﻿2025-11-28T06:49:42.7197659Z ##[group]Run bridgecrewio/checkov-action@master
2025-11-28T06:49:42.7197970Z with:
2025-11-28T06:49:42.7198147Z   directory: terraform/
2025-11-28T06:49:42.7198354Z   framework: terraform
2025-11-28T06:49:42.7198540Z   soft_fail: true
2025-11-28T06:49:42.7198724Z   output_format: sarif
2025-11-28T06:49:42.7198934Z   output_file_path: checkov-results.sarif
2025-11-28T06:49:42.7199186Z   log_level: WARNING
2025-11-28T06:49:42.7199368Z   container_user: 0
2025-11-28T06:49:42.7199915Z ##[endgroup]
2025-11-28T06:49:42.7279192Z ##[command]/usr/bin/docker run --name ghcriobridgecrewiocheckov32495_25036e --label 1fa1db --workdir /github/workspace --rm -e "INPUT_DIRECTORY" -e "INPUT_FRAMEWORK" -e "INPUT_SOFT_FAIL" -e "INPUT_OUTPUT_FORMAT" -e "INPUT_OUTPUT_FILE_PATH" -e "INPUT_FILE" -e "INPUT_CHECK" -e "INPUT_SKIP_CHECK" -e "INPUT_COMPACT" -e "INPUT_QUIET" -e "INPUT_API-KEY" -e "INPUT_OUTPUT_BC_IDS" -e "INPUT_USE_ENFORCEMENT_RULES" -e "INPUT_SKIP_RESULTS_UPLOAD" -e "INPUT_SKIP_FRAMEWORK" -e "INPUT_EXTERNAL_CHECKS_DIRS" -e "INPUT_EXTERNAL_CHECKS_REPOS" -e "INPUT_DOWNLOAD_EXTERNAL_MODULES" -e "INPUT_ENABLE_SECRETS_SCAN_ALL_FILES" -e "INPUT_LOG_LEVEL" -e "INPUT_CONFIG_FILE" -e "INPUT_BASELINE" -e "INPUT_SOFT_FAIL_ON" -e "INPUT_HARD_FAIL_ON" -e "INPUT_CONTAINER_USER" -e "INPUT_DOCKER_IMAGE" -e "INPUT_DOCKERFILE_PATH" -e "INPUT_VAR_FILE" -e "INPUT_GITHUB_PAT" -e "INPUT_TFC_TOKEN" -e "INPUT_TF_REGISTRY_TOKEN" -e "INPUT_CKV_VALIDATE_SECRETS" -e "INPUT_VCS_BASE_URL" -e "INPUT_VCS_USERNAME" -e "INPUT_VCS_TOKEN" -e "INPUT_BITBUCKET_TOKEN" -e "INPUT_BITBUCKET_APP_PASSWORD" -e "INPUT_BITBUCKET_USERNAME" -e "INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT" -e "INPUT_DEEP_ANALYSIS" -e "INPUT_POLICY_METADATA_FILTER" -e "INPUT_POLICY_METADATA_FILTER_EXCEPTION" -e "INPUT_SKIP_PATH" -e "INPUT_SKIP_CVE_PACKAGE" -e "INPUT_SKIP_DOWNLOAD" -e "INPUT_PRISMA-API-URL" -e "API_KEY_VARIABLE" -e "GITHUB_PAT" -e "TFC_TOKEN" -e "TF_REGISTRY_TOKEN" -e "VCS_USERNAME" -e "VCS_BASE_URL" -e "VCS_TOKEN" -e "BITBUCKET_TOKEN" -e "BITBUCKET_USERNAME" -e "BITBUCKET_APP_PASSWORD" -e "PRISMA_API_URL" -e "CKV_VALIDATE_SECRETS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp":"/github/runner_temp" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/archie-platform-v3/archie-platform-v3":"/github/workspace" ghcr.io/bridgecrewio/checkov:3.2.495  "" "terraform/" "" "" "" "" "true" "" "" "" "terraform" "" "" "" "sarif" "checkov-results.sarif" "" "" "WARNING" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "--user 0"
2025-11-28T06:49:42.9058999Z BC_FROM_BRANCH=feat/security-service-consolidation
2025-11-28T06:49:42.9060969Z BC_TO_BRANCH=main
2025-11-28T06:49:42.9085035Z BC_PR_ID=175
2025-11-28T06:49:42.9087234Z BC_PR_URL=https://github.com/heyarchie-ai/archie-platform-v3/pull/175
2025-11-28T06:49:42.9089219Z BC_COMMIT_HASH=08dee3a63c06007d7f2dd1d4ce09aa92c8f43e09
2025-11-28T06:49:42.9091167Z BC_COMMIT_URL=https://github.com/heyarchie-ai/archie-platform-v3/commit/08dee3a63c06007d7f2dd1d4ce09aa92c8f43e09
2025-11-28T06:49:42.9092025Z BC_AUTHOR_NAME=smcleodau
2025-11-28T06:49:42.9092445Z BC_AUTHOR_URL=https://github.com/smcleodau
2025-11-28T06:49:42.9092879Z BC_RUN_ID=3
2025-11-28T06:49:42.9093553Z BC_RUN_URL=https://github.com/heyarchie-ai/archie-platform-v3/actions/runs/19756337639
2025-11-28T06:49:42.9094379Z BC_REPOSITORY_URL=https://github.com/heyarchie-ai/archie-platform-v3
2025-11-28T06:49:42.9095021Z running checkov on directory: terraform/
2025-11-28T06:49:42.9095965Z checkov -d terraform/     --soft-fail        --output sarif --output-file-path checkov-results.sarif      --framework terraform         
2025-11-28T06:49:46.2574292Z 2025-11-28 06:49:46,256 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2591776Z 2025-11-28 06:49:46,256 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2596784Z 2025-11-28 06:49:46,256 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2601550Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2605044Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2608555Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2612219Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2615694Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2619131Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Module /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'> due to: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:46.2622696Z 2025-11-28 06:49:46,257 [MainThread  ] [WARNI]  Unable to load module - source: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry, version: latest, error: /github/workspace/terraform/modules/artifact-registry/modules/artifact-registry
2025-11-28T06:49:50.6235468Z 
2025-11-28T06:49:50.6239968Z 
2025-11-28T06:49:50.6240515Z        _               _
2025-11-28T06:49:50.6240953Z    ___| |__   ___  ___| | _______   __
2025-11-28T06:49:50.6241371Z   / __| '_ \ / _ \/ __| |/ / _ \ \ / /
2025-11-28T06:49:50.6241784Z  | (__| | | |  __/ (__|   < (_) \ V /
2025-11-28T06:49:50.6242183Z   \___|_| |_|\___|\___|_|\_\___/ \_/
2025-11-28T06:49:50.6242457Z 
2025-11-28T06:49:50.6242615Z By Prisma Cloud | version: 3.2.494 
2025-11-28T06:49:50.6243058Z Update available 3.2.494 -> 3.2.495
2025-11-28T06:49:50.6243504Z Run pip3 install -U checkov to update 
2025-11-28T06:49:50.6243818Z 
2025-11-28T06:49:50.6243967Z terraform scan results:
2025-11-28T06:49:50.6244195Z 
2025-11-28T06:49:50.6244432Z Passed checks: 44, Failed checks: 28, Skipped checks: 0
2025-11-28T06:49:50.6244832Z 
2025-11-28T06:49:50.6254860Z Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6255978Z 	PASSED for resource: google_artifact_registry_repository.main
2025-11-28T06:49:50.6256666Z 	File: /modules/artifact-registry/main.tf:34-88
2025-11-28T06:49:50.6258581Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6264426Z Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
2025-11-28T06:49:50.6265483Z 	PASSED for resource: google_artifact_registry_repository_iam_member.cloudbuild_writer
2025-11-28T06:49:50.6266334Z 	File: /modules/artifact-registry/main.tf:139-147
2025-11-28T06:49:50.6267968Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
2025-11-28T06:49:50.6270421Z Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
2025-11-28T06:49:50.6271479Z 	PASSED for resource: google_artifact_registry_repository_iam_member.cloudrun_reader
2025-11-28T06:49:50.6272199Z 	File: /modules/artifact-registry/main.tf:150-158
2025-11-28T06:49:50.6273802Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
2025-11-28T06:49:50.6275764Z Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
2025-11-28T06:49:50.6276805Z 	PASSED for resource: google_artifact_registry_repository_iam_member.custom_readers
2025-11-28T06:49:50.6277525Z 	File: /modules/artifact-registry/main.tf:161-169
2025-11-28T06:49:50.6279307Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
2025-11-28T06:49:50.6281507Z Check: CKV_GCP_101: "Ensure that Artifact Registry repositories are not anonymously or publicly accessible"
2025-11-28T06:49:50.6282536Z 	PASSED for resource: google_artifact_registry_repository_iam_member.custom_writers
2025-11-28T06:49:50.6283271Z 	File: /modules/artifact-registry/main.tf:172-180
2025-11-28T06:49:50.6284905Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-gcp-artifact-registry-repository-is-not-anonymously-or-publicly-accessible
2025-11-28T06:49:50.6287094Z Check: CKV_GCP_11: "Ensure that Cloud SQL database Instances are not open to the world"
2025-11-28T06:49:50.6287930Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6288481Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6289849Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-4
2025-11-28T06:49:50.6291626Z Check: CKV_GCP_55: "Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value"
2025-11-28T06:49:50.6292965Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6293523Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6294495Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-6
2025-11-28T06:49:50.6295393Z Check: CKV_GCP_56: "Ensure PostgreSQL database 'log_temp_files' flag is set to '0'"
2025-11-28T06:49:50.6295835Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6296145Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6296713Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-7
2025-11-28T06:49:50.6297361Z Check: CKV_GCP_60: "Ensure Cloud SQL database does not have public IP"
2025-11-28T06:49:50.6297742Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6298046Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6298599Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-11
2025-11-28T06:49:50.6299328Z Check: CKV_GCP_6: "Ensure all Cloud SQL database instance requires all incoming connections to use SSL"
2025-11-28T06:49:50.6300426Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6300936Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6302002Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-1
2025-11-28T06:49:50.6303379Z Check: CKV_GCP_14: "Ensure all Cloud SQL database instance have backup configuration enabled"
2025-11-28T06:49:50.6304413Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6304905Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6305876Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-2
2025-11-28T06:49:50.6307008Z Check: CKV_GCP_57: "Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1'"
2025-11-28T06:49:50.6307663Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6308146Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6309070Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-8
2025-11-28T06:49:50.6310506Z Check: CKV_GCP_42: "Ensure that Service Account has no Admin privileges"
2025-11-28T06:49:50.6311318Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6312022Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6312632Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6313779Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-4
2025-11-28T06:49:50.6314931Z Check: CKV_GCP_117: "Ensure basic roles are not used at project level."
2025-11-28T06:49:50.6315745Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6316638Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6317299Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6318588Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-google-cloud-117
2025-11-28T06:49:50.6320803Z Check: CKV_GCP_49: "Ensure roles do not impersonate or manage Service Accounts used at project level"
2025-11-28T06:49:50.6321829Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6322574Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6323202Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6324617Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-10
2025-11-28T06:49:50.6325845Z Check: CKV_GCP_46: "Ensure Default Service account is not used at a project level"
2025-11-28T06:49:50.6326698Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6327393Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6328000Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6329164Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-7
2025-11-28T06:49:50.6330866Z Check: CKV_GCP_41: "Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"
2025-11-28T06:49:50.6332031Z 	PASSED for resource: module.cost_management.google_project_iam_member.scheduler_roles
2025-11-28T06:49:50.6332779Z 	File: /modules/cost-management/main.tf:351-357
2025-11-28T06:49:50.6333390Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6334569Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-3
2025-11-28T06:49:50.6335846Z Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
2025-11-28T06:49:50.6336768Z 	PASSED for resource: module.cost_management.google_storage_bucket.log_archive[0]
2025-11-28T06:49:50.6337473Z 	File: /modules/cost-management/main.tf:181-215
2025-11-28T06:49:50.6338076Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6339849Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
2025-11-28T06:49:50.6341153Z Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
2025-11-28T06:49:50.6356385Z 	PASSED for resource: module.cost_management.google_storage_bucket_iam_member.log_writer[0]
2025-11-28T06:49:50.6357356Z 	File: /modules/cost-management/main.tf:218-224
2025-11-28T06:49:50.6358206Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6359967Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
2025-11-28T06:49:50.6361782Z Check: CKV_GCP_15: "Ensure that BigQuery datasets are not anonymously or publicly accessible"
2025-11-28T06:49:50.6363127Z 	PASSED for resource: module.cost_management.google_bigquery_dataset.cost_export[0]
2025-11-28T06:49:50.6364092Z 	File: /modules/cost-management/main.tf:371-386
2025-11-28T06:49:50.6364896Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6366513Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-3
2025-11-28T06:49:50.6368113Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2025-11-28T06:49:50.6369030Z 	PASSED for resource: module.logging.google_storage_bucket.audit_logs
2025-11-28T06:49:50.6369817Z 	File: /modules/logging/main.tf:49-76
2025-11-28T06:49:50.6370372Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6371733Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2025-11-28T06:49:50.6373918Z Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
2025-11-28T06:49:50.6374713Z 	PASSED for resource: module.logging.google_storage_bucket.audit_logs
2025-11-28T06:49:50.6375317Z 	File: /modules/logging/main.tf:49-76
2025-11-28T06:49:50.6375800Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6377181Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
2025-11-28T06:49:50.6378349Z Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
2025-11-28T06:49:50.6379136Z 	PASSED for resource: module.logging.google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6379974Z 	File: /modules/logging/main.tf:79-102
2025-11-28T06:49:50.6380472Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6381543Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-gcs-2
2025-11-28T06:49:50.6382797Z Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
2025-11-28T06:49:50.6383623Z 	PASSED for resource: module.logging.google_storage_bucket_iam_member.error_logs_writer
2025-11-28T06:49:50.6384299Z 	File: /modules/logging/main.tf:144-150
2025-11-28T06:49:50.6384847Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6386010Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
2025-11-28T06:49:50.6387305Z Check: CKV_GCP_28: "Ensure that Cloud Storage bucket is not anonymously or publicly accessible"
2025-11-28T06:49:50.6388187Z 	PASSED for resource: module.logging.google_storage_bucket_iam_member.audit_logs_writer
2025-11-28T06:49:50.6388860Z 	File: /modules/logging/main.tf:172-178
2025-11-28T06:49:50.6389383Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6390992Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-1
2025-11-28T06:49:50.6392246Z Check: CKV_GCP_15: "Ensure that BigQuery datasets are not anonymously or publicly accessible"
2025-11-28T06:49:50.6393036Z 	PASSED for resource: module.logging.google_bigquery_dataset.logs[0]
2025-11-28T06:49:50.6393595Z 	File: /modules/logging/main.tf:181-197
2025-11-28T06:49:50.6394127Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6395322Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-3
2025-11-28T06:49:50.6396630Z Check: CKV_GCP_97: "Ensure Memorystore for Redis uses intransit encryption"
2025-11-28T06:49:50.6397476Z 	PASSED for resource: google_redis_instance.main
2025-11-28T06:49:50.6397975Z 	File: /modules/redis/main.tf:4-47
2025-11-28T06:49:50.6399335Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-uses-intransit-encryption
2025-11-28T06:49:50.6401150Z Check: CKV_GCP_95: "Ensure Memorystore for Redis has AUTH enabled"
2025-11-28T06:49:50.6401758Z 	PASSED for resource: google_redis_instance.main
2025-11-28T06:49:50.6402801Z 	File: /modules/redis/main.tf:4-47
2025-11-28T06:49:50.6404001Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-memorystore-for-redis-is-auth-enabled
2025-11-28T06:49:50.6410704Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6413037Z 	PASSED for resource: module.cost_management.google_logging_project_sink.storage_export[0]
2025-11-28T06:49:50.6416088Z 	File: /modules/cost-management/main.tf:168-178
2025-11-28T06:49:50.6419190Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6421287Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6422566Z 	PASSED for resource: module.logging.google_logging_project_sink.all_logs
2025-11-28T06:49:50.6466304Z 	File: /modules/logging/main.tf:109-122
2025-11-28T06:49:50.6468579Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6471153Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6472500Z 	PASSED for resource: module.logging.google_logging_project_sink.bigquery
2025-11-28T06:49:50.6473373Z 	File: /modules/logging/main.tf:199-220
2025-11-28T06:49:50.6474982Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6476898Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6477888Z 	PASSED for resource: module.logging.google_logging_project_sink.bigquery[0]
2025-11-28T06:49:50.6478550Z 	File: /modules/logging/main.tf:199-220
2025-11-28T06:49:50.6480460Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6483041Z Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
2025-11-28T06:49:50.6484293Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6485024Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6486276Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-2-20
2025-11-28T06:49:50.6488969Z Check: CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured"
2025-11-28T06:49:50.6490734Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6491662Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6493603Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-2-20
2025-11-28T06:49:50.6494572Z Check: CKV2_GCP_7: "Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges"
2025-11-28T06:49:50.6495112Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6495431Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6496422Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/ensure-that-a-mysql-database-instance-does-not-allow-anyone-to-connect-with-administrative-privileges
2025-11-28T06:49:50.6497676Z Check: CKV2_GCP_7: "Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges"
2025-11-28T06:49:50.6498237Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6498572Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6501732Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-iam-policies/ensure-that-a-mysql-database-instance-does-not-allow-anyone-to-connect-with-administrative-privileges
2025-11-28T06:49:50.6506692Z Check: CKV2_GCP_14: "Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'"
2025-11-28T06:49:50.6507532Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6508895Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6511473Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-14
2025-11-28T06:49:50.6514637Z Check: CKV2_GCP_14: "Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off'"
2025-11-28T06:49:50.6515533Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6516547Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6518611Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-14
2025-11-28T06:49:50.6519389Z Check: CKV2_GCP_16: "Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'"
2025-11-28T06:49:50.6520430Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6520995Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6522011Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-16
2025-11-28T06:49:50.6523247Z Check: CKV2_GCP_16: "Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off'"
2025-11-28T06:49:50.6524034Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6524634Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6525613Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-16
2025-11-28T06:49:50.6526951Z Check: CKV2_GCP_15: "Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'"
2025-11-28T06:49:50.6527739Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6528291Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6529324Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-15
2025-11-28T06:49:50.6530762Z Check: CKV2_GCP_15: "Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off'"
2025-11-28T06:49:50.6531596Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6532160Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6533263Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-15
2025-11-28T06:49:50.6534018Z Check: CKV2_GCP_17: "Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'"
2025-11-28T06:49:50.6534522Z 	PASSED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6534828Z 	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6535383Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-17
2025-11-28T06:49:50.6536087Z Check: CKV2_GCP_17: "Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off'"
2025-11-28T06:49:50.6536552Z 	PASSED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6536884Z 	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6537444Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-17
2025-11-28T06:49:50.6538245Z Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6540935Z 	FAILED for resource: google_artifact_registry_repository.replicas
2025-11-28T06:49:50.6566957Z ##[error]	File: /modules/artifact-registry/main.tf:91-136
2025-11-28T06:49:50.6584715Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6586402Z 
2025-11-28T06:49:50.6586677Z 		91  | resource "google_artifact_registry_repository" "replicas" {
2025-11-28T06:49:50.6587274Z 		92  |   for_each = toset(var.replication_regions)
2025-11-28T06:49:50.6587721Z 		93  | 
2025-11-28T06:49:50.6588021Z 		94  |   location      = each.value
2025-11-28T06:49:50.6588445Z 		95  |   repository_id = var.repository_id
2025-11-28T06:49:50.6588923Z 		96  |   project       = var.project_id
2025-11-28T06:49:50.6594870Z 		97  |   description   = "${var.description} (Replica in ${each.value})"
2025-11-28T06:49:50.6595569Z 		98  |   format        = "DOCKER"
2025-11-28T06:49:50.6595975Z 		99  | 
2025-11-28T06:49:50.6596553Z 		100 |   # Match primary repository configuration
2025-11-28T06:49:50.6596966Z 		101 |   docker_config {
2025-11-28T06:49:50.6597365Z 		102 |     immutable_tags = var.immutable_tags
2025-11-28T06:49:50.6597830Z 		103 |   }
2025-11-28T06:49:50.6598113Z 		104 | 
2025-11-28T06:49:50.6598742Z 		105 |   cleanup_policies {
2025-11-28T06:49:50.6599177Z 		106 |     id     = "keep-last-n-versions"
2025-11-28T06:49:50.6600107Z 		107 |     action = "DELETE"
2025-11-28T06:49:50.6600483Z 		108 | 
2025-11-28T06:49:50.6600786Z 		109 |     condition {
2025-11-28T06:49:50.6601151Z 		110 |       tag_state  = "ANY"
2025-11-28T06:49:50.6601723Z 		111 |       older_than = var.retention_days > 0 ? "${var.retention_days}d" : null
2025-11-28T06:49:50.6602295Z 		112 |     }
2025-11-28T06:49:50.6602615Z 		113 | 
2025-11-28T06:49:50.6602924Z 		114 |     most_recent_versions {
2025-11-28T06:49:50.6603369Z 		115 |       keep_count = var.keep_image_count
2025-11-28T06:49:50.6603816Z 		116 |     }
2025-11-28T06:49:50.6604194Z 		117 |   }
2025-11-28T06:49:50.6604511Z 		118 | 
2025-11-28T06:49:50.6604859Z 		119 |   cleanup_policies {
2025-11-28T06:49:50.6605322Z 		120 |     id     = "delete-old-untagged"
2025-11-28T06:49:50.6605812Z 		121 |     action = "DELETE"
2025-11-28T06:49:50.6606201Z 		122 | 
2025-11-28T06:49:50.6606497Z 		123 |     condition {
2025-11-28T06:49:50.6606861Z 		124 |       tag_state  = "UNTAGGED"
2025-11-28T06:49:50.6607345Z 		125 |       older_than = "${var.untagged_retention_days}d"
2025-11-28T06:49:50.6607820Z 		126 |     }
2025-11-28T06:49:50.6608102Z 		127 |   }
2025-11-28T06:49:50.6608382Z 		128 | 
2025-11-28T06:49:50.6608693Z 		129 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6609115Z 		130 |     replica_of = var.location
2025-11-28T06:49:50.6610084Z 		131 |   })
2025-11-28T06:49:50.6610353Z 		132 | 
2025-11-28T06:49:50.6610643Z 		133 |   depends_on = [
2025-11-28T06:49:50.6611260Z 		134 |     google_project_service.artifact_registry
2025-11-28T06:49:50.6612192Z 		135 |   ]
2025-11-28T06:49:50.6612517Z 		136 | }
2025-11-28T06:49:50.6612687Z 
2025-11-28T06:49:50.6613351Z Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6614393Z 	FAILED for resource: google_artifact_registry_repository.remote
2025-11-28T06:49:50.6616208Z ##[error]	File: /modules/artifact-registry/main.tf:290-315
2025-11-28T06:49:50.6618934Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6620912Z 
2025-11-28T06:49:50.6621196Z 		290 | resource "google_artifact_registry_repository" "remote" {
2025-11-28T06:49:50.6621792Z 		291 |   for_each = var.remote_repositories
2025-11-28T06:49:50.6622197Z 		292 | 
2025-11-28T06:49:50.6622487Z 		293 |   location      = var.location
2025-11-28T06:49:50.6622984Z 		294 |   repository_id = "${var.repository_id}-${each.key}"
2025-11-28T06:49:50.6623494Z 		295 |   project       = var.project_id
2025-11-28T06:49:50.6623995Z 		296 |   description   = "Remote repository for ${each.key}"
2025-11-28T06:49:50.6624504Z 		297 |   format        = "DOCKER"
2025-11-28T06:49:50.6624902Z 		298 |   mode          = "REMOTE_REPOSITORY"
2025-11-28T06:49:50.6625321Z 		299 | 
2025-11-28T06:49:50.6625620Z 		300 |   remote_repository_config {
2025-11-28T06:49:50.6626131Z 		301 |     description = "Mirror of ${each.value.upstream_url}"
2025-11-28T06:49:50.6626626Z 		302 | 
2025-11-28T06:49:50.6626921Z 		303 |     docker_repository {
2025-11-28T06:49:50.6627370Z 		304 |       public_repository = each.value.upstream_url
2025-11-28T06:49:50.6627827Z 		305 |     }
2025-11-28T06:49:50.6628113Z 		306 |   }
2025-11-28T06:49:50.6628579Z 		307 | 
2025-11-28T06:49:50.6628902Z 		308 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6632135Z 		309 |     remote_source = each.key
2025-11-28T06:49:50.6632628Z 		310 |   })
2025-11-28T06:49:50.6632921Z 		311 | 
2025-11-28T06:49:50.6633535Z 		312 |   depends_on = [
2025-11-28T06:49:50.6633998Z 		313 |     google_project_service.artifact_registry
2025-11-28T06:49:50.6634489Z 		314 |   ]
2025-11-28T06:49:50.6634776Z 		315 | }
2025-11-28T06:49:50.6634970Z 
2025-11-28T06:49:50.6635256Z Check: CKV_GCP_51: "Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on'"
2025-11-28T06:49:50.6635838Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6636722Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6638029Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-2
2025-11-28T06:49:50.6638601Z 
2025-11-28T06:49:50.6638895Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6640062Z Check: CKV_GCP_79: "Ensure SQL database is using latest Major version"
2025-11-28T06:49:50.6640807Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6641758Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6643794Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-sql-database-uses-the-latest-major-version
2025-11-28T06:49:50.6645072Z 
2025-11-28T06:49:50.6645506Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6646367Z Check: CKV_GCP_111: "Ensure GCP PostgreSQL logs SQL statements"
2025-11-28T06:49:50.6647046Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6648391Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6651061Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-111
2025-11-28T06:49:50.6652241Z 
2025-11-28T06:49:50.6652674Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6653690Z Check: CKV_GCP_108: "Ensure hostnames are logged for GCP PostgreSQL databases"
2025-11-28T06:49:50.6654398Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6655423Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6657234Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-108
2025-11-28T06:49:50.6658110Z 
2025-11-28T06:49:50.6658508Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6659649Z Check: CKV_GCP_109: "Ensure the GCP PostgreSQL database log levels are set to ERROR or lower"
2025-11-28T06:49:50.6660576Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6661606Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6663348Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-109
2025-11-28T06:49:50.6664239Z 
2025-11-28T06:49:50.6664636Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6665549Z Check: CKV_GCP_110: "Ensure pgAudit is enabled for your GCP PostgreSQL database"
2025-11-28T06:49:50.6666267Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6667241Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6668950Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-110
2025-11-28T06:49:50.6670093Z 
2025-11-28T06:49:50.6670523Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6671505Z Check: CKV_GCP_52: "Ensure PostgreSQL database 'log_connections' flag is set to 'on'"
2025-11-28T06:49:50.6672336Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6673522Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6678258Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-3
2025-11-28T06:49:50.6679159Z 
2025-11-28T06:49:50.6679837Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6680806Z Check: CKV_GCP_54: "Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on'"
2025-11-28T06:49:50.6681635Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6682774Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6684595Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-5
2025-11-28T06:49:50.6685476Z 
2025-11-28T06:49:50.6685894Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6686928Z Check: CKV_GCP_53: "Ensure PostgreSQL database 'log_disconnections' flag is set to 'on'"
2025-11-28T06:49:50.6687762Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6688891Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6691038Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-4
2025-11-28T06:49:50.6691926Z 
2025-11-28T06:49:50.6692350Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6693472Z Check: CKV_GCP_84: "Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6694616Z 	FAILED for resource: module.cost_management.google_artifact_registry_repository.images[0]
2025-11-28T06:49:50.6696122Z ##[error]	File: /modules/cost-management/main.tf:227-271
2025-11-28T06:49:50.6697791Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6699978Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-artifact-registry-repositories-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6701702Z 
2025-11-28T06:49:50.6701988Z 		227 | resource "google_artifact_registry_repository" "images" {
2025-11-28T06:49:50.6702623Z 		228 |   count = var.configure_artifact_registry ? 1 : 0
2025-11-28T06:49:50.6703105Z 		229 | 
2025-11-28T06:49:50.6703424Z 		230 |   location      = var.region
2025-11-28T06:49:50.6703977Z 		231 |   repository_id = "${var.project_name}-${var.environment}-images"
2025-11-28T06:49:50.6704681Z 		232 |   description   = "Container images with lifecycle policies"
2025-11-28T06:49:50.6705242Z 		233 |   format        = "DOCKER"
2025-11-28T06:49:50.6705597Z 		234 | 
2025-11-28T06:49:50.6705899Z 		235 |   cleanup_policies {
2025-11-28T06:49:50.6706295Z 		236 |     id     = "delete-old-untagged"
2025-11-28T06:49:50.6706728Z 		237 |     action = "DELETE"
2025-11-28T06:49:50.6707085Z 		238 | 
