# skip boilerplate check
#
# sample subset of useful organization policies, edit to suit requirements

---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.

compute.disableGuestAttributesAccess:
  rules:
    - enforce: true

compute.requireOsLogin:
  rules:
    - enforce: true

compute.restrictLoadBalancerCreationForTypes:
  rules:
    - allow:
        values:
          - in:INTERNAL

compute.skipDefaultNetworkCreation:
  rules:
    - enforce: true

compute.vmExternalIpAccess:
  rules:
    - deny:
        all: true

# only allow GCP images by default
compute.trustedImageProjects:
  rules:
  - allow:
      values:
        - "is:projects/centos-cloud"
        - "is:projects/cos-cloud"
        - "is:projects/debian-cloud"
        - "is:projects/fedora-cloud"
        - "is:projects/fedora-coreos-cloud"
        - "is:projects/opensuse-cloud"
        - "is:projects/rhel-cloud"
        - "is:projects/rhel-sap-cloud"
        - "is:projects/rocky-linux-cloud"
        - "is:projects/suse-cloud"
        - "is:projects/suse-sap-cloud"
        - "is:projects/ubuntu-os-cloud"
        - "is:projects/ubuntu-os-pro-cloud"
        - "is:projects/windows-cloud"
        - "is:projects/windows-sql-cloud"
        - "is:projects/confidential-vm-images"
        - "is:projects/backupdr-images"
        - "is:projects/deeplearning-platform-release"
        - "is:projects/serverless-vpc-access-images"

# compute.disableInternetNetworkEndpointGroup:
#   rules:
#   - enforce: true

compute.disableNestedVirtualization:
  rules:
  - enforce: true

compute.disableSerialPortAccess:
  rules:
  - enforce: true

# compute.restrictCloudNATUsage:
#   rules:
#   - deny:
#       all: true

# compute.restrictDedicatedInterconnectUsage:
#   rules:
#   - deny:
#       all: true

# compute.restrictPartnerInterconnectUsage:
#   rules:
#   - deny:
#       all: true

# compute.restrictProtocolForwardingCreationForTypes:
#   rules:
#   - deny:
#       all: true

# compute.restrictSharedVpcHostProjects:
#   rules:
#   - deny:
#       all: true

# compute.restrictSharedVpcSubnetworks:
#   rules:
#   - deny:
#       all: true

# compute.restrictVpcPeering:
#   rules:
#   - deny:
#       all: true

# compute.restrictVpnPeerIPs:
#   rules:
#   - deny:
#       all: true

# compute.restrictXpnProjectLienRemoval:
#   rules:
#   - enforce: true

# compute.setNewProjectDefaultToZonalDNSOnly:
#   rules:
#   - enforce: true

# compute.vmCanIpForward:
#   rules:
#   - deny:
#       all: true