Organizational Policy Modules in Secure Landing Zone
These Terraform modules enforce specific constraints and policies within an SLZ, enhancing the security and compliance posture of your GCP organization.
These modules encode security constraints aligned with Google Cloud best practices. Within the Secure Landing Zone they are applied as organization policies at the organization root, so they help enforce compliance requirements and raise the security posture of every project below that root. Note that a module is only effective when the generated configuration actually enforces it (see the "Code" section below for each module's `enforcement` value and allow/deny lists).
Modules
1. Skip Default Network Creation
Prevents the automatic creation of a default network in new projects.
module "skip_default_network" {
  // Boolean constraint; the generated configuration below enforces it at the organization root.
  constraint = "constraints/compute.skipDefaultNetworkCreation"
  // Other configurations...
}
2. Uniform Bucket Level Access
Enforces uniform bucket-level access control across all Cloud Storage buckets.
module "uniform_bucket_level_access" {
  // Boolean constraint; the generated configuration below enforces it at the organization root.
  constraint = "constraints/storage.uniformBucketLevelAccess"
  // Other configurations...
}
3. Enforce Bucket Public Access Prevention
Prevents public access to Cloud Storage buckets.
module "enforce_bucket_public_access_prevention" {
  // Boolean constraint; the generated configuration below enforces it at the organization root.
  constraint = "constraints/storage.publicAccessPrevention"
  // Other configurations...
}
4. Disable VM Serial Ports
Disables the global serial port access to VM instances.
module "disable_vm_serial_ports" {
  // Boolean constraint; the generated configuration below enforces it at the organization root.
  constraint = "constraints/compute.disableGlobalSerialPortAccess"
  // Other configurations...
}
5. Restrict Shared VPC Project Lien
Restricts who can remove the lien that protects a Shared VPC host project from deletion. Note: the generated configuration below sets `enforcement = false` for this module, so the constraint is declared but not currently enforced.
module "restrict_shared_vpc_project_lien" {
  // Boolean constraint. NOTE(review): the generated configuration in the
  // "Code" section below sets enforcement = false for this module, so the
  // lien-removal restriction described above is not actually enforced.
  constraint = "constraints/compute.restrictXpnProjectLienRemoval"
  // Other configurations...
}
6. Restrict Public IP CloudSQL
Disallows public IP addresses for Cloud SQL instances.
module "restrict_public_ip_cloudsql" {
  // Boolean constraint; the generated configuration below enforces it at the organization root.
  constraint = "constraints/sql.restrictPublicIp"
  // Other configurations...
}
7. Disable VM Nested Virtualization
Prevents the use of nested virtualization in VM instances.
module "disable_vm_nested_virtualization" {
  // Boolean constraint; the generated configuration below enforces it at the organization root.
  constraint = "constraints/compute.disableNestedVirtualization"
  // Other configurations...
}
8. Disable Guest Attributes Access
Blocks access to guest attributes in VM instances.
module "disable_guest_attributes" {
  // Boolean constraint; the generated configuration below enforces it at the organization root.
  constraint = "constraints/compute.disableGuestAttributesAccess"
  // Other configurations...
}
9. Require OS Login
Enforces OS login for SSH access to VM instances.
module "require_os_login" {
  // Boolean constraint; the generated configuration below enforces it at the organization root.
  constraint = "constraints/compute.requireOsLogin"
  // Other configurations...
}
10. Domain Restricted Sharing
Restricts the identities that can be added to IAM policies to members of the allowed organizations (the constraint takes Cloud Identity / Google Workspace customer IDs, not DNS domain names). Note: the generated configuration below has an empty `allow` list and `enforcement = false`, so no restriction is currently applied; the customer ID(s) must be supplied for this module to have any effect.
module "domain_restricted_sharing" {
  // List constraint. NOTE(review): the generated configuration in the "Code"
  // section below has allow = [] and enforcement = false for this module, so
  // IAM member domains are not actually restricted until the allowed
  // customer ID(s) are populated.
  constraint = "constraints/iam.allowedPolicyMemberDomains"
  // Other configurations...
}
11. Restrict VM External IP
Controls which VM instances may be assigned external IP addresses; applied as deny-all it prohibits external IPs entirely. The generated configuration below enforces this constraint with empty `allow`/`deny` lists — confirm that `../modules/org-policy` maps that to a deny-all rule, otherwise the policy is a no-op.
module "restrict_vm_external_ip" {
  // List constraint. The generated configuration below sets enforcement = true
  // with empty allow/deny lists; whether that becomes a deny-all rule depends
  // on ../modules/org-policy, which is not shown here — verify.
  constraint = "constraints/compute.vmExternalIpAccess"
  // Other configurations...
}
12. Restrict VPC Peering
Limits the VPC networks that networks in this organization may peer with. Note: the generated configuration below has an empty `allow` list and `enforcement = false`, so peering is not currently restricted.
module "restrict_vpc_peering" {
  // List constraint. NOTE(review): the generated configuration in the "Code"
  // section below has allow = [] and enforcement = false for this module, so
  // VPC peering is not actually limited.
  constraint = "constraints/compute.restrictVpcPeering"
  // Other configurations...
}
13. Restrict Shared VPC Host Projects
Restricts which projects may be configured as Shared VPC host projects. Note: the generated configuration below has an empty `allow` list and `enforcement = false`, so any project can currently become a Shared VPC host.
module "restrict_vpc_host_projects" {
  // List constraint. NOTE(review): the generated configuration in the "Code"
  // section below has allow = [] and enforcement = false for this module, so
  // Shared VPC host project creation is not actually restricted.
  constraint = "constraints/compute.restrictSharedVpcHostProjects"
  // Other configurations...
}
14. Disable Service Account Key Creation
Prevents the creation of service account keys.
module "disable_service_account_key_creation" {
  // Boolean constraint blocking creation of user-managed service account keys.
  // Its generated configuration is not within the portion of the "Code"
  // section shown on this page; check the enforcement value there.
  constraint = "constraints/iam.disableServiceAccountKeyCreation"
  // Other configurations...
}
15. Disable Service Account Key Upload
Disallows the upload of service account keys.
module "disable_service_account_key_upload" {
  // Boolean constraint blocking upload of externally generated service account keys.
  // Its generated configuration is not within the portion of the "Code"
  // section shown on this page; check the enforcement value there.
  constraint = "constraints/iam.disableServiceAccountKeyUpload"
  // Other configurations...
}
Info
From this point on, the document is autogenerated; do not modify it directly. Change the generator's input instead, otherwise edits are lost on the next generation.
Code
module "skip_default_network" {
  // Boolean org policy applied at the organization root; enforced.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/compute.skipDefaultNetworkCreation"
  policy_type = "boolean"
}
module "uniform_bucket_level_access" {
  // Boolean org policy applied at the organization root; enforced.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/storage.uniformBucketLevelAccess"
  policy_type = "boolean"
}
module "enforce_bucket_public_access_prevention" {
  // Boolean org policy applied at the organization root; enforced.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/storage.publicAccessPrevention"
  policy_type = "boolean"
}
module "disable_vm_serial_ports" {
  // Boolean org policy applied at the organization root; enforced.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/compute.disableGlobalSerialPortAccess"
  policy_type = "boolean"
}
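module "restrict_shared_vpc_project_lien" {
  // Boolean org policy applied at the organization root. Section 5 of this
  // page describes the module as restricting removal of the lien that
  // protects a Shared VPC host project from deletion, but the generated
  // value was `enforcement = false`, i.e. the constraint was declared
  // without being enforced. Set to true so the policy matches the documented
  // intent.
  // NOTE(review): this file is autogenerated — mirror this change in the
  // generator input so it is not reverted on the next generation.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/compute.restrictXpnProjectLienRemoval"
  policy_type = "boolean"
}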
module "restrict_public_ip_cloudsql" {
  // Boolean org policy applied at the organization root; enforced.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/sql.restrictPublicIp"
  policy_type = "boolean"
}
module "disable_vm_nested_virtualization" {
  // Boolean org policy applied at the organization root; enforced.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/compute.disableNestedVirtualization"
  policy_type = "boolean"
}
module "disable_guest_attributes" {
  // Boolean org policy applied at the organization root; enforced.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/compute.disableGuestAttributesAccess"
  policy_type = "boolean"
}
module "require_os_login" {
  // Boolean org policy applied at the organization root; enforced.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/compute.requireOsLogin"
  policy_type = "boolean"
}
module "domain_restricted_sharing" {
  // List org policy limiting which identities may be granted IAM roles.
  // NOTE(review): as generated, enforcement = false and allow = [], so no
  // identity restriction is applied even though section 10 above describes
  // this module as restricting sharing to specific domains. To make it
  // effective, populate `allow` with the organization's Cloud Identity
  // customer ID(s) (the constraint takes customer IDs, not DNS domain names)
  // and enable enforcement — in the generator input, since this file is
  // autogenerated.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = false
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/iam.allowedPolicyMemberDomains"
  policy_type = "list"
}
module "restrict_vm_external_ip" {
  // List org policy controlling which VM instances may have external IPs.
  // enforcement = true with empty allow/deny lists: whether
  // ../modules/org-policy translates this into a deny-all rule (prohibiting
  // external IPs, as section 11 states) or into a no-op cannot be determined
  // from this file — verify against the module before relying on it.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/compute.vmExternalIpAccess"
  policy_type = "list"
}
module "restrict_vpc_peering" {
  // List org policy limiting which VPC networks may be peered with.
  // NOTE(review): as generated, enforcement = false and allow = [], so VPC
  // peering is not restricted despite section 12 above saying it is. Supply
  // the permitted network/project/folder values in `allow` and enable
  // enforcement via the generator input.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = false
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/compute.restrictVpcPeering"
  policy_type = "list"
}
module "restrict_vpc_host_projects" {
  // List org policy restricting which projects may become Shared VPC hosts.
  // NOTE(review): as generated, enforcement = false and allow = [], so any
  // project can currently be configured as a Shared VPC host, contrary to
  // section 13 above. Populate `allow` with the intended host project(s) and
  // enable enforcement via the generator input.
  source         = "../modules/org-policy"
  policy_root    = "organization"
  policy_root_id = var.org_id
  rules = [{
    enforcement = false
    allow       = []
    deny        = []
    conditions  = []
  }]
  constraint  = "constraints/compute.restrictSharedVpcHostProjects"
  policy_type = "list"
}