From 2854ae6bd880dfd37154ad428273e3c07939b070 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Mon, 29 Jul 2024 15:15:04 +0200
Subject: [PATCH] Remove "constraints/" from org policy names (#2450)
---
 blueprints/data-solutions/shielded-folder/README.md | 4 ++--
 fast/docs/0-org-policies.md | 4 ++--
 fast/stages/0-bootstrap/data/org-policies/gcp.yaml | 4 ++--
 fast/stages/0-bootstrap/data/org-policies/serverless.yaml | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/blueprints/data-solutions/shielded-folder/README.md b/blueprints/data-solutions/shielded-folder/README.md
index 8821c456fe..204890aa4c 100644
--- a/blueprints/data-solutions/shielded-folder/README.md
+++ b/blueprints/data-solutions/shielded-folder/README.md
@@ -62,8 +62,8 @@ You can configure the Organization policies enforced on the folder editing yaml
 Some additional Organization policy constraints you may want to evaluate adding:
-- `constraints/gcp.resourceLocations`: to define the locations where location-based GCP resources can be created.
-- `constraints/gcp.restrictCmekCryptoKeyProjects`: to define which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources.
+- `gcp.resourceLocations`: to define the locations where location-based GCP resources can be created.
+- `gcp.restrictCmekCryptoKeyProjects`: to define which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources.
 ### VPC Service Control
diff --git a/fast/docs/0-org-policies.md b/fast/docs/0-org-policies.md
index e7d58ae57d..5a20209a98 100644
--- a/fast/docs/0-org-policies.md
+++ b/fast/docs/0-org-policies.md
@@ -13,9 +13,9 @@ Three different requirements drive this proposal.
 ### Organization policies deployed at bootstrap time
-Many organizations take security seriously, and would like to have organization policies (for example `constraints/iam.automaticIamGrantsForDefaultServiceAccounts`) deployed right from the beginning at bootstrap time. This is currently extremely cumbersome, as organization policies are managed in stage 1.
+Many organizations take security seriously, and would like to have organization policies (for example `iam.automaticIamGrantsForDefaultServiceAccounts`) deployed right from the beginning at bootstrap time. This is currently extremely cumbersome, as organization policies are managed in stage 1.
-As an additional benefit, managing some or all organization policies in stage 0 will enable to turn off undesired resource configuration for the initial projects (for example `constraints/compute.skipDefaultNetworkCreation`).
+As an additional benefit, managing some or all organization policies in stage 0 will enable to turn off undesired resource configuration for the initial projects (for example `compute.skipDefaultNetworkCreation`).
 ### Simplify and limit delegation of Organization Policy Administrator role
diff --git a/fast/stages/0-bootstrap/data/org-policies/gcp.yaml b/fast/stages/0-bootstrap/data/org-policies/gcp.yaml
index d244b6bbe1..bef5629c52 100644
--- a/fast/stages/0-bootstrap/data/org-policies/gcp.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies/gcp.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@
 # Terraform will be unable to decode this file if it does not contain valid YAML
 # You can retain `---` (start of the document) to indicate an empty document.
-# constraints/gcp.resourceLocations:
+# gcp.resourceLocations:
 # rules:
 # - allow:
 # values:
diff --git a/fast/stages/0-bootstrap/data/org-policies/serverless.yaml b/fast/stages/0-bootstrap/data/org-policies/serverless.yaml
index 0c7c957c42..b7c3dc2371 100644
--- a/fast/stages/0-bootstrap/data/org-policies/serverless.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies/serverless.yaml
@@ -34,7 +34,7 @@ run.allowedIngress:
 # rules:
 # - enforce: true
-# constraints/cloudfunctions.restrictAllowedGenerations:
+# cloudfunctions.restrictAllowedGenerations:
 # rules:
 # - allow:
 # values: