⭐ GCP: Add Cloud Armor, SSL, Cloud NAT, CAS, Audit Config, and Org Policy resources#6685

Merged
chris-rock merged 1 commit into main from tas50/more_gcp
Feb 26, 2026

Conversation

@tas50 tas50 commented Feb 26, 2026

Add security-focused resources to the GCP provider covering WAF/DDoS protection, TLS configuration, NAT auditing, private PKI, audit logging, and org policy enforcement.

New resources:

Cloud Armor:

  • gcp.project.computeService.securityPolicy: id, name, description, type, labels, adaptiveProtectionConfig, advancedOptionsConfig, ddosProtectionConfig, recaptchaOptionsConfig, regionUrl, selfLink, createdAt, rules()
  • gcp.project.computeService.securityPolicy.rule: id, action, description, priority, preview, match, networkMatch, rateLimitOptions, redirectOptions, headerAction, preconfiguredWafConfig

SSL Policies:

  • gcp.project.computeService.sslPolicy: id, name, description, profile, minTlsVersion, customFeatures, enabledFeatures, regionUrl, selfLink, warnings, createdAt

SSL Certificates:

  • gcp.project.computeService.sslCertificate: id, name, description, type, subjectAlternativeNames, managed, regionUrl, selfLink, expireTime, createdAt

Cloud NAT:

  • gcp.project.computeService.router.nat: id, name, natIpAllocateOption, sourceSubnetworkIpRangesToNat, enableDynamicPortAllocation, enableEndpointIndependentMapping, minPortsPerVm, maxPortsPerVm, natIps, subnetworks, rules, logConfig, endpointTypes, autoNetworkTier, icmpIdleTimeoutSec, tcpEstablishedIdleTimeoutSec, tcpTransitoryIdleTimeoutSec, tcpTimeWaitTimeoutSec, udpIdleTimeoutSec
  • router.natServices field added (router.nats []dict preserved as deprecated)

Certificate Authority Service:

  • gcp.project.certificateAuthorityService: projectId, caPools()
  • gcp.project.certificateAuthorityService.caPool: projectId, resourcePath, name, location, tier, issuancePolicy, publishingOptions, labels, certificateAuthorities(), certificates()
  • gcp.project.certificateAuthorityService.certificateAuthority: projectId, resourcePath, name, location, caPool, type, state, keySpec, config, lifetime, pemCaCertificates, subordinateConfig, labels, gcsBucket, accessUrls, createdAt, updatedAt, deletedAt, expireTime
  • gcp.project.certificateAuthorityService.certificate: projectId, resourcePath, name, location, caPool, issuerCertificateAuthority, lifetime, subjectDescription, certDescription, pemCertificate, pemCertificateChain, revocationDetails, labels, createdAt, updatedAt

Audit Logging Configuration:

  • gcp.resourcemanager.auditConfig: id, service, auditLogConfigs
  • gcp.resourcemanager.auditConfig.logConfig: id, logType, exemptedMembers
  • Exposed on both gcp.organization and gcp.project

Organization Policies:

  • gcp.orgPolicy: id, name, constraintName, spec, dryRunSpec, etag, updatedAt
  • Exposed on both gcp.organization and gcp.project

@mondoo-code-review mondoo-code-review bot left a comment

Well-structured additions with comprehensive security resource coverage; pagination not handled but consistent with existing patterns

github-actions bot commented Feb 26, 2026

Test Results

5 136 tests  +24   5 132 ✅ +24   1m 57s ⏱️ -2s
  409 suites ± 0       4 💤 ± 0 
   31 files   ± 0       0 ❌ ± 0 

Results for commit 2ef100b. ± Comparison against base commit 2a19947.

♻️ This comment has been updated with latest results.

…licy resources

Add security-focused resources to the GCP provider covering WAF/DDoS protection,
TLS configuration, NAT auditing, private PKI, audit logging, and org policy enforcement.

New resources:

Cloud Armor:
- gcp.project.computeService.securityPolicy: id, name, description, type, labels,
  adaptiveProtectionConfig, advancedOptionsConfig, ddosProtectionConfig,
  recaptchaOptionsConfig, regionUrl, selfLink, createdAt, rules()
- gcp.project.computeService.securityPolicy.rule: id, action, description, priority,
  preview, match, networkMatch, rateLimitOptions, redirectOptions, headerAction,
  preconfiguredWafConfig

SSL Policies:
- gcp.project.computeService.sslPolicy: id, name, description, profile, minTlsVersion,
  customFeatures, enabledFeatures, regionUrl, selfLink, warnings, createdAt

SSL Certificates:
- gcp.project.computeService.sslCertificate: id, name, description, type,
  subjectAlternativeNames, managed, regionUrl, selfLink, expireTime, createdAt

Cloud NAT:
- gcp.project.computeService.router.nat: id, name, natIpAllocateOption,
  sourceSubnetworkIpRangesToNat, enableDynamicPortAllocation,
  enableEndpointIndependentMapping, minPortsPerVm, maxPortsPerVm, natIps,
  subnetworks, rules, logConfig, endpointTypes, autoNetworkTier,
  icmpIdleTimeoutSec, tcpEstablishedIdleTimeoutSec, tcpTransitoryIdleTimeoutSec,
  tcpTimeWaitTimeoutSec, udpIdleTimeoutSec
- router.natServices field added (router.nats []dict preserved as deprecated)

Certificate Authority Service:
- gcp.project.certificateAuthorityService: projectId, caPools()
- gcp.project.certificateAuthorityService.caPool: projectId, resourcePath, name,
  location, tier, issuancePolicy, publishingOptions, labels,
  certificateAuthorities(), certificates()
- gcp.project.certificateAuthorityService.certificateAuthority: projectId,
  resourcePath, name, location, caPool, type, state, keySpec, config, lifetime,
  pemCaCertificates, subordinateConfig, labels, gcsBucket, accessUrls,
  createdAt, updatedAt, deletedAt, expireTime
- gcp.project.certificateAuthorityService.certificate: projectId, resourcePath,
  name, location, caPool, issuerCertificateAuthority, lifetime,
  subjectDescription, certDescription, pemCertificate, pemCertificateChain,
  revocationDetails, labels, createdAt, updatedAt

Audit Logging Configuration:
- gcp.resourcemanager.auditConfig: id, service, auditLogConfigs
- gcp.resourcemanager.auditConfig.logConfig: id, logType, exemptedMembers
- Exposed on both gcp.organization and gcp.project

Organization Policies:
- gcp.orgPolicy: id, name, constraintName, spec, dryRunSpec, etag, updatedAt
- Exposed on both gcp.organization and gcp.project

Signed-off-by: Tim Smith <tsmith84@gmail.com>
@chris-rock chris-rock merged commit ca573e9 into main Feb 26, 2026
21 checks passed
@chris-rock chris-rock deleted the tas50/more_gcp branch February 26, 2026 17:21
@github-actions github-actions bot locked and limited conversation to collaborators Feb 26, 2026