Description
When bucket_policy_only is set to true, constraint set to storage_bucket_policy_only.yaml, and template set to gcp_storage_bucket_policy_only_v1.yaml, terraform-validator should return find NO violation. But testing at my end DOES return violation.

Terraform Testing File: main.tf

provider "google" {
  project = "some-gcp-project"
}

resource "google_storage_bucket" "sample" {
  name = "test_bucket"
  bucket_policy_only = "true"
}

Possible Cause
The CAI file converted by terraform-validator is shown below.

[  
  {  
    "name":"//storage.googleapis.com/test_bucket",
    "asset_type":"storage.googleapis.com/Bucket",
    "ancestry_path":"organization/../folder/../folder/../project/some-gcp-project",
    "resource":{  
      "version":"v1",
      "discovery_document_uri":"https://www.googleapis.com/discovery/v1/apis/storage/v1/rest",
      "discovery_name":"Bucket",
      "parent":"//cloudresourcemanager.googleapis.com/projects/some-gcp-project",
      "data":{  
        "lifecycle":{  
          "rule":[  

          ]
        },
        "location":"US",
        "name":"test_bucket",
        "project":"some-gcp-project",
        "storageClass":"STANDARD"
      }
    }
  }
]

It lacks the field "resource.data.iamConfiguration.bucketPolicyOnly.enabled", which I presume is required by the rego code in gcp_storage_bucket_policy_only_v1.yaml to do the evaluation. Specifically, since the said field doesn't exist, this rego code

bucket_policy_enabled := lib.get_default(bucket_policy_only, "enabled", null)

leads to the bucket_policy_enabled(bucket) function returning false, which causes the rule to pass, i.e. violation is triggered.

If, in the above-mentioned code, we switch null to true, then no violation is triggered. This further suggests that the cause of the issue is most likely the disappearance of the "resource.data.iamConfiguration.bucketPolicyOnly.enabled" field.

The integration test relies on terraform v0.11 to generate tfplan file for runningTestConvert but the Dockerfile bundles the v0.12 which does not support tfplan generation.

My understanding about the convert command is that it would generate the CAI version of the TF plan. This is actually useful as the convert command perfoms ancestry discovery and the result of that is more comprehensive than the TF plan. However, validate command has no interface taking the result from convert which makes it redundant.

Please consider extending the validate command to accept the result from convert, possibly via a flag like --with-asset-json.

The latest binary build does not contain the fixes that allow for Terraform 0.12 plan output support:

gs://terraform-validator/releases/2019-06-19/

Forgive me if this not the right place to reach the maintainers of that bucket.

We should add Cloud Build support to test pull requests.

The configurations of compute_disk and compute_instance contain the image field which would trigger a call to resolveImageImageExists and resolveImageFamilyExists for images in the form of xyz/xyz.

The logic on resolveImage is described in https://github.com/GoogleCloudPlatform/terraform-google-conversion/blob/af8ba4e287cf4b1f5b631dc16ed7b74fb4aff136/google/image.go#L73

// If the given name is a URL, return it.
// If it's in the form projects/{project}/global/images/{image}, return it
// If it's in the form projects/{project}/global/images/family/{family}, return it
// If it's in the form global/images/{image}, return it
// If it's in the form global/images/family/{family}, return it
// If it's in the form family/{family}, check if it's a family in the current project. If it is, return it as global/images/family/{family}.
//    If not, check if it could be a GCP-provided family, and if it exists. If it does, return it as projects/{project}/global/images/family/{family}.
// If it's in the form {project}/{family-or-image}, check if it's an image in the named project. If it is, return it as projects/{project}/global/images/{image}.
//    If not, check if it's a family in the named project. If it is, return it as projects/{project}/global/images/family/{family}.
// If it's in the form {family-or-image}, check if it's an image in the current project. If it is, return it as global/images/{image}.
//    If not, check if it could be a GCP-provided image, and if it exists. If it does, return it as projects/{project}/global/images/{image}.
//    If not, check if it's a family in the current project. If it is, return it as global/images/family/{family}.
//    If not, check if it could be a GCP-provided family, and if it exists. If it does, return it as projects/{project}/global/images/family/{family}

Since GCP API direct fetching in terraform-google-conversion is being discouraged (@danawillow , @chrisst please correct me if I am wrong), terraform-validator currently does not have the service client initialized, and will cause a panic when the resolveImage*Exists calls are triggered.

