Fix readme examples
parent
f44f4a74dc
commit
ad420138ad
|
@ -67,8 +67,10 @@ module "orch-project" {
|
|||
"roles/storage.objectViewer" = [module.load-sa-df-0.iam_email]
|
||||
}
|
||||
oslogin = false
|
||||
policy_boolean = {
|
||||
"constraints/compute.requireOsLogin" = false
|
||||
org_policies = {
|
||||
"constraints/compute.requireOsLogin" = {
|
||||
enforce = false
|
||||
}
|
||||
}
|
||||
services = concat(var.project_services, [
|
||||
"artifactregistry.googleapis.com",
|
||||
|
|
|
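Review bot: The new `"constraints/compute.requireOsLogin" = { enforce = false }` entry switches off a security constraint at project scope without recording why, directly under `oslogin = false`, so a reader copying this blueprint inherits an unexplained OS Login opt-out. A short comment above the entry, e.g. `# OS Login is intentionally off for this project; keep this override in sync with the oslogin setting above`, would capture the intent, and whether the two settings are meant to track each other should be confirmed against the module rather than assumed. The `module "orch-project"` block starts before the hunk and continues past it.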
@ -40,8 +40,10 @@ module "project" {
|
|||
"storage.googleapis.com",
|
||||
"storage-component.googleapis.com"
|
||||
]
|
||||
policy_boolean = {
|
||||
# "constraints/compute.requireOsLogin" = false
|
||||
org_policies = {
|
||||
# "constraints/compute.requireOsLogin" = {
|
||||
# enforce = false
|
||||
# }
|
||||
# Example of applying a project wide policy, mainly useful for Composer
|
||||
}
|
||||
service_encryption_key_ids = {
|
||||
|
|
|
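Review bot: The context line `# Example of applying a project wide policy, mainly useful for Composer` now sits below the commented-out `# }` of the `requireOsLogin` example it describes and just above the closing brace of `org_policies`, so it reads as a trailing comment on an empty block. Moving it above `# "constraints/compute.requireOsLogin" = {` keeps the explanation attached to the example it belongs to. The `module "project"` block starts before the hunk and continues past it.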
@ -226,13 +226,10 @@ module "folder-apps" {
|
|||
source = "../../../modules/folder"
|
||||
parent = var.root_node
|
||||
name = "apps"
|
||||
policy_list = {
|
||||
org_policies = {
|
||||
# prevent VMs with public IPs in the apps folder
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
inherit_from_parent = false
|
||||
suggested_value = null
|
||||
status = false
|
||||
values = []
|
||||
deny = { all = true }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
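Review bot: The replaced `policy_list` entry set `inherit_from_parent = false` explicitly, while the new `deny = { all = true }` form says nothing about inheritance and the page does not show what the module defaults it to; if the default is to inherit, the folder would merge the parent's external-IP rules instead of replacing them as before, which is a behaviour change hidden in a "readme fix". Either state the inheritance explicitly in the new entry or extend the existing comment, e.g. `# prevent VMs with public IPs in the apps folder (deny all; confirm parent rules are not inherited)`, once the module default is checked. The `module "folder-apps"` block starts before the hunk.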
@ -31,20 +31,46 @@ module "folder" {
|
|||
source = "./fabric/modules/folder"
|
||||
parent = "organizations/1234567890"
|
||||
name = "Folder name"
|
||||
policy_boolean = {
|
||||
"constraints/compute.disableGuestAttributesAccess" = true
|
||||
"constraints/compute.skipDefaultNetworkCreation" = true
|
||||
}
|
||||
policy_list = {
|
||||
org_policies = {
|
||||
"compute.disableGuestAttributesAccess" = {
|
||||
enforce = true
|
||||
}
|
||||
"constraints/compute.skipDefaultNetworkCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
enforce = false
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "somewhere"
|
||||
}
|
||||
enforce = true
|
||||
}
|
||||
]
|
||||
}
|
||||
"constraints/iam.allowedPolicyMemberDomains" = {
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.trustedImageProjects" = {
|
||||
inherit_from_parent = null
|
||||
suggested_value = null
|
||||
status = true
|
||||
values = ["projects/my-project"]
|
||||
allow = {
|
||||
values = ["projects/my-project"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
# tftest modules=1 resources=8
|
||||
```
|
||||
|
||||
### Firewall policy factory
|
||||
|
|
|
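Review bot: The new `org_policies` keys mix bare and prefixed constraint names — `"compute.disableGuestAttributesAccess"`, `"iam.disableServiceAccountKeyCreation"` and `"iam.disableServiceAccountKeyUpload"` carry no `constraints/` prefix while `"constraints/compute.skipDefaultNetworkCreation"` and the entries below it do; whether the module accepts both spellings is not visible here, and if it does not, one form would silently produce no policy, so the example should use a single form throughout. The `"constraints/compute.trustedImageProjects"` entry still lists `inherit_from_parent`, `suggested_value`, `status` and `values` next to the new `allow` block, which looks like a leftover of the replaced `policy_list` schema and should go if the new format ignores them. The `"iam.disableServiceAccountKeyUpload"` example sets `enforce = false` and only enforces under a tag condition; if the top-level `enforce` maps to an unconditional rule, a reader copying it disables the control everywhere except tagged resources, so a comment such as `# example only: enforcement is off except where the tag condition matches` would make that explicit. The same example is repeated verbatim in the `module "org"` and `module "project"` hunks below, which need the same cleanup.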
@ -19,20 +19,47 @@ module "org" {
|
|||
iam = {
|
||||
"roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
|
||||
}
|
||||
policy_boolean = {
|
||||
"constraints/compute.disableGuestAttributesAccess" = true
|
||||
"constraints/compute.skipDefaultNetworkCreation" = true
|
||||
}
|
||||
policy_list = {
|
||||
|
||||
org_policies = {
|
||||
"compute.disableGuestAttributesAccess" = {
|
||||
enforce = true
|
||||
}
|
||||
"constraints/compute.skipDefaultNetworkCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
enforce = false
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "somewhere"
|
||||
}
|
||||
enforce = true
|
||||
}
|
||||
]
|
||||
}
|
||||
"constraints/iam.allowedPolicyMemberDomains" = {
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.trustedImageProjects" = {
|
||||
inherit_from_parent = null
|
||||
suggested_value = null
|
||||
status = true
|
||||
values = ["projects/my-project"]
|
||||
allow = {
|
||||
values = ["projects/my-project"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=6
|
||||
# tftest modules=1 resources=10
|
||||
```
|
||||
|
||||
## IAM
|
||||
|
|
|
@ -167,20 +167,46 @@ module "project" {
|
|||
"container.googleapis.com",
|
||||
"stackdriver.googleapis.com"
|
||||
]
|
||||
policy_boolean = {
|
||||
"constraints/compute.disableGuestAttributesAccess" = true
|
||||
"constraints/compute.skipDefaultNetworkCreation" = true
|
||||
}
|
||||
policy_list = {
|
||||
org_policies = {
|
||||
"compute.disableGuestAttributesAccess" = {
|
||||
enforce = true
|
||||
}
|
||||
"constraints/compute.skipDefaultNetworkCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
enforce = false
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "somewhere"
|
||||
}
|
||||
enforce = true
|
||||
}
|
||||
]
|
||||
}
|
||||
"constraints/iam.allowedPolicyMemberDomains" = {
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.trustedImageProjects" = {
|
||||
inherit_from_parent = null
|
||||
suggested_value = null
|
||||
status = true
|
||||
values = ["projects/my-project"]
|
||||
allow = {
|
||||
values = ["projects/my-project"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=6
|
||||
# tftest modules=1 resources=10
|
||||
```
|
||||
|
||||
## Logging Sinks
|
||||
|
|