Update remaining org policies
This commit is contained in:
Julio Castillo
parent
62834ca83a
commit
a5e905cb80
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
|
@ -83,8 +83,8 @@ module "project" {
|
|||
}
|
||||
|
||||
org_policies = {
|
||||
# "constraints/compute.requireOsLogin" = {
|
||||
# enforce = false
|
||||
# "compute.requireOsLogin" = {
|
||||
# rules = [{ enforce = false }]
|
||||
# }
|
||||
# Example of applying a project wide policy, mainly useful for Composer 1
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -112,7 +112,7 @@ module "gcs-bucket" {
|
|||
encryption_key = try(local.service_encryption_keys.storage, null)
|
||||
}
|
||||
|
||||
# Default bucket for Cloud Build to prevent error: "'us' violates constraint ‘constraints/gcp.resourceLocations’"
|
||||
# Default bucket for Cloud Build to prevent error: "'us' violates constraint ‘gcp.resourceLocations’"
|
||||
# https://stackoverflow.com/questions/53206667/cloud-build-fails-with-resource-location-constraint
|
||||
module "gcs-bucket-cloudbuild" {
|
||||
source = "../../../modules/gcs"
|
||||
|
|
@ -230,8 +230,8 @@ module "project" {
|
|||
|
||||
org_policies = {
|
||||
# Example of applying a project wide policy
|
||||
# "constraints/compute.requireOsLogin" = {
|
||||
# enforce = false
|
||||
# "compute.requireOsLogin" = {
|
||||
# rules = [{ enforce = false }]
|
||||
# }
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -156,15 +156,18 @@ labels:
|
|||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
constraints/compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
constraints/compute.trustedImageProjects:
|
||||
allow:
|
||||
values:
|
||||
compute.disableGuestAttributesAccess:
|
||||
rules:
|
||||
- enforce: true
|
||||
compute.trustedImageProjects:
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- projects/fast-dev-iac-core-0
|
||||
constraints/compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
compute.vmExternalIpAccess:
|
||||
rules:
|
||||
- deny:
|
||||
all: true
|
||||
|
||||
# [opt] Service account to create for the project and their roles on the project
|
||||
# in name => [roles] format
|
||||
|
|
@ -223,8 +226,8 @@ vpc:
|
|||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L157) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L166) | Project id. | <code>string</code> | ✓ | |
|
||||
| [prefix](variables.tf#L145) | Prefix used for resource names. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L154) | Project id. | <code>string</code> | ✓ | |
|
||||
| [billing_alert](variables.tf#L22) | Billing alert configuration. | <code title="object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string })">object({…})</code> | | <code>null</code> |
|
||||
| [defaults](variables.tf#L35) | Project factory default values. | <code title="object({ billing_account_id = string billing_alert = object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string }) environment_dns_zone = string essential_contacts = list(string) labels = map(string) notification_channels = list(string) shared_vpc_self_link = string vpc_host_project = string })">object({…})</code> | | <code>null</code> |
|
||||
| [descriptive_name](variables.tf#L57) | Name of the project name. Used for project name instead of `name` variable. | <code>string</code> | | <code>null</code> |
|
||||
|
|
@ -237,15 +240,15 @@ vpc:
|
|||
| [iam_additive](variables.tf#L99) | Custom additive IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [kms_service_agents](variables.tf#L105) | KMS IAM configuration in as service => [key]. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L111) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L117) | Org-policy overrides at project level. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_accounts](variables.tf#L171) | Service accounts to be created, and roles assigned them on the project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_accounts_additive](variables.tf#L177) | Service accounts to be created, and roles assigned them on the project additively. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_accounts_iam](variables.tf#L183) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [service_accounts_iam_additive](variables.tf#L190) | IAM additive bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [service_identities_iam](variables.tf#L197) | Custom IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_identities_iam_additive](variables.tf#L204) | Custom additive IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [services](variables.tf#L211) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [vpc](variables.tf#L218) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L117) | Org-policy overrides at project level. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [service_accounts](variables.tf#L159) | Service accounts to be created, and roles assigned them on the project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_accounts_additive](variables.tf#L165) | Service accounts to be created, and roles assigned them on the project additively. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_accounts_iam](variables.tf#L171) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [service_accounts_iam_additive](variables.tf#L178) | IAM additive bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [service_identities_iam](variables.tf#L185) | Custom IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_identities_iam_additive](variables.tf#L192) | Custom additive IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [services](variables.tf#L199) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [vpc](variables.tf#L206) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
|||
|
|
@ -48,15 +48,18 @@ labels:
|
|||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
constraints/compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
constraints/compute.trustedImageProjects:
|
||||
allow:
|
||||
values:
|
||||
compute.disableGuestAttributesAccess:
|
||||
rules:
|
||||
- enforce: true
|
||||
compute.trustedImageProjects:
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- projects/fast-dev-iac-core-0
|
||||
constraints/compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
compute.vmExternalIpAccess:
|
||||
rules:
|
||||
- deny:
|
||||
all: true
|
||||
|
||||
# [opt] Prefix - overrides default if set
|
||||
prefix: test1
|
||||
|
|
|
|||
|
|
@ -119,18 +119,6 @@ variable "org_policies" {
|
|||
type = map(object({
|
||||
inherit_from_parent = optional(bool) # for list policies only.
