Built-in scenario

gcp/sample_gcp_lb_compute_sql_plan.json

GCP Load Balancer / Compute / SQL Demo

Analyzed sample_gcp_lb_compute_sql_plan.json with 11 normalized resources and 2 trust boundaries.

Analyze another plan

Active findings

2

Trust boundaries

2

Resources

11

Observations

0
High 0
Medium 2
Low 0

Analysis coverage

Audit trail for this run

Terraform resources 11
Unsupported 0
Enabled rules 78
Unresolved refs 0

Resource coverage

Provider resources considered
11
Normalized resources
11

No unsupported GCP resource types were encountered.

Rule coverage

Registered rules
78
Disabled rules
0
  • gcp-cloud-sql-zonal-availability1
  • gcp-subnetwork-flow-logs-not-configured1

Findings

Severity bands

High

0

No high findings.

Medium

2

Cloud SQL instance uses zonal availability

gcp-cloud-sql-zonal-availability

google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.

Category
Denial of Service
Boundary
not-applicable
Resources
google_sql_database_instance.app
Evidence
  • availability posture: availability_type=ZONAL; engine=POSTGRES_15

GCP subnetwork Flow Logs are not configured

gcp-subnetwork-flow-logs-not-configured

google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.

Category
Repudiation
Boundary
not-applicable
Resources
google_compute_subnetwork.app
Evidence
  • subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo

Low

0

No low findings.

Observations

Controls and mitigating signals

No observations were recorded for this plan.

Trust boundaries

Crossings that drive the model

internet-to-service

internet -> google_compute_forwarding_rule.web

The resource is directly reachable or intentionally exposed to unauthenticated network clients.

workload-to-data-store

google_compute_instance.web -> google_sql_database_instance.app

Application or function workloads cross into a higher-sensitivity data plane when they share a VPC with the database and the plan does not provide tighter security-group evidence.

