Google Cloud Support

Released: April 15, 2026

Controlinfra now supports Google Cloud at full parity with AWS and Azure. Shipped over seven sprints (April 13–15) covering credentials, discovery, drift checks, attribution, and remediation.

New

  • GCP credential helper. OIDC + service-account key auth; multi-project orgs configure per-project credentials via the CloudAccount model (now multi-provider).
  • Cloud Asset discovery. Full inventory scan of GCP resources (Compute, Cloud SQL, GKE, Cloud Run, GCS, IAM, and more) via the Cloud Asset Inventory API. Returns the same shape as AWS and Azure discovery, so downstream code is provider-agnostic.
  • GCS state-file scanner. Discovers Terraform state files in Cloud Storage buckets, parses them, and matches resources back to discovery output for drift detection.
  • Cloud Audit Logs attribution. Drift Watch events on GCP resources now carry actor data resolved from Cloud Audit Logs — principal, method (console vs API), source IP, and timestamp of the change.
  • Firewall auto-revert. Newly opened firewall rules that allow ingress from 0.0.0.0/0 are automatically reverted (patched to remove the open source range, or deleted if it was the only source). Same semantics as AWS security group and Azure NSG auto-revert.
  • Org Policy guardrails. Cross-cloud guardrail templates now generate GCP Org Policy constraints (alongside AWS SCPs and Azure Policy assignments). Time-window enforcement, break-glass exceptions, and principal exception lists work the same across all three clouds.
  • GCP drift watch in the runner. Self-hosted runner script now supports drift checks against GCP resources, alongside AWS and Azure.
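
The patch-or-delete decision described under firewall auto-revert, sketched as an added example (not Controlinfra's code). Field names follow the Compute Engine firewall resource; `plan_revert`, the sample rules, and counting `sourceTags` / `sourceServiceAccounts` as other sources are assumptions made for illustration.

```python
# Added example: decision logic only, no cloud API calls are made.
OPEN_V4 = "0.0.0.0/0"


def plan_revert(rule: dict) -> dict:
    """Decide how to revert one firewall rule that may be open to the world.

    Returns {"action": "none" | "patch" | "delete", "rule": <name>, ...}.
    """
    name = rule["name"]
    # GCP treats a rule with no explicit direction as INGRESS.
    if rule.get("direction", "INGRESS") != "INGRESS":
        return {"action": "none", "rule": name}

    ranges = rule.get("sourceRanges", [])
    if OPEN_V4 not in ranges:
        return {"action": "none", "rule": name}

    remaining = [r for r in ranges if r != OPEN_V4]
    # Assumption: tag- or service-account-based sources also keep the rule
    # meaningful once the open range is removed.
    other = rule.get("sourceTags", []) + rule.get("sourceServiceAccounts", [])

    if not remaining and not other:
        # 0.0.0.0/0 was the only source: nothing left to allow, so delete.
        return {"action": "delete", "rule": name}
    # Otherwise keep the rule and drop only the open range.
    return {"action": "patch", "rule": name, "sourceRanges": remaining}


# Constructed sample rules (not real inventory data).
SAMPLE_RULES = [
    {"name": "allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"]},
    {"name": "allow-rdp-any", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"]},
    {"name": "allow-web-tagged", "sourceRanges": ["0.0.0.0/0"],
     "sourceTags": ["bastion"]},
    {"name": "egress-all", "direction": "EGRESS",
     "destinationRanges": ["0.0.0.0/0"]},
    {"name": "internal-only", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"]},
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(plan_revert(r))
```
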

Improved

  • CloudAccount model is now multi-provider. Previously AWS-only; now stores aws, azure, and gcp credential blobs in a single document with provider-specific encryption.
  • Severity classifier v2 with GCP resource types — firewall rules, IAM bindings, KMS keys, and Cloud SQL all get correct severity classification.
  • Demo data and cost display include GCP resources so new users see a representative multi-cloud picture in the demo.

Fixed

  • Edge cases caught during pre-release review: OIDC orgId handling, attribute-detection robustness on partial Cloud Asset responses, actor user-agent parsing, credential-resolution null guards.