|
||||
reset = optional(bool)
|
||||
|
||||
# default (unconditional) values
|
||||
allow = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
deny = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
|
||||
# conditional values
|
||||
rules = optional(list(object({
|
||||
allow = optional(object({
|
||||
|
|
@ -141,7 +129,7 @@ variable "org_policies" {
|
|||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
enforce = optional(bool) # for boolean policies only.
|
||||
condition = object({
|
||||
description = optional(string)
|
||||
expression = optional(string)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -64,10 +64,10 @@ module "gke-project-0" {
|
|||
}
|
||||
# specify project-level org policies here if you need them
|
||||
# policy_boolean = {
|
||||
# "constraints/compute.disableGuestAttributesAccess" = true
|
||||
# "compute.disableGuestAttributesAccess" = true
|
||||
# }
|
||||
# policy_list = {
|
||||
# "constraints/compute.trustedImageProjects" = {
|
||||
# "compute.trustedImageProjects" = {
|
||||
# inherit_from_parent = null
|
||||
# suggested_value = null
|
||||
# status = true
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -227,8 +227,8 @@ module "folder-apps" {
|
|||
name = "apps"
|
||||
org_policies = {
|
||||
# prevent VMs with public IPs in the apps folder
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
"compute.vmExternalIpAccess" = {
|
||||
rules = [{ deny = { all = true } }]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,8 +28,8 @@ module "branch-sandbox-folder" {
|
|||
"roles/resourcemanager.projectCreator" = [local.automation_sas_iam.sandbox]
|
||||
}
|
||||
org_policies = {
|
||||
"constraints/sql.restrictPublicIp" = { enforce = false }
|
||||
"constraints/compute.vmExternalIpAccess" = { allow = { all = true } }
|
||||
"sql.restrictPublicIp" = { rules = [{ enforce = false }] }
|
||||
"compute.vmExternalIpAccess" = { rules = [{ allow = { all = true } }] }
|
||||
}
|
||||
tag_bindings = {
|
||||
context = var.tags.values["${var.tags.names.context}/sandbox"]
|
||||
|
|
|
|||
|
|
@ -3,7 +3,9 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
sql.restrictAuthorizedNetworks:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
sql.restrictPublicIp:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -33,8 +33,8 @@ module "branch-sandbox-folder" {
|
|||
"roles/resourcemanager.projectCreator" = [module.branch-sandbox-sa.0.iam_email]
|
||||
}
|
||||
org_policies = {
|
||||
"constraints/sql.restrictPublicIp" = { enforce = false }
|
||||
"constraints/compute.vmExternalIpAccess" = { allow = { all = true } }
|
||||
"sql.restrictPublicIp" = { rules = [{ enforce = false }] }
|
||||
"compute.vmExternalIpAccess" = { rules = [{ allow = { all = true } }] }
|
||||
}
|
||||
tag_bindings = {
|
||||
context = try(
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
@ -68,7 +68,11 @@ module "organization" {
|
|||
|
||||
# sample subset of useful organization policies, edit to suit requirements
|
||||
org_policies = {
|
||||
"iam.allowedPolicyMemberDomains" = { allow = { values = local.all_drs_domains } }
|
||||
"iam.allowedPolicyMemberDomains" = {
|
||||
rules = [
|
||||
{ allow = { values = local.all_drs_domains } }
|
||||
]
|
||||
}
|
||||
|
||||
#"gcp.resourceLocations" = {
|
||||
# allow = { values = local.allowed_regions }
|
||||
|
|
|
|||
|
|
@ -48,15 +48,18 @@ labels:
|
|||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
constraints/compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
constraints/compute.trustedImageProjects:
|
||||
allow:
|
||||
values:
|
||||
compute.disableGuestAttributesAccess:
|
||||
rules:
|
||||
- enforce: true
|
||||
compute.trustedImageProjects:
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- projects/fast-dev-iac-core-0
|
