2025-11-28T06:49:19.1755275Z Current runner version: '2.329.0'
2025-11-28T06:49:19.1786802Z ##[group]Runner Image Provisioner
2025-11-28T06:49:19.1787746Z Hosted Compute Agent
2025-11-28T06:49:19.1788296Z Version: 20251016.436
2025-11-28T06:49:19.1788914Z Commit: 8ab8ac8bfd662a3739dab9fe09456aba92132568
2025-11-28T06:49:19.1789982Z Build Date: 2025-10-15T20:44:12Z
2025-11-28T06:49:19.1790648Z ##[endgroup]
2025-11-28T06:49:19.1791201Z ##[group]Operating System
2025-11-28T06:49:19.1791863Z Ubuntu
2025-11-28T06:49:19.1792354Z 24.04.3
2025-11-28T06:49:19.1792846Z LTS
2025-11-28T06:49:19.1793328Z ##[endgroup]
2025-11-28T06:49:19.1793864Z ##[group]Runner Image
2025-11-28T06:49:19.1794465Z Image: ubuntu-24.04
2025-11-28T06:49:19.1795004Z Version: 20251112.124.1
2025-11-28T06:49:19.1796100Z Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20251112.124/images/ubuntu/Ubuntu2404-Readme.md
2025-11-28T06:49:19.1797665Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20251112.124
2025-11-28T06:49:19.1798715Z ##[endgroup]
2025-11-28T06:49:19.1801674Z ##[group]GITHUB_TOKEN Permissions
2025-11-28T06:49:19.1804160Z Actions: write
2025-11-28T06:49:19.1804771Z ArtifactMetadata: write
2025-11-28T06:49:19.1805416Z Attestations: write
2025-11-28T06:49:19.1805938Z Checks: write
2025-11-28T06:49:19.1806454Z Contents: write
2025-11-28T06:49:19.1806930Z Deployments: write
2025-11-28T06:49:19.1807567Z Discussions: write
2025-11-28T06:49:19.1808063Z Issues: write
2025-11-28T06:49:19.1808565Z Metadata: read
2025-11-28T06:49:19.1809109Z Models: read
2025-11-28T06:49:19.1810002Z Packages: write
2025-11-28T06:49:19.1810600Z Pages: write
2025-11-28T06:49:19.1811243Z PullRequests: write
2025-11-28T06:49:19.1811812Z RepositoryProjects: write
2025-11-28T06:49:19.1812484Z SecurityEvents: write
2025-11-28T06:49:19.1813122Z Statuses: write
2025-11-28T06:49:19.1813622Z ##[endgroup]
2025-11-28T06:49:19.1816261Z Secret source: Actions
2025-11-28T06:49:19.1817454Z Prepare workflow directory
2025-11-28T06:49:19.2279257Z Prepare all required actions
2025-11-28T06:49:19.2335581Z Getting action download info
2025-11-28T06:49:19.6062689Z Download action repository 'actions/checkout@v4' (SHA:34e114876b0b11c390a56381ad16ebd13914f8d5)
2025-11-28T06:49:20.1189358Z Download action repository 'aquasecurity/tfsec-action@v1.0.0' (SHA:a73ebc46fba54691e25cbe901656e7b205fb9bf2)
2025-11-28T06:49:20.4628562Z Download action repository 'bridgecrewio/checkov-action@master' (SHA:02a4c5d6a02367e5ea493c34c26b094302fd3f61)
2025-11-28T06:49:20.8088908Z Download action repository 'github/codeql-action@v3' (SHA:d3ced5c96c16c4332e2a61eb6f3649d6f1b20bb8)
2025-11-28T06:49:21.7351293Z Complete job name: Terraform Security Scan
2025-11-28T06:49:21.7807182Z ##[group]Pull down action image 'ghcr.io/bridgecrewio/checkov:3.2.495'
2025-11-28T06:49:21.7862850Z ##[command]/usr/bin/docker pull ghcr.io/bridgecrewio/checkov:3.2.495
2025-11-28T06:49:22.2130601Z 3.2.495: Pulling from bridgecrewio/checkov
2025-11-28T06:49:37.3476117Z Digest: sha256:4c2c3b67f09867ef2843a03d8ba82adf712eb93ea3584c1708c24ed584f6da17
2025-11-28T06:49:37.3485149Z Status: Downloaded newer image for ghcr.io/bridgecrewio/checkov:3.2.495
2025-11-28T06:49:37.3496079Z ghcr.io/bridgecrewio/checkov:3.2.495
2025-11-28T06:49:37.3520857Z ##[endgroup]
2025-11-28T06:49:37.3564223Z ##[group]Build container for action use: '/home/runner/work/_actions/aquasecurity/tfsec-action/v1.0.0/Dockerfile'.
2025-11-28T06:49:37.3570700Z ##[command]/usr/bin/docker build -t 1fa1db:fe7ec714ff194168a49b728d842b089d -f "/home/runner/work/_actions/aquasecurity/tfsec-action/v1.0.0/Dockerfile" "/home/runner/work/_actions/aquasecurity/tfsec-action/v1.0.0"
2025-11-28T06:49:37.7956932Z #0 building with "default" instance using docker driver
2025-11-28T06:49:37.7958090Z 
2025-11-28T06:49:37.7958351Z #1 [internal] load build definition from Dockerfile
2025-11-28T06:49:37.7958861Z #1 transferring dockerfile: 197B done
2025-11-28T06:49:37.7959282Z #1 DONE 0.0s
2025-11-28T06:49:37.7959672Z 
2025-11-28T06:49:37.7959925Z #2 [auth] library/alpine:pull token for registry-1.docker.io
2025-11-28T06:49:37.9461839Z #2 DONE 0.0s
2025-11-28T06:49:37.9462260Z 
2025-11-28T06:49:37.9480948Z #3 [internal] load metadata for docker.io/library/alpine:3.12
2025-11-28T06:49:38.2090011Z #3 DONE 0.5s
2025-11-28T06:49:38.3258731Z 
2025-11-28T06:49:38.3266989Z #4 [internal] load .dockerignore
2025-11-28T06:49:38.3267592Z #4 transferring context: 2B done
2025-11-28T06:49:38.3268103Z #4 DONE 0.0s
2025-11-28T06:49:38.3268352Z 
2025-11-28T06:49:38.3268519Z #5 [internal] load build context
2025-11-28T06:49:38.3268933Z #5 transferring context: 739B done
2025-11-28T06:49:38.3269359Z #5 DONE 0.0s
2025-11-28T06:49:38.3269773Z 
2025-11-28T06:49:38.3270372Z #6 [1/3] FROM docker.io/library/alpine:3.12@sha256:c75ac27b49326926b803b9ed43bf088bc220d22556de1bc5f72d742c91398f69
2025-11-28T06:49:38.3271709Z #6 resolve docker.io/library/alpine:3.12@sha256:c75ac27b49326926b803b9ed43bf088bc220d22556de1bc5f72d742c91398f69 done
2025-11-28T06:49:38.3272938Z #6 extracting sha256:1b7ca6aea1ddfe716f3694edb811ab35114db9e93f3ce38d7dab6b4d9270cb0c
2025-11-28T06:49:38.3274055Z #6 sha256:24c8ece58a1aa807c0d8ea121f91cee2efba99624d0a8aed732155fb31f28993 1.47kB / 1.47kB done
2025-11-28T06:49:38.3275261Z #6 sha256:1b7ca6aea1ddfe716f3694edb811ab35114db9e93f3ce38d7dab6b4d9270cb0c 2.81MB / 2.81MB 0.1s done
2025-11-28T06:49:38.3276436Z #6 sha256:c75ac27b49326926b803b9ed43bf088bc220d22556de1bc5f72d742c91398f69 1.64kB / 1.64kB done
2025-11-28T06:49:38.3277523Z #6 sha256:cb64bbe7fa613666c234e1090e91427314ee18ec6420e9426cf4e7f314056813 528B / 528B done
2025-11-28T06:49:38.5762407Z #6 extracting sha256:1b7ca6aea1ddfe716f3694edb811ab35114db9e93f3ce38d7dab6b4d9270cb0c 0.1s done
2025-11-28T06:49:38.5763662Z #6 DONE 0.2s
2025-11-28T06:49:38.5763845Z 
2025-11-28T06:49:38.5764182Z #7 [2/3] RUN apk --no-cache --update add bash git     && rm -rf /var/cache/apk/*
2025-11-28T06:49:38.6040789Z #7 0.179 fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
2025-11-28T06:49:38.7435395Z #7 0.215 fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
2025-11-28T06:49:38.7439344Z #7 0.319 (1/10) Installing ncurses-terminfo-base (6.2_p20200523-r1)
2025-11-28T06:49:38.9312537Z #7 0.326 (2/10) Installing ncurses-libs (6.2_p20200523-r1)
2025-11-28T06:49:38.9315506Z #7 0.336 (3/10) Installing readline (8.0.4-r0)
2025-11-28T06:49:38.9316231Z #7 0.340 (4/10) Installing bash (5.0.17-r0)
2025-11-28T06:49:38.9317052Z #7 0.351 Executing bash-5.0.17-r0.post-install
2025-11-28T06:49:38.9317810Z #7 0.354 (5/10) Installing ca-certificates (20220614-r0)
2025-11-28T06:49:38.9318327Z #7 0.375 (6/10) Installing nghttp2-libs (1.41.0-r0)
2025-11-28T06:49:38.9318851Z #7 0.378 (7/10) Installing libcurl (7.79.1-r1)
2025-11-28T06:49:38.9319308Z #7 0.385 (8/10) Installing expat (2.2.10-r4)
2025-11-28T06:49:38.9322991Z #7 0.388 (9/10) Installing pcre2 (10.35-r0)
2025-11-28T06:49:38.9323659Z #7 0.395 (10/10) Installing git (2.26.3-r1)
2025-11-28T06:49:38.9324139Z #7 0.506 Executing busybox-1.31.1-r22.trigger
2025-11-28T06:49:39.0312921Z #7 0.513 Executing ca-certificates-20220614-r0.trigger
2025-11-28T06:49:39.0313688Z #7 0.549 OK: 24 MiB in 24 packages
2025-11-28T06:49:39.0315284Z #7 DONE 0.6s
2025-11-28T06:49:39.0315483Z 
2025-11-28T06:49:39.0316842Z #8 [3/3] COPY entrypoint.sh /entrypoint.sh
2025-11-28T06:49:39.2170574Z #8 DONE 0.0s
2025-11-28T06:49:39.2193870Z 
2025-11-28T06:49:39.2194350Z #9 exporting to image
2025-11-28T06:49:39.2195285Z #9 exporting layers
2025-11-28T06:49:40.0071006Z #9 exporting layers 0.9s done
2025-11-28T06:49:40.0235684Z #9 writing image sha256:7a419ea0663e50165cacd44262cf96ed141492d9adc8c2cfec608ce3db65a4a9 done
2025-11-28T06:49:40.0241327Z #9 naming to docker.io/library/1fa1db:fe7ec714ff194168a49b728d842b089d done
2025-11-28T06:49:40.0242767Z #9 DONE 1.0s
2025-11-28T06:49:40.0337452Z ##[endgroup]
2025-11-28T06:49:40.0591359Z ##[group]Run actions/checkout@v4
2025-11-28T06:49:40.0591988Z with:
2025-11-28T06:49:40.0592234Z   repository: heyarchie-ai/archie-platform-v3
2025-11-28T06:49:40.0592714Z   token: ***
2025-11-28T06:49:40.0592903Z   ssh-strict: true
2025-11-28T06:49:40.0593098Z   ssh-user: git
2025-11-28T06:49:40.0593297Z   persist-credentials: true
2025-11-28T06:49:40.0593513Z   clean: true
2025-11-28T06:49:40.0593714Z   sparse-checkout-cone-mode: true
2025-11-28T06:49:40.0593952Z   fetch-depth: 1
2025-11-28T06:49:40.0594142Z   fetch-tags: false
2025-11-28T06:49:40.0594331Z   show-progress: true
2025-11-28T06:49:40.0594531Z   lfs: false
2025-11-28T06:49:40.0594702Z   submodules: false
2025-11-28T06:49:40.0594896Z   set-safe-directory: true
2025-11-28T06:49:40.0595283Z ##[endgroup]
2025-11-28T06:49:40.1847812Z Syncing repository: heyarchie-ai/archie-platform-v3
2025-11-28T06:49:40.1850068Z ##[group]Getting Git version info
2025-11-28T06:49:40.1850904Z Working directory is '/home/runner/work/archie-platform-v3/archie-platform-v3'
2025-11-28T06:49:40.1853009Z [command]/usr/bin/git version
2025-11-28T06:49:40.1894941Z git version 2.51.2
2025-11-28T06:49:40.1922989Z ##[endgroup]
2025-11-28T06:49:40.1938595Z Temporarily overriding HOME='/home/runner/work/_temp/8c07b123-b8bd-4b7f-9cee-6fb3ece3628b' before making global git config changes
2025-11-28T06:49:40.1941034Z Adding repository directory to the temporary git global config as a safe directory
2025-11-28T06:49:40.1945731Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/archie-platform-v3/archie-platform-v3
2025-11-28T06:49:40.1990951Z Deleting the contents of '/home/runner/work/archie-platform-v3/archie-platform-v3'
2025-11-28T06:49:40.1995984Z ##[group]Initializing the repository
2025-11-28T06:49:40.2002154Z [command]/usr/bin/git init /home/runner/work/archie-platform-v3/archie-platform-v3
2025-11-28T06:49:40.2126283Z hint: Using 'master' as the name for the initial branch. This default branch name
2025-11-28T06:49:40.2128621Z hint: is subject to change. To configure the initial branch name to use in all
2025-11-28T06:49:40.2129680Z hint: of your new repositories, which will suppress this warning, call:
2025-11-28T06:49:40.2130317Z hint:
2025-11-28T06:49:40.2130823Z hint: 	git config --global init.defaultBranch <name>
2025-11-28T06:49:40.2131865Z hint:
2025-11-28T06:49:40.2132361Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
2025-11-28T06:49:40.2133151Z hint: 'development'. The just-created branch can be renamed via this command:
2025-11-28T06:49:40.2133756Z hint:
2025-11-28T06:49:40.2134095Z hint: 	git branch -m <name>
2025-11-28T06:49:40.2134451Z hint:
2025-11-28T06:49:40.2134957Z hint: Disable this message with "git config set advice.defaultBranchName false"
2025-11-28T06:49:40.2135952Z Initialized empty Git repository in /home/runner/work/archie-platform-v3/archie-platform-v3/.git/
2025-11-28T06:49:40.2141108Z [command]/usr/bin/git remote add origin https://github.com/heyarchie-ai/archie-platform-v3
2025-11-28T06:49:40.2195867Z ##[endgroup]
2025-11-28T06:49:40.2196508Z ##[group]Disabling automatic garbage collection
2025-11-28T06:49:40.2197090Z [command]/usr/bin/git config --local gc.auto 0
2025-11-28T06:49:40.2229911Z ##[endgroup]
2025-11-28T06:49:40.2231461Z ##[group]Setting up auth
2025-11-28T06:49:40.2237888Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2025-11-28T06:49:40.2271855Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2025-11-28T06:49:40.2653711Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2025-11-28T06:49:40.2687463Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2025-11-28T06:49:40.2955534Z [command]/usr/bin/git config --local --name-only --get-regexp ^includeIf\.gitdir:
2025-11-28T06:49:40.2993120Z [command]/usr/bin/git submodule foreach --recursive git config --local --show-origin --name-only --get-regexp remote.origin.url
2025-11-28T06:49:40.3246963Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2025-11-28T06:49:40.3293204Z ##[endgroup]
2025-11-28T06:49:40.3294868Z ##[group]Fetching the repository
2025-11-28T06:49:40.3303419Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +08dee3a63c06007d7f2dd1d4ce09aa92c8f43e09:refs/remotes/pull/175/merge
2025-11-28T06:49:40.7811252Z From https://github.com/heyarchie-ai/archie-platform-v3
2025-11-28T06:49:40.7830454Z  * [new ref]         08dee3a63c06007d7f2dd1d4ce09aa92c8f43e09 -> pull/175/merge
2025-11-28T06:49:40.7855517Z ##[endgroup]
2025-11-28T06:49:40.7857396Z ##[group]Determining the checkout info
2025-11-28T06:49:40.7859259Z ##[endgroup]
2025-11-28T06:49:40.7862896Z [command]/usr/bin/git sparse-checkout disable
2025-11-28T06:49:40.7904815Z [command]/usr/bin/git config --local --unset-all extensions.worktreeConfig
2025-11-28T06:49:40.7934471Z ##[group]Checking out the ref
2025-11-28T06:49:40.7938618Z [command]/usr/bin/git checkout --progress --force refs/remotes/pull/175/merge
2025-11-28T06:49:40.8393020Z Note: switching to 'refs/remotes/pull/175/merge'.
2025-11-28T06:49:40.8401094Z 
2025-11-28T06:49:40.8401471Z You are in 'detached HEAD' state. You can look around, make experimental
2025-11-28T06:49:40.8402319Z changes and commit them, and you can discard any commits you make in this
2025-11-28T06:49:40.8403072Z state without impacting any branches by switching back to a branch.
2025-11-28T06:49:40.8403500Z 
2025-11-28T06:49:40.8404093Z If you want to create a new branch to retain commits you create, you may
2025-11-28T06:49:40.8404791Z do so (now or later) by using -c with the switch command. Example:
2025-11-28T06:49:40.8405630Z 
2025-11-28T06:49:40.8405815Z   git switch -c <new-branch-name>
2025-11-28T06:49:40.8406085Z 
2025-11-28T06:49:40.8406234Z Or undo this operation with:
2025-11-28T06:49:40.8406483Z 
2025-11-28T06:49:40.8406609Z   git switch -
2025-11-28T06:49:40.8406932Z 
2025-11-28T06:49:40.8407257Z Turn off this advice by setting config variable advice.detachedHead to false
2025-11-28T06:49:40.8407724Z 
2025-11-28T06:49:40.8408280Z HEAD is now at 08dee3a Merge 05d6d4f1f3ed583db0d618775b3806e4c1c948c8 into 57252f590e22b28209a166f542301e795e138302
2025-11-28T06:49:40.8420185Z ##[endgroup]
2025-11-28T06:49:40.8465986Z [command]/usr/bin/git log -1 --format=%H
2025-11-28T06:49:40.8495167Z 08dee3a63c06007d7f2dd1d4ce09aa92c8f43e09
2025-11-28T06:49:40.8703522Z ##[group]Run aquasecurity/tfsec-action@v1.0.0
2025-11-28T06:49:40.8703873Z with:
2025-11-28T06:49:40.8704067Z   working_directory: terraform/
2025-11-28T06:49:40.8704293Z   soft_fail: true
2025-11-28T06:49:40.8704479Z   version: latest
2025-11-28T06:49:40.8704649Z   format: default
2025-11-28T06:49:40.8704833Z ##[endgroup]
2025-11-28T06:49:40.8798778Z ##[command]/usr/bin/docker run --name fa1dbfe7ec714ff194168a49b728d842b089d_cf527b --label 1fa1db --workdir /github/workspace --rm -e "INPUT_WORKING_DIRECTORY" -e "INPUT_SOFT_FAIL" -e "INPUT_VERSION" -e "INPUT_FORMAT" -e "INPUT_ADDITIONAL_ARGS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp":"/github/runner_temp" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/archie-platform-v3/archie-platform-v3":"/github/workspace" 1fa1db:fe7ec714ff194168a49b728d842b089d
2025-11-28T06:49:41.0958183Z + TFSEC_VERSION=latest
2025-11-28T06:49:41.0959786Z + '[' latest '!=' latest ']'
2025-11-28T06:49:41.0994078Z ++ wget -q https://api.github.com/repos/aquasecurity/tfsec/releases/latest -O -
2025-11-28T06:49:41.0997844Z ++ grep -o -E 'https://.+?tfsec-linux-amd64'
2025-11-28T06:49:41.1012444Z ++ head -n1
2025-11-28T06:49:41.3157370Z + wget -O - -q https://github.com/aquasecurity/tfsec/releases/download/v1.28.14/tfsec-linux-amd64
2025-11-28T06:49:41.6243286Z + install tfsec /usr/local/bin/
2025-11-28T06:49:41.6585733Z + '[' -n /github/workspace ']'
2025-11-28T06:49:41.6586440Z + cd /github/workspace
2025-11-28T06:49:41.6593956Z + '[' -n '' ']'
2025-11-28T06:49:41.6594343Z + '[' -n true ']'
2025-11-28T06:49:41.6595514Z + SOFT_FAIL=--soft-fail
2025-11-28T06:49:41.6595853Z + FORMAT=default
2025-11-28T06:49:41.6596246Z + tfsec --format=default --soft-fail terraform/
2025-11-28T06:49:42.0540438Z 
2025-11-28T06:49:42.0541602Z ======================================================
2025-11-28T06:49:42.0542684Z tfsec is joining the Trivy family
2025-11-28T06:49:42.0543122Z 
2025-11-28T06:49:42.0543509Z tfsec will continue to remain available 
2025-11-28T06:49:42.0544254Z for the time being, although our engineering 
2025-11-28T06:49:42.0560725Z attention will be directed at Trivy going forward.
2025-11-28T06:49:42.0561343Z 
2025-11-28T06:49:42.0561663Z You can read more here: 
2025-11-28T06:49:42.0562321Z https://github.com/aquasecurity/tfsec/discussions/1994
2025-11-28T06:49:42.0563018Z ======================================================
2025-11-28T06:49:42.4155986Z   timings
2025-11-28T06:49:42.4156513Z   ──────────────────────────────────────────
2025-11-28T06:49:42.4158274Z   disk i/o             44.372µs
2025-11-28T06:49:42.4163440Z   parsing              246.2µs
2025-11-28T06:49:42.4165328Z   adaptation           76.483µs
2025-11-28T06:49:42.4167616Z   checks               5.322814ms
2025-11-28T06:49:42.4170238Z   total                5.689869ms
2025-11-28T06:49:42.4170713Z 
2025-11-28T06:49:42.4171029Z   counts
2025-11-28T06:49:42.4171476Z   ──────────────────────────────────────────
2025-11-28T06:49:42.4171966Z   modules downloaded   0
2025-11-28T06:49:42.4172465Z   modules processed    1
2025-11-28T06:49:42.4172944Z   blocks processed     8
2025-11-28T06:49:42.4173413Z   files read           2
2025-11-28T06:49:42.4173801Z 
2025-11-28T06:49:42.4174107Z   results
2025-11-28T06:49:42.4174536Z   ──────────────────────────────────────────
2025-11-28T06:49:42.4175001Z   passed               0
2025-11-28T06:49:42.4175442Z   ignored              0
2025-11-28T06:49:42.4175877Z   critical             0
2025-11-28T06:49:42.4176316Z   high                 0
2025-11-28T06:49:42.4176768Z   medium               0
2025-11-28T06:49:42.4177215Z   low                  0
2025-11-28T06:49:42.4177606Z 
2025-11-28T06:49:42.4177875Z 
2025-11-28T06:49:42.4178208Z No problems detected!
2025-11-28T06:49:42.4178461Z 
2025-11-28T06:49:42.7085653Z 
2025-11-28T06:49:42.7197673Z ##[group]Run bridgecrewio/checkov-action@master
2025-11-28T06:49:42.7197973Z with:
2025-11-28T06:49:42.7198150Z   directory: terraform/
2025-11-28T06:49:42.7198356Z   framework: terraform
2025-11-28T06:49:42.7198542Z   soft_fail: true
2025-11-28T06:49:42.7198726Z   output_format: sarif
2025-11-28T06:49:42.7198937Z   output_file_path: checkov-results.sarif
2025-11-28T06:49:42.7199188Z   log_level: WARNING
2025-11-28T06:49:42.7199370Z   container_user: 0
2025-11-28T06:49:42.7199921Z ##[endgroup]
2025-11-28T06:49:42.7279283Z ##[command]/usr/bin/docker run --name ghcriobridgecrewiocheckov32495_25036e --label 1fa1db --workdir /github/workspace --rm -e "INPUT_DIRECTORY" -e "INPUT_FRAMEWORK" -e "INPUT_SOFT_FAIL" -e "INPUT_OUTPUT_FORMAT" -e "INPUT_OUTPUT_FILE_PATH" -e "INPUT_FILE" -e "INPUT_CHECK" -e "INPUT_SKIP_CHECK" -e "INPUT_COMPACT" -e "INPUT_QUIET" -e "INPUT_API-KEY" -e "INPUT_OUTPUT_BC_IDS" -e "INPUT_USE_ENFORCEMENT_RULES" -e "INPUT_SKIP_RESULTS_UPLOAD" -e "INPUT_SKIP_FRAMEWORK" -e "INPUT_EXTERNAL_CHECKS_DIRS" -e "INPUT_EXTERNAL_CHECKS_REPOS" -e "INPUT_DOWNLOAD_EXTERNAL_MODULES" -e "INPUT_ENABLE_SECRETS_SCAN_ALL_FILES" -e "INPUT_LOG_LEVEL" -e "INPUT_CONFIG_FILE" -e "INPUT_BASELINE" -e "INPUT_SOFT_FAIL_ON" -e "INPUT_HARD_FAIL_ON" -e "INPUT_CONTAINER_USER" -e "INPUT_DOCKER_IMAGE" -e "INPUT_DOCKERFILE_PATH" -e "INPUT_VAR_FILE" -e "INPUT_GITHUB_PAT" -e "INPUT_TFC_TOKEN" -e "INPUT_TF_REGISTRY_TOKEN" -e "INPUT_CKV_VALIDATE_SECRETS" -e "INPUT_VCS_BASE_URL" -e "INPUT_VCS_USERNAME" -e "INPUT_VCS_TOKEN" -e "INPUT_BITBUCKET_TOKEN" -e "INPUT_BITBUCKET_APP_PASSWORD" -e "INPUT_BITBUCKET_USERNAME" -e "INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT" -e "INPUT_DEEP_ANALYSIS" -e "INPUT_POLICY_METADATA_FILTER" -e "INPUT_POLICY_METADATA_FILTER_EXCEPTION" -e "INPUT_SKIP_PATH" -e "INPUT_SKIP_CVE_PACKAGE" -e "INPUT_SKIP_DOWNLOAD" -e "INPUT_PRISMA-API-URL" -e "API_KEY_VARIABLE" -e "GITHUB_PAT" -e "TFC_TOKEN" -e "TF_REGISTRY_TOKEN" -e "VCS_USERNAME" -e "VCS_BASE_URL" -e "VCS_TOKEN" -e "BITBUCKET_TOKEN" -e "BITBUCKET_USERNAME" -e "BITBUCKET_APP_PASSWORD" -e "PRISMA_API_URL" -e "CKV_VALIDATE_SECRETS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e 
"GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp":"/github/runner_temp" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/archie-platform-v3/archie-platform-v3":"/github/workspace" ghcr.io/bridgecrewio/checkov:3.2.495  "" "terraform/" "" "" "" "" "true" "" "" "" "terraform" "" "" "" "sarif" "checkov-results.sarif" "" "" "WARNING" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "--user 0"
2025-11-28T06:49:42.9059036Z BC_FROM_BRANCH=feat/security-service-consolidation
2025-11-28T06:49:42.9060980Z BC_TO_BRANCH=main
2025-11-28T06:49:42.9085052Z BC_PR_ID=175
2025-11-28T06:49:42.9087247Z BC_PR_URL=https://github.com/heyarchie-ai/archie-platform-v3/pull/175
2025-11-28T06:49:42.9090171Z BC_COMMIT_HASH=08dee3a63c06007d7f2dd1d4ce09aa92c8f43e09
2025-11-28T06:49:42.9091174Z BC_COMMIT_URL=https://github.com/heyarchie-ai/archie-platform-v3/commit/08dee3a63c06007d7f2dd1d4ce09aa92c8f43e09
2025-11-28T06:49:42.9092030Z BC_AUTHOR_NAME=smcleodau
2025-11-28T06:49:42.9092451Z BC_AUTHOR_URL=https://github.com/smcleodau
2025-11-28T06:49:42.9092883Z BC_RUN_ID=3
2025-11-28T06:49:42.9093558Z BC_RUN_URL=https://github.com/heyarchie-ai/archie-platform-v3/actions/runs/19756337639
2025-11-28T06:49:42.9094385Z BC_REPOSITORY_URL=https://github.com/heyarchie-ai/archie-platform-v3
2025-11-28T06:49:42.9095026Z running checkov on directory: terraform/
2025-11-28T06:49:42.9095973Z checkov -d terraform/     --soft-fail        --output sarif --output-file-path checkov-results.sarif      --framework terraform         
2025-11-28T06:49:46.2574374Z 2025-11-28 06:49:46,256 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2591807Z 2025-11-28 06:49:46,256 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2596812Z 2025-11-28 06:49:46,256 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2601583Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2605051Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2608563Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2612238Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2615699Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2619136Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2622703Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:50.6239932Z 
2025-11-28T06:49:50.6239972Z 
2025-11-28T06:49:50.6240520Z        _               _
2025-11-28T06:49:50.6240959Z    ___| |__   ___  ___| | _______   __
2025-11-28T06:49:50.6241379Z   / __| '_ \ / _ \/ __| |/ / _ \ \ / /
2025-11-28T06:49:50.6241788Z  | (__| | | |  __/ (__|   < (_) \ V /
2025-11-28T06:49:50.6242187Z   \___|_| |_|\___|\___|_|\_\___/ \_/
2025-11-28T06:49:50.6242462Z 
2025-11-28T06:49:50.6242619Z By Prisma Cloud | version: 3.2.494 
2025-11-28T06:49:50.6243061Z Update available 3.2.494 -> 3.2.495
2025-11-28T06:49:50.6243509Z Run pip3 install -U checkov to update 
2025-11-28T06:49:50.6243822Z 
2025-11-28T06:49:50.6243972Z terraform scan results:
2025-11-28T06:49:50.6244199Z 
2025-11-28T06:49:50.6244435Z Passed checks: 44, Failed checks: 28, Skipped checks: 0
2025-11-28T06:49:50.6244837Z 
2025-11-28T06:49:50.6254877Z Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6255996Z 	PASSED for resource: google_artifact_registry_repository.main
2025-11-28T06:49:50.6256673Z 	File: /modules/artifact-registry/main.tf:34-88
2025-11-28T06:49:50.6258589Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6264438Z Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
2025-11-28T06:49:50.6265491Z 	PASSED for resource: google_artifact_registry_repository_iam_member.cloudbuild_writer
2025-11-28T06:49:50.6266339Z 	File: /modules/artifact-registry/main.tf:139-147
2025-11-28T06:49:50.6267978Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
2025-11-28T06:49:50.6270444Z Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
2025-11-28T06:49:50.6271486Z 	PASSED for resource: google_artifact_registry_repository_iam_member.cloudrun_reader
2025-11-28T06:49:50.6272203Z 	File: /modules/artifact-registry/main.tf:150-158
2025-11-28T06:49:50.6273806Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
2025-11-28T06:49:50.6275774Z Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
2025-11-28T06:49:50.6276810Z 	PASSED for resource: google_artifact_registry_repository_iam_member.custom_readers
2025-11-28T06:49:50.6277531Z 	File: /modules/artifact-registry/main.tf:161-169
2025-11-28T06:49:50.6279326Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
2025-11-28T06:49:50.6281527Z Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
2025-11-28T06:49:50.6282543Z 	PASSED for resource: google_artifact_registry_repository_iam_member.custom_writers
2025-11-28T06:49:50.6283276Z 	File: /modules/artifact-registry/main.tf:172-180
2025-11-28T06:49:50.6284911Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
2025-11-28T06:49:50.6287104Z Check: CKV_GCP_11: "Ensure that Cloud SQL database Instances are not open to the world"
2025-11-28T06:49:50.6287937Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6288486Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6290095Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-4
2025-11-28T06:49:50.6291637Z Check: CKV_GCP_55: "Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value"
2025-11-28T06:49:50.6292980Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6293527Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6294500Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-6
2025-11-28T06:49:50.6295398Z Check: CKV_GCP_56: "Ensure PostgreSQL database 'log_temp_files flag is set to '0'"
2025-11-28T06:49:50.6295838Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6296147Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6296715Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-7
2025-11-28T06:49:50.6297365Z Check: CKV_GCP_60: "Ensure Cloud SQL database does not have public IP"