I understand that developers may found it useful if image path can be provided using shorthand. But on the other hand, to make a analyser (terraform-validator) to be deterministic against a configuration, I think it is important to guide the developers to provide the full path of an image.

Consider the fact that an image like debian-8-jessie-v20170523 could mean an image in the project or an image in projects/debian-cloud/global/images/debian-8-jessie-v20170523, a potential attacker to the system can create an image inside the project with the same name and then override all the potential deployments afterwards. I think it is important to make the image resolution be deterministic to encourage developers to put a full path there. It is possible to do that by making resolveImage*Exists returns an error if c.clientCompute is not configured, and prompt the user to change the image path to full path format.

I want to understand if this is the way to go because this may break existing users (but from the fact that no one reported the issues, I suspect this path is not hit by most users). If so, I can provide the pull request to the upstream dependencies.

Hi

I get this error when running the validator against a plan file that has a google_storage_bucket resource in it.

panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/GoogleCloudPlatform/terraform-google-conversion/google.GetStorageBucketApiObject(0x285e000, 0xc000121d20, 0xc0000fcf00, 0x2470baf, 0x21, 0xc000c8d320)
        /home/jens_hornstrom_seb_se/terraform-validator/vendor/github.com/GoogleCloudPlatform/terraform-google-conversion/google/storage_bucket.go:80 +0x10e4
github.com/GoogleCloudPlatform/terraform-google-conversion/google.GetStorageBucketCaiObject(0x285e000, 0xc000121d20, 0xc0000fcf00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /home/jens_hornstrom_seb_se/terraform-validator/vendor/github.com/GoogleCloudPlatform/terraform-google-conversion/google/storage_bucket.go:25 +0xdc
github.com/GoogleCloudPlatform/terraform-validator/converters/google.(*Converter).AddResource(0xc000393bf0, 0x2854e80, 0xc00025d980, 0x0, 0x0)
        /home/jens_hornstrom_seb_se/terraform-validator/converters/google/convert.go:157 +0x14c
github.com/GoogleCloudPlatform/terraform-validator/tfgcv.ReadPlannedAssets(0x7fff8c0e872e, 0x16, 0x0, 0x0, 0x0, 0x0, 0xc000229c00, 0x0, 0x0, 0x0, ...)
        /home/jens_hornstrom_seb_se/terraform-validator/tfgcv/planned_assets.go:101 +0x516
github.com/GoogleCloudPlatform/terraform-validator/cmd.glob..func6(0x36f1ce0, 0xc000329520, 0x1, 0x2, 0x0, 0x0)
        /home/jens_hornstrom_seb_se/terraform-validator/cmd/validate.go:52 +0x9b
github.com/spf13/cobra.(*Command).execute(0x36f1ce0, 0xc0003294e0, 0x2, 0x2, 0x36f1ce0, 0xc0003294e0)
        /home/jens_hornstrom_seb_se/terraform-validator/vendor/github.com/spf13/cobra/command.go:762 +0x460
github.com/spf13/cobra.(*Command).ExecuteC(0x36f1a80, 0x0, 0x0, 0x0)
        /home/jens_hornstrom_seb_se/terraform-validator/vendor/github.com/spf13/cobra/command.go:850 +0x2fb
github.com/spf13/cobra.(*Command).Execute(...)
        /home/jens_hornstrom_seb_se/terraform-validator/vendor/github.com/spf13/cobra/command.go:800
github.com/GoogleCloudPlatform/terraform-validator/cmd.Execute()
        /home/jens_hornstrom_seb_se/terraform-validator/cmd/root.go:77 +0x2d
main.main()
        /home/jens_hornstrom_seb_se/terraform-validator/main.go:20 +0x20

Im running this version of validator:

Build version: 2019-10-02

This is my simple terraform script:

### SET FW RULES FOR GOOGLE LB (DEMO)
resource "google_compute_firewall" "allow-gcp-lb" {
  project     = "core-******"
  name        = "allow-gcp-lb-to"
  network     = "core-vpc"
  disabled    = true
  description = "This is a Dummy FW rule to show how to open for gcp load-balancer"
  target_tags = ["dummy"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
}

resource "google_storage_bucket" "test-bucket" {
  name     = "test-unti-us-bucket"
  location = "US"
  project = "testproject234-*****"
  labels = {
    "ownerteam"     = "jens"
    "costcenter"    = "apa"

  }

}

User agent will say something like "terraform-validator/version #" so that we can get an idea of usage.
Example of how this is done in Forseti:
https://github.com/GoogleCloudPlatform/forseti-security/blob/8a0ca24b724b2028d6aee5015c2f10e849eeed62/google/cloud/forseti/common/util/http_helpers.py#L34

#88 introduced tests which are very similar to existing integration tests.

Instead of maintaining these separately, we should:

1. Make a unified test/ folder which combines this with the existing test data
2. Provide two modes:
   • In unit test mode, it uses pre-generated plan JSON to validate the CAI conversion (like what you have in this PR)
   • In integration test mode, it uses the provided HCL to generate the plan, then proceeds to the unit tests from (1)

Ancestry discovery (https://github.com/GoogleCloudPlatform/terraform-validator/blob/master/converters/google/convert.go#L220) use Google APIs to retrieve the ancestry path. In scenario that validation could be run in an isolated environment, it would be desirable to provide an option to suppress such behavior. It would be great if the tool can use a flag like --folder (as in --project) such that it can provide the information needed instead of dynamic ancestry discovery.

Per https://www.terraform.io/docs/internals/json-format.html#plan-representation

    "child_modules": [
      // Each entry in "child_modules" has the same structure as the root_module
      // object, with the additional "address" property shown below.
      {
        // [Other fields omitted] 
       
        // Each module object can optionally have its own
        // nested "child_modules", recursively describing the
        // full module tree.
        "child_modules": [ ... ],
      }

However,

Currently asset.ancestry_path assumes the resource lives within a project. This does not work for folders, etc.

Related to GoogleCloudPlatform/policy-library#121

validator is not returning the zone when parsing compute instances.

Template: gcp_compute_zone_v1.yaml

Constraint:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPComputeZoneConstraintV1
metadata:
  name: compute_zone_denylist_one
spec:
  severity: high
  match:
    target: ["organization/*"]
  parameters:
    mode: "denylist"
    zones:
      - asia-east1-b

tf code:

variable project {}

provider "google" {
  project = "${var.project}"
  region = "asia-east1"
}

resource "google_compute_instance" "common" {
    name         = "test-instance"
    machine_type = "n1-standard-1"
    zone = "asia-east1-b"

    boot_disk {
      initialize_params {
        image = "debian-cloud/debian-9"
      }
    }

    network_interface {
      network = "default"
    }
}

This might be something odd with my setup, but running terraform-validator version returns:

Build version:

It looks like this is not properly propagated during the install.

Resources:

• google_storage_bucket_iam_binding
• google_storage_bucket_iam_policy

go.mod requires github.com/hashicorp/terraform v0.11.11 thus blocking updates

This is related to issue #68. In order to update the dependency terraform-providers/terraform-provider-google to the latest version, dependency on hashicorp/terraform needs to be upgraded to v0.12+. However, the code here is still using hashicorp/terraform v0.11. I tried upgraded to v0.12 and it would complaint about missing struct terraform.Plan, which seems to be removed from v0.12.

Without terraform-providers/terraform-provider-google be upgraded, pulling changes on GoogleCloudPlatform/terraform-google-conversion would create panic (as described in #68).

// cc @morgante @t12g

Hi,

whenever projects in my templates raise violations from my constraint, their names are wrongly set to the Provider project (--project option). It also appears that if I have more than one project in violation, I only get one project violating in the output.

This seems to be a terraform-validator issue, as this works well with the Forseti config_validator scanner.

The terraform-google-vm module uses google_compute_instance_from_template and thus validator will not detect any violations from it.

If a plan contains a google_project that has not yet been created and there are other resources to be created under that project in the plan all of the resource's will fail on an ancestry lookup.

The value of r is taken from the for loop.

