
feat: Add Cloud (Stackdriver) Logging security policies #367

Open

HarshPandya7 wants to merge 4 commits into dev from gcp/service/cloud-stackdriver-logging

feat: Add Cloud (Stackdriver) Logging security policies#367
HarshPandya7 wants to merge 4 commits into
devfrom
gcp/service/cloud-stackdriver-logging

Conversation

@HarshPandya7 (Contributor)

Summary

Add 12 security policies for Cloud (Stackdriver) Logging service

Changes

  • 12 Security Policies for logging resources:

    • CMEK encryption for log buckets
    • Retention days (30-day minimum, 90-day recommended)
    • Bucket locked for compliance
    • Exclusion filter and disabled checks
    • Sink destination and unique writer identity
    • Log scope resource names
    • Log view IAM members and role
    • Metric disabled check
    • Organization CMEK settings
  • Complete Documentation for all logging resources with security impact assessments

  • Test Configurations (compliant and non-compliant) for all policies

Testing Status

✅ Linter: 0 errors
✅ Pre-commit: All checks passed
✅ OPA evaluations: All policies working correctly

Files Changed

  • inputs/gcp/cloud_stackdriver_logging/ - Test configurations (100+ files)
  • policies/gcp/cloud_stackdriver_logging/ - Security policies (30+ files)
  • docs/gcp/cloud_stackdriver_logging/ - Documentation (40+ files)

- Add 13 security policies for logging resources
- Includes CMEK encryption, retention days, bucket locked
- Includes exclusion filter, exclusion disabled
- Includes sink destination, unique writer identity
- Includes log scope, log view IAM members and role
- Includes metric disabled, organization CMEK
- All linter checks passed
- All OPA evaluations working

github-actions Bot commented May 5, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_bucket_config.cmek_encryption.message
Total Stackdriver Logging Bucket Config detected: 2 
['Situation 1: Log bucket is not encrypted with Customer-Managed Encryption Key (CMEK)', 'Non-Compliant Resources: nc', 'Potential Remedies: Add cmek_settings block with a valid KMS key name, Use format: projects/YOUR_PROJECT/locations/REGION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME']
Unique resource names in plan (google_logging_project_bucket_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_bucket_config.retention_days.message
Total Stackdriver Logging Bucket Config detected: 2 
['Situation 1: Log retention period is insufficient for compliance requirements', 'Non-Compliant Resources: nc', 'Potential Remedies: Set retention_days to at least 30 days (minimum compliance requirement), Recommended: 90+ days for audit logs, Maximum: 3650 days']
['Situation 2: Audit log retention period is below recommended 90 days', 'Non-Compliant Resources: nc', 'Potential Remedies: Set retention_days to 90 days or higher for audit logs, CIS GCP Benchmark recommends 90+ days for audit log retention']
Unique resource names in plan (google_logging_project_bucket_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_bucket_config.locked.message
Total Stackdriver Logging Bucket Config detected: 4 
['Situation 1: Log bucket is not locked - retention can be reduced or bucket can be deleted, compromising audit trail integrity', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set locked = true to prevent retention reduction and bucket deletion, Note: This setting is permanent and cannot be undone once applied, Required for compliance with legal hold and audit log preservation']
Unique resource names in plan (google_logging_project_bucket_config): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_exclusion.disabled.message
Total Stackdriver Logging Exclusion Filter detected: 4 
['Situation 1: Log exclusion is disabled - not actively filtering logs', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set disabled = false to activate the exclusion, Or remove the disabled attribute entirely (default is false), If the exclusion is no longer needed, consider removing it completely']
Unique resource names in plan (google_logging_project_exclusion): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_exclusion.filter.message
Total Stackdriver Logging Exclusion Filter detected: 3 
['Situation 1: Stackdriver log exclusion filter is blocking security-relevant audit events', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove exclusions that block cloudaudit.googleapis.com logs, Remove exclusions that block high severity logs (ERROR, CRITICAL, ALERT, EMERGENCY), Only exclude non-security logs like health checks or debug logs from development']
Unique resource names in plan (google_logging_project_exclusion): 3
Names mentioned in output: 1
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_organization_settings.cmek.message
Total Stackdriver Logging Organization Settings detected: 4 
['Situation 1: Organization logging settings do not use Customer-Managed Encryption Key (CMEK)', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set kms_key_name to a valid CMEK key, Format: projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/KEYRING_NAME/cryptoKeys/KEY_NAME, Ensure the key exists and the logging service account has permissions']
Unique resource names in plan (google_logging_organization_settings): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_log_scope.resource_names.message
Total Stackdriver Logging Log Scope detected: 2 
['Situation 1: Log scope includes unauthorized projects or excludes critical security projects', 'Non-Compliant Resources: nc', 'Potential Remedies: Only include production projects that require security monitoring, Exclude development, testing, and external projects, Ensure all critical audit projects are included, Maximum 50 projects and 100 total resources']
Unique resource names in plan (google_logging_log_scope): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_log_view_iam_binding.members.message
Total Stackdriver Logging Log View IAM detected: 2 
['Situation 1: Log view IAM includes public or authenticated users which exposes sensitive logs', 'Non-Compliant Resources: nc', 'Potential Remedies: Remove \'allUsers\' and \'allAuthenticatedUsers\' from members, Use specific service accounts or user emails instead, Example: ["serviceAccount:security-auditor@project.iam.gserviceaccount.com"]']
Unique resource names in plan (google_logging_log_view_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_log_view_iam_binding.role.message
Total Stackdriver Logging Log View IAM detected: 2 
['Situation 1: Log view IAM role is overly permissive - should use viewAccessor only', 'Non-Compliant Resources: nc', 'Potential Remedies: Use roles/logging.viewAccessor for read-only access, Avoid roles/logging.logWriter (allows log modification), Avoid roles/logging.privateLogViewer (may expose sensitive data)']
Unique resource names in plan (google_logging_log_view_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_metric.disabled.message
Total Stackdriver Logging Metric detected: 4 
['Situation 1: Security metric is disabled - critical security events will not be monitored', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set disabled = false to enable the metric, Remove the disabled attribute entirely (default is false), Ensure all security metrics remain active for continuous monitoring']
Unique resource names in plan (google_logging_metric): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_sink.destination.message
Total Stackdriver Logging Project Sink detected: 2 
["Situation 1: Stackdriver log sink destination is not within the organization's approved domains/buckets", 'Non-Compliant Resources: nc', "Potential Remedies: Use approved destination patterns: storage.googleapis.com/YOUR_BUCKET, bigquery.googleapis.com/projects/YOUR_PROJECT/datasets/YOUR_DATASET, or pubsub.googleapis.com/projects/YOUR_PROJECT/topics/YOUR_TOPIC, logging.googleapis.com/projects/YOUR_PROJECT/locations/global/buckets/YOUR_BUCKET, Ensure destination is within your organization's GCP project"]
Unique resource names in plan (google_logging_project_sink): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_stackdriver_logging.google_logging_project_sink.unique_writer_identity.message
Total Stackdriver Logging Project Sink detected: 4 
['Situation 1: Log sink does not use unique writer identity - using default Logging service account', 'Non-Compliant Resources: nc1, nc2', 'Potential Remedies: Set unique_writer_identity = true to create a dedicated service account for this sink, Required for cross-project log exports and BigQuery options, Provides better security isolation and auditability']
Unique resource names in plan (google_logging_project_sink): 4
Names mentioned in output: 2
 Missing mentions: c1, c2
Check passed


Summary of policy checks:
Service: cloud_stackdriver_logging
  Resource: google_logging_log_scope
    Policy: resource_names - ✅
  Resource: google_logging_log_view_iam_binding
    Policy: members - ✅
    Policy: role - ✅
  Resource: google_logging_metric
    Policy: disabled - ✅
  Resource: google_logging_organization_settings
    Policy: cmek - ✅
  Resource: google_logging_project_bucket_config
    Policy: cmek_encryption - ✅
    Policy: retention_days - ✅
    Policy: locked - ✅
  Resource: google_logging_project_exclusion
    Policy: disabled - ✅
    Policy: filter - ✅
  Resource: google_logging_project_sink
    Policy: destination - ✅
    Policy: unique_writer_identity - ✅

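The checks listed in the PR summary above and spelled out in the CI remedy text (retention thresholds, locked buckets, CMEK, exclusion filters that would silence audit or high-severity logs, sink destination allow-listing, unique writer identity, public log-view members, over-broad log-view roles) re-implemented as an added Python example over a constructed `terraform show -json` plan. This is not the PR's own Rego policy code. The plan layout (`planned_values.root_module.resources[]` with `type`, `name`, `values`) is Terraform's real plan JSON format; the resource values, the `ALLOWED_PROJECTS` set and the policy key names are assumptions made for this example, while the 30/90-day thresholds, destination prefixes and role names are the ones quoted in the CI messages.

```python
import json
import re

# Constructed terraform-show-json plan (not from the PR): one compliant ("c")
# and one non-compliant ("nc") resource per type, mirroring the PR's test naming.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"type": "google_logging_project_bucket_config", "name": "c", "values": {
        "retention_days": 400, "locked": True,
        "cmek_settings": [{"kms_key_name": "projects/p/locations/us/keyRings/r/cryptoKeys/k"}]}},
    {"type": "google_logging_project_bucket_config", "name": "nc", "values": {
        "retention_days": 14, "locked": False, "cmek_settings": []}},
    {"type": "google_logging_project_exclusion", "name": "c", "values": {
        "filter": 'resource.type="gce_instance" AND severity<=DEBUG'}},
    {"type": "google_logging_project_exclusion", "name": "nc", "values": {
        "filter": 'logName:"cloudaudit.googleapis.com" OR severity>=ERROR'}},
    {"type": "google_logging_project_sink", "name": "c", "values": {
        "destination": "bigquery.googleapis.com/projects/my-org-prod/datasets/audit",
        "unique_writer_identity": True}},
    {"type": "google_logging_project_sink", "name": "nc", "values": {
        "destination": "pubsub.googleapis.com/projects/someone-elses-project/topics/logs",
        "unique_writer_identity": False}},
    {"type": "google_logging_log_view_iam_binding", "name": "c", "values": {
        "role": "roles/logging.viewAccessor",
        "members": ["serviceAccount:security-auditor@project.iam.gserviceaccount.com"]}},
    {"type": "google_logging_log_view_iam_binding", "name": "nc", "values": {
        "role": "roles/logging.logWriter", "members": ["allAuthenticatedUsers"]}},
]}}})

# Severity expressions that would drop security-relevant events if excluded.
HIGH_SEVERITY = re.compile(r"severity\s*(?:>=|=|:)\s*(?:ERROR|CRITICAL|ALERT|EMERGENCY)\b", re.I)
APPROVED_PREFIXES = ("storage.googleapis.com/", "bigquery.googleapis.com/projects/",
                     "pubsub.googleapis.com/projects/", "logging.googleapis.com/projects/")
PROJECT_IN_DESTINATION = re.compile(r"^[a-z]+\.googleapis\.com/projects/([^/]+)/")
ALLOWED_PROJECTS = {"my-org-prod"}  # assumption: the organisation's own projects
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def resources(plan, rtype):
    """Yield (name, values) for each planned root-module resource of one type
    (child modules are ignored to keep the example short)."""
    for r in plan["planned_values"]["root_module"].get("resources", []):
        if r["type"] == rtype:
            yield r["name"], r.get("values", {})


def exclusion_blocks_security_logs(filter_expr):
    """True if an exclusion filter would silence audit logs or high-severity events."""
    return "cloudaudit.googleapis.com" in filter_expr or HIGH_SEVERITY.search(filter_expr) is not None


def destination_approved(dest):
    """Approved service prefix and, when the path names a project, an org-owned one."""
    if not dest.startswith(APPROVED_PREFIXES):
        return False
    m = PROJECT_IN_DESTINATION.match(dest)
    return m is None or m.group(1) in ALLOWED_PROJECTS


def evaluate(plan_json):
    """Return {policy: [non-compliant resource names]}, like the CI summary lines."""
    plan = json.loads(plan_json)
    findings = {}

    def flag(policy, name):
        findings.setdefault(policy, []).append(name)

    for name, v in resources(plan, "google_logging_project_bucket_config"):
        days = v.get("retention_days") or 30  # provider default when unset is 30 days
        if days < 30:
            flag("bucket_config.retention_days", name)
        if days < 90:
            flag("bucket_config.retention_days_below_90", name)
        if not v.get("locked"):
            flag("bucket_config.locked", name)
        if not any(c.get("kms_key_name") for c in v.get("cmek_settings", [])):
            flag("bucket_config.cmek_encryption", name)
    for name, v in resources(plan, "google_logging_project_exclusion"):
        if exclusion_blocks_security_logs(v.get("filter", "")):
            flag("exclusion.filter", name)
    for name, v in resources(plan, "google_logging_project_sink"):
        if not destination_approved(v.get("destination", "")):
            flag("sink.destination", name)
        if not v.get("unique_writer_identity"):
            flag("sink.unique_writer_identity", name)
    for name, v in resources(plan, "google_logging_log_view_iam_binding"):
        if PUBLIC_MEMBERS & set(v.get("members", [])):
            flag("log_view_iam_binding.members", name)
        if v.get("role") != "roles/logging.viewAccessor":
            flag("log_view_iam_binding.role", name)
    return findings


if __name__ == "__main__":
    for policy, names in sorted(evaluate(PLAN_JSON).items()):
        print(f"{policy}: Non-Compliant Resources: {', '.join(names)}")
```

The non-compliant sink is deliberately one whose destination has an approved service prefix but points at a project outside `ALLOWED_PROJECTS`; a prefix-only check would pass it, which is the "within your organization's GCP project" half of the remedy in the CI output.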

@github-actions github-actions Bot added the CI-Approved PR approved by CI checks label May 11, 2026

@Shani1116 Shani1116 (Contributor) left a comment

@HarshPandya7 You have followed the correct TF / policy format with well written policies. Good job!

I have one question before I approve - Is there a reason behind renaming the resource_json file?

@Shani1116 Shani1116 self-assigned this May 12, 2026
@HarshPandya7 (Contributor, Author)

The resource_json files were renamed to align with the new service name cloud_stackdriver_logging for consistency across all directories (inputs, policies, and docs).

Labels

CI-Approved PR approved by CI checks
