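# skip boilerplate check
#
# sample subset of useful organization policies, edit to suit requirements
#
# Each top-level key is a Compute Engine organization policy constraint.
# Boolean constraints take `rules: [{enforce: true}]`; list constraints take an
# `allow` or `deny` rule with either `all: true` or a `values` list. Constraints
# that are commented out below are starting points only and are not applied
# until uncommented.

---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.

# Disable Compute API access to VM guest attributes.
compute.disableGuestAttributesAccess:
  rules:
    - enforce: true

# Require OS Login, so SSH access to VMs is governed by IAM rather than by SSH
# keys stored in project or instance metadata.
compute.requireOsLogin:
  rules:
    - enforce: true

# Only internal load balancer types may be created. Relax this (e.g. with a
# project-level override) where internet-facing services are legitimately
# required.
compute.restrictLoadBalancerCreationForTypes:
  rules:
    - allow:
        values:
          - "in:INTERNAL"

# Do not auto-create the `default` VPC in new projects; it ships with
# permissive firewall rules (e.g. SSH and RDP allowed from any source).
compute.skipDefaultNetworkCreation:
  rules:
    - enforce: true

# No VM may be assigned an external IP address. Egress should go through
# Cloud NAT and ingress through load balancers instead.
compute.vmExternalIpAccess:
  rules:
    - deny:
        all: true

# only allow GCP images by default
#
# Boot disks may only be created from images stored in the projects listed
# below (all Google-published image projects). Add your own golden-image
# project(s) here, otherwise VMs cannot be created from them. Review the list
# periodically and drop distributions you no longer need (CentOS Linux, for
# example, is end-of-life upstream).
compute.trustedImageProjects:
  rules:
    - allow:
        values:
          - "is:projects/centos-cloud"
          - "is:projects/cos-cloud"
          - "is:projects/debian-cloud"
          - "is:projects/fedora-cloud"
          - "is:projects/fedora-coreos-cloud"
          - "is:projects/opensuse-cloud"
          - "is:projects/rhel-cloud"
          - "is:projects/rhel-sap-cloud"
          - "is:projects/rocky-linux-cloud"
          - "is:projects/suse-cloud"
          - "is:projects/suse-sap-cloud"
          - "is:projects/ubuntu-os-cloud"
          - "is:projects/ubuntu-os-pro-cloud"
          - "is:projects/windows-cloud"
          - "is:projects/windows-sql-cloud"
          - "is:projects/confidential-vm-images"
          - "is:projects/backupdr-images"
          - "is:projects/deeplearning-platform-release"
          - "is:projects/serverless-vpc-access-images"

# Prevent creation of internet network endpoint groups (load balancer backends
# pointing at endpoints outside Google Cloud).
# compute.disableInternetNetworkEndpointGroup:
#   rules:
#     - enforce: true

# VMs cannot enable nested virtualization.
compute.disableNestedVirtualization:
  rules:
    - enforce: true

# Block interactive serial console access to VMs through the Compute API (an
# interactive login path separate from SSH).
compute.disableSerialPortAccess:
  rules:
    - enforce: true

# Deny Cloud NAT on all subnets. NOTE: combined with vmExternalIpAccess above
# this leaves VMs with no direct internet egress path.
# compute.restrictCloudNATUsage:
#   rules:
#     - deny:
#         all: true

# Deny use of Dedicated / Partner Interconnect for all VPC networks; switch to
# a `values` allow list of networks where hybrid connectivity is needed.
# compute.restrictDedicatedInterconnectUsage:
#   rules:
#     - deny:
#         all: true

# compute.restrictPartnerInterconnectUsage:
#   rules:
#     - deny:
#         all: true

# Deny creation of protocol forwarding rules of any type.
# compute.restrictProtocolForwardingCreationForTypes:
#   rules:
#     - deny:
#         all: true

# Deny attaching service projects to any Shared VPC host project / using any
# Shared VPC subnet. Replace `all: true` with a `values` allow list before
# enabling, or Shared VPC attachments will be blocked.
# compute.restrictSharedVpcHostProjects:
#   rules:
#     - deny:
#         all: true

# compute.restrictSharedVpcSubnetworks:
#   rules:
#     - deny:
#         all: true

# Deny VPC peering with any network.
# compute.restrictVpcPeering:
#   rules:
#     - deny:
#         all: true

# Deny VPN tunnels to any peer IP; prefer a `values` allow list of known peer
# addresses over a blanket deny.
# compute.restrictVpnPeerIPs:
#   rules:
#     - deny:
#         all: true

# Keep the lien that protects Shared VPC host projects from deletion.
# compute.restrictXpnProjectLienRemoval:
#   rules:
#     - enforce: true

# New projects default to zonal-only internal DNS names.
# compute.setNewProjectDefaultToZonalDNSOnly:
#   rules:
#     - enforce: true

# VMs cannot enable IP forwarding. Only network appliances that route traffic
# on behalf of other hosts need it; allow selectively where those run.
# compute.vmCanIpForward:
#   rules:
#     - deny:
#         all: true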