forked from GoogleCloudPlatform/policy-library
-
Notifications
You must be signed in to change notification settings - Fork 0
/
enforce_label.yaml
53 lines (52 loc) · 2.33 KB
/
enforce_label.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPEnforceLabelConstraintV1
metadata:
name: require_labels
annotations:
description: Checks that labels are set for all resources (or a subset of resources)
and that they match a certain regular expression pattern.
spec:
severity: high
match:
ancestries:
- "organizations/**"
parameters:
# required parameter: list of label objects that resources should have.
# A label object is composed of a key value pair like:
#
# "label_key": "label_value_regex_to_match"
#
# Any missing label results in a violation. For instance a resource with no label1 or label2 label,
# in this sample case, would raise 2 violations: one for label1 being absent and one for label2.
#
# In the same spirit, a resource with label1 or label2 present, but with values not matching their respective regex
# would also raise one violation per mismatch.
#
# In the following example, valid values for a label named "label1" would be only "label1-value",
# but a label named label2 could have various values like "label2-value", "label2-valueOK" etc.
#
# A violation is raised if the label value does not match the pattern passed as a parameter here.
mandatory_labels:
- "label1": "^label1-value$"
- "label2": "^label2-value.*$"
# optional parameter: list of resource types to scan for labels
# any resource that is not of these types will not raise any violation.
# In this sample use case, only non-compliant projects and buckets would be flagged.
# If not passed, all tested resource types would be scanned for (see template for full list)
resource_types_to_scan:
- "cloudresourcemanager.googleapis.com/Project"
- "storage.googleapis.com/Bucket"