enforce trusted image projects constraint in stage 0 (#2014)

fast/stages/0-bootstrap/data/org-policies/compute.yaml

@@ -28,6 +28,29 @@ compute.vmExternalIpAccess:
   rules:
     - deny:
         all: true
+
+# only allow GCP images by default
+compute.trustedImageProjects:
+  rules:
+  - allow:
+      values:
+      - "projects/centos-cloud"
+      - "projects/cos-cloud"
+      - "projects/debian-cloud"
+      - "projects/fedora-cloud"
+      - "projects/fedora-coreos-cloud"
+      - "projects/opensuse-cloud"
+      - "projects/rhel-cloud"
+      - "projects/rhel-sap-cloud"
+      - "projects/rocky-linux-cloud"
+      - "projects/suse-cloud"
+      - "projects/suse-byos-cloud"
+      - "projects/suse-sap-cloud"
+      - "projects/ubuntu-os-cloud"
+      - "projects/ubuntu-os-pro-cloud"
+      - "projects/windows-cloud"
+      - "projects/windows-sql-cloud"
+
 # compute.disableInternetNetworkEndpointGroup:
 #   rules:
 #   - enforce: true

tests/fast/stages/s0_bootstrap/checklist.yaml

@@ -362,7 +362,7 @@ counts:
   google_essential_contacts_contact: 3
   google_logging_organization_sink: 3
   google_logging_project_bucket_config: 3
-  google_org_policy_policy: 16
+  google_org_policy_policy: 17
   google_organization_iam_binding: 25
   google_organization_iam_custom_role: 6
   google_organization_iam_member: 35
@@ -381,4 +381,4 @@ counts:
   google_tags_tag_key: 1
   google_tags_tag_value: 1
   modules: 16
-  resources: 185
+  resources: 186

tests/fast/stages/s0_bootstrap/simple.yaml

@@ -18,7 +18,7 @@ counts:
   google_essential_contacts_contact: 3
   google_logging_organization_sink: 3
   google_logging_project_bucket_config: 3
-  google_org_policy_policy: 16
+  google_org_policy_policy: 17
   google_organization_iam_binding: 25
   google_organization_iam_custom_role: 6
   google_organization_iam_member: 22
@@ -38,7 +38,7 @@ counts:
   google_tags_tag_value: 1
   local_file: 7
   modules: 15
-  resources: 176
+  resources: 177
 
 outputs:
   custom_roles: