# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. values: module.test.module.firewall-policy.google_compute_firewall_policy.hierarchical[0]: description: null short_name: default timeouts: null module.test.module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/allow-admins"]: action: allow description: Access from the admin subnet to all subnets direction: INGRESS disabled: false enable_logging: null match: - dest_address_groups: null dest_fqdns: null dest_ip_ranges: null dest_region_codes: null dest_threat_intelligences: null layer4_configs: - ip_protocol: all ports: null src_address_groups: null src_fqdns: null src_ip_ranges: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 src_region_codes: null src_threat_intelligences: null priority: 1000 target_resources: null target_service_accounts: null timeouts: null module.test.module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/allow-healthchecks"]: action: allow description: Enable HTTP and HTTPS healthchecks direction: INGRESS disabled: false enable_logging: null match: - dest_address_groups: null dest_fqdns: null dest_ip_ranges: null dest_region_codes: null dest_threat_intelligences: null layer4_configs: - ip_protocol: all ports: null src_address_groups: null src_fqdns: null src_ip_ranges: - 35.191.0.0/16 - 130.211.0.0/22 - 209.85.152.0/22 - 209.85.204.0/22 src_region_codes: null src_threat_intelligences: null priority: 1001 target_resources: null target_service_accounts: null timeouts: null module.test.module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/allow-icmp"]: action: allow description: Enable ICMP direction: INGRESS disabled: false enable_logging: null match: - dest_address_groups: null dest_fqdns: null dest_ip_ranges: null dest_region_codes: null dest_threat_intelligences: null layer4_configs: - ip_protocol: all ports: null src_address_groups: null src_fqdns: null src_ip_ranges: - 0.0.0.0/0 src_region_codes: null src_threat_intelligences: null priority: 1003 target_resources: null target_service_accounts: null timeouts: null module.test.module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/allow-ssh-from-iap"]: action: allow description: Enable SSH from IAP direction: INGRESS disabled: false enable_logging: null match: - dest_address_groups: null dest_fqdns: null dest_ip_ranges: null dest_region_codes: null dest_threat_intelligences: null layer4_configs: - ip_protocol: all ports: null src_address_groups: null src_fqdns: null src_ip_ranges: - 35.235.240.0/20 src_region_codes: null src_threat_intelligences: null priority: 1002 target_resources: null target_service_accounts: null timeouts: null module.test.module.folder-workload.google_folder.folder[0]: display_name: prefix-workload timeouts: null module.test.module.folder.google_bigquery_dataset_iam_member.bq-sinks-binding["audit-logs"]: condition: [] role: roles/bigquery.dataEditor module.test.module.folder.google_bigquery_dataset_iam_member.bq-sinks-binding["vpc-sc"]: condition: [] role: roles/bigquery.dataEditor module.test.module.folder.google_folder.folder[0]: display_name: ShieldedMVP parent: organizations/1234567890123 timeouts: null module.test.module.folder.google_folder_iam_binding.authoritative["roles/editor"]: condition: [] members: - group:gcp-data-engineers@example.com role: roles/editor module.test.module.folder.google_folder_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: - group:gcp-data-engineers@example.com role: roles/iam.serviceAccountTokenCreator module.test.module.folder.google_logging_folder_sink.sink["audit-logs"]: description: audit-logs (Terraform-managed). disabled: false exclusions: [] filter: logName:"/logs/cloudaudit.googleapis.com%2Factivity" OR logName:"/logs/cloudaudit.googleapis.com%2Fsystem_event" include_children: true name: audit-logs module.test.module.folder.google_logging_folder_sink.sink["vpc-sc"]: description: vpc-sc (Terraform-managed). disabled: false exclusions: [] filter: protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" include_children: true name: vpc-sc module.test.module.folder.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.test.module.folder.google_org_policy_policy.default["compute.requireOsLogin"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.test.module.folder.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: null values: - allowed_values: - in:INTERNAL denied_values: null timeouts: null module.test.module.folder.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.test.module.folder.google_org_policy_policy.default["compute.vmExternalIpAccess"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: 'TRUE' enforce: null values: [] timeouts: null module.test.module.folder.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.test.module.folder.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.test.module.folder.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.test.module.folder.google_org_policy_policy.default["run.allowedIngress"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: null values: - allowed_values: - is:internal denied_values: null timeouts: null module.test.module.folder.