Add org policy factory example
This commit is contained in:
parent
3e18575fad
commit
f64c43e893
|
@ -75,6 +75,10 @@ module "folder" {
|
||||||
# tftest modules=1 resources=8
|
# tftest modules=1 resources=8
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Organization policy factory
|
||||||
|
|
||||||
|
See the [organization policy factory in the project module](../project#Organization-policy-factory).
|
||||||
|
|
||||||
### Firewall policy factory
|
### Firewall policy factory
|
||||||
|
|
||||||
In the same way as for the [organization](../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
In the same way as for the [organization](../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
||||||
|
|
|
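Review bot: the new cross-reference `../project#Organization-policy-factory` uses a capitalised fragment, while the anchor generated for the `### Organization policy factory` heading is the lowercase slug `#organization-policy-factory`; using the lowercase form keeps the link working in renderers that match fragments case-sensitively. It would also help folder-module readers to name here the folder-module variable that enables the factory (the project README example added in this same commit uses `org_policies_data_path`), instead of only pointing them at another module's README for it.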
@ -76,6 +76,10 @@ If you set audit policies via the `iam_audit_config_authoritative` variable, be
|
||||||
|
|
||||||
Some care must also be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
|
Some care must also be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
|
||||||
|
|
||||||
|
### Organization policy factory
|
||||||
|
|
||||||
|
See the [organization policy factory in the project module](../project#Organization-policy-factory).
|
||||||
|
|
||||||
## Hierarchical firewall policies
|
## Hierarchical firewall policies
|
||||||
|
|
||||||
Hirerarchical firewall policies can be managed in two ways:
|
Hirerarchical firewall policies can be managed in two ways:
|
||||||
|
|
|
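Review bot: same anchor issue as in the folder README, the link `../project#Organization-policy-factory` should use the lowercase slug `#organization-policy-factory` to match the generated heading anchor. Since this hunk touches the surrounding text anyway, the adjacent context lines carry two pre-existing typos worth fixing in the same change: "takend" in the `groups_iam` paragraph and "Hirerarchical" in the hierarchical firewall policies paragraph.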
@ -211,6 +211,69 @@ module "project" {
|
||||||
# tftest modules=1 resources=10
|
# tftest modules=1 resources=10
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Organization policy factory
|
||||||
|
|
||||||
|
Organization policies can be loaded from a directory containing YAML files where each file defines one or more constraints. The structure of the YAML files is exactly the same as the `org_policies` variable.
|
||||||
|
|
||||||
|
The example below deploys the same organization policies shown in the previous section using two YAML files.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "folder" {
|
||||||
|
source = "./fabric/modules/folder"
|
||||||
|
parent = "organizations/1234567890"
|
||||||
|
name = "Folder name"
|
||||||
|
org_policies_data_path = "/my/path"
|
||||||
|
}
|
||||||
|
# tftest skip
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
# /my/path/boolean.yaml
|
||||||
|
iam.disableServiceAccountKeyCreation:
|
||||||
|
enforce: true
|
||||||
|
|
||||||
|
iam.disableServiceAccountKeyUpload:
|
||||||
|
enforce: false
|
||||||
|
rules:
|
||||||
|
- condition:
|
||||||
|
expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
|
||||||
|
title: condition
|
||||||
|
description: test condition
|
||||||
|
location: xxx
|
||||||
|
enforce: true
|
||||||
|
```
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
# /my/path/list.yaml
|
||||||
|
compute.vmExternalIpAccess:
|
||||||
|
deny:
|
||||||
|
all: true
|
||||||
|
|
||||||
|
iam.allowedPolicyMemberDomains:
|
||||||
|
allow:
|
||||||
|
values:
|
||||||
|
- C0xxxxxxx
|
||||||
|
- C0yyyyyyy
|
||||||
|
|
||||||
|
compute.restrictLoadBalancerCreationForTypes:
|
||||||
|
deny:
|
||||||
|
values: ["in:EXTERNAL"]
|
||||||
|
rules:
|
||||||
|
- condition:
|
||||||
|
expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
|
||||||
|
title: condition
|
||||||
|
description: test condition
|
||||||
|
allow:
|
||||||
|
values: ["in:EXTERNAL"]
|
||||||
|
- condition:
|
||||||
|
expression: resource.matchTagId("tagKeys/12345", "tagValues/12345")
|
||||||
|
title: condition2
|
||||||
|
description: test condition2
|
||||||
|
allow:
|
||||||
|
all: true
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Logging Sinks
|
## Logging Sinks
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
|
|
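Review bot: the example in the project README instantiates the folder module (`module "folder"` with `source = "./fabric/modules/folder"`), so it documents a different module from the one this README describes; switching it to a project module instance would make the example accurate and would let it run under tftest instead of being marked `# tftest skip`. The text states that the factory loads a directory of YAML files where each file may define one or more constraints, but it does not say what happens when the same constraint key appears in two files, or in both a file and the `org_policies` variable; because these are guardrail policies (for example the `compute.vmExternalIpAccess` deny-all in `list.yaml`), an undocumented merge order or silent override is worth spelling out so operators can predict which definition wins. Lastly, `location: xxx` under the first condition in `boolean.yaml` reads as a leftover placeholder; either give it a value in the same style as the other placeholders (`tagKeys/1234`) or drop the field so readers do not copy it verbatim.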