
feat(cloud_monitoring): Add Cloud (Stackdriver) Monitoring security policies and documentation#374

Open
Faris-Alh4rbi wants to merge 13 commits into dev from gcp/service/cloud_monitoring

Conversation


@Faris-Alh4rbi Faris-Alh4rbi commented May 7, 2026

Summary
Added security policies and documentation for the Cloud (Stackdriver) Monitoring service.

Policies Implemented

  • google_monitoring_notification_channel: sensitive_labels
  • google_monitoring_notification_channel: force_delete
  • google_monitoring_uptime_check_config: validate_ssl
  • google_monitoring_uptime_check_config: mask_headers
  • google_monitoring_alert_policy: enabled

Documentation
All 10 resources are documented with argument reference tables, security justifications written for the policies, and rationale for attributes that have no policy.

Testing

  • Compliant Terraform file: c.tf
  • Non-compliant Terraform file: nc.tf
  • All OPA policy checks passing
  • Pre-commit hooks passed
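The five policies listed above are written in Rego and run by OPA in CI; the block below is an added example, not the project's policy code, that re-implements the same five checks in Python over a constructed Terraform plan (the `terraform show -json` layout, `planned_values.root_module.resources`, with nested HCL blocks serialised as lists), so the detection logic can be read and run without OPA. Resource values, hostnames and the placeholder secrets are constructed; for `validate_ssl` and `mask_headers` the example treats an unset attribute the same as `false`, a slightly stricter reading than the page's "set to false", and header names are matched case-insensitively, both deliberate choices of this example.

```python
import json

# Label keys the sensitive_labels policy flags when placed in plain `labels`
# rather than the `sensitive_labels` block.
SENSITIVE_LABEL_KEYS = ("auth_token", "password", "service_key")


def resources_of_type(plan, rtype):
    """Planned resources of one type, descending into child modules."""
    found, stack = [], [plan["planned_values"]["root_module"]]
    while stack:
        module = stack.pop()
        found.extend(r for r in module.get("resources", []) if r.get("type") == rtype)
        stack.extend(module.get("child_modules", []))
    return found


def first_block(values, name):
    """Nested HCL blocks appear in plan JSON as lists of objects; return the first or {}."""
    blocks = values.get(name) or []
    return blocks[0] if blocks else {}


def check_sensitive_labels(plan):
    """Channels whose plain labels carry a token, password or service key."""
    return sorted({r["name"]
                   for r in resources_of_type(plan, "google_monitoring_notification_channel")
                   for key in SENSITIVE_LABEL_KEYS
                   if key in (r["values"].get("labels") or {})})


def check_force_delete(plan):
    """Channels deletable while alert policies still reference them."""
    return sorted(r["name"]
                  for r in resources_of_type(plan, "google_monitoring_notification_channel")
                  if r["values"].get("force_delete") is True)


def check_validate_ssl(plan):
    """HTTPS uptime_url checks that skip certificate validation (unset counts as false)."""
    names = []
    for r in resources_of_type(plan, "google_monitoring_uptime_check_config"):
        http = first_block(r["values"], "http_check")
        target = first_block(r["values"], "monitored_resource")
        if (target.get("type") == "uptime_url" and http.get("use_ssl") is True
                and http.get("validate_ssl") is not True):
            names.append(r["name"])
    return sorted(names)


def check_mask_headers(plan):
    """Uptime checks sending an Authorization header without mask_headers enabled."""
    names = []
    for r in resources_of_type(plan, "google_monitoring_uptime_check_config"):
        http = first_block(r["values"], "http_check")
        has_auth = any(h.lower() == "authorization" for h in (http.get("headers") or {}))
        if has_auth and http.get("mask_headers") is not True:
            names.append(r["name"])
    return sorted(names)


def check_enabled(plan):
    """Alert policies explicitly disabled, so they never open incidents or notify."""
    return sorted(r["name"]
                  for r in resources_of_type(plan, "google_monitoring_alert_policy")
                  if r["values"].get("enabled") is False)


def evaluate(plan):
    """Policy name -> non-compliant resource names, in the shape the CI summary reports."""
    return {
        "google_monitoring_notification_channel.sensitive_labels": check_sensitive_labels(plan),
        "google_monitoring_notification_channel.force_delete": check_force_delete(plan),
        "google_monitoring_uptime_check_config.validate_ssl": check_validate_ssl(plan),
        "google_monitoring_uptime_check_config.mask_headers": check_mask_headers(plan),
        "google_monitoring_alert_policy.enabled": check_enabled(plan),
    }


# Constructed plan JSON: one compliant ("c") and one non-compliant ("nc") resource per
# type, mirroring the c.tf / nc.tf pairing the PR tests with. Secrets are placeholders.
PLAN_JSON = """{"format_version": "1.2", "planned_values": {"root_module": {"resources": [
 {"type": "google_monitoring_notification_channel", "name": "c", "values": {"type": "slack",
  "labels": {"channel_name": "#alerts"}, "sensitive_labels": [{"auth_token": "PLACEHOLDER"}],
  "force_delete": false}},
 {"type": "google_monitoring_notification_channel", "name": "nc", "values": {"type": "slack",
  "labels": {"channel_name": "#alerts", "auth_token": "PLACEHOLDER"}, "force_delete": true}},
 {"type": "google_monitoring_uptime_check_config", "name": "c", "values": {
  "monitored_resource": [{"type": "uptime_url", "labels": {"host": "example.com"}}],
  "http_check": [{"use_ssl": true, "validate_ssl": true, "mask_headers": true,
                  "headers": {"Authorization": "Bearer PLACEHOLDER"}}]}},
 {"type": "google_monitoring_uptime_check_config", "name": "nc", "values": {
  "monitored_resource": [{"type": "uptime_url", "labels": {"host": "example.com"}}],
  "http_check": [{"use_ssl": true, "validate_ssl": false, "mask_headers": false,
                  "headers": {"Authorization": "Bearer PLACEHOLDER"}}]}},
 {"type": "google_monitoring_alert_policy", "name": "c", "values": {"enabled": true}},
 {"type": "google_monitoring_alert_policy", "name": "nc", "values": {"enabled": false}}
]}}}"""
PLAN = json.loads(PLAN_JSON)

if __name__ == "__main__":
    for policy, bad in evaluate(PLAN).items():
        print(f"{policy}: " + (f"Non-Compliant Resources: {', '.join(bad)}" if bad else "All passed"))
```

Run against a real plan with `terraform show -json tfplan > plan.json` and `evaluate(json.load(open("plan.json")))`; every policy here should report exactly the `nc` resource on the constructed input, which is the pattern the CI output above shows for c.tf and nc.tf.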

Faris A added 7 commits April 5, 2026 22:04
Policies (5 total, all tests passing, linter clean):
- google_monitoring_alert_policy: enabled_required
- google_monitoring_notification_channel: sensitive_labels_required, force_delete_false
- google_monitoring_uptime_check_config: validate_ssl_required, mask_headers_required_for_auth_headers

Docs (10 resources fully documented with argument reference and security justification)

github-actions Bot commented May 7, 2026

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_uptime_check_config.validate_ssl_required.message
Total Google Monitoring Uptime Check Config detected: 2 
['Situation 1: http_check.validate_ssl is set to false on an HTTPS uptime_url check, which allows the check to run without SSL certificate validation', 'Non-Compliant Resources: nc', 'Potential Remedies: Set http_check.validate_ssl to true for HTTPS uptime_url checks']
Unique resource names in plan (google_monitoring_uptime_check_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_uptime_check_config.mask_headers_required_for_auth_headers.message
Total Google Monitoring Uptime Check Config detected: 2 
['Situation 1: An Authorization header is configured while mask_headers is disabled, which may expose authentication data when retrieving the uptime check configuration', 'Non-Compliant Resources: nc', 'Potential Remedies: Set http_check.mask_headers to true when using authentication-related headers such as Authorization']
Unique resource names in plan (google_monitoring_uptime_check_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_alert_policy.enabled_required.message
Total Google Monitoring Alert Policy detected: 2 
['Situation 1: enabled is set to false, which disables the alert policy and prevents it from triggering incidents or notifications', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enabled to true to ensure the alert policy is active and can detect and respond to incidents']
Unique resource names in plan (google_monitoring_alert_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.sensitive_labels_required.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: labels.auth_token is set directly, which may expose a sensitive token in normal labels', 'Non-Compliant Resources: nc', 'Potential Remedies: Move auth_token from labels to the sensitive_labels block']
['Situation 2: labels.password is set directly, which may expose a sensitive password in normal labels', 'Non-Compliant Resources: None - All passed']
['Situation 3: labels.service_key is set directly, which may expose a sensitive service key in normal labels', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.force_delete_false.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: force_delete is set to true, which allows the notification channel to be deleted even if alert policies still reference it', 'Non-Compliant Resources: nc', 'Potential Remedies: Set force_delete to false or remove the attribute']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_monitoring
  Resource: google_monitoring_alert_policy
    Policy: enabled_required - ✅
  Resource: google_monitoring_notification_channel
    Policy: sensitive_labels_required - ✅
    Policy: force_delete_false - ✅
  Resource: google_monitoring_uptime_check_config
    Policy: validate_ssl_required - ✅
    Policy: mask_headers_required_for_auth_headers - ✅


@s222244344 s222244344 self-assigned this May 10, 2026
@s222244344
Contributor

I have very minor comments and changes. You are clearly very confident with your policy writing and clearly understand what you are doing. The biggest thing, and yet it's a minor concern but an important one: just make sure your file naming structures match Terraform exactly. For example, "mask_headers_required_for_auth_users" just needs to be "mask_headers"; the requirements for which users and what they relate to are all explained in your policy.rego file. Again, this being the majority of the changes is very positive. As I said, you clearly understand policy writing very well, as it reflects in your PR. WELL DONE!

- Renamed mask_headers_required_for_auth_headers to mask_headers to match Terraform attribute naming (review feedback)
- Filled in security_impact, rationale, compliant and non-compliant fields in resource JSON files for monitoring_notification_channel, monitoring_uptime_check_config and monitoring_alert_policy
@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_uptime_check_config.validate_ssl_required.message
Total Google Monitoring Uptime Check Config detected: 2 
['Situation 1: http_check.validate_ssl is set to false on an HTTPS uptime_url check, which allows the check to run without SSL certificate validation', 'Non-Compliant Resources: nc', 'Potential Remedies: Set http_check.validate_ssl to true for HTTPS uptime_url checks']
Unique resource names in plan (google_monitoring_uptime_check_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_uptime_check_config.mask_headers.message
Total Google Monitoring Uptime Check Config detected: 2 
['Situation 1: An Authorization header is configured while mask_headers is disabled, which may expose authentication data when retrieving the uptime check configuration', 'Non-Compliant Resources: nc', 'Potential Remedies: Set http_check.mask_headers to true when using authentication-related headers such as Authorization']
Unique resource names in plan (google_monitoring_uptime_check_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_alert_policy.enabled_required.message
Total Google Monitoring Alert Policy detected: 2 
['Situation 1: enabled is set to false, which disables the alert policy and prevents it from triggering incidents or notifications', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enabled to true to ensure the alert policy is active and can detect and respond to incidents']
Unique resource names in plan (google_monitoring_alert_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.sensitive_labels_required.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: labels.auth_token is set directly, which may expose a sensitive token in normal labels', 'Non-Compliant Resources: nc', 'Potential Remedies: Move auth_token from labels to the sensitive_labels block']
['Situation 2: labels.password is set directly, which may expose a sensitive password in normal labels', 'Non-Compliant Resources: None - All passed']
['Situation 3: labels.service_key is set directly, which may expose a sensitive service key in normal labels', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.force_delete_false.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: force_delete is set to true, which allows the notification channel to be deleted even if alert policies still reference it', 'Non-Compliant Resources: nc', 'Potential Remedies: Set force_delete to false or remove the attribute']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_monitoring
  Resource: google_monitoring_alert_policy
    Policy: enabled_required - ✅
  Resource: google_monitoring_notification_channel
    Policy: sensitive_labels_required - ✅
    Policy: force_delete_false - ✅
  Resource: google_monitoring_uptime_check_config
    Policy: validate_ssl_required - ✅
    Policy: mask_headers - ✅


@Faris-Alh4rbi
Author

Thanks for the feedback. I've renamed mask_headers_required_for_auth_headers to mask_headers to match the Terraform attribute name. I've also added security impact documentation to the resource JSON files. All OPA checks still passing.

@github-actions github-actions Bot added the CI-Approved PR approved by CI checks label May 11, 2026
…ames, remove null from force_delete whitelist, clean up sensitive_labels children compliant examples
@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_uptime_check_config.validate_ssl.message
Total Google Monitoring Uptime Check Config detected: 2 
['Situation 1: http_check.validate_ssl is set to false on an HTTPS uptime_url check, which allows the check to run without SSL certificate validation', 'Non-Compliant Resources: nc', 'Potential Remedies: Set http_check.validate_ssl to true for HTTPS uptime_url checks']
Unique resource names in plan (google_monitoring_uptime_check_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_uptime_check_config.mask_headers.message
Total Google Monitoring Uptime Check Config detected: 2 
['Situation 1: An Authorization header is configured while mask_headers is disabled, which may expose authentication data when retrieving the uptime check configuration', 'Non-Compliant Resources: nc', 'Potential Remedies: Set http_check.mask_headers to true when using authentication-related headers such as Authorization']
Unique resource names in plan (google_monitoring_uptime_check_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_alert_policy.enabled.message
Total Google Monitoring Alert Policy detected: 2 
['Situation 1: enabled is set to false, which disables the alert policy and prevents it from triggering incidents or notifications', 'Non-Compliant Resources: nc', 'Potential Remedies: Set enabled to true to ensure the alert policy is active and can detect and respond to incidents']
Unique resource names in plan (google_monitoring_alert_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.sensitive_labels.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: labels.auth_token is set directly, which may expose a sensitive token in normal labels', 'Non-Compliant Resources: nc', 'Potential Remedies: Move auth_token from labels to the sensitive_labels block']
['Situation 2: labels.password is set directly, which may expose a sensitive password in normal labels', 'Non-Compliant Resources: None - All passed']
['Situation 3: labels.service_key is set directly, which may expose a sensitive service key in normal labels', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_monitoring.google_monitoring_notification_channel.force_delete.message
Total Google Monitoring Notification Channel detected: 2 
['Situation 1: force_delete is set to true, which allows the notification channel to be deleted even if alert policies still reference it', 'Non-Compliant Resources: nc', 'Potential Remedies: Set force_delete to false or remove the attribute']
Unique resource names in plan (google_monitoring_notification_channel): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_monitoring
  Resource: google_monitoring_alert_policy
    Policy: enabled - ✅
  Resource: google_monitoring_notification_channel
    Policy: sensitive_labels - ✅
    Policy: force_delete - ✅
  Resource: google_monitoring_uptime_check_config
    Policy: validate_ssl - ✅
    Policy: mask_headers - ✅



Labels

CI-Approved PR approved by CI checks


3 participants