Gcp/service/cloud endpoint by Mohmaed-AA00 · Pull Request #397 · Hardhat-Enterprises/Policy-Deployment-Engine

Mohmaed-AA00 · 2026-05-12T05:09:06Z

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service_iam.allowed_members.message
["Total Google Cloud Endpoints service IAM binding detected: 2 ", ["Situation 1: Google Cloud Endpoints service IAM role uses a forbidden service agent role.", "Non-Compliant Resources: None - All passed"]]
Resources checked: nc
Unique resource names in plan (google_endpoints_service_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service_iam.role.message
Total Google Cloud Endpoints service IAM binding detected: 2 
['Situation 1: Google Cloud Endpoints service IAM role uses a forbidden service agent role.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_endpoints_service_iam_binding): 2
Names mentioned in output: 0
 Missing mentions: c, nc
Check failed: Unmentioned resources other than 'c' found: nc

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service.grpc_config.message
["Total Google Cloud Endpoints service detected: 2 ", ["Situation 1: Google Cloud Endpoints service grpc_config is set without protoc_output_base64.", "Non-Compliant Resources: None - All passed"]]
Resources checked: nc
Unique resource names in plan (google_endpoints_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service.openapi_config.message
["Total Google Cloud Endpoints service detected: 2 ", ["Situation 1: Google Cloud Endpoints service openapi_config does not enforce HTTPS.", "Non-Compliant Resources: None - All passed"]]
Resources checked: nc
Unique resource names in plan (google_endpoints_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service.service_name.message
["Total Google Cloud Endpoints service detected: 2 ", ["Situation 1: Google Cloud Endpoints service service_name does not follow the approved value.", "Non-Compliant Resources: None - All passed"]]
Resources checked: nc
Unique resource names in plan (google_endpoints_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_consumers_iam.members.message
Total Google Cloud Endpoints consumers IAM binding detected: 0 
['Situation 1: Google Cloud Endpoints consumers IAM members includes a principal outside the approved member types.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_endpoints_consumers_iam_binding): 0
Names mentioned in output: 0
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_consumers_iam.role.message
Total Google Cloud Endpoints consumers IAM binding detected: 0 
['Situation 1: Google Cloud Endpoints consumers IAM role is not set to the approved service consumer role.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_endpoints_consumers_iam_binding): 0
Names mentioned in output: 0
Check passed


Summary of policy checks:
Service: google_Endpoints
  Resource: google_endpoints_consumers_iam
    Policy: members - ✅
    Policy: role - ✅
  Resource: google_endpoints_service
    Policy: grpc_config - ✅
    Policy: openapi_config - ✅
    Policy: service_name - ✅
  Resource: google_endpoints_service_iam
    Policy: allowed_members - ✅
    Policy: role - ❌


Failures:
Service: google_Endpoints | Resource: google_endpoints_service_iam | Policy: role
Unmentioned resources other than 'c' found: nc

github-actions · 2026-05-12T08:31:47Z

🔍 Policy Check Results

Status: ✅ All checks passed

Test Output

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service_iam.allowed_members.message
["Total Google Cloud Endpoints service IAM binding detected: 2 ", ["Situation 1: Google Cloud Endpoints service IAM role uses a forbidden service agent role.", "Non-Compliant Resources: None - All passed"]]
Resources checked: nc
Unique resource names in plan (google_endpoints_service_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service_iam.role.message
["Total Google Cloud Endpoints service IAM binding detected: 2 ", ["Situation 1: Google Cloud Endpoints service IAM role uses a forbidden service agent role.", "Non-Compliant Resources: None - All passed"]]
Resources checked: nc
Unique resource names in plan (google_endpoints_service_iam_binding): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service.grpc_config.message
["Total Google Cloud Endpoints service detected: 2 ", ["Situation 1: Google Cloud Endpoints service grpc_config is set without protoc_output_base64.", "Non-Compliant Resources: None - All passed"]]
Resources checked: nc
Unique resource names in plan (google_endpoints_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service.openapi_config.message
["Total Google Cloud Endpoints service detected: 2 ", ["Situation 1: Google Cloud Endpoints service openapi_config does not enforce HTTPS.", "Non-Compliant Resources: None - All passed"]]
Resources checked: nc
Unique resource names in plan (google_endpoints_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_service.service_name.message
["Total Google Cloud Endpoints service detected: 2 ", ["Situation 1: Google Cloud Endpoints service service_name does not follow the approved value.", "Non-Compliant Resources: None - All passed"]]
Resources checked: nc
Unique resource names in plan (google_endpoints_service): 2
Names mentioned in output: 1
 Missing mentions: c
Only compliant resources are unmentioned; ignoring
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_consumers_iam.members.message
Total Google Cloud Endpoints consumers IAM binding detected: 0 
['Situation 1: Google Cloud Endpoints consumers IAM members includes a principal outside the approved member types.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_endpoints_consumers_iam_binding): 0
Names mentioned in output: 0
Check passed

