Merge branch 'master' into ngfw
LucaPrete authored Jul 29, 2024
2 parents 67e6de7 + 2854ae6 commit fed4931
Showing 4 changed files with 7 additions and 7 deletions.
4 changes: 2 additions & 2 deletions blueprints/data-solutions/shielded-folder/README.md
Expand Up @@ -62,8 +62,8 @@ You can configure the Organization policies enforced on the folder editing yaml

Some additional Organization policy constraints you may want to evaluate adding:

- `constraints/gcp.resourceLocations`: to define the locations where location-based GCP resources can be created.
- `constraints/gcp.restrictCmekCryptoKeyProjects`: to define which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources.
- `gcp.resourceLocations`: to define the locations where location-based GCP resources can be created.
- `gcp.restrictCmekCryptoKeyProjects`: to define which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources.

### VPC Service Control

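Review bot: dropping the `constraints/` prefix here is the right direction, since the stage 0 policy data files in this same commit key their rules on bare constraint names (see `run.allowedIngress:` in `fast/stages/0-bootstrap/data/org-policies/serverless.yaml`), but this hunk only touches two lines of the README; please check that no other constraint name elsewhere in the file (and in the yaml the "editing yaml" sentence at the top of the hunk points to) still carries the prefix, otherwise readers cannot tell which form the folder's policy files expect.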
4 changes: 2 additions & 2 deletions fast/docs/0-org-policies.md
Expand Up @@ -13,9 +13,9 @@ Three different requirements drive this proposal.

### Organization policies deployed at bootstrap time

Many organizations take security seriously, and would like to have organization policies (for example `constraints/iam.automaticIamGrantsForDefaultServiceAccounts`) deployed right from the beginning at bootstrap time. This is currently extremely cumbersome, as organization policies are managed in stage 1.
Many organizations take security seriously, and would like to have organization policies (for example `iam.automaticIamGrantsForDefaultServiceAccounts`) deployed right from the beginning at bootstrap time. This is currently extremely cumbersome, as organization policies are managed in stage 1.

As an additional benefit, managing some or all organization policies in stage 0 will enable to turn off undesired resource configuration for the initial projects (for example `constraints/compute.skipDefaultNetworkCreation`).
As an additional benefit, managing some or all organization policies in stage 0 will enable to turn off undesired resource configuration for the initial projects (for example `compute.skipDefaultNetworkCreation`).

### Simplify and limit delegation of Organization Policy Administrator role

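Review bot: "will enable to turn off undesired resource configuration" is ungrammatical and, since the line is already being edited, could read "will make it possible to turn off undesired resource configuration for the initial projects"; the example constraint `compute.skipDefaultNetworkCreation` prevents the default network from being created, so "prevent creation of the default network in the initial projects" would also state more precisely what enforcing it does. The prefix removal itself matches the convention used in the data files in this commit.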
4 changes: 2 additions & 2 deletions fast/stages/0-bootstrap/data/org-policies/gcp.yaml
@@ -1,4 +1,4 @@
# Copyright 2023 Google LLC
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand All @@ -16,7 +16,7 @@
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.

# constraints/gcp.resourceLocations:
# gcp.resourceLocations:
# rules:
# - allow:
# values:
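Review bot: the renamed `gcp.resourceLocations` example is commented out, so nothing in this file is decoded by Terraform and the new key form is never exercised; given that the header comment just above warns that Terraform cannot decode the file if it is not valid YAML, consider stating in that same header that constraint keys are written without the `constraints/` prefix (as `run.allowedIngress:` is in serverless.yaml), so that a user who copies a constraint name from the console does not put the prefix back and end up with a key the factory does not recognise.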
2 changes: 1 addition & 1 deletion fast/stages/0-bootstrap/data/org-policies/serverless.yaml
Expand Up @@ -34,7 +34,7 @@ run.allowedIngress:
# rules:
# - enforce: true

# constraints/cloudfunctions.restrictAllowedGenerations:
# cloudfunctions.restrictAllowedGenerations:
# rules:
# - allow:
# values:
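Review bot: this brings the commented `cloudfunctions.restrictAllowedGenerations` example in line with the active `run.allowedIngress:` key visible in the hunk header, which is good; the `values:` list under `allow:` is cut off by the hunk, so please confirm the whole commented block (not just the key line) still parses as valid YAML when uncommented, since the `rules:` / `- allow:` / `values:` nesting is what the factory reads and a stray indentation change there would only surface at plan time.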
