✨ Add GCP Backup & DR, Vertex AI, and Cloud Armor enhancements

Add three new GCP service categories and enhance existing Cloud Armor resources:

- Backup & DR: management servers, backup vaults, data sources, backup plans
- Vertex AI: models, endpoints, pipeline jobs, datasets, feature online stores
- Cloud Armor: add fingerprint and userDefinedFields to security policies

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

providers/gcp/go.mod

@@ -6,8 +6,10 @@ go 1.25.6
 
 require (
 	cloud.google.com/go/accessapproval v1.8.8
+	cloud.google.com/go/aiplatform v1.120.0
 	cloud.google.com/go/alloydb v1.21.0
 	cloud.google.com/go/artifactregistry v1.20.0
+	cloud.google.com/go/backupdr v1.8.0
 	cloud.google.com/go/bigquery v1.74.0
 	cloud.google.com/go/bigtable v1.42.0
 	cloud.google.com/go/cloudtasks v1.13.7
@@ -41,7 +43,7 @@ require (
 	go.mondoo.com/mql/v13 v13.0.0-rc7
 	go.mondoo.com/ranger-rpc v0.8.0
 	golang.org/x/oauth2 v0.36.0
-	google.golang.org/api v0.269.0
+	google.golang.org/api v0.270.0
 	google.golang.org/genproto v0.0.0-20260226221140-a57be14db171
 	google.golang.org/protobuf v1.36.11
 )

providers/gcp/go.sum

@@ -33,6 +33,8 @@ cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
 cloud.google.com/go/accessapproval v1.8.8 h1:gq8OS+rQWgGRo91D2qztN+ion6AZ2T1CxBIu0ifCmVo=
 cloud.google.com/go/accessapproval v1.8.8/go.mod h1:RFwPY9JDKseP4gJrX1BlAVsP5O6kI8NdGlTmaeDefmk=
+cloud.google.com/go/aiplatform v1.120.0 h1:jKWTpEs+xoUhDa1FMdSuhMcEQYyUiMdufGyX3zvtLVQ=
+cloud.google.com/go/aiplatform v1.120.0/go.mod h1:6mDthfmy0oS1EQhVFdijoxkVdI2+HIZkpuGTBpedeCg=
 cloud.google.com/go/alloydb v1.21.0 h1:f8udyaV5PmAKcsTOOsIlgJdLBf4DrO+ML5o/iJvdCLY=
 cloud.google.com/go/alloydb v1.21.0/go.mod h1:efq3vWn7CuGn+BHuts4QxyvcAR8qZ0+H+I43ebguhzY=
 cloud.google.com/go/artifactregistry v1.20.0 h1:j/XQiQfaeTyQeNj3HNk4iDFREVnY/fxkHIjsxpaDs8A=
@@ -41,6 +43,8 @@ cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
 cloud.google.com/go/auth v0.18.2/go.mod h1:xD+oY7gcahcu7G2SG2DsBerfFxgPAJz17zz2joOFF3M=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
 cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
+cloud.google.com/go/backupdr v1.8.0 h1:J7aSguR1XRhdyBpc2Sa0hWLxH14K3aJrwftYrjhobTw=
+cloud.google.com/go/backupdr v1.8.0/go.mod h1:iZd2+yYgMibQGfH+IAlitdUfuFa4aYM/Eruxpj2Tz+0=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -1352,8 +1356,8 @@ google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdr
 google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU=
 google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
 google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw=
-google.golang.org/api v0.269.0 h1:qDrTOxKUQ/P0MveH6a7vZ+DNHxJQjtGm/uvdbdGXCQg=
-google.golang.org/api v0.269.0/go.mod h1:N8Wpcu23Tlccl0zSHEkcAZQKDLdquxK+l9r2LkwAauE=
+google.golang.org/api v0.270.0 h1:4rJZbIuWSTohczG9mG2ukSDdt9qKx4sSSHIydTN26L4=
+google.golang.org/api v0.270.0/go.mod h1:5+H3/8DlXpQWrSz4RjGGwz5HfJAQSEI8Bc6JqQNH77U=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=

providers/gcp/resources/backupdr.go

@@ -0,0 +1,321 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package resources
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	backupdr "cloud.google.com/go/backupdr/apiv1"
+	"cloud.google.com/go/backupdr/apiv1/backupdrpb"
+	"go.mondoo.com/mql/v13/llx"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
+	"go.mondoo.com/mql/v13/providers-sdk/v1/util/convert"
+	"go.mondoo.com/mql/v13/providers/gcp/connection"
+	"go.mondoo.com/mql/v13/types"
+	"google.golang.org/api/iterator"
+	"google.golang.org/api/option"
+)
+
+func (g *mqlGcpProject) backupdr() (*mqlGcpProjectBackupdrService, error) {
+	if g.Id.Error != nil {
+		return nil, g.Id.Error
+	}
+	res, err := CreateResource(g.MqlRuntime, "gcp.project.backupdrService", map[string]*llx.RawData{
+		"projectId": llx.StringData(g.Id.Data),
+	})
+	if err != nil {
+		return nil, err
+	}
+	return res.(*mqlGcpProjectBackupdrService), nil
+}
+
+func initGcpProjectBackupdrService(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) {
+	if len(args) > 0 {
+		return args, nil, nil
+	}
+	conn, ok := runtime.Connection.(*connection.GcpConnection)
+	if !ok {
+		return nil, nil, errors.New("invalid connection provided, it is not a GCP connection")
+	}
+	args["projectId"] = llx.StringData(conn.ResourceID())
+	return args, nil, nil
+}
+
+func (g *mqlGcpProjectBackupdrService) id() (string, error) {
+	if g.ProjectId.Error != nil {
+		return "", g.ProjectId.Error
+	}
+	return fmt.Sprintf("gcp.project/%s/backupdrService", g.ProjectId.Data), nil
+}
+
+func (g *mqlGcpProjectBackupdrService) managementServers() ([]any, error) {
+	if g.ProjectId.Error != nil {
+		return nil, g.ProjectId.Error
+	}
+	projectId := g.ProjectId.Data
+
+	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
+	creds, err := conn.Credentials(backupdr.DefaultAuthScopes()...)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+	client, err := backupdr.NewClient(ctx, option.WithCredentials(creds))
+	if err != nil {
+		return nil, err
+	}
+	defer client.Close()
+
+	it := client.ListManagementServers(ctx, &backupdrpb.ListManagementServersRequest{
+		Parent: fmt.Sprintf("projects/%s/locations/-", projectId),
+	})
+
+	var res []any
+	for {
+		server, err := it.Next()
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		networks := make([]any, 0, len(server.Networks))
+		for _, n := range server.Networks {
+			d, err := protoToDict(n)
+			if err != nil {
+				return nil, err
+			}
+			networks = append(networks, d)
+		}
+
+		managementUri, err := protoToDict(server.ManagementUri)
+		if err != nil {
+			return nil, err
+		}
+
+		mqlServer, err := CreateResource(g.MqlRuntime, "gcp.project.backupdrService.managementServer", map[string]*llx.RawData{
+			"name":           llx.StringData(server.Name),
+			"description":    llx.StringData(server.Description),
+			"state":          llx.StringData(server.State.String()),
+			"type":           llx.StringData(server.Type.String()),
+			"networks":       llx.ArrayData(networks, types.Dict),
+			"managementUri":  llx.DictData(managementUri),
+			"oauth2ClientId": llx.StringData(server.Oauth2ClientId),
+			"satisfiesPzs":   llx.BoolData(server.GetSatisfiesPzs().GetValue()),
+			"etag":           llx.StringData(server.Etag),
+			"labels":         llx.MapData(convert.MapToInterfaceMap(server.Labels), types.String),
+			"createdAt":      llx.TimeDataPtr(timestampAsTimePtr(server.CreateTime)),
+			"updatedAt":      llx.TimeDataPtr(timestampAsTimePtr(server.UpdateTime)),
+		})
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, mqlServer)
+	}
+	return res, nil
+}
+
+func (g *mqlGcpProjectBackupdrServiceManagementServer) id() (string, error) {
+	return g.Name.Data, g.Name.Error
+}
+
+func (g *mqlGcpProjectBackupdrService) backupVaults() ([]any, error) {
+	if g.ProjectId.Error != nil {
+		return nil, g.ProjectId.Error
+	}
+	projectId := g.ProjectId.Data
+
+	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
+	creds, err := conn.Credentials(backupdr.DefaultAuthScopes()...)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+	client, err := backupdr.NewClient(ctx, option.WithCredentials(creds))
+	if err != nil {
+		return nil, err
+	}
+	defer client.Close()
+
+	it := client.ListBackupVaults(ctx, &backupdrpb.ListBackupVaultsRequest{
+		Parent: fmt.Sprintf("projects/%s/locations/-", projectId),
+	})
+
+	var res []any
+	for {
+		vault, err := it.Next()
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		mqlVault, err := CreateResource(g.MqlRuntime, "gcp.project.backupdrService.backupVault", map[string]*llx.RawData{
+			"name":                                  llx.StringData(vault.Name),
+			"description":                           llx.StringData(vault.GetDescription()),
+			"state":                                  llx.StringData(vault.State.String()),
+			"backupMinimumEnforcedRetentionDuration": llx.StringData(vault.BackupMinimumEnforcedRetentionDuration.String()),
+			"deletable":                              llx.BoolData(vault.GetDeletable()),
+			"etag":                                   llx.StringData(vault.GetEtag()),
+			"effectiveTime":                          llx.TimeDataPtr(timestampAsTimePtr(vault.EffectiveTime)),
+			"backupCount":                            llx.IntData(vault.GetBackupCount()),
+			"serviceAccount":                         llx.StringData(vault.ServiceAccount),
+			"totalStoredBytes":                       llx.IntData(vault.GetTotalStoredBytes()),
+			"accessRestriction":                      llx.StringData(vault.AccessRestriction.String()),
+			"annotations":                            llx.MapData(convert.MapToInterfaceMap(vault.Annotations), types.String),
+			"labels":                                 llx.MapData(convert.MapToInterfaceMap(vault.Labels), types.String),
+			"createdAt":                              llx.TimeDataPtr(timestampAsTimePtr(vault.CreateTime)),
+			"updatedAt":                              llx.TimeDataPtr(timestampAsTimePtr(vault.UpdateTime)),
+		})
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, mqlVault)
+	}
+	return res, nil
+}
+
+func (g *mqlGcpProjectBackupdrServiceBackupVault) id() (string, error) {
+	return g.Name.Data, g.Name.Error
+}
+
+func (g *mqlGcpProjectBackupdrServiceBackupVault) dataSources() ([]any, error) {
+	if g.Name.Error != nil {
+		return nil, g.Name.Error
+	}
+	vaultName := g.Name.Data
+
+	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
+	creds, err := conn.Credentials(backupdr.DefaultAuthScopes()...)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+	client, err := backupdr.NewClient(ctx, option.WithCredentials(creds))
+	if err != nil {
+		return nil, err
+	}
+	defer client.Close()
+
+	it := client.ListDataSources(ctx, &backupdrpb.ListDataSourcesRequest{
+		Parent: vaultName,
+	})
+
+	var res []any
+	for {
+		ds, err := it.Next()
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		gcpResource, err := protoToDict(ds.GetDataSourceGcpResource())
+		if err != nil {
+			return nil, err
+		}
+		backupApplianceApp, err := protoToDict(ds.GetDataSourceBackupApplianceApplication())
+		if err != nil {
+			return nil, err
+		}
+
+		mqlDs, err := CreateResource(g.MqlRuntime, "gcp.project.backupdrService.dataSource", map[string]*llx.RawData{
+			"name":                                  llx.StringData(ds.Name),
+			"state":                                 llx.StringData(ds.State.String()),
+			"labels":                                llx.MapData(convert.MapToInterfaceMap(ds.Labels), types.String),
+			"dataSourceGcpResource":                 llx.DictData(gcpResource),
+			"dataSourceBackupApplianceApplication":  llx.DictData(backupApplianceApp),
+			"totalStoredBytes":                      llx.IntData(ds.GetTotalStoredBytes()),
+			"backupCount":                           llx.IntData(ds.GetBackupCount()),
+			"etag":                                  llx.StringData(ds.GetEtag()),
+			"configState":                           llx.StringData(ds.ConfigState.String()),
+			"createdAt":                             llx.TimeDataPtr(timestampAsTimePtr(ds.CreateTime)),
+			"updatedAt":                             llx.TimeDataPtr(timestampAsTimePtr(ds.UpdateTime)),
+		})
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, mqlDs)
+	}
+	return res, nil
+}
+
+func (g *mqlGcpProjectBackupdrServiceDataSource) id() (string, error) {
+	return g.Name.Data, g.Name.Error
+}
+
+func (g *mqlGcpProjectBackupdrService) backupPlans() ([]any, error) {
+	if g.ProjectId.Error != nil {
+		return nil, g.ProjectId.Error
+	}
+	projectId := g.ProjectId.Data
+
+	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
+	creds, err := conn.Credentials(backupdr.DefaultAuthScopes()...)
+	if err != nil {
+		return nil, err
+	}
+
+	ctx := context.Background()
+	client, err := backupdr.NewClient(ctx, option.WithCredentials(creds))
+	if err != nil {
+		return nil, err
+	}
+	defer client.Close()
+
+	it := client.ListBackupPlans(ctx, &backupdrpb.ListBackupPlansRequest{
+		Parent: fmt.Sprintf("projects/%s/locations/-", projectId),
+	})
+
+	var res []any
+	for {
+		plan, err := it.Next()
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		backupRules := make([]any, 0, len(plan.BackupRules))
+		for _, rule := range plan.BackupRules {
+			d, err := protoToDict(rule)
+			if err != nil {
+				return nil, err
+			}
+			backupRules = append(backupRules, d)
+		}
+
+		mqlPlan, err := CreateResource(g.MqlRuntime, "gcp.project.backupdrService.backupPlan", map[string]*llx.RawData{
+			"name":                    llx.StringData(plan.Name),
+			"description":             llx.StringData(plan.Description),
+			"state":                   llx.StringData(plan.State.String()),
+			"resourceType":            llx.StringData(plan.ResourceType),
+			"backupVault":             llx.StringData(plan.BackupVault),
+			"backupVaultServiceAccount": llx.StringData(plan.BackupVaultServiceAccount),
+			"labels":                  llx.MapData(convert.MapToInterfaceMap(plan.Labels), types.String),
+			"backupRules":             llx.ArrayData(backupRules, types.Dict),
+			"etag":                    llx.StringData(plan.Etag),
+			"createdAt":               llx.TimeDataPtr(timestampAsTimePtr(plan.CreateTime)),
+			"updatedAt":               llx.TimeDataPtr(timestampAsTimePtr(plan.UpdateTime)),
+		})
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, mqlPlan)
+	}
+	return res, nil
+}
+
+func (g *mqlGcpProjectBackupdrServiceBackupPlan) id() (string, error) {
+	return g.Name.Data, g.Name.Error
+}

providers/gcp/resources/compute.go

@@ -2567,6 +2567,15 @@ func (g *mqlGcpProjectComputeService) securityPolicies() ([]any, error) {
 					return err
 				}
 
+				userDefinedFields := make([]any, 0, len(policy.UserDefinedFields))
+				for _, udf := range policy.UserDefinedFields {
+					d, err := convert.JsonToDict(udf)
+					if err != nil {
+						return err
+					}
+					userDefinedFields = append(userDefinedFields, d)
+				}
+
 				policyId := strconv.FormatUint(policy.Id, 10)
 				mqlPolicy, err := CreateResource(g.MqlRuntime, "gcp.project.computeService.securityPolicy", map[string]*llx.RawData{
 					"id":                       llx.StringData(policyId),
@@ -2578,6 +2587,8 @@ func (g *mqlGcpProjectComputeService) securityPolicies() ([]any, error) {
 					"advancedOptionsConfig":    llx.DictData(advancedOptionsConfig),
 					"ddosProtectionConfig":     llx.DictData(ddosProtectionConfig),
 					"recaptchaOptionsConfig":   llx.DictData(recaptchaOptionsConfig),
+					"fingerprint":              llx.StringData(policy.Fingerprint),
+					"userDefinedFields":        llx.ArrayData(userDefinedFields, types.Dict),
 					"regionUrl":                llx.StringData(policy.Region),
 					"selfLink":                 llx.StringData(policy.SelfLink),
 					"createdAt":                llx.TimeDataPtr(parseTime(policy.CreationTimestamp)),