This may not be a bug but would make the code flakey. Currently &r is taken as an argument to pass to AddResource and it is depending on AddResource to clone the values. &r would always be the same through the loop. Here is an example.

package main

import (
	"fmt"
)

func main() {
	foo := []string{"foo", "bar"}
	for _, r := range foo {
		fmt.Printf("%q %v %p\n", r, &r, &r)
	}
}
Prints
"foo" 0x40c138 0x40c138
"bar" 0x40c138 0x40c138

I think the code should be changed to take the reference address of the slice instead.

#73 (review)

We are encountering an issue with deploying the google_project resource in our pipelines. The error we encounter is as follows:

Error: converting tfplan to CAI assets: converting resource google_project: augmenting asset: project: required field is not set

I understand that generally there would be nothing this resource could violate by itself however for our CI/CD pipelines there will be times when users will simply be deploying just a single project (or folder). Is there currently a way for us to bypass the project field when the TFPlan only contains the google_project or google_folder resource?

I apologize ahead of time if this has already been addressed I just was unable to find anything in my searches.

Google Project TF: https://www.terraform.io/docs/providers/google/r/google_project.html
Google Folder TF: https://www.terraform.io/docs/providers/google/r/google_folder.html

Relocate merge function from #17 into Magic Modules.

https://github.com/forseti-security/config-validator/blob/87b4ae546420814b2a6766a1b4569278f5e1627e/api/validator.proto#L44

  // Ancestor list as returned by CAI (added sometime around Oct 2019)
  repeated string ancestors = 6;

I have also verified that CAI now do not return ancestry_path. Instead it returns ancestors, which is a list of strings instead of a single string. For example,

		"ancestors": [
			"folders/12345",
			"organizations/67890"
		]

I think this will make the logic on generating ancestry be easier.

Step to reproduce:

• Create a simple Terraform configuration like the one in documentation.

resource "google_folder" "department1" {
  display_name = "Department 1"
  parent       = "organizations/1234567"
}

resource "google_folder_iam_member" "admin" {
  folder  = "${google_folder.department1.name}"
  role    = "roles/editor"
  member  = "user:[email protected]"
}

• run terraform plan, terraform show.
• add a debug statement around

  terraform-validator/cmd/validate.go

  Line 52 in 1fe01ae

  assets, err := tfgcv.ReadPlannedAssets(args[0], flags.validate.project, flags.validate.ancestry, flags.validate.offline)

  to print the assets
• notice that the name of the assets is in the form of //cloudresourcemanager.googleapis.com/placeholder-qbilI01z"

Currently when constraint violation is detected tool returns message like this:

Found Violations:
[rego message]

It would be useful to include also policy metadata in this message.
Forseti Config Vaildator includes this data in violation report.

Context: GoogleCloudPlatform/magic-modules#2235 (review).
Originally reported in https://github.com/GoogleCloudPlatform/magic-modules/issues/2234.

The code does not support v0.11 after the commit on #84 and #90. The changes on #84 touches on github.com/hashicorp/terraform-plugin-sdk/helper which poses a challenge for backward compatibility to v0.11.

Since Terraform v0.12 is becoming a popular choice, I suggest removing the support v0.11. Also, README.md should be updated to provide a branch name which points to the last commit with v0.11 support.

The unit test for terraform v0.11 depends on tf11plan.tfplan which does not exist in the repository.

Adding this file back should enhance the completeness of the unit test.

This would faciliate the use of pipe with terraform-validator. Consider the case for terraform show, this would remove the step of storing the intermediate artifacts on local disk.

See: hashicorp/terraform#20155

Currently end-to-end tests in test/ only run against non-existant/planned resources. By adding a terraform apply + a change to the configs, and rerunning terraform plan, we could test against updates as well as creates.

The integration tests should be updated to also tests with v0.12.

Note: this should reuse the same .tf and .json templates. But the v0.12 version will use v0.12 to generate the plan.

Removing parent for these types should make the result more aligning with CAI.

Specifically:

• App Engine
• Cloud Functions
• Firestore (Native) / Firebase

Error: converting tfplan to CAI assets: converting resource google_organization_iam_member: augmenting asset: project: required field is not set

Field project is not required for this resource (cf. https://www.terraform.io/docs/providers/google/r/google_organization_iam_member.html)

Strategy: vendor a policies dir (see: https://github.com/forseti-security/policy-library) and run terraform-validator validate --output-json ... against it, asserting on expected violations.

