Control types for @turbot/gcp-orgpolicy
- GCP > Project > Organization Policy
- GCP > Project > Organization Policy > Allowed VPC Connector egress settings (Cloud Functions)
- GCP > Project > Organization Policy > Allowed ingress settings (Cloud Functions)
- GCP > Project > Organization Policy > Compute Storage resource use restrictions (Compute Engine disks, images, and snapshots)
- GCP > Project > Organization Policy > Define allowed external IPs for VM instances
- GCP > Project > Organization Policy > Define allowed root certificate authority [Deprecated]
- GCP > Project > Organization Policy > Define trusted image projects
- GCP > Project > Organization Policy > Disable Automatic IAM Grants for Default Service Accounts
- GCP > Project > Organization Policy > Disable Cloud Logging
- GCP > Project > Organization Policy > Disable Guest Attributes of Compute Engine metadata
- GCP > Project > Organization Policy > Disable Internet Network Endpoint Groups
- GCP > Project > Organization Policy > Disable Service Account Key Upload
- GCP > Project > Organization Policy > Disable Source Code Download
- GCP > Project > Organization Policy > Disable VM nested virtualization
- GCP > Project > Organization Policy > Disable VM serial port access
- GCP > Project > Organization Policy > Disable VM serial port logging to Stackdriver
- GCP > Project > Organization Policy > Disable Workload Identity Cluster Creation
- GCP > Project > Organization Policy > Disable service account creation
- GCP > Project > Organization Policy > Disable service account key creation
- GCP > Project > Organization Policy > Domain restricted sharing
- GCP > Project > Organization Policy > Enforce Public Access Prevention
- GCP > Project > Organization Policy > Enforce uniform bucket-level access
- GCP > Project > Organization Policy > Google Cloud Platform - Resource Location Restriction
- GCP > Project > Organization Policy > Require OS Login
- GCP > Project > Organization Policy > Require VPC Connector (Cloud Functions)
- GCP > Project > Organization Policy > Restrict Authorized Networks on Cloud SQL instances
- GCP > Project > Organization Policy > Restrict Cloud NAT usage
- GCP > Project > Organization Policy > Restrict Load Balancer Creation Based on Load Balancer Types
- GCP > Project > Organization Policy > Restrict Protocol Forwarding Based on type of IP Address
- GCP > Project > Organization Policy > Restrict Public IP access on Cloud SQL instances
- GCP > Project > Organization Policy > Restrict Shared VPC Host Projects
- GCP > Project > Organization Policy > Restrict Shared VPC Subnetworks
- GCP > Project > Organization Policy > Restrict VM IP Forwarding
- GCP > Project > Organization Policy > Restrict VPC peering usage
- GCP > Project > Organization Policy > Restrict allowed Google Cloud APIs and services
- GCP > Project > Organization Policy > Restrict default Google-managed encryption on Cloud SQL instances [Deprecated]
- GCP > Project > Organization Policy > Restrict shared VPC project lien removal
- GCP > Project > Organization Policy > Retention policy duration in seconds
- GCP > Project > Organization Policy > Shielded VMs
- GCP > Project > Organization Policy > Skip default network creation
GCP > Project > Organization Policy
tmod:@turbot/gcp-orgpolicy#/control/types/organizationPolicyGCP > Project > Organization Policy > Allowed VPC Connector egress settings (Cloud Functions)
Manage the GCP Organization Policy "Allowed VPC Connector egress settings (Cloud Functions)" for the project.
This list constraint defines the allowed VPC Connector egress settings for deployment of a Cloud Function. When this constraint is enforced, functions will be required to have VPC Connector egress settings that match one of the allowed values.
By default, Cloud Functions can use any VPC Connector egress settings. VPC Connector egress settings must be specified in the allowed list using the values of the VpcConnectorEgressSettings enum.
tmod:@turbot/gcp-orgpolicy#/control/types/cloudfunctionsAllowedVpcConnectorEgressSettingsGCP > Project > Organization Policy > Allowed ingress settings (Cloud Functions)
Manage the GCP Organization Policy "Allowed ingress settings (Cloud Functions)" for the project.
This list constraint defines the allowed ingress settings for deployment of a Cloud Function. When this constraint is enforced, functions will be required to have ingress settings that match one of the allowed values. By default, Cloud Functions can use any ingress settings.