Raw outputs

Stable contract and markdown

JSON report
{
  "kind": "tfstride-report",
  "version": "1.1",
  "tool": {
    "name": "tfstride",
    "version": "0.4.23"
  },
  "title": "GCP Load Balancer / Compute / SQL Demo",
  "analyzed_file": "sample_gcp_lb_compute_sql_plan.json",
  "analyzed_path": "sample_gcp_lb_compute_sql_plan.json",
  "summary": {
    "normalized_resources": 11,
    "unsupported_resources": 0,
    "trust_boundaries": 2,
    "active_findings": 2,
    "total_findings": 2,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "severity_counts": {
      "high": 0,
      "medium": 2,
      "low": 0
    }
  },
  "filtering": {
    "total_findings": 2,
    "active_findings": 2,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "suppressions_path": null,
    "baseline_path": null
  },
  "analysis_coverage": {
    "resources": {
      "total_resources": 11,
      "provider_resources": 11,
      "normalized_resources": 11,
      "unsupported_resources": 0,
      "unsupported_resource_types": {}
    },
    "rules": {
      "registered_rule_count": 78,
      "enabled_rules": [
        "gcp-sensitive-resource-iam-external-access",
        "gcp-pubsub-public-access",
        "gcp-pubsub-topic-customer-managed-encryption-missing",
        "gcp-pubsub-message-retention-insufficient",
        "gcp-pubsub-subscription-dead-letter-policy-missing",
        "gcp-bigquery-public-access",
        "gcp-cloud-sql-public-authorized-network",
        "gcp-cloud-sql-backup-disabled",
        "gcp-cloud-sql-public-ip-without-private-network",
        "gcp-cloud-sql-ssl-not-required",
        "gcp-cloud-sql-point-in-time-recovery-disabled",
        "gcp-cloud-sql-deletion-protection-disabled",
        "gcp-cloud-sql-zonal-availability",
        "gcp-cloud-sql-query-insights-disabled",
        "gcp-cloud-sql-connector-enforcement-not-required",
        "gcp-cloud-sql-private-connectivity-not-modeled",
        "gcp-private-workload-private-google-access-disabled",
        "gcp-gcs-public-access",
        "gcp-gcs-uniform-bucket-level-access-disabled",
        "gcp-gcs-public-access-prevention-not-enforced",
        "gcp-gcs-versioning-disabled",
        "gcp-gcs-customer-managed-encryption-missing",
        "gcp-gcs-retention-policy-insufficient",
        "gcp-artifact-registry-docker-tags-mutable",
        "gcp-artifact-registry-customer-managed-encryption-missing",
        "gcp-artifact-registry-vulnerability-scanning-disabled",
        "gcp-secret-manager-customer-managed-encryption-missing",
        "gcp-secret-manager-lifecycle-posture-incomplete",
        "gcp-kms-key-rotation-not-configured-or-too-long",
        "gcp-kms-key-destroy-scheduled-duration-too-short",
        "gcp-public-compute-broad-ingress",
        "gcp-public-load-balanced-workload",
        "gcp-load-balancer-http-public-proxy",
        "gcp-load-balancer-ssl-policy-missing-or-weak",
        "gcp-public-load-balancer-cloud-armor-missing",
        "gcp-compute-os-login-disabled",
        "gcp-gke-public-control-plane",
        "gcp-gke-broad-authorized-networks",
        "gcp-gke-workload-identity-disabled",
        "gcp-gke-legacy-metadata-endpoints-enabled",
        "gcp-gke-broad-node-service-account",
        "gcp-gke-control-plane-logging-incomplete",
        "gcp-scc-asset-discovery-disabled",
        "gcp-logging-exclusion-drops-audit-security-logs",
        "gcp-logging-sink-audit-export-incomplete",
        "gcp-central-audit-sink-not-modeled",
        "gcp-subnetwork-flow-logs-not-configured",
        "gcp-subnetwork-flow-log-capture-incomplete",
        "gcp-gke-network-policy-disabled",
        "gcp-gke-secrets-encryption-not-configured",
        "gcp-gke-legacy-abac-enabled-or-unknown",
        "gcp-gke-client-certificate-auth-enabled-or-unknown",
        "gcp-gke-shielded-nodes-disabled-or-unknown",
        "gcp-gke-binary-authorization-not-enabled",
        "gcp-cloud-run-public-invoker",
        "gcp-cloud-functions-public-invoker",
        "gcp-cloud-run-image-not-digest-pinned",
        "gcp-cloud-run-artifact-registry-mutable-tag",
        "gcp-cloud-run-can-modify-image-repository",
        "gcp-cloud-run-sensitive-environment-value-inline",
        "gcp-cloud-run-secret-access-blast-radius",
        "gcp-public-cloud-run-gcs-mutation-access",
        "gcp-public-cloud-run-pubsub-mutation-access",
        "gcp-service-account-iam-broad-principal",
        "gcp-service-account-iam-privileged-role",
        "gcp-service-account-key-hygiene",
        "gcp-service-account-key-effective-access",
        "gcp-workload-identity-pool-wide-impersonation",
        "gcp-workload-identity-provider-unconditioned-broad-trust",
        "gcp-workload-identity-privileged-service-account-access",
        "gcp-org-folder-iam-broad-principal",
        "gcp-org-folder-iam-privileged-role",
        "gcp-project-iam-broad-principal",
        "gcp-project-iam-privileged-role",
        "gcp-iam-privileged-assignment",
        "gcp-inherited-iam-sensitive-resource-access",
        "gcp-inherited-iam-blast-radius",
        "gcp-public-workload-sensitive-data-access"
      ],
      "disabled_rules": [],
      "severity_overrides": {},
      "finding_counts_by_rule": {
        "gcp-sensitive-resource-iam-external-access": 0,
        "gcp-pubsub-public-access": 0,
        "gcp-pubsub-topic-customer-managed-encryption-missing": 0,
        "gcp-pubsub-message-retention-insufficient": 0,
        "gcp-pubsub-subscription-dead-letter-policy-missing": 0,
        "gcp-bigquery-public-access": 0,
        "gcp-cloud-sql-public-authorized-network": 0,
        "gcp-cloud-sql-backup-disabled": 0,
        "gcp-cloud-sql-public-ip-without-private-network": 0,
        "gcp-cloud-sql-ssl-not-required": 0,
        "gcp-cloud-sql-point-in-time-recovery-disabled": 0,
        "gcp-cloud-sql-deletion-protection-disabled": 0,
        "gcp-cloud-sql-zonal-availability": 1,
        "gcp-cloud-sql-query-insights-disabled": 0,
        "gcp-cloud-sql-connector-enforcement-not-required": 0,
        "gcp-cloud-sql-private-connectivity-not-modeled": 0,
        "gcp-private-workload-private-google-access-disabled": 0,
        "gcp-gcs-public-access": 0,
        "gcp-gcs-uniform-bucket-level-access-disabled": 0,
        "gcp-gcs-public-access-prevention-not-enforced": 0,
        "gcp-gcs-versioning-disabled": 0,
        "gcp-gcs-customer-managed-encryption-missing": 0,
        "gcp-gcs-retention-policy-insufficient": 0,
        "gcp-artifact-registry-docker-tags-mutable": 0,
        "gcp-artifact-registry-customer-managed-encryption-missing": 0,
        "gcp-artifact-registry-vulnerability-scanning-disabled": 0,
        "gcp-secret-manager-customer-managed-encryption-missing": 0,
        "gcp-secret-manager-lifecycle-posture-incomplete": 0,
        "gcp-kms-key-rotation-not-configured-or-too-long": 0,
        "gcp-kms-key-destroy-scheduled-duration-too-short": 0,
        "gcp-public-compute-broad-ingress": 0,
        "gcp-public-load-balanced-workload": 0,
        "gcp-load-balancer-http-public-proxy": 0,
        "gcp-load-balancer-ssl-policy-missing-or-weak": 0,
        "gcp-public-load-balancer-cloud-armor-missing": 0,
        "gcp-compute-os-login-disabled": 0,
        "gcp-gke-public-control-plane": 0,
        "gcp-gke-broad-authorized-networks": 0,
        "gcp-gke-workload-identity-disabled": 0,
        "gcp-gke-legacy-metadata-endpoints-enabled": 0,
        "gcp-gke-broad-node-service-account": 0,
        "gcp-gke-control-plane-logging-incomplete": 0,
        "gcp-scc-asset-discovery-disabled": 0,
        "gcp-logging-exclusion-drops-audit-security-logs": 0,
        "gcp-logging-sink-audit-export-incomplete": 0,
        "gcp-central-audit-sink-not-modeled": 0,
        "gcp-subnetwork-flow-logs-not-configured": 1,
        "gcp-subnetwork-flow-log-capture-incomplete": 0,
        "gcp-gke-network-policy-disabled": 0,
        "gcp-gke-secrets-encryption-not-configured": 0,
        "gcp-gke-legacy-abac-enabled-or-unknown": 0,
        "gcp-gke-client-certificate-auth-enabled-or-unknown": 0,
        "gcp-gke-shielded-nodes-disabled-or-unknown": 0,
        "gcp-gke-binary-authorization-not-enabled": 0,
        "gcp-cloud-run-public-invoker": 0,
        "gcp-cloud-functions-public-invoker": 0,
        "gcp-cloud-run-image-not-digest-pinned": 0,
        "gcp-cloud-run-artifact-registry-mutable-tag": 0,
        "gcp-cloud-run-can-modify-image-repository": 0,
        "gcp-cloud-run-sensitive-environment-value-inline": 0,
        "gcp-cloud-run-secret-access-blast-radius": 0,
        "gcp-public-cloud-run-gcs-mutation-access": 0,
        "gcp-public-cloud-run-pubsub-mutation-access": 0,
        "gcp-service-account-iam-broad-principal": 0,
        "gcp-service-account-iam-privileged-role": 0,
        "gcp-service-account-key-hygiene": 0,
        "gcp-service-account-key-effective-access": 0,
        "gcp-workload-identity-pool-wide-impersonation": 0,
        "gcp-workload-identity-provider-unconditioned-broad-trust": 0,
        "gcp-workload-identity-privileged-service-account-access": 0,
        "gcp-org-folder-iam-broad-principal": 0,
        "gcp-org-folder-iam-privileged-role": 0,
        "gcp-project-iam-broad-principal": 0,
        "gcp-project-iam-privileged-role": 0,
        "gcp-iam-privileged-assignment": 0,
        "gcp-inherited-iam-sensitive-resource-access": 0,
        "gcp-inherited-iam-blast-radius": 0,
        "gcp-public-workload-sensitive-data-access": 0
      }
    },
    "references": {
      "unresolved_reference_count": 0,
      "unresolved_references": []
    }
  },
  "inventory": {
    "provider": "gcp",
    "unsupported_resources": [],
    "metadata": {
      "supported_resource_types": [
        "google_artifact_registry_repository",
        "google_artifact_registry_repository_iam_binding",
        "google_artifact_registry_repository_iam_member",
        "google_artifact_registry_repository_iam_policy",
        "google_bigquery_dataset",
        "google_bigquery_dataset_iam_binding",
        "google_bigquery_dataset_iam_member",
        "google_bigquery_dataset_iam_policy",
        "google_bigquery_table",
        "google_bigquery_table_iam_binding",
        "google_bigquery_table_iam_member",
        "google_bigquery_table_iam_policy",
        "google_cloud_run_service",
        "google_cloud_run_service_iam_binding",
        "google_cloud_run_service_iam_member",
        "google_cloud_run_service_iam_policy",
        "google_cloud_run_v2_service",
        "google_cloud_run_v2_service_iam_binding",
        "google_cloud_run_v2_service_iam_member",
        "google_cloud_run_v2_service_iam_policy",
        "google_cloudfunctions2_function",
        "google_cloudfunctions2_function_iam_binding",
        "google_cloudfunctions2_function_iam_member",
        "google_cloudfunctions2_function_iam_policy",
        "google_cloudfunctions_function",
        "google_cloudfunctions_function_iam_binding",
        "google_cloudfunctions_function_iam_member",
        "google_cloudfunctions_function_iam_policy",
        "google_compute_backend_bucket",
        "google_compute_backend_service",
        "google_compute_firewall",
        "google_compute_firewall_policy",
        "google_compute_firewall_policy_association",
        "google_compute_firewall_policy_rule",
        "google_compute_forwarding_rule",
        "google_compute_global_address",
        "google_compute_global_forwarding_rule",
        "google_compute_instance",
        "google_compute_managed_ssl_certificate",
        "google_compute_network",
        "google_compute_network_endpoint_group",
        "google_compute_region_backend_service",
        "google_compute_region_network_endpoint_group",
        "google_compute_region_security_policy",
        "google_compute_region_target_http_proxy",
        "google_compute_region_target_https_proxy",
        "google_compute_region_url_map",
        "google_compute_route",
        "google_compute_router",
        "google_compute_router_nat",
        "google_compute_security_policy",
        "google_compute_service_attachment",
        "google_compute_ssl_policy",
        "google_compute_subnetwork",
        "google_compute_target_http_proxy",
        "google_compute_target_https_proxy",
        "google_compute_url_map",
        "google_container_cluster",
        "google_container_node_pool",
        "google_folder_iam_binding",
        "google_folder_iam_member",
        "google_folder_iam_policy",
        "google_folder_organization_policy",
        "google_iam_workload_identity_pool",
        "google_iam_workload_identity_pool_provider",
        "google_kms_crypto_key",
        "google_kms_crypto_key_iam_binding",
        "google_kms_crypto_key_iam_member",
        "google_kms_crypto_key_iam_policy",
        "google_kms_key_ring_iam_binding",
        "google_kms_key_ring_iam_member",
        "google_kms_key_ring_iam_policy",
        "google_logging_organization_exclusion",
        "google_logging_organization_sink",
        "google_logging_project_exclusion",
        "google_logging_project_sink",
        "google_network_connectivity_service_connection_policy",
        "google_org_policy_policy",
        "google_organization_iam_binding",
        "google_organization_iam_custom_role",
        "google_organization_iam_member",
        "google_organization_iam_policy",
        "google_organization_policy",
        "google_project_iam_binding",
        "google_project_iam_custom_role",
        "google_project_iam_member",
        "google_project_iam_policy",
        "google_project_organization_policy",
        "google_pubsub_subscription",
        "google_pubsub_subscription_iam_binding",
        "google_pubsub_subscription_iam_member",
        "google_pubsub_subscription_iam_policy",
        "google_pubsub_topic",
        "google_pubsub_topic_iam_binding",
        "google_pubsub_topic_iam_member",
        "google_pubsub_topic_iam_policy",
        "google_scc_organization_settings",
        "google_secret_manager_secret",
        "google_secret_manager_secret_iam_binding",
        "google_secret_manager_secret_iam_member",
        "google_secret_manager_secret_iam_policy",
        "google_service_account",
        "google_service_account_iam_binding",
        "google_service_account_iam_member",
        "google_service_account_iam_policy",
        "google_service_account_key",
        "google_service_networking_connection",
        "google_sql_database_instance",
        "google_storage_bucket",
        "google_storage_bucket_iam_binding",
        "google_storage_bucket_iam_member",
        "google_storage_bucket_iam_policy"
      ],
      "total_input_resources": 11,
      "provider_resource_count": 11,
      "normalized_resource_count": 11,
      "unsupported_resource_types": {}
    },
    "resources": [
      {
        "address": "google_compute_firewall.public_https",
        "provider": "gcp",
        "resource_type": "google_compute_firewall",
        "name": "public_https",
        "category": "network",
        "identifier": "tfstride-public-https",
        "arn": null,
        "vpc_id": "google_compute_network.main.name",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [
          {
            "direction": "ingress",
            "protocol": "tcp",
            "from_port": 443,
            "to_port": 443,
            "cidr_blocks": [
              "0.0.0.0/0"
            ],
            "ipv6_cidr_blocks": [],
            "referenced_security_group_ids": [],
            "description": null
          }
        ],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-public-https",
          "project": "tfstride-demo",
          "network": "google_compute_network.main.name",
          "allow": [
            {
              "protocol": "tcp",
              "ports": [
                "443"
              ]
            }
          ],
          "deny": [],
          "source_ranges": [
            "0.0.0.0/0"
          ],
          "destination_ranges": [],
          "target_tags": [
            "web"
          ],
          "source_tags": [],
          "target_service_accounts": [],
          "source_service_accounts": [],
          "firewall_direction": "ingress",
          "firewall_disabled": false
        }
      },
      {
        "address": "google_compute_forwarding_rule.web",
        "provider": "gcp",
        "resource_type": "google_compute_forwarding_rule",
        "name": "web",
        "category": "edge",
        "identifier": "tfstride-web-forwarding",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [
          "google_compute_subnetwork.app.id"
        ],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-web-forwarding",
          "project": "tfstride-demo",
          "region": "us-central1",
          "network": "google_compute_network.main.id",
          "subnetwork": "google_compute_subnetwork.app.id",
          "forwarding_rule_ip_address": "35.2.3.4",
          "forwarding_rule_load_balancing_scheme": "EXTERNAL",
          "forwarding_rule_target": "google_compute_target_pool.web.id",
          "forwarding_rule_ports": [
            "443"
          ],
          "forwarding_rule_source_ip_ranges": [],
          "ip_protocol": null,
          "port_range": null,
          "all_ports": false,
          "allow_global_access": false,
          "public_access_reasons": [
            "forwarding rule uses an external load balancing scheme"
          ],
          "direct_internet_reachable": true,
          "internet_ingress_capable": true,
          "internet_ingress_reasons": [
            "forwarding rule uses an external load balancing scheme"
          ],
          "public_exposure_reasons": [
            "forwarding rule uses an external load balancing scheme"
          ],
          "in_public_subnet": false,
          "has_nat_gateway_egress": true,
          "has_public_route": false
        }
      },
      {
        "address": "google_compute_instance.web",
        "provider": "gcp",
        "resource_type": "google_compute_instance",
        "name": "web",
        "category": "compute",
        "identifier": "tfstride-web",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [
          "google_compute_subnetwork.app.id"
        ],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-web",
          "project": "tfstride-demo",
          "zone": "us-central1-a",
          "machine_type": "e2-medium",
          "network_tags": [
            "web"
          ],
          "network_interfaces": [
            {
              "subnetwork": "google_compute_subnetwork.app.id"
            }
          ],
          "service_accounts": [
            {
              "email": "tfstride-web@example.iam.gserviceaccount.com",
              "scopes": [
                "https://www.googleapis.com/auth/logging.write"
              ]
            }
          ],
          "labels": {},
          "metadata": {
            "enable-oslogin": "true"
          },
          "can_ip_forward": false,
          "os_login_enabled": true,
          "public_access_reasons": [],
          "in_public_subnet": false,
          "has_nat_gateway_egress": true,
          "has_public_route": true,
          "internet_ingress_capable": true,
          "internet_ingress_reasons": [
            "google_compute_firewall.public_https ingress tcp 443 from 0.0.0.0/0"
          ],
          "internet_ingress_firewalls": [
            "google_compute_firewall.public_https"
          ],
          "direct_internet_reachable": false
        }
      },
      {
        "address": "google_compute_network.main",
        "provider": "gcp",
        "resource_type": "google_compute_network",
        "name": "main",
        "category": "network",
        "identifier": "tfstride-main",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-main",
