Recommended GCP Organization Policies
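#!/usr/bin/env bash
#####################################################################
# ORG POLICIES (SET ON DEMO PARENT FOLDER FOR DEMO [SHOULD SET ON ORG])
#
# Applies a baseline of organization-policy constraints to a folder. Org
# policies are inherited, so in a real deployment set them at the
# organization node (--organization=ID) and carve out exceptions per folder,
# rather than on a demo folder as done here.
#
# Most of these controls only gate *new* resources or *new* projects, and a
# few (external IPs, service-account keys) will break existing automation that
# depends on them. Read the caveat next to each constraint before applying it
# to an organization that already has workloads.
#
# Run this as a script (bash org-policies.sh), not via `source`: it enables
# strict mode and installs an EXIT trap.
#
# Required environment:
#   DEMO_FOLDER_ID        folder (ideally: organization) that receives the baseline
#   PROD_FOLDER_ID        folder that receives the Shared VPC subnet allow-list
#   HOST_PROJECT_PROD_ID  Shared VPC host project whose subnets are allowed
#   GCP_REGION            region of those subnets
#
# REF: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#how-to_guides
# REF: https://cloud.google.com/storage/docs/org-policy-constraints
#####################################################################
set -euo pipefail

# Fail fast on missing input instead of running gcloud with --folder= empty,
# which would otherwise leave the folder half-configured.
: "${DEMO_FOLDER_ID:?must be set to the folder id that receives the baseline policies}"
: "${PROD_FOLDER_ID:?must be set to the production folder id}"
: "${HOST_PROJECT_PROD_ID:?must be set to the production Shared VPC host project id}"
: "${GCP_REGION:?must be set to the region of the allowed prod subnets}"

# Policy documents go into a private temp dir and are removed on exit so a
# stale policy file in the working directory cannot be re-applied by mistake.
POLICY_DIR="$(mktemp -d)"
cleanup() { rm -rf -- "${POLICY_DIR:?}"; }
trap cleanup EXIT

#######################################
# Turn on a boolean org-policy constraint on a folder.
# Boolean constraints are set with enable-enforce; they take no policy file.
# Arguments: $1 - constraint name without the "constraints/" prefix
#            $2 - folder id
# Returns:   gcloud's exit status (non-zero aborts the script under set -e)
#######################################
enforce_bool() {
  local constraint=$1
  local folder=$2
  gcloud resource-manager org-policies enable-enforce \
    --folder="${folder}" \
    "${constraint}"
}

# --- Disable external IPs for VMs ( compute.vmExternalIpAccess ) -------------
# allValues: DENY means no VM under the folder may be given an external IP.
# Caveat: reach instances through IAP TCP forwarding or a private-IP bastion.
# Anything that genuinely needs a public IP (including a bastion) must be
# allow-listed by instance URI in allowedValues instead of using DENY-all.
# The heredoc delimiter is quoted: the JSON contains no variables.
IP_POLICY_FILE="${POLICY_DIR}/policy-extip.json"
cat > "${IP_POLICY_FILE}" <<'EOF'
{
  "constraint": "constraints/compute.vmExternalIpAccess",
  "listPolicy": {
    "allValues": "DENY"
  }
}
EOF
gcloud resource-manager org-policies set-policy "${IP_POLICY_FILE}" --folder="${DEMO_FOLDER_ID}"

# --- Restrict prod workloads to prod Shared VPC subnets (optional) -----------
# ( compute.restrictSharedVpcSubnetworks ) Service projects under the
# production folder may only attach to the host-project subnets listed below.
# Note this one is applied to PROD_FOLDER_ID, not DEMO_FOLDER_ID.
PROD_SUBNETS=(
  k8s-nodes-prod
  bastion-prod
  vms-prod
  dbs-prod
  vpcconn-prod
  memorystore-prod
)
SHARED_VPC_POLICY_FILE="${POLICY_DIR}/policy-allowedsubnetsprod.yaml"
{
  printf 'constraint: constraints/compute.restrictSharedVpcSubnetworks\n'
  printf 'listPolicy:\n'
  printf '  allowed_values:\n'
  for subnet in "${PROD_SUBNETS[@]}"; do
    printf '    - projects/%s/regions/%s/subnetworks/%s\n' \
      "${HOST_PROJECT_PROD_ID}" "${GCP_REGION}" "${subnet}"
  done
} > "${SHARED_VPC_POLICY_FILE}"
gcloud beta resource-manager org-policies set-policy "${SHARED_VPC_POLICY_FILE}" --folder="${PROD_FOLDER_ID}"

# --- Boolean constraints on the demo folder ----------------------------------
# compute.skipDefaultNetworkCreation
#   New projects get no "default" VPC (and none of its permissive firewall rules).
# compute.requireOsLogin
#   SSH access is governed by IAM via OS Login rather than metadata SSH keys.
#   Check the docs for how existing projects/instances are affected; it is
#   primarily enforced for newly created ones.
# iam.automaticIamGrantsForDefaultServiceAccounts
#   Default service accounts in new projects no longer get project Editor.
# iam.disableServiceAccountKeyCreation
#   No user-managed SA keys. CI/CD and Terraform that currently use key files
#   must move to Workload Identity Federation or SA impersonation first.
# iam.disableServiceAccountKeyUpload
#   No externally generated key material may be attached to SAs.
# iam.restrictCrossProjectServiceAccountLienRemoval
#   Projects whose SAs are used cross-project keep their protective lien.
# storage.uniformBucketLevelAccess
#   New buckets are IAM-only; per-object ACLs are disabled.
BOOL_CONSTRAINTS=(
  compute.skipDefaultNetworkCreation
  compute.requireOsLogin
  iam.automaticIamGrantsForDefaultServiceAccounts
  iam.disableServiceAccountKeyCreation
  iam.disableServiceAccountKeyUpload
  iam.restrictCrossProjectServiceAccountLienRemoval
  storage.uniformBucketLevelAccess
)
for constraint in "${BOOL_CONSTRAINTS[@]}"; do
  enforce_bool "${constraint}" "${DEMO_FOLDER_ID}"
done

# Also worth enforcing once their prerequisites are in place (not applied here
# because each needs extra input or can lock existing workloads out):
#   storage.publicAccessPrevention   - blocks allUsers / allAuthenticatedUsers on buckets
#   iam.allowedPolicyMemberDomains   - list constraint; needs your Cloud Identity customer ID
#   sql.restrictPublicIp             - no public IPs on Cloud SQL instances
#   compute.disableSerialPortAccess  - no serial-console access to VMs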