Ingress settings must be specified in the allowed list using the values of the IngressSettings enum.
tmod:@turbot/gcp-orgpolicy#/control/types/cloudfunctionsAllowedIngressSettingsGCP > Project > Organization Policy > Compute Storage resource use restrictions (Compute Engine disks, images, and snapshots)
Manage the GCP Organization Policy "Compute Storage resource use restrictions (Compute Engine disks, images, and snapshots)" for the project.
This list constraint defines a set of projects that are allowed to use Compute Engine's storage resources. By default, anyone with appropriate Cloud IAM permissions can access Compute Engine resources. When using this constraint, users must have Cloud IAM permissions, and they must not be restricted by the constraint to access the resource.
Projects, folders, and organizations specified in allowed or denied lists must be in the form: under:projects/PROJECT_ID, under:folders/FOLDER_ID, under:organizations/ORGANIZATION_ID.
tmod:@turbot/gcp-orgpolicy#/control/types/computeStorageResourceUseRestrictionsGCP > Project > Organization Policy > Define allowed external IPs for VM instances
Manage the GCP Organization Policy "Define allowed external IPs for VM instances" for the project.
This list constraint defines the set of Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses.
The allowed/denied list of VM instances must be identified by the VM instance name, in the form: projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
tmod:@turbot/gcp-orgpolicy#/control/types/computeVmExternalIpAccessGCP > Project > Organization Policy > Define allowed root certificate authority [Deprecated]
Manage the GCP Organization Policy "Define allowed root certificate authority" for the project. BETA: This list constraint defines the set of trusted root certificate authorities from which the issued public certificates can be added to Cloud IAM Service Accounts. By default, all public certificates are allowed to be uploaded to Cloud IAM Service Accounts. If this constraint is active, only public certificates issued by the root certificate authorities in the allowed list will be eligible to be added to Cloud IAM service accounts. Note: This control has been deprecated in v5.1.0 and will be removed in the next major version.
tmod:@turbot/gcp-orgpolicy#/control/types/iamAllowedPublicCertificateTrustedRootCaGCP > Project > Organization Policy > Define trusted image projects
Manage the GCP Organization Policy "Define trusted image projects" for the project.
This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. By default, instances can be created from images in any project that shares images publicly or explicitly with the user.
The allowed/denied list of publisher projects must be strings in the form: projects/PROJECT_ID. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.
tmod:@turbot/gcp-orgpolicy#/control/types/computeTrustedImageProjectsGCP > Project > Organization Policy > Disable Automatic IAM Grants for Default Service Accounts
Manage the GCP Organization Policy "Disable Automatic IAM Grants for Default Service Accounts" for the project.
This boolean constraint, when enforced, prevents the default App Engine and Compute Engine service accounts that are created in your projects from being automatically granted any IAM role on the project when the accounts are created.
By default, these service accounts automatically receive the Editor role when they are created.
tmod:@turbot/gcp-orgpolicy#/control/types/iamAutomaticIamGrantsForDefaultServiceAccountsGCP > Project > Organization Policy > Disable Cloud Logging
Manage the GCP Organization Policy "Disable Cloud Logging" for the project.
Disables Cloud Logging in the organization, project, or folder where this constraint is enforced. Audit logs aren't affected by this constraint. Logs generated before the constraint is enforced are not deleted and could still be accessed.
This constraint is only supported in Cloud Healthcare API.
tmod:@turbot/gcp-orgpolicy#/control/types/gcpDisableCloudLoggingGCP > Project > Organization Policy > Disable Guest Attributes of Compute Engine metadata
Manage the GCP Organization Policy "Disable Guest Attributes of Compute Engine metadata" for the project.
This boolean constraint disables Compute Engine API access to the Guest Attributes of Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True.
By default, the Compute Engine API can be used to access Compute Engine VM guest attributes.
tmod:@turbot/gcp-orgpolicy#/control/types/computeDisableGuestAttributesAccessGCP > Project > Organization Policy > Disable Internet Network Endpoint Groups
Manage the GCP Organization Policy "Disable Internet Network Endpoint Groups" for the project.
This boolean constraint restricts whether a user can create Internet Network Endpoint Groups (NEG) with a type of INTERNET_FQDN_PORT and INTERNET_IP_PORT.
By default, any user with appropriate IAM permissions can create Intenet NEGs in any project.
tmod:@turbot/gcp-orgpolicy#/control/types/computeDisableInternetNetworkEndpointGroupGCP > Project > Organization Policy > Disable Service Account Key Upload
Manage the GCP Organization Policy "Disable Service Account Key Upload" for the project.
This boolean constraint disables the feature that allows uploading public key to service account where this constraint is set to True.
By default, users can upload public key to service account based on their Cloud IAM roles and permissions.
tmod:@turbot/gcp-orgpolicy#/control/types/iamDisableServiceAccountKeyUploadGCP > Project > Organization Policy > Disable Source Code Download
Manage the GCP Organization Policy "Disable Source Code Download" for the project.
Disables code downloads of source code previously uploaded to App Engine.
tmod:@turbot/gcp-orgpolicy#/control/types/appengineDisableCodeDownloadGCP > Project > Organization Policy > Disable VM nested virtualization
Manage the GCP Organization Policy "Disable VM nested virtualization" for the project.
This boolean constraint disables hardware-accelerated nested virtualization for all Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True.
By default, hardware-accelerated nested virtualization is allowed for all Compute Engine VMs running on Intel Haswell or newer CPU platforms.
tmod:@turbot/gcp-orgpolicy#/control/types/computeDisableNestedVirtualizationGCP > Project > Organization Policy > Disable VM serial port access
Manage the GCP Organization Policy "Disable VM serial port access" for the project.
This boolean constraint disables serial port access to Compute Engine VMs belonging to the organization, project, or folder where this constraint is set to True.
By default, customers can enable serial port access for Compute Engine VMs on a per-VM or per-project basis using metadata attributes.
Enforcing this constraint will disable serial port access for Compute Engine VMs, regardless of the metadata attributes.
tmod:@turbot/gcp-orgpolicy#/control/types/computeDisableSerialPortAccessGCP > Project > Organization Policy > Disable VM serial port logging to Stackdriver
Manage the GCP Organization Policy "Disable VM serial port logging to Stackdriver" for the project.
This boolean constraint disables serial port logging to Stackdriver from Compute Engine VMs belonging to the organization, project, or folder where this constraint is being enforced.
By default, serial port logging for Compute Engine VMs is disabled, and can be selectively enabled on a per-VM or per-project basis using metadata attributes. When enforced, this constraint
disables serial port logging for new Compute Engine VMs whenever a new VM is created, as well as preventing users from changing the metadata attribute of any VMs (old or new) to True.
tmod:@turbot/gcp-orgpolicy#/control/types/computeDisableSerialPortLoggingGCP > Project > Organization Policy > Disable Workload Identity Cluster Creation
Manage the GCP Organization Policy "Disable Workload Identity Cluster Creation" for the project.
This boolean constraint, when set to True, requires that all new GKE clusters have Workload Identity disabled at creation time. Existing GKE clusters with Workload Identity already enabled will continue to work as usual.
By default, Workload Identity can be enabled for any GKE cluster.
tmod:@turbot/gcp-orgpolicy#/control/types/iamDisableWorkloadIdentityClusterCreationGCP > Project > Organization Policy > Disable service account creation
Manage the GCP Organization Policy "Disable service account creation" for the project.
This boolean constraint disables the creation of service accounts where this constraint is set to True.
By default, service accounts can be created by users based on their Cloud IAM roles and permissions.
tmod:@turbot/gcp-orgpolicy#/control/types/iamDisableServiceAccountCreationGCP > Project > Organization Policy > Disable service account key creation
Manage the GCP Organization Policy "Disable service account key creation" for the project.
This boolean constraint disables the creation of service account external keys where this constraint is set to True.
By default, service account external keys can be created by users based on their Cloud IAM roles and permissions.
tmod:@turbot/gcp-orgpolicy#/control/types/iamDisableServiceAccountKeyCreationGCP > Project > Organization Policy > Domain restricted sharing
Manage the GCP Organization Policy "Domain restricted sharing" for the project.
This list constraint defines the set of members that can be added to Cloud IAM policies. By default, all user identities are allowed to be added to Cloud IAM policies. The allowed/denied list must specify one or more Cloud Identity or G Suite customer IDs. If this constraint is active, only identities in the allowed list will be eligible to be added to Cloud IAM policies.
tmod:@turbot/gcp-orgpolicy#/control/types/iamAllowedPolicyMemberDomainsGCP > Project > Organization Policy > Enforce Public Access Prevention
Manage the GCP Organization Policy "Enforce Public Access Prevention" for the project.
