[Bug] Missing Deletion Protection and Versioning on Storage Services #56

@aghassemlouei

Description

Bug Description

Object versioning is disabled on various Cloud Storage buckets, and BigQuery datasets/tables lack deletion protection.

Environment and Deployment Context

Please provide details about your deployment to help us reproduce the issue.

  • Stellar Engine Version/Commit: main
  • Deployment Type:
    • US Region Restricted (e.g., Access Policy constraint)
    • FedRAMP Medium
    • FedRAMP High
    • DoD IL4
    • DoD IL5
    • Stand-alone / Custom
  • FAST Stage (if applicable):
    • Stage 0 (Bootstrap)
    • Stage 1 (Resource Management)
    • Stage 2 (Network Creation)
    • Stage 3 (Security and Audit)
  • Affected Component: modules/gcs/main.tf and modules/bigquery-dataset/main.tf.
  • Terraform Version: 1.5.7
  • GCP Provider Version: 5.10.0

Steps to Reproduce

Steps to reproduce the behavior:

  1. Review the google_storage_bucket and google_bigquery_table resource definitions.
  2. Notice missing versioning blocks and missing deletion_protection attributes.

Expected Behavior

Cloud Storage buckets should have object versioning enabled to prevent permanent data loss, and BigQuery tables should explicitly set deletion_protection = true.

Actual Behavior

These safety guardrails are missing, creating a high risk of accidental infrastructure teardowns destroying critical datasets.

Relevant Logs and Errors

N/A

Additional Context

Checkov Alert IDs: CKV_GCP_78, CKV_GCP_121.
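The configuration below is an added example written for this report; it is not code from the Stellar Engine modules named above. It puts a bucket, dataset and table written the way the report describes next to the same resources with the guardrails the Expected Behavior section asks for: a versioning block with a bound on retained versions, explicit deletion_protection on the table, delete_contents_on_destroy left false on the dataset, and Terraform's prevent_destroy meta-argument so a teardown has to be a deliberate code change. Resource names, dataset/table IDs, the location and the schema are placeholders.

```hcl
# Added example, not code from the Stellar Engine repository. Names, IDs,
# location and schema are placeholders. The "before" blocks mirror the pattern
# the report describes; the "after" blocks add the missing guardrails.

# ---------- Before: matches the reported pattern ----------
resource "google_storage_bucket" "logs_before" {
  name                        = "example-logs-before" # placeholder
  location                    = "US"
  uniform_bucket_level_access = true
  # No versioning block: an overwrite or delete of an object is final.
  # No prevent_destroy: `terraform destroy` removes the bucket and its objects.
}

resource "google_bigquery_dataset" "audit_before" {
  dataset_id = "audit_before"
  location   = "US"
}

resource "google_bigquery_table" "events_before" {
  dataset_id = google_bigquery_dataset.audit_before.dataset_id
  table_id   = "events"
  # deletion_protection left unset, as in the reported module.
}

# ---------- After: versioning and deletion protection ----------
resource "google_storage_bucket" "logs" {
  name                        = "example-logs" # placeholder
  location                    = "US"
  uniform_bucket_level_access = true
  force_destroy               = false # refuse to delete a bucket that still holds objects

  versioning {
    enabled = true # noncurrent object versions survive overwrites and deletes
  }

  # Bound the cost of versioning: keep at most 10 noncurrent copies per object.
  lifecycle_rule {
    action {
      type = "Delete"
    }
    condition {
      num_newer_versions = 10
    }
  }

  lifecycle {
    prevent_destroy = true # Terraform rejects any plan that would delete this bucket
  }
}

resource "google_bigquery_dataset" "audit" {
  dataset_id                 = "audit"
  location                   = "US"
  delete_contents_on_destroy = false # destroying a dataset that still has tables fails

  lifecycle {
    prevent_destroy = true
  }
}

resource "google_bigquery_table" "events" {
  dataset_id          = google_bigquery_dataset.audit.dataset_id
  table_id            = "events"
  deletion_protection = true # destroy or replace of this table fails until set to false

  schema = jsonencode([
    { name = "ts", type = "TIMESTAMP", mode = "REQUIRED" },
    { name = "actor", type = "STRING", mode = "NULLABLE" },
  ])
}
```

Two caveats worth keeping in mind when applying this to the modules. The Google provider already treats deletion_protection as true when it is unset on google_bigquery_table, so the explicit line mainly records intent and makes a later `= false` visible in review; prevent_destroy is what additionally blocks a module-level teardown, for both the bucket and the dataset, and it is a Terraform meta-argument that must be removed from the code before a deliberate deletion can be planned. To confirm the change clears the two findings, run Checkov scoped to them from the repository root, for example `checkov -d . --check CKV_GCP_78,CKV_GCP_121`.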

Metadata

Labels: bug (Something isn't working), security (Something is insecure or can be secured)