
Gcp/service/access context manager#358

Open
Saul154575 wants to merge 18 commits into dev from gcp/service/access_context_manager

Conversation


@Saul154575 Saul154575 commented May 2, 2026

Implemented policies for the following resources:

- google_access_context_manager_access_level
- google_access_context_manager_access_level_condition
- google_access_context_manager_access_levels
- google_access_context_manager_ingress_policy
- google_access_context_manager_service_perimeter
- google_access_context_manager_service_perimeter_dry_run_resource
- google_access_context_manager_service_perimeter_resource

Each policy includes:

- policy.rego & vars.rego
- Compliant (c.tf) and non-compliant (nc.tf) test cases


github-actions Bot commented May 2, 2026

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: c, nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Check failed: Resources in output other than 'nc' found: c

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: c, nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Check failed: Resources in output other than 'nc' found: c

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ❌
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ❌
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_access_level_condition | Policy: required_access_levels
Resources in output other than 'nc' found: c

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_access_levels | Policy: required_access_levels
Resources in output other than 'nc' found: c



github-actions Bot commented May 3, 2026

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: c, nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Check failed: Resources in output other than 'nc' found: c

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ❌
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_access_levels | Policy: required_access_levels
Resources in output other than 'nc' found: c


@github-actions

github-actions Bot commented May 3, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅


Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅


@Saul154575 Saul154575 changed the title Gcp/service/access context manager(15 policies for access context manager(VPC)) Gcp/service/access context manager (VPC) May 5, 2026
@Saul154575 Saul154575 changed the title Gcp/service/access context manager (VPC) Gcp/service/access context manager May 11, 2026
@Saul154575 Saul154575 changed the title Gcp/service/access context manager Gcp/service/access context manager May 11, 2026
@github-actions

🔍 Documentation Check Failed

Status: ❌ CHECKS FAILED

⚠️ Your PR does not include documentation updates:

❌ No documentation changes found - please update docs for your assigned service

Please add or update documentation in the docs/gcp/ folder for your changes before this PR can be reviewed.

@github-actions github-actions Bot added the CI-Review-Required PR requires review due to failed CI checks label May 11, 2026
@Saul154575 Saul154575 force-pushed the gcp/service/access_context_manager branch from 1074ae7 to c6508c2 May 11, 2026 09:31
@github-actions

🔍 Documentation Check Failed

Status: ❌ CHECKS FAILED

⚠️ Your PR does not include documentation updates:

❌ No documentation changes found - please update docs for your assigned service

Please add or update documentation in the docs/gcp/ folder for your changes before this PR can be reviewed.

@github-actions

🔍 Documentation Check Failed

Status: ❌ CHECKS FAILED

⚠️ Your PR does not include documentation updates:

❌ No documentation changes found - please update docs for your assigned service

Please add or update documentation in the docs/gcp/ folder for your changes before this PR can be reviewed.

@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: c, nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Check failed: Resources in output other than 'nc' found: c

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: c, nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Check failed: Resources in output other than 'nc' found: c

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ❌
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ❌
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_access_level_condition | Policy: required_access_levels
Resources in output other than 'nc' found: c

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_access_levels | Policy: required_access_levels
Resources in output other than 'nc' found: c

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Could not find any resources!


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Could not find any resources!


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Could not find any resources!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Could not find any resources!


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Could not run OPA query!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Could not run OPA query!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Could not run OPA query!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Could not run OPA query!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Could not run OPA query!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Could not run OPA query!


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.resource.message
Total ingress_policy detected: 2 
['Situation 1: Ensure only whitelisted project resources are associated with the ingress policy.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.ingress_policy_name.message
Total ingress_policy detected: 2 
['Situation 1: Ensure the ingress policy is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update ingress_policy_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.resource.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as resources to the perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.perimeter_name.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure the resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.resource.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as dry-run resources.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.perimeter_name.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure the dry-run resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

❌ Command failed: terraform init -backend=false
--- stdout ---
::error::Terraform exited with code 1.

--- stderr ---
╷
│ Error: Terraform encountered problems during initialisation, including problems
│ with the configuration, described below.
│
│ The Terraform configuration must be valid before initialization so that
│ Terraform can determine which modules and providers need to be installed.
│
│
╵
╷
│ Error: Duplicate resource "google_access_context_manager_ingress_policy" configuration
│
│   on nc.tf line 1:
│    1: resource "google_access_context_manager_ingress_policy" "c" {
│
│ A google_access_context_manager_ingress_policy resource named "c" was
│ already declared at c.tf:1,1-60. Resource names must be unique per type in
│ each module.
╵

❌ Command failed: terraform init -backend=false
--- stdout ---
::error::Terraform exited with code 1.

