diff --git a/fast/stages/0-bootstrap/data/org-policies-managed/cloudbuild.yaml b/fast/stages/0-bootstrap/data/org-policies-managed/cloudbuild.yaml
new file mode 100644
index 000000000..8e463fbbc
--- /dev/null
+++ b/fast/stages/0-bootstrap/data/org-policies-managed/cloudbuild.yaml
@@ -0,0 +1,36 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# sample subset of useful organization policies, edit to suit requirements
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
+
+compute.disableGuestAttributesAccess:
+ rules:
+ - enforce: true
+
+cloudbuild.disableCreateDefaultServiceAccount:
+ rules:
+ - enforce: true
+
+cloudbuild.useBuildServiceAccount:
+ rules:
+ - enforce: true
+
+cloudbuild.useComputeServiceAccount:
+ rules:
+ - enforce: true
+
diff --git a/fast/stages/0-bootstrap/data/org-policies-managed/compute.yaml b/fast/stages/0-bootstrap/data/org-policies-managed/compute.yaml
index 0cbe635ec..2790a9b0a 100644
--- a/fast/stages/0-bootstrap/data/org-policies-managed/compute.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies-managed/compute.yaml
@@ -18,6 +18,10 @@
 # yaml-language-server: $schema=../../schemas/org-policies.schema.json
+compute.disableInternetNetworkEndpointGroup:
+ rules:
+ - enforce: true
+
 compute.disableGuestAttributesAccess:
 rules:
 - enforce: true
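Review bot: `compute.disableGuestAttributesAccess` does not belong in the new cloudbuild.yaml — the same policy is already declared in compute.yaml in this directory (visible as context in the compute.yaml hunk right below), so one constraint is now defined in two data files that are presumably merged into a single policy map. The updated fixtures still show one resource for it and the count grows by exactly the eight genuinely new policies, which suggests the duplicate is collapsed silently, likely last-file-wins; any later edit to one copy (for example adding a condition) could then be overridden by the other without any warning. Drop the block from cloudbuild.yaml and keep compute.* constraints in compute.yaml. The same stray block is in the new fast/stages/0-bootstrap/data/org-policies/cloudbuild.yaml hunk further down.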
@@ -28,7 +32,11 @@ compute.disableNestedVirtualization:
 compute.disableSerialPortAccess:
 rules:
- - enforce: true
+ - enforce: true
+
+compute.disableVpcExternalIpv6:
+ rules:
+ - enforce: true
 compute.requireOsLogin:
 rules:
@@ -46,8 +54,8 @@ compute.skipDefaultNetworkCreation:
 compute.setNewProjectDefaultToZonalDNSOnly:
 rules:
- - enforce: true
-
+ - enforce: true
+
 # only allow GCP images by default
 compute.trustedImageProjects:
 rules:
diff --git a/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml b/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml
index 5aed9e466..1c303fe95 100644
--- a/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml
@@ -34,6 +34,10 @@ iam.managed.allowedPolicyMembers:
 ]
 }
+iam.disableAuditLoggingExemption:
+ rules:
+ - enforce: true
+
 iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts:
 rules:
 - enforce: true
@@ -51,3 +55,13 @@ iam.serviceAccountKeyExposureResponse:
 - allow:
 values:
 - DISABLE_KEY
+
+iam.workloadIdentityPoolAwsAccounts:
+ rules:
+ - deny:
+ all: true
+
+iam.workloadIdentityPoolProviders:
+ rules:
+ - deny:
+ all: true
diff --git a/fast/stages/0-bootstrap/data/org-policies/cloudbuild.yaml b/fast/stages/0-bootstrap/data/org-policies/cloudbuild.yaml
new file mode 100644
index 000000000..8e463fbbc
--- /dev/null
+++ b/fast/stages/0-bootstrap/data/org-policies/cloudbuild.yaml
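Review bot: `iam.workloadIdentityPoolProviders` with `deny: all: true` (last hunk of iam.yaml) blocks creation of every workload identity pool provider in the organization, and that appears to include the OIDC provider this bootstrap stage creates when its CI/CD configuration is enabled — the cicd.yaml test fixture in this diff exercises that configuration — so an apply with CI/CD set up may fail on the provider or on the policy depending on resource ordering. Since these files are samples, a comment telling the reader what to substitute would avoid the trap, e.g. `# deny all external identity providers by default; replace with an allow list of issuer URIs if CI/CD federation is used`, and `iam.workloadIdentityPoolAwsAccounts` deserves the same note for allowed AWS account IDs. The same two blocks are added in the org-policies/iam.yaml hunk further down.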
@@ -0,0 +1,36 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# sample subset of useful organization policies, edit to suit requirements
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
+
+compute.disableGuestAttributesAccess:
+ rules:
+ - enforce: true
+
+cloudbuild.disableCreateDefaultServiceAccount:
+ rules:
+ - enforce: true
+
+cloudbuild.useBuildServiceAccount:
+ rules:
+ - enforce: true
+
+cloudbuild.useComputeServiceAccount:
+ rules:
+ - enforce: true
+
diff --git a/fast/stages/0-bootstrap/data/org-policies/compute.yaml b/fast/stages/0-bootstrap/data/org-policies/compute.yaml
index 040244095..a6cabc595 100644
--- a/fast/stages/0-bootstrap/data/org-policies/compute.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies/compute.yaml
@@ -22,13 +22,21 @@ compute.disableGuestAttributesAccess:
 rules:
 - enforce: true
+compute.disableInternetNetworkEndpointGroup:
+ rules:
+ - enforce: true
+
 compute.disableNestedVirtualization:
 rules:
 - enforce: true
 compute.disableSerialPortAccess:
 rules:
- - enforce: true
+ - enforce: true
+
+compute.disableVpcExternalIpv6:
+ rules:
+ - enforce: true
 compute.requireOsLogin:
 rules:
@@ -46,8 +54,8 @@ compute.skipDefaultNetworkCreation:
 compute.setNewProjectDefaultToZonalDNSOnly:
 rules:
- - enforce: true
-
+ - enforce: true
+
 # only allow GCP images by default
 compute.trustedImageProjects:
 rules:
diff --git a/fast/stages/0-bootstrap/data/org-policies/iam.yaml b/fast/stages/0-bootstrap/data/org-policies/iam.yaml
index fa1d76ca4..41c2c547a 100644
--- a/fast/stages/0-bootstrap/data/org-policies/iam.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies/iam.yaml
@@ -38,6 +38,10 @@ iam.automaticIamGrantsForDefaultServiceAccounts:
 rules:
 - enforce: true
+iam.disableAuditLoggingExemption:
+ rules:
+ - enforce: true
+
 iam.disableServiceAccountKeyCreation:
 rules:
 - enforce: true
@@ -51,3 +55,13 @@ iam.serviceAccountKeyExposureResponse:
 - allow:
 values:
 - DISABLE_KEY
+
+iam.workloadIdentityPoolAwsAccounts:
+ rules:
+ - deny:
+ all: true
+
+iam.workloadIdentityPoolProviders:
+ rules:
+ - deny:
+ all: true
diff --git a/modules/organization/schemas/org-policies.schema.json b/modules/organization/schemas/org-policies.schema.json
index dfcbf15cf..6c29331ec 100644
--- a/modules/organization/schemas/org-policies.schema.json
+++ b/modules/organization/schemas/org-policies.schema.json
@@ -4,7 +4,7 @@
 "type": "object",
 "additionalProperties": false,
 "patternProperties": {
- "^[a-z-]+[a-zA-Z\\.]+$": {
+ "^[a-z-]+[a-zA-Z0-9\\.]+$": {
 "type": "object",
 "additionalProperties": false,
 "properties": {
diff --git a/tests/fast/stages/s0_bootstrap/cicd.yaml b/tests/fast/stages/s0_bootstrap/cicd.yaml
index e531a1a1e..d10107d57 100644
--- a/tests/fast/stages/s0_bootstrap/cicd.yaml
+++ b/tests/fast/stages/s0_bootstrap/cicd.yaml
@@ -335,7 +335,7 @@ counts:
 google_logging_organization_sink: 4
 google_logging_project_bucket_config: 4
 google_org_policy_custom_constraint: 1
- google_org_policy_policy: 26
+ google_org_policy_policy: 34
 google_organization_iam_binding: 27
 google_organization_iam_custom_role: 13
 google_organization_iam_member: 29
@@ -356,4 +356,4 @@ counts:
 google_tags_tag_value: 2
 local_file: 13
 modules: 26
- resources: 274
+ resources: 282
diff --git a/tests/fast/stages/s0_bootstrap/managed_org_policies.yaml b/tests/fast/stages/s0_bootstrap/managed_org_policies.yaml index c3d6f4504..a6a4a0fb7 100644 --- a/tests/fast/stages/s0_bootstrap/managed_org_policies.yaml +++ b/tests/fast/stages/s0_bootstrap/managed_org_policies.yaml @@ -26,6 +26,48 @@ values: parent: organizations/123456789012 resource_types: - container.googleapis.com/Cluster + module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.disableGuestAttributesAccess 
@@ -40,6 +82,20 @@ values: enforce: 'TRUE' parameters: null values: [] + module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.disableNestedVirtualization @@ -68,6 +124,20 @@ values: enforce: 'TRUE' parameters: null values: [] + module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.disableVpcExternalIpv6 + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] module.organization.google_org_policy_policy.default["compute.managed.restrictProtocolForwardingCreationForTypes"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.managed.restrictProtocolForwardingCreationForTypes 
@@ -239,6 +309,20 @@ values: enforce: null parameters: null values: [] + module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.disableAuditLoggingExemption + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] module.organization.google_org_policy_policy.default["iam.managed.allowedPolicyMembers"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.managed.allowedPolicyMembers @@ -324,6 +408,34 @@ values: - allowed_values: - DISABLE_KEY denied_values: null + module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] + module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] module.organization.google_org_policy_policy.default["run.allowedIngress"]: dry_run_spec: [] name: organizations/123456789012/policies/run.allowedIngress @@ -411,4 +523,3 @@ values: enforce: 'TRUE' parameters: null values: [] - diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml index 0cb3385a8..88bfee98f 100644 --- a/tests/fast/stages/s0_bootstrap/simple.yaml +++ b/tests/fast/stages/s0_bootstrap/simple.yaml 
@@ -20,7 +20,7 @@ counts: google_logging_organization_sink: 4 google_logging_project_bucket_config: 4 google_org_policy_custom_constraint: 1 - google_org_policy_policy: 26 + google_org_policy_policy: 34 google_organization_iam_binding: 27 google_organization_iam_custom_role: 13 google_organization_iam_member: 29 @@ -41,7 +41,7 @@ counts: google_tags_tag_value: 2 local_file: 8 modules: 20 - resources: 237 + resources: 245 outputs: automation: __missing__ diff --git a/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml b/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml index 5eef2a969..c287eec4d 100644 --- a/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml +++ b/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml 
@@ -26,6 +26,48 @@ values: parent: organizations/123456789012 resource_types: - container.googleapis.com/Cluster + module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.disableGuestAttributesAccess 
@@ -40,6 +82,20 @@ values: enforce: 'TRUE' parameters: null values: [] + module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.disableNestedVirtualization @@ -68,6 +124,20 @@ values: enforce: 'TRUE' parameters: null values: [] + module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.disableVpcExternalIpv6 + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] module.organization.google_org_policy_policy.default["compute.requireOsLogin"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.requireOsLogin @@ -291,6 +361,20 @@ values: enforce: 'TRUE' parameters: null values: [] + module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.disableAuditLoggingExemption + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation 
@@ -336,6 +420,34 @@ values: - allowed_values: - DISABLE_KEY denied_values: null + module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] + module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] module.organization.google_org_policy_policy.default["run.allowedIngress"]: dry_run_spec: [] name: organizations/123456789012/policies/run.allowedIngress