Update yaml org policies
This commit is contained in:
Julio Castillo
parent
6b767c9035
commit
d3bcf625f9
|
|
@ -3,71 +3,90 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
compute.requireOsLogin:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
compute.restrictLoadBalancerCreationForTypes:
|
||||
allow:
|
||||
values:
|
||||
- in:INTERNAL
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- in:INTERNAL
|
||||
|
||||
compute.skipDefaultNetworkCreation:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
rules:
|
||||
- deny:
|
||||
all: true
|
||||
|
||||
|
||||
# compute.disableInternetNetworkEndpointGroup:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.disableNestedVirtualization:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.disableSerialPortAccess:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.restrictCloudNATUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictDedicatedInterconnectUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictPartnerInterconnectUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictProtocolForwardingCreationForTypes:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictSharedVpcHostProjects:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictSharedVpcSubnetworks:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictVpcPeering:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictVpnPeerIPs:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictXpnProjectLienRemoval:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.setNewProjectDefaultToZonalDNSOnly:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.vmCanIpForward:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
|
|
|||
|
|
@ -3,10 +3,13 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
iam.automaticIamGrantsForDefaultServiceAccounts:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
iam.disableServiceAccountKeyCreation:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
iam.disableServiceAccountKeyUpload:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
|
|
|||
|
|
@ -3,24 +3,29 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
run.allowedIngress:
|
||||
allow:
|
||||
values:
|
||||
- is:internal
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- is:internal
|
||||
|
||||
# run.allowedVPCEgress:
|
||||
# allow:
|
||||
# values:
|
||||
# rules:
|
||||
# - allow:
|
||||
# values:
|
||||
# - is:private-ranges-only
|
||||
|
||||
# cloudfunctions.allowedIngressSettings:
|
||||
# allow:
|
||||
# values:
|
||||
# - is:ALLOW_INTERNAL_ONLY
|
||||
# rules:
|
||||
# - allow:
|
||||
# values:
|
||||
# - is:ALLOW_INTERNAL_ONLY
|
||||
|
||||
# cloudfunctions.allowedVpcConnectorEgressSettings:
|
||||
# allow:
|
||||
# values:
|
||||
# - is:PRIVATE_RANGES_ONLY
|
||||
# rules:
|
||||
# - allow:
|
||||
# values:
|
||||
# - is:PRIVATE_RANGES_ONLY
|
||||
|
||||
# cloudfunctions.requireVPCConnector:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
|
|
|||
|
|
@ -3,7 +3,9 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
sql.restrictAuthorizedNetworks:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
sql.restrictPublicIp:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
|
|
|||
|
|
@ -3,4 +3,5 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
storage.uniformBucketLevelAccess:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
|
|
|||
|
|
@ -3,71 +3,90 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
compute.requireOsLogin:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
compute.restrictLoadBalancerCreationForTypes:
|
||||
allow:
|
||||
values:
|
||||
- in:INTERNAL
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- in:INTERNAL
|
||||
|
||||
compute.skipDefaultNetworkCreation:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
rules:
|
||||
- deny:
|
||||
all: true
|
||||
|
||||
|
||||
# compute.disableInternetNetworkEndpointGroup:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.disableNestedVirtualization:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.disableSerialPortAccess:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.restrictCloudNATUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictDedicatedInterconnectUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictPartnerInterconnectUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictProtocolForwardingCreationForTypes:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictSharedVpcHostProjects:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictSharedVpcSubnetworks:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictVpcPeering:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictVpnPeerIPs:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictXpnProjectLienRemoval:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.setNewProjectDefaultToZonalDNSOnly:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.vmCanIpForward:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
|
|
|||
|
|
@ -3,10 +3,13 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
