
Gcp/service/cloud tpu #372

Open
SOoONB52 wants to merge 9 commits into dev from gcp/service/cloud_tpu

Conversation


@SOoONB52 SOoONB52 commented May 6, 2026

Add security policies for Cloud TPU V2 (google_tpu_v2_vm)

Policies implemented:

  • enable_secure_boot
  • no_external_ips
  • service_account_configured

Includes compliant and non-compliant Terraform test cases.
Documentation added for Cloud TPU V2 VM.
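To show what the three policies listed above actually test, here is an added Python re-implementation of the same checks over `terraform show -json` plan output (example code, not the project's Rego policies). It assumes that Terraform serializes the nested `network_config`, `shielded_instance_config` and `service_account` blocks as lists of objects, and the two-VM plan it evaluates is constructed for illustration.

```python
"""Evaluate the Cloud TPU V2 VM policies from this PR against a Terraform plan JSON.
Added example, not the project's own code: the same three checks, written in Python.
Assumption: nested blocks appear in the plan as lists of objects (Terraform's block
serialization); a block that is absent serializes as an empty list or is missing."""
import json

# Constructed plan: one non-compliant ("nc") and one compliant ("c") google_tpu_v2_vm,
# mirroring the two resources in the PR's test cases.
PLAN_JSON = json.dumps({"resource_changes": [
    {"type": "google_tpu_v2_vm", "name": "nc", "change": {"actions": ["create"], "after": {
        "network_config": [{"enable_external_ips": True}],
        "shielded_instance_config": [],
        "service_account": []}}},
    {"type": "google_tpu_v2_vm", "name": "c", "change": {"actions": ["create"], "after": {
        "network_config": [{"enable_external_ips": False}],
        "shielded_instance_config": [{"enable_secure_boot": True}],
        "service_account": [{"email": "tpu-runner@example-project.iam.gserviceaccount.com"}]}}},
]})


def _first_block(after, key):
    """Return the first nested block named `key`, or {} when the block is absent."""
    blocks = after.get(key) or []
    return blocks[0] if blocks else {}


# Policy name -> predicate that is True when the resource is NON-compliant.
POLICIES = {
    # External IP explicitly enabled exposes the TPU worker to the internet.
    "no_external_ips": lambda a: _first_block(a, "network_config").get("enable_external_ips") is True,
    # Secure Boot must be explicitly on; a missing block counts as disabled.
    "enable_secure_boot": lambda a: _first_block(a, "shielded_instance_config").get("enable_secure_boot") is not True,
    # No service_account.email means the default compute service account is used.
    "service_account_configured": lambda a: not _first_block(a, "service_account").get("email"),
}


def tpu_v2_vms(plan):
    """Yield (name, after) for every google_tpu_v2_vm that will exist after apply."""
    for rc in plan.get("resource_changes", []):
        # `after` is null for resources being destroyed, so they are skipped.
        if rc.get("type") == "google_tpu_v2_vm" and rc["change"].get("after") is not None:
            yield rc["name"], rc["change"]["after"]


def evaluate(plan_json):
    """Return {policy: sorted names of non-compliant google_tpu_v2_vm resources}."""
    vms = list(tpu_v2_vms(json.loads(plan_json)))
    return {p: sorted(n for n, a in vms if bad(a)) for p, bad in POLICIES.items()}


if __name__ == "__main__":
    for policy, names in evaluate(PLAN_JSON).items():
        print(f"{policy}: {'compliant' if not names else 'Non-Compliant Resources: ' + ', '.join(names)}")
```

Compliant resources are simply not named in the result, which is the behaviour the CI log above describes as "Only compliant resources are unmentioned; ignoring".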

@Hardhat-Enterprises Hardhat-Enterprises deleted a comment from github-actions Bot May 6, 2026

github-actions Bot commented May 6, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_tpu.google_tpu_v2_vm.no_external_ips.message
Total Cloud TPU V2 VM detected: 2 
['Situation 1: The Cloud TPU V2 VM has external IP addresses enabled, increasing the attack surface and exposing the TPU worker to the public internet.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set `network_config.enable_external_ips` to false and enable Private Google Access on the subnetwork instead.']
Unique resource names in plan (google_tpu_v2_vm): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_tpu.google_tpu_v2_vm.enable_secure_boot.message
Total Cloud TPU V2 VM detected: 2 
['Situation 1: Secure Boot is not enabled on the Cloud TPU V2 VM, leaving it vulnerable to boot-level malware and rootkits.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set `shielded_instance_config.enable_secure_boot` to true to enable Secure Boot on the TPU VM.']
Unique resource names in plan (google_tpu_v2_vm): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_tpu.google_tpu_v2_vm.service_account_configured.message
Total Cloud TPU V2 VM detected: 2 
['Situation 1: No dedicated service account is configured for the Cloud TPU V2 VM. Using the default compute service account violates the principle of least privilege.', 'Non-Compliant Resources: nc', 'Potential Remedies: Set `service_account.email` to a dedicated service account with only the required IAM permissions.']
Unique resource names in plan (google_tpu_v2_vm): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_tpu
  Resource: google_tpu_v2_vm
    Policy: no_external_ips - ✅
    Policy: enable_secure_boot - ✅
    Policy: service_account_configured - ✅


@Hardhat-Enterprises Hardhat-Enterprises deleted a comment from github-actions Bot May 6, 2026

github-actions Bot commented May 7, 2026


@jinglong857 jinglong857 self-assigned this May 10, 2026

@github-actions github-actions Bot added the CI-Approved PR approved by CI checks label May 11, 2026