Hardened datasets minor fixes (#3795)

2026-03-18 15:54:14 +07:00
parent 36b58781ed
commit b4172ec174
7 changed files with 23 additions and 56 deletions
--- a/fast/stages/0-org-setup/datasets/classic/organization/org-policies/compute.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/organization/org-policies/compute.yaml
@@ -84,7 +84,8 @@ compute.trustedImageProjects:
      - "is:projects/gke-node-images"
      - "is:projects/gke-windows-node-images"
      - "is:projects/ubuntu-os-gke-cloud"
-
+      - "is:projects/rocky-linux-accelerator-cloud"
+      - "is:projects/ubuntu-os-accelerator-images"

 compute.vmExternalIpAccess:
  rules:
--- a/fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml
@@ -15,10 +15,11 @@
 # yaml-language-server: $schema=../../../../schemas/folder.schema.json

 name: Data Platform
-org_policies:
-  custom.iamDisableAdminServiceAccount:
-    rules:
-      - enforce: false
-  custom.iamDisableProjectServiceAccountImpersonationRoles:
-    rules:
-      - enforce: false
+# To enforce once the constraints are provisionned
+# org_policies:
+#   custom.iamDisableAdminServiceAccount:
+#     rules:
+#       - enforce: false
+#   custom.iamDisableProjectServiceAccountImpersonationRoles:
+#     rules:
+#       - enforce: false
--- a/fast/stages/0-org-setup/datasets/hardened/observability/storageIamChanges.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/observability/storageIamChanges.yaml
@@ -48,7 +48,7 @@ alerts:
      mime_type: text/markdown
 logging_metrics:
  storageIamChanges:
-    bucket_name: l$log_buckets:log-0/audit-logs
+    bucket_name: $log_buckets:log-0/audit-logs
    description: Cloud Storage IAM Permission Changes
    filter: resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"
    label_extractors:
--- a/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/compute.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/compute.yaml
@@ -118,6 +118,8 @@ compute.trustedImageProjects:
          - "is:projects/gke-node-images"
          - "is:projects/gke-windows-node-images"
          - "is:projects/ubuntu-os-gke-cloud"
+          - "is:projects/rocky-linux-accelerator-cloud"
+          - "is:projects/ubuntu-os-accelerator-images"

 compute.vmExternalIpAccess:
  rules:
--- a/fast/stages/0-org-setup/datasets/hardened/projects/core/log-0.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/projects/core/log-0.yaml
@@ -71,6 +71,7 @@ org_policies:
    rules:
      - allow:
          all: true
-  custom.storageRequireBucketObjectVersionning:
-    rules:
-      - enforce: true
+  # To enforce once the constraints are provisionned
+  # custom.storageRequireBucketObjectVersionning:
+  #   rules:
+  #     - enforce: true