Add org policy factory example
This commit is contained in:
parent
3e18575fad
commit
f64c43e893
|
@ -75,6 +75,10 @@ module "folder" {
|
|||
# tftest modules=1 resources=8
|
||||
```
|
||||
|
||||
### Organization policy factory
|
||||
|
||||
See the [organization policy factory in the project module](../project#Organization-policy-factory).
|
||||
|
||||
### Firewall policy factory
|
||||
|
||||
In the same way as for the [organization](../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
||||
|
|
|
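Review bot: the link fragment in `[organization policy factory in the project module](../project#Organization-policy-factory)` is capitalised, but renderers that generate heading ids automatically (GitHub, Gitea) lowercase them, so `../project#organization-policy-factory` is the fragment that will actually scroll to the section; the existing `[organization](../organization)` link a few lines below shows the relative-path convention works, but the anchor case still needs fixing.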
@ -76,6 +76,10 @@ If you set audit policies via the `iam_audit_config_authoritative` variable, be
|
|||
|
||||
Some care must also be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
|
||||
|
||||
### Organization policy factory
|
||||
|
||||
See the [organization policy factory in the project module](../project#Organization-policy-factory).
|
||||
|
||||
## Hierarchical firewall policies
|
||||
|
||||
Hirerarchical firewall policies can be managed in two ways:
|
||||
|
|
|
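Review bot: same anchor-case problem as in the folder README: `../project#Organization-policy-factory` should read `../project#organization-policy-factory` to match the auto-generated heading id. While editing this area, the surrounding context lines carry two typos that could go in the same commit: "takend" in the `groups_iam` sentence and "Hirerarchical" in the hierarchical firewall policies intro.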
@ -211,6 +211,69 @@ module "project" {
|
|||
# tftest modules=1 resources=10
|
||||
```
|
||||
|
||||
### Organization policy factory
|
||||
|
||||
Organization policies can be loaded from a directory containing YAML files where each file defines one or more constraints. The structure of the YAML files is exactly the same as the `org_policies` variable.
|
||||
|
||||
The example below deploys the same organization policies shown in the previous section using two YAML files.
|
||||
|
||||
```hcl
|
||||
module "folder" {
|
||||
source = "./fabric/modules/folder"
|
||||
parent = "organizations/1234567890"
|
||||
name = "Folder name"
|
||||
org_policies_data_path = "/my/path"
|
||||
}
|
||||
# tftest skip
|
||||
```
|
||||
|
||||
```yaml
|
||||
# /my/path/boolean.yaml
|
||||
iam.disableServiceAccountKeyCreation:
|
||||
enforce: true
|
||||
|
||||
iam.disableServiceAccountKeyUpload:
|
||||
enforce: false
|
||||
rules:
|
||||
- condition:
|
||||
expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
|
||||
title: condition
|
||||
description: test condition
|
||||
location: xxx
|
||||
enforce: true
|
||||
```
|
||||
|
||||
```yaml
|
||||
# /my/path/list.yaml
|
||||
compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
|
||||
iam.allowedPolicyMemberDomains:
|
||||
allow:
|
||||
values:
|
||||
- C0xxxxxxx
|
||||
- C0yyyyyyy
|
||||
|
||||
compute.restrictLoadBalancerCreationForTypes:
|
||||
deny:
|
||||
values: ["in:EXTERNAL"]
|
||||
rules:
|
||||
- condition:
|
||||
expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
|
||||
title: condition
|
||||
description: test condition
|
||||
allow:
|
||||
values: ["in:EXTERNAL"]
|
||||
- condition:
|
||||
expression: resource.matchTagId("tagKeys/12345", "tagValues/12345")
|
||||
title: condition2
|
||||
description: test condition2
|
||||
allow:
|
||||
all: true
|
||||
```
|
||||
|
||||
|
||||
## Logging Sinks
|
||||
|
||||
```hcl
|
||||
|
|
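Review bot: the HCL example added here lives in the project module README (the hunk header context is `module "project"` and the preceding block is tagged `# tftest modules=1 resources=10`), yet it declares `module "folder"` with `source = "./fabric/modules/folder"` and a folder-style `parent`/`name`; it should instantiate the project module (`source = "./fabric/modules/project"`) with the same arguments as the `module "project"` example it follows, otherwise readers will paste folder arguments into a project. The `# tftest skip` marker is what lets this mismatch through: since the prose states the two YAML files deploy the same policies as the previous section, consider making the snippet testable with the same `# tftest modules=1 resources=10` expectation and the YAML files as a fixture, so the example stays in sync with the `org_policies` variable. Minor: `location: xxx` in the `iam.disableServiceAccountKeyUpload` rule condition is a placeholder inside otherwise realistic YAML; either use a plausible value or drop the key if it is not needed for the example.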