GoogleCloudPlatform / policy-library

A library of constraint templates and sample constraints for Constraint Framework tools
Apache License 2.0
224 stars, 127 forks

Ancestry path does not work at resource (bucket, bigquery, vm, etc.) level #304

Open xingao267 opened 4 years ago

xingao267 commented 4 years ago

The match block works with the ancestry path, which at its most granular is the project level. Resource-level matching is handled via parameters within the template logic, which depends on whether or not the template supports that.

This implies some limitations; one example is that what's supported by the current legacy BigQuery rule cannot be achieved in the policy library. The closest thing I can find in the policy library is gcp_iam_allowed_bindings_v1.yaml, but you can't specify the dataset id in that constraint.
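To illustrate the distinction the comment above draws, here is a constructed constraint (added for this write-up, not a file from the policy-library repo) showing where the two scoping mechanisms live. The `match.target` value is an ancestry path and therefore bottoms out at a project; the BigQuery dataset id the reporter wants has no place in `match` and could only be expressed under `parameters`, and only if the template's Rego read such a parameter. The `kind`, the parameter names (`mode`, `role`, `members`) and the `datasetId` key are assumptions used for illustration, not fields guaranteed by the real template.

```yaml
# Constructed example, not a file from GoogleCloudPlatform/policy-library.
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV1   # assumed kind name for illustration
metadata:
  name: restrict-bq-dataset-owners
spec:
  severity: high
  match:
    # Ancestry path: the most granular target is a project.
    # There is no way to point this at a single dataset.
    target: ["organizations/**/projects/my-project"]   # assumed path form
    exclude: []
  parameters:
    # Resource-level scoping, if any, lives here and works only when the
    # template's Rego logic actually reads the parameter.
    mode: allowlist                  # assumed parameter name
    role: roles/bigquery.dataOwner   # assumed parameter name
    members:                         # assumed parameter name
      - "group:bq-admins@example.com"
    # datasetId is NOT a parameter the referenced v1 template documents;
    # it is shown here only to mark the gap the issue describes.
    # datasetId: "analytics_prod"
```

When a constraint's `match` targets a project, every resource in that project is evaluated; narrowing to one dataset would require the template itself to accept and check a dataset-scoped parameter, which is what the issue asks to be added.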

gkowalski-google commented 4 years ago

@hshin-g Are you aware of this limitation? Sounds like this is something we should add into the existing BigQuery templates to have feature parity with the Python scanners.

morgante commented 4 years ago

To be clear, this is an enhancement and not a bug. At present, match is only meant to apply to the project level.