2025-11-28T06:49:50.6297750Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6298049Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6298602Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-11
2025-11-28T06:49:50.6299331Z Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
2025-11-28T06:49:50.6300441Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6300941Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6302008Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1
2025-11-28T06:49:50.6303384Z Check: CKV_GCP_14: "Ensure all Cloud SQL database instance have backup configuration enabled"
2025-11-28T06:49:50.6304417Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6304909Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6305885Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-2
2025-11-28T06:49:50.6307019Z Check: CKV_GCP_57: "Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1'"
2025-11-28T06:49:50.6307667Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6308150Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6309074Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-8
2025-11-28T06:49:50.6310512Z Check: CKV_GCP_42: "Ensure that Service Account has no Admin privileges"
2025-11-28T06:49:50.6311323Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6312026Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6312636Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6313789Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-4
2025-11-28T06:49:50.6314936Z Check: CKV_GCP_117: "Ensure basic roles are not used at project level."
2025-11-28T06:49:50.6315750Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6316642Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6317303Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6318592Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-google-cloud-117
2025-11-28T06:49:50.6320811Z Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
2025-11-28T06:49:50.6321841Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6322579Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6323398Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6324621Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10
2025-11-28T06:49:50.6325849Z Check: CKV_GCP_46: "Ensure Default Service account is not used at a project level"
2025-11-28T06:49:50.6326701Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6327397Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6328003Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6329169Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-7
2025-11-28T06:49:50.6330872Z Check: CKV_GCP_41: "Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"
2025-11-28T06:49:50.6332044Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6332783Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6333394Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6334572Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-3
2025-11-28T06:49:50.6335853Z Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
2025-11-28T06:49:50.6336772Z 	PASSED for resource: module.cost_management.google_storage_bucket.log_archive[0]
2025-11-28T06:49:50.6337477Z 	File: /modules/cost-management/main.tf:181-215
2025-11-28T06:49:50.6338079Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6339859Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
2025-11-28T06:49:50.6341166Z Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
2025-11-28T06:49:50.6356411Z 	PASSED for resource: module.cost_management.google_storage_bucket_iam_member.log_writer[0]
2025-11-28T06:49:50.6357362Z 	File: /modules/cost-management/main.tf:218-224
2025-11-28T06:49:50.6358212Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6359977Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
2025-11-28T06:49:50.6361790Z Check: CKV_GCP_15: "Ensure that BigQuery datasets are not anonymously or publicly accessible"
2025-11-28T06:49:50.6363135Z 	PASSED for resource: module.cost_management.google_bigquery_dataset.cost_export[0]
2025-11-28T06:49:50.6364100Z 	File: /modules/cost-management/main.tf:371-386
2025-11-28T06:49:50.6364902Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6366533Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-3
2025-11-28T06:49:50.6368121Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2025-11-28T06:49:50.6369039Z 	PASSED for resource: module.logging.google_storage_bucket.audit_logs
2025-11-28T06:49:50.6369824Z 	File: /modules/logging/main.tf:49-76
2025-11-28T06:49:50.6370376Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6371738Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2025-11-28T06:49:50.6373925Z Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
2025-11-28T06:49:50.6374716Z 	PASSED for resource: module.logging.google_storage_bucket.audit_logs
2025-11-28T06:49:50.6375321Z 	File: /modules/logging/main.tf:49-76
2025-11-28T06:49:50.6376105Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6377186Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
2025-11-28T06:49:50.6378358Z Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
2025-11-28T06:49:50.6379140Z 	PASSED for resource: module.logging.google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6379978Z 	File: /modules/logging/main.tf:79-102
2025-11-28T06:49:50.6380476Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6381547Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
2025-11-28T06:49:50.6382807Z Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
2025-11-28T06:49:50.6383634Z 	PASSED for resource: module.logging.google_storage_bucket_iam_member.error_logs_writer
2025-11-28T06:49:50.6384303Z 	File: /modules/logging/main.tf:144-150
2025-11-28T06:49:50.6384851Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6386015Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
2025-11-28T06:49:50.6387309Z Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
2025-11-28T06:49:50.6388191Z 	PASSED for resource: module.logging.google_storage_bucket_iam_member.audit_logs_writer
2025-11-28T06:49:50.6388863Z 	File: /modules/logging/main.tf:172-178
2025-11-28T06:49:50.6389386Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6390998Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
2025-11-28T06:49:50.6392257Z Check: CKV_GCP_15: "Ensure that BigQuery datasets are not anonymously or publicly accessible"
2025-11-28T06:49:50.6393040Z 	PASSED for resource: module.logging.google_bigquery_dataset.logs[0]
2025-11-28T06:49:50.6393599Z 	File: /modules/logging/main.tf:181-197
2025-11-28T06:49:50.6394131Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6395330Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-3
2025-11-28T06:49:50.6396639Z Check: CKV_GCP_97: "Ensure Memorystore for Redis uses intransit encryption"
2025-11-28T06:49:50.6397484Z 	PASSED for resource: google_redis_instance.main
2025-11-28T06:49:50.6397979Z 	File: /modules/redis/main.tf:4-47
2025-11-28T06:49:50.6399349Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-uses-intransit-encryption
2025-11-28T06:49:50.6401169Z Check: CKV_GCP_95: "Ensure Memorystore for Redis has AUTH enabled"
2025-11-28T06:49:50.6401762Z 	PASSED for resource: google_redis_instance.main
2025-11-28T06:49:50.6402809Z 	File: /modules/redis/main.tf:4-47
2025-11-28T06:49:50.6404018Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-is-auth-enabled
2025-11-28T06:49:50.6410723Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6413056Z 	PASSED for resource: module.cost_management.google_logging_project_sink.storage_export[0]
2025-11-28T06:49:50.6416102Z 	File: /modules/cost-management/main.tf:168-178
2025-11-28T06:49:50.6419204Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6421623Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6422573Z 	PASSED for resource: module.logging.google_logging_project_sink.all_logs
2025-11-28T06:49:50.6466348Z 	File: /modules/logging/main.tf:109-122
2025-11-28T06:49:50.6468589Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6471359Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6472507Z 	PASSED for resource: module.logging.google_logging_project_sink.bigquery
2025-11-28T06:49:50.6473380Z 	File: /modules/logging/main.tf:199-220
2025-11-28T06:49:50.6474989Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6476914Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6477892Z 	PASSED for resource: module.logging.google_logging_project_sink.bigquery[0]
2025-11-28T06:49:50.6478553Z 	File: /modules/logging/main.tf:199-220
2025-11-28T06:49:50.6480472Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6483052Z Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
2025-11-28T06:49:50.6484298Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6485028Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6486284Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-2-20
2025-11-28T06:49:50.6488980Z Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
2025-11-28T06:49:50.6490759Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6491670Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6493616Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-2-20
2025-11-28T06:49:50.6494575Z Check: CKV2_GCP_7: "Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges"
2025-11-28T06:49:50.6495114Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6495434Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6496426Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/ensure-that-a-mysql-database-instance-does-not-allow-anyone-to-connect-with-administrative-privileges
2025-11-28T06:49:50.6497684Z Check: CKV2_GCP_7: "Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges"
2025-11-28T06:49:50.6498248Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6498574Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6501747Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/ensure-that-a-mysql-database-instance-does-not-allow-anyone-to-connect-with-administrative-privileges
2025-11-28T06:49:50.6506707Z Check: CKV2_GCP_14: "Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'"
2025-11-28T06:49:50.6507538Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6508908Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6511486Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-14
2025-11-28T06:49:50.6514653Z Check: CKV2_GCP_14: "Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'"
2025-11-28T06:49:50.6515874Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6516555Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6518622Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-14
2025-11-28T06:49:50.6519392Z Check: CKV2_GCP_16: "Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'"
2025-11-28T06:49:50.6520439Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6521001Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6522021Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-16
2025-11-28T06:49:50.6523253Z Check: CKV2_GCP_16: "Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'"
2025-11-28T06:49:50.6524043Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6524642Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6525632Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-16
2025-11-28T06:49:50.6526960Z Check: CKV2_GCP_15: "Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'"
2025-11-28T06:49:50.6527747Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6528298Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6529333Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-15
2025-11-28T06:49:50.6530771Z Check: CKV2_GCP_15: "Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'"
2025-11-28T06:49:50.6531606Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6532165Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6533269Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-15
2025-11-28T06:49:50.6534028Z Check: CKV2_GCP_17: "Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'"
2025-11-28T06:49:50.6534524Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6534830Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6535386Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-17
2025-11-28T06:49:50.6536090Z Check: CKV2_GCP_17: "Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'"
2025-11-28T06:49:50.6536555Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6536887Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6537447Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-17
2025-11-28T06:49:50.6538247Z Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6540954Z 	FAILED for resource: google_artifact_registry_repository.replicas
2025-11-28T06:49:50.6566975Z ##[error]	File: /modules/artifact-registry/main.tf:91-136
2025-11-28T06:49:50.6584730Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6586407Z 
2025-11-28T06:49:50.6586682Z 		91  | resource "google_artifact_registry_repository" "replicas" {
2025-11-28T06:49:50.6587278Z 		92  |   for_each = toset(var.replication_regions)
2025-11-28T06:49:50.6587725Z 		93  | 
2025-11-28T06:49:50.6588024Z 		94  |   location      = each.value