2025-11-28T06:49:50.6707372Z 		239 |     condition {
2025-11-28T06:49:50.6707708Z 		240 |       tag_state  = "UNTAGGED"
2025-11-28T06:49:50.6708174Z 		241 |       older_than = "${var.artifact_untagged_retention_days}d"
2025-11-28T06:49:50.6708669Z 		242 |     }
2025-11-28T06:49:50.6708941Z 		243 |   }
2025-11-28T06:49:50.6709213Z 		244 | 
2025-11-28T06:49:50.6709676Z 		245 |   cleanup_policies {
2025-11-28T06:49:50.6710199Z 		246 |     id     = "keep-minimum-versions"
2025-11-28T06:49:50.6710624Z 		247 |     action = "KEEP"
2025-11-28T06:49:50.6710954Z 		248 | 
2025-11-28T06:49:50.6711254Z 		249 |     most_recent_versions {
2025-11-28T06:49:50.6711703Z 		250 |       keep_count = var.artifact_minimum_versions
2025-11-28T06:49:50.6712145Z 		251 |     }
2025-11-28T06:49:50.6712412Z 		252 |   }
2025-11-28T06:49:50.6712694Z 		253 | 
2025-11-28T06:49:50.6712981Z 		254 |   cleanup_policies {
2025-11-28T06:49:50.6713368Z 		255 |     id     = "delete-old-tagged"
2025-11-28T06:49:50.6713979Z 		256 |     action = "DELETE"
2025-11-28T06:49:50.6714908Z 		257 | 
2025-11-28T06:49:50.6715193Z 		258 |     condition {
2025-11-28T06:49:50.6715558Z 		259 |       tag_state    = "TAGGED"
2025-11-28T06:49:50.6716008Z 		260 |       tag_prefixes = var.artifact_delete_tag_prefixes
2025-11-28T06:49:50.6716579Z 		261 |       older_than   = "${var.artifact_tagged_retention_days}d"
2025-11-28T06:49:50.6717353Z 		262 |     }
2025-11-28T06:49:50.6717637Z 		263 |   }
2025-11-28T06:49:50.6717893Z 		264 | 
2025-11-28T06:49:50.6718189Z 		265 |   labels = merge(
2025-11-28T06:49:50.6718610Z 		266 |     var.cost_labels,
2025-11-28T06:49:50.6718970Z 		267 |     {
2025-11-28T06:49:50.6719289Z 		268 |       purpose = "container-images"
2025-11-28T06:49:50.6719983Z 		269 |     }
2025-11-28T06:49:50.6720260Z 		270 |   )
2025-11-28T06:49:50.6720562Z 		271 | }
2025-11-28T06:49:50.6720715Z 
2025-11-28T06:49:50.6721821Z Check: CKV_GCP_83: "Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6722830Z 	FAILED for resource: module.cost_management.google_pubsub_topic.budget_alerts[0]
2025-11-28T06:49:50.6724233Z ##[error]	File: /modules/cost-management/main.tf:75-86
2025-11-28T06:49:50.6725710Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6727500Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-pubsub-topics-are-encrypted-with-customer-supplied-encryption-keys-csek
2025-11-28T06:49:50.6729018Z 
2025-11-28T06:49:50.6729247Z 		75 | resource "google_pubsub_topic" "budget_alerts" {
2025-11-28T06:49:50.6729901Z 		76 |   count = var.create_pubsub_topic ? 1 : 0
2025-11-28T06:49:50.6730340Z 		77 | 
2025-11-28T06:49:50.6730930Z 		78 |   name = "${var.project_name}-${var.environment}-budget-alerts"
2025-11-28T06:49:50.6732006Z 		79 | 
2025-11-28T06:49:50.6732309Z 		80 |   labels = merge(
2025-11-28T06:49:50.6732647Z 		81 |     var.cost_labels,
2025-11-28T06:49:50.6733003Z 		82 |     {
2025-11-28T06:49:50.6733314Z 		83 |       purpose = "budget-alerts"
2025-11-28T06:49:50.6733737Z 		84 |     }
2025-11-28T06:49:50.6734041Z 		85 |   )
2025-11-28T06:49:50.6734325Z 		86 | }
2025-11-28T06:49:50.6734493Z 
2025-11-28T06:49:50.6734808Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2025-11-28T06:49:50.6735613Z 	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
2025-11-28T06:49:50.6736736Z ##[error]	File: /modules/cost-management/main.tf:181-215
2025-11-28T06:49:50.6738668Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6740760Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2025-11-28T06:49:50.6742451Z 
2025-11-28T06:49:50.6742672Z 		181 | resource "google_storage_bucket" "log_archive" {
2025-11-28T06:49:50.6743173Z 		182 |   count = var.export_logs_to_storage ? 1 : 0
2025-11-28T06:49:50.6743622Z 		183 | 
2025-11-28T06:49:50.6744035Z 		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
2025-11-28T06:49:50.6744586Z 		185 |   location      = var.region
2025-11-28T06:49:50.6745108Z 		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
2025-11-28T06:49:50.6745629Z 		187 | 
2025-11-28T06:49:50.6745985Z 		188 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6746582Z 		189 | 
2025-11-28T06:49:50.6746913Z 		190 |   lifecycle_rule {
2025-11-28T06:49:50.6747265Z 		191 |     condition {
2025-11-28T06:49:50.6747673Z 		192 |       age = var.log_archive_retention_days
2025-11-28T06:49:50.6748061Z 		193 |     }
2025-11-28T06:49:50.6748364Z 		194 |     action {
2025-11-28T06:49:50.6748873Z 		195 |       type = "Delete"
2025-11-28T06:49:50.6749438Z 		196 |     }
2025-11-28T06:49:50.6749884Z 		197 |   }
2025-11-28T06:49:50.6750292Z 		198 | 
2025-11-28T06:49:50.6750898Z 		199 |   lifecycle_rule {
2025-11-28T06:49:50.6751301Z 		200 |     condition {
2025-11-28T06:49:50.6751700Z 		201 |       age = 90 # Move to archive after 90 days
2025-11-28T06:49:50.6753419Z 		202 |     }
2025-11-28T06:49:50.6753799Z 		203 |     action {
2025-11-28T06:49:50.6754199Z 		204 |       type          = "SetStorageClass"
2025-11-28T06:49:50.6754698Z 		205 |       storage_class = "ARCHIVE"
2025-11-28T06:49:50.6755141Z 		206 |     }
2025-11-28T06:49:50.6755427Z 		207 |   }
2025-11-28T06:49:50.6755710Z 		208 | 
2025-11-28T06:49:50.6756019Z 		209 |   labels = merge(
2025-11-28T06:49:50.6756356Z 		210 |     var.cost_labels,
2025-11-28T06:49:50.6756724Z 		211 |     {
2025-11-28T06:49:50.6757080Z 		212 |       purpose = "log-archive"
2025-11-28T06:49:50.6757484Z 		213 |     }
2025-11-28T06:49:50.6757801Z 		214 |   )
2025-11-28T06:49:50.6758102Z 		215 | }
2025-11-28T06:49:50.6758312Z 
2025-11-28T06:49:50.6758548Z Check: CKV_GCP_62: "Bucket should log access"
2025-11-28T06:49:50.6759284Z 	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
2025-11-28T06:49:50.6760824Z ##[error]	File: /modules/cost-management/main.tf:181-215
2025-11-28T06:49:50.6762330Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6763569Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2025-11-28T06:49:50.6764550Z 
2025-11-28T06:49:50.6764763Z 		181 | resource "google_storage_bucket" "log_archive" {
2025-11-28T06:49:50.6765296Z 		182 |   count = var.export_logs_to_storage ? 1 : 0
2025-11-28T06:49:50.6765733Z 		183 | 
2025-11-28T06:49:50.6766126Z 		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
2025-11-28T06:49:50.6766651Z 		185 |   location      = var.region
2025-11-28T06:49:50.6767200Z 		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
2025-11-28T06:49:50.6767987Z 		187 | 
2025-11-28T06:49:50.6768308Z 		188 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6768717Z 		189 | 
2025-11-28T06:49:50.6768995Z 		190 |   lifecycle_rule {
2025-11-28T06:49:50.6769352Z 		191 |     condition {
2025-11-28T06:49:50.6769993Z 		192 |       age = var.log_archive_retention_days
2025-11-28T06:49:50.6770496Z 		193 |     }
2025-11-28T06:49:50.6770787Z 		194 |     action {
2025-11-28T06:49:50.6771105Z 		195 |       type = "Delete"
2025-11-28T06:49:50.6771452Z 		196 |     }
2025-11-28T06:49:50.6771727Z 		197 |   }
2025-11-28T06:49:50.6771998Z 		198 | 
2025-11-28T06:49:50.6772277Z 		199 |   lifecycle_rule {
2025-11-28T06:49:50.6772625Z 		200 |     condition {
2025-11-28T06:49:50.6772997Z 		201 |       age = 90 # Move to archive after 90 days
2025-11-28T06:49:50.6773430Z 		202 |     }
2025-11-28T06:49:50.6773717Z 		203 |     action {
2025-11-28T06:49:50.6774058Z 		204 |       type          = "SetStorageClass"
2025-11-28T06:49:50.6774506Z 		205 |       storage_class = "ARCHIVE"
2025-11-28T06:49:50.6774888Z 		206 |     }
2025-11-28T06:49:50.6775165Z 		207 |   }
2025-11-28T06:49:50.6775428Z 		208 | 
2025-11-28T06:49:50.6775708Z 		209 |   labels = merge(
2025-11-28T06:49:50.6776053Z 		210 |     var.cost_labels,
2025-11-28T06:49:50.6776395Z 		211 |     {
2025-11-28T06:49:50.6776705Z 		212 |       purpose = "log-archive"
2025-11-28T06:49:50.6777088Z 		213 |     }
2025-11-28T06:49:50.6777359Z 		214 |   )
2025-11-28T06:49:50.6777627Z 		215 | }
2025-11-28T06:49:50.6777784Z 
2025-11-28T06:49:50.6778199Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2025-11-28T06:49:50.6779085Z 	FAILED for resource: module.cost_management.google_storage_bucket.log_archive[0]
2025-11-28T06:49:50.6780422Z ##[error]	File: /modules/cost-management/main.tf:181-215
2025-11-28T06:49:50.6781747Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6783008Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2025-11-28T06:49:50.6783979Z 
2025-11-28T06:49:50.6784187Z 		181 | resource "google_storage_bucket" "log_archive" {
2025-11-28T06:49:50.6784900Z 		182 |   count = var.export_logs_to_storage ? 1 : 0
2025-11-28T06:49:50.6785329Z 		183 | 
2025-11-28T06:49:50.6785723Z 		184 |   name          = "${var.project_id}-${var.environment}-log-archive"
2025-11-28T06:49:50.6786247Z 		185 |   location      = var.region
2025-11-28T06:49:50.6786793Z 		186 |   storage_class = "COLDLINE" # Cost-effective for infrequent access
2025-11-28T06:49:50.6787329Z 		187 | 
2025-11-28T06:49:50.6787648Z 		188 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6788055Z 		189 | 
2025-11-28T06:49:50.6788335Z 		190 |   lifecycle_rule {
2025-11-28T06:49:50.6788696Z 		191 |     condition {
2025-11-28T06:49:50.6789059Z 		192 |       age = var.log_archive_retention_days
2025-11-28T06:49:50.6789647Z 		193 |     }
2025-11-28T06:49:50.6789935Z 		194 |     action {
2025-11-28T06:49:50.6790256Z 		195 |       type = "Delete"
2025-11-28T06:49:50.6790597Z 		196 |     }
2025-11-28T06:49:50.6790901Z 		197 |   }
2025-11-28T06:49:50.6791175Z 		198 | 
2025-11-28T06:49:50.6791465Z 		199 |   lifecycle_rule {
2025-11-28T06:49:50.6791809Z 		200 |     condition {
2025-11-28T06:49:50.6792184Z 		201 |       age = 90 # Move to archive after 90 days
2025-11-28T06:49:50.6792609Z 		202 |     }
2025-11-28T06:49:50.6792891Z 		203 |     action {
2025-11-28T06:49:50.6793241Z 		204 |       type          = "SetStorageClass"
2025-11-28T06:49:50.6793684Z 		205 |       storage_class = "ARCHIVE"
2025-11-28T06:49:50.6794064Z 		206 |     }
2025-11-28T06:49:50.6794341Z 		207 |   }
2025-11-28T06:49:50.6794604Z 		208 | 
2025-11-28T06:49:50.6794884Z 		209 |   labels = merge(
2025-11-28T06:49:50.6795227Z 		210 |     var.cost_labels,
2025-11-28T06:49:50.6795562Z 		211 |     {
2025-11-28T06:49:50.6795871Z 		212 |       purpose = "log-archive"
2025-11-28T06:49:50.6796424Z 		213 |     }
2025-11-28T06:49:50.6796704Z 		214 |   )
2025-11-28T06:49:50.6796968Z 		215 | }
2025-11-28T06:49:50.6797131Z 
2025-11-28T06:49:50.6797612Z Check: CKV_GCP_81: "Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6798612Z 	FAILED for resource: module.cost_management.google_bigquery_dataset.cost_export[0]
2025-11-28T06:49:50.6800005Z ##[error]	File: /modules/cost-management/main.tf:371-386
2025-11-28T06:49:50.6801309Z 	Calling File: /modules/cost-management/examples/staging/main.tf:19-112
2025-11-28T06:49:50.6803134Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1
2025-11-28T06:49:50.6804656Z 
2025-11-28T06:49:50.6804874Z 		371 | resource "google_bigquery_dataset" "cost_export" {
2025-11-28T06:49:50.6805435Z 		372 |   count = var.enable_bigquery_cost_export ? 1 : 0
2025-11-28T06:49:50.6805898Z 		373 | 
2025-11-28T06:49:50.6806407Z 		374 |   dataset_id                  = "${replace(var.project_name, "-", "_")}_${var.environment}_cost_data"
2025-11-28T06:49:50.6807203Z 		375 |   friendly_name               = "${var.project_name} ${var.environment} Cost Data"
2025-11-28T06:49:50.6807890Z 		376 |   description                 = "Cost and usage data for analysis"
2025-11-28T06:49:50.6808483Z 		377 |   location                    = var.bigquery_location
2025-11-28T06:49:50.6809098Z 		378 |   default_table_expiration_ms = var.bigquery_table_expiration_ms
2025-11-28T06:49:50.6809770Z 		379 | 
2025-11-28T06:49:50.6810060Z 		380 |   labels = merge(
2025-11-28T06:49:50.6810403Z 		381 |     var.cost_labels,
2025-11-28T06:49:50.6810746Z 		382 |     {
2025-11-28T06:49:50.6811057Z 		383 |       purpose = "cost-analysis"
2025-11-28T06:49:50.6811448Z 		384 |     }
2025-11-28T06:49:50.6811722Z 		385 |   )
2025-11-28T06:49:50.6811993Z 		386 | }
2025-11-28T06:49:50.6812150Z 
2025-11-28T06:49:50.6812346Z Check: CKV_GCP_62: "Bucket should log access"
2025-11-28T06:49:50.6812968Z 	FAILED for resource: module.logging.google_storage_bucket.audit_logs
2025-11-28T06:49:50.6813822Z ##[error]	File: /modules/logging/main.tf:49-76
2025-11-28T06:49:50.6815186Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6816424Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2025-11-28T06:49:50.6817383Z 
2025-11-28T06:49:50.6817586Z 		49 | resource "google_storage_bucket" "audit_logs" {
2025-11-28T06:49:50.6818100Z 		50 |   name          = "${var.project_id}-audit-logs"
2025-11-28T06:49:50.6818625Z 		51 |   location      = var.region
2025-11-28T06:49:50.6819032Z 		52 |   project       = var.project_id
2025-11-28T06:49:50.6819443Z 		53 |   force_destroy = false
2025-11-28T06:49:50.6819940Z 		54 | 
2025-11-28T06:49:50.6820247Z 		55 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6820661Z 		56 | 
2025-11-28T06:49:50.6820939Z 		57 |   lifecycle_rule {
2025-11-28T06:49:50.6821288Z 		58 |     condition {
2025-11-28T06:49:50.6821602Z 		59 |       age = 400
2025-11-28T06:49:50.6821910Z 		60 |     }
2025-11-28T06:49:50.6822195Z 		61 |     action {
2025-11-28T06:49:50.6822510Z 		62 |       type = "Delete"
2025-11-28T06:49:50.6822843Z 		63 |     }
2025-11-28T06:49:50.6823118Z 		64 |   }
2025-11-28T06:49:50.6823379Z 		65 | 
2025-11-28T06:49:50.6823653Z 		66 |   versioning {
2025-11-28T06:49:50.6823975Z 		67 |     enabled = true
2025-11-28T06:49:50.6824294Z 		68 |   }
2025-11-28T06:49:50.6824561Z 		69 | 
2025-11-28T06:49:50.6824850Z 		70 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6825268Z 		71 |     purpose   = "audit-logs"
2025-11-28T06:49:50.6825660Z 		72 |     retention = "400-days"
2025-11-28T06:49:50.6826021Z 		73 |   })
2025-11-28T06:49:50.6826286Z 		74 | 
2025-11-28T06:49:50.6826628Z 		75 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6827242Z 		76 | }
2025-11-28T06:49:50.6827406Z 
2025-11-28T06:49:50.6827800Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2025-11-28T06:49:50.6828635Z 	FAILED for resource: module.logging.google_storage_bucket.audit_logs
2025-11-28T06:49:50.6829819Z ##[error]	File: /modules/logging/main.tf:49-76
2025-11-28T06:49:50.6831016Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6832254Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2025-11-28T06:49:50.6833208Z 
2025-11-28T06:49:50.6833404Z 		49 | resource "google_storage_bucket" "audit_logs" {
2025-11-28T06:49:50.6833917Z 		50 |   name          = "${var.project_id}-audit-logs"
2025-11-28T06:49:50.6834380Z 		51 |   location      = var.region
2025-11-28T06:49:50.6834777Z 		52 |   project       = var.project_id
2025-11-28T06:49:50.6835187Z 		53 |   force_destroy = false
2025-11-28T06:49:50.6835542Z 		54 | 
2025-11-28T06:49:50.6835850Z 		55 |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6836249Z 		56 | 
2025-11-28T06:49:50.6836533Z 		57 |   lifecycle_rule {
2025-11-28T06:49:50.6836867Z 		58 |     condition {
2025-11-28T06:49:50.6837190Z 		59 |       age = 400
2025-11-28T06:49:50.6837499Z 		60 |     }
2025-11-28T06:49:50.6837776Z 		61 |     action {
2025-11-28T06:49:50.6838085Z 		62 |       type = "Delete"
2025-11-28T06:49:50.6838426Z 		63 |     }
2025-11-28T06:49:50.6838708Z 		64 |   }
2025-11-28T06:49:50.6838971Z 		65 | 
2025-11-28T06:49:50.6839247Z 		66 |   versioning {
2025-11-28T06:49:50.6839694Z 		67 |     enabled = true
2025-11-28T06:49:50.6840023Z 		68 |   }
2025-11-28T06:49:50.6840286Z 		69 | 
2025-11-28T06:49:50.6840585Z 		70 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6840989Z 		71 |     purpose   = "audit-logs"
2025-11-28T06:49:50.6841386Z 		72 |     retention = "400-days"
2025-11-28T06:49:50.6841749Z 		73 |   })
2025-11-28T06:49:50.6842012Z 		74 | 
2025-11-28T06:49:50.6842358Z 		75 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6842797Z 		76 | }
2025-11-28T06:49:50.6842956Z 
2025-11-28T06:49:50.6843225Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2025-11-28T06:49:50.6844214Z 	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6845192Z ##[error]	File: /modules/logging/main.tf:79-102
2025-11-28T06:49:50.6846388Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6847814Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2025-11-28T06:49:50.6848981Z 
2025-11-28T06:49:50.6849214Z 		79  | resource "google_storage_bucket" "error_logs_storage" {
2025-11-28T06:49:50.6849919Z 		80  |   name          = "${var.project_id}-error-logs"
2025-11-28T06:49:50.6850374Z 		81  |   location      = var.region
2025-11-28T06:49:50.6850787Z 		82  |   project       = var.project_id
2025-11-28T06:49:50.6851206Z 		83  |   force_destroy = false
2025-11-28T06:49:50.6851560Z 		84  | 
2025-11-28T06:49:50.6851872Z 		85  |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6852273Z 		86  | 
2025-11-28T06:49:50.6852563Z 		87  |   lifecycle_rule {
2025-11-28T06:49:50.6852906Z 		88  |     condition {
2025-11-28T06:49:50.6853226Z 		89  |       age = 30
2025-11-28T06:49:50.6853529Z 		90  |     }
2025-11-28T06:49:50.6853819Z 		91  |     action {
2025-11-28T06:49:50.6854130Z 		92  |       type = "Delete"
2025-11-28T06:49:50.6854475Z 		93  |     }
2025-11-28T06:49:50.6854747Z 		94  |   }
2025-11-28T06:49:50.6855020Z 		95  | 
2025-11-28T06:49:50.6855315Z 		96  |   labels = merge(var.labels, {
2025-11-28T06:49:50.6855732Z 		97  |     purpose   = "error-logs"
2025-11-28T06:49:50.6856131Z 		98  |     retention = "30-days"
2025-11-28T06:49:50.6856489Z 		99  |   })
2025-11-28T06:49:50.6856764Z 		100 | 
2025-11-28T06:49:50.6857111Z 		101 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6857731Z 		102 | }
2025-11-28T06:49:50.6857891Z 
2025-11-28T06:49:50.6858082Z Check: CKV_GCP_62: "Bucket should log access"
2025-11-28T06:49:50.6858732Z 	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6859778Z ##[error]	File: /modules/logging/main.tf:79-102
2025-11-28T06:49:50.6860973Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6862211Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2025-11-28T06:49:50.6863174Z 
2025-11-28T06:49:50.6863408Z 		79  | resource "google_storage_bucket" "error_logs_storage" {
2025-11-28T06:49:50.6864094Z 		80  |   name          = "${var.project_id}-error-logs"
2025-11-28T06:49:50.6864550Z 		81  |   location      = var.region
2025-11-28T06:49:50.6864952Z 		82  |   project       = var.project_id
2025-11-28T06:49:50.6865361Z 		83  |   force_destroy = false
2025-11-28T06:49:50.6865705Z 		84  | 
2025-11-28T06:49:50.6865999Z 		85  |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6866416Z 		86  | 
2025-11-28T06:49:50.6866724Z 		87  |   lifecycle_rule {
2025-11-28T06:49:50.6867101Z 		88  |     condition {
2025-11-28T06:49:50.6867433Z 		89  |       age = 30
2025-11-28T06:49:50.6867777Z 		90  |     }
2025-11-28T06:49:50.6868067Z 		91  |     action {
2025-11-28T06:49:50.6868397Z 		92  |       type = "Delete"
2025-11-28T06:49:50.6868741Z 		93  |     }
2025-11-28T06:49:50.6869022Z 		94  |   }
2025-11-28T06:49:50.6869287Z 		95  | 
2025-11-28T06:49:50.6869719Z 		96  |   labels = merge(var.labels, {
2025-11-28T06:49:50.6870141Z 		97  |     purpose   = "error-logs"
2025-11-28T06:49:50.6870533Z 		98  |     retention = "30-days"
2025-11-28T06:49:50.6870897Z 		99  |   })
2025-11-28T06:49:50.6871170Z 		100 | 
2025-11-28T06:49:50.6871519Z 		101 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6871963Z 		102 | }
2025-11-28T06:49:50.6872126Z 
2025-11-28T06:49:50.6872543Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2025-11-28T06:49:50.6873416Z 	FAILED for resource: module.logging.google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6874551Z ##[error]	File: /modules/logging/main.tf:79-102
2025-11-28T06:49:50.6876019Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6877249Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2025-11-28T06:49:50.6878215Z 
2025-11-28T06:49:50.6878434Z 		79  | resource "google_storage_bucket" "error_logs_storage" {
2025-11-28T06:49:50.6878971Z 		80  |   name          = "${var.project_id}-error-logs"
2025-11-28T06:49:50.6879439Z 		81  |   location      = var.region
2025-11-28T06:49:50.6885952Z 		82  |   project       = var.project_id
2025-11-28T06:49:50.6886405Z 		83  |   force_destroy = false
2025-11-28T06:49:50.6886762Z 		84  | 
2025-11-28T06:49:50.6887105Z 		85  |   uniform_bucket_level_access = true
2025-11-28T06:49:50.6887521Z 		86  | 
2025-11-28T06:49:50.6887823Z 		87  |   lifecycle_rule {
2025-11-28T06:49:50.6888177Z 		88  |     condition {
2025-11-28T06:49:50.6888519Z 		89  |       age = 30
2025-11-28T06:49:50.6888836Z 		90  |     }
2025-11-28T06:49:50.6889122Z 		91  |     action {
2025-11-28T06:49:50.6889448Z 		92  |       type = "Delete"
2025-11-28T06:49:50.6889919Z 		93  |     }
2025-11-28T06:49:50.6890203Z 		94  |   }
2025-11-28T06:49:50.6890479Z 		95  | 
2025-11-28T06:49:50.6890786Z 		96  |   labels = merge(var.labels, {
2025-11-28T06:49:50.6891202Z 		97  |     purpose   = "error-logs"
2025-11-28T06:49:50.6891600Z 		98  |     retention = "30-days"
2025-11-28T06:49:50.6891942Z 		99  |   })
2025-11-28T06:49:50.6892239Z 		100 | 
2025-11-28T06:49:50.6892598Z 		101 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6893062Z 		102 | }
2025-11-28T06:49:50.6893223Z 
2025-11-28T06:49:50.6893656Z Check: CKV_GCP_81: "Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK)"
2025-11-28T06:49:50.6894860Z 	FAILED for resource: module.logging.google_bigquery_dataset.logs[0]
2025-11-28T06:49:50.6896091Z ##[error]	File: /modules/logging/main.tf:181-197
2025-11-28T06:49:50.6897575Z 	Calling File: /modules/logging/examples/production/main.tf:26-97
2025-11-28T06:49:50.6901258Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-big-query-tables-are-encrypted-with-customer-supplied-encryption-keys-csek-1
2025-11-28T06:49:50.6902700Z 
2025-11-28T06:49:50.6902897Z 		181 | resource "google_bigquery_dataset" "logs" {
2025-11-28T06:49:50.6906892Z 		182 |   count = var.enable_bigquery_export ? 1 : 0
2025-11-28T06:49:50.6907426Z 		183 | 
2025-11-28T06:49:50.6907751Z 		184 |   dataset_id    = "cloud_logs"
2025-11-28T06:49:50.6908180Z 		185 |   project       = var.project_id
2025-11-28T06:49:50.6908623Z 		186 |   location      = var.region
2025-11-28T06:49:50.6909095Z 		187 |   friendly_name = "Cloud Logs Dataset"
2025-11-28T06:49:50.6909854Z 		188 |   description   = "Dataset for exported Cloud Logs"
2025-11-28T06:49:50.6910303Z 		189 | 
2025-11-28T06:49:50.6910650Z 		190 |   default_table_expiration_ms = 2592000000 # 30 days
2025-11-28T06:49:50.6911091Z 		191 | 
2025-11-28T06:49:50.6911391Z 		192 |   labels = merge(var.labels, {
2025-11-28T06:49:50.6911795Z 		193 |     purpose = "log-analysis"
2025-11-28T06:49:50.6912152Z 		194 |   })
2025-11-28T06:49:50.6912398Z 		195 | 
2025-11-28T06:49:50.6912722Z 		196 |   depends_on = [google_project_service.logging]
2025-11-28T06:49:50.6913140Z 		197 | }
2025-11-28T06:49:50.6913287Z 
2025-11-28T06:49:50.6913674Z Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
2025-11-28T06:49:50.6914479Z 	FAILED for resource: google_sql_database_instance.main
2025-11-28T06:49:50.6915577Z ##[error]	File: /modules/cloudsql/main.tf:4-74
2025-11-28T06:49:50.6917513Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-13
2025-11-28T06:49:50.6918482Z 
2025-11-28T06:49:50.6918948Z 		Code lines for this resource are too many. Please use IDE of your choice to review the file.
2025-11-28T06:49:50.6920827Z Check: CKV2_GCP_13: "Ensure PostgreSQL database flag 'log_duration' is set to 'on'"
2025-11-28T06:49:50.6921399Z 	FAILED for resource: google_sql_database_instance.read_replica
2025-11-28T06:49:50.6922185Z ##[error]	File: /modules/cloudsql/main.tf:92-120
2025-11-28T06:49:50.6923443Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-2-13
2025-11-28T06:49:50.6923949Z 
2025-11-28T06:49:50.6924119Z 		92  | resource "google_sql_database_instance" "read_replica" {
2025-11-28T06:49:50.6924551Z 		93  |   count = var.create_read_replica ? 1 : 0
2025-11-28T06:49:50.6924816Z 		94  | 
2025-11-28T06:49:50.6925114Z 		95  |   name                 = "${var.instance_name}-read-replica"
2025-11-28T06:49:50.6925452Z 		96  |   database_version     = var.database_version
2025-11-28T06:49:50.6925884Z 		97  |   region               = var.replica_region != null ? var.replica_region : var.region
2025-11-28T06:49:50.6926339Z 		98  |   master_instance_name = google_sql_database_instance.main.name
2025-11-28T06:49:50.6926766Z 		99  |   project              = var.project_id
2025-11-28T06:49:50.6927015Z 		100 | 
2025-11-28T06:49:50.6927207Z 		101 |   replica_configuration {
2025-11-28T06:49:50.6927521Z 		102 |     failover_target = false
2025-11-28T06:49:50.6927763Z 		103 |   }
2025-11-28T06:49:50.6927922Z 		104 | 
2025-11-28T06:49:50.6928096Z 		105 |   settings {
2025-11-28T06:49:50.6928455Z 		106 |     tier              = var.replica_tier != null ? var.replica_tier : var.tier
2025-11-28T06:49:50.6928803Z 		107 |     availability_type = "ZONAL"
2025-11-28T06:49:50.6929117Z 		108 |     disk_size         = var.disk_size
2025-11-28T06:49:50.6929399Z 		109 |     disk_type         = var.disk_type
2025-11-28T06:49:50.6930262Z 		110 |     disk_autoresize   = var.disk_autoresize
2025-11-28T06:49:50.6930526Z 		111 | 
2025-11-28T06:49:50.6930773Z 		112 |     ip_configuration {
2025-11-28T06:49:50.6931054Z 		113 |       ipv4_enabled    = var.ipv4_enabled
2025-11-28T06:49:50.6931354Z 		114 |       private_network = var.private_network
2025-11-28T06:49:50.6931720Z 		115 |       require_ssl     = var.require_ssl
2025-11-28T06:49:50.6931982Z 		116 |     }
2025-11-28T06:49:50.6932155Z 		117 |   }
2025-11-28T06:49:50.6932341Z 		118 | 
2025-11-28T06:49:50.6932616Z 		119 |   deletion_protection = var.deletion_protection
2025-11-28T06:49:50.6932880Z 		120 | }
2025-11-28T06:49:50.6932978Z 
2025-11-28T06:49:50.6933358Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6933970Z 	FAILED for resource: module.cost_management.google_logging_project_sink.storage_export
2025-11-28T06:49:50.6935117Z ##[error]	File: /modules/cost-management/main.tf:168-178
2025-11-28T06:49:50.6938413Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6940070Z 
2025-11-28T06:49:50.6940365Z 		168 | resource "google_logging_project_sink" "storage_export" {
2025-11-28T06:49:50.6940962Z 		169 |   count = var.export_logs_to_storage ? 1 : 0
2025-11-28T06:49:50.6941430Z 		170 | 
2025-11-28T06:49:50.6941836Z 		171 |   name        = "${var.project_name}-${var.environment}-log-export"
2025-11-28T06:49:50.6942696Z 		172 |   destination = "storage.googleapis.com/${google_storage_bucket.log_archive[0].name}"
2025-11-28T06:49:50.6943372Z 		173 | 
2025-11-28T06:49:50.6943746Z 		174 |   # Export only specific log types to reduce costs
2025-11-28T06:49:50.6944289Z 		175 |   filter = var.log_export_filter
2025-11-28T06:49:50.6944721Z 		176 | 
2025-11-28T06:49:50.6944997Z 		177 |   unique_writer_identity = true
2025-11-28T06:49:50.6945391Z 		178 | }
2025-11-28T06:49:50.6945552Z 
2025-11-28T06:49:50.6946010Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6946979Z 	FAILED for resource: module.logging.google_logging_project_sink.error_logs
2025-11-28T06:49:50.6948516Z ##[error]	File: /modules/logging/main.tf:125-141
2025-11-28T06:49:50.6951132Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6952583Z 
2025-11-28T06:49:50.6952828Z 		125 | resource "google_logging_project_sink" "error_logs" {
2025-11-28T06:49:50.6953355Z 		126 |   name        = "error-logs-sink"
2025-11-28T06:49:50.6953802Z 		127 |   project     = var.project_id
2025-11-28T06:49:50.6954503Z 		128 |   destination = "storage.googleapis.com/${google_storage_bucket.error_logs_storage.name}"
2025-11-28T06:49:50.6955206Z 		129 | 
2025-11-28T06:49:50.6955517Z 		130 |   filter = <<-EOT
2025-11-28T06:49:50.6955871Z 		131 |     severity >= ERROR
2025-11-28T06:49:50.6956307Z 		132 |     NOT (${join(" OR ", var.excluded_log_filters)})
2025-11-28T06:49:50.6956761Z 		133 |   EOT
2025-11-28T06:49:50.6957059Z 		134 | 
2025-11-28T06:49:50.6957354Z 		135 |   unique_writer_identity = true
2025-11-28T06:49:50.6957749Z 		136 | 
2025-11-28T06:49:50.6958033Z 		137 |   depends_on = [
2025-11-28T06:49:50.6958415Z 		138 |     google_project_service.logging,
2025-11-28T06:49:50.6958890Z 		139 |     google_storage_bucket.error_logs_storage
2025-11-28T06:49:50.6959301Z 		140 |   ]
2025-11-28T06:49:50.6959718Z 		141 | }
2025-11-28T06:49:50.6959874Z 
2025-11-28T06:49:50.6960331Z Check: CKV2_GCP_4: "Ensure that retention policies on log buckets are configured using Bucket Lock"
2025-11-28T06:49:50.6961291Z 	FAILED for resource: module.logging.google_logging_project_sink.audit_logs
2025-11-28T06:49:50.6962531Z ##[error]	File: /modules/logging/main.tf:153-169
2025-11-28T06:49:50.6965036Z 	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/ensure-that-retention-policies-on-log-buckets-are-configured-using-bucket-lock
2025-11-28T06:49:50.6966450Z 
2025-11-28T06:49:50.6966696Z 		153 | resource "google_logging_project_sink" "audit_logs" {
2025-11-28T06:49:50.6967211Z 		154 |   name        = "audit-logs-sink"
2025-11-28T06:49:50.6967620Z 		155 |   project     = var.project_id
2025-11-28T06:49:50.6968216Z 		156 |   destination = "storage.googleapis.com/${google_storage_bucket.audit_logs.name}"
2025-11-28T06:49:50.6968825Z 		157 | 
2025-11-28T06:49:50.6969105Z 		158 |   filter = <<-EOT
2025-11-28T06:49:50.6969841Z 		159 |     logName =~ "projects/${var.project_id}/logs/cloudaudit.googleapis.com"
2025-11-28T06:49:50.6970710Z 		160 |     OR protoPayload.@type = "type.googleapis.com/google.cloud.audit.AuditLog"
2025-11-28T06:49:50.6971383Z 		161 |   EOT
2025-11-28T06:49:50.6971717Z 		162 | 
2025-11-28T06:49:50.6972105Z 		163 |   unique_writer_identity = true
2025-11-28T06:49:50.6972519Z 		164 | 
2025-11-28T06:49:50.6972845Z 		165 |   depends_on = [
2025-11-28T06:49:50.6973251Z 		166 |     google_project_service.logging,
2025-11-28T06:49:50.6973745Z 		167 |     google_storage_bucket.audit_logs
2025-11-28T06:49:50.6974213Z 		168 |   ]
2025-11-28T06:49:50.6974552Z 		169 | }
