GCP Certificate Authority Service - OPA Security Policies#369

Open
alrigi9 wants to merge 10 commits into dev from gcp/service/certificate_authority_service


@alrigi9 alrigi9 commented May 5, 2026

Added 10 OPA security policies for GCP Certificate Authority Service.

Policies for google_privateca_ca_pool:

  • location, tier, allowed_key_types, publish_ca_cert, publish_crl, maximum_lifetime, allow_csr_based_issuance

Policies for google_privateca_certificate_authority:

  • key_spec_algorithm, deletion_protection

Each policy includes policy.rego, c.tf, nc.tf, config.tf, and input.json generated via terraform plan. Documentation has been completed.
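The PR description lists the CA pool policies by name, and the bot output below spells out what each one checks. The following is an added illustration, not the PR's Rego or any code from this repository: a small Python evaluator that applies four of the same checks (maximum_lifetime, publish_ca_cert/publish_crl, tier, location) to a constructed `terraform show -json` plan fragment with one compliant pool named `c` and one non-compliant pool named `nc`, mirroring the c.tf/nc.tf pairing the description mentions. The approved locations, the ENTERPRISE tier and the 87600h ceiling are taken from the remedy text in the check output; the plan values are made up, and treating a missing or unparseable maximum_lifetime as non-compliant (fail closed) is this example's own choice, not something the page states.

```python
import json
import re

# Constructed sample: a trimmed `terraform show -json` plan with one compliant ("c")
# and one non-compliant ("nc") google_privateca_ca_pool. All values are made up.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {
      "address": "google_privateca_ca_pool.c",
      "type": "google_privateca_ca_pool",
      "name": "c",
      "change": {"actions": ["create"], "after": {
        "location": "australia-southeast1",
        "tier": "ENTERPRISE",
        "publishing_options": [{"publish_ca_cert": true, "publish_crl": true}],
        "issuance_policy": [{"maximum_lifetime": "8760h"}]
      }}
    },
    {
      "address": "google_privateca_ca_pool.nc",
      "type": "google_privateca_ca_pool",
      "name": "nc",
      "change": {"actions": ["create"], "after": {
        "location": "us-central1",
        "tier": "DEVOPS",
        "publishing_options": [{"publish_ca_cert": false, "publish_crl": false}],
        "issuance_policy": [{"maximum_lifetime": "315360001s"}]
      }}
    }
  ]
}
""")

MAX_LIFETIME_SECONDS = 87600 * 3600            # 87600h == 315360000s, the ceiling in the policy text
APPROVED_LOCATIONS = {"australia-southeast1", "australia-southeast2"}  # regions named in the remedy text
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(value):
    """Parse a Terraform/Go-style duration such as '87600h', '315360000s' or '1h30m'.
    Only h/m/s units are handled; anything else raises ValueError so the caller
    can fail closed instead of silently passing an unreadable lifetime."""
    if not isinstance(value, str):
        raise ValueError(f"duration must be a string, got {value!r}")
    parts = re.findall(r"(\d+(?:\.\d+)?)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unparseable duration: {value!r}")
    return sum(float(n) * _UNIT_SECONDS[u] for n, u in parts)


def ca_pools(plan):
    """Yield (name, planned after-state) for every google_privateca_ca_pool that will exist."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_privateca_ca_pool":
            continue
        after = rc.get("change", {}).get("after")
        if after is None:            # resource is being destroyed; nothing to evaluate
            continue
        yield rc["name"], after


def first_block(after, key):
    """Plan JSON renders nested HCL blocks as lists; return the first block or {}."""
    blocks = after.get(key) or []
    return blocks[0] if blocks else {}


def check_maximum_lifetime(plan):
    """Pools whose issuance_policy.maximum_lifetime exceeds 87600h, is missing, or is unparseable."""
    bad = []
    for name, after in ca_pools(plan):
        lifetime = first_block(after, "issuance_policy").get("maximum_lifetime")
        try:
            if lifetime is None or parse_duration(lifetime) > MAX_LIFETIME_SECONDS:
                bad.append(name)
        except ValueError:           # fail closed: an unreadable lifetime is non-compliant
            bad.append(name)
    return bad


def check_publishing(plan):
    """Pools that do not publish both the CA certificate and the CRL."""
    bad = []
    for name, after in ca_pools(plan):
        pub = first_block(after, "publishing_options")
        if not (pub.get("publish_ca_cert") is True and pub.get("publish_crl") is True):
            bad.append(name)
    return bad


def check_tier(plan):
    """Pools not on the ENTERPRISE tier."""
    return [n for n, a in ca_pools(plan) if a.get("tier") != "ENTERPRISE"]


def check_location(plan):
    """Pools deployed outside the approved regions."""
    return [n for n, a in ca_pools(plan) if a.get("location") not in APPROVED_LOCATIONS]


def run_checks(plan):
    """Map policy name -> non-compliant resource names, in the shape of the bot summary."""
    return {
        "maximum_lifetime": check_maximum_lifetime(plan),
        "publish_ca_cert_and_crl": check_publishing(plan),
        "tier": check_tier(plan),
        "location": check_location(plan),
    }


if __name__ == "__main__":
    for policy, names in run_checks(SAMPLE_PLAN).items():
        print(f"{policy:26s} {'FAIL' if names else 'PASS'}  non-compliant: {', '.join(names) or 'none'}")
```

Each checker returns the names of the failing resources rather than a boolean, which is what makes a c.tf/nc.tf pair useful as a test: the compliant pool must never appear and the non-compliant pool must always appear, so a policy that quietly passes everything (as the first run's maximum_lifetime output above shows) is caught by the missing mention of `nc`.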


github-actions Bot commented May 5, 2026

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
['Situation 1: CA Pool maximum certificate lifetime must not exceed 87600h (10 years) to limit exposure from long-lived certificates.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.type.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority type must be SELF_SIGNED or SUBORDINATE to ensure only approved CA configurations are deployed.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ❌
  Resource: google_privateca_certificate_authority
    Policy: type - ❌
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


Failures:
Service: certificate_authority_service | Resource: google_privateca_ca_pool | Policy: maximum_lifetime
Unmentioned resources other than 'c' found: nc

Service: certificate_authority_service | Resource: google_privateca_certificate_authority | Policy: type
Unmentioned resources other than 'c' found: nc


@alrigi9 force-pushed the gcp/service/certificate_authority_service branch from 29aa2f7 to 26d0238 on May 5, 2026 11:07

github-actions Bot commented May 5, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
['Situation 1: CA Pool maximum certificate lifetime must not exceed 87600h (10 years) to limit exposure from long-lived certificates.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.maximum_lifetime to a value no greater than '315360000s' (87600h / 10 years)., Shorter lifetimes reduce the window of exposure if a certificate is compromised."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ✅
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅



@alrigi9 force-pushed the gcp/service/certificate_authority_service branch from 9171a98 to 46aad96 on May 5, 2026 11:13

github-actions Bot commented May 5, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
['Situation 1: CA Pool maximum certificate lifetime must not exceed 87600h (10 years) to limit exposure from long-lived certificates.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.maximum_lifetime to a value no greater than '315360000s' (87600h / 10 years)., Shorter lifetimes reduce the window of exposure if a certificate is compromised."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ✅
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


@alrigi9 alrigi9 force-pushed the gcp/service/certificate_authority_service branch from ecbf772 to 32037ee on May 5, 2026 11:15
@github-actions

github-actions Bot commented May 5, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
['Situation 1: CA Pool maximum certificate lifetime must not exceed 87600h (10 years) to limit exposure from long-lived certificates.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.maximum_lifetime to a value no greater than '315360000s' (87600h / 10 years)., Shorter lifetimes reduce the window of exposure if a certificate is compromised."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ✅
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


@alrigi9 alrigi9 force-pushed the gcp/service/certificate_authority_service branch from 11cb58a to f5c415c on May 5, 2026 11:25
@github-actions

github-actions Bot commented May 5, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
['Situation 1: CA Pool maximum certificate lifetime must not exceed 87600h (10 years) to limit exposure from long-lived certificates.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.maximum_lifetime to a value no greater than '315360000s' (87600h / 10 years)., Shorter lifetimes reduce the window of exposure if a certificate is compromised."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ✅
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


1 similar comment
@github-actions

github-actions Bot commented May 5, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
['Situation 1: CA Pool maximum certificate lifetime must not exceed 87600h (10 years) to limit exposure from long-lived certificates.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.maximum_lifetime to a value no greater than '315360000s' (87600h / 10 years)., Shorter lifetimes reduce the window of exposure if a certificate is compromised."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ✅
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


@alrigi9 alrigi9 requested review from Shani1116 and paulJRCurtis May 5, 2026 11:32
- Fill in security_impact: false with rationale for all arguments in
  privateca_certificate, privateca_certificate_template,
  privateca_ca_pool_iam, and privateca_certificate_template_iam
- Regenerate all markdown files
- Revert .gitignore and range.rego to dev branch versions
@alrigi9 alrigi9 force-pushed the gcp/service/certificate_authority_service branch from 9aa9f2d to f2f2b9a May 6, 2026 11:43
@github-actions

github-actions Bot commented May 6, 2026

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
['Situation 1: CA Pool maximum certificate lifetime must not exceed 87600h (10 years) to limit exposure from long-lived certificates.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ❌
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


Failures:
Service: certificate_authority_service | Resource: google_privateca_ca_pool | Policy: maximum_lifetime
Unmentioned resources other than 'c' found: nc

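The failing run above shows the maximum_lifetime policy reporting "None - All passed" while the plan contains the nc pool, so the harness flags nc as an unmentioned non-compliant resource; the later run fixes this by comparing the configured duration ('999999999s') numerically against the '315360000s' ceiling. The block below is an added example, not the PR's policy.rego or its CI checker: it parses the `Ns` duration from a constructed Terraform plan, applies the numeric threshold, emits the message list in the same shape the output above shows, and reconstructs the harness rule that is visible in that output (every pool in the plan must appear in the policy message, except the compliant pool named c). The plan shape (`resource_changes`, `change.after`, `issuance_policy` as a list of blocks) follows Terraform's plan JSON; treating an unset maximum_lifetime as non-compliant and matching names via the "Non-Compliant Resources:" line are my assumptions.

```python
"""Numeric maximum_lifetime check for google_privateca_ca_pool over a Terraform
plan, plus a reconstruction of the CI harness's 'all resources mentioned' rule.
Constructed example; not the PR's policy.rego or its checker."""
import re

# Threshold quoted in the policy message: 315360000s == 87600h == 10 years.
MAX_LIFETIME_SECONDS = 315_360_000

SITUATION = ("Situation 1: CA Pool maximum certificate lifetime must not exceed "
             "87600h (10 years) to limit exposure from long-lived certificates.")
REMEDY = ("Potential Remedies: Set issuance_policy.maximum_lifetime to a value "
          "no greater than '315360000s' (87600h / 10 years).")

# Constructed plan fragment in Terraform plan-JSON shape: one compliant pool
# 'c' exactly at the ceiling and one non-compliant pool 'nc' far beyond it.
PLAN = {
    "resource_changes": [
        {"type": "google_privateca_ca_pool", "name": "c",
         "change": {"after": {"issuance_policy": [{"maximum_lifetime": "315360000s"}]}}},
        {"type": "google_privateca_ca_pool", "name": "nc",
         "change": {"after": {"issuance_policy": [{"maximum_lifetime": "999999999s"}]}}},
    ]
}

_DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?)s$")


def duration_seconds(value):
    """Parse a GCP duration string such as '999999999s' into seconds.

    Returns None for a missing or malformed value so the caller can fail
    closed instead of treating an unparsable lifetime as compliant."""
    if not isinstance(value, str):
        return None
    m = _DURATION_RE.match(value.strip())
    return float(m.group(1)) if m else None


def ca_pools(plan):
    """Yield (name, after-state) for every google_privateca_ca_pool in the plan."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") == "google_privateca_ca_pool":
            yield rc["name"], (rc.get("change") or {}).get("after") or {}


def max_lifetime_of(after):
    # issuance_policy is a nested block, so plan JSON renders it as a list.
    policies = after.get("issuance_policy") or []
    if not policies:
        return None
    return duration_seconds(policies[0].get("maximum_lifetime"))


def noncompliant_max_lifetime(plan):
    """Names of pools whose lifetime is unset/unparsable (assumed fail-closed)
    or numerically above the ceiling."""
    bad = []
    for name, after in ca_pools(plan):
        secs = max_lifetime_of(after)
        if secs is None or secs > MAX_LIFETIME_SECONDS:
            bad.append(name)
    return bad


def message(plan):
    """Build the policy message list in the format the CI output prints."""
    bad = noncompliant_max_lifetime(plan)
    if not bad:
        return [SITUATION, "Non-Compliant Resources: None - All passed"]
    return [SITUATION, "Non-Compliant Resources: " + ", ".join(bad), REMEDY]


def mentioned_resources(msgs):
    """Resource names named on the 'Non-Compliant Resources:' line (assumed
    reconstruction of how the harness reads the policy output)."""
    for line in msgs:
        if line.startswith("Non-Compliant Resources:"):
            rest = line.split(":", 1)[1].strip()
            if rest.startswith("None"):
                return set()
            return {n.strip() for n in rest.split(",") if n.strip()}
    return set()


def harness_check(plan, msgs):
    """Harness rule seen in the output: every pool in the plan must be
    mentioned, except the compliant pool 'c'. Returns (passed, missing)."""
    names = {n for n, _ in ca_pools(plan)}
    missing = sorted(names - mentioned_resources(msgs))
    return all(n == "c" for n in missing), missing


if __name__ == "__main__":
    msgs = message(PLAN)
    print(msgs)
    print("Check passed" if harness_check(PLAN, msgs)[0] else "Check failed")
```

Running the block reproduces the passing shape of the later run (nc listed, only c unmentioned); feeding the harness the "None - All passed" message instead reproduces the failure above, which is the signal that the policy never evaluated the oversized lifetime.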

@github-actions

github-actions Bot commented May 6, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
["Situation 1: CA Pool maximum certificate lifetime must not be set to an excessively long duration. '999999999s' (~31.7 years) far exceeds the recommended maximum of '315360000s' (10 years) and unnecessarily extends exposure if a certificate is compromised.", 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.maximum_lifetime to a value no greater than '315360000s' (87600h / 10 years)., Shorter lifetimes reduce the window of exposure if a certificate or its issuing CA is compromised."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ✅
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


1 similar comment

@Chhunly-TAING Chhunly-TAING self-assigned this May 7, 2026
Contributor

Many extra attributes are not required. For example, if you check against the allowed_key_type, the c.tf should contain resource, name, location, tier, and allowed_key_type, something like ECDSA_P256.

Author

Fixed, thank you

Contributor

I think you can remove publish_crl

Author

Fixed, thank you

Contributor

I think publishing_options and labels can be removed.

Author

Fixed, thank you

@alrigi9 alrigi9 force-pushed the gcp/service/certificate_authority_service branch from 305acc3 to c3434f0 May 7, 2026 11:44
@github-actions

github-actions Bot commented May 7, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
["Situation 1: CA Pool maximum certificate lifetime must not be set to an excessively long duration. '999999999s' (~31.7 years) far exceeds the recommended maximum of '315360000s' (10 years) and unnecessarily extends exposure if a certificate is compromised.", 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.maximum_lifetime to a value no greater than '315360000s' (87600h / 10 years)., Shorter lifetimes reduce the window of exposure if a certificate or its issuing CA is compromised."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ✅
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


Contributor

@Chhunly-TAING Chhunly-TAING left a comment

Hi Alri,

Please ensure that you push the changes from your local computer. Additionally, please update your nc.tf to reflect the c.tf of each resource type.

Thanks,

@alrigi9 alrigi9 force-pushed the gcp/service/certificate_authority_service branch from 32591a3 to 9991217 Compare May 9, 2026 17:13
@alrigi9 alrigi9 requested a review from Chhunly-TAING May 9, 2026 17:14
@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.location.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must be deployed in an approved geographic region.', 'Non-Compliant Resources: nc', "Potential Remedies: Set the location field to an approved region such as 'australia-southeast1' or 'australia-southeast2'., Run 'gcloud privateca locations list' to see all available regions."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_ca_cert.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish CA certificates to allow clients to establish trust with the CA hierarchy.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_ca_cert to true., Publishing CA certificates is required for clients to validate the chain of trust.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.publish_crl.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must publish certificate revocation lists to enable revocation checking by relying parties.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set publishing_options.publish_crl to true., Publishing CRLs is required to support certificate revocation and prevent use of compromised certificates.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allow_csr_based_issuance.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must allow CSR-based certificate issuance to support standard certificate request workflows.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set issuance_policy.allowed_issuance_modes.allow_csr_based_issuance to true., CSR-based issuance is the standard method for certificate requests and must be enabled.']
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.allowed_key_types.message
Total CA Pool detected: 2 
['Situation 1: CA Pool issuance policy must restrict elliptic curve signing algorithms to OS-approved types only.', 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.allowed_key_types.elliptic_curve.signature_algorithm to 'ECDSA_P384' or 'ECDSA_P256'., Avoid 'EDDSA_25519' unless explicitly approved by the security team., Remove any unspecified or legacy key type entries."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.tier.message
Total CA Pool detected: 2 
['Situation 1: CA Pool must use the ENTERPRISE tier to enforce admin approval controls and audit logging for all certificate operations.', 'Non-Compliant Resources: nc', "Potential Remedies: Set tier to 'ENTERPRISE'., The DEVOPS tier lacks HSM-backed keys and granular audit logging required by organisational policy."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_ca_pool.maximum_lifetime.message
Total CA Pool detected: 2 
["Situation 1: CA Pool maximum certificate lifetime must not be set to an excessively long duration. '999999999s' (~31.7 years) far exceeds the recommended maximum of '315360000s' (10 years) and unnecessarily extends exposure if a certificate is compromised.", 'Non-Compliant Resources: nc', "Potential Remedies: Set issuance_policy.maximum_lifetime to a value no greater than '315360000s' (87600h / 10 years)., Shorter lifetimes reduce the window of exposure if a certificate or its issuing CA is compromised."]
Unique resource names in plan (google_privateca_ca_pool): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.deletion_protection.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority deletion protection must be enabled to prevent accidental or unauthorised deletion of the CA.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set deletion_protection to true., Deletion protection prevents accidental destruction of a CA which would invalidate all certificates it has issued.']
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.certificate_authority_service.google_privateca_certificate_authority.key_spec_algorithm.message
Total Certificate Authority detected: 2 
['Situation 1: Certificate Authority key algorithm must use an approved cryptographic standard to enforce encryption compliance.', 'Non-Compliant Resources: nc', "Potential Remedies: Set key_spec.algorithm to one of the approved values: 'EC_P384_SHA384', 'RSA_PSS_4096_SHA256', or 'RSA_PKCS1_4096_SHA256'., Avoid weaker algorithms such as 'RSA_PSS_2048_SHA256' or 'RSA_PKCS1_2048_SHA256'., When using a Cloud KMS key, ensure the underlying key version uses an approved algorithm."]
Unique resource names in plan (google_privateca_certificate_authority): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: certificate_authority_service
  Resource: google_privateca_ca_pool
    Policy: location - ✅
    Policy: publish_ca_cert - ✅
    Policy: publish_crl - ✅
    Policy: allow_csr_based_issuance - ✅
    Policy: allowed_key_types - ✅
    Policy: tier - ✅
    Policy: maximum_lifetime - ✅
  Resource: google_privateca_certificate_authority
    Policy: deletion_protection - ✅
    Policy: key_spec_algorithm - ✅


@github-actions github-actions Bot added the CI-Approved PR approved by CI checks label May 11, 2026
@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