OPA check: data.terraform.gcp.security.google_Endpoints.google_endpoints_consumers_iam.role.message
Total Google Cloud Endpoints consumers IAM binding detected: 0 
['Situation 1: Google Cloud Endpoints consumers IAM role is not set to the approved service consumer role.', 'Non-Compliant Resources: None - All passed']
Unique resource names in plan (google_endpoints_consumers_iam_binding): 0
Names mentioned in output: 0
Check passed


Summary of policy checks:
Service: google_Endpoints
  Resource: google_endpoints_consumers_iam
    Policy: members - ✅
    Policy: role - ✅
  Resource: google_endpoints_service
    Policy: grpc_config - ✅
    Policy: openapi_config - ✅
    Policy: service_name - ✅
  Resource: google_endpoints_service_iam
    Policy: allowed_members - ✅
    Policy: role - ✅

Chhunly-TAING

Hi Mohamed,

I can see you have covered google_endpoints_service, google_endpoints_service_consumers_iam, and google_endpoints_service_iam.

However, I think there are some issues that need to be addressed:

Please check the service folder naming. The current folder uses google_Endpoints with a capital E.
The documentation is still incomplete. Some markdown files only contain the table header, and the IAM attributes such as member/members and role are marked as having no security impact, even though they are security-related.
The allowed_members policy for google_endpoints_service_iam appears to check the role attribute instead of members. Please remove role if not needed.
Some policies are manually excluding the compliant resource using resource.name != "c", for example like openapi_config, graph_config. Please confirm the policies pass naturally using the helper output.
Please confirm if protoc_output_base64 policy is needed.

Thanks,

Mohmaed-AA00 added 3 commits May 6, 2026 17:46

Add Google Endpoints policies inputs and documentation

aa2a009

Fix Google Endpoints review feedback

94ff47e

Merge branch 'dev' into gcp/service/cloud-endpoint

e2457c8

github-actions Bot added the CI-Review-Required PR requires review due to failed CI checks label May 12, 2026

Rename Cloud Endpoints docs folder to google_Endpoints

c8c7209

Rename Cloud Endpoints consumers IAM policy folder

5f0b979

Fix Cloud Endpoints failing policy outputs

7dce331

Regenerate Cloud Endpoints plans and fix policy folder typo

ffd1818

Fix Cloud Endpoints failing policy checks

f66af17

Merge branch 'dev' into gcp/service/cloud-endpoint

1ca5977

Fix Cloud Endpoints policy checks

070f7c7

Regenerate Cloud Endpoints plans

eb662ae

Update Cloud Endpoints vars and regenerate plans

85a5750

Update Cloud Endpoints policy checks

04561b9

Fix Cloud Endpoints IAM package names

fb15cad

Fix Cloud Endpoints IAM role policy output

8c0b68f

github-actions Bot added CI-Approved PR approved by CI checks and removed CI-Review-Required PR requires review due to failed CI checks labels May 12, 2026

Chhunly-TAING self-assigned this May 12, 2026

Chhunly-TAING requested changes May 12, 2026

View reviewed changes

Conversation

Mohmaed-AA00 commented May 12, 2026

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

github-actions Bot commented May 12, 2026

🔍 Policy Check Results

Test Output

Uh oh!

Chhunly-TAING left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants