zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/fast/stages/0-bootstrap/data/org-policies/compute.yaml

121 lines
2.5 KiB
YAML
Raw Blame History

# skip boilerplate check
#
# sample subset of useful organization policies, edit to suit requirements
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
compute.disableGuestAttributesAccess:
rules:
- enforce: true
compute.requireOsLogin:
rules:
- enforce: true
compute.restrictLoadBalancerCreationForTypes:
rules:
- allow:
values:
- in:INTERNAL
compute.skipDefaultNetworkCreation:
rules:
- enforce: true
compute.vmExternalIpAccess:
rules:
- deny:
all: true
# only allow GCP images by default
compute.trustedImageProjects:
rules:
- allow:
values:
- "is:projects/centos-cloud"
- "is:projects/cos-cloud"
- "is:projects/debian-cloud"
- "is:projects/fedora-cloud"
- "is:projects/fedora-coreos-cloud"
- "is:projects/opensuse-cloud"
- "is:projects/rhel-cloud"
- "is:projects/rhel-sap-cloud"
- "is:projects/rocky-linux-cloud"
- "is:projects/suse-cloud"
- "is:projects/suse-sap-cloud"
- "is:projects/ubuntu-os-cloud"
- "is:projects/ubuntu-os-pro-cloud"
- "is:projects/windows-cloud"
- "is:projects/windows-sql-cloud"
- "is:projects/confidential-vm-images"
- "is:projects/backupdr-images"
- "is:projects/deeplearning-platform-release"
- "is:projects/serverless-vpc-access-images"
# compute.disableInternetNetworkEndpointGroup:
# rules:
# - enforce: true
compute.disableNestedVirtualization:
rules:
- enforce: true
compute.disableSerialPortAccess:
rules:
- enforce: true
# compute.restrictCloudNATUsage:
# rules:
# - deny:
# all: true
# compute.restrictDedicatedInterconnectUsage:
# rules:
# - deny:
# all: true
# compute.restrictPartnerInterconnectUsage:
# rules:
# - deny:
# all: true
# compute.restrictProtocolForwardingCreationForTypes:
# rules:
# - deny:
# all: true
# compute.restrictSharedVpcHostProjects:
# rules:
# - deny:
# all: true
# compute.restrictSharedVpcSubnetworks:
# rules:
# - deny:
# all: true
# compute.restrictVpcPeering:
# rules:
# - deny:
# all: true
# compute.restrictVpnPeerIPs:
# rules:
# - deny:
# all: true
# compute.restrictXpnProjectLienRemoval:
# rules:
# - enforce: true
# compute.setNewProjectDefaultToZonalDNSOnly:
# rules:
# - enforce: true
# compute.vmCanIpForward:
# rules:
# - deny:
# all: true
Reference in New Issue View Git Blame Copy Permalink