* Migrate organization policy tests to standard tftest.yaml. Remove python-hcl2 dependency and the custom python test file. Consolidate the boolean, list, and custom constraint tests into a single `org_policies` test with a factory equivalent. Restructure factory files into a unified `factory/` directory. * Migrate project and folder org policy tests to standard tftest.yaml. Replicate the organization module changes for project and folder modules: - Remove python-hcl2 dependency usages and conftest.py. - Remove custom python test files for org policies. - Consolidate org policy tests into a single `org_policies` test with a factory equivalent. - Unify factory files into a `factory/` directory. - Remove redundant common.tfvars in folder module. * Add factory policies directory to duplicate-diff checks. Ensure the YAML factory files for org policies remain perfectly identical across the organization, folder, and project modules. * Remove unused deepdiff dependency from requirements and pre-commit config. * Add boilerplate * fix broken link
org_policies = {
|
|
"iam.disableServiceAccountKeyCreation" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
"iam.disableServiceAccountKeyUpload" = {
|
|
rules = [
|
|
{
|
|
condition = {
|
|
expression = "resource.matchTagId(aa, bb)"
|
|
title = "condition"
|
|
description = "test condition"
|
|
location = "xxx"
|
|
}
|
|
enforce = true
|
|
},
|
|
{
|
|
enforce = false
|
|
}
|
|
]
|
|
}
|
|
"compute.vmExternalIpAccess" = {
|
|
rules = [{ deny = { all = true } }]
|
|
}
|
|
"iam.allowedPolicyMemberDomains" = {
|
|
inherit_from_parent = true
|
|
rules = [{
|
|
allow = {
|
|
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
|
}
|
|
}]
|
|
}
|
|
"compute.restrictLoadBalancerCreationForTypes" = {
|
|
rules = [
|
|
{
|
|
condition = {
|
|
expression = "resource.matchTagId(aa, bb)"
|
|
title = "condition"
|
|
description = "test condition"
|
|
location = "xxx"
|
|
}
|
|
allow = {
|
|
values = ["EXTERNAL_1"]
|
|
}
|
|
},
|
|
{
|
|
condition = {
|
|
expression = "resource.matchTagId(cc, dd)"
|
|
title = "condition2"
|
|
description = "test condition2"
|
|
location = "xxx"
|
|
}
|
|
allow = {
|
|
all = true
|
|
}
|
|
},
|
|
{
|
|
deny = { values = ["in:EXTERNAL"] }
|
|
}
|
|
]
|
|
}
|
|
}
|
|
|
|
org_policy_custom_constraints = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
resource_types = ["container.googleapis.com/NodePool"]
|
|
method_types = ["CREATE"]
|
|
condition = "resource.management.autoUpgrade == true"
|
|
action_type = "ALLOW"
|
|
display_name = "Enable node auto-upgrade"
|
|
description = "All node pools must have node auto-upgrade enabled."
|
|
},
|
|
"custom.dataprocNoMoreThan10Workers" = {
|
|
resource_types = ["dataproc.googleapis.com/Cluster"]
|
|
method_types = ["CREATE", "UPDATE"]
|
|
condition = "resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10"
|
|
action_type = "DENY"
|
|
display_name = "Total number of worker instances cannot be larger than 10"
|
|
description = "Cluster cannot have more than 10 workers, including primary and secondary workers."
|
|
}
|
|
}
|
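Review bot: The fixture carries no comment tying it to its factory equivalent, so a reader of the `org_policies` test cannot tell from this file alone that the YAML under `factory/` must encode the same policies; the commit description adds a duplicate-diff check for the YAML files across modules, but nothing visible here links this tfvars to its YAML twin. A one-line header such as `# Fixture for the org_policies test; keep in sync with the factory/ YAML equivalent.` would make the pairing explicit (if a license header opens the file outside this view, the line belongs right after it). Two values are also worth a why-comment so a maintainer does not "fix" them: the `iam.disableServiceAccountKeyUpload` rules list a conditional `enforce = true` before an unconditional `enforce = false`, which deserves `# conditional rule first, unconditional fallback last`, and the `iam.allowedPolicyMemberDomains` allow list `["C0xxxxxxx", "C0yyyyyyy"]` deserves `# placeholder customer IDs, not real organizations`.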