--- stderr ---
╷
│ Error: Terraform encountered problems during initialisation, including problems
│ with the configuration, described below.
│
│ The Terraform configuration must be valid before initialization so that
│ Terraform can determine which modules and providers need to be installed.
│
│
╵
╷
│ Error: Duplicate resource "google_access_context_manager_ingress_policy" configuration
│
│   on nc.tf line 1:
│    1: resource "google_access_context_manager_ingress_policy" "c" {
│
│ A google_access_context_manager_ingress_policy resource named "c" was
│ already declared at c.tf:1,1-60. Resource names must be unique per type in
│ each module.
╵

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

❌ Command failed: terraform init -backend=false
--- stdout ---
::error::Terraform exited with code 1.

--- stderr ---
╷
│ Error: Terraform encountered problems during initialisation, including problems
│ with the configuration, described below.
│
│ The Terraform configuration must be valid before initialization so that
│ Terraform can determine which modules and providers need to be installed.
│
│
╵
╷
│ Error: Duplicate resource "google_access_context_manager_service_perimeter_resource" configuration
│
│   on nc.tf line 1:
│    1: resource "google_access_context_manager_service_perimeter_resource" "c" {
│
│ A google_access_context_manager_service_perimeter_resource resource named
│ "c" was already declared at c.tf:1,1-72. Resource names must be unique per
│ type in each module.
╵

❌ Command failed: terraform init -backend=false
--- stdout ---
::error::Terraform exited with code 1.

--- stderr ---
╷
│ Error: Terraform encountered problems during initialisation, including problems
│ with the configuration, described below.
│ 
│ The Terraform configuration must be valid before initialization so that
│ Terraform can determine which modules and providers need to be installed.
│ 
│ 
╵
╷
│ Error: Duplicate resource "google_access_context_manager_service_perimeter_resource" configuration
│ 
│   on nc.tf line 1:
│    1: resource "google_access_context_manager_service_perimeter_resource" "c" {
│ 
│ A google_access_context_manager_service_perimeter_resource resource named
│ "c" was already declared at c.tf:1,1-72. Resource names must be unique per
│ type in each module.
╵

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

❌ Command failed: terraform init -backend=false
--- stdout ---
::error::Terraform exited with code 1.

--- stderr ---
╷
│ Error: Terraform encountered problems during initialisation, including problems
│ with the configuration, described below.
│ 
│ The Terraform configuration must be valid before initialization so that
│ Terraform can determine which modules and providers need to be installed.
│ 
│ 
╵
╷
│ Error: Duplicate resource "google_access_context_manager_service_perimeter_dry_run_resource" configuration
│ 
│   on nc.tf line 1:
│    1: resource "google_access_context_manager_service_perimeter_dry_run_resource" "c" {
│ 
│ A google_access_context_manager_service_perimeter_dry_run_resource resource
│ named "c" was already declared at c.tf:1,1-80. Resource names must be
│ unique per type in each module.
╵

❌ Command failed: terraform init -backend=false
--- stdout ---
::error::Terraform exited with code 1.

--- stderr ---
╷
│ Error: Terraform encountered problems during initialisation, including problems
│ with the configuration, described below.
│ 
│ The Terraform configuration must be valid before initialization so that
│ Terraform can determine which modules and providers need to be installed.
│ 
│ 
╵
╷
│ Error: Duplicate resource "google_access_context_manager_service_perimeter_dry_run_resource" configuration
│ 
│   on nc.tf line 1:
│    1: resource "google_access_context_manager_service_perimeter_dry_run_resource" "c" {
│ 
│ A google_access_context_manager_service_perimeter_dry_run_resource resource
│ named "c" was already declared at c.tf:1,1-80. Resource names must be
│ unique per type in each module.
╵

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Terraform failed to compile!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Terraform failed to compile!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Terraform failed to compile!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Terraform failed to compile!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Terraform failed to compile!

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Terraform failed to compile!


