@mikesparr
Created May 19, 2023 22:16
Recommended GCP Organization Policies
#####################################################################
# ORG POLICIES
# Applied to a demo parent folder here; in a real deployment set them on
# the organization node so every folder and project inherits them.
# Assumes DEMO_FOLDER_ID, PROD_FOLDER_ID, HOST_PROJECT_PROD_ID and
# GCP_REGION are already exported.
# REF: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#how-to_guides
# REF: https://cloud.google.com/storage/docs/org-policy-constraints
#####################################################################
# deny external IPs on all VMs (list constraint, legacy v1 policy format)
export IP_POLICY_FILE=policy-extip.json
cat > $IP_POLICY_FILE << EOF
{
  "constraint": "constraints/compute.vmExternalIpAccess",
  "listPolicy": {
    "allValues": "DENY"
  }
}
EOF
gcloud resource-manager org-policies set-policy $IP_POLICY_FILE --folder=$DEMO_FOLDER_ID
# restrict Shared VPC subnets usable under the production folder to the
# listed prod host-project subnets (optional). The v1 policy format uses
# camelCase field names (allowedValues), and nested keys must be indented.
export SHARED_VPC_POLICY_FILE=policy-allowedsubnetsprod.yaml
cat > $SHARED_VPC_POLICY_FILE << EOF
constraint: constraints/compute.restrictSharedVpcSubnetworks
listPolicy:
  allowedValues:
  - projects/$HOST_PROJECT_PROD_ID/regions/$GCP_REGION/subnetworks/k8s-nodes-prod
  - projects/$HOST_PROJECT_PROD_ID/regions/$GCP_REGION/subnetworks/bastion-prod
  - projects/$HOST_PROJECT_PROD_ID/regions/$GCP_REGION/subnetworks/vms-prod
  - projects/$HOST_PROJECT_PROD_ID/regions/$GCP_REGION/subnetworks/dbs-prod
  - projects/$HOST_PROJECT_PROD_ID/regions/$GCP_REGION/subnetworks/vpcconn-prod
  - projects/$HOST_PROJECT_PROD_ID/regions/$GCP_REGION/subnetworks/memorystore-prod
EOF
gcloud resource-manager org-policies set-policy $SHARED_VPC_POLICY_FILE --folder=$PROD_FOLDER_ID
# skip creation of the default VPC network and its permissive firewall rules
# in new projects; existing default networks are not removed
# ( constraints/compute.skipDefaultNetworkCreation )
gcloud resource-manager org-policies enable-enforce \
--folder $DEMO_FOLDER_ID \
compute.skipDefaultNetworkCreation
# require OS Login for all VMs ( compute.requireOsLogin )
gcloud resource-manager org-policies enable-enforce \
--folder $DEMO_FOLDER_ID \
compute.requireOsLogin
# stop the automatic Editor role grant to default service accounts when
# a project is created ( iam.automaticIamGrantsForDefaultServiceAccounts )
gcloud resource-manager org-policies enable-enforce \
--folder $DEMO_FOLDER_ID \
iam.automaticIamGrantsForDefaultServiceAccounts
# disable SA key creation ( iam.disableServiceAccountKeyCreation )
gcloud resource-manager org-policies enable-enforce \
--folder $DEMO_FOLDER_ID \
iam.disableServiceAccountKeyCreation
# disable SA key upload ( iam.disableServiceAccountKeyUpload )
gcloud resource-manager org-policies enable-enforce \
--folder $DEMO_FOLDER_ID \
iam.disableServiceAccountKeyUpload
# prevent removal of the lien that protects projects whose service accounts
# are attached to resources in other projects, since cross-project SAs are
# allowed here ( iam.restrictCrossProjectServiceAccountLienRemoval )
gcloud resource-manager org-policies enable-enforce \
--folder $DEMO_FOLDER_ID \
iam.restrictCrossProjectServiceAccountLienRemoval
# require uniform bucket-level access on new buckets, so IAM alone governs
# access and per-object ACLs cannot be used ( storage.uniformBucketLevelAccess )
gcloud resource-manager org-policies enable-enforce \
--folder $DEMO_FOLDER_ID \
storage.uniformBucketLevelAccess
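Setting a policy is only half the job: a child folder or project can override a boolean constraint, so the effective policy at the target node is what matters. The script below is an added example, not part of the gist above. It renders a list-constraint policy file from a value list (avoiding hand-indented YAML) and checks the effective policy returned by `gcloud resource-manager org-policies describe --effective` for each boolean constraint the gist enforces. The helpers run offline; the `gcloud` calls only run when `DEMO_FOLDER_ID` is set and `gcloud` is on `PATH`. The sample `describe` outputs embedded in it are constructed from the v1 Policy resource fields, not captured from a real run.

```bash
#!/usr/bin/env bash
# Added example (not from the original gist): render v1 list policies and
# verify boolean org-policy constraints are enforced at a folder.
set -u

# Render a legacy (v1) list policy that allows exactly the given values.
# Usage: render_list_policy CONSTRAINT VALUE...
render_list_policy() {
  constraint=$1; shift
  printf 'constraint: %s\nlistPolicy:\n  allowedValues:\n' "$constraint"
  for v in "$@"; do
    printf '  - %s\n' "$v"
  done
}

# Return 0 when the text of `org-policies describe CONSTRAINT --effective`
# shows a boolean constraint enforced, 1 otherwise. The effective policy
# resolves inheritance, so a child-level override that turns the constraint
# back off shows up here as a failure.
policy_enforced() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*enforced:[[:space:]]*true[[:space:]]*$'
}

# Check each boolean constraint against a folder; prints PASS/FAIL per
# constraint and returns 1 if any constraint is not enforced. Requires gcloud.
verify_boolean_constraints() {
  folder=$1; shift
  failures=0
  for c in "$@"; do
    out=$(gcloud resource-manager org-policies describe "$c" \
            --folder="$folder" --effective 2>/dev/null)
    if policy_enforced "$out"; then
      echo "PASS  $c"
    else
      echo "FAIL  $c (not enforced at folders/$folder)"
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
}

# Constructed samples of describe --effective output (v1 Policy fields):
SAMPLE_ENFORCED='booleanPolicy:
  enforced: true
constraint: constraints/compute.requireOsLogin'
SAMPLE_NOT_ENFORCED='booleanPolicy: {}
constraint: constraints/compute.requireOsLogin'

# Stand-alone run: regenerate the Shared VPC allow-list from the gist's
# variables, then verify the boolean constraints set above. Skipped when the
# variables or gcloud are missing so the helpers can be sourced elsewhere.
if [ -n "${HOST_PROJECT_PROD_ID:-}" ] && [ -n "${GCP_REGION:-}" ]; then
  render_list_policy constraints/compute.restrictSharedVpcSubnetworks \
    "projects/$HOST_PROJECT_PROD_ID/regions/$GCP_REGION/subnetworks/k8s-nodes-prod" \
    "projects/$HOST_PROJECT_PROD_ID/regions/$GCP_REGION/subnetworks/bastion-prod" \
    > policy-allowedsubnetsprod.yaml
fi
if [ -n "${DEMO_FOLDER_ID:-}" ] && command -v gcloud >/dev/null 2>&1; then
  verify_boolean_constraints "$DEMO_FOLDER_ID" \
    compute.skipDefaultNetworkCreation compute.requireOsLogin \
    iam.automaticIamGrantsForDefaultServiceAccounts \
    iam.disableServiceAccountKeyCreation iam.disableServiceAccountKeyUpload \
    iam.restrictCrossProjectServiceAccountLienRemoval \
    storage.uniformBucketLevelAccess
fi
```

Run the verification against the production folder as well as the demo folder, and from a principal that only holds `orgpolicy.policyViewer`, so the check itself does not need the `orgpolicy.policyAdmin` role used to set the policies.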