allowed_scopes` | Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. * `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups. | true | true | Restricting scopes enforces least privilege OAuth access and prevents over-permissioned identity delegation. | ['openid', 'email', 'groups'] | ['https://www.googleapis.com/auth/cloud-platform'] |
 | `allowed_grant_types` | Required. The list of OAuth grant types is allowed for the OauthClient. | true | true | Ensures only approved OAuth flows are used to prevent insecure authentication mechanisms. | ['AUTHORIZATION_CODE_GRANT'] | ['IMPLICIT_GRANT'] |
-| `allowed_redirect_uris` | Required. The list of redirect URIs allowed after OAuth authentication. | true | true | Prevents open redirect attacks and ensures tokens are only sent to trusted endpoints. | ['https://www.example.com/callback'] | ['http://evil.com'] |
-| `location` | Resource ID segment making up resource name. | true | true | OAuth clients must be deployed in global scope to ensure consistent IAM enforcement. | global | us-central1 |
-| `oauth_client_id` | Required. The ID used for the OauthClient resource. | true | true | Ensures predictable naming and avoids reserved prefix misuse. | example-client-01 | gcp-client-01 |
-| `disabled` | Whether the OauthClient is disabled. | false | true | Disabled clients cannot be used, reducing attack surface when not in use. | False | True |
-| `display_name` | Human-readable name of the OAuth client. | false | false | Used only for identification purposes. | Enterprise OAuth Client | Very Long Invalid Name That Exceeds Limits |
-| `description` | Description of the OAuth client. | false | false | Provides documentation for audit and governance. | OAuth client for enterprise login | test |
-| `client_type` | Type of OAuth client. | false | true | Restricts OAuth clients to approved secure types only. | ['PUBLIC_CLIENT', 'CONFIDENTIAL_CLIENT'] | ['INTERNAL_CLIENT'] |
-| `project` | Project where the resource is created. | false | true | Ensures correct project-level IAM isolation. | smooth-verve-467716-v1 | |
+| `allowed_redirect_uris` | Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. | true | true | Prevents open redirect attacks and ensures tokens are only sent to trusted endpoints. | ['https://www.example.com/callback'] | ['http://evil.com'] |
+| `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | OAuth clients must be deployed in global scope to ensure consistent IAM enforcement. | global | us-central1 |
+| `oauth_client_id` | Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | true | Ensures predictable naming and avoids reserved prefix misuse. | example-client-01 | gcp-client-01 |
+| `disabled` | Whether the OauthClient is disabled. You cannot use a disabled OAuth client. | false | true | Disabled clients cannot be used, reducing attack surface when not in use. | False | True |
+| `display_name` | A user-specified display name of the OauthClient. Cannot exceed 32 characters. | false | false | Used only for identification purposes. | Enterprise OAuth Client | Very Long Invalid Name That Exceeds Limits |
+| `description` | A user-specified description of the OauthClient. Cannot exceed 256 characters. | false | false | Provides documentation for audit and governance. | OAuth client for enterprise login | test |
+| `client_type` | Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. Possible values: CLIENT_TYPE_UNSPECIFIED PUBLIC_CLIENT CONFIDENTIAL_CLIENT | false | true | Restricts OAuth clients to approved secure types only. | ['PUBLIC_CLIENT', 'CONFIDENTIAL_CLIENT'] | ['INTERNAL_CLIENT'] |
+| `project` | If it is not provided, the provider project is used. | false | true | Ensures correct project-level IAM isolation. | smooth-verve-467716-v1 | |
 
diff --git a/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
index 8b2198034..1efdf670a 100644
--- a/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
+++ b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
@@ -12,23 +12,23 @@ Reference: [Terraform Registry – iam_principal_access_boundary_policy](https:/
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
 | `organization` | The parent organization of the principal access boundary policy. | true | true | Restricting policies to approved organizations ensures IAM governance boundaries and prevents cross-tenant privilege escalation. | PDE1, PDE2, PDE3 | random-org-123 |
 | `location` | The location the principal access boundary policy is in. | true | true | Enforcing global location ensures consistent IAM policy enforcement and avoids regional misconfiguration risks. | global | us-central1 |
-| `principal_access_boundary_policy_id` | The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. | true | false | Ensures consistent naming conventions for policy identification and avoids invalid resource creation. | pab-policy-01 | PAB_POLICY_01 |
+| `principal_access_boundary_policy_id` | The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/. | true | false | Ensures consistent naming conventions for policy identification and avoids invalid resource creation. | pab-policy-01 | PAB_POLICY_01 |
 | `display_name` | The description of the principal access boundary policy. Must be less than or equal to 63 characters. | false | false | None | Standard Access Boundary Policy | Very long or unclear name exceeding limits |
-| `annotations` | User defined annotations for metadata tagging and governance tracking. | false | false | Used for auditability and classification of IAM policies. | env=prod, owner=security-team | free-form or unstructured metadata |
-| `details` | Principal access boundary policy details. | false | true | Defines enforcement rules that restrict principal access to approved resources. | | |
-| `rules` | Policy rules defining access boundaries for principals. | true | true | Rules define the actual enforcement of access boundaries across resources. | | |
+| `annotations` | User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Used for auditability and classification of IAM policies. | env=prod, owner=security-team | free-form or unstructured metadata |
+| `details` | Principal access boundary policy details Structure is [documented below](#nested_details). | false | true | Defines enforcement rules that restrict principal access to approved resources. | None | None |
+| `rules` | | true | true | Rules define the actual enforcement of access boundaries across resources. | None | None |
 
 ### details Block
 
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `rules` | A list of principal access boundary policy rules. | true | true | Rules define which resources principals can access under the boundary policy. | ALLOW only approved organizations/projects/folders | ALLOW all or overly broad resources |
-| `enforcement_version` | Version of enforcement for Google Cloud services included in policy. | false | false | Ensures controlled rollout of enforcement changes across services. | latest or pinned version | empty or unmanaged versioning |
+| `rules` | A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is [documented below](#nested_details_rules). | true | true | Rules define which resources principals can access under the boundary policy. | ALLOW only approved organizations/projects/folders | ALLOW all or overly broad resources |
+| `enforcement_version` | The version number that indicates which Google Cloud services are included in the enforcement (e.g. \"latest\", \"1\", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released. | false | false | Ensures controlled rollout of enforcement changes across services. | latest or pinned version | empty or unmanaged versioning |
 
 ### rules Block
 
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `description` | The description of the principal access boundary policy rule. | false | false | None | Allow access to approved project set only | Unrestricted or vague rule description |
-| `resources` | Cloud Resource Manager resources included in this rule. | true | true | Restricts access to approved organizations, folders, or projects only. | ['//cloudresourcemanager.googleapis.com/organizations/123', '//cloudresourcemanager.googleapis.com/folders/123', '//cloudresourcemanager.googleapis.com/projects/approved-project'] | ['//cloudresourcemanager.googleapis.com/projects/*'] |
-| `effect` | The access relationship of principals to resources. | true | true | Defines whether access is allowed under the boundary policy. | ALLOW | DENY or undefined behavior |
+| `description` | The description of the principal access boundary policy rule. Must be less than or equal to 256 characters. | false | false | None | Allow access to approved project set only | Unrestricted or vague rule description |
+| `resources` | A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`. | true | true | Restricts access to approved organizations, folders, or projects only. | ['//cloudresourcemanager.googleapis.com/organizations/123', '//cloudresourcemanager.googleapis.com/folders/123', '//cloudresourcemanager.googleapis.com/projects/approved-project'] | ['//cloudresourcemanager.googleapis.com/projects/*'] |
+| `effect` | The access relationship of principals to the resources in this rule. Possible values: ALLOW | true | true | Defines whether access is allowed under the boundary policy. | ALLOW | DENY or undefined behavior |
diff --git a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
index b284a8acf..df6503a6a 100644
--- a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
+++ b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
@@ -10,27 +10,27 @@ Reference: [Terraform Registry – iam_projects_policy_binding](https://registry
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. | true | true | Restricts policy binding scope to approved project principals only, preventing unauthorized identity binding. | ['//cloudresourcemanager.googleapis.com/projects/approved-project-1', '//cloudresourcemanager.googleapis.com/projects/approved-project-2'] | ['//cloudresourcemanager.googleapis.com/projects/*', '//cloudresourcemanager.googleapis.com/projects/external-project'] |
-| `policy` | The resource name of the policy to be bound. | true | true | Ensures only approved IAM boundary policies are attached to projects. | organizations/123456789/locations/global/principalAccessBoundaryPolicies/approved-policy | organizations/123456789/locations/global/principalAccessBoundaryPolicies/unapproved-policy |
-| `location` | The location of the Policy Binding. | true | true | Enforcing global location ensures consistent IAM policy application across projects and prevents regional drift. | global | us-central1 |
+| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | true | Restricts policy binding scope to approved project principals only, preventing unauthorized identity binding. | ['//cloudresourcemanager.googleapis.com/projects/approved-project-1', '//cloudresourcemanager.googleapis.com/projects/approved-project-2'] | ['//cloudresourcemanager.googleapis.com/projects/*', '//cloudresourcemanager.googleapis.com/projects/external-project'] |
+| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures only approved IAM boundary policies are attached to projects. | organizations/123456789/locations/global/principalAccessBoundaryPolicies/approved-policy | organizations/123456789/locations/global/principalAccessBoundaryPolicies/unapproved-policy |
+| `location` | The location of the Policy Binding | true | true | Enforcing global location ensures consistent IAM policy application across projects and prevents regional drift. | global | us-central1 |
 | `policy_binding_id` | The Policy Binding ID. | true | false | Ensures consistent naming and traceability of policy bindings. | project-binding-01 | INVALID_BINDING |
-| `display_name` | Optional description of the policy binding. | false | false | Used for human-readable identification only. | Project IAM Binding Policy | Very long or unclear name exceeding limits |
-| `annotations` | User-defined metadata annotations. | false | false | Used for tagging, auditing, and governance tracking. | env=prod, team=security | random unstructured metadata |
-| `policy_kind` | The kind of policy to attach in this binding. | false | true | Ensures only Principal Access Boundary policies are enforced for security isolation. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS, POLICY_KIND_UNSPECIFIED |
-| `condition` | CEL expression controlling conditional policy binding. | false | true | Allows fine-grained IAM control based on runtime conditions. | document.type != 'internal' | true (unrestricted access) |
-| `project` | The project where the policy binding is applied. | false | true | Ensures correct project-level IAM isolation and prevents cross-project misconfiguration. | approved-project-id | external-project-id |
+| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Used for human-readable identification only. | Project IAM Binding Policy | Very long or unclear name exceeding limits |
+| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Used for tagging, auditing, and governance tracking. | env=prod, team=security | random unstructured metadata |
+| `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Ensures only Principal Access Boundary policies are enforced for security isolation. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS, POLICY_KIND_UNSPECIFIED |
+| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | true | Allows fine-grained IAM control based on runtime conditions. | document.type != 'internal' | true (unrestricted access) |
+| `project` | If it is not provided, the provider project is used. | false | true | Ensures correct project-level IAM isolation and prevents cross-project misconfiguration. | approved-project-id | external-project-id |
 
 ### target Block
 
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `principal_set` | Full resource name of the principal set used for IAM policy binding. | false | true | Ensures only approved project-level principals can be assigned IAM boundaries. | ['//cloudresourcemanager.googleapis.com/projects/approved-project-1', '//cloudresourcemanager.googleapis.com/projects/approved-project-2'] | ['//cloudresourcemanager.googleapis.com/projects/*', '//cloudresourcemanager.googleapis.com/projects/external-*'] |
+| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Project: * `//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER` * `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID` * Workload Identity Pool: `//iam.googleapis.com/projects/PROJECT_NUMBER/locations/LOCATION/workloadIdentityPools/WORKLOAD_POOL_ID` It must be parent by the policy binding's parent (the project). | false | true | Ensures only approved project-level principals can be assigned IAM boundaries. | ['//cloudresourcemanager.googleapis.com/projects/approved-project-1', '//cloudresourcemanager.googleapis.com/projects/approved-project-2'] | ['//cloudresourcemanager.googleapis.com/projects/*', '//cloudresourcemanager.googleapis.com/projects/external-*'] |
 
 ### condition Block
 
 | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
 |----------|-------------|----------|-----------------|-----------|-----------|---------------|
-| `expression` | CEL expression for conditional logic. | false | true | Controls conditional IAM enforcement. | None | None |
-| `title` | Title of the condition. | false | false | None | None | None |
-| `description` | Description of the condition. | false | false | None | None | None |
-| `location` | Location of expression for debugging. | false | false | None | None | None |
+| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | Controls conditional IAM enforcement. | None | None |
+| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None |
+| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None |
+| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None |
 
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
index 3efa6c188..79f35e43b 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
@@ -22,7 +22,6 @@
 }
 }
 },
-
 "policy": {
 "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).",
 "required": true,
@@ -32,7 +31,6 @@
 "non-compliant": "organizations/999999999/locations/global/principalAccessBoundaryPolicies/unapproved-policy",
 "parent": null
 },
-
 "folder": {
 "description": "The parent folder for the PolicyBinding.",
 "required": true,
@@ -42,7 +40,6 @@
 "non-compliant": "folders/external-folder",
 "parent": null
 },
-
 "location": {
 "description": "The location of the PolicyBinding.",
 "required": true,
@@ -52,7 +49,6 @@
 "non-compliant": "us-central1",
 "parent": null
 },
-
 "policy_binding_id": {
 "description": "The Policy Binding ID.",
 "required": true,
@@ -62,7 +58,6 @@
 "non-compliant": "test-binding",
 "parent": null
 },
-
 "display_name": {
 "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.",
 "required": false,
@@ -72,7 +67,6 @@
 "non-compliant": null,
 "parent": null
 },
-
 "annotations": {
 "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.",
 "required": false,
@@ -82,7 +76,6 @@
 "non-compliant": null,
 "parent": null
 },
-
 "policy_kind": {
 "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS",
 "required": false,
@@ -92,7 +85,6 @@
 "non-compliant": "ACCESS",
 "parent": null
 },
-
 "condition": {
 "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).",
 "required": false,
@@ -101,7 +93,6 @@
 "compliant": "request.time < timestamp('2026-12-31T23:59:59Z')",
 "non-compliant": "true",
 "parent": null,
-
 "arguments": {
 "expression": {
 "description": "Textual representation of an expression in Common Expression Language syntax.",
@@ -112,7 +103,6 @@
 "non-compliant": "true",
 "parent": "condition"
 },
-
 "title": {
 "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.",
 "required": false,
@@ -122,7 +112,6 @@
 "non-compliant": null,
 "parent": "condition"
 },
-
 "description": {
 "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.",
 "required": false,
@@ -132,7 +121,6 @@
 "non-compliant": null,
 "parent": "condition"
 },
-
 "location": {
 "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.",
 "required": false,
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
index 904fcfa6e..7f2296277 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
@@ -3,7 +3,7 @@
 "subcategory": "Cloud IAM",
 "arguments": {
 "allowed_scopes": {
- "description": "Required. The list of scopes that the OauthClient is allowed to request during OAuth flows.",
+ "description": "Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. * `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups.",
 "required": true,
 "security_impact": true,
 "rationale": "Restricting scopes enforces least privilege OAuth access and prevents over-permissioned identity delegation.",
@@ -11,7 +11,6 @@
 "non-compliant": ["https://www.googleapis.com/auth/cloud-platform"],
 "parent": null
 },
-
 "allowed_grant_types": {
 "description": "Required. The list of OAuth grant types is allowed for the OauthClient.",
 "required": true,
@@ -21,9 +20,8 @@ "non-compliant": ["IMPLICIT_GRANT"], "parent": null }, - "allowed_redirect_uris": { - "description": "Required. The list of redirect URIs allowed after OAuth authentication.", + "description": "Required. The list of redirect uris that is allowed to redirect back when authorization process is completed.", "required": true, "security_impact": true, "rationale": "Prevents open redirect attacks and ensures tokens are only sent to trusted endpoints.", @@ -31,9 +29,8 @@ "non-compliant": ["http://evil.com"], "parent": null }, - "location": { - "description": "Resource ID segment making up resource name.", + "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.", "required": true, "security_impact": true, "rationale": "OAuth clients must be deployed in global scope to ensure consistent IAM enforcement.", @@ -41,9 +38,8 @@ "non-compliant": "us-central1", "parent": null }, - "oauth_client_id": { - "description": "Required. The ID used for the OauthClient resource.", + "description": "Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified.", "required": true, "security_impact": true, "rationale": "Ensures predictable naming and avoids reserved prefix misuse.", @@ -51,9 +47,8 @@ "non-compliant": "gcp-client-01", "parent": null }, - "disabled": { - "description": "Whether the OauthClient is disabled.", + "description": "Whether the OauthClient is disabled. You cannot use a disabled OAuth client.", "required": false, "security_impact": true, "rationale": "Disabled clients cannot be used, reducing attack surface when not in use.", 
@@ -61,9 +56,8 @@ "non-compliant": true, "parent": null }, - "display_name": { - "description": "Human-readable name of the OAuth client.", + "description": "A user-specified display name of the OauthClient. Cannot exceed 32 characters.", "required": false, "security_impact": false, "rationale": "Used only for identification purposes.", @@ -71,9 +65,8 @@ "non-compliant": "Very Long Invalid Name That Exceeds Limits", "parent": null }, - "description": { - "description": "Description of the OAuth client.", + "description": "A user-specified description of the OauthClient. Cannot exceed 256 characters.", "required": false, "security_impact": false, "rationale": "Provides documentation for audit and governance.", @@ -81,9 +74,8 @@ "non-compliant": "test", "parent": null }, - "client_type": { - "description": "Type of OAuth client.", + "description": "Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. Possible values: CLIENT_TYPE_UNSPECIFIED PUBLIC_CLIENT CONFIDENTIAL_CLIENT", "required": false, "security_impact": true, "rationale": "Restricts OAuth clients to approved secure types only.", @@ -91,10 +83,9 @@ "non-compliant": ["INTERNAL_CLIENT"], "parent": null }, - "project": { - "description": "Project where the resource is created.", - "required": false, + "description": "If it is not provided, the provider project is used.", + "required": null, "security_impact": true, "rationale": "Ensures correct project-level IAM isolation.", "compliant": "smooth-verve-467716-v1", diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json index 982ab6f95..7dbbd3d65 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json 
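Review bot: `project` loses its boolean `required` flag in the `@@ -91,10 +83,9 @@` hunk (`"required": false` becomes `"required": null`), while every other argument in the file keeps `true`/`false`; the new description, "If it is not provided, the provider project is used", describes an optional argument, so `"required": false,` should stay. The same flip is made to `project` in iam_oauth_client_credential.json and iam_projects_policy_binding.json, where `condition.location` also moves `security_impact` from `false` to `null`; tooling that reads these fields as booleans will treat null as missing, not as "no". Separately, the new `client_type` description lists `CLIENT_TYPE_UNSPECIFIED PUBLIC_CLIENT CONFIDENTIAL_CLIENT` as the possible values, yet the non-compliant example on the unchanged line is still `["INTERNAL_CLIENT"]`, a list holding a value the provider would reject before any policy ran; a negative example drawn from the real enum (presumably `"non-compliant": "PUBLIC_CLIENT"`, if confidential clients are the approved type) would actually exercise the check.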
@@ -11,7 +11,6 @@ "non-compliant": "us-central1", "parent": null }, - "oauthclient": { "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.", "required": true, @@ -21,7 +20,6 @@ "non-compliant": "invalid-client", "parent": null }, - "oauth_client_credential_id": { "description": "Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.", "required": true, @@ -31,7 +29,6 @@ "non-compliant": "gcp-cred-01a", "parent": null }, - "disabled": { "description": "Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential.", "required": false, @@ -41,7 +38,6 @@ "non-compliant": true, "parent": null }, - "display_name": { "description": "A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters.", "required": false, @@ -51,10 +47,9 @@ "non-compliant": null, "parent": null }, - "project": { "description": "If it is not provided, the provider project is used.", - "required": false, + "required": null, "security_impact": true, "rationale": "Ensures correct project scoping for IAM isolation and prevents cross-project credential leakage.", "compliant": "smooth-verve-467716-v1", diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json index fba33985f..f00a93b2c 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json 
@@ -22,7 +22,6 @@ } } }, - "policy": { "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).", "required": true, @@ -32,7 +31,6 @@ "non-compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/unknown-policy", "parent": null }, - "organization": { "description": "The parent organization of the Policy Binding.", "required": true, @@ -42,7 +40,6 @@ "non-compliant": "999999999", "parent": null }, - "location": { "description": "The location of the Policy Binding", "required": true, @@ -52,7 +49,6 @@ "non-compliant": "us-central1", "parent": null }, - "policy_binding_id": { "description": "The Policy Binding ID.", "required": true, @@ -62,7 +58,6 @@ "non-compliant": "invalid binding id!!", "parent": null }, - "display_name": { "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.", "required": false, @@ -72,7 +67,6 @@ "non-compliant": null, "parent": null }, - "annotations": { "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", "required": false, @@ -82,7 +76,6 @@ "non-compliant": null, "parent": null }, - "policy_kind": { "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS", "required": false, 
@@ -92,7 +85,6 @@ "non-compliant": "ACCESS", "parent": null }, - "condition": { "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).", "required": false, @@ -111,7 +103,6 @@ "non-compliant": "true", "parent": "condition" }, - "title": { "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", "required": false, 
@@ -121,17 +112,15 @@ "non-compliant": null, "parent": "condition" }, - "description": { "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.", "required": false, - "security_impact": false, + "security_impact": false, "rationale": "Provides human-readable explanation of the CEL condition only.", "compliant": null, "non-compliant": null, "parent": "condition" }, - "location": { "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.", "required": false, diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json index 2f36bbfbe..fd11f7e9b 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json @@ -21,7 +21,7 @@ "parent": null }, "principal_access_boundary_policy_id": { - "description": "The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots.", + "description": "The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.", "required": true, "security_impact": false, "rationale": "Ensures consistent naming conventions for policy identification and avoids invalid resource creation.", 
@@ -39,7 +39,7 @@ "parent": null }, "annotations": { - "description": "User defined annotations for metadata tagging and governance tracking.", + "description": "User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", "required": false, "security_impact": false, "rationale": "Used for auditability and classification of IAM policies.", @@ -48,14 +48,16 @@ "parent": null }, "details": { - "description": "Principal access boundary policy details.", + "description": "Principal access boundary policy details Structure is [documented below](#nested_details).", "required": false, "security_impact": true, "rationale": "Defines enforcement rules that restrict principal access to approved resources.", + "compliant": null, + "non-compliant": null, "parent": null, "arguments": { "rules": { - "description": "A list of principal access boundary policy rules.", + "description": "A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is [documented below](#nested_details_rules).", "required": true, "security_impact": true, "rationale": "Rules define which resources principals can access under the boundary policy.", 
@@ -64,7 +66,7 @@ "parent": "details" }, "enforcement_version": { - "description": "Version of enforcement for Google Cloud services included in policy.", + "description": "The version number that indicates which Google Cloud services are included in the enforcement (e.g. \\\"latest\\\", \\\"1\\\", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.", "required": false, "security_impact": false, "rationale": "Ensures controlled rollout of enforcement changes across services.", @@ -75,14 +77,16 @@ } }, "rules": { - "description": "Policy rules defining access boundaries for principals.", + "description": "", "required": true, "security_impact": true, "rationale": "Rules define the actual enforcement of access boundaries across resources.", + "compliant": null, + "non-compliant": null, "parent": null, "arguments": { "description": { - "description": "The description of the principal access boundary policy rule.", + "description": "The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.", "required": false, "security_impact": false, "rationale": null, 
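Review bot: The top-level `rules` argument's description is blanked to `"description": "",` in the `@@ -75,14 +77,16 @@` hunk, which removes the only explanation of a `security_impact: true` field and will show up as an empty cell in the generated table. The `details.rules` entry in the previous hunk already carries the upstream text, so the same string can be used here: `"description": "A list of principal access boundary policy rules. The number of rules in a policy is limited to 500.",`. If this entry exists only to hold the nested argument definitions, say so instead, e.g. `"description": "Nested block of details; see details.rules.",` rather than leaving it empty.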
@@ -91,7 +95,7 @@ "parent": "rules" }, "resources": { - "description": "Cloud Resource Manager resources included in this rule.", + "description": "A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`.", "required": true, "security_impact": true, "rationale": "Restricts access to approved organizations, folders, or projects only.", @@ -106,7 +110,7 @@ "parent": "rules" }, "effect": { - "description": "The access relationship of principals to resources.", + "description": "The access relationship of principals to the resources in this rule. Possible values: ALLOW", "required": true, "security_impact": true, "rationale": "Defines whether access is allowed under the boundary policy.", diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json index 888d893d3..83f4abcfd 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json 
@@ -3,7 +3,7 @@ "subcategory": "Cloud IAM", "arguments": { "target": { - "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set.", + "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target).", "required": true, "security_impact": true, "rationale": "Restricts policy binding scope to approved project principals only, preventing unauthorized identity binding.", @@ -18,7 +18,7 @@ "parent": null, "arguments": { "principal_set": { - "description": "Full resource name of the principal set used for IAM policy binding.", + "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Project: * `//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER` * `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID` * Workload Identity Pool: `//iam.googleapis.com/projects/PROJECT_NUMBER/locations/LOCATION/workloadIdentityPools/WORKLOAD_POOL_ID` It must be parent by the policy binding's parent (the project).", "required": false, "security_impact": true, "rationale": "Ensures only approved project-level principals can be assigned IAM boundaries.", @@ -34,9 +34,8 @@ } } }, - "policy": { - "description": "The resource name of the policy to be bound.", + "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).", "required": true, "security_impact": true, "rationale": "Ensures only approved IAM boundary policies are attached to projects.", 
@@ -44,9 +43,8 @@ "non-compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/unapproved-policy", "parent": null }, - "location": { - "description": "The location of the Policy Binding.", + "description": "The location of the Policy Binding", "required": true, "security_impact": true, "rationale": "Enforcing global location ensures consistent IAM policy application across projects and prevents regional drift.", @@ -54,7 +52,6 @@ "non-compliant": "us-central1", "parent": null }, - "policy_binding_id": { "description": "The Policy Binding ID.", "required": true, @@ -64,9 +61,8 @@ "non-compliant": "INVALID_BINDING", "parent": null }, - "display_name": { - "description": "Optional description of the policy binding.", + "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.", "required": false, "security_impact": false, "rationale": "Used for human-readable identification only.", @@ -74,9 +70,8 @@ "non-compliant": "Very long or unclear name exceeding limits", "parent": null }, - "annotations": { - "description": "User-defined metadata annotations.", + "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", "required": false, "security_impact": false, "rationale": "Used for tagging, auditing, and governance tracking.", 
@@ -84,9 +79,8 @@ "non-compliant": "random unstructured metadata", "parent": null }, - "policy_kind": { - "description": "The kind of policy to attach in this binding.", + "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS", "required": false, "security_impact": true, "rationale": "Ensures only Principal Access Boundary policies are enforced for security isolation.", 
@@ -94,9 +88,8 @@ "non-compliant": "ACCESS, POLICY_KIND_UNSPECIFIED", "parent": null }, - "condition": { - "description": "CEL expression controlling conditional policy binding.", + "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).", "required": false, "security_impact": true, "rationale": "Allows fine-grained IAM control based on runtime conditions.", @@ -105,7 +98,7 @@ "parent": null, "arguments": { "expression": { - "description": "CEL expression for conditional logic.", + "description": "Textual representation of an expression in Common Expression Language syntax.", "required": false, "security_impact": true, "rationale": "Controls conditional IAM enforcement.", 
@@ -114,8 +107,8 @@ "parent": "condition" }, "title": { - "description": "Title of the condition.", - "required": false, + "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", + "required": false, "security_impact": null, "rationale": null, "compliant": null, @@ -123,7 +116,7 @@ "parent": "condition" }, "description": { - "description": "Description of the condition.", + "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.", "required": false, "security_impact": null, "rationale": null, @@ -132,9 +125,9 @@ "parent": "condition" }, "location": { - "description": "Location of expression for debugging.", + "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.", "required": false, - "security_impact": false, + "security_impact": null, "rationale": null, "compliant": null, "non-compliant": null, @@ -142,10 +135,9 @@ } } }, - "project": { - "description": "The project where the policy binding is applied.", - "required": false, + "description": "If it is not provided, the provider project is used.", + "required": null, "security_impact": true, "rationale": "Ensures correct project-level IAM isolation and prevents cross-project misconfiguration.", "compliant": "approved-project-id", From f24c19a0f136d2aae8440586504de88c57171072 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Thu, 21 May 2026 00:26:28 +1000 Subject: [PATCH 86/91] fix Json files --- docs/gcp/Cloud_IAM/iam_oauth_client.md | 2 +- docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json | 6 +++--- .../google_iam_oauth_client/location_validation/c.tf | 8 ++++---- .../google_iam_oauth_client/location_validation/nc.tf | 2 +- .../location_validation/policy.rego | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) 
diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client.md b/docs/gcp/Cloud_IAM/iam_oauth_client.md
index ae332d132..da2264108 100644
--- a/docs/gcp/Cloud_IAM/iam_oauth_client.md
+++ b/docs/gcp/Cloud_IAM/iam_oauth_client.md
@@ -13,7 +13,7 @@ Reference: [Terraform Registry – iam_oauth_client](https://registry.terraform. | `allowed_scopes` | Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. * `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups. | true | true | Restricting scopes enforces least privilege OAuth access and prevents over-permissioned identity delegation. | ['openid', 'email', 'groups'] | ['https://www.googleapis.com/auth/cloud-platform'] | | `allowed_grant_types` | Required. The list of OAuth grant types is allowed for the OauthClient. | true | true | Ensures only approved OAuth flows are used to prevent insecure authentication mechanisms. | ['AUTHORIZATION_CODE_GRANT'] | ['IMPLICIT_GRANT'] | | `allowed_redirect_uris` | Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. | true | true | Prevents open redirect attacks and ensures tokens are only sent to trusted endpoints. | ['https://www.example.com/callback'] | ['http://evil.com'] | -| `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | OAuth clients must be deployed in global scope to ensure consistent IAM enforcement. | global | us-central1 | +| `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. 
| true | true | OAuth clients must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | ['australia-southeast1', 'australia-southeast2'] | global | | `oauth_client_id` | Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | true | Ensures predictable naming and avoids reserved prefix misuse. | example-client-01 | gcp-client-01 | | `disabled` | Whether the OauthClient is disabled. You cannot use a disabled OAuth client. | false | true | Disabled clients cannot be used, reducing attack surface when not in use. | False | True | | `display_name` | A user-specified display name of the OauthClient. Cannot exceed 32 characters. | false | false | Used only for identification purposes. | Enterprise OAuth Client | Very Long Invalid Name That Exceeds Limits | diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json index 7f2296277..71a128b52 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json 
@@ -33,9 +33,9 @@
 "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.",
 "required": true,
 "security_impact": true,
- "rationale": "OAuth clients must be deployed in global scope to ensure consistent IAM enforcement.",
- "compliant": "global",
- "non-compliant": "us-central1",
+ "rationale": "OAuth clients must be deployed only in approved Australian regions to meet organizational residency and compliance requirements.",
+ "compliant": ["australia-southeast1", "australia-southeast2"],
+ "non-compliant": "global",
 "parent": null
 },
 "oauth_client_id": {
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf
index 1de544225..bf7d40497 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/c.tf
@@ -1,12 +1,12 @@
 resource "google_iam_oauth_client" "c" {
- oauth_client_id = "c"
+ oauth_client_id = "example-client-01"
 display_name = "Valid OAuth Client"
 description = "Compliant OAuth client"
- location = "global"
+ location = "australia-southeast2"
 disabled = false
 allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
- allowed_redirect_uris = ["https://www.example.com"]
- allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ allowed_redirect_uris = ["https://www.example.com/callback"]
+ allowed_scopes = ["openid", "email", "groups"]
 client_type = "CONFIDENTIAL_CLIENT"
 project = "smooth-verve-467716-v1"
 }
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf
index 22f14e8b0..5bd46a700 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf
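Review bot: The compliant `location` example becomes a list (`["australia-southeast1", "australia-southeast2"]`) while `non-compliant` stays a scalar (`"global"`), so one argument now has two example types; every other scalar argument in these files uses a single string, and `"compliant": "australia-southeast2",` would match what c.tf actually applies. More importantly, as far as I know the IAM OAuth client API accepts only `global` as a location; if that is right, the rewritten c.tf (`location = "australia-southeast2"`) cannot be applied and the whitelist in policy.rego (`"values": ["australia-southeast1", "australia-southeast2"]`) rejects every client that can exist, turning a residency control into a blanket deny. Please confirm against the provider documentation before merging, and if `global` is the only supported value, restore the previous `global` whitelist and drop the residency rationale for this resource — the other c.tf changes (`/callback` redirect URI, `openid`/`email`/`groups` scopes) are consistent with the JSON examples and can stay.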
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/nc.tf
@@ -2,7 +2,7 @@ resource "google_iam_oauth_client" "nc" {
 oauth_client_id = "nc"
 display_name = "Invalid OAuth Client"
 description = "Non-compliant OAuth client"
- location = "australia-southeast1"
+ location = "global"
 disabled = false
 allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
 allowed_redirect_uris = ["https://www.example.com"]
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
index 6af2691b2..111729392 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
@@ -11,7 +11,7 @@ conditions := [
 {
 "condition": "Validate location",
 "attribute_path": ["location"],
- "values": ["global"],
+ "values": ["australia-southeast1", "australia-southeast2"],
 "policy_type": "whitelist"
 }
 ]
From 18294e8b946559737d9e317711e8eccbf1c73583 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Thu, 21 May 2026 00:29:06 +1000
Subject: [PATCH 87/91] fix Json files
---
 .../organization_validation/policy.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
index 02c08f9f2..1d66c9bc4 100644
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/policy.rego
@@ -5,7 +5,7 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundar
 conditions := [
 [
- {"situation_description" : "must use an approved organization",
+ {"situation_description" : "Principal Access Boundary policies must use only approved organization IDs to ensure proper IAM governance and organizational compliance.",
 "remedies":[
 "Use only approved organization IDs"]},
 {
 "condition": "Validate organization field",
From 09ccc1f325dce5c8bb5ede30dcce35a6276ae1bc Mon Sep 17 00:00:00 2001
From: 224774388deakin Date: Fri, 22 May 2026 00:52:28 +1000 Subject: [PATCH 88/91] fix folder policy --- .../iam_folders_policy_binding.json | 80 ++++++++--------- .../resource_json/iam_oauth_client.json | 60 ++++++------- .../iam_oauth_client_credential.json | 42 ++++----- .../iam_organizations_policy_binding.json | 90 +++++++++---------- .../iam_principal_access_boundary_policy.json | 88 +++++++++--------- .../iam_projects_policy_binding.json | 89 +++++++++--------- .../location_validation/c.tf | 4 +- .../location_validation/nc.tf | 2 +- .../policy_kind_validation/c.tf | 4 +- .../policy_kind_validation/nc.tf | 4 +- .../policy_validation/c.tf | 4 +- .../policy_validation/nc.tf | 4 +- .../client_type_validation/c.tf | 2 +- .../client_type_validation/nc.tf | 4 +- .../oauth_scope_whitelist/c.tf | 2 +- .../oauth_scope_whitelist/nc.tf | 2 +- .../scope_restriction/c.tf | 2 +- .../scope_restriction/nc.tf | 2 +- .../location_validation/c.tf | 2 +- .../location_validation/nc.tf | 2 +- .../Location_Validation/c.tf | 4 +- .../Location_Validation/nc.tf | 2 +- .../location_validation/c.tf | 2 +- .../location_validation/nc.tf | 2 +- .../organization_validation/c.tf | 2 +- .../organization_validation/nc.tf | 2 +- .../location_validation/c.tf | 4 +- .../location_validation/nc.tf | 2 +- .../policy_kind_restriction/c.tf | 4 +- .../policy_kind_restriction/nc.tf | 4 +- .../project_principal_whitelist/c.tf | 4 +- .../project_principal_whitelist/nc.tf | 4 +- .../location_validation/policy.rego | 6 +- .../client_type_validation/policy.rego | 7 +- .../location_validation/policy.rego | 7 +- .../location_validation/policy.rego | 8 +- .../Location_Validation/policy.rego | 6 +- .../location_validation/policy.rego | 7 +- .../location_validation/policy.rego | 8 +- 39 files changed, 286 insertions(+), 288 deletions(-) diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json index 79f35e43b..ed6780224 100644 
--- a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
@@ -2,22 +2,22 @@
 "resource_name": "iam_folders_policy_binding",
 "subcategory": "Cloud IAM",
 "arguments": {
- "target": {
+ "target": {
 "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target).",
 "required": true,
- "security_impact": true,
- "rationale": "Restricts IAM enforcement scope to approved folder-level resources and prevents unauthorized policy attachment.",
- "compliant": "//cloudresourcemanager.googleapis.com/folders/123456789",
- "non-compliant": "//cloudresourcemanager.googleapis.com/folders/external-folder",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null,
 "arguments": {
 "principal_set": {
 "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder).",
 "required": false,
- "security_impact": true,
- "rationale": "Restricts policy bindings to approved folder-level principal sets to prevent unauthorized privilege escalation.",
- "compliant": "//cloudresourcemanager.googleapis.com/folders/123456789",
- "non-compliant": "//cloudresourcemanager.googleapis.com/folders/999999999",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": "target"
 }
 }
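Review bot: `target` and `target.principal_set` have `security_impact` changed from `true` to `null` and their rationale dropped, yet the principal set is the argument that decides which identities the boundary policy constrains, so it is the most security-relevant field of the binding. Within these files `null` appears on fields that were never assessed (the nested condition `title`, for example) while `false` marks fields assessed as having no impact, so this change reads as "unassessed" rather than "intentionally not enforced". If the decision is that no policy in this repo validates the principal set, keep `"security_impact": true,` with a one-line rationale such as `"rationale": "Determines which principals the boundary policy constrains; not validated by a policy in this repository.",` so the gap is documented rather than erased. The same downgrade is applied to `folder` and `policy_binding_id` in the next hunk.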
@@ -27,42 +27,42 @@ "required": true, "security_impact": true, "rationale": "Ensures only approved organization-level IAM policies are attached to folder bindings.", - "compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1", - "non-compliant": "organizations/999999999/locations/global/principalAccessBoundaryPolicies/unapproved-policy", + "compliant": "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy-1", + "non-compliant": "organizations/999999999/locations/australia-southeast2/principalAccessBoundaryPolicies/unknown-policy", "parent": null }, "folder": { "description": "The parent folder for the PolicyBinding.", "required": true, - "security_impact": true, - "rationale": "Restricts policy bindings to approved enterprise-managed folders.", - "compliant": "folders/123456789", - "non-compliant": "folders/external-folder", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "location": { "description": "The location of the PolicyBinding.", "required": true, "security_impact": true, - "rationale": "Restricting location prevents cross-region policy sprawl and enforces governance boundaries.", - "compliant": "global", - "non-compliant": "us-central1", + "rationale": "IAM folder policy bindings must be deployed only in approved Australian regions to meet organizational residency and compliance requirements.", + "compliant": "australia-southeast2", + "non-compliant": "global", "parent": null }, "policy_binding_id": { "description": "The Policy Binding ID.", "required": true, - "security_impact": true, - "rationale": "Ensures traceability and prevents duplicate or unauthorized policy bindings.", - "compliant": "pde-folder-binding-1", - "non-compliant": "test-binding", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "display_name": { "description": "Optional. 
The description of the policy binding. Must be less than or equal to 63 characters.", "required": false, - "security_impact": false, - "rationale": "Display name is used for operational readability and auditing purposes only.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": null @@ -70,8 +70,8 @@ "annotations": { "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", "required": false, - "security_impact": false, - "rationale": "Annotations are metadata used for organization and tracking purposes and do not directly affect IAM enforcement.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": null 
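Review bot: `location` now lists `australia-southeast2` as compliant and `global` as non-compliant, but nothing in the patch shows that a folder PolicyBinding can be created outside `global`; the pre-change examples and the principal_set description in iam_organizations_policy_binding.json (`//iam.googleapis.com/locations/global/workforcePools/...`) suggest `global` is the location these bindings actually use. If the API accepts only `global`, the updated `policy` example (`organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy-1`) and the residency rationale would mark every deployable binding non-compliant. The same change appears in iam_oauth_client_credential.json (@@ -6,43) and iam_organizations_policy_binding.json (@@ -25,44). Please confirm the accepted location values against the provider documentation for each resource before this rule is enforced, and state the confirmed values in the rationale.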
@@ -88,26 +88,26 @@ "condition": { "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. 
Structure is [documented below](#nested_condition).", "required": false, - "security_impact": true, - "rationale": "Conditions can affect IAM authorization logic and access enforcement.", - "compliant": "request.time < timestamp('2026-12-31T23:59:59Z')", - "non-compliant": "true", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null, "arguments": { "expression": { "description": "Textual representation of an expression in Common Expression Language syntax.", "required": false, - "security_impact": true, - "rationale": "Controls authorization logic and access restrictions through CEL expressions.", - "compliant": "request.auth != null", - "non-compliant": "true", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": "condition" }, "title": { "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", "required": false, - "security_impact": false, - "rationale": "Title is informational metadata only and does not affect IAM behavior.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": "condition" @@ -115,8 +115,8 @@ "description": { "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.", "required": false, - "security_impact": false, - "rationale": "Description is informational metadata only and does not affect IAM enforcement.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": "condition" 
@@ -124,8 +124,8 @@
 "location": {
 "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.",
 "required": false,
- "security_impact": false,
- "rationale": "Location metadata is used only for debugging and error reporting.",
+ "security_impact": null,
+ "rationale": null,
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
index 71a128b52..cedc535c0 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
@@ -6,7 +6,7 @@
 "description": "Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. * `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups.",
 "required": true,
 "security_impact": true,
- "rationale": "Restricting scopes enforces least privilege OAuth access and prevents over-permissioned identity delegation.",
+ "rationale": "OAuth clients must only request approved least-privilege scopes and must not use overly broad scopes such as cloud-platform to reduce excessive access risks.",
 "compliant": ["openid", "email", "groups"],
 "non-compliant": ["https://www.googleapis.com/auth/cloud-platform"],
 "parent": null
@@ -14,19 +14,19 @@
 "allowed_grant_types": {
 "description": "Required. The list of OAuth grant types is allowed for the OauthClient.",
 "required": true,
- "security_impact": true,
- "rationale": "Ensures only approved OAuth flows are used to prevent insecure authentication mechanisms.",
- "compliant": ["AUTHORIZATION_CODE_GRANT"],
- "non-compliant": ["IMPLICIT_GRANT"],
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "allowed_redirect_uris": {
 "description": "Required. The list of redirect uris that is allowed to redirect back when authorization process is completed.",
 "required": true,
- "security_impact": true,
- "rationale": "Prevents open redirect attacks and ensures tokens are only sent to trusted endpoints.",
- "compliant": ["https://www.example.com/callback"],
- "non-compliant": ["http://evil.com"],
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "location": {
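Review bot: `allowed_redirect_uris` and `allowed_grant_types` are demoted to `security_impact: null` with their examples removed, yet the redirect-URI allowlist is what keeps authorization codes from being delivered to untrusted endpoints, and the grant-type list is what excludes flows such as the removed `IMPLICIT_GRANT` example. After this hunk the only checked arguments of the OAuth client are `allowed_scopes` (previous hunk) and `client_type`, neither of which governs where tokens are sent. If these two arguments are intentionally out of scope for this rule set, a one-line rationale saying so is better than `null`; otherwise keep `security_impact: true` with an https-only compliant example such as the removed `["https://www.example.com/callback"]` and `["AUTHORIZATION_CODE_GRANT"]`.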
@@ -41,37 +41,37 @@
 "oauth_client_id": {
 "description": "Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified.",
 "required": true,
- "security_impact": true,
- "rationale": "Ensures predictable naming and avoids reserved prefix misuse.",
- "compliant": "example-client-01",
- "non-compliant": "gcp-client-01",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "disabled": {
 "description": "Whether the OauthClient is disabled. You cannot use a disabled OAuth client.",
 "required": false,
- "security_impact": true,
- "rationale": "Disabled clients cannot be used, reducing attack surface when not in use.",
- "compliant": false,
- "non-compliant": true,
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "display_name": {
 "description": "A user-specified display name of the OauthClient. Cannot exceed 32 characters.",
 "required": false,
- "security_impact": false,
- "rationale": "Used only for identification purposes.",
- "compliant": "Enterprise OAuth Client",
- "non-compliant": "Very Long Invalid Name That Exceeds Limits",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "description": {
 "description": "A user-specified description of the OauthClient. Cannot exceed 256 characters.",
 "required": false,
- "security_impact": false,
- "rationale": "Provides documentation for audit and governance.",
- "compliant": "OAuth client for enterprise login",
- "non-compliant": "test",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "client_type": {
@@ -80,16 +80,16 @@
 "security_impact": true,
 "rationale": "Restricts OAuth clients to approved secure types only.",
 "compliant": ["PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT"],
- "non-compliant": ["INTERNAL_CLIENT"],
+ "non-compliant": ["CLIENT_TYPE_UNSPECIFIED"],
 "parent": null
 },
 "project": {
 "description": "If it is not provided, the provider project is used.",
 "required": null,
- "security_impact": true,
- "rationale": "Ensures correct project-level IAM isolation.",
- "compliant": "smooth-verve-467716-v1",
- "non-compliant": "",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 }
 }
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
index 7dbbd3d65..e275c0a0f 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
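Review bot: `client_type` keeps the rationale `Restricts OAuth clients to approved secure types only.`, but the compliant list `["PUBLIC_CLIENT", "CONFIDENTIAL_CLIENT"]` admits both assignable client types and the only non-compliant value is now the `CLIENT_TYPE_UNSPECIFIED` placeholder, so the rule restricts nothing beyond requiring the field to be set (assuming those are the only enum values, as the change implies). Either narrow the compliant list, for example to `["CONFIDENTIAL_CLIENT"]` if public clients are not approved, or reword the rationale to `"client_type must be explicitly set; unspecified client types are rejected."` so the documented intent matches what is enforced. The `project` demotion in the same hunk also removes the only example of project scoping for this resource.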
@@ -6,43 +6,43 @@ "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.", "required": true, "security_impact": true, - "rationale": "Restricting location to global ensures consistent IAM control and avoids regional misconfiguration.", - "compliant": "global", - "non-compliant": "us-central1", + "rationale": "OAuth client credentials must be deployed only in approved Australian regions to meet organizational residency and compliance requirements.", + "compliant": "australia-southeast2", + "non-compliant": "global", "parent": null }, "oauthclient": { "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.", "required": true, - "security_impact": true, - "rationale": "Ensures OAuth credential is correctly linked to a valid parent OAuth client to prevent unauthorized binding.", - "compliant": "example-client-id", - "non-compliant": "invalid-client", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "oauth_client_credential_id": { "description": "Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.", "required": true, - "security_impact": true, - "rationale": "Prevents use of reserved prefixes and ensures predictable, secure naming conventions.", - "compliant": "cred-01a", - "non-compliant": "gcp-cred-01a", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "disabled": { "description": "Whether the OauthClientCredential is disabled. 
You cannot use a disabled OauthClientCredential.", "required": false, - "security_impact": true, - "rationale": "Disabled credentials reduce risk of unauthorized authentication usage.", - "compliant": false, - "non-compliant": true, + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "display_name": { "description": "A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters.", "required": false, - "security_impact": false, - "rationale": "Used for readability and operational clarity only.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": null @@ -50,10 +50,10 @@ "project": { "description": "If it is not provided, the provider project is used.", "required": null, - "security_impact": true, - "rationale": "Ensures correct project scoping for IAM isolation and prevents cross-project credential leakage.", - "compliant": "smooth-verve-467716-v1", - "non-compliant": "", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null } } diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json index f00a93b2c..708fc3e4e 100644 --- a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json +++ b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json 
@@ -5,19 +5,19 @@
 "target": {
 "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target).",
 "required": true,
- "security_impact": true,
- "rationale": "Defines the exact principal scope for IAM binding enforcement and prevents unauthorized identity expansion.",
- "compliant": "//cloudresourcemanager.googleapis.com/organizations/123456789",
- "non-compliant": "//cloudresourcemanager.googleapis.com/projects/untrusted-project",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null,
 "arguments": {
 "principal_set": {
 "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Organization `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` It must be parent by the policy binding's parent (the organization).",
 "required": false,
- "security_impact": true,
- "rationale": "Ensures only approved identity domains such as organization, workforce, or workspace identities are used.",
- "compliant": "//cloudresourcemanager.googleapis.com/organizations/123456789",
- "non-compliant": "//cloudresourcemanager.googleapis.com/organizations/000000000",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": "target"
 }
 }
@@ -25,44 +25,44 @@ "policy": { "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).", "required": true, - "security_impact": true, - "rationale": "Ensures binding only approved Principal Access Boundary policies within the organization.", - "compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1", - "non-compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/unknown-policy", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "organization": { "description": "The parent organization of the Policy Binding.", "required": true, - "security_impact": true, - "rationale": "Ensures IAM governance is enforced at the correct organizational boundary.", - "compliant": "123456789", - "non-compliant": "999999999", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "location": { "description": "The location of the Policy Binding", "required": true, "security_impact": true, - "rationale": "Enforces centralized IAM policy binding control.", - "compliant": "global", - "non-compliant": "us-central1", + "rationale": "Organization policy bindings must be deployed only in approved Australian regions to meet organizational residency and compliance requirements.", + "compliant": "australia-southeast2", + "non-compliant": "global", "parent": null }, "policy_binding_id": { "description": "The Policy Binding ID.", "required": true, - "security_impact": true, - "rationale": "Ensures unique identification of IAM policy bindings.", - "compliant": "org-binding-001", - "non-compliant": "invalid binding id!!", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "display_name": { "description": "Optional. 
The description of the policy binding. Must be less than or equal to 63 characters.", "required": false, - "security_impact": false, - "rationale": "Improves readability and auditability.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": null @@ -70,8 +70,8 @@ "annotations": { "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", "required": false, - "security_impact": false, - "rationale": "Used for governance, metadata tagging, and tracking purposes only.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": null 
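Review bot: `policy` is set to `security_impact: null` for organization bindings, while the folder binding's `policy` earlier in this patch keeps `security_impact: true` with the rationale `Ensures only approved organization-level IAM policies are attached to folder bindings.`; both bind a PAB policy by resource name, so the two files now disagree on whether the bound policy is a controlled value. `policy_kind` in the next hunk (@@ -79,35) is demoted the same way, even though the diffstat lists policy_kind validation tests for other resources in this patch. If only folder and project bindings are meant to carry these checks, a short rationale such as `"rationale": "Policy whitelist is enforced on folder and project bindings; organization bindings are reviewed manually."` would make the asymmetry deliberate rather than an omission.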
@@ -79,35 +79,35 @@ "policy_kind": { "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS", "required": false, - "security_impact": true, - "rationale": "Restricts IAM binding to secure boundary enforcement policies.", - "compliant": "PRINCIPAL_ACCESS_BOUNDARY", - "non-compliant": "ACCESS", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "condition": { "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. 
Structure is [documented below](#nested_condition).", "required": false, - "security_impact": true, - "rationale": "Allows conditional IAM enforcement based on attributes and contextual access restrictions.", - "compliant": "request.time < timestamp('2026-12-31T00:00:00Z')", - "non-compliant": "true", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null, "arguments": { "expression": { "description": "Textual representation of an expression in Common Expression Language syntax.", "required": false, - "security_impact": true, - "rationale": "Controls IAM access behavior through conditional authorization logic.", - "compliant": "request.time < timestamp('2026-12-31T00:00:00Z')", - "non-compliant": "true", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": "condition" }, "title": { "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.", "required": false, - "security_impact": false, - "rationale": "Used only for readability and operational clarity.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": "condition" @@ -115,8 +115,8 @@ "description": { "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.", "required": false, - "security_impact": false, - "rationale": "Provides human-readable explanation of the CEL condition only.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": "condition" 
@@ -124,8 +124,8 @@
 "location": {
 "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.",
 "required": false,
- "security_impact": false,
- "rationale": "Used for debugging and error reporting purposes only.",
+ "security_impact": null,
+ "rationale": null,
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json
index fd11f7e9b..799381242 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json
@@ -6,52 +6,52 @@ "description": "The parent organization of the principal access boundary policy.", "required": true, "security_impact": true, - "rationale": "Restricting policies to approved organizations ensures IAM governance boundaries and prevents cross-tenant privilege escalation.", - "compliant": "PDE1, PDE2, PDE3", - "non-compliant": "random-org-123", + "rationale": "Principal Access Boundary policies must use only approved organization IDs to ensure proper IAM governance and organizational compliance.", + "compliant": ["PDE1", "PDE2", "PDE3"], + "non-compliant": "234", "parent": null }, "location": { "description": "The location the principal access boundary policy is in.", "required": true, "security_impact": true, - "rationale": "Enforcing global location ensures consistent IAM policy enforcement and avoids regional misconfiguration risks.", - "compliant": "global", - "non-compliant": "us-central1", + "rationale": "Principal access boundary policies must be deployed only in approved Australian regions to meet organizational residency and compliance requirements.", + "compliant": ["australia-southeast1", "australia-southeast2"], + "non-compliant": "global", "parent": null }, "principal_access_boundary_policy_id": { "description": "The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.", "required": true, - "security_impact": false, - "rationale": "Ensures consistent naming conventions for policy identification and avoids invalid resource creation.", - "compliant": "pab-policy-01", - "non-compliant": "PAB_POLICY_01", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "display_name": { "description": "The description of the principal access boundary policy. 
Must be less than or equal to 63 characters.", "required": false, - "security_impact": false, + "security_impact": null, "rationale": null, - "compliant": "Standard Access Boundary Policy", - "non-compliant": "Very long or unclear name exceeding limits", + "compliant": null, + "non-compliant": null, "parent": null }, "annotations": { "description": "User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.", "required": false, - "security_impact": false, - "rationale": "Used for auditability and classification of IAM policies.", - "compliant": "env=prod, owner=security-team", - "non-compliant": "free-form or unstructured metadata", + "security_impact": null, + "rationale": null, + "compliant": null, + "non-compliant": null, "parent": null }, "details": { "description": "Principal access boundary policy details Structure is [documented below](#nested_details).", "required": false, - "security_impact": true, - "rationale": "Defines enforcement rules that restrict principal access to approved resources.", + "security_impact": null, + "rationale": null, "compliant": null, "non-compliant": null, "parent": null, 
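Review bot: `organization.compliant` and `location.compliant` are now JSON arrays while their `non-compliant` counterparts stay scalars, and the other resource files in this patch use scalars on both sides for single-valued arguments, so any Rego or tooling that reads these fields has to handle two shapes for the same key. The compliant organization values `PDE1`, `PDE2`, `PDE3` are also not in the numeric form of the non-compliant `234`, so it is unclear whether the whitelist matches organization IDs or environment labels. Use the same shape on both sides (for example `"non-compliant": ["234"]`), and if the check is on IDs, use obviously labelled placeholder numeric IDs rather than environment names so the example is testable against the `organization_validation` cases listed in the diffstat.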
@@ -59,28 +59,28 @@
 "rules": {
 "description": "A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is [documented below](#nested_details_rules).",
 "required": true,
- "security_impact": true,
- "rationale": "Rules define which resources principals can access under the boundary policy.",
- "compliant": "ALLOW only approved organizations/projects/folders",
- "non-compliant": "ALLOW all or overly broad resources",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": "details"
 },
 "enforcement_version": {
 "description": "The version number that indicates which Google Cloud services are included in the enforcement (e.g. \\\"latest\\\", \\\"1\\\", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.",
 "required": false,
- "security_impact": false,
- "rationale": "Ensures controlled rollout of enforcement changes across services.",
- "compliant": "latest or pinned version",
- "non-compliant": "empty or unmanaged versioning",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": "details"
 }
 }
 },
 "rules": {
 "description": "",
- "required": true,
- "security_impact": true,
- "rationale": "Rules define the actual enforcement of access boundaries across resources.",
+ "required": null,
+ "security_impact": null,
+ "rationale": null,
 "compliant": null,
 "non-compliant": null,
 "parent": null,
@@ -88,34 +88,28 @@
 "description": {
 "description": "The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.",
 "required": false,
- "security_impact": false,
+ "security_impact": null,
 "rationale": null,
- "compliant": "Allow access to approved project set only",
- "non-compliant": "Unrestricted or vague rule description",
+ "compliant": null,
+ "non-compliant": null,
 "parent": "rules"
 },
 "resources": {
 "description": "A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`.",
 "required": true,
- "security_impact": true,
- "rationale": "Restricts access to approved organizations, folders, or projects only.",
- "compliant": [
- "//cloudresourcemanager.googleapis.com/organizations/123",
- "//cloudresourcemanager.googleapis.com/folders/123",
- "//cloudresourcemanager.googleapis.com/projects/approved-project"
- ],
- "non-compliant": [
- "//cloudresourcemanager.googleapis.com/projects/*"
- ],
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": "rules"
 },
 "effect": {
 "description": "The access relationship of principals to the resources in this rule. Possible values: ALLOW",
 "required": true,
- "security_impact": true,
- "rationale": "Defines whether access is allowed under the boundary policy.",
- "compliant": "ALLOW",
- "non-compliant": "DENY or undefined behavior",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": "rules"
 }
 }
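Review bot: `resources` and `effect` under `rules` are set to `security_impact: null`, but `resources` is the field that determines which organizations, folders and projects the boundary lets principals reach (per its own description), and the removed non-compliant example `//cloudresourcemanager.googleapis.com/projects/*` was the only check against an over-broad boundary. With `details` (@@ -6,52) and `details.rules` (@@ -59,28) nulled in the same file, nothing here now examines the boundary's contents — only `organization` and `location` remain checked. If rule contents are intentionally outside this policy set's scope, record that with a rationale rather than `null`; otherwise keep `security_impact: true` on `resources` with a rationale such as `"Boundary rules must list only approved organizations, folders or projects; wildcard or unapproved resources are rejected."` and restore the array examples.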
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
index 83f4abcfd..ed22726f5 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
@@ -7,29 +7,17 @@
 "required": true,
 "security_impact": true,
 "rationale": "Restricts policy binding scope to approved project principals only, preventing unauthorized identity binding.",
- "compliant": [
- "//cloudresourcemanager.googleapis.com/projects/approved-project-1",
- "//cloudresourcemanager.googleapis.com/projects/approved-project-2"
- ],
- "non-compliant": [
- "//cloudresourcemanager.googleapis.com/projects/*",
- "//cloudresourcemanager.googleapis.com/projects/external-project"
- ],
+ "compliant": "//cloudresourcemanager.googleapis.com/projects/approved-project-1",
+ "non-compliant": "//cloudresourcemanager.googleapis.com/projects/random-external-project",
 "parent": null,
 "arguments": {
 "principal_set": {
- "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Project: * `//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER` * `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID` * Workload Identity Pool: `//iam.googleapis.com/projects/PROJECT_NUMBER/locations/LOCATION/workloadIdentityPools/WORKLOAD_POOL_ID` It must be parent by the policy binding's parent (the project).",
+ "description": "Required. Immutable. 
Full Resource Name of the principal set used for principal access boundary policy bindings.",
 "required": false,
 "security_impact": true,
- "rationale": "Ensures only approved project-level principals can be assigned IAM boundaries.",
- "compliant": [
- "//cloudresourcemanager.googleapis.com/projects/approved-project-1",
- "//cloudresourcemanager.googleapis.com/projects/approved-project-2"
- ],
- "non-compliant": [
- "//cloudresourcemanager.googleapis.com/projects/*",
- "//cloudresourcemanager.googleapis.com/projects/external-*"
- ],
+ "rationale": "Project policy binding must only allow approved project-level principals to reduce unauthorized access exposure.",
+ "compliant": "//cloudresourcemanager.googleapis.com/projects/approved-project-1",
+ "non-compliant": "//cloudresourcemanager.googleapis.com/projects/random-external-project",
 "parent": "target"
 }
 }
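Review bot: The shortened `principal_set` description drops the constraint that the principal set must belong to the policy binding's own parent project, which is the invariant the `project_principal_whitelist` fixtures later in this patch approximate with a fixed list; keep a sentence such as `The principal set must be parented by the policy binding's parent (the project).` so the intent of the whitelist stays documented. In the same entry `"required": false` contradicts the `Required. Immutable.` prefix of the new description line; that flag is an unchanged context line, but this is the hunk that rewrites the entry, so it is the place to fix it. The enclosing `target` object starts before this hunk.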
@@ -37,46 +25,48 @@
 "policy": {
 "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).",
 "required": true,
- "security_impact": true,
- "rationale": "Ensures only approved IAM boundary policies are attached to projects.",
- "compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/approved-policy",
- "non-compliant": "organizations/123456789/locations/global/principalAccessBoundaryPolicies/unapproved-policy",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "location": {
 "description": "The location of the Policy Binding",
 "required": true,
 "security_impact": true,
- "rationale": "Enforcing global location ensures consistent IAM policy application across projects and prevents regional drift.",
- "compliant": "global",
- "non-compliant": "us-central1",
+ "rationale": "Project policy binding location must be restricted to approved Australia regions to meet organizational residency and compliance requirements.",
+ "compliant": [
+ "australia-southeast1",
+ "australia-southeast2"],
+ "non-compliant": "global",
 "parent": null
 },
 "policy_binding_id": {
 "description": "The Policy Binding ID.",
 "required": true,
- "security_impact": false,
- "rationale": "Ensures consistent naming and traceability of policy bindings.",
- "compliant": "project-binding-01",
- "non-compliant": "INVALID_BINDING",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "display_name": {
 "description": "Optional. The description of the policy binding. 
Must be less than or equal to 63 characters.",
 "required": false,
- "security_impact": false,
- "rationale": "Used for human-readable identification only.",
- "compliant": "Project IAM Binding Policy",
- "non-compliant": "Very long or unclear name exceeding limits",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "annotations": {
 "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.",
 "required": false,
- "security_impact": false,
- "rationale": "Used for tagging, auditing, and governance tracking.",
- "compliant": "env=prod, team=security",
- "non-compliant": "random unstructured metadata",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 },
 "policy_kind": {
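Review bot: The new `location` entry marks `global` as non-compliant and lists `australia-southeast1` and `australia-southeast2` as compliant, but to my knowledge the IAM API currently accepts only `global` for policy bindings and principal access boundary policies, so the compliant fixtures would be rejected at apply time and every real binding would be flagged by the location whitelists; please confirm against the provider documentation before relying on this. The same assumption is carried into the fixtures from the `google_iam_folders_policy_binding/location_validation` hunk onward, where the `policy` resource name is also rewritten to `.../locations/australia-southeast2/...`, into the OAuth client and credential fixtures, and into the rego whitelists for the folder, organization, credential and PAB location policies. If regional locations are confirmed to be supported, the `rationale` should still say why `global` specifically violates the residency requirement rather than restating the whitelist.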
@@ -85,23 +75,26 @@
 "security_impact": true,
 "rationale": "Ensures only Principal Access Boundary policies are enforced for security isolation.",
 "compliant": "PRINCIPAL_ACCESS_BOUNDARY",
- "non-compliant": "ACCESS, POLICY_KIND_UNSPECIFIED",
+ "non-compliant": [
+ "ACCESS",
+ "POLICY_KIND_UNSPECIFIED"
+ ],
 "parent": null
 },
 "condition": {
 "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. 
Structure is [documented below](#nested_condition).",
 "required": false,
- "security_impact": true,
- "rationale": "Allows fine-grained IAM control based on runtime conditions.",
- "compliant": "document.type != 'internal'",
- "non-compliant": "true (unrestricted access)",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null,
 "arguments": {
 "expression": {
 "description": "Textual representation of an expression in Common Expression Language syntax.",
 "required": false,
- "security_impact": true,
- "rationale": "Controls conditional IAM enforcement.",
+ "security_impact": null,
+ "rationale": null,
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -138,10 +131,10 @@
 "project": {
 "description": "If it is not provided, the provider project is used.",
 "required": null,
- "security_impact": true,
- "rationale": "Ensures correct project-level IAM isolation and prevents cross-project misconfiguration.",
- "compliant": "approved-project-id",
- "non-compliant": "external-project-id",
+ "security_impact": null,
+ "rationale": null,
+ "compliant": null,
+ "non-compliant": null,
 "parent": null
 }
 }
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf
index 946544a06..e588a3710 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/c.tf
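Review bot: `non-compliant` for `policy_kind` becomes an array while `compliant` stays a string, and in the previous hunk `location` does the reverse (array for `compliant`, string for `non-compliant`), while `principal_set` uses strings for both. Anything that renders or checks these files now has to accept both shapes per key, so pick one convention — an array everywhere is the least surprising — or state once in the file that both scalar and list forms are valid. The `policy_kind` entry and the enclosing `arguments` object begin before this hunk.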
@@ -1,10 +1,10 @@
 resource "google_iam_folders_policy_binding" "c" {
 folder = "123456789"
- location = "global"
+ location = "australia-southeast2"
 policy_binding_id = "c"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pab-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf
index d11a38abb..6d7acc28f 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/nc.tf
@@ -1,7 +1,7 @@
 resource "google_iam_folders_policy_binding" "nc" {
 folder = "123456789"
- location = "australia-southeast1"
+ location = "global"
 policy_binding_id = "nc"
 policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
index ba879040a..7a38b8eaa 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/c.tf
@@ -1,10 +1,10 @@
 resource "google_iam_folders_policy_binding" "c" {
 folder = "folders/123456789"
- location = "global"
+ location = "australia-southeast2"
 policy_binding_id = "c"
 display_name = "Valid binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf
index a8c68cad3..e3c8fc6fe 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_kind_validation/nc.tf
@@ -1,10 +1,10 @@
 resource "google_iam_folders_policy_binding" "nc" {
 folder = "folders/123456789"
- location = "global"
+ location = "australia-southeast2"
 policy_binding_id = "nc"
 display_name = "Invalid binding"
 policy_kind = "ACCESS"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf
index b56feb1a7..6a0f4d68f 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/c.tf
@@ -1,11 +1,11 @@
 resource "google_iam_folders_policy_binding" "c" {
 folder = "folders/123456789"
- location = "global"
+ location = "australia-southeast2"
 policy_binding_id = "c"
 display_name = "Valid binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy-1"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf
index 20dd92284..dce79fab9 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/nc.tf
@@ -1,11 +1,11 @@
 resource "google_iam_folders_policy_binding" "nc" {
 folder = "folders/123456789"
- location = "global"
+ location = "australia-southeast2"
 policy_binding_id = "nc"
 display_name = "Invalid binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
- policy = "organizations/999999999/locations/global/principalAccessBoundaryPolicies/unknown-policy"
+ policy = "organizations/999999999/locations/australia-southeast2/principalAccessBoundaryPolicies/unknown-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/folders/123456789"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf
index 77285331f..defb39894 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/c.tf
@@ -2,7 +2,7 @@ resource "google_iam_oauth_client" "c" {
 oauth_client_id = "c"
 display_name = "Valid OAuth Client"
 description = "Compliant OAuth client configuration"
- location = "global"
+ location = "australia-southeast2"
 disabled = false
 allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
 allowed_redirect_uris = ["https://www.example.com"]
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf
index 1338e3474..2885fe45b 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/nc.tf
@@ -2,11 +2,11 @@ resource "google_iam_oauth_client" "nc" {
 oauth_client_id = "nc"
 display_name = "Invalid OAuth Client"
 description = "Non-compliant OAuth client configuration"
- location = "global"
+ location = "australia-southeast2"
 disabled = false
 allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
 allowed_redirect_uris = ["https://www.example.com"]
 allowed_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
- client_type = "INTERNAL_CLIENT"
+ client_type = "CLIENT_TYPE_UNSPECIFIED"
 project = "smooth-verve-467716-v1"
 }
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf
index d3c57855f..9a08c54a5 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/c.tf
@@ -3,7 +3,7 @@ resource "google_iam_oauth_client" "c" {
 oauth_client_id = "c"
 display_name = "Secure OAuth Client"
 description = "Uses least privilege scopes"
- location = "global"
+ location = "australia-southeast2"
 disabled = false
 allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf
index 71b1ea382..ca7966a5c 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/oauth_scope_whitelist/nc.tf
@@ -3,7 +3,7 @@ resource "google_iam_oauth_client" "nc" {
 oauth_client_id = "nc"
 display_name = "Unsafe OAuth Client"
 description = "Uses overly broad scope"
- location = "global"
+ location = "australia-southeast2"
 disabled = false
 allowed_grant_types = ["AUTHORIZATION_CODE_GRANT"]
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf
index b93a02f29..5db65c881 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/c.tf
@@ -1,7 +1,7 @@
 resource "google_iam_oauth_client" "c" {
 project = "smooth-verve-467716-v1"
 oauth_client_id = "c"
- location = "global"
+ location = "australia-southeast2"
 client_type = "CONFIDENTIAL_CLIENT"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf
index 226fe2ad2..0e10271e5 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client/scope_restriction/nc.tf
@@ -1,7 +1,7 @@
 resource "google_iam_oauth_client" "nc" {
 project = "smooth-verve-467716-v1"
 oauth_client_id = "nc"
- location = "global"
+ location = "australia-southeast2"
 client_type = "CONFIDENTIAL_CLIENT"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf
index 29ac3c88e..2696473c2 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/c.tf
@@ -1,6 +1,6 @@
 resource "google_iam_oauth_client_credential" "c" {
 oauthclient = "example-client-id"
- location = "global"
+ location = "australia-southeast2"
 oauth_client_credential_id = "c"
 display_name = "Valid Credential"
 project = "smooth-verve-467716-v1"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf
index 0c73a1c96..5dda05a9d 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/nc.tf
@@ -1,6 +1,6 @@
 resource "google_iam_oauth_client_credential" "nc" {
 oauthclient = "example-client-id"
- location = "australia-southeast1"
+ location = "global"
 oauth_client_credential_id = "nc"
 display_name = "Invalid Credential"
 project = "smooth-verve-467716-v1"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
index 7d87ac548..e236529ef 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/c.tf
@@ -1,11 +1,11 @@
 resource "google_iam_organizations_policy_binding" "c" {
 organization = "123456789"
- location = "global"
+ location = "australia-southeast2"
 display_name = "c"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "org-binding-c"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/my-pab-policy"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/my-pab-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/organizations/123456789"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
index 307f93869..8b33de019 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/nc.tf
@@ -1,7 +1,7 @@
 resource "google_iam_organizations_policy_binding" "nc" {
 organization = "123456789"
- location = "australia-southeast1"
+ location = "global"
 display_name = "nc"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "org-binding-nc"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf
index e5f3bd2c2..ba9088250 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/c.tf
@@ -1,6 +1,6 @@
 resource "google_iam_principal_access_boundary_policy" "c" {
 organization = "123456789"
- location = "global"
+ location = "australia-southeast2"
 display_name = "c"
 principal_access_boundary_policy_id = "pab-policy-c"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf
index 07ca0c121..2cf29db4a 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/nc.tf
@@ -1,6 +1,6 @@
 resource "google_iam_principal_access_boundary_policy" "nc" {
 organization = "123456789"
- location = "australia-southeast1"
+ location = "global"
 display_name = "nc"
 principal_access_boundary_policy_id = "pab-policy-nc"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
index fd39e2169..9c9dac3bc 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/c.tf
@@ -1,6 +1,6 @@
 resource "google_iam_principal_access_boundary_policy" "c" {
 organization = "PDE1"
- location = "global"
+ location = "australia-southeast2"
 display_name = "c"
 principal_access_boundary_policy_id = "pab-policy-for-org"
 }
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
index 16127f943..02e131c25 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/organization_validation/nc.tf
@@ -1,6 +1,6 @@
 resource "google_iam_principal_access_boundary_policy" "nc" {
 organization = "234"
- location = "global"
+ location = "australia-southeast2"
 display_name = "nc"
 principal_access_boundary_policy_id = "pab-policy-for-org"
 }
\ No newline at end of file
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf
index 1214f0350..854e58a00 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/c.tf
@@ -1,11 +1,11 @@
 resource "google_iam_projects_policy_binding" "c" {
 project = "smooth-verve-467716-v1"
- location = "global"
+ location = "australia-southeast2"
 display_name = "Valid Project Policy Binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "c"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pab-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/projects/123456789"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf
index 26cda994d..f2b8f51d9 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/nc.tf
@@ -1,6 +1,6 @@
 resource "google_iam_projects_policy_binding" "nc" {
 project = "smooth-verve-467716-v1"
- location = "us-central1"
+ location = "global"
 display_name = "Invalid Project Policy Binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "nc"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf
index 2f6d537a9..c88cdc84a 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/c.tf
@@ -1,11 +1,11 @@
 resource "google_iam_projects_policy_binding" "c" {
 project = "smooth-verve-467716-v1"
- location = "global"
+ location = "australia-southeast2"
 display_name = "secure-pab-binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "c"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pab-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/projects/smooth-verve-467716-v1"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf
index 0f53e0b0d..4ac2d4165 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/policy_kind_restriction/nc.tf
@@ -1,12 +1,12 @@
 resource "google_iam_projects_policy_binding" "nc" {
 project = "smooth-verve-467716-v1"
- location = "global"
+ location = "australia-southeast2"
 display_name = "insecure-access-binding"
 policy_kind = "ACCESS"
 policy_binding_id = "nc"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pab-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/projects/smooth-verve-467716-v1"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf
index 951a29540..ce057c6e9 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/c.tf
@@ -1,11 +1,11 @@
 resource "google_iam_projects_policy_binding" "c" {
 project = "smooth-verve-467716-v1"
- location = "global"
+ location = "australia-southeast2"
 display_name = "approved-project-binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "c"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pab-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/projects/approved-project-1"
diff --git a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf
index e62724c2d..e62e9f630 100644
--- a/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf
+++ b/inputs/gcp/Cloud_IAM/google_iam_projects_policy_binding/project_principal_whitelist/nc.tf
@@ -1,11 +1,11 @@
 resource "google_iam_projects_policy_binding" "nc" {
 project = "smooth-verve-467716-v1"
- location = "global"
+ location = "australia-southeast2"
 display_name = "unapproved-project-binding"
 policy_kind = "PRINCIPAL_ACCESS_BOUNDARY"
 policy_binding_id = "nc"
- policy = "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pab-policy"
+ policy = "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pab-policy"
 target {
 principal_set = "//cloudresourcemanager.googleapis.com/projects/random-external-project"
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego
index 70bc1f211..fd55c4b5e 100644
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/location_validation/policy.rego
@@ -6,15 +6,15 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_folders_policy_binding.v
 conditions := [
 [
 {
- "situation_description": "Location must strictly be global for IAM folder policy bindings",
+ "situation_description": "ocation must be restricted to approved Australia regions for IAM folder policy bindings",
 "remedies": [
- "Set location = global"
+ "Set location to an approved Australia region such as australia-southeast1 or australia-southeast2"
 ]
 },
 {
 "condition": "Validate allowed location",
 "attribute_path": ["location"],
- "values": ["global"],
+ "values": ["australia-southeast1", "australia-southeast2"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego
index d8a9624f4..5267cf771 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/client_type_validation/policy.rego
@@ -6,8 +6,11 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars
 conditions := [
 [
 {
- "situation_description": "Only approved OAuth client types are allowed",
- "remedies": ["Use PUBLIC_CLIENT or CONFIDENTIAL_CLIENT"]
+ "situation_description": "OAuth clients must use approved secure client types",
+ "remedies": [
+ "Use PUBLIC_CLIENT or CONFIDENTIAL_CLIENT",
+ "Do not use CLIENT_TYPE_UNSPECIFIED"
+ ]
 },
 {
 "condition": "Validate client_type",
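Review bot: The new `situation_description` in the folder location policy has lost its first letter, `ocation must be restricted ...`; this string is what a user sees when the check fails, so it should read `"situation_description": "Location must be restricted to approved Australia regions for IAM folder policy bindings",`. The `remedies` text and the `values` whitelist in this hunk already agree with each other, so nothing else in the hunk needs to change. The `conditions` array is closed inside the hunk.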
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
index 111729392..2067899a2 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client/location_validation/policy.rego
@@ -1,12 +1,15 @@
 package terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.location_validation
+
 import data.terraform.helpers
 import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client.vars
 conditions := [
 [
 {
- "situation_description": "OAuth client must only be deployed in global location",
- "remedies": ["Set location to global"]
+ "situation_description": "OAuth client location must be restricted to approved Australia regions",
+ "remedies": [
+ "Set location to australia-southeast1 or australia-southeast2"
+ ]
 },
 {
 "condition": "Validate location",
diff --git a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego
index 46ecc25cb..4212e079e 100644
--- a/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_oauth_client_credential/location_validation/policy.rego
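Review bot: The OAuth client location hunk rewrites the description and remedies but its trailing context stops at the `"condition": "Validate location",` line, and the `values` line that follows it is not part of the hunk; with three lines of trailing context a change there would have been folded into this hunk, so the whitelist in this file appears to still be `["global"]` while the text now promises Australian regions, unlike the credential, organization and PAB policies later in this patch which update both. If so, every OAuth client fixture earlier in this patch, all of which moved to `australia-southeast2`, would fail this policy, and the remedy text would send users to values the check rejects. The fix is the single line `"values": ["australia-southeast1", "australia-southeast2"],` to match the sibling policies. The `conditions` array continues outside the hunk.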
@@ -6,13 +6,15 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_oauth_client_credential.
 conditions := [
 [
 {
- "situation_description": "OAuth client credential must use global location only",
- "remedies": ["Set location = global"]
+ "situation_description": "OAuth client credential location must be restricted to approved Australia regions",
+ "remedies": [
+ "Set location to australia-southeast1 or australia-southeast2"
+ ]
 },
 {
 "condition": "Validate location whitelist",
 "attribute_path": ["location"],
- "values": ["global"],
+ "values": ["australia-southeast1", "australia-southeast2"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego
index 3bc705a52..57ac19bea 100644
--- a/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_organizations_policy_binding/Location_Validation/policy.rego
@@ -6,15 +6,15 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_bin
 conditions := [
 [
 {
- "situation_description": "Organization policy binding must use global location",
+ "situation_description": "Organization policy binding location must be restricted to approved Australia regions",
 "remedies": [
- "Set location = global"
+ "Set location to australia-southeast1 or australia-southeast2"
 ]
 },
 {
 "condition": "Validate location whitelist",
 "attribute_path": ["location"],
- "values": ["global"],
+ "values": ["australia-southeast1", "australia-southeast2"],
 "policy_type": "whitelist"
 }
 ]
diff --git a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego
index 3c7fed739..3f43a8f02 100644
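Review bot: The organizations policy binding hunk lives under a directory named `Location_Validation`, while every sibling location policy in this series (folders, OAuth client, OAuth client credential, principal access boundary, projects) uses `location_validation`. The package line is outside this hunk, but if package names follow the directory path, as the visible `import data.terraform.gcp.security.Cloud_IAM.google_iam_organizations_policy_bin…` context suggests for the vars import, the mixed case will propagate into package names and any path-based test or loader. Renaming the directory to `location_validation` and adjusting the package declaration accordingly would keep the policy tree uniform and avoid case-sensitivity surprises across filesystems.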
--- a/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego +++ b/policies/gcp/Cloud_IAM/google_iam_principal_access_boundary_policy/location_validation/policy.rego @@ -1,19 +1,20 @@ package terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.location_validation + import data.terraform.helpers import data.terraform.gcp.security.Cloud_IAM.google_iam_principal_access_boundary_policy.vars conditions := [ [ { - "situation_description": "Location must always be global for PAB policy", + "situation_description": "Principal access boundary policy location must be restricted to approved Australia regions", "remedies": [ - "Set location = global" + "Set location to australia-southeast1 or australia-southeast2" ] }, { "condition": "Validate location whitelist", "attribute_path": ["location"], - "values": ["global"], + "values": ["australia-southeast1", "australia-southeast2"], "policy_type": "whitelist" } ] diff --git a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego index d47b87992..90eaf4f1b 100644 --- a/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego +++ b/policies/gcp/Cloud_IAM/google_iam_projects_policy_binding/location_validation/policy.rego 
@@ -6,13 +6,15 @@ import data.terraform.gcp.security.Cloud_IAM.google_iam_projects_policy_binding.
 conditions := [
 [
 {
- "situation_description": "Project policy binding must use global location only",
- "remedies": ["Set location = global"]
+ "situation_description": "Project policy binding location must be restricted to approved Australia regions",
+ "remedies": [
+ "Set location to australia-southeast1 or australia-southeast2"
+ ]
 },
 {
 "condition": "Validate location whitelist",
 "attribute_path": ["location"],
- "values": ["global"],
+ "values": ["australia-southeast1", "australia-southeast2"],
 "policy_type": "whitelist"
 }
 ]
From 4f6eff5b02c407f5334391b6fcf36788a51def59 Mon Sep 17 00:00:00 2001
From: 224774388deakin
Date: Fri, 22 May 2026 00:52:48 +1000
Subject: [PATCH 89/91] fix folder policy
---
 .../Cloud_IAM/iam_folders_policy_binding.md | 26 ++++++++---------
 docs/gcp/Cloud_IAM/iam_oauth_client.md | 18 ++++++------
 .../Cloud_IAM/iam_oauth_client_credential.md | 12 ++++----
 .../iam_organizations_policy_binding.md | 28 +++++++++----------
 .../iam_principal_access_boundary_policy.md | 24 ++++++++--------
 .../Cloud_IAM/iam_projects_policy_binding.md | 22 +++++++--------
 6 files changed, 65 insertions(+), 65 deletions(-)

diff --git a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
index 1ed76e216..2d5f6cbbc 100644
--- a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
+++ b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
@@ -10,27 +10,27 @@ Reference: [Terraform Registry – iam_folders_policy_binding](https://registry. | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | true | Restricts IAM enforcement scope to approved folder-level resources and prevents unauthorized policy attachment. | //cloudresourcemanager.googleapis.com/folders/123456789 | //cloudresourcemanager.googleapis.com/folders/external-folder | -| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures only approved organization-level IAM policies are attached to folder bindings. | organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1 | organizations/999999999/locations/global/principalAccessBoundaryPolicies/unapproved-policy | -| `folder` | The parent folder for the PolicyBinding. | true | true | Restricts policy bindings to approved enterprise-managed folders. | folders/123456789 | folders/external-folder | -| `location` | The location of the PolicyBinding. | true | true | Restricting location prevents cross-region policy sprawl and enforces governance boundaries. | global | us-central1 | -| `policy_binding_id` | The Policy Binding ID. | true | true | Ensures traceability and prevents duplicate or unauthorized policy bindings. | pde-folder-binding-1 | test-binding | -| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Display name is used for operational readability and auditing purposes only. | None | None | -| `annotations` | Optional. User defined annotations. 
See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Annotations are metadata used for organization and tracking purposes and do not directly affect IAM enforcement. | None | None | +| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | false | None | None | None | +| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures only approved organization-level IAM policies are attached to folder bindings. | organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy-1 | organizations/999999999/locations/australia-southeast2/principalAccessBoundaryPolicies/unknown-policy | +| `folder` | The parent folder for the PolicyBinding. | true | false | None | None | None | +| `location` | The location of the PolicyBinding. | true | true | IAM folder policy bindings must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | australia-southeast2 | global | +| `policy_binding_id` | The Policy Binding ID. | true | false | None | None | None | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | None | None | None | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. 
Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None | | `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Restricting policy kind prevents misuse of non-boundary IAM policies and reduces privilege escalation risk. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | -| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | true | Conditions can affect IAM authorization logic and access enforcement. 
| request.time < timestamp('2026-12-31T23:59:59Z') | true | +| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | false | None | None | None | ### target Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder). | false | true | Restricts policy bindings to approved folder-level principal sets to prevent unauthorized privilege escalation. 
| //cloudresourcemanager.googleapis.com/folders/123456789 | //cloudresourcemanager.googleapis.com/folders/999999999 | +| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder). | false | false | None | None | None | ### condition Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | Controls authorization logic and access restrictions through CEL expressions. | request.auth != null | true | -| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | Title is informational metadata only and does not affect IAM behavior. | None | None | -| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | Description is informational metadata only and does not affect IAM enforcement. | None | None | -| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | Location metadata is used only for debugging and error reporting. | None | None | +| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | false | None | None | None | +| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. 
| false | false | None | None | None | +| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None | +| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client.md b/docs/gcp/Cloud_IAM/iam_oauth_client.md index da2264108..d9772a59d 100644 --- a/docs/gcp/Cloud_IAM/iam_oauth_client.md +++ b/docs/gcp/Cloud_IAM/iam_oauth_client.md 
@@ -10,13 +10,13 @@ Reference: [Terraform Registry – iam_oauth_client](https://registry.terraform. | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `allowed_scopes` | Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. * `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups. | true | true | Restricting scopes enforces least privilege OAuth access and prevents over-permissioned identity delegation. | ['openid', 'email', 'groups'] | ['https://www.googleapis.com/auth/cloud-platform'] | -| `allowed_grant_types` | Required. The list of OAuth grant types is allowed for the OauthClient. | true | true | Ensures only approved OAuth flows are used to prevent insecure authentication mechanisms. | ['AUTHORIZATION_CODE_GRANT'] | ['IMPLICIT_GRANT'] | -| `allowed_redirect_uris` | Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. | true | true | Prevents open redirect attacks and ensures tokens are only sent to trusted endpoints. | ['https://www.example.com/callback'] | ['http://evil.com'] | +| `allowed_scopes` | Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. 
* `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups. | true | true | OAuth clients must only request approved least-privilege scopes and must not use overly broad scopes such as cloud-platform to reduce excessive access risks. | ['openid', 'email', 'groups'] | ['https://www.googleapis.com/auth/cloud-platform'] | +| `allowed_grant_types` | Required. The list of OAuth grant types is allowed for the OauthClient. | true | false | None | None | None | +| `allowed_redirect_uris` | Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. | true | false | None | None | None | | `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | OAuth clients must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | ['australia-southeast1', 'australia-southeast2'] | global | -| `oauth_client_id` | Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | true | Ensures predictable naming and avoids reserved prefix misuse. | example-client-01 | gcp-client-01 | -| `disabled` | Whether the OauthClient is disabled. You cannot use a disabled OAuth client. | false | true | Disabled clients cannot be used, reducing attack surface when not in use. | False | True | -| `display_name` | A user-specified display name of the OauthClient. Cannot exceed 32 characters. | false | false | Used only for identification purposes. 
| Enterprise OAuth Client | Very Long Invalid Name That Exceeds Limits | -| `description` | A user-specified description of the OauthClient. Cannot exceed 256 characters. | false | false | Provides documentation for audit and governance. | OAuth client for enterprise login | test | -| `client_type` | Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. Possible values: CLIENT_TYPE_UNSPECIFIED PUBLIC_CLIENT CONFIDENTIAL_CLIENT | false | true | Restricts OAuth clients to approved secure types only. | ['PUBLIC_CLIENT', 'CONFIDENTIAL_CLIENT'] | ['INTERNAL_CLIENT'] | -| `project` | If it is not provided, the provider project is used. | false | true | Ensures correct project-level IAM isolation. | smooth-verve-467716-v1 | | +| `oauth_client_id` | Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None | +| `disabled` | Whether the OauthClient is disabled. You cannot use a disabled OAuth client. | false | false | None | None | None | +| `display_name` | A user-specified display name of the OauthClient. Cannot exceed 32 characters. | false | false | None | None | None | +| `description` | A user-specified description of the OauthClient. Cannot exceed 256 characters. | false | false | None | None | None | +| `client_type` | Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. Possible values: CLIENT_TYPE_UNSPECIFIED PUBLIC_CLIENT CONFIDENTIAL_CLIENT | false | true | Restricts OAuth clients to approved secure types only. 
| ['PUBLIC_CLIENT', 'CONFIDENTIAL_CLIENT'] | ['CLIENT_TYPE_UNSPECIFIED'] | +| `project` | If it is not provided, the provider project is used. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md index 922023cb4..927c23549 100644 --- a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md +++ b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md 
@@ -10,9 +10,9 @@ Reference: [Terraform Registry – iam_oauth_client_credential](https://registry | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | Restricting location to global ensures consistent IAM control and avoids regional misconfiguration. | global | us-central1 | -| `oauthclient` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | Ensures OAuth credential is correctly linked to a valid parent OAuth client to prevent unauthorized binding. | example-client-id | invalid-client | -| `oauth_client_credential_id` | Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | true | Prevents use of reserved prefixes and ensures predictable, secure naming conventions. | cred-01a | gcp-cred-01a | -| `disabled` | Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. | false | true | Disabled credentials reduce risk of unauthorized authentication usage. | False | True | -| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | Used for readability and operational clarity only. | None | None | -| `project` | If it is not provided, the provider project is used. | false | true | Ensures correct project scoping for IAM isolation and prevents cross-project credential leakage. 
| smooth-verve-467716-v1 | | +| `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | OAuth client credentials must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | australia-southeast2 | global | +| `oauthclient` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | false | None | None | None | +| `oauth_client_credential_id` | Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None | +| `disabled` | Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. | false | false | None | None | None | +| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | None | None | None | +| `project` | If it is not provided, the provider project is used. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md index 56d3c3ede..4595c0f8c 100644 --- a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md +++ b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md 
@@ -10,27 +10,27 @@ Reference: [Terraform Registry – iam_organizations_policy_binding](https://reg | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | true | Defines the exact principal scope for IAM binding enforcement and prevents unauthorized identity expansion. | //cloudresourcemanager.googleapis.com/organizations/123456789 | //cloudresourcemanager.googleapis.com/projects/untrusted-project | -| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures binding only approved Principal Access Boundary policies within the organization. | organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1 | organizations/123456789/locations/global/principalAccessBoundaryPolicies/unknown-policy | -| `organization` | The parent organization of the Policy Binding. | true | true | Ensures IAM governance is enforced at the correct organizational boundary. | 123456789 | 999999999 | -| `location` | The location of the Policy Binding | true | true | Enforces centralized IAM policy binding control. | global | us-central1 | -| `policy_binding_id` | The Policy Binding ID. | true | true | Ensures unique identification of IAM policy bindings. | org-binding-001 | invalid binding id!! | -| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Improves readability and auditability. | None | None | -| `annotations` | Optional. User defined annotations. 
See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Used for governance, metadata tagging, and tracking purposes only. | None | None | -| `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Restricts IAM binding to secure boundary enforcement policies. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | -| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). 
| false | true | Allows conditional IAM enforcement based on attributes and contextual access restrictions. | request.time < timestamp('2026-12-31T00:00:00Z') | true | +| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | false | None | None | None | +| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | false | None | None | None | +| `organization` | The parent organization of the Policy Binding. | true | false | None | None | None | +| `location` | The location of the Policy Binding | true | true | Organization policy bindings must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | australia-southeast2 | global | +| `policy_binding_id` | The Policy Binding ID. | true | false | None | None | None | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | None | None | None | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None | +| `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | false | None | None | None | +| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. 
CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | false | None | None | None | ### target Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Organization `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` It must be parent by the policy binding's parent (the organization). | false | true | Ensures only approved identity domains such as organization, workforce, or workspace identities are used. 
| //cloudresourcemanager.googleapis.com/organizations/123456789 | //cloudresourcemanager.googleapis.com/organizations/000000000 | +| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Organization `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` It must be parent by the policy binding's parent (the organization). | false | false | None | None | None | ### condition Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | Controls IAM access behavior through conditional authorization logic. | request.time < timestamp('2026-12-31T00:00:00Z') | true | -| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | Used only for readability and operational clarity. | None | None | -| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | Provides human-readable explanation of the CEL condition only. | None | None | -| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | Used for debugging and error reporting purposes only. | None | None | +| `expression` | Textual representation of an expression in Common Expression Language syntax. 
| false | false | None | None | None | +| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None | +| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None | +| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md index 1efdf670a..92a7853dd 100644 --- a/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md +++ b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md 
@@ -10,25 +10,25 @@ Reference: [Terraform Registry – iam_principal_access_boundary_policy](https:/ | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `organization` | The parent organization of the principal access boundary policy. | true | true | Restricting policies to approved organizations ensures IAM governance boundaries and prevents cross-tenant privilege escalation. | PDE1, PDE2, PDE3 | random-org-123 | -| `location` | The location the principal access boundary policy is in. | true | true | Enforcing global location ensures consistent IAM policy enforcement and avoids regional misconfiguration risks. | global | us-central1 | -| `principal_access_boundary_policy_id` | The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/. | true | false | Ensures consistent naming conventions for policy identification and avoids invalid resource creation. | pab-policy-01 | PAB_POLICY_01 | -| `display_name` | The description of the principal access boundary policy. Must be less than or equal to 63 characters. | false | false | None | Standard Access Boundary Policy | Very long or unclear name exceeding limits | -| `annotations` | User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Used for auditability and classification of IAM policies. 
| env=prod, owner=security-team | free-form or unstructured metadata | -| `details` | Principal access boundary policy details Structure is [documented below](#nested_details). | false | true | Defines enforcement rules that restrict principal access to approved resources. | None | None | -| `rules` | | true | true | Rules define the actual enforcement of access boundaries across resources. | None | None | +| `organization` | The parent organization of the principal access boundary policy. | true | true | Principal Access Boundary policies must use only approved organization IDs to ensure proper IAM governance and organizational compliance. | ['PDE1', 'PDE2', 'PDE3'] | 234 | +| `location` | The location the principal access boundary policy is in. | true | true | Principal access boundary policies must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | ['australia-southeast1', 'australia-southeast2'] | global | +| `principal_access_boundary_policy_id` | The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/. | true | false | None | None | None | +| `display_name` | The description of the principal access boundary policy. Must be less than or equal to 63 characters. | false | false | None | None | None | +| `annotations` | User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None | +| `details` | Principal access boundary policy details Structure is [documented below](#nested_details). 
| false | false | None | None | None | +| `rules` | | false | false | None | None | None | ### details Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `rules` | A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is [documented below](#nested_details_rules). | true | true | Rules define which resources principals can access under the boundary policy. | ALLOW only approved organizations/projects/folders | ALLOW all or overly broad resources | -| `enforcement_version` | The version number that indicates which Google Cloud services are included in the enforcement (e.g. \"latest\", \"1\", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released. | false | false | Ensures controlled rollout of enforcement changes across services. | latest or pinned version | empty or unmanaged versioning | +| `rules` | A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is [documented below](#nested_details_rules). | true | false | None | None | None | +| `enforcement_version` | The version number that indicates which Google Cloud services are included in the enforcement (e.g. \"latest\", \"1\", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released. | false | false | None | None | None | ### rules Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `description` | The description of the principal access boundary policy rule. Must be less than or equal to 256 characters. 
| false | false | None | Allow access to approved project set only | Unrestricted or vague rule description | -| `resources` | A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`. | true | true | Restricts access to approved organizations, folders, or projects only. | ['//cloudresourcemanager.googleapis.com/organizations/123', '//cloudresourcemanager.googleapis.com/folders/123', '//cloudresourcemanager.googleapis.com/projects/approved-project'] | ['//cloudresourcemanager.googleapis.com/projects/*'] | -| `effect` | The access relationship of principals to the resources in this rule. Possible values: ALLOW | true | true | Defines whether access is allowed under the boundary policy. | ALLOW | DENY or undefined behavior | +| `description` | The description of the principal access boundary policy rule. Must be less than or equal to 256 characters. | false | false | None | None | None | +| `resources` | A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`. | true | false | None | None | None | +| `effect` | The access relationship of principals to the resources in this rule. 
Possible values: ALLOW | true | false | None | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md index df6503a6a..5d2fc461e 100644 --- a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md +++ b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md 
@@ -10,27 +10,27 @@ Reference: [Terraform Registry – iam_projects_policy_binding](https://registry | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | true | Restricts policy binding scope to approved project principals only, preventing unauthorized identity binding. | ['//cloudresourcemanager.googleapis.com/projects/approved-project-1', '//cloudresourcemanager.googleapis.com/projects/approved-project-2'] | ['//cloudresourcemanager.googleapis.com/projects/*', '//cloudresourcemanager.googleapis.com/projects/external-project'] | -| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures only approved IAM boundary policies are attached to projects. | organizations/123456789/locations/global/principalAccessBoundaryPolicies/approved-policy | organizations/123456789/locations/global/principalAccessBoundaryPolicies/unapproved-policy | -| `location` | The location of the Policy Binding | true | true | Enforcing global location ensures consistent IAM policy application across projects and prevents regional drift. | global | us-central1 | -| `policy_binding_id` | The Policy Binding ID. | true | false | Ensures consistent naming and traceability of policy bindings. | project-binding-01 | INVALID_BINDING | -| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | Used for human-readable identification only. | Project IAM Binding Policy | Very long or unclear name exceeding limits | -| `annotations` | Optional. User defined annotations. 
See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Used for tagging, auditing, and governance tracking. | env=prod, team=security | random unstructured metadata | -| `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Ensures only Principal Access Boundary policies are enforced for security isolation. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS, POLICY_KIND_UNSPECIFIED | -| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. 
See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | true | Allows fine-grained IAM control based on runtime conditions. | document.type != 'internal' | true (unrestricted access) | -| `project` | If it is not provided, the provider project is used. | false | true | Ensures correct project-level IAM isolation and prevents cross-project misconfiguration. | approved-project-id | external-project-id | +| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | true | Restricts policy binding scope to approved project principals only, preventing unauthorized identity binding. | //cloudresourcemanager.googleapis.com/projects/approved-project-1 | //cloudresourcemanager.googleapis.com/projects/random-external-project | +| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | false | None | None | None | +| `location` | The location of the Policy Binding | true | true | Project policy binding location must be restricted to approved Australia regions to meet organizational residency and compliance requirements. | ['australia-southeast1', 'australia-southeast2'] | global | +| `policy_binding_id` | The Policy Binding ID. | true | false | None | None | None | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | None | None | None | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. 
| false | false | None | None | None | +| `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Ensures only Principal Access Boundary policies are enforced for security isolation. | PRINCIPAL_ACCESS_BOUNDARY | ['ACCESS', 'POLICY_KIND_UNSPECIFIED'] | +| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | false | None | None | None | +| `project` | If it is not provided, the provider project is used. 
| false | false | None | None | None | ### target Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Project: * `//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER` * `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID` * Workload Identity Pool: `//iam.googleapis.com/projects/PROJECT_NUMBER/locations/LOCATION/workloadIdentityPools/WORKLOAD_POOL_ID` It must be parent by the policy binding's parent (the project). | false | true | Ensures only approved project-level principals can be assigned IAM boundaries. | ['//cloudresourcemanager.googleapis.com/projects/approved-project-1', '//cloudresourcemanager.googleapis.com/projects/approved-project-2'] | ['//cloudresourcemanager.googleapis.com/projects/*', '//cloudresourcemanager.googleapis.com/projects/external-*'] | +| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. | false | true | Project policy binding must only allow approved project-level principals to reduce unauthorized access exposure. | //cloudresourcemanager.googleapis.com/projects/approved-project-1 | //cloudresourcemanager.googleapis.com/projects/random-external-project | ### condition Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | Controls conditional IAM enforcement. 
| None | None | +| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | false | None | None | None | | `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None | | `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None | | `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None |
From 158343ff578e0f9e41b45a8c83ea47276cd06745 Mon Sep 17 00:00:00 2001 From: 224774388deakin Date: Fri, 22 May 2026 00:58:21 +1000 Subject: [PATCH 90/91] fix folder policy --- .../policy_validation/policy.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/policy.rego b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/policy.rego
index c9e0f93c8..00bda31a5 100644
--- a/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/policy.rego
+++ b/policies/gcp/Cloud_IAM/google_iam_folders_policy_binding/policy_validation/policy.rego
@@ -16,8 +16,8 @@ conditions := [ "condition": "Validate policy field", "attribute_path": ["policy"], "values": [
-        "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-1",
-        "organizations/123456789/locations/global/principalAccessBoundaryPolicies/pde-policy-2"
+        "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy-1",
+        "organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy-1"
 ], "policy_type": "whitelist" }
From b2b0f7899eb326ca2f246282f7de7bdf893941c1 Mon Sep 17 00:00:00 2001
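Review bot: The new `values` whitelist lists `organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy-1` twice and no longer contains `pde-policy-2`, so folder bindings to the second policy are now rejected by a change whose message only says it fixes the folder policy; the second added line should presumably end in `.../pde-policy-2`. The location segment also moves from `global` to `australia-southeast2`; as far as I know principal access boundary policies are only created under `locations/global` (the provider examples use `global`), so a whitelist that admits only regional names may never match a real policy resource name — worth confirming against the IAM API before merging. Because the check is a whitelist, an entry that can never match is a silent deny rather than a visible error. The `conditions` array continues outside the hunk.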
From: 224774388deakin Date: Sun, 24 May 2026 16:23:17 +1000 Subject: [PATCH 91/91] fix folder policy --- .../Cloud_IAM/iam_access_boundary_policy.md | 6 +-- docs/gcp/Cloud_IAM/iam_deny_policy.md | 6 +-- .../Cloud_IAM/iam_folders_policy_binding.md | 22 ++++---- docs/gcp/Cloud_IAM/iam_oauth_client.md | 14 ++--- .../Cloud_IAM/iam_oauth_client_credential.md | 10 ++-- .../iam_organizations_policy_binding.md | 26 ++++----- .../iam_principal_access_boundary_policy.md | 20 +++---- .../Cloud_IAM/iam_projects_policy_binding.md | 20 +++---- docs/gcp/Cloud_IAM/iam_workforce_pool.md | 6 +-- docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md | 6 +-- .../Cloud_IAM/iam_workforce_pool_provider.md | 6 +-- .../iam_workforce_pool_provider_key.md | 6 +-- .../Cloud_IAM/iam_workload_identity_pool.md | 6 +-- .../iam_workload_identity_pool_iam.md | 6 +-- ...workload_identity_pool_managed_identity.md | 6 +-- .../iam_workload_identity_pool_namespace.md | 6 +-- .../iam_workload_identity_pool_provider.md | 6 +-- .../iam_access_boundary_policy.json | 4 +- .../resource_json/iam_deny_policy.json | 2 +- .../iam_folders_policy_binding.json | 44 +++++++-------- .../resource_json/iam_oauth_client.json | 28 +++++----- .../iam_oauth_client_credential.json | 20 +++---- .../iam_organizations_policy_binding.json | 54 +++++++++---------- .../iam_principal_access_boundary_policy.json | 40 +++++++------- .../iam_projects_policy_binding.json | 42 +++++++-------- .../resource_json/iam_workforce_pool.json | 2 +- .../resource_json/iam_workforce_pool_iam.json | 2 +- .../iam_workforce_pool_provider.json | 2 +- .../iam_workforce_pool_provider_key.json | 2 +- .../iam_workload_identity_pool.json | 2 +- .../iam_workload_identity_pool_iam.json | 2 +- ...rkload_identity_pool_managed_identity.json | 2 +- .../iam_workload_identity_pool_namespace.json | 2 +- .../iam_workload_identity_pool_provider.json | 2 +- 34 files changed, 215 insertions(+), 215 deletions(-) 
diff --git a/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md b/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md
index c5cb83659..de3e20aa0 100644
--- a/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md
+++ b/docs/gcp/Cloud_IAM/iam_access_boundary_policy.md
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_access_boundary_policy`
+## 🛡️ Policy Deployment Engine: `iam_access_boundary_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_access_boundary_policy` resource in GCP.
+This section provides a concise policy evaluation for the `iam_access_boundary_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_access_boundary_policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_access_boundary_policy)
+Reference: [Terraform Registry – iam_access_boundary_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_access_boundary_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/iam_deny_policy.md b/docs/gcp/Cloud_IAM/iam_deny_policy.md
index dcf2a50d9..40ef6a601 100644
--- a/docs/gcp/Cloud_IAM/iam_deny_policy.md
+++ b/docs/gcp/Cloud_IAM/iam_deny_policy.md
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_deny_policy`
+## 🛡️ Policy Deployment Engine: `iam_deny_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_deny_policy` resource in GCP.
+This section provides a concise policy evaluation for the `iam_deny_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_deny_policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_deny_policy)
+Reference: [Terraform Registry – iam_deny_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_deny_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
index 2d5f6cbbc..6a02e0dc1 100644
--- a/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
+++ b/docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
@@ -10,27 +10,27 @@ Reference: [Terraform Registry – iam_folders_policy_binding](https://registry. | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | false | None | None | None | +| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | true | The target defines where the IAM policy is applied, which directly affects access control scope. | None | None | | `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures only approved organization-level IAM policies are attached to folder bindings. | organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy-1 | organizations/999999999/locations/australia-southeast2/principalAccessBoundaryPolicies/unknown-policy | -| `folder` | The parent folder for the PolicyBinding. | true | false | None | None | None | +| `folder` | The parent folder for the PolicyBinding. | true | true | Using the correct folder ensures IAM policies are applied only to approved organizational resources. | None | None | | `location` | The location of the PolicyBinding. | true | true | IAM folder policy bindings must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | australia-southeast2 | global | -| `policy_binding_id` | The Policy Binding ID. | true | false | None | None | None | -| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. 
| false | false | None | None | None | -| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None | +| `policy_binding_id` | The Policy Binding ID. | true | false | This field identifies the policy binding resource but does not directly control security behavior. | None | None | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | This field is used only for readability and identification purposes. | None | None | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Annotations are metadata fields and do not directly affect IAM policy enforcement. | None | None | | `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Restricting policy kind prevents misuse of non-boundary IAM policies and reduces privilege escalation risk. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS | -| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. 
Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | false | None | None | None | +| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. 
Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | true | Conditions control when and how access is granted, which directly affects IAM security enforcement. | None | None | ### target Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder). | false | false | None | None | None | +| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. 
Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder). | false | true | The principal set determines which identities are affected by the policy binding. | None | None | ### condition Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | false | None | None | None | -| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None | -| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None | -| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None | +| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | The expression defines the actual access restriction logic used by the IAM condition. | None | None | +| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | The title is only used for readability and documentation purposes. | None | None | +| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | The description provides documentation but does not affect policy behavior. | None | None | +| `location` | Optional. 
String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | This field is used for debugging and error tracking only. | None | None | diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client.md b/docs/gcp/Cloud_IAM/iam_oauth_client.md index d9772a59d..d06e93fd1 100644 --- a/docs/gcp/Cloud_IAM/iam_oauth_client.md +++ b/docs/gcp/Cloud_IAM/iam_oauth_client.md 
@@ -11,12 +11,12 @@ Reference: [Terraform Registry – iam_oauth_client](https://registry.terraform. | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `allowed_scopes` | Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. * `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups. | true | true | OAuth clients must only request approved least-privilege scopes and must not use overly broad scopes such as cloud-platform to reduce excessive access risks. | ['openid', 'email', 'groups'] | ['https://www.googleapis.com/auth/cloud-platform'] | -| `allowed_grant_types` | Required. The list of OAuth grant types is allowed for the OauthClient. | true | false | None | None | None | -| `allowed_redirect_uris` | Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. | true | false | None | None | None | +| `allowed_grant_types` | Required. The list of OAuth grant types is allowed for the OauthClient. | true | true | Restricting grant types helps prevent insecure authentication flows and unauthorized token usage. | None | None | +| `allowed_redirect_uris` | Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. | true | true | Restricting redirect URIs helps prevent token leakage and unauthorized redirection attacks. | None | None | | `location` | Resource ID segment making up resource `name`. 
It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | OAuth clients must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | ['australia-southeast1', 'australia-southeast2'] | global | -| `oauth_client_id` | Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None | -| `disabled` | Whether the OauthClient is disabled. You cannot use a disabled OAuth client. | false | false | None | None | None | -| `display_name` | A user-specified display name of the OauthClient. Cannot exceed 32 characters. | false | false | None | None | None | -| `description` | A user-specified description of the OauthClient. Cannot exceed 256 characters. | false | false | None | None | None | +| `oauth_client_id` | Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | This field uniquely identifies the OAuth client resource but does not directly affect security enforcement. | None | None | +| `disabled` | Whether the OauthClient is disabled. You cannot use a disabled OAuth client. | false | true | Disabling unused or compromised OAuth clients helps prevent unauthorized access. | None | None | +| `display_name` | A user-specified display name of the OauthClient. Cannot exceed 32 characters. | false | false | This field is used only for readability and identification purposes. 
| None | None |
+| `description` | A user-specified description of the OauthClient. Cannot exceed 256 characters. | false | false | This field provides additional documentation but does not affect security behavior. | None | None |
 | `client_type` | Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. Possible values: CLIENT_TYPE_UNSPECIFIED PUBLIC_CLIENT CONFIDENTIAL_CLIENT | false | true | Restricts OAuth clients to approved secure types only. | ['PUBLIC_CLIENT', 'CONFIDENTIAL_CLIENT'] | ['CLIENT_TYPE_UNSPECIFIED'] |
-| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
+| `project` | If it is not provided, the provider project is used. | false | true | The project determines where the OAuth client is created and which resources it can access. | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md
index 927c23549..ab4f3bf45 100644
--- a/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md
+++ b/docs/gcp/Cloud_IAM/iam_oauth_client_credential.md
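Review bot: `allowed_grant_types` and `allowed_redirect_uris` are promoted to Security Impact true in this hunk but both keep Compliant and Non-Compliant as None, so the engine has nothing to evaluate on the two fields that decide whether an authorization code or token can be intercepted. I would fill them the way `allowed_scopes` is filled: Compliant redirect URIs limited to exact `https://` URLs on organization-owned hosts, Non-Compliant `http://`, wildcard or loopback entries; Compliant grant types limited to the authorization-code flow (plus refresh if needed), Non-Compliant any other grant. The `client_type` row lists `PUBLIC_CLIENT` as Compliant under a rationale of "approved secure types"; a public client cannot hold a secret, so if that is deliberate the rationale should state the compensating requirement, e.g. `Public clients must use PKCE and must never be issued an OauthClientCredential.` The new `project` rationale, "which resources it can access", is misleading: the client is created in a project but gains no access from it, access comes only from IAM bindings on the federated principals, so `The project only determines where the client resource lives and who can administer it.` is the accurate wording.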
@@ -11,8 +11,8 @@ Reference: [Terraform Registry – iam_oauth_client_credential](https://registry | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | OAuth client credentials must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | australia-southeast2 | global | -| `oauthclient` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | false | None | None | None | -| `oauth_client_credential_id` | Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None | -| `disabled` | Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. | false | false | None | None | None | -| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | None | None | None | -| `project` | If it is not provided, the provider project is used. | false | false | None | None | None | +| `oauthclient` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | The OAuth client determines which application can use the credential for authentication and access. | None | None | +| `oauth_client_credential_id` | Required. 
The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | This field is used to uniquely identify the OAuth credential resource. | None | None |
+| `disabled` | Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. | false | true | Disabling unused or compromised credentials helps prevent unauthorized access. | None | None |
+| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | This field is used only for readability and identification purposes. | None | None |
+| `project` | If it is not provided, the provider project is used. | false | true | The project determines where the OAuth credential is created and which resources it can access. | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md
index 4595c0f8c..8821ac33d 100644
--- a/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md
+++ b/docs/gcp/Cloud_IAM/iam_organizations_policy_binding.md
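Review bot: Nothing in this table says that the resource represents a client secret, which is its only security-relevant property; the provider presumably returns the generated secret as a computed attribute, which means it lands in Terraform state and in any plan output, and that caveat belongs in the page. I would add a short note above the table, e.g. `> Note: the generated client secret is stored in Terraform state; protect the state backend and rotate the credential (create a new one, then set disabled = true on the old) rather than editing it in place.` The `project` rationale, "which resources it can access", repeats the wording from the OAuth client page and is inaccurate for a credential as well: the project is only where the credential is administered, not a source of access.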
@@ -10,27 +10,27 @@ Reference: [Terraform Registry – iam_organizations_policy_binding](https://reg | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | false | None | None | None | -| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | false | None | None | None | -| `organization` | The parent organization of the Policy Binding. | true | false | None | None | None | +| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | true | The target defines where the IAM policy is applied, which directly affects access control scope. | None | None | +| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures only approved IAM policies are attached to organization policy bindings. | None | None | +| `organization` | The parent organization of the Policy Binding. | true | true | Using the correct organization ensures IAM policies are applied only to approved organizational resources. | None | None | | `location` | The location of the Policy Binding | true | true | Organization policy bindings must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | australia-southeast2 | global | -| `policy_binding_id` | The Policy Binding ID. | true | false | None | None | None | -| `display_name` | Optional. The description of the policy binding. 
Must be less than or equal to 63 characters. | false | false | None | None | None | -| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None | -| `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | false | None | None | None | -| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). 
| false | false | None | None | None | +| `policy_binding_id` | The Policy Binding ID. | true | false | This field identifies the policy binding resource but does not directly affect security enforcement. | None | None | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | This field is used only for readability and identification purposes. | None | None | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Annotations are metadata fields and do not directly affect IAM policy enforcement. | None | None | +| `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Restricting policy kind prevents misuse of incorrect IAM policy types and reduces privilege escalation risk. | None | None | +| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. | false | true | Conditions control when and how access is granted, which directly affects IAM security enforcement. | None | None | ### target Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. 
Examples for each one of the following supported principal set types: * Organization `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` It must be parent by the policy binding's parent (the organization). | false | false | None | None | None | +| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Organization `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` It must be parent by the policy binding's parent (the organization). | false | true | The principal set determines which identities are affected by the policy binding. | None | None | ### condition Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | false | None | None | None | -| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None | -| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None | -| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. 
| false | false | None | None | None |
+| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | The expression defines the actual access restriction logic used by the IAM condition. | None | None |
+| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | The title is used only for readability and documentation purposes. | None | None |
+| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | The description provides documentation but does not affect policy behavior. | None | None |
+| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | This field is used for debugging and error tracking only. | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
index 92a7853dd..10d0898cd 100644
--- a/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
+++ b/docs/gcp/Cloud_IAM/iam_principal_access_boundary_policy.md
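Review bot: `policy_kind` is marked Security Impact true here with a rationale about preventing the wrong policy type, yet Compliant and Non-Compliant stay None, while the sibling project-binding page in this same patch pins `PRINCIPAL_ACCESS_BOUNDARY` as Compliant and `['ACCESS', 'POLICY_KIND_UNSPECIFIED']` as Non-Compliant; the organization binding has the larger blast radius and should carry the same values. The rewritten `condition` row also drops `Structure is [documented below](#nested_condition)` although the condition block is still present further down; keep the link. The `policy` and `target.principal_set` rows would be more useful with the constraint the descriptions already imply spelled out as values, e.g. Compliant `policies and principal sets under the binding's own organization`, Non-Compliant `any policy or principal set under a different organization`.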
@@ -12,23 +12,23 @@ Reference: [Terraform Registry – iam_principal_access_boundary_policy](https:/ |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `organization` | The parent organization of the principal access boundary policy. | true | true | Principal Access Boundary policies must use only approved organization IDs to ensure proper IAM governance and organizational compliance. | ['PDE1', 'PDE2', 'PDE3'] | 234 | | `location` | The location the principal access boundary policy is in. | true | true | Principal access boundary policies must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | ['australia-southeast1', 'australia-southeast2'] | global | -| `principal_access_boundary_policy_id` | The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/. | true | false | None | None | None | -| `display_name` | The description of the principal access boundary policy. Must be less than or equal to 63 characters. | false | false | None | None | None | -| `annotations` | User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None | -| `details` | Principal access boundary policy details Structure is [documented below](#nested_details). | false | false | None | None | None | -| `rules` | | false | false | None | None | None | +| `principal_access_boundary_policy_id` | The ID to use to create the principal access boundary policy. 
This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/. | true | false | This field uniquely identifies the principal access boundary policy resource. | None | None | +| `display_name` | The description of the principal access boundary policy. Must be less than or equal to 63 characters. | false | false | This field is used only for readability and identification purposes. | None | None | +| `annotations` | User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Annotations are metadata fields and do not directly affect IAM policy enforcement. | None | None | +| `details` | Principal access boundary policy details Structure is [documented below](#nested_details). | false | true | The details section defines how the principal access boundary policy is enforced. | None | None | +| `rules` | | false | true | Rules define the allowed access boundaries for principals. | None | None | ### details Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `rules` | A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is [documented below](#nested_details_rules). | true | false | None | None | None | -| `enforcement_version` | The version number that indicates which Google Cloud services are included in the enforcement (e.g. \"latest\", \"1\", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released. 
| false | false | None | None | None | +| `rules` | A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is [documented below](#nested_details_rules). | true | true | Rules define which resources principals are allowed to access. | None | None | +| `enforcement_version` | The version number that indicates which Google Cloud services are included in the enforcement (e.g. \"latest\", \"1\", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released. | false | true | The enforcement version controls which services are covered by the security policy enforcement. | None | None | ### rules Block | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `description` | The description of the principal access boundary policy rule. Must be less than or equal to 256 characters. | false | false | None | None | None | -| `resources` | A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`. | true | false | None | None | None | -| `effect` | The access relationship of principals to the resources in this rule. Possible values: ALLOW | true | false | None | None | None | +| `description` | The description of the principal access boundary policy rule. Must be less than or equal to 256 characters. 
| false | false | This field is used only for documentation and readability purposes. | None | None |
+| `resources` | A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`. | true | true | Resources define which cloud resources are included within the access boundary policy scope. | None | None |
+| `effect` | The access relationship of principals to the resources in this rule. Possible values: ALLOW | true | true | The effect determines whether access to resources is permitted under the policy rule. | None | None |
diff --git a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
index 5d2fc461e..9e95f0efe 100644
--- a/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
+++ b/docs/gcp/Cloud_IAM/iam_projects_policy_binding.md
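Review bot: `enforcement_version` is marked Security Impact true with the rationale that it controls which services are covered, but no Compliant or Non-Compliant value is given; by the row's own description an empty value is pinned to the version current at creation and never advances, so a policy left empty silently stops covering services added afterwards. I would state the expectation explicitly, e.g. Compliant `the current enforcement version, reviewed on each release`, Non-Compliant `empty or a stale pinned version`; whether an explicit `latest` string tracks new releases is not established by this hunk, so confirm against the API before encoding it. The `organization` row's Compliant list `['PDE1', 'PDE2', 'PDE3']` and Non-Compliant `234` read as placeholders rather than numeric organization IDs, and the top-level `rules` row with an empty description appears to duplicate `details.rules`; both should be tidied before the page drives enforcement. `details.rules.resources` should also require that listed resources sit under the policy's own organization, since that list is the boundary the policy actually enforces.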
@@ -11,14 +11,14 @@ Reference: [Terraform Registry – iam_projects_policy_binding](https://registry | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| | `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | true | Restricts policy binding scope to approved project principals only, preventing unauthorized identity binding. | //cloudresourcemanager.googleapis.com/projects/approved-project-1 | //cloudresourcemanager.googleapis.com/projects/random-external-project | -| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | false | None | None | None | +| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures only approved IAM policies are attached to project policy bindings. | None | None | | `location` | The location of the Policy Binding | true | true | Project policy binding location must be restricted to approved Australia regions to meet organizational residency and compliance requirements. | ['australia-southeast1', 'australia-southeast2'] | global | -| `policy_binding_id` | The Policy Binding ID. | true | false | None | None | None | -| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | None | None | None | -| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. 
Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None | +| `policy_binding_id` | The Policy Binding ID. | true | false | This field uniquely identifies the policy binding resource but does not directly affect security enforcement. | None | None | +| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | This field is used only for readability and identification purposes. | None | None | +| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | Annotations are metadata fields and do not directly affect IAM policy enforcement. | None | None | | `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Ensures only Principal Access Boundary policies are enforced for security isolation. | PRINCIPAL_ACCESS_BOUNDARY | ['ACCESS', 'POLICY_KIND_UNSPECIFIED'] | -| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. 
Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | false | None | None | None | -| `project` | If it is not provided, the provider project is used. | false | false | None | None | None | +| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. | false | true | Conditions control when and how access is granted, which directly affects IAM security enforcement. | None | None | +| `project` | If it is not provided, the provider project is used. | false | true | The project determines where the policy binding is created and which resources are affected. | None | None | ### target Block 
@@ -30,7 +30,7 @@ Reference: [Terraform Registry – iam_projects_policy_binding](https://registry | Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant | |----------|-------------|----------|-----------------|-----------|-----------|---------------| -| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | false | None | None | None | -| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None | -| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None | -| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None | +| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | true | The expression defines the actual access restriction logic used by the IAM condition. | None | None | +| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | The title is used only for readability and documentation purposes. | None | None | +| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | The description provides documentation but does not affect policy behavior. | None | None | +| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | This field is used for debugging and error tracking only. | None | None | 
diff --git a/docs/gcp/Cloud_IAM/iam_workforce_pool.md b/docs/gcp/Cloud_IAM/iam_workforce_pool.md index f5be42d82..54350fd73 100644 --- a/docs/gcp/Cloud_IAM/iam_workforce_pool.md +++ b/docs/gcp/Cloud_IAM/iam_workforce_pool.md @@ -1,8 +1,8 @@ -## 🛡️ Policy Deployment Engine: `iam_workforce_pool` +## 🛡️ Policy Deployment Engine: `iam_workforce_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER` -This section provides a concise policy evaluation for the `iam_workforce_pool` resource in GCP. +This section provides a concise policy evaluation for the `iam_workforce_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP. -Reference: [Terraform Registry – iam_workforce_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool) +Reference: [Terraform Registry – iam_workforce_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER) --- diff --git a/docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md b/docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md index 6984accfa..8bb2598e9 100644 --- a/docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md +++ b/docs/gcp/Cloud_IAM/iam_workforce_pool_iam.md 
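Review bot: The suffix ` - WILL NOT BE COMPLETED IN ONE TRIMESTER` has been spliced into the Terraform Registry URL on the Reference line, which breaks the link, and into the backticked resource name in the heading and first sentence, so anything that keys on the resource name will stop matching; the same edit is repeated in the three workforce-pool sibling files in this patch. Keep the resource name and URL intact and put the status on its own line under the heading, e.g. `> **Status:** not scheduled for this trimester — no policy rules are defined for this resource yet.` That callout should also say why it matters: workforce pools, providers and provider keys are the trust anchors for external identity federation, so until rules exist the engine has no coverage of who is allowed to federate into the organization.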
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_workforce_pool_iam`
+## 🛡️ Policy Deployment Engine: `iam_workforce_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_workforce_pool_iam` resource in GCP.
+This section provides a concise policy evaluation for the `iam_workforce_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_workforce_pool_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool_iam)
+Reference: [Terraform Registry – iam_workforce_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/iam_workforce_pool_provider.md b/docs/gcp/Cloud_IAM/iam_workforce_pool_provider.md
index 4e97ed001..f40b5b530 100644
--- a/docs/gcp/Cloud_IAM/iam_workforce_pool_provider.md
+++ b/docs/gcp/Cloud_IAM/iam_workforce_pool_provider.md
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_workforce_pool_provider`
+## 🛡️ Policy Deployment Engine: `iam_workforce_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_workforce_pool_provider` resource in GCP.
+This section provides a concise policy evaluation for the `iam_workforce_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_workforce_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool_provider)
+Reference: [Terraform Registry – iam_workforce_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/iam_workforce_pool_provider_key.md b/docs/gcp/Cloud_IAM/iam_workforce_pool_provider_key.md
index 91883b7b5..b7ad1b07d 100644
--- a/docs/gcp/Cloud_IAM/iam_workforce_pool_provider_key.md
+++ b/docs/gcp/Cloud_IAM/iam_workforce_pool_provider_key.md
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_workforce_pool_provider_key`
+## 🛡️ Policy Deployment Engine: `iam_workforce_pool_provider_key - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_workforce_pool_provider_key` resource in GCP.
+This section provides a concise policy evaluation for the `iam_workforce_pool_provider_key - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_workforce_pool_provider_key](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool_provider_key)
+Reference: [Terraform Registry – iam_workforce_pool_provider_key - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workforce_pool_provider_key - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool.md
index 5b51fdd84..6100ffc87 100644
--- a/docs/gcp/Cloud_IAM/iam_workload_identity_pool.md
+++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool.md
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool`
+## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_workload_identity_pool` resource in GCP.
+This section provides a concise policy evaluation for the `iam_workload_identity_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_workload_identity_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool)
+Reference: [Terraform Registry – iam_workload_identity_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_iam.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_iam.md
index ece2fba2c..e1f5ff89c 100644
--- a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_iam.md
+++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_iam.md
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_iam`
+## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_workload_identity_pool_iam` resource in GCP.
+This section provides a concise policy evaluation for the `iam_workload_identity_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_workload_identity_pool_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_iam)
+Reference: [Terraform Registry – iam_workload_identity_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_managed_identity.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_managed_identity.md
index a57a2e6d0..3affceebd 100644
--- a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_managed_identity.md
+++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_managed_identity.md
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_managed_identity`
+## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_managed_identity - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_workload_identity_pool_managed_identity` resource in GCP.
+This section provides a concise policy evaluation for the `iam_workload_identity_pool_managed_identity - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_workload_identity_pool_managed_identity](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_managed_identity)
+Reference: [Terraform Registry – iam_workload_identity_pool_managed_identity - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_managed_identity - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_namespace.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_namespace.md
index c89e47163..d980d4e31 100644
--- a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_namespace.md
+++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_namespace.md
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_namespace`
+## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_namespace - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_workload_identity_pool_namespace` resource in GCP.
+This section provides a concise policy evaluation for the `iam_workload_identity_pool_namespace - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_workload_identity_pool_namespace](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_namespace)
+Reference: [Terraform Registry – iam_workload_identity_pool_namespace - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_namespace - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_provider.md b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_provider.md
index d9e42c86a..9dff68d01 100644
--- a/docs/gcp/Cloud_IAM/iam_workload_identity_pool_provider.md
+++ b/docs/gcp/Cloud_IAM/iam_workload_identity_pool_provider.md
@@ -1,8 +1,8 @@
-## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_provider`
+## 🛡️ Policy Deployment Engine: `iam_workload_identity_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER`
-This section provides a concise policy evaluation for the `iam_workload_identity_pool_provider` resource in GCP.
+This section provides a concise policy evaluation for the `iam_workload_identity_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER` resource in GCP.
-Reference: [Terraform Registry – iam_workload_identity_pool_provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider)
+Reference: [Terraform Registry – iam_workload_identity_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER)
 ---
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json
index f5e78fb01..4543c5f51 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_access_boundary_policy.json
@@ -1,5 +1,5 @@
-{
- "resource_name": "iam_access_boundary_policy",
+{
+ "resource_name": "iam_access_boundary_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER" ,
 "subcategory": "Cloud IAM",
 "arguments": {
 "name": {
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json
index 656e17ee7..0454ec214 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_deny_policy.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_deny_policy",
+ "resource_name": "iam_deny_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "name": {
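Review bot: The new `resource_name` value `iam_access_boundary_policy - WILL NOT BE COMPLETED IN ONE TRIMESTER` no longer equals the Terraform resource type this file describes, so anything that keys on the field to pair the JSON with its resource or with its markdown page will stop matching; the iam_deny_policy.json hunk on this same line has the same problem, and the matching `.md` pages now embed the suffix (with spaces) inside the registry URL, breaking the link. Keep the field machine-readable, `"resource_name": "iam_access_boundary_policy",`, and carry the scheduling note in a dedicated field such as `"status": "deferred",` or in the markdown heading only. The stray space before the comma on the access-boundary line is legal JSON but suggests a hand edit that a JSON lint step in CI would have caught.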
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
index ed6780224..eac3dc9b5 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_folders_policy_binding.json
@@ -5,8 +5,8 @@
 "target": {
 "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target).",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The target defines where the IAM policy is applied, which directly affects access control scope.",
 "compliant": null,
 "non-compliant": null,
 "parent": null,
@@ -14,8 +14,8 @@
 "principal_set": {
 "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder).",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The principal set determines which identities are affected by the policy binding.",
 "compliant": null,
 "non-compliant": null,
 "parent": "target"
@@ -34,8 +34,8 @@
 "folder": {
 "description": "The parent folder for the PolicyBinding.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Using the correct folder ensures IAM policies are applied only to approved organizational resources.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -52,8 +52,8 @@
 "policy_binding_id": {
 "description": "The Policy Binding ID.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field identifies the policy binding resource but does not directly control security behavior.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -61,8 +61,8 @@
 "display_name": {
 "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used only for readability and identification purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -70,8 +70,8 @@
 "annotations": {
 "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "Annotations are metadata fields and do not directly affect IAM policy enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -88,8 +88,8 @@
 "condition": {
 "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Conditions control when and how access is granted, which directly affects IAM security enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null,
@@ -97,8 +97,8 @@
 "expression": {
 "description": "Textual representation of an expression in Common Expression Language syntax.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The expression defines the actual access restriction logic used by the IAM condition.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -106,8 +106,8 @@
 "title": {
 "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "The title is only used for readability and documentation purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -115,8 +115,8 @@
 "description": {
 "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "The description provides documentation but does not affect policy behavior.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -124,8 +124,8 @@
 "location": {
 "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used for debugging and error tracking only.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
index cedc535c0..41d4e086c 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client.json
@@ -14,8 +14,8 @@
 "allowed_grant_types": {
 "description": "Required. The list of OAuth grant types is allowed for the OauthClient.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Restricting grant types helps prevent insecure authentication flows and unauthorized token usage.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -23,8 +23,8 @@
 "allowed_redirect_uris": {
 "description": "Required. The list of redirect uris that is allowed to redirect back when authorization process is completed.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Restricting redirect URIs helps prevent token leakage and unauthorized redirection attacks.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -41,8 +41,8 @@
 "oauth_client_id": {
 "description": "Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field uniquely identifies the OAuth client resource but does not directly affect security enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -50,8 +50,8 @@
 "disabled": {
 "description": "Whether the OauthClient is disabled. You cannot use a disabled OAuth client.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Disabling unused or compromised OAuth clients helps prevent unauthorized access.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -59,8 +59,8 @@
 "display_name": {
 "description": "A user-specified display name of the OauthClient. Cannot exceed 32 characters.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used only for readability and identification purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
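Review bot: `allowed_redirect_uris` is flagged `security_impact: true` with a rationale about redirection attacks, yet `compliant` and `non-compliant` are left `null`, so the entry names a risk without telling the engine or a reviewer what an acceptable value looks like. This is the field that stops an authorization code from being delivered to an attacker-controlled URI, so I'd populate both: compliant an exact `https://` callback URL, non-compliant an `http://`, wildcard or user-controlled host. `allowed_grant_types` in the preceding hunk has the same gap; since its rationale already speaks of insecure flows, its non-compliant example should name the flow it means (the implicit grant is the usual candidate — confirm which grant types the IAM OAuth client actually accepts).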
@@ -68,8 +68,8 @@
 "description": {
 "description": "A user-specified description of the OauthClient. Cannot exceed 256 characters.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field provides additional documentation but does not affect security behavior.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -86,8 +86,8 @@
 "project": {
 "description": "If it is not provided, the provider project is used.",
 "required": null,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The project determines where the OAuth client is created and which resources it can access.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
index e275c0a0f..fba64fd3d 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_oauth_client_credential.json
@@ -14,8 +14,8 @@
 "oauthclient": {
 "description": "Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The OAuth client determines which application can use the credential for authentication and access.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
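Review bot: The `project` rationale `The project determines where the OAuth client is created and which resources it can access.` claims more than the field does: per its own description it only picks the project the client is created in (falling back to the provider project), while what the client can reach is set by its grant types, redirect URIs and whatever IAM bindings the identities authenticating through it receive, none of which this field controls. I'd narrow it to `Selects the project that owns the OAuth client, and therefore which project-level IAM and audit controls govern it.`, which also makes the `security_impact: true` flag defensible despite `required` being `null`. The identical sentence is reused for `project` in iam_oauth_client_credential.json further down and should be corrected there too.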
@@ -23,8 +23,8 @@
 "oauth_client_credential_id": {
 "description": "Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used to uniquely identify the OAuth credential resource.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -32,8 +32,8 @@
 "disabled": {
 "description": "Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Disabling unused or compromised credentials helps prevent unauthorized access.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -41,8 +41,8 @@
 "display_name": {
 "description": "A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used only for readability and identification purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -50,8 +50,8 @@
 "project": {
 "description": "If it is not provided, the provider project is used.",
 "required": null,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The project determines where the OAuth credential is created and which resources it can access.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json
index 708fc3e4e..ba3a01d3d 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_organizations_policy_binding.json
@@ -5,8 +5,8 @@
 "target": {
 "description": "Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target).",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The target defines where the IAM policy is applied, which directly affects access control scope.",
 "compliant": null,
 "non-compliant": null,
 "parent": null,
@@ -14,8 +14,8 @@
 "principal_set": {
 "description": "Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Organization `//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID` * Workforce Identity: `//iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID` * Workspace Identity: `//iam.googleapis.com/locations/global/workspace/WORKSPACE_ID` It must be parent by the policy binding's parent (the organization).",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The principal set determines which identities are affected by the policy binding.",
 "compliant": null,
 "non-compliant": null,
 "parent": "target"
@@ -25,8 +25,8 @@
 "policy": {
 "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Ensures only approved IAM policies are attached to organization policy bindings.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -34,8 +34,8 @@
 "organization": {
 "description": "The parent organization of the Policy Binding.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Using the correct organization ensures IAM policies are applied only to approved organizational resources.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -52,8 +52,8 @@
 "policy_binding_id": {
 "description": "The Policy Binding ID.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field identifies the policy binding resource but does not directly affect security enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -61,8 +61,8 @@
 "display_name": {
 "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used only for readability and identification purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -70,8 +70,8 @@
 "annotations": {
 "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "Annotations are metadata fields and do not directly affect IAM policy enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -79,17 +79,17 @@
 "policy_kind": {
 "description": "Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Restricting policy kind prevents misuse of incorrect IAM policy types and reduces privilege escalation risk.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
 },
 "condition": {
- "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).",
+ "description": "Represents a textual expression in the Common Expression Language (CEL) syntax.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Conditions control when and how access is granted, which directly affects IAM security enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null,
@@ -97,8 +97,8 @@
 "expression": {
 "description": "Textual representation of an expression in Common Expression Language syntax.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The expression defines the actual access restriction logic used by the IAM condition.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -106,8 +106,8 @@
 "title": {
 "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "The title is used only for readability and documentation purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -115,8 +115,8 @@
 "description": {
 "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "The description provides documentation but does not affect policy behavior.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
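Review bot: The `condition` description is cut down to `Represents a textual expression in the Common Expression Language (CEL) syntax.`, dropping the `Structure is [documented below](#nested_condition).` pointer, while iam_folders_policy_binding.json earlier in this patch keeps the full text for the same field; the two files should agree, and the nested-structure link is the part a reader actually needs. Separately, the `policy_kind` rationale asserts it `reduces privilege escalation risk`, which nothing in the description supports — the field only chooses between PRINCIPAL_ACCESS_BOUNDARY and ACCESS and is auto-filled when left empty. I'd state just that: `Selects which kind of policy the binding attaches; an empty value is auto-set from the referenced policy, so set it explicitly where the binding's intent must be reviewable.`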
@@ -124,8 +124,8 @@
 "location": {
 "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used for debugging and error tracking only.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json
index 799381242..fa80604b3 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_principal_access_boundary_policy.json
@@ -23,8 +23,8 @@
 "principal_access_boundary_policy_id": {
 "description": "The ID to use to create the principal access boundary policy. This value must start with a lowercase letter followed by up to 62 lowercase letters, numbers, hyphens, or dots. Pattern, /a-z{2,62}/.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field uniquely identifies the principal access boundary policy resource.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -32,8 +32,8 @@
 "display_name": {
 "description": "The description of the principal access boundary policy. Must be less than or equal to 63 characters.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used only for readability and identification purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -41,8 +41,8 @@
 "annotations": {
 "description": "User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "Annotations are metadata fields and do not directly affect IAM policy enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -50,8 +50,8 @@
 "details": {
 "description": "Principal access boundary policy details Structure is [documented below](#nested_details).",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The details section defines how the principal access boundary policy is enforced.",
 "compliant": null,
 "non-compliant": null,
 "parent": null,
@@ -59,8 +59,8 @@
 "rules": {
 "description": "A list of principal access boundary policy rules. The number of rules in a policy is limited to 500. Structure is [documented below](#nested_details_rules).",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Rules define which resources principals are allowed to access.",
 "compliant": null,
 "non-compliant": null,
 "parent": "details"
@@ -68,8 +68,8 @@
 "enforcement_version": {
 "description": "The version number that indicates which Google Cloud services are included in the enforcement (e.g. \\\"latest\\\", \\\"1\\\", ...). If empty, the PAB policy version will be set to the current latest version, and this version won't get updated when new versions are released.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The enforcement version controls which services are covered by the security policy enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": "details"
@@ -79,8 +79,8 @@
 "rules": {
 "description": "",
 "required": null,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Rules define the allowed access boundaries for principals.",
 "compliant": null,
 "non-compliant": null,
 "parent": null,
@@ -88,8 +88,8 @@
 "description": {
 "description": "The description of the principal access boundary policy rule. Must be less than or equal to 256 characters.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used only for documentation and readability purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": "rules"
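Review bot: The new rationale for `enforcement_version` omits the one behaviour in its own description that has a security consequence: when the field is empty the version is set to the current latest at creation time and "won't get updated when new versions are released", so services added to later enforcement versions are not covered by the boundary until someone changes the field. That is exactly what the compliant/non-compliant guidance for this field needs to say, and the rationale should carry it, e.g. `"rationale": "Controls which Google Cloud services enforce the boundary; if left empty the version is pinned at creation time, so services added in later versions are not covered until the field is updated."`. Separately, the second `rules` entry in the `@@ -79,8 +79,8 @@` hunk is given `"security_impact": true` while its `"description"` is still the empty string and `"required"` is null; a pointer such as `"description": "Nested rule structure; see the rules field under details."` would stop the catalog from presenting a security-relevant field with no description.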
@@ -97,8 +97,8 @@
 "resources": {
 "description": "A list of Cloud Resource Manager resources. The resource and all the descendants are included. The number of resources in a policy is limited to 500 across all rules. The following resource types are supported: * Organizations, such as `//cloudresourcemanager.googleapis.com/organizations/123`. * Folders, such as `//cloudresourcemanager.googleapis.com/folders/123`. * Projects, such as `//cloudresourcemanager.googleapis.com/projects/123` or `//cloudresourcemanager.googleapis.com/projects/my-project-id`.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Resources define which cloud resources are included within the access boundary policy scope.",
 "compliant": null,
 "non-compliant": null,
 "parent": "rules"
@@ -106,8 +106,8 @@
 "effect": {
 "description": "The access relationship of principals to the resources in this rule. Possible values: ALLOW",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The effect determines whether access to resources is permitted under the policy rule.",
 "compliant": null,
 "non-compliant": null,
 "parent": "rules"
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
index ed22726f5..4a44c7517 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_projects_policy_binding.json
@@ -25,8 +25,8 @@
 "policy": {
 "description": "Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project).",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Ensures only approved IAM policies are attached to project policy bindings.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
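Review bot: The rationale for `effect` ("determines whether access to resources is permitted") contradicts the field's own description, which lists `ALLOW` as the only possible value: the field cannot express a deny, so it never decides on its own whether access is permitted. In a principal access boundary rule the restriction comes from the `resources` list in the same hunk (the resource and all its descendants are included; anything not listed is outside the boundary), and the rationale should say so rather than implying a choice that does not exist, e.g. `"rationale": "Only ALLOW is supported, so this field does not restrict access by itself; the effective boundary is determined by the resources listed in the rule."`. It is also worth reconsidering whether `effect` should stay `true` at all, or whether the security weight belongs on `resources` alone.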
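Review bot: The rationale for `policy` in the `@@ -25,8 +25,8 @@` hunk of iam_projects_policy_binding.json overstates what the field does: "Ensures only approved IAM policies are attached" describes a control that nothing in this field provides — it is just the resource name of the policy being bound, and the only constraint in the description is that binding parent and policy belong to the same organization or project. A rationale that reflects the actual risk would be `"rationale": "Selects which policy is enforced on the project; binding the wrong or an overly broad policy changes what the bound principals may access."`. The "approved policies" requirement, if it is a catalog rule, belongs in the compliant/non-compliant guidance, which is still null here.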
@@ -45,8 +45,8 @@
 "policy_binding_id": {
 "description": "The Policy Binding ID.",
 "required": true,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field uniquely identifies the policy binding resource but does not directly affect security enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -54,8 +54,8 @@
 "display_name": {
 "description": "Optional. The description of the policy binding. Must be less than or equal to 63 characters.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used only for readability and identification purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -63,8 +63,8 @@
 "annotations": {
 "description": "Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "Annotations are metadata fields and do not directly affect IAM policy enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
@@ -82,10 +82,10 @@
 "parent": null
 },
 "condition": {
- "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \\\"Summary size limit\\\" description: \\\"Determines if a summary is less than 100 chars\\\" expression: \\\"document.summary.size() < 100\\\" Example (Equality): title: \\\"Requestor is owner\\\" description: \\\"Determines if requestor is the document owner\\\" expression: \\\"document.owner == request.auth.claims.email\\\" Example (Logic): title: \\\"Public documents\\\" description: \\\"Determine whether the document should be publicly visible\\\" expression: \\\"document.type != 'private' && document.type != 'internal'\\\" Example (Data Manipulation): title: \\\"Notification string\\\" description: \\\"Create a notification string with a timestamp.\\\" expression: \\\"'New message received at ' + string(document.create_time)\\\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition).",
+ "description": "Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "Conditions control when and how access is granted, which directly affects IAM security enforcement.",
 "compliant": null,
 "non-compliant": null,
 "parent": null,
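Review bot: The new rationale for `condition` describes what a condition does when present but says nothing about the field being optional (`"required": false` is context in this hunk), which is the case a config reviewer will hit most often. Presumably a binding with no condition applies to its principals unconditionally — that should be confirmed against the provider documentation and then stated, e.g. `"rationale": "Conditions restrict when the bound policy applies; if omitted, the binding is presumed to apply unconditionally, so a missing condition widens the effective grant."`. Without that sentence the `true` classification gives no guidance on the omitted-field case, which is also what the still-null compliant/non-compliant entries would need to cover.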
@@ -93,8 +93,8 @@
 "expression": {
 "description": "Textual representation of an expression in Common Expression Language syntax.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The expression defines the actual access restriction logic used by the IAM condition.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -102,8 +102,8 @@
 "title": {
 "description": "Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "The title is used only for readability and documentation purposes.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -111,8 +111,8 @@
 "description": {
 "description": "Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "The description provides documentation but does not affect policy behavior.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -120,8 +120,8 @@
 "location": {
 "description": "Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.",
 "required": false,
- "security_impact": null,
- "rationale": null,
+ "security_impact": false,
+ "rationale": "This field is used for debugging and error tracking only.",
 "compliant": null,
 "non-compliant": null,
 "parent": "condition"
@@ -131,8 +131,8 @@
 "project": {
 "description": "If it is not provided, the provider project is used.",
 "required": null,
- "security_impact": null,
- "rationale": null,
+ "security_impact": true,
+ "rationale": "The project determines where the policy binding is created and which resources are affected.",
 "compliant": null,
 "non-compliant": null,
 "parent": null
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool.json b/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool.json
index 0503c916d..16db768a2 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_workforce_pool",
+ "resource_name": "iam_workforce_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "parent": {
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_iam.json b/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_iam.json
index 78eff4955..ee84e6edb 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_iam.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_iam.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_workforce_pool_iam",
+ "resource_name": "iam_workforce_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "location": {
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_provider.json b/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_provider.json
index c9a962f2a..e05cc1524 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_provider.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_provider.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_workforce_pool_provider",
+ "resource_name": "iam_workforce_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "location": {
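Review bot: The rationale for `project` in the `@@ -131,8 +131,8 @@` hunk misses the behaviour its own description gives: when the field is not provided, the provider project is used, so the binding's scope is decided by provider configuration rather than by the resource block, and `"required": null` (context) leaves it unclear whether the catalog treats the field as optional. For a field rated `true`, that silent default is the point a reviewer needs, e.g. `"rationale": "Determines which project the binding is created in; if omitted, the provider's project is used, so the effective scope depends on provider configuration rather than on the resource block."`. Resolving `required` to `false` at the same time would match the description.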
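Review bot: Appending " - WILL NOT BE COMPLETED IN ONE TRIMESTER" to the `resource_name` value in iam_workforce_pool.json turns an identifier that matches the file's stem into free text, so anything that keys on `resource_name` (indexes, cross-references from the sibling .md files, generators) will stop matching this resource; the same edit is made to iam_workforce_pool_iam and iam_workforce_pool_provider in this hunk line and to iam_workforce_pool_provider_key, iam_workload_identity_pool, iam_workload_identity_pool_iam, iam_workload_identity_pool_managed_identity, iam_workload_identity_pool_namespace and iam_workload_identity_pool_provider in the following hunks. Keep `"resource_name": "iam_workforce_pool"` unchanged and record the planning status in a separate field — for example a constructed `"status": "deferred"` entry alongside `subcategory` — so the data stays machine-readable and the note is still visible. If the project already has a convention for marking incomplete resources, use that instead of the inline suffix.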
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_provider_key.json b/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_provider_key.json
index 407a876ba..bbdc298dc 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_provider_key.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_workforce_pool_provider_key.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_workforce_pool_provider_key",
+ "resource_name": "iam_workforce_pool_provider_key - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "key_data": {
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool.json b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool.json
index 72c0f0e8b..3759d8c74 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_workload_identity_pool",
+ "resource_name": "iam_workload_identity_pool - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "workload_identity_pool_id": {
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_iam.json b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_iam.json
index 0ceec510a..d7757dfb9 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_iam.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_iam.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_workload_identity_pool_iam",
+ "resource_name": "iam_workload_identity_pool_iam - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "workload_identity_pool_id": {
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_managed_identity.json b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_managed_identity.json
index 82c1d2806..40b020245 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_managed_identity.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_managed_identity.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_workload_identity_pool_managed_identity",
+ "resource_name": "iam_workload_identity_pool_managed_identity - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "workload_identity_pool_id": {
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_namespace.json b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_namespace.json
index 26df12ab5..03b38097b 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_namespace.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_namespace.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_workload_identity_pool_namespace",
+ "resource_name": "iam_workload_identity_pool_namespace - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "workload_identity_pool_id": {
diff --git a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_provider.json b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_provider.json
index a3964cf10..7598ecb3a 100644
--- a/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_provider.json
+++ b/docs/gcp/Cloud_IAM/resource_json/iam_workload_identity_pool_provider.json
@@ -1,5 +1,5 @@
 {
- "resource_name": "iam_workload_identity_pool_provider",
+ "resource_name": "iam_workload_identity_pool_provider - WILL NOT BE COMPLETED IN ONE TRIMESTER",
 "subcategory": "Cloud IAM",
 "arguments": {
 "workload_identity_pool_id": {