google_organization_policy
Use the google_organization_policy
InSpec audit resource to test constraints set on a GCP organization.
Syntax
Organization policies constrain how GCP services may be used across the resource hierarchy (an organization and the folders and projects beneath it). The available constraints are documented at https://cloud.google.com/resource-manager/docs/organization-policy/understanding-constraints
A google_organization_policy resource block declares the tests for a single organization policy, identified by the pair of the organization name (organizations/ORG_ID) and the constraint name:
describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/compute.disableGuestAttributesAccess') do
it { should exist }
its('boolean_policy.enforced') { should be true }
end
Examples
The following examples show how to use this InSpec audit resource.
Test that a GCP organization has a specific constraint enforced
describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/compute.disableGuestAttributesAccess') do
it { should exist }
its('boolean_policy.enforced') { should be true }
end
Test that a GCP organization has certain values allowed for a list constraint
describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/someListConstraint') do
it { should exist }
its('list_policy.allowed_values') { should include 'included_val' }
its('list_policy.allowed_values') { should_not include 'excluded' }
its('list_policy.denied_values') { should include 'denied' }
end
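The two examples above test one boolean constraint and one list constraint. A real profile usually checks a baseline of several constraints, and two cases trip up naive checks: a list constraint that is set with allValues (ALLOW or DENY) rather than explicit values, so allowed_values and denied_values are both empty, and a constraint with no policy set at all, which the Cloud Resource Manager v1 getOrgPolicy call returns as a policy object carrying neither a boolean nor a list policy. The plain-Ruby model below is an added example written for this page, not code from inspec-gcp; it runs offline against constructed fixtures shaped like getOrgPolicy responses and applies the same checks the describe blocks above express, with those two cases handled. The baseline in REQUIRED is hypothetical.

```ruby
require 'json'

# Constructed fixtures shaped like Cloud Resource Manager v1 getOrgPolicy
# responses (camelCase keys), keyed by constraint name. Made up for this
# example; not captured from a real organization.
ORG_POLICIES = JSON.parse(<<~'JSON')
  {
    "constraints/compute.disableGuestAttributesAccess": {
      "constraint": "constraints/compute.disableGuestAttributesAccess",
      "updateTime": "2024-01-10T12:00:00Z",
      "booleanPolicy": { "enforced": true }
    },
    "constraints/compute.vmExternalIpAccess": {
      "constraint": "constraints/compute.vmExternalIpAccess",
      "updateTime": "2024-01-10T12:00:00Z",
      "listPolicy": { "allValues": "DENY" }
    },
    "constraints/gcp.resourceLocations": {
      "constraint": "constraints/gcp.resourceLocations",
      "updateTime": "2024-01-10T12:00:00Z",
      "listPolicy": { "allowedValues": ["in:europe-locations"] }
    },
    "constraints/iam.disableServiceAccountKeyCreation": {
      "constraint": "constraints/iam.disableServiceAccountKeyCreation"
    }
  }
JSON

# Hypothetical baseline: what the organization is expected to enforce.
REQUIRED = [
  { constraint: 'constraints/compute.disableGuestAttributesAccess', enforced: true },
  { constraint: 'constraints/iam.disableServiceAccountKeyCreation', enforced: true },
  { constraint: 'constraints/compute.vmExternalIpAccess', deny_all: true },
  { constraint: 'constraints/gcp.resourceLocations',
    allowed_include: ['in:europe-locations'], allowed_exclude: ['in:us-locations'] }
].freeze

# Evaluate one constraint's policy against its expectation.
# Returns an array of failure messages; empty means the check passed.
def check_policy(policy, expectation)
  name = expectation[:constraint]
  return ["#{name}: no policy returned"] if policy.nil?

  failures = []
  bool_policy = policy['booleanPolicy']
  list_policy = policy['listPolicy']

  if expectation.key?(:enforced)
    # `enforced` exists only on boolean policies. An unset constraint comes
    # back with neither policy type, so enforced is nil rather than false;
    # report that explicitly instead of silently treating nil as "not enforced".
    enforced = bool_policy && bool_policy['enforced']
    if enforced.nil?
      failures << "#{name}: not a boolean policy or no policy set"
    elsif enforced != expectation[:enforced]
      failures << "#{name}: enforced is #{enforced}, expected #{expectation[:enforced]}"
    end
  end

  if expectation[:deny_all]
    # A list constraint may deny everything via allValues: DENY, in which case
    # deniedValues is absent; checking denied_values alone would miss it.
    all_values = list_policy && list_policy['allValues']
    failures << "#{name}: expected allValues DENY, got #{all_values.inspect}" unless all_values == 'DENY'
  end

  allowed = (list_policy && list_policy['allowedValues']) || []
  Array(expectation[:allowed_include]).each do |v|
    failures << "#{name}: allowed_values missing #{v}" unless allowed.include?(v)
  end
  Array(expectation[:allowed_exclude]).each do |v|
    failures << "#{name}: allowed_values must not include #{v}" if allowed.include?(v)
  end
  failures
end

# Run every expectation in the baseline; returns constraint => failures.
def audit(policies, required)
  required.each_with_object({}) do |exp, report|
    report[exp[:constraint]] = check_policy(policies[exp[:constraint]], exp)
  end
end

if $PROGRAM_NAME == __FILE__
  audit(ORG_POLICIES, REQUIRED).each do |constraint, failures|
    puts "#{failures.empty? ? 'PASS' : 'FAIL'} #{constraint}"
    failures.each { |f| puts "  - #{f}" }
  end
end
```

With these fixtures the iam.disableServiceAccountKeyCreation check fails because no policy is set, which is the finding you want rather than a nil quietly comparing unequal to true. In an InSpec profile the equivalent is an `its('boolean_policy.enforced') { should be true }` per required constraint, which likewise fails on nil; for a list constraint enforced through allValues, do not rely on allowed_values or denied_values containing anything.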
Properties
update_time
: The time stamp at which this policy was last updated.
boolean_policy
: Present only for constraints that are boolean policies.
  enforced
  : Whether the policy is enforced (true or false).
list_policy
: Present only for constraints that are list policies.
  allowed_values
  : List of values explicitly allowed at this resource.
  denied_values
  : List of values explicitly denied at this resource.
GCP Permissions
Ensure the Cloud Resource Manager API is enabled for the project whose credentials InSpec uses. Reading an organization policy also requires the orgpolicy.policy.get permission on the organization being audited (granted, for example, by roles/orgpolicy.policyViewer).