# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#########
#
# GCP Organization Policies
# Org policies that correspond with a Guardrail will contain a label indicating which Guardrails they help enforce
# https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
#
#########
#
# Constraint: constraints/gcp.resourceLocations
# This list constraint defines the set of locations where location-based GCP resources can be created.
#
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
name: restrict-resource-locations
namespace: config-control # kpt-set: ${management-namespace}
labels:
guardrail: "true"
guardrails-enforced: guardrail-05
annotations:
config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
constraint: "constraints/gcp.resourceLocations"
listPolicy:
allow:
all: false
values: # kpt-set: ${allowed-regions}
- northamerica-northeast1
- northamerica-northeast2
organizationRef:
# Replace "${ORG_ID?}" with the numeric ID for your organization
external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/compute.disableVpcExternalIpv6
#
# Boolean constraint. While enforced, subnetworks cannot be created or updated
# with a stack_type of IPV4_IPV6 together with an ipv6_access_type of EXTERNAL.
# Labelled as enforcing guardrail-09.
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: disable-vpc-external-ipv6
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "true"
    guardrail-enforced: guardrail-09
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/compute.disableVpcExternalIpv6'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/compute.requireShieldedVm
#
# Boolean constraint. While enforced, every new Compute Engine VM instance must use a
# Shielded disk image with Secure Boot, vTPM and Integrity Monitoring enabled.
# Secure Boot may be turned off after creation; instances that already exist keep running.
# Not labelled as a guardrail (guardrail: "false").
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: require-shielded-vm
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "false"
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/compute.requireShieldedVm'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
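#########
#
# Constraint: constraints/compute.trustedImageProjects
# This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine.
# https://cloud.google.com/compute/docs/images/restricting-image-access
#
# List public images: gcloud compute images list
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: require-trusted-images
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "false"
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: "constraints/compute.trustedImageProjects"
  listPolicy:
    allow:
      # Previously `all: true`, which allows every image project and leaves the
      # `values` list below without effect. `all: false` makes the list the
      # enforced allow-list, the same pattern restrict-resource-locations uses.
      all: false
      values: # kpt-set: ${allowed-images}
        - "projects/debian-cloud"
        - "projects/cos-cloud"
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}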
---
#########
#
# Constraint: constraints/compute.vmExternalIpAccess
#
# List constraint naming the Compute Engine VM instances that may use external IP addresses.
# Entries in an allow or deny list are VM instance names of the form
# projects/PROJECT_ID/zones/ZONE/instances/INSTANCE.
# Labelled as enforcing guardrail-09.
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: restrict-vm-external-access
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail-enforced: guardrail-09
    guardrail: "true"
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/compute.vmExternalIpAccess'
  listPolicy:
    # deny all: no VM instance anywhere in the organization may hold an external IP
    deny:
      all: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/iam.disableServiceAccountKeyCreation
#
# Boolean constraint. While enforced, external (user-managed) service account keys
# cannot be created. Labelled as enforcing guardrail-02.
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: disable-serviceaccount-key-creation
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "true"
    guardrail-enforced: guardrail-02
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/iam.disableServiceAccountKeyCreation'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
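#########
#
# Constraint: constraints/compute.restrictVpcPeering
# This list constraint defines the set of VPC networks
# that are allowed to be peered with the VPC networks belonging to this project, folder, or organization.
# The allowed/denied list of networks must be identified in the form:
# under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID,
# or projects/PROJECT_ID/global/networks/NETWORK_NAME.
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: restrict-vpc-peering
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "true"
    guardrail-enforced: guardrail-09
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: "constraints/compute.restrictVpcPeering"
  listPolicy:
    allow:
      # As shipped this permits peering with any network. A dangling bare
      # `values:` key (which YAML parses as null) has been removed. To restrict
      # peering, set `all: false` and list the permitted networks, for example:
      # values:
      #   - under:organizations/ORGANIZATION_ID
      all: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}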
---
#########
#
# Constraint: constraints/storage.uniformBucketLevelAccess
#
# Boolean constraint. While enforced, every new bucket in the organization must have
# uniform bucket-level access enabled, and no existing bucket may disable it.
# Labelled as enforcing guardrail-02.
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: uniform-bucket-level-access
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "true"
    guardrail-enforced: guardrail-02
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/storage.uniformBucketLevelAccess'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/compute.requireOsLogin
#
# Boolean constraint. While enforced, OS Login is enabled on every newly created project
# (so every VM created there has it on), and on new and existing projects any metadata
# update that would disable OS Login at project or instance level is blocked.
# Labelled as enforcing guardrail-06.
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: restrict-os-login
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "true"
    guardrail-enforced: guardrail-06
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/compute.requireOsLogin'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
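#########
#
# Constraint: constraints/compute.restrictLoadBalancerCreationForTypes
#
# This list constraint defines
# the set of load balancer types which can be created for an organization,
# folder, or project. Every load balancer type to be allowed or denied must be listed explicitly.
#
# Options: INTERNAL, EXTERNAL, INTERNAL_TCP_UDP, INTERNAL_HTTP_HTTPS, EXTERNAL_NETWORK_TCP_UDP
# EXTERNAL_TCP_PROXY, EXTERNAL_SSL_PROXY, EXTERNAL_HTTP_HTTPS, EXTERNAL_MANAGED_HTTP_HTTPS
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: restrict-loadbalancer-creation-types
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "true"
    guardrail-enforced: guardrail-06
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: "constraints/compute.restrictLoadBalancerCreationForTypes"
  listPolicy:
    allow:
      # Previously `all: true`, which allows every load balancer type and leaves
      # the `values` list below without effect. `all: false` makes the list the
      # enforced allow-list, the same pattern restrict-resource-locations uses.
      all: false
      values: # kpt-set: ${allowed-loadbalancers}
        - INTERNAL
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}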
---
#########
#
# Constraint: constraints/essentialcontacts.allowedContactDomains
#
# List constraint naming the email domains that Essential Contacts may use.
# Without the constraint, an address with any domain can be added.
# Entries take the form @example.com; once allowed values are configured, only
# addresses whose suffix matches one of them can be added to Essential Contacts.
# Labelled as enforcing guardrail-02.
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: allowed-contact-domains
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "true"
    guardrail-enforced: guardrail-02
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/essentialcontacts.allowedContactDomains'
  listPolicy:
    allow:
      # all: true admits every domain, so nothing is restricted until `all` is
      # set to false and the permitted domains are listed under `values`
      # (entries of the form @example.com, as described in the header).
      all: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/iam.allowedPolicyMemberDomains
#
# List constraint naming one or more Cloud Identity or Google Workspace customer IDs
# whose principals may be added to IAM policies.
# To find a customer ID, sign in to admin.google.com as an admin user, open
# Account settings > Profile, and read the value next to "Customer ID".
# Labelled as enforcing guardrail-06.
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: allowed-policy-member-domain
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "true"
    guardrail-enforced: guardrail-06
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/iam.allowedPolicyMemberDomains'
  listPolicy:
    allow:
      # all: true admits principals from any customer, so the policy restricts
      # nothing until `all` is set to false and the customer IDs are listed:
      # values:
      #   - "CUSTOMER_ID"   # placeholder, see the header for where to find it
      all: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
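#########
#
# Constraint: constraints/compute.disableSerialPortAccess
#
# This boolean constraint disables serial port access to
# Compute Engine VMs belonging to the organization, project,
# or folder where this constraint is set to True.
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: disable-serial-port-access
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "true"
    # Value normalised to `guardrail-02`, the form every other policy in this
    # file uses; the previous `guardrails-02` would not match a selector on it.
    guardrail-enforced: guardrail-02
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: "constraints/compute.disableSerialPortAccess"
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}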
---
#########
#
# Constraint: constraints/compute.vmCanIpForward
#
# List constraint naming the VM instances that may enable IP forwarding.
# Without the constraint, any VM can enable IP forwarding in any virtual network.
# Entries take the form organizations/ORGANIZATION_ID, folders/FOLDER_ID, projects/PROJECT_ID,
# or projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME.
# Not labelled as a guardrail (guardrail: "false").
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: vm-can-ip-forward
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "false"
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/compute.vmCanIpForward'
  listPolicy:
    allow:
      # all: true lets every VM enable IP forwarding; to restrict it, set
      # `all: false` and list the permitted resources, e.g.
      # values: # kpt-set: ${can-ip-forward}
      #   - projects/PROJECT_ID
      all: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/compute.disableGuestAttributesAccess
#
# Boolean constraint. While enforced, the Compute Engine API cannot read the
# Guest Attributes of VMs in the organization, folder or project it applies to.
# Not labelled as a guardrail (guardrail: "false").
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: disable-guest-attribute-access
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "false"
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/compute.disableGuestAttributesAccess'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/compute.disableNestedVirtualization
#
# Boolean constraint. While enforced, hardware-accelerated nested virtualization is
# disabled for every Compute Engine VM in the organization, folder or project it applies to.
# Not labelled as a guardrail (guardrail: "false").
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: disable-nested-virtualization
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "false"
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/compute.disableNestedVirtualization'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/compute.restrictXpnProjectLienRemoval
#
# Boolean constraint. While enforced, a Shared VPC project lien can only be removed
# by users holding organization-level permission.
# Not labelled as a guardrail (guardrail: "false").
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: restrict-vpc-lien-removal
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "false"
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/compute.restrictXpnProjectLienRemoval'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/sql.restrictPublicIp
#
# Boolean constraint. While enforced, Cloud SQL instances cannot be configured with a public IP.
# Not labelled as a guardrail (guardrail: "false").
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: restrict-sql-public-ip
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "false"
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/sql.restrictPublicIp'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}
---
#########
#
# Constraint: constraints/storage.publicAccessPrevention
#
# Boolean constraint. While enforced, existing and future Cloud Storage resources
# cannot be reached from the public internet: ACLs and IAM bindings that grant
# access to allUsers or allAuthenticatedUsers are disabled and blocked.
# Recommended at organization level; it can also be applied to selected folders or projects.
# Not labelled as a guardrail (guardrail: "false").
#
#########
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: ResourceManagerPolicy
metadata:
  name: storage-public-access-prevention
  namespace: config-control # kpt-set: ${management-namespace}
  labels:
    guardrail: "false"
  annotations:
    config.kubernetes.io/depends-on: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/guardrails-project-id-sa-policy-admin # kpt-set: iam.cnrm.cloud.google.com/namespaces/config-control/IAMPolicyMember/${management-project-id}-org-policyadmin
spec:
  constraint: 'constraints/storage.publicAccessPrevention'
  booleanPolicy:
    # enforced: true turns the constraint on for the whole organization
    enforced: true
  organizationRef:
    # Numeric organization ID; "0000000000" is a placeholder filled in by the kpt org-id setter
    external: "0000000000" # kpt-set: ${org-id}