2025-11-28T06:49:50.6588450Z 		95  |   repository_id = var.repository_id
2025-11-28T06:49:50.6588928Z 		96  |   project       = var.project_id
2025-11-28T06:49:50.6594887Z 		97  |   description   = "${var.description} (Replica in ${each.value})"
2025-11-28T06:49:50.6595574Z 		98  |   format        = "DOCKER"
2025-11-28T06:49:50.6596243Z 		99  | 
2025-11-28T06:49:50.6596557Z 		100 |   # Match primary repository configuration
2025-11-28T06:49:50.6596971Z 		101 |   docker_config {
2025-11-28T06:49:50.6597370Z 		102 |     immutable_tags = var.immutable_tags
2025-11-28T06:49:50.6597837Z 		103 |   }
2025-11-28T06:49:50.6598118Z 		104 | 
2025-11-28T06:49:50.6598750Z 		105 |   cleanup_policies {
2025-11-28T06:49:50.6599183Z 		106 |     id     = "keep-last-n-versions"
2025-11-28T06:49:50.6600118Z 		107 |     action = "DELETE"
2025-11-28T06:49:50.6600487Z 		108 | 
2025-11-28T06:49:50.6600793Z 		109 |     condition {
2025-11-28T06:49:50.6601157Z 		110 |       tag_state  = "ANY"
2025-11-28T06:49:50.6601728Z 		111 |       older_than = var.retention_days > 0 ? "${var.retention_days}d" : null
2025-11-28T06:49:50.6602299Z 		112 |     }
2025-11-28T06:49:50.6602621Z 		113 | 
2025-11-28T06:49:50.6602929Z 		114 |     most_recent_versions {
2025-11-28T06:49:50.6603373Z 		115 |       keep_count = var.keep_image_count
2025-11-28T06:49:50.6603834Z 		116 |     }
2025-11-28T06:49:50.6604203Z 		117 |   }
2025-11-28T06:49:50.6604519Z 		118 | 
2025-11-28T06:49:50.6604871Z 		119 |   cleanup_policies {
2025-11-28T06:49:50.6605329Z 		120 |     id     = "delete-old-untagged"
2025-11-28T06:49:50.6605817Z 		121 |     action = "DELETE"
2025-11-28T06:49:50.6606205Z 		122 | 
2025-11-28T06:49:50.6606501Z 		123 |     condition {
2025-11-28T06:49:50.6606865Z 		124 |       tag_state  = "UNTAGGED"
2025-11-28T06:49:50.6607349Z 		125 |       older_than = "${var.untagged_retention_days}d"
2025-11-28T06:49:50.6607824Z 		126 |     }
2025-11-28T06:49:50.6608106Z 		127 |   }
2025-11-28T06:49:50.6608386Z 		128 | 
2025-11-28T06:49:50.6608697Z 		129 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6609121Z 		130 |     replica_of = var.location
2025-11-28T06:49:50.6610093Z 		131 |   })
2025-11-28T06:49:50.6610357Z 		132 | 
2025-11-28T06:49:50.6610647Z 		133 |   depends_on = [
2025-11-28T06:49:50.6611270Z 		134 |     google_project_service.artifact_registry
2025-11-28T06:49:50.6612214Z 		135 |   ]
2025-11-28T06:49:50.6612522Z 		136 | }
2025-11-28T06:49:50.6612691Z 
2025-11-28T06:49:50.6613358Z Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6614399Z 	FAILED for resource: google_artifact_registry_repository.remote
2025-11-28T06:49:50.6616218Z ##[error]	File: /modules/artifact-registry/main.tf:290-315
2025-11-28T06:49:50.6618945Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6620920Z 
2025-11-28T06:49:50.6621203Z 		290 | resource "google_artifact_registry_repository" "remote" {
2025-11-28T06:49:50.6621796Z 		291 |   for_each = var.remote_repositories
2025-11-28T06:49:50.6622201Z 		292 | 
2025-11-28T06:49:50.6622490Z 		293 |   location      = var.location
2025-11-28T06:49:50.6622995Z 		294 |   repository_id = "${var.repository_id}-${each.key}"
2025-11-28T06:49:50.6623506Z 		295 |   project       = var.project_id
2025-11-28T06:49:50.6623999Z 		296 |   description   = "Remote repository for ${each.key}"
2025-11-28T06:49:50.6624509Z 		297 |   format        = "DOCKER"
2025-11-28T06:49:50.6624907Z 		298 |   mode          = "REMOTE_REPOSITORY"
2025-11-28T06:49:50.6625325Z 		299 | 
2025-11-28T06:49:50.6625625Z 		300 |   remote_repository_config {
2025-11-28T06:49:50.6626136Z 		301 |     description = "Mirror of ${each.value.upstream_url}"
2025-11-28T06:49:50.6626634Z 		302 | 
2025-11-28T06:49:50.6626925Z 		303 |     docker_repository {
2025-11-28T06:49:50.6627383Z 		304 |       public_repository = each.value.upstream_url
2025-11-28T06:49:50.6627831Z 		305 |     }
2025-11-28T06:49:50.6628119Z 		306 |   }
2025-11-28T06:49:50.6628584Z 		307 | 
2025-11-28T06:49:50.6628907Z 		308 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6632152Z 		309 |     remote_source = each.key
2025-11-28T06:49:50.6632633Z 		310 |   })
2025-11-28T06:49:50.6633204Z 		311 | 
2025-11-28T06:49:50.6633542Z 		312 |   depends_on = [
2025-11-28T06:49:50.6634005Z 		313 |     google_project_service.artifact_registry
2025-11-28T06:49:50.6634495Z 		314 |   ]
2025-11-28T06:49:50.6634781Z 		315 | }
2025-11-28T06:49:50.6634975Z 
2025-11-28T06:49:50.6635259Z Check: CKV_GCP_51: "Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on'"
2025-11-28T06:49:50.6635841Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6636726Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6638041Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-2
2025-11-28T06:49:50.6638604Z 
2025-11-28T06:49:50.6638900Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6640072Z Check: CKV_GCP_79: "Ensure SQL database is using latest Major version"
2025-11-28T06:49:50.6640822Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6641763Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6643805Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-sql-database-uses-the-latest-major-version
2025-11-28T06:49:50.6645081Z 
2025-11-28T06:49:50.6645513Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6646374Z Check: CKV_GCP_111: "Ensure GCP PostgreSQL logs SQL statements"
2025-11-28T06:49:50.6647053Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6648400Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6651072Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-111
2025-11-28T06:49:50.6652249Z 
2025-11-28T06:49:50.6652692Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6653696Z Check: CKV_GCP_108: "Ensure hostnames are logged for GCP PostgreSQL databases"
2025-11-28T06:49:50.6654407Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6655430Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6657242Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-108
2025-11-28T06:49:50.6658116Z 
2025-11-28T06:49:50.6658512Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6659654Z Check: CKV_GCP_109: "Ensure the GCP PostgreSQL database log levels are set to ERROR or lower"
2025-11-28T06:49:50.6660583Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6661612Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6663362Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-109
2025-11-28T06:49:50.6664245Z 
2025-11-28T06:49:50.6664650Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6665554Z Check: CKV_GCP_110: "Ensure pgAudit is enabled for your GCP PostgreSQL database"
2025-11-28T06:49:50.6666271Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6667246Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6668960Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-110
2025-11-28T06:49:50.6670104Z 
2025-11-28T06:49:50.6670529Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6671534Z Check: CKV_GCP_52: "Ensure PostgreSQL database 'log_connections' flag is set to 'on'"
2025-11-28T06:49:50.6672344Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6673862Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6678272Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-3
2025-11-28T06:49:50.6679167Z 
2025-11-28T06:49:50.6679845Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6680816Z Check: CKV_GCP_54: "Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on'"
2025-11-28T06:49:50.6681644Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6682781Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6684604Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-5
2025-11-28T06:49:50.6685483Z 
2025-11-28T06:49:50.6685902Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6686948Z Check: CKV_GCP_53: "Ensure PostgreSQL database 'log_disconnections' flag is set to 'on'"
2025-11-28T06:49:50.6687772Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6688901Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6691053Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-4
2025-11-28T06:49:50.6691935Z 
2025-11-28T06:49:50.6692356Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6693481Z Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6694624Z 	FAILED for resource: module.cost_management.google_artifact_registry_repository.images[0]
2025-11-28T06:49:50.6696129Z ##[error]	File: /modules/cost-management/main.tf:227-271
2025-11-28T06:49:50.6697800Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6699999Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6701711Z 
2025-11-28T06:49:50.6701994Z 		227 | resource "google_artifact_registry_repository" "images" {
2025-11-28T06:49:50.6702629Z 		228 |   count = var.configure_artifact_registry ? 1 : 0
2025-11-28T06:49:50.6703110Z 		229 | 
2025-11-28T06:49:50.6703429Z 		230 |   location      = var.region
2025-11-28T06:49:50.6703983Z 		231 |   repository_id = "${var.project_name}-${var.environment}-images"
2025-11-28T06:49:50.6704687Z 		232 |   description   = "Container images with lifecycle policies"
2025-11-28T06:49:50.6705246Z 		233 |   format        = "DOCKER"
2025-11-28T06:49:50.6705608Z 		234 | 
2025-11-28T06:49:50.6705902Z 		235 |   cleanup_policies {
2025-11-28T06:49:50.6706298Z 		236 |     id     = "delete-old-untagged"
2025-11-28T06:49:50.6706731Z 		237 |     action = "DELETE"
2025-11-28T06:49:50.6707102Z 		238 | 
2025-11-28T06:49:50.6707376Z 		239 |     condition {
2025-11-28T06:49:50.6707711Z 		240 |       tag_state  = "UNTAGGED"
2025-11-28T06:49:50.6708178Z 		241 |       older_than = "${var.artifact_untagged_retention_days}d"
2025-11-28T06:49:50.6708672Z 		242 |     }
2025-11-28T06:49:50.6708944Z 		243 |   }
2025-11-28T06:49:50.6709216Z 		244 | 
2025-11-28T06:49:50.6709782Z 		245 |   cleanup_policies {
2025-11-28T06:49:50.6710204Z 		246 |     id     = "keep-minimum-versions"
2025-11-28T06:49:50.6710627Z 		247 |     action = "KEEP"
2025-11-28T06:49:50.6710958Z 		248 | 
2025-11-28T06:49:50.6711257Z 		249 |     most_recent_versions {
2025-11-28T06:49:50.6711707Z 		250 |       keep_count = var.artifact_minimum_versions
2025-11-28T06:49:50.6712148Z 		251 |     }
2025-11-28T06:49:50.6712415Z 		252 |   }
2025-11-28T06:49:50.6712697Z 		253 | 
2025-11-28T06:49:50.6712985Z 		254 |   cleanup_policies {
2025-11-28T06:49:50.6713372Z 		255 |     id     = "delete-old-tagged"
2025-11-28T06:49:50.6714498Z 		256 |     action = "DELETE"
2025-11-28T06:49:50.6714914Z 		257 | 
2025-11-28T06:49:50.6715197Z 		258 |     condition {
2025-11-28T06:49:50.6715562Z 		259 |       tag_state    = "TAGGED"
2025-11-28T06:49:50.6716011Z 		260 |       tag_prefixes = var.artifact_delete_tag_prefixes
2025-11-28T06:49:50.6716586Z 		261 |       older_than   = "${var.artifact_tagged_retention_days}d"
2025-11-28T06:49:50.6717362Z 		262 |     }
2025-11-28T06:49:50.6717641Z 		263 |   }
2025-11-28T06:49:50.6717896Z 		264 | 
2025-11-28T06:49:50.6718194Z 		265 |   labels = merge(
2025-11-28T06:49:50.6718615Z 		266 |     var.cost_labels,
2025-11-28T06:49:50.6718975Z 		267 |     {
2025-11-28T06:49:50.6719293Z 		268 |       purpose = "container-images"
2025-11-28T06:49:50.6719991Z 		269 |     }
2025-11-28T06:49:50.6720264Z 		270 |   )
2025-11-28T06:49:50.6720568Z 		271 | }
2025-11-28T06:49:50.6720719Z 
2025-11-28T06:49:50.6721830Z Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6722846Z 	FAILED for resource: module.cost_management.google_pubsub_topic.budget_alerts[0]
2025-11-28T06:49:50.6724238Z ##[error]	File: /modules/cost-management/main.tf:75-86
2025-11-28T06:49:50.6725723Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6727506Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6729034Z 
2025-11-28T06:49:50.6729251Z 		75 | resource "google_pubsub_topic" "budget_alerts" {
2025-11-28T06:49:50.6729906Z 		76 |   count = var.create_pubsub_topic ? 1 : 0
2025-11-28T06:49:50.6730345Z 		77 | 
2025-11-28T06:49:50.6730937Z 		78 |   name = "${var.project_name}-${var.environment}-budget-alerts"
2025-11-28T06:49:50.6732013Z 		79 | 
2025-11-28T06:49:50.6732313Z 		80 |   labels = merge(
2025-11-28T06:49:50.6732651Z 		81 |     var.cost_labels,
2025-11-28T06:49:50.6733006Z 		82 |     {
2025-11-28T06:49:50.6733329Z 		83 |       purpose = "budget-alerts"
2025-11-28T06:49:50.6733743Z 		84 |     }
2025-11-28T06:49:50.6734045Z 		85 |   )
2025-11-28T06:49:50.6734329Z 		86 | }
2025-11-28T06:49:50.6734497Z 
2025-11-28T06:49:50.6734815Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2025-11-28T06:49:50.6735622Z 	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
2025-11-28T06:49:50.6736743Z ##[error]	File: /modules/cost-management/main.tf:181-215
2025-11-28T06:49:50.6738680Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6740779Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2025-11-28T06:49:50.6742462Z 
2025-11-28T06:49:50.6742676Z 		181 | resource "google_storage_bucket" "log_archive" {
2025-11-28T06:49:50.6743176Z 		182 |   count = var.export_logs_to_storage ? 1 : 0
2025-11-28T06:49:50.6743640Z 		183 | 
2025-11-28T06:49:50.6744049Z 		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
2025-11-28T06:49:50.6744592Z 		185 |   location      = var.region
2025-11-28T06:49:50.6745113Z 		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
2025-11-28T06:49:50.6745634Z 		187 | 
2025-11-28T06:49:50.6745991Z 		188 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6746589Z 		189 | 
2025-11-28T06:49:50.6746917Z 		190 |   lifecycle_rule {
2025-11-28T06:49:50.6747270Z 		191 |     condition {
2025-11-28T06:49:50.6747678Z 		192 |       age = var.log_archive_retention_days
2025-11-28T06:49:50.6748072Z 		193 |     }
2025-11-28T06:49:50.6748369Z 		194 |     action {
2025-11-28T06:49:50.6748881Z 		195 |       type = "Delete"
2025-11-28T06:49:50.6749445Z 		196 |     }
2025-11-28T06:49:50.6749889Z 		197 |   }
2025-11-28T06:49:50.6750298Z 		198 | 
2025-11-28T06:49:50.6750911Z 		199 |   lifecycle_rule {
2025-11-28T06:49:50.6751306Z 		200 |     condition {
2025-11-28T06:49:50.6751980Z 		201 |       age = 90 # Move to archive after 90 days
2025-11-28T06:49:50.6753432Z 		202 |     }
2025-11-28T06:49:50.6753806Z 		203 |     action {
2025-11-28T06:49:50.6754205Z 		204 |       type          = "SetStorageClass"
2025-11-28T06:49:50.6754704Z 		205 |       storage_class = "ARCHIVE"
2025-11-28T06:49:50.6755146Z 		206 |     }
2025-11-28T06:49:50.6755432Z 		207 |   }
2025-11-28T06:49:50.6755714Z 		208 | 
2025-11-28T06:49:50.6756024Z 		209 |   labels = merge(
2025-11-28T06:49:50.6756360Z 		210 |     var.cost_labels,
2025-11-28T06:49:50.6756729Z 		211 |     {
2025-11-28T06:49:50.6757086Z 		212 |       purpose = "log-archive"
2025-11-28T06:49:50.6757489Z 		213 |     }
2025-11-28T06:49:50.6757807Z 		214 |   )
2025-11-28T06:49:50.6758108Z 		215 | }
2025-11-28T06:49:50.6758318Z 
2025-11-28T06:49:50.6758555Z Check: CKV_GCP_62: "Bucket should log access"
2025-11-28T06:49:50.6759293Z 	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
2025-11-28T06:49:50.6760842Z ##[error]	File: /modules/cost-management/main.tf:181-215
2025-11-28T06:49:50.6762341Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6763576Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2025-11-28T06:49:50.6764554Z 
2025-11-28T06:49:50.6764766Z 		181 | resource "google_storage_bucket" "log_archive" {
2025-11-28T06:49:50.6765299Z 		182 |   count = var.export_logs_to_storage ? 1 : 0
2025-11-28T06:49:50.6765736Z 		183 | 
2025-11-28T06:49:50.6766129Z 		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
2025-11-28T06:49:50.6766654Z 		185 |   location      = var.region
2025-11-28T06:49:50.6767203Z 		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
2025-11-28T06:49:50.6767991Z 		187 | 
2025-11-28T06:49:50.6768311Z 		188 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6768720Z 		189 | 
2025-11-28T06:49:50.6769004Z 		190 |   lifecycle_rule {
2025-11-28T06:49:50.6769355Z 		191 |     condition {
2025-11-28T06:49:50.6770005Z 		192 |       age = var.log_archive_retention_days
2025-11-28T06:49:50.6770500Z 		193 |     }
2025-11-28T06:49:50.6770790Z 		194 |     action {
2025-11-28T06:49:50.6771109Z 		195 |       type = "Delete"
2025-11-28T06:49:50.6771455Z 		196 |     }
2025-11-28T06:49:50.6771730Z 		197 |   }
2025-11-28T06:49:50.6772001Z 		198 | 
2025-11-28T06:49:50.6772280Z 		199 |   lifecycle_rule {
2025-11-28T06:49:50.6772628Z 		200 |     condition {
2025-11-28T06:49:50.6773000Z 		201 |       age = 90 # Move to archive after 90 days
2025-11-28T06:49:50.6773433Z 		202 |     }
2025-11-28T06:49:50.6773720Z 		203 |     action {
2025-11-28T06:49:50.6774061Z 		204 |       type          = "SetStorageClass"
2025-11-28T06:49:50.6774509Z 		205 |       storage_class = "ARCHIVE"
2025-11-28T06:49:50.6774891Z 		206 |     }
2025-11-28T06:49:50.6775168Z 		207 |   }
2025-11-28T06:49:50.6775431Z 		208 | 
2025-11-28T06:49:50.6775716Z 		209 |   labels = merge(
2025-11-28T06:49:50.6776056Z 		210 |     var.cost_labels,
2025-11-28T06:49:50.6776398Z 		211 |     {
2025-11-28T06:49:50.6776708Z 		212 |       purpose = "log-archive"
2025-11-28T06:49:50.6777091Z 		213 |     }
2025-11-28T06:49:50.6777367Z 		214 |   )
2025-11-28T06:49:50.6777630Z 		215 | }
2025-11-28T06:49:50.6777787Z 
2025-11-28T06:49:50.6778202Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2025-11-28T06:49:50.6779088Z 	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
2025-11-28T06:49:50.6780427Z ##[error]	File: /modules/cost-management/main.tf:181-215
2025-11-28T06:49:50.6781751Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6783011Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2025-11-28T06:49:50.6783982Z 
2025-11-28T06:49:50.6784362Z 		181 | resource "google_storage_bucket" "log_archive" {
2025-11-28T06:49:50.6784903Z 		182 |   count = var.export_logs_to_storage ? 1 : 0
2025-11-28T06:49:50.6785332Z 		183 | 
2025-11-28T06:49:50.6785727Z 		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
2025-11-28T06:49:50.6786250Z 		185 |   location      = var.region
2025-11-28T06:49:50.6786796Z 		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
2025-11-28T06:49:50.6787332Z 		187 | 
2025-11-28T06:49:50.6787651Z 		188 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6788058Z 		189 | 
2025-11-28T06:49:50.6788338Z 		190 |   lifecycle_rule {
2025-11-28T06:49:50.6788699Z 		191 |     condition {
2025-11-28T06:49:50.6789062Z 		192 |       age = var.log_archive_retention_days
2025-11-28T06:49:50.6789651Z 		193 |     }
2025-11-28T06:49:50.6789938Z 		194 |     action {
2025-11-28T06:49:50.6790259Z 		195 |       type = "Delete"
2025-11-28T06:49:50.6790600Z 		196 |     }
2025-11-28T06:49:50.6790912Z 		197 |   }
2025-11-28T06:49:50.6791185Z 		198 | 
2025-11-28T06:49:50.6791468Z 		199 |   lifecycle_rule {
2025-11-28T06:49:50.6791812Z 		200 |     condition {
2025-11-28T06:49:50.6792188Z 		201 |       age = 90 # Move to archive after 90 days
2025-11-28T06:49:50.6792612Z 		202 |     }
2025-11-28T06:49:50.6792894Z 		203 |     action {
2025-11-28T06:49:50.6793244Z 		204 |       type          = "SetStorageClass"
2025-11-28T06:49:50.6793687Z 		205 |       storage_class = "ARCHIVE"
2025-11-28T06:49:50.6794067Z 		206 |     }
2025-11-28T06:49:50.6794344Z 		207 |   }
2025-11-28T06:49:50.6794613Z 		208 | 
2025-11-28T06:49:50.6794887Z 		209 |   labels = merge(
2025-11-28T06:49:50.6795230Z 		210 |     var.cost_labels,
2025-11-28T06:49:50.6795565Z 		211 |     {
2025-11-28T06:49:50.6795874Z 		212 |       purpose = "log-archive"
2025-11-28T06:49:50.6796428Z 		213 |     }
2025-11-28T06:49:50.6796707Z 		214 |   )
2025-11-28T06:49:50.6796971Z 		215 | }
2025-11-28T06:49:50.6797134Z 
2025-11-28T06:49:50.6797621Z Check: CKV_GCP_81: "Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6798616Z 	FAILED for resource: module.cost_management.google_bigquery_dataset.cost_export[0]
2025-11-28T06:49:50.6800010Z ##[error]	File: /modules/cost-management/main.tf:371-386
2025-11-28T06:49:50.6801313Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6803139Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1
2025-11-28T06:49:50.6804659Z 
2025-11-28T06:49:50.6804877Z 		371 | resource "google_bigquery_dataset" "cost_export" {
2025-11-28T06:49:50.6805438Z 		372 |   count = var.enable_bigquery_cost_export ? 1 : 0
2025-11-28T06:49:50.6805901Z 		373 | 
2025-11-28T06:49:50.6806410Z 		374 |   dataset_id                  = "${replace(var.project_name, "-", "_")}_${var.environment}_cost_data"
2025-11-28T06:49:50.6807211Z 		375 |   friendly_name               = "${var.project_name} ${var.environment} Cost Data"
2025-11-28T06:49:50.6807893Z 		376 |   description                 = "Cost and usage data for analysis"
2025-11-28T06:49:50.6808487Z 		377 |   location                    = var.bigquery_location
2025-11-28T06:49:50.6809101Z 		378 |   default_table_expiration_ms = var.bigquery_table_expiration_ms
2025-11-28T06:49:50.6809773Z 		379 | 
2025-11-28T06:49:50.6810063Z 		380 |   labels = merge(
2025-11-28T06:49:50.6810406Z 		381 |     var.cost_labels,
2025-11-28T06:49:50.6810749Z 		382 |     {
2025-11-28T06:49:50.6811060Z 		383 |       purpose = "cost-analysis"
2025-11-28T06:49:50.6811451Z 		384 |     }
2025-11-28T06:49:50.6811725Z 		385 |   )
2025-11-28T06:49:50.6811996Z 		386 | }
2025-11-28T06:49:50.6812153Z 
2025-11-28T06:49:50.6812350Z Check: CKV_GCP_62: "Bucket should log access"
2025-11-28T06:49:50.6812972Z 	FAILED for resource: module.logging.google_storage_bucket.audit_logs
2025-11-28T06:49:50.6813986Z ##[error]	File: /modules/logging/main.tf:49-76
2025-11-28T06:49:50.6815198Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6816428Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2025-11-28T06:49:50.6817386Z 
2025-11-28T06:49:50.6817589Z 		49 | resource "google_storage_bucket" "audit_logs" {
2025-11-28T06:49:50.6818103Z 		50 |   name          = "${var.project_id}-audit-logs"
2025-11-28T06:49:50.6818629Z 		51 |   location      = var.region
2025-11-28T06:49:50.6819035Z 		52 |   project       = var.project_id
2025-11-28T06:49:50.6819446Z 		53 |   force_destroy = false
2025-11-28T06:49:50.6819943Z 		54 | 
2025-11-28T06:49:50.6820250Z 		55 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6820664Z 		56 | 
2025-11-28T06:49:50.6820942Z 		57 |   lifecycle_rule {
2025-11-28T06:49:50.6821291Z 		58 |     condition {
2025-11-28T06:49:50.6821605Z 		59 |       age = 400
2025-11-28T06:49:50.6821918Z 		60 |     }
2025-11-28T06:49:50.6822198Z 		61 |     action {
2025-11-28T06:49:50.6822512Z 		62 |       type = "Delete"
2025-11-28T06:49:50.6822846Z 		63 |     }
2025-11-28T06:49:50.6823121Z 		64 |   }
2025-11-28T06:49:50.6823382Z 		65 | 
2025-11-28T06:49:50.6823655Z 		66 |   versioning {
2025-11-28T06:49:50.6823978Z 		67 |     enabled = true
2025-11-28T06:49:50.6824297Z 		68 |   }
2025-11-28T06:49:50.6824564Z 		69 | 
2025-11-28T06:49:50.6824853Z 		70 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6825271Z 		71 |     purpose   = "audit-logs"
2025-11-28T06:49:50.6825663Z 		72 |     retention = "400-days"
2025-11-28T06:49:50.6826024Z 		73 |   })
2025-11-28T06:49:50.6826289Z 		74 | 
2025-11-28T06:49:50.6826631Z 		75 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6827245Z 		76 | }
2025-11-28T06:49:50.6827409Z 
2025-11-28T06:49:50.6827803Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2025-11-28T06:49:50.6828643Z 	FAILED for resource: module.logging.google_storage_bucket.audit_logs
2025-11-28T06:49:50.6829824Z ##[error]	File: /modules/logging/main.tf:49-76
2025-11-28T06:49:50.6831021Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6832257Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2025-11-28T06:49:50.6833211Z 
2025-11-28T06:49:50.6833406Z 		49 | resource "google_storage_bucket" "audit_logs" {
2025-11-28T06:49:50.6833920Z 		50 |   name          = "${var.project_id}-audit-logs"
2025-11-28T06:49:50.6834383Z 		51 |   location      = var.region
2025-11-28T06:49:50.6834780Z 		52 |   project       = var.project_id
2025-11-28T06:49:50.6835190Z 		53 |   force_destroy = false
2025-11-28T06:49:50.6835544Z 		54 | 
2025-11-28T06:49:50.6835853Z 		55 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6836252Z 		56 | 
2025-11-28T06:49:50.6836536Z 		57 |   lifecycle_rule {
2025-11-28T06:49:50.6836875Z 		58 |     condition {
2025-11-28T06:49:50.6837193Z 		59 |       age = 400
2025-11-28T06:49:50.6837502Z 		60 |     }
2025-11-28T06:49:50.6837779Z 		61 |     action {
2025-11-28T06:49:50.6838088Z 		62 |       type = "Delete"
2025-11-28T06:49:50.6838429Z 		63 |     }
2025-11-28T06:49:50.6838711Z 		64 |   }
2025-11-28T06:49:50.6838974Z 		65 | 
2025-11-28T06:49:50.6839250Z 		66 |   versioning {
2025-11-28T06:49:50.6839698Z 		67 |     enabled = true
2025-11-28T06:49:50.6840026Z 		68 |   }
2025-11-28T06:49:50.6840289Z 		69 | 
2025-11-28T06:49:50.6840588Z 		70 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6840992Z 		71 |     purpose   = "audit-logs"
2025-11-28T06:49:50.6841389Z 		72 |     retention = "400-days"
2025-11-28T06:49:50.6841752Z 		73 |   })
2025-11-28T06:49:50.6842015Z 		74 | 
2025-11-28T06:49:50.6842361Z 		75 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6842800Z 		76 | }
2025-11-28T06:49:50.6842958Z 
2025-11-28T06:49:50.6843472Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2025-11-28T06:49:50.6844217Z 	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6845202Z ##[error]	File: /modules/logging/main.tf:79-102
2025-11-28T06:49:50.6846392Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6847823Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2025-11-28T06:49:50.6848984Z 
2025-11-28T06:49:50.6849217Z 		79  | resource "google_storage_bucket" "error_logs_storage" {
2025-11-28T06:49:50.6849923Z 		80  |   name          = "${var.project_id}-error-logs"
2025-11-28T06:49:50.6850377Z 		81  |   location      = var.region
2025-11-28T06:49:50.6850790Z 		82  |   project       = var.project_id
2025-11-28T06:49:50.6851210Z 		83  |   force_destroy = false
2025-11-28T06:49:50.6851563Z 		84  | 
2025-11-28T06:49:50.6851875Z 		85  |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6852281Z 		86  | 
2025-11-28T06:49:50.6852566Z 		87  |   lifecycle_rule {
2025-11-28T06:49:50.6852909Z 		88  |     condition {