||||
constraints/compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
compute.vmExternalIpAccess:
|
||||
rules:
|
||||
- deny:
|
||||
all: true
|
||||
|
||||
# [opt] Service account to create for the project and their roles on the project
|
||||
# in name => [roles] format
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ module "folder" {
|
|||
"compute.disableGuestAttributesAccess" = {
|
||||
rules = [{ enforce = true }]
|
||||
}
|
||||
"constraints/compute.skipDefaultNetworkCreation" = {
|
||||
"compute.skipDefaultNetworkCreation" = {
|
||||
rules = [{ enforce = true }]
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
|
|
@ -66,21 +66,21 @@ module "folder" {
|
|||
}
|
||||
]
|
||||
}
|
||||
"constraints/iam.allowedPolicyMemberDomains" = {
|
||||
"iam.allowedPolicyMemberDomains" = {
|
||||
rules = [{
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}]
|
||||
}
|
||||
"constraints/compute.trustedImageProjects" = {
|
||||
"compute.trustedImageProjects" = {
|
||||
rules = [{
|
||||
allow = {
|
||||
values = ["projects/my-project"]
|
||||
}
|
||||
}]
|
||||
}
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
"compute.vmExternalIpAccess" = {
|
||||
rules = [{ deny = { all = true } }]
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ module "org" {
|
|||
"compute.disableGuestAttributesAccess" = {
|
||||
rules = [{ enforce = true }]
|
||||
}
|
||||
"constraints/compute.skipDefaultNetworkCreation" = {
|
||||
"compute.skipDefaultNetworkCreation" = {
|
||||
rules = [{ enforce = true }]
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
|
|
@ -62,7 +62,7 @@ module "org" {
|
|||
}
|
||||
]
|
||||
}
|
||||
"constraints/iam.allowedPolicyMemberDomains" = {
|
||||
"iam.allowedPolicyMemberDomains" = {
|
||||
rules = [
|
||||
{
|
||||
allow = { all = true }
|
||||
|
|
@ -83,14 +83,14 @@ module "org" {
|
|||
]
|
||||
}
|
||||
|
||||
"constraints/compute.trustedImageProjects" = {
|
||||
"compute.trustedImageProjects" = {
|
||||
rules = [{
|
||||
allow = {
|
||||
values = ["projects/my-project"]
|
||||
}
|
||||
}]
|
||||
}
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
"compute.vmExternalIpAccess" = {
|
||||
rules = [{ deny = { all = true } }]
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -245,7 +245,7 @@ module "project" {
|
|||
"compute.disableGuestAttributesAccess" = {
|
||||
rules = [{ enforce = true }]
|
||||
}
|
||||
"constraints/compute.skipDefaultNetworkCreation" = {
|
||||
"compute.skipDefaultNetworkCreation" = {
|
||||
rules = [{ enforce = true }]
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
|
|
@ -267,21 +267,21 @@ module "project" {
|
|||
}
|
||||
]
|
||||
}
|
||||
"constraints/iam.allowedPolicyMemberDomains" = {
|
||||
"iam.allowedPolicyMemberDomains" = {
|
||||
rules = [{
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}]
|
||||
}
|
||||
"constraints/compute.trustedImageProjects" = {
|
||||
"compute.trustedImageProjects" = {
|
||||
rules = [{
|
||||
allow = {
|
||||
values = ["projects/my-project"]
|
||||
}
|
||||
}]
|
||||
}
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
"compute.vmExternalIpAccess" = {
|
||||
rules = [{ deny = { all = true } }]
|
||||
}
|
||||
}
|
||||
|
|
@ -314,7 +314,7 @@ module "project" {
|
|||
compute.disableGuestAttributesAccess:
|
||||
rules:
|
||||
- enforce: true
|
||||
constraints/compute.skipDefaultNetworkCreation:
|
||||
compute.skipDefaultNetworkCreation:
|
||||
rules:
|
||||
- enforce: true
|
||||
iam.disableServiceAccountKeyCreation:
|
||||
|
|
@ -333,16 +333,16 @@ iam.disableServiceAccountKeyUpload:
|
|||
|
||||
```yaml
|
||||
# tftest-file id=list path=configs/org-policies/list.yaml
|
||||
constraints/compute.trustedImageProjects:
|
||||
compute.trustedImageProjects:
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- projects/my-project
|
||||
constraints/compute.vmExternalIpAccess:
|
||||
compute.vmExternalIpAccess:
|
||||
rules:
|
||||
- deny:
|
||||
all: true
|
||||
constraints/iam.allowedPolicyMemberDomains:
|
||||
iam.allowedPolicyMemberDomains:
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
|
|
|
|||
|
|
@ -48,15 +48,14 @@ labels:
|
|||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
policy_boolean:
|
||||
constraints/compute.disableGuestAttributesAccess: true
|
||||
policy_list:
|
||||
constraints/compute.trustedImageProjects:
|
||||
inherit_from_parent: null
|
||||
status: true
|
||||
suggested_value: null
|
||||
values:
|
||||
- projects/fast-prod-iac-core-0
|
||||
compute.disableGuestAttributesAccess:
|
||||
rules:
|
||||
- enforce: true
|
||||
compute.trustedImageProjects:
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- projects/fast-prod-iac-core-0
|
||||
|
||||
# [opt] Prefix - overrides default if set
|
||||
prefix: test1
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
# Copyright 2022 Google LLC
|
||||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
|
@ -60,15 +60,14 @@ labels:
|
|||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
policy_boolean:
|
||||
constraints/compute.disableGuestAttributesAccess: true
|
||||
policy_list:
|
||||
constraints/compute.trustedImageProjects:
|
||||
inherit_from_parent: null
|
||||
status: true
|
||||
suggested_value: null
|
||||
values:
|
||||
- projects/fast-prod-iac-core-0
|
||||
compute.disableGuestAttributesAccess:
|
||||
rules:
|
||||
- enforce: true
|
||||
compute.trustedImageProjects:
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- projects/fast-prod-iac-core-0
|
||||
|
||||
# [opt] Service account to create for the project and their roles on the project
|
||||
# in name => [roles] format
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ values:
|
|||
deny_all: null
|
||||
enforce: 'TRUE'
|
||||
values: []
|
||||
module.folder.google_org_policy_policy.default["constraints/compute.skipDefaultNetworkCreation"]:
|
||||
module.folder.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
reset: null
|
||||
|
|
@ -36,7 +36,7 @@ values:
|
|||
deny_all: null
|
||||
enforce: 'TRUE'
|
||||
values: []
|
||||
module.folder.google_org_policy_policy.default["constraints/compute.trustedImageProjects"]:
|
||||
module.folder.google_org_policy_policy.default["compute.trustedImageProjects"]:
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
reset: null
|
||||
|
|
@ -49,7 +49,7 @@ values:
|
|||
- allowed_values:
|
||||
- projects/my-project
|
||||
denied_values: null
|
||||
module.folder.google_org_policy_policy.default["constraints/compute.vmExternalIpAccess"]:
|
||||
module.folder.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
reset: null
|
||||
|
|
@ -59,7 +59,7 @@ values:
|
|||
deny_all: 'TRUE'
|
||||
enforce: null
|
||||
values: []
|
||||
module.folder.google_org_policy_policy.default["constraints/iam.allowedPolicyMemberDomains"]:
|
||||
module.folder.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
reset: null
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ values:
|
|||
deny_all: null
|
||||
enforce: 'TRUE'
|
||||
values: []
|
||||
module.org.google_org_policy_policy.default["constraints/compute.skipDefaultNetworkCreation"]:
|
||||
name: organizations/1234567890/policies/constraints/compute.skipDefaultNetworkCreation
|
||||
module.org.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
|
||||
name: organizations/1234567890/policies/compute.skipDefaultNetworkCreation
|
||||
parent: organizations/1234567890
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
|
|
@ -37,8 +37,8 @@ values:
|
|||
deny_all: null
|
||||
enforce: 'TRUE'
|
||||
values: []
|
||||
module.org.google_org_policy_policy.default["constraints/compute.trustedImageProjects"]:
