Add org policy factory example

This commit is contained in:
Julio Castillo 2022-11-03 12:12:50 +01:00
parent 3e18575fad
commit f64c43e893
3 changed files with 71 additions and 0 deletions

View File

@ -75,6 +75,10 @@ module "folder" {
# tftest modules=1 resources=8 # tftest modules=1 resources=8
``` ```
### Organization policy factory
See the [organization policy factory in the project module](../project#Organization-policy-factory).
### Firewall policy factory ### Firewall policy factory
In the same way as for the [organization](../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`). In the same way as for the [organization](../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
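Review bot: the link fragment in the new subsection, `../project#Organization-policy-factory`, will not resolve to the section: rendered markdown heading anchors are lowercased, so the target is `#organization-policy-factory` and the capitalized fragment lands readers at the top of the project README instead. Lowercase the fragment. As a secondary point, the neighbouring "Firewall policy factory" subsection explains what file to provide and where paths are resolved from, while this one is a bare cross-reference; naming the variable the folder module reads (`org_policies_data_path`, as used in the project README example in this same commit) would let a reader of the folder README set it without leaving the page.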

View File

@ -76,6 +76,10 @@ If you set audit policies via the `iam_audit_config_authoritative` variable, be
Some care must also be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph. Some care must also be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
### Organization policy factory
See the [organization policy factory in the project module](../project#Organization-policy-factory).
## Hierarchical firewall policies ## Hierarchical firewall policies
Hirerarchical firewall policies can be managed in two ways: Hirerarchical firewall policies can be managed in two ways:
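Review bot: same anchor problem as in the folder README: `../project#Organization-policy-factory` should be `../project#organization-policy-factory`, since heading anchors are generated lowercased and the capitalized fragment does not match. While touching this region, the unchanged context lines carry two typos worth fixing in passing, `takend` and `Hirerarchical`.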

View File

@ -211,6 +211,69 @@ module "project" {
# tftest modules=1 resources=10 # tftest modules=1 resources=10
``` ```
### Organization policy factory
Organization policies can be loaded from a directory containing YAML files where each file defines one or more constraints. The structure of the YAML files is exactly the same as the `org_policies` variable.
The example below deploys the same organization policies shown in the previous section using two YAML files.
```hcl
module "folder" {
source = "./fabric/modules/folder"
parent = "organizations/1234567890"
name = "Folder name"
org_policies_data_path = "/my/path"
}
# tftest skip
```
```yaml
# /my/path/boolean.yaml
iam.disableServiceAccountKeyCreation:
enforce: true
iam.disableServiceAccountKeyUpload:
enforce: false
rules:
- condition:
expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
title: condition
description: test condition
location: xxx
enforce: true
```
```yaml
# /my/path/list.yaml
compute.vmExternalIpAccess:
deny:
all: true
iam.allowedPolicyMemberDomains:
allow:
values:
- C0xxxxxxx
- C0yyyyyyy
compute.restrictLoadBalancerCreationForTypes:
deny:
values: ["in:EXTERNAL"]
rules:
- condition:
expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
title: condition
description: test condition
allow:
values: ["in:EXTERNAL"]
- condition:
expression: resource.matchTagId("tagKeys/12345", "tagValues/12345")
title: condition2
description: test condition2
allow:
all: true
```
## Logging Sinks ## Logging Sinks
```hcl ```hcl
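Review bot: the HCL example in the new "Organization policy factory" subsection does not match its own text or its location. The sentence says it "deploys the same organization policies shown in the previous section", and the previous section (and the rest of this file) uses `module "project"` with `source = "./fabric/modules/project"`, yet the snippet declares `module "folder"` with the folder module's `parent`/`name` inputs. Either switch it to the project module with the project inputs used elsewhere in this README, or reword the sentence so it is clear the folder module is being shown on purpose. Related: the block is tagged `# tftest skip`, so unlike the surrounding examples (`# tftest modules=1 resources=10`) it is never planned by the test harness, and the `"/my/path"` it points at does not exist in the repo; since both YAML files are spelled out right below, consider checking them in under a test fixture path and giving the example a real `modules=1 resources=N` tag so a broken factory would fail CI. Two smaller points on the YAML: `list.yaml` and `boolean.yaml` are what people will copy, so a one-line comment that the top-level `enforce: false` on `iam.disableServiceAccountKeyUpload` is there only to demonstrate the conditional `rules:` override (not a recommended default) would avoid it being pasted as-is; and the placeholder values (`location: xxx`, `C0xxxxxxx`, `tagKeys/1234`) are fine for an example but should be stated as placeholders in the prose, as the firewall factory section does for its substitution variables.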