If terraform resource schemas are exposed through https://github.com/GoogleCloudPlatform/terraform-google-conversion we would be able to remove the dependency on the terraform provider. This would alleviate the version matching that currently has to occur between the two libraries.

Magic Modules has support.

I am running into an error while validating a Terraform 0.12 JSON plan file with the latest terraform-validator binary.

steps to reproduce:
Terraform v0.12.6

• provider.google v2.12.0
  terraform-validator Build version: 2019-08-08

main.tf with local state
resource "google_storage_bucket" "image-store-1" { name = "cf-random-test-image-store-bucket-1" location = "europe-north1" }

• terraform init
• terraform plan -out=plan.tfplan
• terraform show -json plan.tfplan > plan.json
• terraform-validator validate --tf-version 0.12 plan.json --policy-path=policy-library --project cf-gcp-challenge-test

plan.json

{"format_version":"0.1","terraform_version":"0.12.6","variables":{"app_project":{"value":"cf-gcp-challenge-dev"}},"planned_values":{"root_module":{"resources":[{"address":"google_app_engine_application.app","mode":"managed","type":"google_app_engine_application","name":"app","provider_name":"google","schema_version":0,"values":{"location_id":"us-central","project":"your-project-id"}},{"address":"google_project.my_project","mode":"managed","type":"google_project","name":"my_project","provider_name":"google","schema_version":1,"values":{"auto_create_network":true,"billing_account":null,"labels":null,"name":"My Project","org_id":"1234567","project_id":"your-project-id"}}]}},"resource_changes":[{"address":"google_app_engine_application.app","mode":"managed","type":"google_app_engine_application","name":"app","provider_name":"google","change":{"actions":["create"],"before":null,"after":{"location_id":"us-central","project":"your-project-id"},"after_unknown":{"auth_domain":true,"code_bucket":true,"default_bucket":true,"default_hostname":true,"feature_settings":true,"gcr_domain":true,"id":true,"name":true,"serving_status":true,"url_dispatch_rule":true}}},{"address":"google_project.my_project","mode":"managed","type":"google_project","name":"my_project","provider_name":"google","change":{"actions":["create"],"before":null,"after":{"auto_create_network":true,"billing_account":null,"labels":null,"name":"My Project","org_id":"1234567","project_id":"your-project-id"},"after_unknown":{"app_engine":true,"folder_id":true,"id":true,"number":true,"policy_data":true,"policy_etag":true,"skip_delete":true}}}],"configuration":{"provider_config":{"google":{"name":"google","expressions":{"project":{"constant_value":"cf-gcp-challenge-dev"}}}},"root_module":{"resources":[{"address":"google_app_engine_application.app","mode":"managed","type":"google_app_engine_application","name":"app","provider_config_key":"google","expressions":{"location_id":{"constant_value":"us-central"},"project":{"references":["google_project.my_project"]}},"schema_version":0},{"address":"google_project.my_project","mode":"managed","type":"google_project","name":"my_project","provider_config_key":"google","expressions":{"name":{"constant_value":"My Project"},"org_id":{"constant_value":"1234567"},"project_id":{"constant_value":"your-project-id"}},"schema_version":1}],"variables":{"app_project":{}}}}}

expected output: no violations found

actual output:

panic: Unknown type: TypeMap

goroutine 1 [running]:
github.com/GoogleCloudPlatform/terraform-validator/tfplan.jsonResourceFieldReader.ReadField(0x21ced49, 0x4, 0xc0005ecb10, 0xd, 0xc00003b080, 0x23, 0xc0005ecb00, 0x7, 0xc00041c8e0, 0x15,...)
/home/awalko/terraform-validator/tfplan/json_plan.go:110 +0x419
github.com/GoogleCloudPlatform/terraform-validator/tfplan.(*fieldGetter).GetOk(0xc0003382a0, 0x21d0bb6, 0x6, 0x0, 0x0, 0xc000227c00)
/home/awalko/terraform-validator/tfplan/fields.go:87 +0xac
github.com/GoogleCloudPlatform/terraform-google-conversion/google.expandStringMap(0x25b2a00, 0xc0003382c0, 0x21d0bb6, 0x6, 0xc000227c90)
/home/awalko/terraform-validator/vendor/github.com/GoogleCloudPlatform/terraform-google-conversion/google/utils.go:242 +0x49
github.com/GoogleCloudPlatform/terraform-google-conversion/google.expandLabels(...)
/home/awalko/terraform-validator/vendor/github.com/GoogleCloudPlatform/terraform-google-conversion/google/utils.go:232
github.com/GoogleCloudPlatform/terraform-google-conversion/google.GetStorageBucketApiObject(0x25b2a00, 0xc0003382c0, 0xc0000aa1a0, 0x21fce27, 0x21, 0xc00003f380)
/home/awalko/terraform-validator/vendor/github.com/GoogleCloudPlatform/terraform-google-conversion/google/storage_bucket.go:54 +0x188
github.com/GoogleCloudPlatform/terraform-google-conversion/google.GetStorageBucketCaiObject(0x25b2a00, 0xc0003382c0, 0xc0000aa1a0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/home/awalko/terraform-validator/vendor/github.com/GoogleCloudPlatform/terraform-google-conversion/google/storage_bucket.go:25 +0xdc
github.com/GoogleCloudPlatform/terraform-validator/converters/google.(*Converter).AddResource(0xc0004a98f0, 0x25aa0c0, 0xc00048bf40, 0xc0004a9920, 0xc00048bf00)
/home/awalko/terraform-validator/converters/google/convert.go:154 +0x14c
github.com/GoogleCloudPlatform/terraform-validator/tfgcv.ReadPlannedAssets(0x7ffed96be21e, 0x9, 0x7ffed96be24f, 0x15, 0x0, 0x0, 0x7ffed96be219, 0x4, 0x0, 0x0, ...)
/home/awalko/terraform-validator/tfgcv/planned_assets.go:97 +0x6d8
github.com/GoogleCloudPlatform/terraform-validator/cmd.glob..func6(0x37038e0, 0xc00057a600, 0x1, 0x6, 0x0, 0x0)
/home/awalko/terraform-validator/cmd/validate.go:49 +0xa8
github.com/spf13/cobra.(*Command).execute(0x37038e0, 0xc00057a540, 0x6, 0x6, 0x37038e0, 0xc00057a540)
/home/awalko/terraform-validator/vendor/github.com/spf13/cobra/command.go:762 +0x465
github.com/spf13/cobra.(*Command).ExecuteC(0x3703680, 0x0, 0x0, 0x1ae9bc5)
/home/awalko/terraform-validator/vendor/github.com/spf13/cobra/command.go:850 +0x2bb
github.com/spf13/cobra.(*Command).Execute(...)
/home/awalko/terraform-validator/vendor/github.com/spf13/cobra/command.go:800
github.com/GoogleCloudPlatform/terraform-validator/cmd.Execute()
/home/awalko/terraform-validator/cmd/root.go:76 +0x2e
main.main()
/home/awalko/terraform-validator/main.go:20 +0x20

The external IP policy fails because the Validator returns a plurals for access config instead of singular.

The API and Terraform Validator both expect plural on network intefaces:

  "networkInterfaces": [
    {
      "network": string,
      "subnetwork": string,
      "networkIP": string,
      "name": string,
      "accessConfigs": [
        
      ],
      "aliasIpRanges": [
        
      ],
      "fingerprint": string,
      "kind": string
    }
  ],

Yet the CAI data has network interface and access config as a singular field:

{
      "data": {
        "networkInterface": [
          {
            "accessConfig": [
              {
                "name": "external-nat",
                "networkTier": "PREMIUM",
                "type": "ONE_TO_ONE_NAT"
              }
            ],
      }
    }
  }

Currently, adding support for new resources is a two-step process:

1. Updating the conversion library to add support for the resource
2. Updating the terraform-validator repo to support the resource, including adding it to mappers and adding appropriate test data.

We would like to consolidate this so new resource additions/changes can happen solely in the conversion library. This would likely include:

1. Moving mappers into the conversion library
2. Moving test data into the conversion library (the test execution could likely still happen in this repo, but the data itself should be upstreamed).

Currently asset.resource.parent assumes the resource lives within a project. This does not work for folders, etc.

- [ ] google_compute_network #211

• google_compute_subnetwork
• google_compute_firewall

Per #94 (comment)

Please consider upgrading the docker image to Go 1.13.

The violation for the constraint is always detected regardless of the spec.match.target field value.