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.test.module.folder.google_org_policy_policy.default["sql.restrictPublicIp"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.test.module.folder.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]: spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.test.module.log-export-dataset[0].google_bigquery_dataset.default: dataset_id: prefix_audit_export default_encryption_configuration: [] default_partition_expiration_ms: null default_table_expiration_ms: null delete_contents_on_destroy: false description: Terraform managed. friendly_name: Audit logs export. location: EU max_time_travel_hours: '168' project: prefix-audit-logs timeouts: null module.test.module.log-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]: project: prefix-audit-logs module.test.module.log-export-project[0].data.google_storage_project_service_account.gcs_sa[0]: project: prefix-audit-logs user_project: null module.test.module.log-export-project[0].google_project.project[0]: auto_create_network: false billing_account: 123456-123456-123456 labels: null name: prefix-audit-logs project_id: prefix-audit-logs skip_delete: false timeouts: null module.test.module.log-export-project[0].google_project_iam_binding.authoritative["roles/editor"]: condition: [] members: - group:gcp-data-security@example.com project: prefix-audit-logs role: roles/editor module.test.module.log-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: prefix-audit-logs service: bigquery.googleapis.com timeouts: null module.test.module.log-export-project[0].google_project_service.project_services["pubsub.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: prefix-audit-logs service: pubsub.googleapis.com timeouts: null module.test.module.log-export-project[0].google_project_service.project_services["stackdriver.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: prefix-audit-logs service: stackdriver.googleapis.com timeouts: null module.test.module.log-export-project[0].google_project_service.project_services["storage.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: prefix-audit-logs service: storage.googleapis.com timeouts: null module.test.module.log-export-project[0].google_project_service_identity.jit_si["pubsub.googleapis.com"]: project: prefix-audit-logs service: pubsub.googleapis.com timeouts: null module.test.module.vpc-sc[0].google_access_context_manager_access_policy.default[0]: parent: organizations/1122334455 timeouts: null title: shielded-folder module.test.module.vpc-sc[0].google_access_context_manager_service_perimeter.regular["shielded"]: description: null perimeter_type: PERIMETER_TYPE_REGULAR spec: - access_levels: [] egress_policies: [] ingress_policies: - ingress_from: - identity_type: null sources: - access_level: '*' resource: null ingress_to: - operations: - method_selectors: [] service_name: '*' restricted_services: - accessapproval.googleapis.com - adsdatahub.googleapis.com - aiplatform.googleapis.com - alloydb.googleapis.com - alpha-documentai.googleapis.com - analyticshub.googleapis.com - apigee.googleapis.com - apigeeconnect.googleapis.com - artifactregistry.googleapis.com - assuredworkloads.googleapis.com - automl.googleapis.com - baremetalsolution.googleapis.com - batch.googleapis.com - beyondcorp.googleapis.com - bigquery.googleapis.com - bigquerydatapolicy.googleapis.com - bigquerydatatransfer.googleapis.com - bigquerymigration.googleapis.com - bigqueryreservation.googleapis.com - bigtable.googleapis.com - binaryauthorization.googleapis.com - cloudasset.googleapis.com - cloudbuild.googleapis.com - clouddebugger.googleapis.com - clouderrorreporting.googleapis.com - cloudfunctions.googleapis.com - cloudkms.googleapis.com - cloudprofiler.googleapis.com - cloudresourcemanager.googleapis.com - cloudsearch.googleapis.com - cloudtrace.googleapis.com - composer.googleapis.com - compute.googleapis.com - connectgateway.googleapis.com - contactcenterinsights.googleapis.com - container.googleapis.com - containeranalysis.googleapis.com - containerfilesystem.googleapis.com - containerregistry.googleapis.com - containerthreatdetection.googleapis.com - contentwarehouse.googleapis.com - datacatalog.googleapis.com - dataflow.googleapis.com - datafusion.googleapis.com - datalineage.googleapis.com - datamigration.googleapis.com - datapipelines.googleapis.com - dataplex.googleapis.com - dataproc.googleapis.com - datastream.googleapis.com - dialogflow.googleapis.com - dlp.googleapis.com - dns.googleapis.com - documentai.googleapis.com - domains.googleapis.com - essentialcontacts.googleapis.com - eventarc.googleapis.com - file.googleapis.com - firebaseappcheck.googleapis.com - firebaserules.googleapis.com - firestore.googleapis.com - gameservices.googleapis.com - gkebackup.googleapis.com - gkeconnect.googleapis.com - gkehub.googleapis.com - gkemulticloud.googleapis.com - healthcare.googleapis.com - iam.googleapis.com - iamcredentials.googleapis.com - iaptunnel.googleapis.com - ids.googleapis.com - integrations.googleapis.com - language.googleapis.com - lifesciences.googleapis.com - logging.googleapis.com - managedidentities.googleapis.com - memcache.googleapis.com - meshca.googleapis.com - metastore.googleapis.com - ml.googleapis.com - monitoring.googleapis.com - networkconnectivity.googleapis.com - networkmanagement.googleapis.com - networksecurity.googleapis.com - networkservices.googleapis.com - notebooks.googleapis.com - opsconfigmonitoring.googleapis.com - osconfig.googleapis.com - oslogin.googleapis.com - policytroubleshooter.googleapis.com - privateca.googleapis.com - pubsub.googleapis.com - pubsublite.googleapis.com - recaptchaenterprise.googleapis.com - recommender.googleapis.com - redis.googleapis.com - retail.googleapis.com - run.googleapis.com - secretmanager.googleapis.com - servicecontrol.googleapis.com - servicedirectory.googleapis.com - spanner.googleapis.com - speakerid.googleapis.com - speech.googleapis.com - sqladmin.googleapis.com - storage.googleapis.com - storagetransfer.googleapis.com - texttospeech.googleapis.com - tpu.googleapis.com - trafficdirector.googleapis.com - transcoder.googleapis.com - translate.googleapis.com - videointelligence.googleapis.com - vision.googleapis.com - visionai.googleapis.com - vpcaccess.googleapis.com - workstations.googleapis.com vpc_accessible_services: - allowed_services: - accessapproval.googleapis.com - adsdatahub.googleapis.com - aiplatform.googleapis.com - alloydb.googleapis.com - alpha-documentai.googleapis.com - analyticshub.googleapis.com - apigee.googleapis.com - apigeeconnect.googleapis.com - artifactregistry.googleapis.com - assuredworkloads.googleapis.com - automl.googleapis.com - baremetalsolution.googleapis.com - batch.googleapis.com - beyondcorp.googleapis.com - bigquery.googleapis.com - bigquerydatapolicy.googleapis.com - bigquerydatatransfer.googleapis.com - bigquerymigration.googleapis.com - bigqueryreservation.googleapis.com - bigtable.googleapis.com - binaryauthorization.googleapis.com - cloudasset.googleapis.com - cloudbuild.googleapis.com - clouddebugger.googleapis.com - clouderrorreporting.googleapis.com - cloudfunctions.googleapis.com - cloudkms.googleapis.com - cloudprofiler.googleapis.com - cloudresourcemanager.googleapis.com - cloudsearch.googleapis.com - cloudtrace.googleapis.com - composer.googleapis.com - compute.googleapis.com - connectgateway.googleapis.com - contactcenterinsights.googleapis.com - container.googleapis.com - containeranalysis.googleapis.com - containerfilesystem.googleapis.com - containerregistry.googleapis.com - containerthreatdetection.googleapis.com - contentwarehouse.googleapis.com - datacatalog.googleapis.com - dataflow.googleapis.com - datafusion.googleapis.com - datalineage.googleapis.com - datamigration.googleapis.com - datapipelines.googleapis.com - dataplex.googleapis.com - dataproc.googleapis.com - datastream.googleapis.com - dialogflow.googleapis.com - dlp.googleapis.com - dns.googleapis.com - documentai.googleapis.com - domains.googleapis.com - essentialcontacts.googleapis.com - eventarc.googleapis.com - file.googleapis.com - firebaseappcheck.googleapis.com - firebaserules.googleapis.com - firestore.googleapis.com - gameservices.googleapis.com - gkebackup.googleapis.com - gkeconnect.googleapis.com - gkehub.googleapis.com - gkemulticloud.googleapis.com - healthcare.googleapis.com - iam.googleapis.com - iamcredentials.googleapis.com - iaptunnel.googleapis.com - ids.googleapis.com - integrations.googleapis.com - language.googleapis.com - lifesciences.googleapis.com - logging.googleapis.com - managedidentities.googleapis.com - memcache.googleapis.com - meshca.googleapis.com - metastore.googleapis.com - ml.googleapis.com - monitoring.googleapis.com - networkconnectivity.googleapis.com - networkmanagement.googleapis.com - networksecurity.googleapis.com - networkservices.googleapis.com - notebooks.googleapis.com - opsconfigmonitoring.googleapis.com - osconfig.googleapis.com - oslogin.googleapis.com - policytroubleshooter.googleapis.com - privateca.googleapis.com - pubsub.googleapis.com - pubsublite.googleapis.com - recaptchaenterprise.googleapis.com - recommender.googleapis.com - redis.googleapis.com - retail.googleapis.com - run.googleapis.com - secretmanager.googleapis.com - servicecontrol.googleapis.com - servicedirectory.googleapis.com - spanner.googleapis.com - speakerid.googleapis.com - speech.googleapis.com - sqladmin.googleapis.com - storage.googleapis.com - storagetransfer.googleapis.com - texttospeech.googleapis.com - tpu.googleapis.com - trafficdirector.googleapis.com - transcoder.googleapis.com - translate.googleapis.com - videointelligence.googleapis.com - vision.googleapis.com - visionai.googleapis.com - vpcaccess.googleapis.com - workstations.googleapis.com enable_restriction: true status: [] timeouts: null title: shielded use_explicit_dry_run_spec: true counts: google_access_context_manager_access_policy: 1 google_access_context_manager_service_perimeter: 1 google_bigquery_dataset: 1 google_bigquery_dataset_iam_member: 2 google_bigquery_default_service_account: 1 google_compute_firewall_policy: 1 google_compute_firewall_policy_rule: 4 google_folder: 2 google_folder_iam_binding: 2 google_logging_folder_sink: 2 google_org_policy_policy: 12 google_project: 1 google_project_iam_binding: 1 google_project_service: 4 google_project_service_identity: 1 google_projects: 1 google_storage_project_service_account: 1 modules: 7 resources: 38 outputs: {}