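#!/bin/bash
##################################################
##
## Create and Configure GCP project for Doc AI+BQ
##
## Creates PROJECT_ID, links it to BILLING_ACCOUNT_ID and then relaxes,
## at project level only, the org policies this sample needs. Each
## policy change below loosens an organization guardrail (VPC peering,
## Shielded VM, external IPs, function ingress, IAM member domains,
## service-account key creation); review them against your own
## baseline before running outside a sandbox project.
##
## Required env vars, provided by ./config.sh:
##   USER_EMAIL, PROJECT_ID, BILLING_ACCOUNT_ID
##
##################################################
# abort on the first failing gcloud call instead of continuing to
# apply policies to a project that may not exist or have billing
set -euo pipefail

# shellcheck disable=SC1091
# source the previously set env variables
source ./config.sh

# fail before any gcloud call if config.sh did not set what we need
: "${USER_EMAIL:?must be set in config.sh}"
: "${PROJECT_ID:?must be set in config.sh}"
: "${BILLING_ACCOUNT_ID:?must be set in config.sh}"

# policy documents are written to a private temp file rather than
# ./new_policy.yaml, so nothing is left behind in the working directory
policy_file=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -f -- "${policy_file}"' EXIT

#######################################
# Apply the policy document currently in $policy_file to the project.
# Globals:   PROJECT_ID, policy_file (read)
# Returns:   gcloud's exit status (exits the script under set -e)
#######################################
apply_policy_file() {
  gcloud resource-manager org-policies set-policy \
    --project="${PROJECT_ID}" "${policy_file}"
}

#######################################
# Set a list constraint to allow all values at project level.
# Arguments: $1 - constraint name without the "constraints/" prefix
# Globals:   policy_file (written), PROJECT_ID (read)
#######################################
allow_all_values() {
  local constraint=$1
  # allValues must be nested under listPolicy for gcloud to parse it
  cat <<EOF > "${policy_file}"
constraint: constraints/${constraint}
listPolicy:
  allValues: ALLOW
EOF
  apply_policy_file
}

# prompt user to login
gcloud auth login "${USER_EMAIL}"
##################################################
##
## Project
##
##################################################
# re-running against an existing project must not abort under set -e
if gcloud projects describe "${PROJECT_ID}" >/dev/null 2>&1; then
  echo "Project ${PROJECT_ID} already exists, reusing it"
else
  echo "Creating new project"
  gcloud projects create "${PROJECT_ID}"
fi
echo "Setting default project"
gcloud config set project "${PROJECT_ID}"
##################################################
##
## Billing
##
##################################################
echo "Assigning billing account"
gcloud beta billing projects link "${PROJECT_ID}" --billing-account="${BILLING_ACCOUNT_ID}"
##################################################
##
## Org Policies
##
##################################################
echo "Configuring org policies at project level"
# allow VPC peering with any network
allow_all_values compute.restrictVpcPeering
#disable the shielded vm requirement
gcloud resource-manager org-policies disable-enforce \
  compute.requireShieldedVm --project="${PROJECT_ID}"
#allow external IPs for app engine
allow_all_values compute.vmExternalIpAccess
#enable Cloud Function
allow_all_values cloudfunctions.allowedIngressSettings
# lifts the restriction on which identity domains may be granted IAM
# roles in this project; the broadest change in this script
allow_all_values iam.allowedPolicyMemberDomains
#enable Key creation
# NOTE(review): the Resource Manager v1 field is spelled booleanPolicy;
# confirm gcloud accepts this snake_case spelling before relying on it
cat <<EOF > "${policy_file}"
constraint: constraints/iam.disableServiceAccountKeyCreation
boolean_policy:
  enforced: false
EOF
apply_policy_file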