diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml
index 0d27ac42..a3f96b1b 100644
--- a/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml
+++ b/blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml
@@ -3,71 +3,90 @@
 # sample subset of useful organization policies, edit to suit requirements
 compute.disableGuestAttributesAccess:
- enforce: true
+ rules:
+ - enforce: true
 compute.requireOsLogin:
- enforce: true
+ rules:
+ - enforce: true
 compute.restrictLoadBalancerCreationForTypes:
- allow:
- values:
- - in:INTERNAL
+ rules:
+ - allow:
+ values:
+ - in:INTERNAL
 compute.skipDefaultNetworkCreation:
- enforce: true
+ rules:
+ - enforce: true
 compute.vmExternalIpAccess:
- deny:
- all: true
+ rules:
+ - deny:
+ all: true
 # compute.disableInternetNetworkEndpointGroup:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.disableNestedVirtualization:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.disableSerialPortAccess:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.restrictCloudNATUsage:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictDedicatedInterconnectUsage:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictPartnerInterconnectUsage:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictProtocolForwardingCreationForTypes:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictSharedVpcHostProjects:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictSharedVpcSubnetworks:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictVpcPeering:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictVpnPeerIPs:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictXpnProjectLienRemoval:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.setNewProjectDefaultToZonalDNSOnly:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.vmCanIpForward:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml
index 4d83f827..58e0032c 100644
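Review bot: This rewrite is replayed verbatim on three byte-identical copies of compute.yaml (this file, fast/stages-multitenant/1-resman-tenant and fast/stages/1-resman all carry blob ids 0d27ac42..a3f96b1b), and the same holds for the iam.yaml, serverless.yaml and storage.yaml hunks further down. Keeping the sample policy set duplicated per stage means every future schema migration or constraint addition has to be hand-applied in each copy, and a missed copy silently leaves one stage on the old format or with a weaker policy set. Consider sourcing the samples from one shared data directory, or adding a CI check that the copies stay identical. The file header could also record the format the factory now expects, e.g. `# each constraint maps to a rules list (rules: - enforce / allow / deny), edit to suit requirements`.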
--- a/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml
+++ b/blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml
@@ -3,10 +3,13 @@
 # sample subset of useful organization policies, edit to suit requirements
 iam.automaticIamGrantsForDefaultServiceAccounts:
- enforce: true
+ rules:
+ - enforce: true
 iam.disableServiceAccountKeyCreation:
- enforce: true
+ rules:
+ - enforce: true
 iam.disableServiceAccountKeyUpload:
- enforce: true
+ rules:
+ - enforce: true
diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml
index de62e6c7..3efb23cd 100644
--- a/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml
+++ b/blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml
@@ -3,24 +3,29 @@
 # sample subset of useful organization policies, edit to suit requirements
 run.allowedIngress:
- allow:
- values:
- - is:internal
+ rules:
+ - allow:
+ values:
+ - is:internal
 # run.allowedVPCEgress:
-# allow:
-# values:
+# rules:
+# - allow:
+# values:
 # - is:private-ranges-only
 # cloudfunctions.allowedIngressSettings:
-# allow:
-# values:
-# - is:ALLOW_INTERNAL_ONLY
+# rules:
+# - allow:
+# values:
+# - is:ALLOW_INTERNAL_ONLY
 # cloudfunctions.allowedVpcConnectorEgressSettings:
-# allow:
-# values:
-# - is:PRIVATE_RANGES_ONLY
+# rules:
+# - allow:
+# values:
+# - is:PRIVATE_RANGES_ONLY
 # cloudfunctions.requireVPCConnector:
-# enforce: true
+# rules:
+# - enforce: true
diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml
index 88b84d9d..0eee8045 100644
--- a/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml
+++ b/blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml
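Review bot: In the commented-out `run.allowedVPCEgress` entry of the serverless.yaml hunk, the `# - is:private-ranges-only` line is left untouched as context while the rest of that entry is re-nested under `rules:` / `- allow:` / `values:`, whereas the matching list items under the two `cloudfunctions.*` entries in the same hunk were re-indented as part of this change. Exact indentation is not visible here, but if that line kept its old depth it now sits shallower than its new `values:` parent, so anyone uncommenting the block as a template gets a YAML parse error or a mis-nested value instead of the intended egress restriction. Re-indent it to match the `cloudfunctions.allowedVpcConnectorEgressSettings` entry. The same applies to the byte-identical serverless.yaml hunks for fast/stages-multitenant/1-resman-tenant and fast/stages/1-resman.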
@@ -3,7 +3,9 @@
 # sample subset of useful organization policies, edit to suit requirements
 sql.restrictAuthorizedNetworks:
- enforce: true
+ rules:
+ - enforce: true
 sql.restrictPublicIp:
- enforce: true
+ rules:
+ - enforce: true
diff --git a/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml b/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml
index 6c0a673f..448357b8 100644
--- a/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml
+++ b/blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml
@@ -3,4 +3,5 @@
 # sample subset of useful organization policies, edit to suit requirements
 storage.uniformBucketLevelAccess:
- enforce: true
+ rules:
+ - enforce: true
diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml
index 0d27ac42..a3f96b1b 100644
--- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml
+++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml
@@ -3,71 +3,90 @@
 # sample subset of useful organization policies, edit to suit requirements
 compute.disableGuestAttributesAccess:
- enforce: true
+ rules:
+ - enforce: true
 compute.requireOsLogin:
- enforce: true
+ rules:
+ - enforce: true
 compute.restrictLoadBalancerCreationForTypes:
- allow:
- values:
- - in:INTERNAL
+ rules:
+ - allow:
+ values:
+ - in:INTERNAL
 compute.skipDefaultNetworkCreation:
- enforce: true
+ rules:
+ - enforce: true
 compute.vmExternalIpAccess:
- deny:
- all: true
+ rules:
+ - deny:
+ all: true
 # compute.disableInternetNetworkEndpointGroup:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.disableNestedVirtualization:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.disableSerialPortAccess:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.restrictCloudNATUsage:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictDedicatedInterconnectUsage:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictPartnerInterconnectUsage:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictProtocolForwardingCreationForTypes:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictSharedVpcHostProjects:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictSharedVpcSubnetworks:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictVpcPeering:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictVpnPeerIPs:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictXpnProjectLienRemoval:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.setNewProjectDefaultToZonalDNSOnly:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.vmCanIpForward:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml
index 4d83f827..58e0032c 100644
--- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml
+++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml
@@ -3,10 +3,13 @@
 # sample subset of useful organization policies, edit to suit requirements
 iam.automaticIamGrantsForDefaultServiceAccounts:
- enforce: true
+ rules:
+ - enforce: true
 iam.disableServiceAccountKeyCreation:
- enforce: true
+ rules:
+ - enforce: true
 iam.disableServiceAccountKeyUpload:
- enforce: true
+ rules:
+ - enforce: true
diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml
index de62e6c7..3efb23cd 100644
--- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml
+++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml
@@ -3,24 +3,29 @@
 # sample subset of useful organization policies, edit to suit requirements
 run.allowedIngress:
- allow:
- values:
- - is:internal
+ rules:
+ - allow:
+ values:
+ - is:internal
 # run.allowedVPCEgress:
-# allow:
-# values:
+# rules:
+# - allow:
+# values:
 # - is:private-ranges-only
 # cloudfunctions.allowedIngressSettings:
-# allow:
-# values:
-# - is:ALLOW_INTERNAL_ONLY
+# rules:
+# - allow:
+# values:
+# - is:ALLOW_INTERNAL_ONLY
 # cloudfunctions.allowedVpcConnectorEgressSettings:
-# allow:
-# values:
-# - is:PRIVATE_RANGES_ONLY
+# rules:
+# - allow:
+# values:
+# - is:PRIVATE_RANGES_ONLY
 # cloudfunctions.requireVPCConnector:
-# enforce: true
+# rules:
+# - enforce: true
diff --git a/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml b/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml
index 6c0a673f..448357b8 100644
--- a/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml
+++ b/fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml
@@ -3,4 +3,5 @@
 # sample subset of useful organization policies, edit to suit requirements
 storage.uniformBucketLevelAccess:
- enforce: true
+ rules:
+ - enforce: true
diff --git a/fast/stages/1-resman/data/org-policies/compute.yaml b/fast/stages/1-resman/data/org-policies/compute.yaml
index 0d27ac42..a3f96b1b 100644
--- a/fast/stages/1-resman/data/org-policies/compute.yaml
+++ b/fast/stages/1-resman/data/org-policies/compute.yaml
@@ -3,71 +3,90 @@
 # sample subset of useful organization policies, edit to suit requirements
 compute.disableGuestAttributesAccess:
- enforce: true
+ rules:
+ - enforce: true
 compute.requireOsLogin:
- enforce: true
+ rules:
+ - enforce: true
 compute.restrictLoadBalancerCreationForTypes:
- allow:
- values:
- - in:INTERNAL
+ rules:
+ - allow:
+ values:
+ - in:INTERNAL
 compute.skipDefaultNetworkCreation:
- enforce: true
+ rules:
+ - enforce: true
 compute.vmExternalIpAccess:
- deny:
- all: true
+ rules:
+ - deny:
+ all: true
 # compute.disableInternetNetworkEndpointGroup:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.disableNestedVirtualization:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.disableSerialPortAccess:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.restrictCloudNATUsage:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictDedicatedInterconnectUsage:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictPartnerInterconnectUsage:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictProtocolForwardingCreationForTypes:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictSharedVpcHostProjects:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictSharedVpcSubnetworks:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictVpcPeering:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictVpnPeerIPs:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
 # compute.restrictXpnProjectLienRemoval:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.setNewProjectDefaultToZonalDNSOnly:
-# enforce: true
+# rules:
+# - enforce: true
 # compute.vmCanIpForward:
-# deny:
-# all: true
+# rules:
+# - deny:
+# all: true
diff --git a/fast/stages/1-resman/data/org-policies/iam.yaml b/fast/stages/1-resman/data/org-policies/iam.yaml
index 4d83f827..58e0032c 100644
--- a/fast/stages/1-resman/data/org-policies/iam.yaml
+++ b/fast/stages/1-resman/data/org-policies/iam.yaml
@@ -3,10 +3,13 @@
 # sample subset of useful organization policies, edit to suit requirements
 iam.automaticIamGrantsForDefaultServiceAccounts:
- enforce: true
+ rules:
+ - enforce: true
 iam.disableServiceAccountKeyCreation:
- enforce: true
+ rules:
+ - enforce: true
 iam.disableServiceAccountKeyUpload:
- enforce: true
+ rules:
+ - enforce: true
diff --git a/fast/stages/1-resman/data/org-policies/serverless.yaml b/fast/stages/1-resman/data/org-policies/serverless.yaml
index de62e6c7..3efb23cd 100644
--- a/fast/stages/1-resman/data/org-policies/serverless.yaml
+++ b/fast/stages/1-resman/data/org-policies/serverless.yaml
@@ -3,24 +3,29 @@
 # sample subset of useful organization policies, edit to suit requirements
 run.allowedIngress:
- allow:
- values:
- - is:internal
+ rules:
+ - allow:
+ values:
+ - is:internal
 # run.allowedVPCEgress:
-# allow:
-# values:
+# rules:
+# - allow:
+# values:
 # - is:private-ranges-only
 # cloudfunctions.allowedIngressSettings:
-# allow:
-# values:
-# - is:ALLOW_INTERNAL_ONLY
+# rules:
+# - allow:
+# values:
+# - is:ALLOW_INTERNAL_ONLY
 # cloudfunctions.allowedVpcConnectorEgressSettings:
-# allow:
-# values:
-# - is:PRIVATE_RANGES_ONLY
+# rules:
+# - allow:
+# values:
+# - is:PRIVATE_RANGES_ONLY
 # cloudfunctions.requireVPCConnector:
-# enforce: true
+# rules:
+# - enforce: true
diff --git a/fast/stages/1-resman/data/org-policies/sql.yaml b/fast/stages/1-resman/data/org-policies/sql.yaml
index 88b84d9d..0eee8045 100644
--- a/fast/stages/1-resman/data/org-policies/sql.yaml
+++ b/fast/stages/1-resman/data/org-policies/sql.yaml
@@ -3,7 +3,9 @@
 # sample subset of useful organization policies, edit to suit requirements
 sql.restrictAuthorizedNetworks:
- enforce: true
+ rules:
+ - enforce: true
 sql.restrictPublicIp:
- enforce: true
+ rules:
+ - enforce: true
diff --git a/fast/stages/1-resman/data/org-policies/storage.yaml b/fast/stages/1-resman/data/org-policies/storage.yaml
index 6c0a673f..448357b8 100644
--- a/fast/stages/1-resman/data/org-policies/storage.yaml
+++ b/fast/stages/1-resman/data/org-policies/storage.yaml
@@ -3,4 +3,5 @@
 # sample subset of useful organization policies, edit to suit requirements
 storage.uniformBucketLevelAccess:
- enforce: true
+ rules:
+ - enforce: true
diff --git a/tests/modules/project/org_policies_list.tfvars b/tests/modules/project/org_policies_list.tfvars
index 617c5bf0..4889547d 100644
--- a/tests/modules/project/org_policies_list.tfvars
+++ b/tests/modules/project/org_policies_list.tfvars
@@ -11,7 +11,6 @@ org_policies = { }] } "compute.restrictLoadBalancerCreationForTypes" = { - rules = [ { condition = {