|
||||
name: organizations/1234567890/policies/constraints/compute.trustedImageProjects
|
||||
module.org.google_org_policy_policy.default["compute.trustedImageProjects"]:
|
||||
name: organizations/1234567890/policies/compute.trustedImageProjects
|
||||
parent: organizations/1234567890
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
|
|
@ -52,8 +52,8 @@ values:
|
|||
- allowed_values:
|
||||
- projects/my-project
|
||||
denied_values: null
|
||||
module.org.google_org_policy_policy.default["constraints/compute.vmExternalIpAccess"]:
|
||||
name: organizations/1234567890/policies/constraints/compute.vmExternalIpAccess
|
||||
module.org.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
|
||||
name: organizations/1234567890/policies/compute.vmExternalIpAccess
|
||||
parent: organizations/1234567890
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
|
|
@ -64,8 +64,8 @@ values:
|
|||
deny_all: 'TRUE'
|
||||
enforce: null
|
||||
values: []
|
||||
module.org.google_org_policy_policy.default["constraints/iam.allowedPolicyMemberDomains"]:
|
||||
name: organizations/1234567890/policies/constraints/iam.allowedPolicyMemberDomains
|
||||
module.org.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
|
||||
name: organizations/1234567890/policies/iam.allowedPolicyMemberDomains
|
||||
parent: organizations/1234567890
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
|
|
|
|||
|
|
@ -3,7 +3,6 @@ org_policies = {
|
|||
rules = [{ enforce = true }]
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ values:
|
|||
deny_all: null
|
||||
enforce: 'TRUE'
|
||||
values: []
|
||||
module.project.google_org_policy_policy.default["constraints/compute.skipDefaultNetworkCreation"]:
|
||||
name: projects/foo-project-example/policies/constraints/compute.skipDefaultNetworkCreation
|
||||
module.project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
|
||||
name: projects/foo-project-example/policies/compute.skipDefaultNetworkCreation
|
||||
parent: projects/foo-project-example
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
|
|
@ -37,8 +37,8 @@ values:
|
|||
deny_all: null
|
||||
enforce: 'TRUE'
|
||||
values: []
|
||||
module.project.google_org_policy_policy.default["constraints/compute.trustedImageProjects"]:
|
||||
name: projects/foo-project-example/policies/constraints/compute.trustedImageProjects
|
||||
module.project.google_org_policy_policy.default["compute.trustedImageProjects"]:
|
||||
name: projects/foo-project-example/policies/compute.trustedImageProjects
|
||||
parent: projects/foo-project-example
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
|
|
@ -52,8 +52,8 @@ values:
|
|||
- allowed_values:
|
||||
- projects/my-project
|
||||
denied_values: null
|
||||
module.project.google_org_policy_policy.default["constraints/compute.vmExternalIpAccess"]:
|
||||
name: projects/foo-project-example/policies/constraints/compute.vmExternalIpAccess
|
||||
module.project.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
|
||||
name: projects/foo-project-example/policies/compute.vmExternalIpAccess
|
||||
parent: projects/foo-project-example
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
|
|
@ -64,8 +64,8 @@ values:
|
|||
deny_all: 'TRUE'
|
||||
enforce: null
|
||||
values: []
|
||||
module.project.google_org_policy_policy.default["constraints/iam.allowedPolicyMemberDomains"]:
|
||||
name: projects/foo-project-example/policies/constraints/iam.allowedPolicyMemberDomains
|
||||
module.project.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
|
||||
name: projects/foo-project-example/policies/iam.allowedPolicyMemberDomains
|
||||
parent: projects/foo-project-example
|
||||
spec:
|
||||
- inherit_from_parent: null
|
||||
|
|
|
|||
Loading…
Reference in New Issue