Secure your Cloud Storage data from public exposure by enforcing public access prevention.
This governance policy prevents existing and future resources from being accessed via the public internet by disabling and blocking ACLs and IAM permissions that grant access to allUsers and allAuthenticatedUsers. Enforce this policy on the entire organization (recommended), specific projects, or specific folders to ensure no data is publicly exposed.
This policy overrides existing public permissions. Public access will be revoked for existing buckets and objects after this policy is enabled.
tmod:@turbot/gcp-orgpolicy#/control/types/storagePublicAccessPreventionGCP > Project > Organization Policy > Enforce uniform bucket-level access
Manage the GCP Organization Policy "Enforce uniform bucket-level access" for the project.
This boolean constraint requires buckets to use uniform bucket-level access where this constraint is set to True. Any new bucket in the Organization resource must have uniform
bucket-level access enabled, and no existing buckets in the organization resource can disable uniform bucket-level access.
Enforcement of this constraint is not retroactive: existing buckets with uniform bucket-level access disabled continue to have it disabled. The default value for this constraint is False.
Uniform bucket-level access disables the evaluation of ACLs assigned to Cloud Storage objects in the bucket. Consequently, only IAM policies grant access to objects in these buckets.
tmod:@turbot/gcp-orgpolicy#/control/types/storageUniformBucketLevelAccessGCP > Project > Organization Policy > Google Cloud Platform - Resource Location Restriction
Manage the GCP Organization Policy "Google Cloud Platform - Resource Location Restriction" for the project.
This list constraint defines the set of locations where location-based GCP resources can be created. Policies for this constraint can specify multi-regions such as asia and europe, regions such as us-east1 or europe-west1 as allowed or denied locations. Every location to be allowed or denied must be listed explicitly. Allowing or denying a multi-region does not imply that all included sub-locations should also be allowed or denied.
For example, if the policy denies the us region, resources can still be created in the regional location us-east1. You can specify value groups, collections of locations that are curated by Google to provide a simple way to define your resource locations. To use value groups in your organization policy, prefix your entries with the string in:, followed by the value group. If the suggested_value field is used in a location policy, it should be a region. If the value specified is a region, a UI for a zonal resource may pre-populate any zone in that region. By default, resources can be created in any location.
tmod:@turbot/gcp-orgpolicy#/control/types/gcpResourceLocationsGCP > Project > Organization Policy > Require OS Login
Manage the GCP Organization Policy "Require OS Login" for the project.
This boolean constraint, when set to true, enables OS Login on all newly created Projects. All VM instances created in new projects will have OS Login enabled. On new and existing projects, this constraint prevents metadata updates that disable OS Login at the project or instance level.
By default, the OS Login feature is disabled on Compute Engine projects.GKE instances do not currently support OS Login. If this constraint is applied to a Project, GKE instances running in that Project may not function properly.
tmod:@turbot/gcp-orgpolicy#/control/types/computeRequireOsLoginGCP > Project > Organization Policy > Require VPC Connector (Cloud Functions)
Manage the GCP Organization Policy "Require VPC Connector (Cloud Functions)" for the project.
This boolean constraint enforces setting a VPC Connector when deploying a Cloud Function. When this constraint is enforced, functions will be required to specify a VPC Connector.
By default, specifying a VPC Connector is not required to deploy a Cloud Function.
tmod:@turbot/gcp-orgpolicy#/control/types/cloudfunctionsRequireVpcConnectorGCP > Project > Organization Policy > Restrict Authorized Networks on Cloud SQL instances
Manage the GCP Organization Policy "Restrict Authorized Networks on Cloud SQL instances" for the project.
This boolean constraint restricts adding Authorized Networks for unproxied database access to Cloud SQL instances where this constraint is set to True.
This constraint is not retroactive, Cloud SQL instances with existing Authorized Networks will still work even after this constraint is enforced.
By default, Authorized Networks can be added to Cloud SQL instances.
tmod:@turbot/gcp-orgpolicy#/control/types/sqlRestrictAuthorizedNetworksGCP > Project > Organization Policy > Restrict Cloud NAT usage
Manage the GCP Organization Policy "Restrict Cloud NAT usage" for the project.