iam.automaticIamGrantsForDefaultServiceAccounts:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
iam.disableServiceAccountKeyCreation:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
iam.disableServiceAccountKeyUpload:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
|
|
|||
|
|
@ -3,24 +3,29 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
run.allowedIngress:
|
||||
allow:
|
||||
values:
|
||||
- is:internal
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- is:internal
|
||||
|
||||
# run.allowedVPCEgress:
|
||||
# allow:
|
||||
# values:
|
||||
# rules:
|
||||
# - allow:
|
||||
# values:
|
||||
# - is:private-ranges-only
|
||||
|
||||
# cloudfunctions.allowedIngressSettings:
|
||||
# allow:
|
||||
# values:
|
||||
# - is:ALLOW_INTERNAL_ONLY
|
||||
# rules:
|
||||
# - allow:
|
||||
# values:
|
||||
# - is:ALLOW_INTERNAL_ONLY
|
||||
|
||||
# cloudfunctions.allowedVpcConnectorEgressSettings:
|
||||
# allow:
|
||||
# values:
|
||||
# - is:PRIVATE_RANGES_ONLY
|
||||
# rules:
|
||||
# - allow:
|
||||
# values:
|
||||
# - is:PRIVATE_RANGES_ONLY
|
||||
|
||||
# cloudfunctions.requireVPCConnector:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
|
|
|||
|
|
@ -3,4 +3,5 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
storage.uniformBucketLevelAccess:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
|
|
|||
|
|
@ -3,71 +3,90 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
compute.requireOsLogin:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
compute.restrictLoadBalancerCreationForTypes:
|
||||
allow:
|
||||
values:
|
||||
- in:INTERNAL
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- in:INTERNAL
|
||||
|
||||
compute.skipDefaultNetworkCreation:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
rules:
|
||||
- deny:
|
||||
all: true
|
||||
|
||||
|
||||
# compute.disableInternetNetworkEndpointGroup:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.disableNestedVirtualization:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.disableSerialPortAccess:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.restrictCloudNATUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictDedicatedInterconnectUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictPartnerInterconnectUsage:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictProtocolForwardingCreationForTypes:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictSharedVpcHostProjects:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictSharedVpcSubnetworks:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictVpcPeering:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictVpnPeerIPs:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
||||
# compute.restrictXpnProjectLienRemoval:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.setNewProjectDefaultToZonalDNSOnly:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
||||
# compute.vmCanIpForward:
|
||||
# deny:
|
||||
# all: true
|
||||
# rules:
|
||||
# - deny:
|
||||
# all: true
|
||||
|
|
|
|||
|
|
@ -3,10 +3,13 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
iam.automaticIamGrantsForDefaultServiceAccounts:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
iam.disableServiceAccountKeyCreation:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
iam.disableServiceAccountKeyUpload:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
|
|
|||
|
|
@ -3,24 +3,29 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
run.allowedIngress:
|
||||
allow:
|
||||
values:
|
||||
- is:internal
|
||||
rules:
|
||||
- allow:
|
||||
values:
|
||||
- is:internal
|
||||
|
||||
# run.allowedVPCEgress:
|
||||
# allow:
|
||||
# values:
|
||||
# rules:
|
||||
# - allow:
|
||||
# values:
|
||||
# - is:private-ranges-only
|
||||
|
||||
# cloudfunctions.allowedIngressSettings:
|
||||
# allow:
|
||||
# values:
|
||||
# - is:ALLOW_INTERNAL_ONLY
|
||||
# rules:
|
||||
# - allow:
|
||||
# values:
|
||||
# - is:ALLOW_INTERNAL_ONLY
|
||||
|
||||
# cloudfunctions.allowedVpcConnectorEgressSettings:
|
||||
# allow:
|
||||
# values:
|
||||
# - is:PRIVATE_RANGES_ONLY
|
||||
# rules:
|
||||
# - allow:
|
||||
# values:
|
||||
# - is:PRIVATE_RANGES_ONLY
|
||||
|
||||
# cloudfunctions.requireVPCConnector:
|
||||
# enforce: true
|
||||
# rules:
|
||||
# - enforce: true
|
||||
|
|
|
|||
|
|
@ -3,7 +3,9 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
sql.restrictAuthorizedNetworks:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
||||
sql.restrictPublicIp:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
|
|
|||
|
|
@ -3,4 +3,5 @@
|
|||
# sample subset of useful organization policies, edit to suit requirements
|
||||
|
||||
storage.uniformBucketLevelAccess:
|
||||
enforce: true
|
||||
rules:
|
||||
- enforce: true
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@ org_policies = {
|
|||
}]
|
||||
}
|
||||
"compute.restrictLoadBalancerCreationForTypes" = {
|
||||
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
|
|
|
|||
Loading…
Reference in New Issue