          "project": "tfstride-demo",
          "auto_create_subnetworks": false,
          "routing_mode": "REGIONAL",
          "description": null
        }
      },
      {
        "address": "google_compute_route.default_internet",
        "provider": "gcp",
        "resource_type": "google_compute_route",
        "name": "default_internet",
        "category": "network",
        "identifier": "tfstride-default-internet",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-default-internet",
          "project": "tfstride-demo",
          "network": "google_compute_network.main.id",
          "route_dest_range": "0.0.0.0/0",
          "route_next_hop_gateway": "default-internet-gateway",
          "route_tags": [
            "web"
          ],
          "route_priority": 1000,
          "description": null
        }
      },
      {
        "address": "google_compute_router.main",
        "provider": "gcp",
        "resource_type": "google_compute_router",
        "name": "main",
        "category": "network",
        "identifier": "tfstride-router",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-router",
          "project": "tfstride-demo",
          "region": "us-central1",
          "network": "google_compute_network.main.id",
          "bgp": {},
          "description": null,
          "encrypted_interconnect_router": false
        }
      },
      {
        "address": "google_compute_router_nat.main",
        "provider": "gcp",
        "resource_type": "google_compute_router_nat",
        "name": "main",
        "category": "network",
        "identifier": "tfstride-nat",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-nat",
          "project": "tfstride-demo",
          "region": "us-central1",
          "router_reference": "google_compute_router.main.name",
          "nat_subnetworks": [],
          "nat_ip_allocate_option": null,
          "source_subnetwork_ip_ranges_to_nat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
          "min_ports_per_vm": null,
          "enable_endpoint_independent_mapping": false,
          "log_config": {}
        }
      },
      {
        "address": "google_compute_subnetwork.app",
        "provider": "gcp",
        "resource_type": "google_compute_subnetwork",
        "name": "app",
        "category": "network",
        "identifier": "tfstride-app",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-app",
          "project": "tfstride-demo",
          "region": "us-central1",
          "network": "google_compute_network.main.id",
          "cidr_range": "10.10.1.0/24",
          "private_ip_google_access": true,
          "purpose": null,
          "stack_type": null,
          "secondary_ip_ranges": [],
          "subnetwork_flow_log_state": "not_configured",
          "subnetwork_flow_log_config": {},
          "subnetwork_flow_log_metadata_fields": [],
          "network_telemetry_posture_uncertainties": [],
          "has_public_route": false,
          "is_public_subnet": false,
          "has_nat_gateway_egress": true
        }
      },
      {
        "address": "google_service_account.web",
        "provider": "gcp",
        "resource_type": "google_service_account",
        "name": "web",
        "category": "iam",
        "identifier": "tfstride-web@example.iam.gserviceaccount.com",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "projects/tfstride-demo/serviceAccounts/tfstride-web@example.iam.gserviceaccount.com",
          "project": "tfstride-demo",
          "service_account_account_id": "tfstride-web",
          "service_account_email": "tfstride-web@example.iam.gserviceaccount.com",
          "service_account_member": "serviceAccount:tfstride-web@example.iam.gserviceaccount.com",
          "service_account_unique_id": "100000000000000000001",
          "service_account_disabled": false,
          "display_name": "tfSTRIDE web workload",
          "description": "Service account used by the sample web workload."
        }
      },
      {
        "address": "google_service_networking_connection.private_services",
        "provider": "gcp",
        "resource_type": "google_service_networking_connection",
        "name": "private_services",
        "category": "network",
        "identifier": "servicenetworking-googleapis-com",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "private_services",
          "network": "google_compute_network.main.id",
          "private_connectivity_service": "servicenetworking.googleapis.com",
          "private_connectivity_reserved_ranges": [
            "private-services-range"
          ],
          "private_connectivity_peering": "servicenetworking-googleapis-com",
          "deletion_policy": null,
          "private_connectivity_uncertainties": []
        }
      },
      {
        "address": "google_sql_database_instance.app",
        "provider": "gcp",
        "resource_type": "google_sql_database_instance",
        "name": "app",