This list constraint defines the set of subnetworks that are allowed to use Cloud NAT. By default, all subnetworks are allowed to use Cloud NAT.
The allowed/denied list of subnetworks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/regions/REGION_NAME/subnetworks/SUBNETWORK_NAME.
tmod:@turbot/gcp-orgpolicy#/control/types/computeRestrictCloudNatUsageGCP > Project > Organization Policy > Restrict Load Balancer Creation Based on Load Balancer Types
Manage the GCP Organization Policy "Restrict Load Balancer Creation Based on Load Balancer Types" for the project.
This list constraint defines the set of load balancer types which can be created for an organization, folder, or project. Every load balancer type to be allowed or denied must be listed explicitly. By default, creation of all types of load balancers is allowed.
The list of allowed or denied values must be identified as the string name of a load balancer, and can only include values from the list below:
INTERNAL_TCP_UDPINTERNAL_HTTP_HTTPSEXTERNAL_NETWORK_TCP_UDPEXTERNAL_TCP_PROXYEXTERNAL_SSL_PROXYEXTERNAL_HTTP_HTTPSTo include all internal or all external load balancer types, use the in: prefix followed by INTERNAL or EXTERNAL. For example, allowing in:INTERNAL will allow all load balancer types from the above list that include INTERNAL.
tmod:@turbot/gcp-orgpolicy#/control/types/computeRestrictLoadBalancerCreationForTypesGCP > Project > Organization Policy > Restrict Protocol Forwarding Based on type of IP Address
Manage the GCP Organization Policy "Restrict Protocol Forwarding Based on type of IP Address" for the project.
This list constraint defines the type of protocol forwarding rule objects with target instance that a user can create. When this constraint is enforced, new forwarding rule objects with target instance will be limited to internal and/or external IP addresses, based on the types specified.
The types to be allowed or denied must be listed explicitly. By default, creation of both internal and external protocol forwarding rule objects with target instance are allowed.
The list of allowed or denied values can only include values from the list below:
INTERNAL EXTERNALtmod:@turbot/gcp-orgpolicy#/control/types/computeRestrictProtocolForwardingCreationForTypesGCP > Project > Organization Policy > Restrict Public IP access on Cloud SQL instances
Manage the GCP Organization Policy "Restrict Public IP access on Cloud SQL instances" for the project.
This boolean constraint restricts configuring Public IP on Cloud SQL instances where this constraint is set to True. This constraint is not retroactive, Cloud SQL instances with existing Public IP access will still work even after this constraint is enforced.
By default, Public IP access is allowed to Cloud SQL instances.
tmod:@turbot/gcp-orgpolicy#/control/types/sqlRestrictPublicIpGCP > Project > Organization Policy > Restrict Shared VPC Host Projects
Manage the GCP Organization Policy "Restrict Shared VPC Host Projects" for the project.
This list constraint defines the set of Shared VPC host projects that projects at or below this resource can attach to. By default, a project can attach to any host project in the same organization, thereby becoming a service project.
Projects, folders, and organizations in allowed/denied lists affect all objects underneath them in the resource hierarchy, and must be specified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID.
tmod:@turbot/gcp-orgpolicy#/control/types/computeRestrictSharedVpcHostProjectsGCP > Project > Organization Policy > Restrict Shared VPC Subnetworks
Manage the GCP Organization Policy "Restrict Shared VPC Subnetworks" for the project.
This list constraint defines the set of shared VPC subnetworks that eligible resources can use. This constraint does not apply to resources within the same project. By default, eligible resources can use any shared VPC subnetwork.
The allowed/denied list of subnetworks must be specified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/regions/REGION/subnetworks/SUBNETWORK-NAME.
tmod:@turbot/gcp-orgpolicy#/control/types/computeRestrictSharedVpcSubnetworksGCP > Project > Organization Policy > Restrict VM IP Forwarding
Manage the GCP Organization Policy "Restrict VM IP Forwarding" for the project.
This list constraint defines the set of VM instances that can enable IP forwarding. By default, any VM can enable IP forwarding in any virtual network.
