
Gcp/service/cloud workstations - security policies and documentation #384

Open
Jayy130 wants to merge 4 commits into dev from gcp/service/cloud_workstations

Gcp/service/cloud workstations - security policies and documentation#384
Jayy130 wants to merge 4 commits into
devfrom
gcp/service/cloud_workstations

Conversation

@Jayy130 Jayy130 commented May 10, 2026

This PR adds GCP Cloud Workstations security policies, Terraform input examples, generated plan files, and documentation for supported Cloud Workstations resources.

Included resources:

  • google_workstations_workstation
  • google_workstations_workstation_cluster
  • google_workstations_workstation_config
  • google_workstations_workstation_config_iam_policy
  • google_workstations_workstation_config_iam_binding
  • google_workstations_workstation_config_iam_member
  • google_workstations_workstation_iam_policy

The policies were tested locally using OPA eval, and the project pre-commit checks passed successfully before pushing.
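In the CI output that follows, the checks that pass name the offending resource by its Terraform resource name (`nc`), while the checks that fail name it by an attribute value such as `workstation-config` or `wrong-cluster`, which the harness does not recognise as the planned resource. The following Python harness is an added illustration of that mention rule, not code from this PR or from the repository: it evaluates three of the `google_workstations_workstation_config` policies (location, machine type, public IP addresses) against a constructed Terraform plan JSON and then applies the same "every non-compliant resource must be mentioned" test. The attribute paths (`host[0].gce_instance[0].machine_type` and `disable_public_ip_addresses`), the approved values, the `c`/`nc` naming and the harness rule itself are assumptions inferred from the check output.

```python
"""Plan-level checks for google_workstations_workstation_config in the style of
the CI harness. Hypothetical example: field paths, approved values and the
harness rule are assumptions inferred from the CI output, not repository code."""
import json
import re

RESOURCE_TYPE = "google_workstations_workstation_config"
APPROVED_LOCATION = "us-central1"          # remedy values quoted in the CI output
APPROVED_MACHINE_TYPE = "e2-standard-4"

SITUATIONS = {
    "location": "is deployed in a location outside of the approved region",
    "machine_type": "is using an unapproved machine type",
    "disable_public_ip_addresses": "has public IP addresses enabled",
}
REMEDIES = {
    "location": f"change the location to {APPROVED_LOCATION}",
    "machine_type": f"change the machine_type to {APPROVED_MACHINE_TYPE}",
    "disable_public_ip_addresses": "set disable_public_ip_addresses to true",
}

# Constructed sample plan: two configs, 'c' compliant and 'nc' non-compliant,
# carrying only the attributes the checks read (host.gce_instance is a block list).
SAMPLE_PLAN_JSON = json.dumps({"resource_changes": [
    {"address": f"{RESOURCE_TYPE}.c", "type": RESOURCE_TYPE, "name": "c",
     "change": {"actions": ["create"], "after": {
         "workstation_config_id": "workstation-config", "location": "us-central1",
         "host": [{"gce_instance": [{"machine_type": "e2-standard-4",
                                     "disable_public_ip_addresses": True}]}]}}},
    {"address": f"{RESOURCE_TYPE}.nc", "type": RESOURCE_TYPE, "name": "nc",
     "change": {"actions": ["create"], "after": {
         "workstation_config_id": "wrong-config", "location": "europe-west1",
         "host": [{"gce_instance": [{"machine_type": "n1-standard-1",
                                     "disable_public_ip_addresses": False}]}]}}},
]})


def load_plan(plan_json: str) -> dict:
    """Parse `terraform show -json` output."""
    return json.loads(plan_json)


def planned_resources(plan: dict, rtype: str) -> list[dict]:
    """Resources of one type that will exist after apply (pure deletes skipped)."""
    return [rc for rc in plan.get("resource_changes", [])
            if rc.get("type") == rtype
            and rc.get("change", {}).get("actions") != ["delete"]]


def gce_instance(after: dict) -> dict:
    """First host.gce_instance block, or {} when the config has no GCE host."""
    host = after.get("host") or [{}]
    return (host[0].get("gce_instance") or [{}])[0]


def violations(plan: dict) -> dict[str, list[str]]:
    """Policy name -> Terraform resource names (e.g. 'nc') that violate it."""
    bad = {policy: [] for policy in SITUATIONS}
    for rc in planned_resources(plan, RESOURCE_TYPE):
        after = rc["change"].get("after") or {}
        inst = gce_instance(after)
        if after.get("location") != APPROVED_LOCATION:
            bad["location"].append(rc["name"])
        if inst.get("machine_type") != APPROVED_MACHINE_TYPE:
            bad["machine_type"].append(rc["name"])
        if inst.get("disable_public_ip_addresses") is not True:  # unset counts as enabled
            bad["disable_public_ip_addresses"].append(rc["name"])
    return bad


def message(policy: str, names: list[str]) -> list[str]:
    """Three-part message in the CI shape; names the resource, not its config id."""
    return [f"Situation 1: {SITUATIONS[policy]}",
            "Non-Compliant Resources: " + ", ".join(names),
            f"Potential Remedies: {REMEDIES[policy]}"]


def harness_check(msg: list[str], plan_names: list[str],
                  compliant: str = "c") -> tuple[bool, str]:
    """Assumed harness rule: every planned resource name except the compliant one
    must appear as a whole token in the message (whole-token matching keeps 'c'
    from matching inside ordinary words)."""
    tokens = set(re.findall(r"[\w-]+", " ".join(msg)))
    unmentioned = [n for n in plan_names if n not in tokens and n != compliant]
    if unmentioned:
        return False, (f"Unmentioned resources other than '{compliant}' found: "
                       + ", ".join(unmentioned))
    return True, "Check passed"


def run(plan_json: str) -> dict[str, tuple[bool, str]]:
    """Evaluate every policy, then pass its message through the harness rule."""
    plan = load_plan(plan_json)
    names = [rc["name"] for rc in planned_resources(plan, RESOURCE_TYPE)]
    return {policy: harness_check(message(policy, bad), names)
            for policy, bad in violations(plan).items()}


if __name__ == "__main__":
    for policy, (ok, reason) in run(SAMPLE_PLAN_JSON).items():
        print(f"{policy}: {'passed' if ok else 'FAILED'} ({reason})")
    # Naming the config id instead of the resource name reproduces the CI failure.
    print(harness_check(message("location", ["wrong-config"]), ["c", "nc"]))
```

Running the script prints three passing checks for the constructed plan, followed by the `Unmentioned resources other than 'c' found: nc` failure for a message that names `wrong-config` instead of `nc`; a policy that emits the attribute value rather than the resource name will flag the right object and still fail the harness.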

@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

⚠️ Your PR will not be reviewed until you fix all policy check failures below:

Test Output

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.location.message
Total cloud workstation cluster detected: 2 
['Situation 1: is  deployed in a location outside of the approved region ', 'Non-Compliant Resources: workstation-cluster', 'Potential Remedies: change the location to us-central1 ']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.project.message
Total cloud workstation cluster detected: 2 
['Situation 1: is deployed in an unapproved project ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the project 925810350503']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.workstation_cluster_id.message
Total cloud workstation cluster detected: 2 
['Situation 1: is using an unapproved workstation cluster id ', 'Non-Compliant Resources: wrong-cluster', 'Potential Remedies: change the workstation_cluster_id to workstation-cluster ']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.network.message
Total cloud workstation cluster detected: 2 
['Situation 1: is  deployed in an unapproved network ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the network to an approved vpc network ']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.labels.message
Total cloud workstation cluster detected: 2 
['Situation 1: is missing or has an invalid label value  ', 'Non-Compliant Resources: workstation-cluster', "Potential Remedies: set labels.label to 'key'  "]
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_binding.member.message
Total cloud workstation config iam binding detected: 2 
['Situation 1: grants access to broad IAM principals', 'Non-Compliant Resources: workstation-config', 'Potential Remedies: remove allUsers and allAuthenticatedUsers from member']
Unique resource names in plan (google_workstations_workstation_config_iam_binding): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_binding.role.message
Total cloud workstation config iam binding detected: 2 
['Situation 1: grants access using a role that is not approved for Workstation Config IAM binding', 'Non-Compliant Resources: workstation-config', 'Potential Remedies: use least privilege role such as role/viewer']
Unique resource names in plan (google_workstations_workstation_config_iam_binding): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_policy.policy_data.message
Total cloud workstation config iam policy detected: 2 
['Situation 1: policy_data grants access to broad IAM principals ', 'Non-Compliant Resources: nc', 'Potential Remedies: remove allUsers and allAuthenticatedUsers from policy_data']
Unique resource names in plan (google_workstations_workstation_config_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_policy.role.message
Total cloud workstation config iam policy detected: 2 
['Situation 1: policy_data grants access to broad IAM roles ', 'Non-Compliant Resources: workstation-config', 'Potential Remedies: remove roles/owner and roles/editor from IAM policy ']
Unique resource names in plan (google_workstations_workstation_config_iam_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.location.message
Total cloud workstation detected: 2 
['Situation 1: is deployed in a location outside of the approved region', 'Non-Compliant Resources: nc', 'Potential Remedies: change the location to us-central1']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.workstation_cluster_id.message
Total cloud workstation detected: 2 
['Situation 1: is in an unaproved workstation cluster', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_cluster_id to workstation-cluster ']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.workstation_id.message
Total cloud workstation detected: 2 
['Situation 1: is using an unapproved workstation_id', 'Non-Compliant Resources: work-station1', 'Potential Remedies: change workstation_id to work-station ']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.workstation_config_id.message
Total cloud workstation detected: 2 
['Situation 1: is linked to an unapproved workstation config', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_config_id to workstation-config ']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_iam_policy.workstation_cluster_id.message
Total cloud workstation iam policy detected: 2 
['Situation 1: IAM policy must be in a correct workstation cluster', 'Non-Compliant Resources: work-station', 'Potential Remedies: change workstation_cluster_id to workstation-cluster ']
Unique resource names in plan (google_workstations_workstation_iam_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_iam_policy.role.message
Total cloud workstation iam policy detected: 2 
['Situation 1: IAM policy must not grant overly broad roles like Owner or Editor', 'Non-Compliant Resources: work-station', 'Potential Remedies: remove roles/owner and roles/editor from IAM policy ']
Unique resource names in plan (google_workstations_workstation_iam_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_iam_policy.workstation_config_id.message
Total cloud workstation iam policy detected: 2 
['Situation 1: IAM policy must be in a correct workstation config', 'Non-Compliant Resources: work-station', 'Potential Remedies: change workstation_config_id to workstation-config ']
Unique resource names in plan (google_workstations_workstation_iam_policy): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.location.message
Total cloud workstation config detected: 2 
['Situation 1: is deployed in a location outside of the approved region ', 'Non-Compliant Resources: workstation-config', 'Potential Remedies: change the location to us-central1']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.workstation_cluster_id.message
Total cloud workstation config detected: 2 
['Situation 1: is linked to an unapproved workstation cluster id ', 'Non-Compliant Resources: workstation-config', 'Potential Remedies: change the workstation_cluster_id to workstation-cluster']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.disable_public_ip_addresses.message
Total cloud workstation config detected: 2 
['Situation 1: has public IP addresses enabled ', 'Non-Compliant Resources: workstation-config', 'Potential Remedies: set disable_public_ip_addresses to true  ']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.machine_type.message
Total cloud workstation config detected: 2 
['Situation 1: is using an unapproved machine type ', 'Non-Compliant Resources: workstation-config', 'Potential Remedies: change the machine_type to e2-standard-4']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.workstation_config_id.message
Total cloud workstation config detected: 2 
['Situation 1: is using an unapproved workstation config id ', 'Non-Compliant Resources: wrong-config', 'Potential Remedies: change the workstation_config_id to workstation-config']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_member.member.message
Total cloud workstation config iam member detected: 2 
['Situation 1: grants access to broad IAM principals', 'Non-Compliant Resources: workstation-config', 'Potential Remedies: remove allUsers and allAuthenticatedUsers from member']
Unique resource names in plan (google_workstations_workstation_config_iam_member): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_member.role.message
Total cloud workstation config iam member detected: 2 
['Situation 1:  grants access to broad IAM roles ', 'Non-Compliant Resources: workstation-config', 'Potential Remedies: use least privilege role such as role/viewer']
Unique resource names in plan (google_workstations_workstation_config_iam_member): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc


Summary of policy checks:
Service: cloud_workstations
  Resource: google_workstations_workstation
    Policy: location - ✅
    Policy: workstation_cluster_id - ✅
    Policy: workstation_id - ❌
    Policy: workstation_config_id - ✅
  Resource: google_workstations_workstation_cluster
    Policy: location - ❌
    Policy: project - ✅
    Policy: workstation_cluster_id - ❌
    Policy: network - ✅
    Policy: labels - ❌
  Resource: google_workstations_workstation_config
    Policy: location - ❌
    Policy: workstation_cluster_id - ❌
    Policy: disable_public_ip_addresses - ❌
    Policy: machine_type - ❌
    Policy: workstation_config_id - ❌
  Resource: google_workstations_workstation_config_iam_binding
    Policy: member - ❌
    Policy: role - ❌
  Resource: google_workstations_workstation_config_iam_member
    Policy: member - ❌
    Policy: role - ❌
  Resource: google_workstations_workstation_config_iam_policy
    Policy: policy_data - ✅
    Policy: role - ❌
  Resource: google_workstations_workstation_iam_policy
    Policy: workstation_cluster_id - ❌
    Policy: role - ❌
    Policy: workstation_config_id - ❌


Failures:
Service: cloud_workstations | Resource: google_workstations_workstation | Policy: workstation_id
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_cluster | Policy: location
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_cluster | Policy: workstation_cluster_id
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_cluster | Policy: labels
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config | Policy: location
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config | Policy: workstation_cluster_id
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config | Policy: disable_public_ip_addresses
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config | Policy: machine_type
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config | Policy: workstation_config_id
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config_iam_binding | Policy: member
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config_iam_binding | Policy: role
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config_iam_member | Policy: member
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config_iam_member | Policy: role
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_config_iam_policy | Policy: role
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_iam_policy | Policy: workstation_cluster_id
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_iam_policy | Policy: role
Unmentioned resources other than 'c' found: nc

Service: cloud_workstations | Resource: google_workstations_workstation_iam_policy | Policy: workstation_config_id
Unmentioned resources other than 'c' found: nc


@github-actions

🔍 Policy Check Results

Status: ❌ CHECKS FAILED

@github-actions github-actions Bot added the CI-Review-Required PR requires review due to failed CI checks label May 11, 2026
@github-actions

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.location.message
Total cloud workstation cluster detected: 2 
['Situation 1: is  deployed in a location outside of the approved region ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the location to us-central1 ']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.project.message
Total cloud workstation cluster detected: 2 
['Situation 1: is deployed in an unapproved project ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the project 925810350503']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.workstation_cluster_id.message
Total cloud workstation cluster detected: 2 
['Situation 1: is using an unapproved workstation cluster id ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the workstation_cluster_id to workstation-cluster ']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.network.message
Total cloud workstation cluster detected: 2 
['Situation 1: is  deployed in an unapproved network ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the network to an approved vpc network ']
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_cluster.labels.message
Total cloud workstation cluster detected: 2 
['Situation 1: is missing or has an invalid label value  ', 'Non-Compliant Resources: nc', "Potential Remedies: set labels.label to 'key'  "]
Unique resource names in plan (google_workstations_workstation_cluster): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_binding.member.message
Total cloud workstation config iam binding detected: 2 
['Situation 1: grants access to broad IAM principals', 'Non-Compliant Resources: nc', 'Potential Remedies: remove allUsers and allAuthenticatedUsers from member']
Unique resource names in plan (google_workstations_workstation_config_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_binding.role.message
Total cloud workstation config iam binding detected: 2 
['Situation 1: grants access using a role that is not approved for Workstation Config IAM binding', 'Non-Compliant Resources: nc', 'Potential Remedies: use least privilege role such as role/viewer']
Unique resource names in plan (google_workstations_workstation_config_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_policy.policy_data.message
Total cloud workstation config iam policy detected: 2 
['Situation 1: policy_data grants access to broad IAM principals ', 'Non-Compliant Resources: nc', 'Potential Remedies: remove allUsers and allAuthenticatedUsers from policy_data']
Unique resource names in plan (google_workstations_workstation_config_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_policy.role.message
Total cloud workstation config iam policy detected: 2 
['Situation 1: policy_data grants access to broad IAM roles ', 'Non-Compliant Resources: nc', 'Potential Remedies: remove roles/owner and roles/editor from IAM policy ']
Unique resource names in plan (google_workstations_workstation_config_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.location.message
Total cloud workstation detected: 2 
['Situation 1: is deployed in a location outside of the approved region', 'Non-Compliant Resources: nc', 'Potential Remedies: change the location to us-central1']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.workstation_cluster_id.message
Total cloud workstation detected: 2 
['Situation 1: is in an unaproved workstation cluster', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_cluster_id to workstation-cluster ']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.workstation_id.message
Total cloud workstation detected: 2 
['Situation 1: is using an unapproved workstation_id', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_id to work-station ']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation.workstation_config_id.message
Total cloud workstation detected: 2 
['Situation 1: is linked to an unapproved workstation config', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_config_id to workstation-config ']
Unique resource names in plan (google_workstations_workstation): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_iam_policy.workstation_cluster_id.message
Total cloud workstation iam policy detected: 2 
['Situation 1: IAM policy must be in a correct workstation cluster', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_cluster_id to workstation-cluster ']
Unique resource names in plan (google_workstations_workstation_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_iam_policy.role.message
Total cloud workstation iam policy detected: 2 
['Situation 1: IAM policy must not grant overly broad roles like Owner or Editor', 'Non-Compliant Resources: nc', 'Potential Remedies: remove roles/owner and roles/editor from IAM policy ']
Unique resource names in plan (google_workstations_workstation_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_iam_policy.workstation_config_id.message
Total cloud workstation iam policy detected: 2 
['Situation 1: IAM policy must be in a correct workstation config', 'Non-Compliant Resources: nc', 'Potential Remedies: change workstation_config_id to workstation-config ']
Unique resource names in plan (google_workstations_workstation_iam_policy): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.location.message
Total cloud workstation config detected: 2 
['Situation 1: is deployed in a location outside of the approved region ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the location to us-central1']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.workstation_cluster_id.message
Total cloud workstation config detected: 2 
['Situation 1: is linked to an unapproved workstation cluster id ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the workstation_cluster_id to workstation-cluster']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.disable_public_ip_addresses.message
Total cloud workstation config detected: 2 
['Situation 1: has public IP addresses enabled ', 'Non-Compliant Resources: nc', 'Potential Remedies: set disable_public_ip_addresses to true  ']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.machine_type.message
Total cloud workstation config detected: 2 
['Situation 1: is using an unapproved machine type ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the machine_type to e2-standard-4']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config.workstation_config_id.message
Total cloud workstation config detected: 2 
['Situation 1: is using an unapproved workstation config id ', 'Non-Compliant Resources: nc', 'Potential Remedies: change the workstation_config_id to workstation-config']
Unique resource names in plan (google_workstations_workstation_config): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_member.member.message
Total cloud workstation config iam member detected: 2 
['Situation 1: grants access to broad IAM principals', 'Non-Compliant Resources: nc', 'Potential Remedies: remove allUsers and allAuthenticatedUsers from member']
Unique resource names in plan (google_workstations_workstation_config_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.cloud_workstations.google_workstations_workstation_config_iam_member.role.message
Total cloud workstation config iam member detected: 2 
['Situation 1:  grants access to broad IAM roles ', 'Non-Compliant Resources: nc', 'Potential Remedies: use least privilege role such as role/viewer']
Unique resource names in plan (google_workstations_workstation_config_iam_member): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed


Summary of policy checks:
Service: cloud_workstations
  Resource: google_workstations_workstation
    Policy: location - ✅
    Policy: workstation_cluster_id - ✅
    Policy: workstation_id - ✅
    Policy: workstation_config_id - ✅
  Resource: google_workstations_workstation_cluster
    Policy: location - ✅
    Policy: project - ✅
    Policy: workstation_cluster_id - ✅
    Policy: network - ✅
    Policy: labels - ✅
  Resource: google_workstations_workstation_config
    Policy: location - ✅
    Policy: workstation_cluster_id - ✅
    Policy: disable_public_ip_addresses - ✅
    Policy: machine_type - ✅
    Policy: workstation_config_id - ✅
  Resource: google_workstations_workstation_config_iam_binding
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_workstations_workstation_config_iam_member
    Policy: member - ✅
    Policy: role - ✅
  Resource: google_workstations_workstation_config_iam_policy
    Policy: policy_data - ✅
    Policy: role - ✅
  Resource: google_workstations_workstation_iam_policy
    Policy: workstation_cluster_id - ✅
    Policy: role - ✅
    Policy: workstation_config_id - ✅


@github-actions github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 11, 2026