2025-11-28T06:49:50.6853229Z 		89  |       age = 30
2025-11-28T06:49:50.6853532Z 		90  |     }
2025-11-28T06:49:50.6853822Z 		91  |     action {
2025-11-28T06:49:50.6854133Z 		92  |       type = "Delete"
2025-11-28T06:49:50.6854477Z 		93  |     }
2025-11-28T06:49:50.6854750Z 		94  |   }
2025-11-28T06:49:50.6855023Z 		95  | 
2025-11-28T06:49:50.6855319Z 		96  |   labels = merge(var.labels, {
2025-11-28T06:49:50.6855735Z 		97  |     purpose   = "error-logs"
2025-11-28T06:49:50.6856134Z 		98  |     retention = "30-days"
2025-11-28T06:49:50.6856492Z 		99  |   })
2025-11-28T06:49:50.6856767Z 		100 | 
2025-11-28T06:49:50.6857114Z 		101 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6857734Z 		102 | }
2025-11-28T06:49:50.6857893Z 
2025-11-28T06:49:50.6858085Z Check: CKV_GCP_62: "Bucket should log access"
2025-11-28T06:49:50.6858741Z 	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6859784Z ##[error]	File: /modules/logging/main.tf:79-102
2025-11-28T06:49:50.6860983Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6862215Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2025-11-28T06:49:50.6863177Z 
2025-11-28T06:49:50.6863411Z 		79  | resource "google_storage_bucket" "error_logs_storage" {
2025-11-28T06:49:50.6864099Z 		80  |   name          = "${var.project_id}-error-logs"
2025-11-28T06:49:50.6864555Z 		81  |   location      = var.region
2025-11-28T06:49:50.6864956Z 		82  |   project       = var.project_id
2025-11-28T06:49:50.6865365Z 		83  |   force_destroy = false
2025-11-28T06:49:50.6865708Z 		84  | 
2025-11-28T06:49:50.6866003Z 		85  |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6866421Z 		86  | 
2025-11-28T06:49:50.6866730Z 		87  |   lifecycle_rule {
2025-11-28T06:49:50.6867115Z 		88  |     condition {
2025-11-28T06:49:50.6867438Z 		89  |       age = 30
2025-11-28T06:49:50.6867781Z 		90  |     }
2025-11-28T06:49:50.6868070Z 		91  |     action {
2025-11-28T06:49:50.6868401Z 		92  |       type = "Delete"
2025-11-28T06:49:50.6868744Z 		93  |     }
2025-11-28T06:49:50.6869025Z 		94  |   }
2025-11-28T06:49:50.6869296Z 		95  | 
2025-11-28T06:49:50.6869723Z 		96  |   labels = merge(var.labels, {
2025-11-28T06:49:50.6870144Z 		97  |     purpose   = "error-logs"
2025-11-28T06:49:50.6870536Z 		98  |     retention = "30-days"
2025-11-28T06:49:50.6870900Z 		99  |   })
2025-11-28T06:49:50.6871173Z 		100 | 
2025-11-28T06:49:50.6871522Z 		101 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6871966Z 		102 | }
2025-11-28T06:49:50.6872130Z 
2025-11-28T06:49:50.6872546Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2025-11-28T06:49:50.6873419Z 	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6874742Z ##[error]	File: /modules/logging/main.tf:79-102
2025-11-28T06:49:50.6876024Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6877253Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2025-11-28T06:49:50.6878220Z 
2025-11-28T06:49:50.6878438Z 		79  | resource "google_storage_bucket" "error_logs_storage" {
2025-11-28T06:49:50.6878975Z 		80  |   name          = "${var.project_id}-error-logs"
2025-11-28T06:49:50.6879445Z 		81  |   location      = var.region
2025-11-28T06:49:50.6885958Z 		82  |   project       = var.project_id
2025-11-28T06:49:50.6886410Z 		83  |   force_destroy = false
2025-11-28T06:49:50.6886766Z 		84  | 
2025-11-28T06:49:50.6887108Z 		85  |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6887525Z 		86  | 
2025-11-28T06:49:50.6887827Z 		87  |   lifecycle_rule {
2025-11-28T06:49:50.6888180Z 		88  |     condition {
2025-11-28T06:49:50.6888529Z 		89  |       age = 30
2025-11-28T06:49:50.6888839Z 		90  |     }
2025-11-28T06:49:50.6889125Z 		91  |     action {
2025-11-28T06:49:50.6889564Z 		92  |       type = "Delete"
2025-11-28T06:49:50.6889922Z 		93  |     }
2025-11-28T06:49:50.6890206Z 		94  |   }
2025-11-28T06:49:50.6890483Z 		95  | 
2025-11-28T06:49:50.6890790Z 		96  |   labels = merge(var.labels, {
2025-11-28T06:49:50.6891206Z 		97  |     purpose   = "error-logs"
2025-11-28T06:49:50.6891604Z 		98  |     retention = "30-days"
2025-11-28T06:49:50.6891946Z 		99  |   })
2025-11-28T06:49:50.6892244Z 		100 | 
2025-11-28T06:49:50.6892604Z 		101 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6893067Z 		102 | }
2025-11-28T06:49:50.6893227Z 
2025-11-28T06:49:50.6893659Z Check: CKV_GCP_81: "Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6894870Z 	FAILED for resource: module.logging.google_bigquery_dataset.logs[0]
2025-11-28T06:49:50.6896113Z ##[error]	File: /modules/logging/main.tf:181-197
2025-11-28T06:49:50.6897585Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6901274Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1
2025-11-28T06:49:50.6902708Z 
2025-11-28T06:49:50.6902901Z 		181 | resource "google_bigquery_dataset" "logs" {
2025-11-28T06:49:50.6906909Z 		182 |   count = var.enable_bigquery_export ? 1 : 0
2025-11-28T06:49:50.6907431Z 		183 | 
2025-11-28T06:49:50.6907756Z 		184 |   dataset_id    = "cloud_logs"
2025-11-28T06:49:50.6908186Z 		185 |   project       = var.project_id
2025-11-28T06:49:50.6908628Z 		186 |   location      = var.region
2025-11-28T06:49:50.6909100Z 		187 |   friendly_name = "Cloud Logs Dataset"
2025-11-28T06:49:50.6909863Z 		188 |   description   = "Dataset for exported Cloud Logs"
2025-11-28T06:49:50.6910308Z 		189 | 
2025-11-28T06:49:50.6910662Z 		190 |   default_table_expiration_ms = 2592000000 # 30 days
2025-11-28T06:49:50.6911095Z 		191 | 
2025-11-28T06:49:50.6911395Z 		192 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6911800Z 		193 |     purpose = "log-analysis"
2025-11-28T06:49:50.6912157Z 		194 |   })
2025-11-28T06:49:50.6912401Z 		195 | 
2025-11-28T06:49:50.6912726Z 		196 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6913144Z 		197 | }
2025-11-28T06:49:50.6913293Z 
2025-11-28T06:49:50.6913681Z Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
2025-11-28T06:49:50.6914488Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6915584Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6917525Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-13
2025-11-28T06:49:50.6918491Z 
2025-11-28T06:49:50.6919287Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6920838Z Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
2025-11-28T06:49:50.6921402Z 	FAILED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6922189Z ##[error]	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6923450Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-13
2025-11-28T06:49:50.6923952Z 
2025-11-28T06:49:50.6924123Z 		92  | resource "google_sql_database_instance" "read_replica" {
2025-11-28T06:49:50.6924554Z 		93  |   count = var.create_read_replica ? 1 : 0
2025-11-28T06:49:50.6924819Z 		94  | 
2025-11-28T06:49:50.6925117Z 		95  |   name                 = "${var.instance_name}-read-replica"
2025-11-28T06:49:50.6925455Z 		96  |   database_version     = var.database_version
2025-11-28T06:49:50.6925897Z 		97  |   region               = var.replica_region != null ? var.replica_region : var.region
2025-11-28T06:49:50.6926342Z 		98  |   master_instance_name = google_sql_database_instance.main.name
2025-11-28T06:49:50.6926769Z 		99  |   project              = var.project_id
2025-11-28T06:49:50.6927018Z 		100 | 
2025-11-28T06:49:50.6927210Z 		101 |   replica_configuration {
2025-11-28T06:49:50.6927525Z 		102 |     failover_target = false
2025-11-28T06:49:50.6927765Z 		103 |   }
2025-11-28T06:49:50.6927924Z 		104 | 
2025-11-28T06:49:50.6928099Z 		105 |   settings {
2025-11-28T06:49:50.6928459Z 		106 |     tier              = var.replica_tier != null ? var.replica_tier : var.tier
2025-11-28T06:49:50.6928805Z 		107 |     availability_type = "ZONAL"
2025-11-28T06:49:50.6929121Z 		108 |     disk_size         = var.disk_size
2025-11-28T06:49:50.6929402Z 		109 |     disk_type         = var.disk_type
2025-11-28T06:49:50.6930269Z 		110 |     disk_autoresize   = var.disk_autoresize
2025-11-28T06:49:50.6930529Z 		111 | 
2025-11-28T06:49:50.6930777Z 		112 |     ip_configuration {
2025-11-28T06:49:50.6931063Z 		113 |       ipv4_enabled    = var.ipv4_enabled
2025-11-28T06:49:50.6931356Z 		114 |       private_network = var.private_network
2025-11-28T06:49:50.6931723Z 		115 |       require_ssl     = var.require_ssl
2025-11-28T06:49:50.6931985Z 		116 |     }
2025-11-28T06:49:50.6932157Z 		117 |   }
2025-11-28T06:49:50.6932344Z 		118 | 
2025-11-28T06:49:50.6932619Z 		119 |   deletion_protection = var.deletion_protection
2025-11-28T06:49:50.6932882Z 		120 | }
2025-11-28T06:49:50.6932981Z 
2025-11-28T06:49:50.6933362Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6933986Z 	FAILED for resource: module.cost_management.google_logging_project_sink.storage_export
2025-11-28T06:49:50.6935124Z ##[error]	File: /modules/cost-management/main.tf:168-178
2025-11-28T06:49:50.6938437Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6940081Z 
2025-11-28T06:49:50.6940371Z 		168 | resource "google_logging_project_sink" "storage_export" {
2025-11-28T06:49:50.6940968Z 		169 |   count = var.export_logs_to_storage ? 1 : 0
2025-11-28T06:49:50.6941435Z 		170 | 
2025-11-28T06:49:50.6941840Z 		171 |   name        = "${var.project_name}-${var.environment}-log-export"
2025-11-28T06:49:50.6942702Z 		172 |   destination = "storage.googleapis.com/${google_storage_bucket.log_archive[0].name}"
2025-11-28T06:49:50.6943378Z 		173 | 
2025-11-28T06:49:50.6943752Z 		174 |   # Export only specific log types to reduce costs
2025-11-28T06:49:50.6944294Z 		175 |   filter = var.log_export_filter
2025-11-28T06:49:50.6944727Z 		176 | 
2025-11-28T06:49:50.6945001Z 		177 |   unique_writer_identity = true
2025-11-28T06:49:50.6945396Z 		178 | }
2025-11-28T06:49:50.6945556Z 
2025-11-28T06:49:50.6946015Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6947216Z 	FAILED for resource: module.logging.google_logging_project_sink.error_logs
2025-11-28T06:49:50.6948523Z ##[error]	File: /modules/logging/main.tf:125-141
2025-11-28T06:49:50.6951142Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6952589Z 
2025-11-28T06:49:50.6952832Z 		125 | resource "google_logging_project_sink" "error_logs" {
2025-11-28T06:49:50.6953359Z 		126 |   name        = "error-logs-sink"
2025-11-28T06:49:50.6953806Z 		127 |   project     = var.project_id
2025-11-28T06:49:50.6954517Z 		128 |   destination = "storage.googleapis.com/${google_storage_bucket.error_logs_storage.name}"
2025-11-28T06:49:50.6955210Z 		129 | 
2025-11-28T06:49:50.6955520Z 		130 |   filter = <<-EOT
2025-11-28T06:49:50.6955874Z 		131 |     severity >= ERROR
2025-11-28T06:49:50.6956311Z 		132 |     NOT (${join(" OR ", var.excluded_log_filters)})
2025-11-28T06:49:50.6956771Z 		133 |   EOT
2025-11-28T06:49:50.6957063Z 		134 | 
2025-11-28T06:49:50.6957358Z 		135 |   unique_writer_identity = true
2025-11-28T06:49:50.6957753Z 		136 | 
2025-11-28T06:49:50.6958037Z 		137 |   depends_on = [
2025-11-28T06:49:50.6958418Z 		138 |     google_project_service.logging,
2025-11-28T06:49:50.6958894Z 		139 |     google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6959304Z 		140 |   ]
2025-11-28T06:49:50.6959722Z 		141 | }
2025-11-28T06:49:50.6959877Z 
2025-11-28T06:49:50.6960335Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6961298Z 	FAILED for resource: module.logging.google_logging_project_sink.audit_logs
2025-11-28T06:49:50.6962537Z ##[error]	File: /modules/logging/main.tf:153-169
2025-11-28T06:49:50.6965044Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6966462Z 
2025-11-28T06:49:50.6966701Z 		153 | resource "google_logging_project_sink" "audit_logs" {
2025-11-28T06:49:50.6967215Z 		154 |   name        = "audit-logs-sink"
2025-11-28T06:49:50.6967624Z 		155 |   project     = var.project_id
2025-11-28T06:49:50.6968219Z 		156 |   destination = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"
2025-11-28T06:49:50.6968829Z 		157 | 
2025-11-28T06:49:50.6969108Z 		158 |   filter = <<-EOT
2025-11-28T06:49:50.6969863Z 		159 |     logName =~ "projects/${var.project_id}/logs/cloudaudit.googleapis.com"
2025-11-28T06:49:50.6970721Z 		160 |     OR protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"
2025-11-28T06:49:50.6971392Z 		161 |   EOT
2025-11-28T06:49:50.6971726Z 		162 | 
2025-11-28T06:49:50.6972115Z 		163 |   unique_writer_identity = true
2025-11-28T06:49:50.6972527Z 		164 | 
2025-11-28T06:49:50.6972852Z 		165 |   depends_on = [
2025-11-28T06:49:50.6973256Z 		166 |     google_project_service.logging,
2025-11-28T06:49:50.6973786Z 		167 |     google_storage_bucket.audit_logs
2025-11-28T06:49:50.6974218Z 		168 |   ]
2025-11-28T06:49:50.6974562Z 		169 | }
2025-11-28T06:49:50.7691428Z ##[group]Run github/codeql-action/upload-sarif@v3
2025-11-28T06:49:50.7691744Z with:
2025-11-28T06:49:50.7691931Z   sarif_file: checkov-results.sarif
2025-11-28T06:49:50.7692300Z   checkout_path: /home/runner/work/archie-platform-v3/archie-platform-v3
2025-11-28T06:49:50.7692781Z   token: ***
2025-11-28T06:49:50.7692959Z   matrix: null
2025-11-28T06:49:50.7693151Z   wait-for-processing: true
2025-11-28T06:49:50.7693358Z env:
2025-11-28T06:49:50.7816905Z   CHECKOV_RESULTS: 

