Update yaml org policies

This commit is contained in:
Julio Castillo 2023-02-21 13:58:08 +01:00
parent 6b767c9035
commit d3bcf625f9
15 changed files with 233 additions and 146 deletions


@ -3,71 +3,90 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
compute.disableGuestAttributesAccess: compute.disableGuestAttributesAccess:
enforce: true rules:
- enforce: true
compute.requireOsLogin: compute.requireOsLogin:
enforce: true rules:
- enforce: true
compute.restrictLoadBalancerCreationForTypes: compute.restrictLoadBalancerCreationForTypes:
allow: rules:
values: - allow:
- in:INTERNAL values:
- in:INTERNAL
compute.skipDefaultNetworkCreation: compute.skipDefaultNetworkCreation:
enforce: true rules:
- enforce: true
compute.vmExternalIpAccess: compute.vmExternalIpAccess:
deny: rules:
all: true - deny:
all: true
# compute.disableInternetNetworkEndpointGroup: # compute.disableInternetNetworkEndpointGroup:
# enforce: true # rules:
# - enforce: true
# compute.disableNestedVirtualization: # compute.disableNestedVirtualization:
# enforce: true # rules:
# - enforce: true
# compute.disableSerialPortAccess: # compute.disableSerialPortAccess:
# enforce: true # rules:
# - enforce: true
# compute.restrictCloudNATUsage: # compute.restrictCloudNATUsage:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictDedicatedInterconnectUsage: # compute.restrictDedicatedInterconnectUsage:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictPartnerInterconnectUsage: # compute.restrictPartnerInterconnectUsage:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictProtocolForwardingCreationForTypes: # compute.restrictProtocolForwardingCreationForTypes:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictSharedVpcHostProjects: # compute.restrictSharedVpcHostProjects:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictSharedVpcSubnetworks: # compute.restrictSharedVpcSubnetworks:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictVpcPeering: # compute.restrictVpcPeering:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictVpnPeerIPs: # compute.restrictVpnPeerIPs:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictXpnProjectLienRemoval: # compute.restrictXpnProjectLienRemoval:
# enforce: true # rules:
# - enforce: true
# compute.setNewProjectDefaultToZonalDNSOnly: # compute.setNewProjectDefaultToZonalDNSOnly:
# enforce: true # rules:
# - enforce: true
# compute.vmCanIpForward: # compute.vmCanIpForward:
# deny: # rules:
# all: true # - deny:
# all: true
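Review bot: The sample now uses the list form `rules:` under every policy, but nothing in the file says what a rule may contain, so someone editing the sample has to guess whether more than one rule per policy, or a rule with a condition, is accepted; the HCL section at the bottom of this page shows `rules = [ { condition = { … } } ]`, so the list presumably exists to carry several rules, some conditional. I would extend the header comment on the first line of the hunk to `# sample subset of useful organization policies, edit to suit requirements; each policy takes a list of rules, each with enforce, allow or deny (optionally with a condition)`. The same applies to the iam, run, sql and storage sample files in this commit and to the repeated copies of all five files further down the page, which carry the identical header line.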


@ -3,10 +3,13 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
iam.automaticIamGrantsForDefaultServiceAccounts: iam.automaticIamGrantsForDefaultServiceAccounts:
enforce: true rules:
- enforce: true
iam.disableServiceAccountKeyCreation: iam.disableServiceAccountKeyCreation:
enforce: true rules:
- enforce: true
iam.disableServiceAccountKeyUpload: iam.disableServiceAccountKeyUpload:
enforce: true rules:
- enforce: true


@ -3,24 +3,29 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
run.allowedIngress: run.allowedIngress:
allow: rules:
values: - allow:
- is:internal values:
- is:internal
# run.allowedVPCEgress: # run.allowedVPCEgress:
# allow: # rules:
# values: # - allow:
# values:
# - is:private-ranges-only # - is:private-ranges-only
# cloudfunctions.allowedIngressSettings: # cloudfunctions.allowedIngressSettings:
# allow: # rules:
# values: # - allow:
# - is:ALLOW_INTERNAL_ONLY # values:
# - is:ALLOW_INTERNAL_ONLY
# cloudfunctions.allowedVpcConnectorEgressSettings: # cloudfunctions.allowedVpcConnectorEgressSettings:
# allow: # rules:
# values: # - allow:
# - is:PRIVATE_RANGES_ONLY # values:
# - is:PRIVATE_RANGES_ONLY
# cloudfunctions.requireVPCConnector: # cloudfunctions.requireVPCConnector:
# enforce: true # rules:
# - enforce: true


@ -3,7 +3,9 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
sql.restrictAuthorizedNetworks: sql.restrictAuthorizedNetworks:
enforce: true rules:
- enforce: true
sql.restrictPublicIp: sql.restrictPublicIp:
enforce: true rules:
- enforce: true


@ -3,4 +3,5 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
storage.uniformBucketLevelAccess: storage.uniformBucketLevelAccess:
enforce: true rules:
- enforce: true


@ -3,71 +3,90 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
compute.disableGuestAttributesAccess: compute.disableGuestAttributesAccess:
enforce: true rules:
- enforce: true
compute.requireOsLogin: compute.requireOsLogin:
enforce: true rules:
- enforce: true
compute.restrictLoadBalancerCreationForTypes: compute.restrictLoadBalancerCreationForTypes:
allow: rules:
values: - allow:
- in:INTERNAL values:
- in:INTERNAL
compute.skipDefaultNetworkCreation: compute.skipDefaultNetworkCreation:
enforce: true rules:
- enforce: true
compute.vmExternalIpAccess: compute.vmExternalIpAccess:
deny: rules:
all: true - deny:
all: true
# compute.disableInternetNetworkEndpointGroup: # compute.disableInternetNetworkEndpointGroup:
# enforce: true # rules:
# - enforce: true
# compute.disableNestedVirtualization: # compute.disableNestedVirtualization:
# enforce: true # rules:
# - enforce: true
# compute.disableSerialPortAccess: # compute.disableSerialPortAccess:
# enforce: true # rules:
# - enforce: true
# compute.restrictCloudNATUsage: # compute.restrictCloudNATUsage:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictDedicatedInterconnectUsage: # compute.restrictDedicatedInterconnectUsage:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictPartnerInterconnectUsage: # compute.restrictPartnerInterconnectUsage:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictProtocolForwardingCreationForTypes: # compute.restrictProtocolForwardingCreationForTypes:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictSharedVpcHostProjects: # compute.restrictSharedVpcHostProjects:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictSharedVpcSubnetworks: # compute.restrictSharedVpcSubnetworks:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictVpcPeering: # compute.restrictVpcPeering:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictVpnPeerIPs: # compute.restrictVpnPeerIPs:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictXpnProjectLienRemoval: # compute.restrictXpnProjectLienRemoval:
# enforce: true # rules:
# - enforce: true
# compute.setNewProjectDefaultToZonalDNSOnly: # compute.setNewProjectDefaultToZonalDNSOnly:
# enforce: true # rules:
# - enforce: true
# compute.vmCanIpForward: # compute.vmCanIpForward:
# deny: # rules:
# all: true # - deny:
# all: true


@ -3,10 +3,13 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
iam.automaticIamGrantsForDefaultServiceAccounts: iam.automaticIamGrantsForDefaultServiceAccounts:
enforce: true rules:
- enforce: true
iam.disableServiceAccountKeyCreation: iam.disableServiceAccountKeyCreation:
enforce: true rules:
- enforce: true
iam.disableServiceAccountKeyUpload: iam.disableServiceAccountKeyUpload:
enforce: true rules:
- enforce: true


@ -3,24 +3,29 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
run.allowedIngress: run.allowedIngress:
allow: rules:
values: - allow:
- is:internal values:
- is:internal
# run.allowedVPCEgress: # run.allowedVPCEgress:
# allow: # rules:
# values: # - allow:
# values:
# - is:private-ranges-only # - is:private-ranges-only
# cloudfunctions.allowedIngressSettings: # cloudfunctions.allowedIngressSettings:
# allow: # rules:
# values: # - allow:
# - is:ALLOW_INTERNAL_ONLY # values:
# - is:ALLOW_INTERNAL_ONLY
# cloudfunctions.allowedVpcConnectorEgressSettings: # cloudfunctions.allowedVpcConnectorEgressSettings:
# allow: # rules:
# values: # - allow:
# - is:PRIVATE_RANGES_ONLY # values:
# - is:PRIVATE_RANGES_ONLY
# cloudfunctions.requireVPCConnector: # cloudfunctions.requireVPCConnector:
# enforce: true # rules:
# - enforce: true


@ -3,4 +3,5 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
storage.uniformBucketLevelAccess: storage.uniformBucketLevelAccess:
enforce: true rules:
- enforce: true


@ -3,71 +3,90 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
compute.disableGuestAttributesAccess: compute.disableGuestAttributesAccess:
enforce: true rules:
- enforce: true
compute.requireOsLogin: compute.requireOsLogin:
enforce: true rules:
- enforce: true
compute.restrictLoadBalancerCreationForTypes: compute.restrictLoadBalancerCreationForTypes:
allow: rules:
values: - allow:
- in:INTERNAL values:
- in:INTERNAL
compute.skipDefaultNetworkCreation: compute.skipDefaultNetworkCreation:
enforce: true rules:
- enforce: true
compute.vmExternalIpAccess: compute.vmExternalIpAccess:
deny: rules:
all: true - deny:
all: true
# compute.disableInternetNetworkEndpointGroup: # compute.disableInternetNetworkEndpointGroup:
# enforce: true # rules:
# - enforce: true
# compute.disableNestedVirtualization: # compute.disableNestedVirtualization:
# enforce: true # rules:
# - enforce: true
# compute.disableSerialPortAccess: # compute.disableSerialPortAccess:
# enforce: true # rules:
# - enforce: true
# compute.restrictCloudNATUsage: # compute.restrictCloudNATUsage:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictDedicatedInterconnectUsage: # compute.restrictDedicatedInterconnectUsage:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictPartnerInterconnectUsage: # compute.restrictPartnerInterconnectUsage:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictProtocolForwardingCreationForTypes: # compute.restrictProtocolForwardingCreationForTypes:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictSharedVpcHostProjects: # compute.restrictSharedVpcHostProjects:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictSharedVpcSubnetworks: # compute.restrictSharedVpcSubnetworks:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictVpcPeering: # compute.restrictVpcPeering:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictVpnPeerIPs: # compute.restrictVpnPeerIPs:
# deny: # rules:
# all: true # - deny:
# all: true
# compute.restrictXpnProjectLienRemoval: # compute.restrictXpnProjectLienRemoval:
# enforce: true # rules:
# - enforce: true
# compute.setNewProjectDefaultToZonalDNSOnly: # compute.setNewProjectDefaultToZonalDNSOnly:
# enforce: true # rules:
# - enforce: true
# compute.vmCanIpForward: # compute.vmCanIpForward:
# deny: # rules:
# all: true # - deny:
# all: true


@ -3,10 +3,13 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
iam.automaticIamGrantsForDefaultServiceAccounts: iam.automaticIamGrantsForDefaultServiceAccounts:
enforce: true rules:
- enforce: true
iam.disableServiceAccountKeyCreation: iam.disableServiceAccountKeyCreation:
enforce: true rules:
- enforce: true
iam.disableServiceAccountKeyUpload: iam.disableServiceAccountKeyUpload:
enforce: true rules:
- enforce: true


@ -3,24 +3,29 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
run.allowedIngress: run.allowedIngress:
allow: rules:
values: - allow:
- is:internal values:
- is:internal
# run.allowedVPCEgress: # run.allowedVPCEgress:
# allow: # rules:
# values: # - allow:
# values:
# - is:private-ranges-only # - is:private-ranges-only
# cloudfunctions.allowedIngressSettings: # cloudfunctions.allowedIngressSettings:
# allow: # rules:
# values: # - allow:
# - is:ALLOW_INTERNAL_ONLY # values:
# - is:ALLOW_INTERNAL_ONLY
# cloudfunctions.allowedVpcConnectorEgressSettings: # cloudfunctions.allowedVpcConnectorEgressSettings:
# allow: # rules:
# values: # - allow:
# - is:PRIVATE_RANGES_ONLY # values:
# - is:PRIVATE_RANGES_ONLY
# cloudfunctions.requireVPCConnector: # cloudfunctions.requireVPCConnector:
# enforce: true # rules:
# - enforce: true


@ -3,7 +3,9 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
sql.restrictAuthorizedNetworks: sql.restrictAuthorizedNetworks:
enforce: true rules:
- enforce: true
sql.restrictPublicIp: sql.restrictPublicIp:
enforce: true rules:
- enforce: true


@ -3,4 +3,5 @@
# sample subset of useful organization policies, edit to suit requirements # sample subset of useful organization policies, edit to suit requirements
storage.uniformBucketLevelAccess: storage.uniformBucketLevelAccess:
enforce: true rules:
- enforce: true


@ -11,7 +11,6 @@ org_policies = {
}] }]
} }
"compute.restrictLoadBalancerCreationForTypes" = { "compute.restrictLoadBalancerCreationForTypes" = {
rules = [ rules = [
{ {
condition = { condition = {