        "category": "data",
        "identifier": "tfstride-app-db",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "tfstride-app-db",
          "project": "tfstride-demo",
          "region": "us-central1",
          "database_version": "POSTGRES_15",
          "cloud_sql_private_network": "google_compute_network.main.id",
          "availability_type": "ZONAL",
          "cloud_sql_query_insights_state": "not_configured",
          "cloud_sql_insights_config": {},
          "cloud_sql_deletion_protection_state": "unknown",
          "cloud_sql_posture_uncertainties": [],
          "cloud_sql_ipv4_enabled": false,
          "cloud_sql_backup_enabled": true,
          "cloud_sql_point_in_time_recovery_enabled": true,
          "cloud_sql_require_ssl": true,
          "cloud_sql_authorized_networks": [],
          "cloud_sql_backup_configuration": {
            "enabled": true,
            "point_in_time_recovery_enabled": true
          },
          "cloud_sql_ip_configuration": {
            "ipv4_enabled": false,
            "require_ssl": true,
            "authorized_networks": [],
            "private_network": "google_compute_network.main.id"
          },
          "deletion_protection": true,
          "labels": {},
          "tier": "db-f1-micro",
          "disk_type": "PD_SSD",
          "disk_size": 20,
          "public_access_reasons": [],
          "direct_internet_reachable": false,
          "internet_ingress_capable": false,
          "internet_ingress_reasons": [],
          "public_exposure_reasons": [],
          "publicly_accessible": false,
          "storage_encrypted": true
        }
      }
    ]
  },
  "trust_boundaries": [
    {
      "identifier": "internet-to-service:internet->google_compute_forwarding_rule.web",
      "boundary_type": "internet-to-service",
      "source": "internet",
      "target": "google_compute_forwarding_rule.web",
      "description": "Traffic can cross from the public internet to google_compute_forwarding_rule.web.",
      "rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
    },
    {
      "identifier": "workload-to-data-store:google_compute_instance.web->google_sql_database_instance.app",
      "boundary_type": "workload-to-data-store",
      "source": "google_compute_instance.web",
      "target": "google_sql_database_instance.app",
      "description": "google_compute_instance.web can interact with google_sql_database_instance.app.",
      "rationale": "Application or function workloads cross into a higher-sensitivity data plane when they share a VPC with the database and the plan does not provide tighter security-group evidence."
    }
  ],
  "findings": [
    {
      "fingerprint": "sha256:a9a311adbcdee8161de2e4e8e8247dee5c199db0555e662a89c4626bb18a2a24",
      "title": "Cloud SQL instance uses zonal availability",
      "rule_id": "gcp-cloud-sql-zonal-availability",
      "category": "Denial of Service",
      "severity": "medium",
      "affected_resources": [
        "google_sql_database_instance.app"
      ],
      "trust_boundary_id": null,
      "rationale": "google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.",
      "recommended_mitigation": "Use `REGIONAL` availability for production Cloud SQL instances that require higher availability, then validate application failover behavior and recovery objectives.",
      "evidence": [
        {
          "key": "availability_posture",
          "values": [
            "availability_type=ZONAL",
            "engine=POSTGRES_15"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 2,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:d7380b4b3e19c2f29c68019a1757075b9455a4465c9cf613a0fd4a3a2d8dc9e9",
      "title": "GCP subnetwork Flow Logs are not configured",
      "rule_id": "gcp-subnetwork-flow-logs-not-configured",
      "category": "Repudiation",
      "severity": "medium",
      "affected_resources": [
        "google_compute_subnetwork.app"
      ],
      "trust_boundary_id": null,
      "rationale": "google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.",
      "recommended_mitigation": "Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.",
      "evidence": [
        {
          "key": "subnetwork_flow_log_posture",
          "values": [
            "address=google_compute_subnetwork.app",
            "type=google_compute_subnetwork",
            "name=app",
            "identifier=tfstride-app",
            "flow_log_state=not_configured",
            "network=google_compute_network.main.id",
            "project=tfstride-demo"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 2,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    }
  ],
  "suppressed_findings": [],
  "baselined_findings": [],
  "observations": [],
  "limitations": [
    "GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.",
    "The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
  ]
}
Markdown report
# GCP Load Balancer / Compute / SQL Demo

- Analyzed file: `sample_gcp_lb_compute_sql_plan.json`
- Provider: `gcp`
- Normalized resources: `11`
- Unsupported resources: `0`

## Summary

This run identified **2 trust boundaries** and **2 findings** across **11 normalized resources**.

- High severity findings: `0`
- Medium severity findings: `2`
- Low severity findings: `0`

## Analysis Coverage

- Terraform resources seen: `11`
- Provider resources considered: `11`
- Normalized resources: `11`
- Unsupported resources: `0`
- Registered provider rules (GCP): `78`
- Enabled provider rules (GCP): `78`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
  - `gcp-cloud-sql-zonal-availability`: `1`
  - `gcp-subnetwork-flow-logs-not-configured`: `1`

## Discovered Trust Boundaries

### `internet-to-service`

- Source: `internet`
- Target: `google_compute_forwarding_rule.web`
- Description: Traffic can cross from the public internet to google_compute_forwarding_rule.web.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.

### `workload-to-data-store`

- Source: `google_compute_instance.web`
- Target: `google_sql_database_instance.app`
- Description: google_compute_instance.web can interact with google_sql_database_instance.app.
- Rationale: Application or function workloads cross into a higher-sensitivity data plane when they share a VPC with the database and the plan does not provide tighter security-group evidence.

## Findings

### High

No findings in this severity band.

### Medium

#### Cloud SQL instance uses zonal availability

- STRIDE category: Denial of Service
- Affected resources: `google_sql_database_instance.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +2, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_sql_database_instance.app uses zonal Cloud SQL availability. A zonal failure or maintenance disruption can leave the database unavailable longer than a regional high-availability deployment.
- Recommended mitigation: Use `REGIONAL` availability for production Cloud SQL instances that require higher availability, then validate application failover behavior and recovery objectives.
- Evidence:
  - availability posture: availability_type=ZONAL; engine=POSTGRES_15

#### GCP subnetwork Flow Logs are not configured

- STRIDE category: Repudiation
- Affected resources: `google_compute_subnetwork.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +2, blast_radius +1, final_score 3 => medium
- Rationale: google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.
- Recommended mitigation: Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.
- Evidence:
  - subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo

### Low

No findings in this severity band.

## Limitations / Unsupported Resources

- GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.

Limits

Unsupported or intentionally scoped areas

  • GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
  • The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.