Changes from 100 commits
102 commits
8fffdb8
Cloud IAM clean implementation
224774388deakin Apr 28, 2026
e1be53b
Cloud IAM clean implementation
224774388deakin Apr 28, 2026
694bf45
Cloud IAM
224774388deakin Apr 28, 2026
b857faf
Cloud IAM
224774388deakin Apr 28, 2026
4b66dc7
Cloud IAM
224774388deakin Apr 28, 2026
f6df04a
Cloud IAM
224774388deakin Apr 28, 2026
9c94aaf
Cloud IAM
224774388deakin Apr 28, 2026
b1ac2d6
Cloud IAM
224774388deakin Apr 30, 2026
a03af00
Cloud IAM
224774388deakin Apr 30, 2026
c759522
Cloud IAM
224774388deakin Apr 30, 2026
dc1eb22
Cloud IAM
224774388deakin Apr 30, 2026
30358bb
Cloud IAM
224774388deakin Apr 30, 2026
db7da0c
Cloud IAM
224774388deakin Apr 30, 2026
75c27af
Cloud IAM
224774388deakin Apr 30, 2026
54462f0
Cloud IAM
224774388deakin Apr 30, 2026
0ebd472
Cloud IAM
224774388deakin May 2, 2026
c8b2e02
Cloud IAM
224774388deakin May 2, 2026
995beb1
Cloud IAM
224774388deakin May 2, 2026
6f710b8
Cloud IAM
224774388deakin May 2, 2026
7ce58f5
Cloud IAM
224774388deakin May 2, 2026
e2e31c5
Merge branch 'dev' into gcp/service/Cloud_IAM
224774388deakin May 2, 2026
ca784ed
Cloud IAM
224774388deakin May 2, 2026
78d6eb7
Cloud IAM
224774388deakin May 2, 2026
cbc6835
fix folder policy validation
224774388deakin May 2, 2026
f7ab7f7
fix folder policy validation
224774388deakin May 2, 2026
6fcc19e
Cloud IAM
224774388deakin May 2, 2026
53b50f1
Cloud IAM
224774388deakin May 2, 2026
ce0f0ab
Cloud IAM
224774388deakin May 2, 2026
5d63843
Cloud IAM
224774388deakin May 2, 2026
cf1922b
Cloud IAM
224774388deakin May 2, 2026
0a84bd5
fix folder policy validation
224774388deakin May 2, 2026
c746288
fix folder policy validation
224774388deakin May 2, 2026
d5f36ef
fix folder policy validation
224774388deakin May 2, 2026
21ab590
fix folder policy validation
224774388deakin May 2, 2026
ec11752
fix folder policy validation
224774388deakin May 2, 2026
2271654
fix folder policy validation
224774388deakin May 2, 2026
52184b0
fix folder policy validation
224774388deakin May 2, 2026
3cedd81
fix folder policy validation
224774388deakin May 2, 2026
768cdb8
fix folder policy validation
224774388deakin May 2, 2026
13498e1
fix folder policy validation
224774388deakin May 2, 2026
92edd8b
fix folder policy validation
224774388deakin May 2, 2026
39ae304
fix folder policy validation
224774388deakin May 2, 2026
7b6f9b6
fix folder policy validation
224774388deakin May 2, 2026
796f2fe
fix folder policy validation
224774388deakin May 2, 2026
c649b18
fix folder policy validation
224774388deakin May 2, 2026
f2d2d5d
fix folder policy validation
224774388deakin May 3, 2026
ba72612
fix folder policy validation
224774388deakin May 3, 2026
31c084a
fix folder policy validation
224774388deakin May 3, 2026
8e0d8c6
fix folder policy validation
224774388deakin May 3, 2026
924aacd
fix folder policy validation
224774388deakin May 3, 2026
ca7b976
fix folder policy validation
224774388deakin May 3, 2026
1983efa
fix folder policy validation
224774388deakin May 3, 2026
11e8964
fix folder policy validation
224774388deakin May 3, 2026
a614045
fix folder policy validation
224774388deakin May 3, 2026
1298f50
fix folder policy validation
224774388deakin May 3, 2026
eb21974
fix folder policy validation
224774388deakin May 3, 2026
d07fabb
fix folder policy validation
224774388deakin May 3, 2026
692b904
fix folder policy validation
224774388deakin May 3, 2026
4ce93ba
fix folder policy validation
224774388deakin May 3, 2026
c15d4df
fix folder policy validation
224774388deakin May 3, 2026
1e0cf59
fix folder policy validation
224774388deakin May 3, 2026
b1d1aa0
fix folder policy validation
224774388deakin May 3, 2026
c2cc53a
fix folder policy validation
224774388deakin May 3, 2026
d94b789
fix folder policy validation
224774388deakin May 3, 2026
c746918
fix folder policy validation
224774388deakin May 3, 2026
51c2393
fix folder policy validation
224774388deakin May 3, 2026
e9613d9
fix folder policy validation
224774388deakin May 3, 2026
14f4add
fix folder policy validation
224774388deakin May 3, 2026
cb07990
fix folder policy validation
224774388deakin May 3, 2026
9f42288
fix folder policy validation
224774388deakin May 3, 2026
65ce4f6
fix folder policy validation
224774388deakin May 3, 2026
6fa870a
fix folder policy validation
224774388deakin May 3, 2026
4d81f4a
fix folder policy validation
224774388deakin May 3, 2026
109adab
fix folder policy validation
224774388deakin May 3, 2026
fc6786a
fix folder policy validation
224774388deakin May 3, 2026
ce6c59b
fix folder policy validation
224774388deakin May 3, 2026
54a6f64
fix folder policy
224774388deakin May 3, 2026
c9be9f9
fix folder policy
224774388deakin May 3, 2026
876ffa3
fix folder policy
224774388deakin May 3, 2026
e3a4389
Merge branch 'dev' into gcp/service/Cloud_IAM
224774388deakin May 9, 2026
1202b1d
Merge branch 'dev' into gcp/service/Cloud_IAM
Shani1116 May 11, 2026
84c5ed5
fix folder policy
224774388deakin May 17, 2026
22849c9
fix folder policy
224774388deakin May 17, 2026
81028d7
fix folder policy
224774388deakin May 17, 2026
0185f7c
fix folder policy
224774388deakin May 17, 2026
02d35de
fix folder policy
224774388deakin May 17, 2026
6241988
fix folder policy
224774388deakin May 17, 2026
2348e61
Merge branch 'dev' into gcp/service/Cloud_IAM
224774388deakin May 17, 2026
bad6194
fix folder policy
224774388deakin May 17, 2026
44af9b2
fix folder policy
224774388deakin May 17, 2026
5c2ebd2
Merge branch 'dev' into gcp/service/Cloud_IAM
224774388deakin May 17, 2026
373a7d0
fix Json files
224774388deakin May 20, 2026
362e46f
Merge branch 'dev' into gcp/service/Cloud_IAM
224774388deakin May 20, 2026
e67cd69
fix Json files
224774388deakin May 20, 2026
c6a6209
fix Json files
224774388deakin May 20, 2026
f24c19a
fix Json files
224774388deakin May 20, 2026
18294e8
fix Json files
224774388deakin May 20, 2026
09ccc1f
fix folder policy
224774388deakin May 21, 2026
4f6eff5
fix folder policy
224774388deakin May 21, 2026
158343f
fix folder policy
224774388deakin May 21, 2026
b2b0f78
fix folder policy
224774388deakin May 24, 2026
380cc88
Merge branch 'dev' into gcp/service/Cloud_IAM
224774388deakin May 24, 2026
42 changes: 42 additions & 0 deletions docs/gcp/Cloud_IAM/iam_access_boundary_policy.md
@@ -0,0 +1,42 @@
## 🛡️ Policy Deployment Engine: `iam_access_boundary_policy`

This section provides a concise policy evaluation for the `iam_access_boundary_policy` resource in GCP.

Reference: [Terraform Registry – iam_access_boundary_policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_access_boundary_policy)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `name` | The name of the policy. | true | false | None | None | None |
| `parent` | The attachment point is identified by its URL-encoded full resource name. | true | false | None | None | None |
| `rules` | Rules to be applied. Structure is [documented below](#nested_rules). | true | false | None | None | None |
| `display_name` | The display name of the rule. | false | false | None | None | None |
| `access_boundary_rule` | | false | false | None | None | None |
| `availability_condition` | | false | false | None | None | None |

### rules Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `description` | The description of the rule. | false | false | None | None | None |
| `access_boundary_rule` | An access boundary rule in an IAM policy. Structure is [documented below](#nested_rules_rules_access_boundary_rule). | false | false | None | None | None |

### access_boundary_rule Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `available_resource` | The full resource name of a Google Cloud resource entity. | false | false | None | None | None |
| `available_permissions` | A list of permissions that may be allowed for use on the specified resource. | false | false | None | None | None |
| `availability_condition` | The availability condition further constrains the access allowed by the access boundary rule. Structure is [documented below](#nested_rules_rules_access_boundary_rule_availability_condition). | false | false | None | None | None |

### availability_condition Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `expression` | Textual representation of an expression in Common Expression Language syntax. | true | false | None | None | None |
| `title` | Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None |
| `description` | Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None |
| `location` | String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None |
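Review bot: the top-level Argument Reference table lists `access_boundary_rule` and `availability_condition` with empty Description cells even though both are nested blocks that the `rules` and `access_boundary_rule` sub-tables below already document; drop those two rows from the top-level table (or fill their descriptions and link them to the nested sections) so the table does not present them as top-level arguments. Every row in this file is also marked Security Impact false with a `None` rationale, yet `available_resource` and `available_permissions` are the fields that decide how wide the boundary is; giving them a rationale with Compliant and Non-Compliant examples, in the same style as the `policy` and `location` rows of `iam_folders_policy_binding.md` in this PR, would let the evaluation engine check something for this resource rather than nothing.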
44 changes: 44 additions & 0 deletions docs/gcp/Cloud_IAM/iam_deny_policy.md
@@ -0,0 +1,44 @@
## 🛡️ Policy Deployment Engine: `iam_deny_policy`

This section provides a concise policy evaluation for the `iam_deny_policy` resource in GCP.

Reference: [Terraform Registry – iam_deny_policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_deny_policy)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `name` | The name of the policy. | true | false | None | None | None |
| `parent` | The attachment point is identified by its URL-encoded full resource name. | true | false | None | None | None |
| `rules` | Rules to be applied. Structure is [documented below](#nested_rules). | true | false | None | None | None |
| `display_name` | The display name of the rule. | false | false | None | None | None |
| `deny_rule` | | false | false | None | None | None |
| `denial_condition` | | false | false | None | None | None |

### rules Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `description` | The description of the rule. | false | false | None | None | None |
| `deny_rule` | A deny rule in an IAM deny policy. Structure is [documented below](#nested_rules_rules_deny_rule). | false | false | None | None | None |

### deny_rule Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `denied_principals` | The identities that are prevented from using one or more permissions on Google Cloud resources. | false | false | None | None | None |
| `exception_principals` | The identities that are excluded from the deny rule, even if they are listed in the deniedPrincipals. For example, you could add a Google group to the deniedPrincipals, then exclude specific users who belong to that group. | false | false | None | None | None |
| `denied_permissions` | The permissions that are explicitly denied by this rule. Each permission uses the format `{service-fqdn}/{resource}.{verb}`, where `{service-fqdn}` is the fully qualified domain name for the service. For example, `iam.googleapis.com/roles.list`. | false | false | None | None | None |
| `exception_permissions` | Specifies the permissions that this rule excludes from the set of denied permissions given by deniedPermissions. If a permission appears in deniedPermissions and in exceptionPermissions then it will not be denied. The excluded permissions can be specified using the same syntax as deniedPermissions. | false | false | None | None | None |
| `denial_condition` | User defined CEVAL expression. A CEVAL expression is used to specify match criteria such as origin.ip, source.region_code and contents in the request header. Structure is [documented below](#nested_rules_rules_deny_rule_denial_condition). | false | false | None | None | None |

### denial_condition Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `expression` | Textual representation of an expression in Common Expression Language syntax. | true | false | None | None | None |
| `title` | Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None |
| `description` | Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None |
| `location` | String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None |
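Review bot: as in the access boundary file, `deny_rule` and `denial_condition` appear in the top-level Argument Reference table with empty Description cells while being nested blocks documented in the sub-tables below; remove them from the top-level table or describe and link them. Every row is marked Security Impact false, yet `exception_principals` and `exception_permissions` are the two fields that carve exceptions out of the deny rule and therefore weaken it (the `exception_principals` description itself gives the group-minus-specific-users pattern); a rationale with a narrow named exception as the Compliant example and a broad group or wildcard as the Non-Compliant one would match the convention used in the other files of this PR.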
36 changes: 36 additions & 0 deletions docs/gcp/Cloud_IAM/iam_folders_policy_binding.md
@@ -0,0 +1,36 @@
## 🛡️ Policy Deployment Engine: `iam_folders_policy_binding`

This section provides a concise policy evaluation for the `iam_folders_policy_binding` resource in GCP.

Reference: [Terraform Registry – iam_folders_policy_binding](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_folders_policy_binding)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `target` | Target is the full resource name of the resource to which the policy will be bound. Immutable once set. Structure is [documented below](#nested_target). | true | false | None | None | None |
| `policy` | Required. Immutable. The resource name of the policy to be bound. The binding parent and policy must belong to the same Organization (or Project). | true | true | Ensures only approved organization-level IAM policies are attached to folder bindings. | organizations/123456789/locations/australia-southeast2/principalAccessBoundaryPolicies/pde-policy-1 | organizations/999999999/locations/australia-southeast2/principalAccessBoundaryPolicies/unknown-policy |
| `folder` | The parent folder for the PolicyBinding. | true | false | None | None | None |
| `location` | The location of the PolicyBinding. | true | true | IAM folder policy bindings must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | australia-southeast2 | global |
| `policy_binding_id` | The Policy Binding ID. | true | false | None | None | None |
| `display_name` | Optional. The description of the policy binding. Must be less than or equal to 63 characters. | false | false | None | None | None |
| `annotations` | Optional. User defined annotations. See https://google.aip.dev/148#annotations for more details such as format and size limitations **Note**: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource. | false | false | None | None | None |
| `policy_kind` | Immutable. The kind of the policy to attach in this binding. This field must be one of the following: - Left empty (will be automatically set to the policy kind) - The input policy kind Possible values: POLICY_KIND_UNSPECIFIED PRINCIPAL_ACCESS_BOUNDARY ACCESS | false | true | Restricting policy kind prevents misuse of non-boundary IAM policies and reduces privilege escalation risk. | PRINCIPAL_ACCESS_BOUNDARY | ACCESS |
| `condition` | Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: \"Summary size limit\" description: \"Determines if a summary is less than 100 chars\" expression: \"document.summary.size() < 100\" Example (Equality): title: \"Requestor is owner\" description: \"Determines if requestor is the document owner\" expression: \"document.owner == request.auth.claims.email\" Example (Logic): title: \"Public documents\" description: \"Determine whether the document should be publicly visible\" expression: \"document.type != 'private' && document.type != 'internal'\" Example (Data Manipulation): title: \"Notification string\" description: \"Create a notification string with a timestamp.\" expression: \"'New message received at ' + string(document.create_time)\" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information. Structure is [documented below](#nested_condition). | false | false | None | None | None |

### target Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `principal_set` | Required. Immutable. Full Resource Name of the principal set used for principal access boundary policy bindings. Examples for each one of the following supported principal set types: * Folder: `//cloudresourcemanager.googleapis.com/folders/FOLDER_ID` It must be parent by the policy binding's parent (the folder). | false | false | None | None | None |

### condition Block

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `expression` | Textual representation of an expression in Common Expression Language syntax. | false | false | None | None | None |
| `title` | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | false | false | None | None | None |
| `description` | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | false | false | None | None | None |
| `location` | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | false | false | None | None | None |
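Review bot: `principal_set` in the target block is described as "Required. Immutable." but its Required column says false; one of the two must change, and since the description text is copied from the upstream reference the column is the likely error. The `condition` row carries literal `\"` escapes around the example titles and expressions (`title: \"Summary size limit\"` and so on), which render as stray backslashes in Markdown; unescape them or move the four examples out of the table cell into a fenced block beneath it. The `location` row accepts only `australia-southeast2`, while `iam_oauth_client.md` in the same PR accepts both `australia-southeast1` and `australia-southeast2`; if the residency rule is meant to be uniform across Cloud IAM resources, align the two lists.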
22 changes: 22 additions & 0 deletions docs/gcp/Cloud_IAM/iam_oauth_client.md
@@ -0,0 +1,22 @@
## 🛡️ Policy Deployment Engine: `iam_oauth_client`

This section provides a concise policy evaluation for the `iam_oauth_client` resource in GCP.

Reference: [Terraform Registry – iam_oauth_client](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_oauth_client)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `allowed_scopes` | Required. The list of scopes that the OauthClient is allowed to request during OAuth flows. The following scopes are supported: * `https://www.googleapis.com/auth/cloud-platform`: See, edit, configure, and delete your Google Cloud data and see the email address for your Google Account. * `openid`: The OAuth client can associate you with your personal information on Google Cloud. * `email`: The OAuth client can read a federated identity's email address. * `groups`: The OAuth client can read a federated identity's groups. | true | true | OAuth clients must only request approved least-privilege scopes and must not use overly broad scopes such as cloud-platform to reduce excessive access risks. | ['openid', 'email', 'groups'] | ['https://www.googleapis.com/auth/cloud-platform'] |
| `allowed_grant_types` | Required. The list of OAuth grant types is allowed for the OauthClient. | true | false | None | None | None |
| `allowed_redirect_uris` | Required. The list of redirect uris that is allowed to redirect back when authorization process is completed. | true | false | None | None | None |
| `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | OAuth clients must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | ['australia-southeast1', 'australia-southeast2'] | global |
| `oauth_client_id` | Required. The ID to use for the OauthClient, which becomes the final component of the resource name. This value should be a string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None |
| `disabled` | Whether the OauthClient is disabled. You cannot use a disabled OAuth client. | false | false | None | None | None |
| `display_name` | A user-specified display name of the OauthClient. Cannot exceed 32 characters. | false | false | None | None | None |
| `description` | A user-specified description of the OauthClient. Cannot exceed 256 characters. | false | false | None | None | None |
| `client_type` | Immutable. The type of OauthClient. Either public or private. For private clients, the client secret can be managed using the dedicated OauthClientCredential resource. Possible values: CLIENT_TYPE_UNSPECIFIED PUBLIC_CLIENT CONFIDENTIAL_CLIENT | false | true | Restricts OAuth clients to approved secure types only. | ['PUBLIC_CLIENT', 'CONFIDENTIAL_CLIENT'] | ['CLIENT_TYPE_UNSPECIFIED'] |
| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
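Review bot: the `client_type` rationale says "approved secure types only", but the Compliant list contains `PUBLIC_CLIENT` and the Non-Compliant value `CLIENT_TYPE_UNSPECIFIED` is just the unset default, so as written the check accepts every real client type; either state which risk the row is meant to address or tighten it to `CONFIDENTIAL_CLIENT`, the type for which the description says a client secret is managed. `allowed_grant_types` and `allowed_redirect_uris` are marked Security Impact false with `None` rationale even though they are the two settings that bound where an authorization response may be sent and which flows a client may use; a rationale requiring exact HTTPS redirect URIs and only the grant types actually needed, with Compliant and Non-Compliant examples in the file's existing pattern, would make the policy cover the OAuth settings that matter most.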
18 changes: 18 additions & 0 deletions docs/gcp/Cloud_IAM/iam_oauth_client_credential.md
@@ -0,0 +1,18 @@
## 🛡️ Policy Deployment Engine: `iam_oauth_client_credential`

This section provides a concise policy evaluation for the `iam_oauth_client_credential` resource in GCP.

Reference: [Terraform Registry – iam_oauth_client_credential](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_oauth_client_credential)

---

## Argument Reference

| Argument | Description | Required | Security Impact | Rationale | Compliant | Non-Compliant |
|----------|-------------|----------|-----------------|-----------|-----------|---------------|
| `location` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | true | OAuth client credentials must be deployed only in approved Australian regions to meet organizational residency and compliance requirements. | australia-southeast2 | global |
| `oauthclient` | Resource ID segment making up resource `name`. It identifies the resource within its parent collection as described in https://google.aip.dev/122. | true | false | None | None | None |
| `oauth_client_credential_id` | Required. The ID to use for the OauthClientCredential, which becomes the final component of the resource name. This value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix `gcp-` is reserved for use by Google, and may not be specified. | true | false | None | None | None |
| `disabled` | Whether the OauthClientCredential is disabled. You cannot use a disabled OauthClientCredential. | false | false | None | None | None |
| `display_name` | A user-specified display name of the OauthClientCredential. Cannot exceed 32 characters. | false | false | None | None | None |
| `project` | If it is not provided, the provider project is used. | false | false | None | None | None |
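Review bot: the `location` row accepts only `australia-southeast2`, but `iam_oauth_client.md` in this PR also accepts `australia-southeast1`; a credential is created under its parent `oauthclient`, so a client the client policy allows in `australia-southeast1` would have its credential flagged as non-compliant here. Align the two lists or document why the credential rule is stricter. `disabled` is marked Security Impact false, yet for a credential it is the switch that revokes the secret; a short rationale noting that retired credentials should have `disabled = true` rather than being left active would be a useful addition. Separately, the `oauthclient` row reuses the `location` description verbatim ("Resource ID segment making up resource `name`..."), which tells the reader nothing about what value is expected; naming the parent OAuth client ID it refers to would help.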