VM instances must be specified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/zones/ZONE/instances/INSTANCE-NAME.
tmod:@turbot/gcp-orgpolicy#/control/types/computeVmCanIpForwardGCP > Project > Organization Policy > Restrict VPC peering usage
Manage the GCP Organization Policy "Restrict VPC peering usage" for the project.
This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization. By default, a Network Admin for one network can peer with any other network.
The allowed/denied list of networks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME. This constraint is retroactive.
tmod:@turbot/gcp-orgpolicy#/control/types/computeRestrictVpcPeeringGCP > Project > Organization Policy > Restrict allowed Google Cloud APIs and services
Manage the GCP Organization Policy "Restrict allowed Google Cloud APIs and services" for the project.
This list constraint restricts the set of services and their APIs that can be enabled on this resource. By default, all services are allowed. The denied list of services must come from the list below. Explicitly enabling APIs via this constraint is not currently supported.
Specifying an API not in this list will result in an error.
compute.googleapis.com deploymentmanager.googleapis.com dns.googleapis.com doubleclicksearch.googleapis.com replicapool.googleapis.com replicapoolupdater.googleapis.com resourceviews.googleapis.comEnforcement of this constraint is not retroactive. If a service is already enabled on a resource when this constraint is enforced, it will remain enabled.
tmod:@turbot/gcp-orgpolicy#/control/types/serviceuserServicesGCP > Project > Organization Policy > Restrict default Google-managed encryption on Cloud SQL instances [Deprecated]
Manage the GCP Organization Policy "Restrict default Google-managed encryption on Cloud SQL instances" for the project. This boolean constraint, when set to True, requires all newly created, restarted, or updated Cloud SQL instances to use customer-managed encryption keys (CMEK). It is not retroactive (meaning existing instances with Google-managed encryption are not impacted unless they are updated or refreshed).
By default, this constraint is set to False and Google-managed encryption is allowed for Cloud SQL instances. Note: This control has been deprecated in v5.1.0 and will be removed in the next major version.
tmod:@turbot/gcp-orgpolicy#/control/types/sqlDisableDefaultEncryptionCreationGCP > Project > Organization Policy > Restrict shared VPC project lien removal
Manage the GCP Organization Policy "Restrict shared VPC project lien removal" for the project.
This boolean constraint restricts the set of users that can remove a Shared VPC project lien without organization-level permission where this constraint is set to True.
By default, any user with the permission to update liens can remove a Shared VPC project lien. Enforcing this constraint requires that permission be granted at the organization level.
tmod:@turbot/gcp-orgpolicy#/control/types/computeRestrictXpnProjectLienRemovalGCP > Project > Organization Policy > Retention policy duration in seconds
Manage the GCP Organization Policy "Retention policy duration in seconds" for the project.
This list constraint defines the set of durations for retention policies that can be set on Cloud Storage buckets. By default, if no organization policy is specified, a Cloud Storage bucket can have a retention policy of any duration. The list of allowed durations must be specified as a positive integer value greater than zero, representing the retention policy in seconds.
Any insert, update, or patch operation on a bucket in the organization resource must have a retention policy duration that matches the constraint. Enforcement of this constraint is not retroactive. When a new organization policy is applied, the retention policy of existing buckets remain unchanged and valid.
tmod:@turbot/gcp-orgpolicy#/control/types/storageRetentionPolicySecondsGCP > Project > Organization Policy > Shielded VMs
Manage the GCP Organization Policy "Shielded VMs" for the project.
This boolean constraint, when set to True, requires that all new Compute Engine VM instances use Shielded disk images with Secure Boot, vTPM, and Integrity Monitoring options enabled.
Secure Boot can be disabled after creation, if desired. Existing running instances will continue to work as usual. By default, Shielded VM features do not need to be enabled in order to create Compute Engine VM instances.
Shielded VM features add verifiable integrity and exfiltration resistance to your VMs.
tmod:@turbot/gcp-orgpolicy#/control/types/computeRequireShieldedVmGCP > Project > Organization Policy > Skip default network creation
Manage the GCP Organization Policy "Skip default network creation" for the project.
This boolean constraint skips the creation of the default network and related resources during Google Cloud Platform Project resource creation where this constraint is set to True.
By default, a default network and supporting resources are automatically created when creating a Project resource.
tmod:@turbot/gcp-orgpolicy#/control/types/computeSkipDefaultNetworkCreation