Update default FAST org policies (#2906)

* Update default org policies

* Update default FAST org policies
This commit is contained in:
Julio Castillo
2025-02-18 16:34:44 +01:00
committed by GitHub
parent 348e4df081
commit 51bd19bc30
11 changed files with 351 additions and 12 deletions


@@ -335,7 +335,7 @@ counts:
google_logging_organization_sink: 4
google_logging_project_bucket_config: 4
google_org_policy_custom_constraint: 1
google_org_policy_policy: 26
google_org_policy_policy: 34
google_organization_iam_binding: 27
google_organization_iam_custom_role: 13
google_organization_iam_member: 29
@@ -356,4 +356,4 @@ counts:
google_tags_tag_value: 2
local_file: 13
modules: 26
resources: 274
resources: 282


@@ -26,6 +26,48 @@ values:
parent: organizations/123456789012
resource_types:
- container.googleapis.com/Cluster
module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]:
dry_run_spec: []
name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]:
dry_run_spec: []
name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]:
dry_run_spec: []
name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
@@ -40,6 +82,20 @@ values:
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableNestedVirtualization
@@ -68,6 +124,20 @@ values:
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableVpcExternalIpv6
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.managed.restrictProtocolForwardingCreationForTypes"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.managed.restrictProtocolForwardingCreationForTypes
@@ -239,6 +309,20 @@ values:
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.disableAuditLoggingExemption
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.managed.allowedPolicyMembers"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.managed.allowedPolicyMembers
@@ -324,6 +408,34 @@ values:
- allowed_values:
- DISABLE_KEY
denied_values: null
module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["run.allowedIngress"]:
dry_run_spec: []
name: organizations/123456789012/policies/run.allowedIngress
@@ -411,4 +523,3 @@ values:
enforce: 'TRUE'
parameters: null
values: []
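Review bot: The two new entries `iam.workloadIdentityPoolProviders` and `iam.workloadIdentityPoolAwsAccounts` are organization-wide `deny_all: 'TRUE'` rules with an empty `condition` and `inherit_from_parent: null`, so every workload identity pool provider under `organizations/123456789012` is blocked unless a lower-level policy overrides it; if FAST's own CI/CD federation pools are created below this organization, that override would be expected in the same plan inventory, and none is visible in this hunk. Since this file is a generated inventory, the place to record the intent is the source policy definition, which is outside this chunk; a one-line comment there naming which folders or projects are expected to carry the exception would make the deny-all verifiable at review time. The remaining additions (`cloudbuild.*`, `compute.disableInternetNetworkEndpointGroup`, `compute.disableVpcExternalIpv6`, `iam.disableAuditLoggingExemption`) are plain `enforce: 'TRUE'` rules and, at 8 new policies, appear consistent with the `google_org_policy_policy: 34` and `resources: 282` counts in the preceding section. The same block recurs unchanged in the second inventory file further down this page, so the point applies there as well.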


@@ -20,7 +20,7 @@ counts:
google_logging_organization_sink: 4
google_logging_project_bucket_config: 4
google_org_policy_custom_constraint: 1
google_org_policy_policy: 26
google_org_policy_policy: 34
google_organization_iam_binding: 27
google_organization_iam_custom_role: 13
google_organization_iam_member: 29
@@ -41,7 +41,7 @@ counts:
google_tags_tag_value: 2
local_file: 8
modules: 20
resources: 237
resources: 245
outputs:
automation: __missing__


@@ -26,6 +26,48 @@ values:
parent: organizations/123456789012
resource_types:
- container.googleapis.com/Cluster
module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]:
dry_run_spec: []
name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]:
dry_run_spec: []
name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]:
dry_run_spec: []
name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
@@ -40,6 +82,20 @@ values:
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableNestedVirtualization
@@ -68,6 +124,20 @@ values:
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableVpcExternalIpv6
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.requireOsLogin
@@ -291,6 +361,20 @@ values:
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.disableAuditLoggingExemption
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
@@ -336,6 +420,34 @@ values:
- allowed_values:
- DISABLE_KEY
denied_values: null
module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["run.allowedIngress"]:
dry_run_spec: []
name: organizations/123456789012/policies/run.allowedIngress