{"results":[{"id":"ar-cleanup-dry-run-requires-data-access-logs","text":"Artifact Registry cleanup dry run results appear in Data Access audit logs, which must be explicitly enabled with \"data write\" type to see results.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-cleanup-requires-admin-role","text":"Artifact Registry cleanup policies require `roles/artifactregistry.admin` (needs `artifactregistry.repositories.update` and `artifactregistry.versions.delete` permissions).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-cloudrun-cross-project-service-agent","text":"Cloud Run cross-project Artifact Registry access requires granting roles to the Cloud Run Service Agent (`service-PROJECT-NUMBER@serverless-robot-prod.iam.gserviceaccount.com`), not just the runtime service account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-cross-project-requires-explicit-grant","text":"Artifact Registry cross-project access is not automatic — roles must be explicitly granted in the Artifact Registry project.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-image-streaming-requires-same-region","text":"Artifact Registry image streaming only works when images are in the same region (or corresponding multi-region) as workloads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-public-repo-allUsers-reader-plus-quota","text":"Making an Artifact Registry repository public requires granting `roles/artifactregistry.reader` to `allUsers` and capping per-user quotas to prevent abuse.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-virtual-repo-requires-sa-grant-to-upstreams","text":"Virtual repositories require explicit grants for the Artifact Registry service account to access upstream repositories.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-adaptive-protection-requires-enterprise","text":"Adaptive Protection requires a Cloud Armor Enterprise subscription and is enabled per-security policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-dns64-well-known-prefix","text":"DNS64 synthesizes IPv6 addresses using the Well-Known Prefix `64:ff9b::/96` per RFC 6052 and requires NAT64 via Cloud NAT.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-nat-serverless-requires-vpc-egress","text":"Serverless resources (Cloud Run, Cloud Run functions, App Engine) require Direct VPC egress or Serverless VPC Access to use Cloud NAT.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudbuild-global-region-default-pool-only","text":"Cloud Build `global` region uses default pools; specifying a specific region requires a private pool in that region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudrun-deploy-required-roles","text":"Deploying to Cloud Run requires `roles/run.developer`, `roles/iam.serviceAccountUser`, and `roles/artifactregistry.reader`; cross-project additionally needs `roles/iam.serviceAccountTokenCreator`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudrun-internet-egress-requires-vpc-plus-nat-chain","text":"Cloud Run internet egress for VPC-connected workloads requires chaining two regional constructs: Direct VPC egress (preferred over connector VMs) for outbound-only VPC access, then Cloud NAT on Cloud Router for internet-bound traffic — neither alone is sufficient for serverless-to-internet connectivity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudrun-scale-from-zero-requires-request","text":"Cloud Run scaling from zero can only be triggered by a request, not by CPU; CPU-only workloads with instance-based billing cannot self-wake without min instances > 0 or a wake-up request.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudrun-secret-requires-secret-accessor-role","text":"The Cloud Run service account needs `roles/secretmanager.secretAccessor` on each referenced secret, verified at deployment time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudrun-vpc-egress-direct-over-connector","text":"Cloud Run VPC egress should use Direct VPC egress over Serverless VPC Access connectors: direct egress requires no connector VMs (avoiding Compute Engine cost and maintenance), has lower latency, and both methods handle only outbound traffic.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudsql-ha-replicas-complementary-not-alternative","text":"Cloud SQL HA and read replicas are complementary, not interchangeable: HA doubles cost with an idle standby for automatic failover, while replicas are strictly read-only without failover capability or independent backups — achieving both availability and read scaling requires deploying both patterns, ideally with replicas in a third zone.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudsql-private-ip-requires-compute-network-admin","text":"Cloud SQL private IP setup requires `roles/compute.networkAdmin` for managing private services access and the Service Networking API must be enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudsql-private-ip-requires-vpc","text":"Cloud SQL private IP connectivity requires a VPC network; public IP is internet-accessible.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudsql-private-networking-doubly-constrained-by-peering","text":"Cloud SQL private IP connectivity inherits VPC peering constraints (non-transitivity, 25 peering limit, non-RFC1918 allocation restrictions) from private services access, adding networking complexity beyond what the database service itself requires.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":90,"limit":20,"offset":0}