Add requireInvokerIam constraint to the polices to prevent public exposure of Cloud Run services

2025-03-31 18:19:12 +00:00
parent 925788b54a
commit bea36cb047
5 changed files with 27 additions and 5 deletions
--- a/fast/stages/0-bootstrap/data/org-policies-managed/serverless.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies-managed/serverless.yaml
@@ -24,6 +24,10 @@ run.allowedIngress:
        values:
          - is:internal-and-cloud-load-balancing

+run.managed.requireInvokerIam:
+  rules:
+    - enforce: true
+
 # run.allowedVPCEgress:
 #   rules:
 #   - allow:
--- a/fast/stages/0-bootstrap/data/org-policies/serverless.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies/serverless.yaml
@@ -24,6 +24,10 @@ run.allowedIngress:
        values:
          - is:internal-and-cloud-load-balancing

+run.managed.requireInvokerIam:
+  rules:
+    - enforce: true
+
 # run.allowedVPCEgress:
 #   rules:
 #   - allow:
--- a/tests/fast/stages/s0_bootstrap/cicd.yaml
+++ b/tests/fast/stages/s0_bootstrap/cicd.yaml
@@ -335,7 +335,7 @@ counts:
  google_logging_organization_sink: 4
  google_logging_project_bucket_config: 4
  google_org_policy_custom_constraint: 1
-  google_org_policy_policy: 34
+  google_org_policy_policy: 35
  google_organization_iam_binding: 27
  google_organization_iam_custom_role: 13
  google_organization_iam_member: 29
@@ -356,4 +356,4 @@ counts:
  google_tags_tag_value: 2
  local_file: 13
  modules: 26
-  resources: 282
+  resources: 283
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -20,7 +20,7 @@ counts:
  google_logging_organization_sink: 4
  google_logging_project_bucket_config: 4
  google_org_policy_custom_constraint: 1
-  google_org_policy_policy: 34
+  google_org_policy_policy: 35
  google_organization_iam_binding: 27
  google_organization_iam_custom_role: 13
  google_organization_iam_member: 29
@@ -41,7 +41,7 @@ counts:
  google_tags_tag_value: 2
  local_file: 8
  modules: 20
-  resources: 245
+  resources: 246

 outputs:
  automation: __missing__
@@ -113,4 +113,3 @@ outputs:
  workload_identity_pool:
    pool: null
    providers: {}
-
--- a/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml
@@ -465,6 +465,21 @@ values:
        - allowed_values:
          - is:internal-and-cloud-load-balancing
          denied_values: null
+  module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]:
+    dry_run_spec: []
+    name: organizations/123456789012/policies/run.managed.requireInvokerIam
+    parent: organizations/123456789012
+    spec:
+    - inherit_from_parent: null
+      reset: null
+      rules:
+      - allow_all: null
+        condition: []
+        deny_all: null
+        enforce: 'TRUE'
+        parameters: null
+        values: []
+    timeouts: null
  module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
    dry_run_spec: []
    name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks