GoogleCloudPlatform / document-ai-samples

Sample applications and demos for Document AI, the end-to-end document processing platform on Google Cloud
https://cloud.google.com/document-ai
Apache License 2.0

Fix Checkov errors in `document-processing-workflows` #748

Open holtskinner opened 9 months ago

holtskinner commented 9 months ago

Blocking #747

Checkov output for `document-processing-workflows` (Terraform scan: 19 failed checks, all in `main.tf`):

2024-02-15T12:38:48.9347428Z 2024-02-15 12:38:48 [ERROR]   Errors found in CHECKOV
2024-02-15T12:38:48.9448561Z 2024-02-15 12:38:48 [ERROR]   Command output for CHECKOV:
2024-02-15T12:38:48.9449968Z ------
2024-02-15T12:38:48.9450551Z terraform scan results:
2024-02-15T12:38:48.9450952Z 
2024-02-15T12:38:48.9451458Z Passed checks: 46, Failed checks: 19, Skipped checks: 0
2024-02-15T12:38:48.9452296Z 
2024-02-15T12:38:48.9453100Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9454449Z    FAILED for resource: google_storage_bucket.source
2024-02-15T12:38:48.9455995Z    File: /document-processing-workflows/main.tf:138-144
2024-02-15T12:38:48.9458344Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9462527Z 
2024-02-15T12:38:48.9462884Z        138 | resource "google_storage_bucket" "source" {
2024-02-15T12:38:48.9464258Z        139 |   name                        = "${var.project_id}-source"
2024-02-15T12:38:48.9465286Z        140 |   location                    = var.region
2024-02-15T12:38:48.9466289Z        141 |   force_destroy               = true
2024-02-15T12:38:48.9467100Z        142 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9468246Z        143 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9470343Z        144 | }
2024-02-15T12:38:48.9470921Z 
2024-02-15T12:38:48.9471271Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9472520Z    FAILED for resource: google_storage_bucket.source
2024-02-15T12:38:48.9474575Z    File: /document-processing-workflows/main.tf:138-144
2024-02-15T12:38:48.9476805Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9478159Z 
2024-02-15T12:38:48.9478750Z        138 | resource "google_storage_bucket" "source" {
2024-02-15T12:38:48.9479717Z        139 |   name                        = "${var.project_id}-source"
2024-02-15T12:38:48.9480650Z        140 |   location                    = var.region
2024-02-15T12:38:48.9481379Z        141 |   force_destroy               = true
2024-02-15T12:38:48.9482069Z        142 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9482990Z        143 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9483779Z        144 | }
2024-02-15T12:38:48.9484037Z 
2024-02-15T12:38:48.9484409Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9485403Z    FAILED for resource: google_storage_bucket.source
2024-02-15T12:38:48.9486370Z    File: /document-processing-workflows/main.tf:138-144
2024-02-15T12:38:48.9488773Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9490388Z 
2024-02-15T12:38:48.9490765Z        138 | resource "google_storage_bucket" "source" {
2024-02-15T12:38:48.9491737Z        139 |   name                        = "${var.project_id}-source"
2024-02-15T12:38:48.9492549Z        140 |   location                    = var.region
2024-02-15T12:38:48.9493313Z        141 |   force_destroy               = true
2024-02-15T12:38:48.9494054Z        142 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9494899Z        143 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9495872Z        144 | }
2024-02-15T12:38:48.9496229Z 
2024-02-15T12:38:48.9496779Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9497880Z    FAILED for resource: google_storage_bucket.uploads
2024-02-15T12:38:48.9498860Z    File: /document-processing-workflows/main.tf:146-152
2024-02-15T12:38:48.9500708Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9502041Z 
2024-02-15T12:38:48.9502329Z        146 | resource "google_storage_bucket" "uploads" {
2024-02-15T12:38:48.9503403Z        147 |   name                        = "${var.project_id}-uploads"
2024-02-15T12:38:48.9504180Z        148 |   location                    = var.region
2024-02-15T12:38:48.9504906Z        149 |   force_destroy               = true
2024-02-15T12:38:48.9505721Z        150 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9506527Z        151 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9507314Z        152 | }
2024-02-15T12:38:48.9507578Z 
2024-02-15T12:38:48.9507955Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9508700Z    FAILED for resource: google_storage_bucket.uploads
2024-02-15T12:38:48.9509637Z    File: /document-processing-workflows/main.tf:146-152
2024-02-15T12:38:48.9511575Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9512941Z 
2024-02-15T12:38:48.9513271Z        146 | resource "google_storage_bucket" "uploads" {
2024-02-15T12:38:48.9514187Z        147 |   name                        = "${var.project_id}-uploads"
2024-02-15T12:38:48.9515095Z        148 |   location                    = var.region
2024-02-15T12:38:48.9515823Z        149 |   force_destroy               = true
2024-02-15T12:38:48.9516513Z        150 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9517434Z        151 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9518221Z        152 | }
2024-02-15T12:38:48.9518695Z 
2024-02-15T12:38:48.9519071Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9520079Z    FAILED for resource: google_storage_bucket.uploads
2024-02-15T12:38:48.9521041Z    File: /document-processing-workflows/main.tf:146-152
2024-02-15T12:38:48.9523272Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9525023Z 
2024-02-15T12:38:48.9525314Z        146 | resource "google_storage_bucket" "uploads" {
2024-02-15T12:38:48.9526283Z        147 |   name                        = "${var.project_id}-uploads"
2024-02-15T12:38:48.9527513Z        148 |   location                    = var.region
2024-02-15T12:38:48.9528316Z        149 |   force_destroy               = true
2024-02-15T12:38:48.9529057Z        150 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9529949Z        151 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9530805Z        152 | }
2024-02-15T12:38:48.9531080Z 
2024-02-15T12:38:48.9531628Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9532747Z    FAILED for resource: google_storage_bucket.processing
2024-02-15T12:38:48.9533771Z    File: /document-processing-workflows/main.tf:154-160
2024-02-15T12:38:48.9535592Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9538093Z 
2024-02-15T12:38:48.9538548Z        154 | resource "google_storage_bucket" "processing" {
2024-02-15T12:38:48.9539550Z        155 |   name                        = "${var.project_id}-processing"
2024-02-15T12:38:48.9540397Z        156 |   location                    = var.region
2024-02-15T12:38:48.9541277Z        157 |   force_destroy               = true
2024-02-15T12:38:48.9542023Z        158 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9543215Z        159 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9598501Z        160 | }
2024-02-15T12:38:48.9598827Z 
2024-02-15T12:38:48.9599292Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9599990Z    FAILED for resource: google_storage_bucket.processing
2024-02-15T12:38:48.9600998Z    File: /document-processing-workflows/main.tf:154-160
2024-02-15T12:38:48.9602611Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9603600Z 
2024-02-15T12:38:48.9603800Z        154 | resource "google_storage_bucket" "processing" {
2024-02-15T12:38:48.9604451Z        155 |   name                        = "${var.project_id}-processing"
2024-02-15T12:38:48.9605078Z        156 |   location                    = var.region
2024-02-15T12:38:48.9605682Z        157 |   force_destroy               = true
2024-02-15T12:38:48.9606132Z        158 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9606751Z        159 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9607524Z        160 | }
2024-02-15T12:38:48.9607705Z 
2024-02-15T12:38:48.9608010Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9608691Z    FAILED for resource: google_storage_bucket.processing
2024-02-15T12:38:48.9609337Z    File: /document-processing-workflows/main.tf:154-160
2024-02-15T12:38:48.9610589Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9611596Z 
2024-02-15T12:38:48.9611800Z        154 | resource "google_storage_bucket" "processing" {
2024-02-15T12:38:48.9612437Z        155 |   name                        = "${var.project_id}-processing"
2024-02-15T12:38:48.9613033Z        156 |   location                    = var.region
2024-02-15T12:38:48.9613483Z        157 |   force_destroy               = true
2024-02-15T12:38:48.9613962Z        158 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9614785Z        159 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9615256Z        160 | }
2024-02-15T12:38:48.9615471Z 
2024-02-15T12:38:48.9615869Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9616615Z    FAILED for resource: google_storage_bucket.results
2024-02-15T12:38:48.9617359Z    File: /document-processing-workflows/main.tf:162-185
2024-02-15T12:38:48.9618468Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9619216Z 
2024-02-15T12:38:48.9619505Z        162 | resource "google_storage_bucket" "results" {
2024-02-15T12:38:48.9620063Z        163 |   for_each                    = google_document_ai_processor.processor
2024-02-15T12:38:48.9620765Z        164 |   name                        = "${var.project_id}-results-${each.value.name}"
2024-02-15T12:38:48.9621393Z        165 |   location                    = var.region
2024-02-15T12:38:48.9621892Z        166 |   force_destroy               = true
2024-02-15T12:38:48.9622319Z        167 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9622810Z        168 | 
2024-02-15T12:38:48.9623127Z        169 |   dynamic "cors" {
2024-02-15T12:38:48.9623600Z        170 |     for_each = var.proxy_storage_requests ? [] : [1]
2024-02-15T12:38:48.9624157Z        171 |     content {
2024-02-15T12:38:48.9624581Z        172 |       origin          = ["https://${var.domain}"]
2024-02-15T12:38:48.9625120Z        173 |       method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
2024-02-15T12:38:48.9625713Z        174 |       response_header = ["*"]
2024-02-15T12:38:48.9626132Z        175 |       max_age_seconds = 3600
2024-02-15T12:38:48.9626491Z        176 |     }
2024-02-15T12:38:48.9626885Z        177 |   }
2024-02-15T12:38:48.9627195Z        178 | 
2024-02-15T12:38:48.9627540Z        179 |   depends_on = [google_project_service.storage]
2024-02-15T12:38:48.9628085Z        180 | 
2024-02-15T12:38:48.9628673Z        181 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9629268Z        182 |   autoclass {
2024-02-15T12:38:48.9629701Z        183 |     enabled = true
2024-02-15T12:38:48.9630060Z        184 |   }
2024-02-15T12:38:48.9630340Z        185 | }
2024-02-15T12:38:48.9630529Z 
2024-02-15T12:38:48.9630774Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9631286Z    FAILED for resource: google_storage_bucket.results
2024-02-15T12:38:48.9631873Z    File: /document-processing-workflows/main.tf:162-185
2024-02-15T12:38:48.9633034Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9633889Z 
2024-02-15T12:38:48.9634115Z        162 | resource "google_storage_bucket" "results" {
2024-02-15T12:38:48.9634683Z        163 |   for_each                    = google_document_ai_processor.processor
2024-02-15T12:38:48.9635447Z        164 |   name                        = "${var.project_id}-results-${each.value.name}"
2024-02-15T12:38:48.9636080Z        165 |   location                    = var.region
2024-02-15T12:38:48.9636566Z        166 |   force_destroy               = true
2024-02-15T12:38:48.9637052Z        167 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9637486Z        168 | 
2024-02-15T12:38:48.9637798Z        169 |   dynamic "cors" {
2024-02-15T12:38:48.9638272Z        170 |     for_each = var.proxy_storage_requests ? [] : [1]
2024-02-15T12:38:48.9638811Z        171 |     content {
2024-02-15T12:38:48.9639225Z        172 |       origin          = ["https://${var.domain}"]
2024-02-15T12:38:48.9639817Z        173 |       method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
2024-02-15T12:38:48.9640349Z        174 |       response_header = ["*"]
2024-02-15T12:38:48.9640768Z        175 |       max_age_seconds = 3600
2024-02-15T12:38:48.9641185Z        176 |     }
2024-02-15T12:38:48.9641572Z        177 |   }
2024-02-15T12:38:48.9641871Z        178 | 
2024-02-15T12:38:48.9642272Z        179 |   depends_on = [google_project_service.storage]
2024-02-15T12:38:48.9642895Z        180 | 
2024-02-15T12:38:48.9643438Z        181 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9644105Z        182 |   autoclass {
2024-02-15T12:38:48.9644460Z        183 |     enabled = true
2024-02-15T12:38:48.9644813Z        184 |   }
2024-02-15T12:38:48.9645153Z        185 | }
2024-02-15T12:38:48.9645341Z 
2024-02-15T12:38:48.9645697Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9646304Z    FAILED for resource: google_storage_bucket.results
2024-02-15T12:38:48.9647002Z    File: /document-processing-workflows/main.tf:162-185
2024-02-15T12:38:48.9648956Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9649868Z 
2024-02-15T12:38:48.9650112Z        162 | resource "google_storage_bucket" "results" {
2024-02-15T12:38:48.9650741Z        163 |   for_each                    = google_document_ai_processor.processor
2024-02-15T12:38:48.9651459Z        164 |   name                        = "${var.project_id}-results-${each.value.name}"
2024-02-15T12:38:48.9652041Z        165 |   location                    = var.region
2024-02-15T12:38:48.9652568Z        166 |   force_destroy               = true
2024-02-15T12:38:48.9652994Z        167 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9653435Z        168 | 
2024-02-15T12:38:48.9653811Z        169 |   dynamic "cors" {
2024-02-15T12:38:48.9654223Z        170 |     for_each = var.proxy_storage_requests ? [] : [1]
2024-02-15T12:38:48.9654715Z        171 |     content {
2024-02-15T12:38:48.9655238Z        172 |       origin          = ["https://${var.domain}"]
2024-02-15T12:38:48.9655783Z        173 |       method          = ["GET", "HEAD", "PUT", "POST", "DELETE"]
2024-02-15T12:38:48.9656297Z        174 |       response_header = ["*"]
2024-02-15T12:38:48.9656772Z        175 |       max_age_seconds = 3600
2024-02-15T12:38:48.9657147Z        176 |     }
2024-02-15T12:38:48.9657456Z        177 |   }
2024-02-15T12:38:48.9657822Z        178 | 
2024-02-15T12:38:48.9658181Z        179 |   depends_on = [google_project_service.storage]
2024-02-15T12:38:48.9658635Z        180 | 
2024-02-15T12:38:48.9659220Z        181 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9659823Z        182 |   autoclass {
2024-02-15T12:38:48.9660172Z        183 |     enabled = true
2024-02-15T12:38:48.9660651Z        184 |   }
2024-02-15T12:38:48.9660918Z        185 | }
2024-02-15T12:38:48.9661105Z 
2024-02-15T12:38:48.9661444Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9662197Z    FAILED for resource: google_storage_bucket.failed
2024-02-15T12:38:48.9662758Z    File: /document-processing-workflows/main.tf:187-198
2024-02-15T12:38:48.9663930Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9664682Z 
2024-02-15T12:38:48.9664984Z        187 | resource "google_storage_bucket" "failed" {
2024-02-15T12:38:48.9665552Z        188 |   name                        = "${var.project_id}-failed"
2024-02-15T12:38:48.9666074Z        189 |   location                    = var.region
2024-02-15T12:38:48.9666621Z        190 |   force_destroy               = true
2024-02-15T12:38:48.9667044Z        191 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9667680Z        192 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9668259Z        193 | 
2024-02-15T12:38:48.9668838Z        194 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9669419Z        195 |   autoclass {
2024-02-15T12:38:48.9669852Z        196 |     enabled = true
2024-02-15T12:38:48.9670207Z        197 |   }
2024-02-15T12:38:48.9670489Z        198 | }
2024-02-15T12:38:48.9670737Z 
2024-02-15T12:38:48.9670906Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9671404Z    FAILED for resource: google_storage_bucket.failed
2024-02-15T12:38:48.9671977Z    File: /document-processing-workflows/main.tf:187-198
2024-02-15T12:38:48.9673342Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9674109Z 
2024-02-15T12:38:48.9674343Z        187 | resource "google_storage_bucket" "failed" {
2024-02-15T12:38:48.9675154Z        188 |   name                        = "${var.project_id}-failed"
2024-02-15T12:38:48.9675762Z        189 |   location                    = var.region
2024-02-15T12:38:48.9676251Z        190 |   force_destroy               = true
2024-02-15T12:38:48.9676676Z        191 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9677282Z        192 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9677800Z        193 | 
2024-02-15T12:38:48.9678285Z        194 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9678967Z        195 |   autoclass {
2024-02-15T12:38:48.9679335Z        196 |     enabled = true
2024-02-15T12:38:48.9679657Z        197 |   }
2024-02-15T12:38:48.9680029Z        198 | }
2024-02-15T12:38:48.9680185Z 
2024-02-15T12:38:48.9680520Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9681098Z    FAILED for resource: google_storage_bucket.failed
2024-02-15T12:38:48.9681731Z    File: /document-processing-workflows/main.tf:187-198
2024-02-15T12:38:48.9682971Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9683861Z 
2024-02-15T12:38:48.9684076Z        187 | resource "google_storage_bucket" "failed" {
2024-02-15T12:38:48.9684707Z        188 |   name                        = "${var.project_id}-failed"
2024-02-15T12:38:48.9685226Z        189 |   location                    = var.region
2024-02-15T12:38:48.9685696Z        190 |   force_destroy               = true
2024-02-15T12:38:48.9686210Z        191 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9686747Z        192 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9687464Z        193 | 
2024-02-15T12:38:48.9688039Z        194 |   # as results may stay in the bucket longer, enable autoclass by default to reduce cost
2024-02-15T12:38:48.9688725Z        195 |   autoclass {
2024-02-15T12:38:48.9689094Z        196 |     enabled = true
2024-02-15T12:38:48.9689476Z        197 |   }
2024-02-15T12:38:48.9689779Z        198 | }
2024-02-15T12:38:48.9689932Z 
2024-02-15T12:38:48.9690323Z Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
2024-02-15T12:38:48.9691072Z    FAILED for resource: google_storage_bucket.datasets
2024-02-15T12:38:48.9691653Z    File: /document-processing-workflows/main.tf:200-206
2024-02-15T12:38:48.9692753Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/bc-google-cloud-114
2024-02-15T12:38:48.9693564Z 
2024-02-15T12:38:48.9693792Z        200 | resource "google_storage_bucket" "datasets" {
2024-02-15T12:38:48.9694364Z        201 |   name                        = "${var.project_id}-datasets"
2024-02-15T12:38:48.9694906Z        202 |   location                    = var.region
2024-02-15T12:38:48.9695497Z        203 |   force_destroy               = true
2024-02-15T12:38:48.9695919Z        204 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9696476Z        205 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9697035Z        206 | }
2024-02-15T12:38:48.9697191Z 
2024-02-15T12:38:48.9697375Z Check: CKV_GCP_62: "Bucket should log access"
2024-02-15T12:38:48.9697923Z    FAILED for resource: google_storage_bucket.datasets
2024-02-15T12:38:48.9698575Z    File: /document-processing-workflows/main.tf:200-206
2024-02-15T12:38:48.9699678Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2
2024-02-15T12:38:48.9700432Z 
2024-02-15T12:38:48.9700618Z        200 | resource "google_storage_bucket" "datasets" {
2024-02-15T12:38:48.9701482Z        201 |   name                        = "${var.project_id}-datasets"
2024-02-15T12:38:48.9702005Z        202 |   location                    = var.region
2024-02-15T12:38:48.9702440Z        203 |   force_destroy               = true
2024-02-15T12:38:48.9703046Z        204 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9703961Z        205 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9704447Z        206 | }
2024-02-15T12:38:48.9704720Z 
2024-02-15T12:38:48.9704969Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2024-02-15T12:38:48.9705553Z    FAILED for resource: google_storage_bucket.datasets
2024-02-15T12:38:48.9706112Z    File: /document-processing-workflows/main.tf:200-206
2024-02-15T12:38:48.9707496Z    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled
2024-02-15T12:38:48.9708421Z 
2024-02-15T12:38:48.9708617Z        200 | resource "google_storage_bucket" "datasets" {
2024-02-15T12:38:48.9709285Z        201 |   name                        = "${var.project_id}-datasets"
2024-02-15T12:38:48.9709781Z        202 |   location                    = var.region
2024-02-15T12:38:48.9710256Z        203 |   force_destroy               = true
2024-02-15T12:38:48.9710865Z        204 |   uniform_bucket_level_access = true
2024-02-15T12:38:48.9711365Z        205 |   depends_on                  = [google_project_service.storage]
2024-02-15T12:38:48.9711879Z        206 | }
2024-02-15T12:38:48.9712035Z 
2024-02-15T12:38:48.9712524Z Check: CKV2_GCP_22: "Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK)"
2024-02-15T12:38:48.9713260Z    FAILED for resource: google_document_ai_processor.processor
2024-02-15T12:38:48.9713912Z    File: /document-processing-workflows/main.tf:210-216
2024-02-15T12:38:48.9714331Z 
2024-02-15T12:38:48.9714554Z        210 | resource "google_document_ai_processor" "processor" {
2024-02-15T12:38:48.9715074Z        211 |   for_each     = var.processors
2024-02-15T12:38:48.9715503Z        212 |   location     = each.value.location
2024-02-15T12:38:48.9716044Z        213 |   display_name = each.value.display_name
2024-02-15T12:38:48.9716514Z        214 |   type         = each.value.type
2024-02-15T12:38:48.9716991Z        215 |   depends_on   = [google_project_service.documentai]
2024-02-15T12:38:48.9717585Z        216 | }