GCP policies & tags

1. Policies

1.1. Where

1.1.1. iam policy

1.1.1.1. organization

1.1.1.2. folder / folder / ...

1.1.1.3. project

1.1.1.4. resources

1.1.2. org policy

1.1.2.1. organization

1.1.2.2. folder / folder / ...

1.1.2.3. project

1.2. What

1.2.1. iam policy

1.2.1.1. role

1.2.1.1.1. set of permissions

1.2.1.1.2. permission

1.2.2. org policy

1.2.2.1. constraints

1.2.2.1.1. constraints/gcp.resourceLocations

1.2.2.1.2. constraints/serviceuser.services

1.2.2.1.3. constraints/compute.vmExternalIpAccess

1.2.2.1.4. constraints/run.allowedIngress

1.2.2.1.5. ...

1.3. Who

1.3.1. iam policy

1.3.1.1. member

1.3.1.1.1. user

1.3.1.1.2. group

1.3.1.1.3. service account

1.3.1.1.4. special members

1.3.2. org policy

1.3.2.1. NO who

1.4. type

1.4.1. iam policy

1.4.1.1. Allow only

1.4.2. org policy

1.4.2.1. list

1.4.2.1.1. allow

1.4.2.1.2. deny

1.4.2.2. boolean

1.4.2.2.1. enforced

1.5. Inheritance

1.5.1. iam policy

1.5.1.1. Propagate down the structure: union of parents + self

1.5.1.2. cannot block what is coming from parents

1.5.2. org policy

1.5.2.1. one of

1.5.2.1.1. inherit from parents (default)

1.5.2.1.2. override inheritance with Google default

1.5.2.1.3. custom - merge

1.5.2.1.4. custom - replace

2. Problem

2.1. Lack of flexibility of the org-folder-project hierarchy when it is used as the "where to apply" of policies

2.2. the hierarchy has only one primary orientation

2.3. case

2.3.1. If the hierarchy is primarily Environment oriented

2.3.1.1. o=my.org

2.3.1.1.1. f=managed_apps

2.3.1.1.2. f=unmanaged-apps

2.3.1.1.3. f=it

2.3.1.1.4. f=sandbox

2.3.2. then it cannot be primarily

2.3.2.1. department oriented

2.3.2.1.1. o=my.org

2.3.2.2. location oriented

2.3.2.2.1. o=my.org

3. Solution

3.1. Use tags as conditions in the policy to solve the lack of flexibility of the hierarchy

3.2. How

3.2.1. Create key-value pairs to complement the primary orientation of the hierarchy

3.2.1.1. examples

3.2.1.1.1. if the hierarchy is primarily Environment oriented

3.2.1.1.2. Then create

3.2.1.2. Limits

3.2.1.2.1. for now

3.2.1.3. are organization resources

3.2.1.3.1. Immutable. The resource name of the new TagKey's parent. Must be of the form organizations/{org_id}

3.2.2. Secure the key-values using

3.2.2.1. roles

3.2.2.1.1. roles/resourcemanager.tagAdmin

3.2.2.1.2. roles/resourcemanager.tagUser

3.2.2.1.3. roles/resourcemanager.tagViewer

3.2.2.2. permission: resourcemanager

3.2.2.2.1. tagKeys

3.2.2.2.2. tagValues

3.2.2.2.3. tagValueBindings

3.2.2.2.4. resourceTagBindings

3.2.3. Securely bind key-value pairs

3.2.3.1. to

3.2.3.1.1. project

3.2.3.1.2. org / folder

3.2.3.1.3. Future

3.2.3.2. note: must delete bindings before values or keys

3.2.3.3. Max 50 bindings per resource

3.2.3.4. example

3.2.3.4.1. Tags add the matrix flexibility to a GCP hierarchy

3.2.4. Wait for propagation latency

3.2.4.1. usual 1 min

3.2.4.2. up to 7 min

3.2.5. Set tag based conditions

3.2.5.1. in policies

3.2.5.1.1. Organization policies

3.2.5.1.2. IAM conditional policies

3.2.5.2. to

3.2.5.2.1. allow

3.2.5.2.2. deny

3.2.5.3. Terraform

3.2.5.3.1. 2021-06-10: issue 9341, google_organization_policy support for conditional expressions
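The procedure in 3.2 (create key-values on the organization, secure them with the tag roles, bind them to a project, then condition an org policy and an IAM binding on the tag) carried through end to end in Terraform, as an added example that is not part of the mind map. The organization, folder and project numbers and the group addresses are placeholders; the tag key `env` with values `prod` and `sandbox` is a constructed instance of the "Environment orientation" the map describes, layered on a hierarchy whose primary orientation is something else.

```hcl
# Added example, not from the original mind map. All ids and groups below are placeholders.
locals {
  org_id         = "123456789012" # placeholder organization id
  folder_id      = "345678901234" # placeholder folder id
  project_number = "567890123456" # placeholder project number
}

# 3.2.1: tag keys are organization resources; the parent must be organizations/{org_id}.
resource "google_tags_tag_key" "env" {
  parent      = "organizations/${local.org_id}"
  short_name  = "env"
  description = "Environment axis complementing the hierarchy's primary orientation"
}

resource "google_tags_tag_value" "prod" {
  parent     = google_tags_tag_key.env.id
  short_name = "prod"
}

resource "google_tags_tag_value" "sandbox" {
  parent     = google_tags_tag_key.env.id
  short_name = "sandbox"
}

# 3.2.2: only a named group may attach env=prod (tagUser); tagAdmin stays separate.
resource "google_tags_tag_value_iam_member" "prod_user" {
  tag_value = google_tags_tag_value.prod.id
  role      = "roles/resourcemanager.tagUser"
  member    = "group:platform-team@example.com" # placeholder group
}

# 3.2.3: bind env=prod to a project (max 50 bindings per resource).
# Terraform destroys this binding before the value and key because of the references,
# which matches the "delete bindings before values or keys" rule.
resource "google_tags_tag_binding" "project_env_prod" {
  parent    = "//cloudresourcemanager.googleapis.com/projects/${local.project_number}"
  tag_value = google_tags_tag_value.prod.id
}

# 3.2.5 (org policy): deny external IPs on VMs only where env=prod; the unconditional
# second rule keeps the default for everything else under the folder.
# Tag propagation (usually ~1 min, up to ~7 min) must complete before the condition matches.
resource "google_org_policy_policy" "no_external_ip_in_prod" {
  name   = "folders/${local.folder_id}/policies/compute.vmExternalIpAccess"
  parent = "folders/${local.folder_id}"

  spec {
    rules {
      condition {
        title      = "prod only"
        expression = "resource.matchTag('${local.org_id}/env', 'prod')"
      }
      deny_all = "TRUE"
    }
    rules {
      allow_all = "TRUE"
    }
  }
}

# 3.2.5 (IAM condition): grant a role on the folder, but only for resources tagged env=sandbox.
resource "google_folder_iam_member" "sandbox_instance_admin" {
  folder = "folders/${local.folder_id}"
  role   = "roles/compute.instanceAdmin.v1"
  member = "group:developers@example.com" # placeholder group
  condition {
    title      = "sandbox only"
    expression = "resource.matchTag('${local.org_id}/env', 'sandbox')"
  }
}
```

The two conditions reference the key as `ORG_ID/env` with the value's short name, which is how CEL tag matching names a tag in both org policies and IAM conditions. Because IAM is allow-only and cannot block what a parent grants, the restrictive half of the design is carried by the org policy rule; the IAM condition only narrows where a grant applies.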

4. Ref

4.1. API

4.1.1. REST Resource: tagKeys

4.1.2. REST Resource: tagBindings

4.2. CEL language specification

4.3. Conditions

4.3.1. Setting an organization policy with tags

4.3.2. IAM policies with conditions

4.4. Org Policies

4.4.1. Organization Policy Constraints

4.4.2. Restricting Resource Locations

4.4.3. Using constraints

4.5. Labels

4.5.1. Creating and managing labels