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.resource.message
Total ingress_policy detected: 2 
['Situation 1: Ensure only whitelisted project resources are associated with the ingress policy.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.ingress_policy_name.message
Total ingress_policy detected: 2 
['Situation 1: Ensure the ingress policy is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update ingress_policy_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.resource.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as resources to the perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.perimeter_name.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure the resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.resource.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as dry-run resources.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.perimeter_name.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure the dry-run resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.resource.message
Total ingress_policy detected: 2 
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.ingress_policy_name.message
Total ingress_policy detected: 2 
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.resource.message
Total service_perimeter_resource detected: 2 
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.perimeter_name.message
Total service_perimeter_resource detected: 2 
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.resource.message
Total service_perimeter_dry_run_resource detected: 2 
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.perimeter_name.message
Total service_perimeter_dry_run_resource detected: 2 
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.resource.message
Total ingress_policy detected: 2 
['Situation 1: Ensure only whitelisted project resources are associated with the ingress policy.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.ingress_policy_name.message
Total ingress_policy detected: 2 
['Situation 1: Ensure the ingress policy is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update ingress_policy_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.resource.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as resources to the perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.perimeter_name.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure the resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.resource.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as dry-run resources.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.perimeter_name.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure the dry-run resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.resource.message
Total ingress_policy detected: 2 
['Situation 1: Ensure only whitelisted project resources are associated with the ingress policy.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.ingress_policy_name.message
Total ingress_policy detected: 2 
['Situation 1: Ensure the ingress policy is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update ingress_policy_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.resource.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as resources to the perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.perimeter_name.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure the resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.resource.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as dry-run resources.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.perimeter_name.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure the dry-run resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.resource.message
Total ingress_policy detected: 2 
['Situation 1: Ensure only whitelisted project resources are associated with the ingress policy.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.ingress_policy_name.message
Total ingress_policy detected: 2 
['Situation 1: Ensure the ingress policy is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update ingress_policy_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.resource.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as resources to the perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.perimeter_name.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure the resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.resource.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as dry-run resources.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/my_perimeter', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.perimeter_name.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure the dry-run resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: accessPolicies/123456/servicePerimeters/WRONG_PERIMETER', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ❌
    Policy: ingress_policy_name - ❌
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ❌
    Policy: perimeter_name - ❌


Failures:
Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_ingress_policy | Policy: ingress_policy_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_dry_run_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: resource
Unmentioned resources other than 'c' found: nc

Service: access_context_manager_vpc_service_controls | Resource: google_access_context_manager_service_perimeter_resource | Policy: perimeter_name
Unmentioned resources other than 'c' found: nc


@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.resource.message
Total ingress_policy detected: 2 
['Situation 1: Ensure only whitelisted project resources are associated with the ingress policy.', 'Non-Compliant Resources: nc', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_ingress_policy.ingress_policy_name.message
Total ingress_policy detected: 2 
['Situation 1: Ensure the ingress policy is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: nc', "Potential Remedies: Update ingress_policy_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_ingress_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.members.message
Total access_levels detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.allowed_device_management_levels.message
Total access_levels detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.region.message
Total access_levels detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.ip_subnetworks.message
Total access_levels detected: 2 
['Situation 1: A list of allowed IP subnetworks.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to allowed CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_screen_lock.message
Total access_levels detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.os_type.message
Total access_levels detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_corp_owned.message
Total access_levels detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.required_access_levels.message
Total access_levels detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.negate.message
Total access_levels detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.minimum_version.message
Total access_levels detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_levels.require_admin_approval.message
Total access_levels detected: 2 
['Situation 1: Whether administrator approval is required.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_levels): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.members.message
Total access_level_condition detected: 2 
['Situation 1: An allowed list of members.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update members to include authorized users only.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_device_management_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of allowed device management levels.', 'Non-Compliant Resources: nc', "Potential Remedies: Update allowed_device_management_levels to ['COMPLETE']."]
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.region.message
Total access_level_condition detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.ip_subnetworks.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition restricts IP subnetworks and does not allow full internet access (0.0.0.0/0).', 'Non-Compliant Resources: nc', 'Potential Remedies: Update ip_subnetworks to only include specific and trusted CIDR blocks.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_screen_lock.message
Total access_level_condition detected: 2 
['Situation 1: EWhether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_screen_lock to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.os_type.message
Total access_level_condition detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_corp_owned.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.required_access_levels.message
Total access_level_condition detected: 2 
['Situation 1: A list of required access levels.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update required_access_levels to match authorized base levels.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.negate.message
Total access_level_condition detected: 2 
['Situation 1: Whether to negate the Condition.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update negate to false.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.minimum_version.message
Total access_level_condition detected: 2 
['Situation 1: The minimum allowed OS version constraint.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update minimum_version to 10.0.0.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.require_admin_approval.message
Total access_level_condition detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to true.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level_condition.allowed_encryption_statuses.message
Total access_level_condition detected: 2 
['Situation 1: Ensure Access Context Manager level condition requires device encryption.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to explicitly include only ENCRYPTED.']
Unique resource names in plan (google_access_context_manager_access_level_condition): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.resource.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as resources to the perimeter.', 'Non-Compliant Resources: nc', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_resource.perimeter_name.message
Total service_perimeter_resource detected: 2 
['Situation 1: Ensure the resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: nc', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_resource): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_device_management_levels.message
Total access_level detected: 2 
['Situation 1: A list of allowed device management levels. An empty list allows all management levels. Each value may be one of: MANAGEMENT_UNSPECIFIED, NONE, BASIC, COMPLETE', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_device_management_levels to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.region.message
Total access_level detected: 2 
['Situation 1: Must be in Australia Region', 'Non-Compliant Resources: nc', 'Potential Remedies: Change regions to Aus']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_screen_lock.message
Total access_level detected: 2 
['Situation 1: Whether or not screenlock is required for the DevicePolicy to be true.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update screen lock requirement in device policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.os_type.message
Total access_level detected: 2 
['Situation 1: Ensure access is not granted to unspecified or unsupported OS types.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update os_constraints to explicitly include only supported OS types.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_corp_owned.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be corp owned.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_corp_owned to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.require_admin_approval.message
Total access_level detected: 2 
['Situation 1: Whether the device needs to be approved by the customer admin.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update require_admin_approval to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_access_level.allowed_encryption_statuses.message
Total access_level detected: 2 
['Situation 1: A list of allowed encryptions statuses. An empty list allows all statuses. Each value may be one of: ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, ENCRYPTED.', 'Non-Compliant Resources: nc', 'Potential Remedies: Update allowed_encryption_statuses to include only allowed values as per organizational policy.']
Unique resource names in plan (google_access_context_manager_access_level): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.resource.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure only whitelisted projects are added as dry-run resources.', 'Non-Compliant Resources: nc', "Potential Remedies: Update resource to 'projects/123456789'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter_dry_run_resource.perimeter_name.message
Total service_perimeter_dry_run_resource detected: 2 
['Situation 1: Ensure the dry-run resource is attached to the correct authorized service perimeter.', 'Non-Compliant Resources: nc', "Potential Remedies: Update perimeter_name to 'accessPolicies/123456/servicePerimeters/my_perimeter'."]
Unique resource names in plan (google_access_context_manager_service_perimeter_dry_run_resource): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.access_context_manager_vpc_service_controls.google_access_context_manager_service_perimeter.status.message
Total service_perimeter detected: 3 
['Situation 1: Ensure restricted services is not empty (no protection) or to general.', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Update status/restricted_services to explicitly include only required service calls.']
Unique resource names in plan (google_access_context_manager_service_perimeter): 3
Names mentioned in output: 2
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: access_context_manager_vpc_service_controls
  Resource: google_access_context_manager_access_level
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_level_condition
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
    Policy: allowed_encryption_statuses - ✅
  Resource: google_access_context_manager_access_levels
    Policy: members - ✅
    Policy: allowed_device_management_levels - ✅
    Policy: region - ✅
    Policy: ip_subnetworks - ✅
    Policy: require_screen_lock - ✅
    Policy: os_type - ✅
    Policy: require_corp_owned - ✅
    Policy: required_access_levels - ✅
    Policy: negate - ✅
    Policy: minimum_version - ✅
    Policy: require_admin_approval - ✅
  Resource: google_access_context_manager_ingress_policy
    Policy: resource - ✅
    Policy: ingress_policy_name - ✅
  Resource: google_access_context_manager_service_perimeter
    Policy: status - ✅
  Resource: google_access_context_manager_service_perimeter_dry_run_resource
    Policy: resource - ✅
    Policy: perimeter_name - ✅
  Resource: google_access_context_manager_service_perimeter_resource
    Policy: resource - ✅
    Policy: perimeter_name - ✅


@github-actions github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 12, 2026
@Saul154575 Saul154575 assigned Saul154575 and unassigned Saul154575 May 12, 2026