By Prisma Cloud | version: 3.2.494 

terraform scan results:

Passed checks: 44, Failed checks: 28, Skipped checks: 0

Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
	PASSED for resource: google_artifact_registry_repository.main
	File: /modules/artifact-registry/main.tf:34-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
	PASSED for resource: google_artifact_registry_repository_iam_member.cloudbuild_writer
	File: /modules/artifact-registry/main.tf:139-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
	PASSED for resource: google_artifact_registry_repository_iam_member.cloudrun_reader
	File: /modules/artifact-registry/main.tf:150-158
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
	PASSED for resource: google_artifact_registry_repository_iam_member.custom_readers
	File: /modules/artifact-registry/main.tf:161-169
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
	PASSED for resource: google_artifact_registry_repository_iam_member.custom_writers
	File: /modules/artifact-registry/main.tf:172-180
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
Check: CKV_GCP_11: "Ensure that Cloud SQL database Instances are not open to the world"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-4
Check: CKV_GCP_55: "Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-6
Check: CKV_GCP_56: "Ensure PostgreSQL database 'log_temp_files flag is set to '0'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-7
Check: CKV_GCP_60: "Ensure Cloud SQL database does not have public IP"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-11
Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1
Check: CKV_GCP_14: "Ensure all Cloud SQL database instance have backup configuration enabled"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-2
Check: CKV_GCP_57: "Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-8
Check: CKV_GCP_42: "Ensure that Service Account has no Admin privileges"
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-4
Check: CKV_GCP_117: "Ensure basic roles are not used at project level."
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-google-cloud-117
Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10
Check: CKV_GCP_46: "Ensure Default Service account is not used at a project level"
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-7
Check: CKV_GCP_41: "Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"
	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
	File: /modules/cost-management/main.tf:351-357
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-3
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
	PASSED for resource: module.cost_management.google_storage_bucket.log_archive[0]
	File: /modules/cost-management/main.tf:181-215
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
	PASSED for resource: module.cost_management.google_storage_bucket_iam_member.log_writer[0]
	File: /modules/cost-management/main.tf:218-224
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
Check: CKV_GCP_15: "Ensure that BigQuery datasets are not anonymously or publicly accessible"
	PASSED for resource: module.cost_management.google_bigquery_dataset.cost_export[0]
	File: /modules/cost-management/main.tf:371-386
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-3
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
	PASSED for resource: module.logging.google_storage_bucket.audit_logs
	File: /modules/logging/main.tf:49-76
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
	PASSED for resource: module.logging.google_storage_bucket.audit_logs
	File: /modules/logging/main.tf:49-76
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
	PASSED for resource: module.logging.google_storage_bucket.error_logs_storage
	File: /modules/logging/main.tf:79-102
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
	PASSED for resource: module.logging.google_storage_bucket_iam_member.error_logs_writer
	File: /modules/logging/main.tf:144-150
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
	PASSED for resource: module.logging.google_storage_bucket_iam_member.audit_logs_writer
	File: /modules/logging/main.tf:172-178
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
Check: CKV_GCP_15: "Ensure that BigQuery datasets are not anonymously or publicly accessible"
	PASSED for resource: module.logging.google_bigquery_dataset.logs[0]
	File: /modules/logging/main.tf:181-197
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-3
Check: CKV_GCP_97: "Ensure Memorystore for Redis uses intransit encryption"
	PASSED for resource: google_redis_instance.main
	File: /modules/redis/main.tf:4-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-uses-intransit-encryption
Check: CKV_GCP_95: "Ensure Memorystore for Redis has AUTH enabled"
	PASSED for resource: google_redis_instance.main
	File: /modules/redis/main.tf:4-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-is-auth-enabled
Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	PASSED for resource: module.cost_management.google_logging_project_sink.storage_export[0]
	File: /modules/cost-management/main.tf:168-178
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	PASSED for resource: module.logging.google_logging_project_sink.all_logs
	File: /modules/logging/main.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	PASSED for resource: module.logging.google_logging_project_sink.bigquery
	File: /modules/logging/main.tf:199-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	PASSED for resource: module.logging.google_logging_project_sink.bigquery[0]
	File: /modules/logging/main.tf:199-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-2-20
Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-2-20
Check: CKV2_GCP_7: "Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/ensure-that-a-mysql-database-instance-does-not-allow-anyone-to-connect-with-administrative-privileges
Check: CKV2_GCP_7: "Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/ensure-that-a-mysql-database-instance-does-not-allow-anyone-to-connect-with-administrative-privileges
Check: CKV2_GCP_14: "Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-14
Check: CKV2_GCP_14: "Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-14
Check: CKV2_GCP_16: "Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-16
Check: CKV2_GCP_16: "Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-16
Check: CKV2_GCP_15: "Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-15
Check: CKV2_GCP_15: "Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-15
Check: CKV2_GCP_17: "Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-17
Check: CKV2_GCP_17: "Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'"
	PASSED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-17
Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: google_artifact_registry_repository.replicas
	File: /modules/artifact-registry/main.tf:91-136
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek

		91  | resource "google_artifact_registry_repository" "replicas" {
		92  |   for_each = toset(var.replication_regions)
		93  | 
		94  |   location      = each.value
		95  |   repository_id = var.repository_id
		96  |   project       = var.project_id
		97  |   description   = "${var.description} (Replica in ${each.value})"
		98  |   format        = "DOCKER"
		99  | 
		100 |   # Match primary repository configuration
		101 |   docker_config {
		102 |     immutable_tags = var.immutable_tags
		103 |   }
		104 | 
		105 |   cleanup_policies {
		106 |     id     = "keep-last-n-versions"
		107 |     action = "DELETE"
		108 | 
		109 |     condition {
		110 |       tag_state  = "ANY"
		111 |       older_than = var.retention_days > 0 ? "${var.retention_days}d" : null
		112 |     }
		113 | 
		114 |     most_recent_versions {
		115 |       keep_count = var.keep_image_count
		116 |     }
		117 |   }
		118 | 
		119 |   cleanup_policies {
		120 |     id     = "delete-old-untagged"
		121 |     action = "DELETE"
		122 | 
		123 |     condition {
		124 |       tag_state  = "UNTAGGED"
		125 |       older_than = "${var.untagged_retention_days}d"
		126 |     }
		127 |   }
		128 | 
		129 |   labels = merge(var.labels, {
		130 |     replica_of = var.location
		131 |   })
		132 | 
		133 |   depends_on = [
		134 |     google_project_service.artifact_registry
		135 |   ]
		136 | }

Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: google_artifact_registry_repository.remote
	File: /modules/artifact-registry/main.tf:290-315
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek

		290 | resource "google_artifact_registry_repository" "remote" {
		291 |   for_each = var.remote_repositories
		292 | 
		293 |   location      = var.location
		294 |   repository_id = "${var.repository_id}-${each.key}"
		295 |   project       = var.project_id
		296 |   description   = "Remote repository for ${each.key}"
		297 |   format        = "DOCKER"
		298 |   mode          = "REMOTE_REPOSITORY"
		299 | 
		300 |   remote_repository_config {
		301 |     description = "Mirror of ${each.value.upstream_url}"
		302 | 
		303 |     docker_repository {
		304 |       public_repository = each.value.upstream_url
		305 |     }
		306 |   }
		307 | 
		308 |   labels = merge(var.labels, {
		309 |     remote_source = each.key
		310 |   })
		311 | 
		312 |   depends_on = [
		313 |     google_project_service.artifact_registry
		314 |   ]
		315 | }

Check: CKV_GCP_51: "Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_79: "Ensure SQL database is using latest Major version"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-sql-database-uses-the-latest-major-version

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_111: "Ensure GCP PostgreSQL logs SQL statements"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-111

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_108: "Ensure hostnames are logged for GCP PostgreSQL databases"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-108

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_109: "Ensure the GCP PostgreSQL database log levels are set to ERROR or lower"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-109

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_110: "Ensure pgAudit is enabled for your GCP PostgreSQL database"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-110

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_52: "Ensure PostgreSQL database 'log_connections' flag is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-3

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_54: "Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-5

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_53: "Ensure PostgreSQL database 'log_disconnections' flag is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-4

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: module.cost_management.google_artifact_registry_repository.images[0]
	File: /modules/cost-management/main.tf:227-271
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek

		227 | resource "google_artifact_registry_repository" "images" {
		228 |   count = var.configure_artifact_registry ? 1 : 0
		229 | 
		230 |   location      = var.region
		231 |   repository_id = "${var.project_name}-${var.environment}-images"
		232 |   description   = "Container images with lifecycle policies"
		233 |   format        = "DOCKER"
		234 | 
		235 |   cleanup_policies {
		236 |     id     = "delete-old-untagged"
		237 |     action = "DELETE"
		238 | 
		239 |     condition {
		240 |       tag_state  = "UNTAGGED"
		241 |       older_than = "${var.artifact_untagged_retention_days}d"
		242 |     }
		243 |   }
		244 | 
		245 |   cleanup_policies {
		246 |     id     = "keep-minimum-versions"
		247 |     action = "KEEP"
		248 | 
		249 |     most_recent_versions {
		250 |       keep_count = var.artifact_minimum_versions
		251 |     }
		252 |   }
		253 | 
		254 |   cleanup_policies {
		255 |     id     = "delete-old-tagged"
		256 |     action = "DELETE"
		257 | 
		258 |     condition {
		259 |       tag_state    = "TAGGED"
		260 |       tag_prefixes = var.artifact_delete_tag_prefixes
		261 |       older_than   = "${var.artifact_tagged_retention_days}d"
		262 |     }
		263 |   }
		264 | 
		265 |   labels = merge(
		266 |     var.cost_labels,
		267 |     {
		268 |       purpose = "container-images"
		269 |     }
		270 |   )
		271 | }

Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: module.cost_management.google_pubsub_topic.budget_alerts[0]
	File: /modules/cost-management/main.tf:75-86
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek

		75 | resource "google_pubsub_topic" "budget_alerts" {
		76 |   count = var.create_pubsub_topic ? 1 : 0
		77 | 
		78 |   name = "${var.project_name}-${var.environment}-budget-alerts"
		79 | 
		80 |   labels = merge(
		81 |     var.cost_labels,
		82 |     {
		83 |       purpose = "budget-alerts"
		84 |     }
		85 |   )
		86 | }

Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
	File: /modules/cost-management/main.tf:181-215
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled

		181 | resource "google_storage_bucket" "log_archive" {
		182 |   count = var.export_logs_to_storage ? 1 : 0
		183 | 
		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
		185 |   location      = var.region
		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
		187 | 
		188 |   uniform_bucket_level_access = true
		189 | 
		190 |   lifecycle_rule {
		191 |     condition {
		192 |       age = var.log_archive_retention_days
		193 |     }
		194 |     action {
		195 |       type = "Delete"
		196 |     }
		197 |   }
		198 | 
		199 |   lifecycle_rule {
		200 |     condition {
		201 |       age = 90 # Move to archive after 90 days
		202 |     }
		203 |     action {
		204 |       type          = "SetStorageClass"
		205 |       storage_class = "ARCHIVE"
		206 |     }
		207 |   }
		208 | 
		209 |   labels = merge(
		210 |     var.cost_labels,
		211 |     {
		212 |       purpose = "log-archive"
		213 |     }
		214 |   )
		215 | }

Check: CKV_GCP_62: "Bucket should log access"
	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
	File: /modules/cost-management/main.tf:181-215
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2

		181 | resource "google_storage_bucket" "log_archive" {
		182 |   count = var.export_logs_to_storage ? 1 : 0
		183 | 
		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
		185 |   location      = var.region
		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
		187 | 
		188 |   uniform_bucket_level_access = true
		189 | 
		190 |   lifecycle_rule {
		191 |     condition {
		192 |       age = var.log_archive_retention_days
		193 |     }
		194 |     action {
		195 |       type = "Delete"
		196 |     }
		197 |   }
		198 | 
		199 |   lifecycle_rule {
		200 |     condition {
		201 |       age = 90 # Move to archive after 90 days
		202 |     }
		203 |     action {
		204 |       type          = "SetStorageClass"
		205 |       storage_class = "ARCHIVE"
		206 |     }
		207 |   }
		208 | 
		209 |   labels = merge(
		210 |     var.cost_labels,
		211 |     {
		212 |       purpose = "log-archive"
		213 |     }
		214 |   )
		215 | }

Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
	File: /modules/cost-management/main.tf:181-215
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114

		181 | resource "google_storage_bucket" "log_archive" {
		182 |   count = var.export_logs_to_storage ? 1 : 0
		183 | 
		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
		185 |   location      = var.region
		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
		187 | 
		188 |   uniform_bucket_level_access = true
		189 | 
		190 |   lifecycle_rule {
		191 |     condition {
		192 |       age = var.log_archive_retention_days
		193 |     }
		194 |     action {
		195 |       type = "Delete"
		196 |     }
		197 |   }
		198 | 
		199 |   lifecycle_rule {
		200 |     condition {
		201 |       age = 90 # Move to archive after 90 days
		202 |     }
		203 |     action {
		204 |       type          = "SetStorageClass"
		205 |       storage_class = "ARCHIVE"
		206 |     }
		207 |   }
		208 | 
		209 |   labels = merge(
		210 |     var.cost_labels,
		211 |     {
		212 |       purpose = "log-archive"
		213 |     }
		214 |   )
		215 | }

Check: CKV_GCP_81: "Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: module.cost_management.google_bigquery_dataset.cost_export[0]
	File: /modules/cost-management/main.tf:371-386
	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1

		371 | resource "google_bigquery_dataset" "cost_export" {
		372 |   count = var.enable_bigquery_cost_export ? 1 : 0
		373 | 
		374 |   dataset_id                  = "${replace(var.project_name, "-", "_")}_${var.environment}_cost_data"
		375 |   friendly_name               = "${var.project_name} ${var.environment} Cost Data"
		376 |   description                 = "Cost and usage data for analysis"
		377 |   location                    = var.bigquery_location
		378 |   default_table_expiration_ms = var.bigquery_table_expiration_ms
		379 | 
		380 |   labels = merge(
		381 |     var.cost_labels,
		382 |     {
		383 |       purpose = "cost-analysis"
		384 |     }
		385 |   )
		386 | }

Check: CKV_GCP_62: "Bucket should log access"
	FAILED for resource: module.logging.google_storage_bucket.audit_logs
	File: /modules/logging/main.tf:49-76
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2

		49 | resource "google_storage_bucket" "audit_logs" {
		50 |   name          = "${var.project_id}-audit-logs"
		51 |   location      = var.region
		52 |   project       = var.project_id
		53 |   force_destroy = false
		54 | 
		55 |   uniform_bucket_level_access = true
		56 | 
		57 |   lifecycle_rule {
		58 |     condition {
		59 |       age = 400
		60 |     }
		61 |     action {
		62 |       type = "Delete"
		63 |     }
		64 |   }
		65 | 
		66 |   versioning {
		67 |     enabled = true
		68 |   }
		69 | 
		70 |   labels = merge(var.labels, {
		71 |     purpose   = "audit-logs"
		72 |     retention = "400-days"
		73 |   })
		74 | 
		75 |   depends_on = [google_project_service.logging]
		76 | }

Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
	FAILED for resource: module.logging.google_storage_bucket.audit_logs
	File: /modules/logging/main.tf:49-76
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114

		49 | resource "google_storage_bucket" "audit_logs" {
		50 |   name          = "${var.project_id}-audit-logs"
		51 |   location      = var.region
		52 |   project       = var.project_id
		53 |   force_destroy = false
		54 | 
		55 |   uniform_bucket_level_access = true
		56 | 
		57 |   lifecycle_rule {
		58 |     condition {
		59 |       age = 400
		60 |     }
		61 |     action {
		62 |       type = "Delete"
		63 |     }
		64 |   }
		65 | 
		66 |   versioning {
		67 |     enabled = true
		68 |   }
		69 | 
		70 |   labels = merge(var.labels, {
		71 |     purpose   = "audit-logs"
		72 |     retention = "400-days"
		73 |   })
		74 | 
		75 |   depends_on = [google_project_service.logging]
		76 | }

Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
	File: /modules/logging/main.tf:79-102
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled

		79  | resource "google_storage_bucket" "error_logs_storage" {
		80  |   name          = "${var.project_id}-error-logs"
		81  |   location      = var.region
		82  |   project       = var.project_id
		83  |   force_destroy = false
		84  | 
		85  |   uniform_bucket_level_access = true
		86  | 
		87  |   lifecycle_rule {
		88  |     condition {
		89  |       age = 30
		90  |     }
		91  |     action {
		92  |       type = "Delete"
		93  |     }
		94  |   }
		95  | 
		96  |   labels = merge(var.labels, {
		97  |     purpose   = "error-logs"
		98  |     retention = "30-days"
		99  |   })
		100 | 
		101 |   depends_on = [google_project_service.logging]
		102 | }

Check: CKV_GCP_62: "Bucket should log access"
	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
	File: /modules/logging/main.tf:79-102
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2

		79  | resource "google_storage_bucket" "error_logs_storage" {
		80  |   name          = "${var.project_id}-error-logs"
		81  |   location      = var.region
		82  |   project       = var.project_id
		83  |   force_destroy = false
		84  | 
		85  |   uniform_bucket_level_access = true
		86  | 
		87  |   lifecycle_rule {
		88  |     condition {
		89  |       age = 30
		90  |     }
		91  |     action {
		92  |       type = "Delete"
		93  |     }
		94  |   }
		95  | 
		96  |   labels = merge(var.labels, {
		97  |     purpose   = "error-logs"
		98  |     retention = "30-days"
		99  |   })
		100 | 
		101 |   depends_on = [google_project_service.logging]
		102 | }

Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
	File: /modules/logging/main.tf:79-102
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114

		79  | resource "google_storage_bucket" "error_logs_storage" {
		80  |   name          = "${var.project_id}-error-logs"
		81  |   location      = var.region
		82  |   project       = var.project_id
		83  |   force_destroy = false
		84  | 
		85  |   uniform_bucket_level_access = true
		86  | 
		87  |   lifecycle_rule {
		88  |     condition {
		89  |       age = 30
		90  |     }
		91  |     action {
		92  |       type = "Delete"
		93  |     }
		94  |   }
		95  | 
		96  |   labels = merge(var.labels, {
		97  |     purpose   = "error-logs"
		98  |     retention = "30-days"
		99  |   })
		100 | 
		101 |   depends_on = [google_project_service.logging]
		102 | }

Check: CKV_GCP_81: "Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)"
	FAILED for resource: module.logging.google_bigquery_dataset.logs[0]
	File: /modules/logging/main.tf:181-197
	Calling File: /modules/logging/examples/production/main.tf:26-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1

		181 | resource "google_bigquery_dataset" "logs" {
		182 |   count = var.enable_bigquery_export ? 1 : 0
		183 | 
		184 |   dataset_id    = "cloud_logs"
		185 |   project       = var.project_id
		186 |   location      = var.region
		187 |   friendly_name = "Cloud Logs Dataset"
		188 |   description   = "Dataset for exported Cloud Logs"
		189 | 
		190 |   default_table_expiration_ms = 2592000000 # 30 days
		191 | 
		192 |   labels = merge(var.labels, {
		193 |     purpose = "log-analysis"
		194 |   })
		195 | 
		196 |   depends_on = [google_project_service.logging]
		197 | }

Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
	FAILED for resource: google_sql_database_instance.main
	File: /modules/cloudsql/main.tf:4-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
	FAILED for resource: google_sql_database_instance.read_replica
	File: /modules/cloudsql/main.tf:92-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-13

		92  | resource "google_sql_database_instance" "read_replica" {
		93  |   count = var.create_read_replica ? 1 : 0
		94  | 
		95  |   name                 = "${var.instance_name}-read-replica"
		96  |   database_version     = var.database_version
		97  |   region               = var.replica_region != null ? var.replica_region : var.region
		98  |   master_instance_name = google_sql_database_instance.main.name
		99  |   project              = var.project_id
		100 | 
		101 |   replica_configuration {
		102 |     failover_target = false
		103 |   }
		104 | 
		105 |   settings {
		106 |     tier              = var.replica_tier != null ? var.replica_tier : var.tier
		107 |     availability_type = "ZONAL"
		108 |     disk_size         = var.disk_size
		109 |     disk_type         = var.disk_type
		110 |     disk_autoresize   = var.disk_autoresize
		111 | 
		112 |     ip_configuration {
		113 |       ipv4_enabled    = var.ipv4_enabled
		114 |       private_network = var.private_network
		115 |       require_ssl     = var.require_ssl
		116 |     }
		117 |   }
		118 | 
		119 |   deletion_protection = var.deletion_protection
		120 | }

Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	FAILED for resource: module.cost_management.google_logging_project_sink.storage_export
	File: /modules/cost-management/main.tf:168-178
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock

		168 | resource "google_logging_project_sink" "storage_export" {
		169 |   count = var.export_logs_to_storage ? 1 : 0
		170 | 
		171 |   name        = "${var.project_name}-${var.environment}-log-export"
		172 |   destination = "storage.googleapis.com/${google_storage_bucket.log_archive[0].name}"
		173 | 
		174 |   # Export only specific log types to reduce costs
		175 |   filter = var.log_export_filter
		176 | 
		177 |   unique_writer_identity = true
		178 | }

Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	FAILED for resource: module.logging.google_logging_project_sink.error_logs
	File: /modules/logging/main.tf:125-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock

		125 | resource "google_logging_project_sink" "error_logs" {
		126 |   name        = "error-logs-sink"
		127 |   project     = var.project_id
		128 |   destination = "storage.googleapis.com/${google_storage_bucket.error_logs_storage.name}"
		129 | 
		130 |   filter = <<-EOT
		131 |     severity >= ERROR
		132 |     NOT (${join(" OR ", var.excluded_log_filters)})
		133 |   EOT
		134 | 
		135 |   unique_writer_identity = true
		136 | 
		137 |   depends_on = [
		138 |     google_project_service.logging,
		139 |     google_storage_bucket.error_logs_storage
		140 |   ]
		141 | }

Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
	FAILED for resource: module.logging.google_logging_project_sink.audit_logs
	File: /modules/logging/main.tf:153-169
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock

		153 | resource "google_logging_project_sink" "audit_logs" {
		154 |   name        = "audit-logs-sink"
		155 |   project     = var.project_id
		156 |   destination = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"
		157 | 
		158 |   filter = <<-EOT
		159 |     logName =~ "projects/${var.project_id}/logs/cloudaudit.googleapis.com"
		160 |     OR protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"
		161 |   EOT
		162 | 
		163 |   unique_writer_identity = true
		164 | 
		165 |   depends_on = [
		166 |     google_project_service.logging,
		167 |     google_storage_bucket.audit_logs
		168 |   ]
		169 | }
2025-11-28T06:49:50.7940545Z ##[endgroup]
2025-11-28T06:49:50.9545935Z ##[warning]CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/
2025-11-28T06:49:51.5413765Z Post-processing sarif files: ["/home/runner/work/archie-platform-v3/archie-platform-v3/checkov-results.sarif/results_sarif.sarif"]
2025-11-28T06:49:51.5418947Z Validating /home/runner/work/archie-platform-v3/archie-platform-v3/checkov-results.sarif/results_sarif.sarif
2025-11-28T06:49:51.6633506Z Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
2025-11-28T06:49:51.7120582Z ##[group]Uploading code scanning results
2025-11-28T06:49:51.7400764Z Uploading results
2025-11-28T06:49:51.8627004Z ##[warning]Code Security must be enabled for this repository to use code scanning. - https://docs.github.com/rest
2025-11-28T06:49:51.8633816Z ##[error]Please verify that the necessary features are enabled: Code Security must be enabled for this repository to use code scanning. - https://docs.github.com/rest
2025-11-28T06:49:52.0205737Z Post job cleanup.
2025-11-28T06:49:52.2192282Z ##[group]Uploading combined SARIF debug artifact
2025-11-28T06:49:52.2202014Z ##[endgroup]
2025-11-28T06:49:52.2311720Z Post job cleanup.
2025-11-28T06:49:52.3365887Z [command]/usr/bin/git version
2025-11-28T06:49:52.3446626Z git version 2.51.2
2025-11-28T06:49:52.3531439Z Temporarily overriding HOME='/home/runner/work/_temp/694713c3-d023-43e6-bd13-60c18ff4eafc' before making global git config changes
2025-11-28T06:49:52.3532711Z Adding repository directory to the temporary git global config as a safe directory
2025-11-28T06:49:52.3541130Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/archie-platform-v3/archie-platform-v3
2025-11-28T06:49:52.3636189Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2025-11-28T06:49:52.3702622Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2025-11-28T06:49:52.4015257Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2025-11-28T06:49:52.4040831Z http.https://github.com/.extraheader
2025-11-28T06:49:52.4056646Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2025-11-28T06:49:52.4102177Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2025-11-28T06:49:52.4358934Z [command]/usr/bin/git config --local --name-only --get-regexp ^includeIf\.gitdir:
2025-11-28T06:49:52.4395715Z [command]/usr/bin/git submodule foreach --recursive git config --local --show-origin --name-only --get-regexp remote.origin.url
2025-11-28T06:49:52.4757405Z Cleaning up orphan processes
