From f0b5af8a68a95cf35200a9c3dfba890bb5b5e94c Mon Sep 17 00:00:00 2001 From: ScaleSec Automation Bot <55104509+scalesec-automation-bot@users.noreply.github.com> Date: Fri, 20 Dec 2024 19:00:11 -0500 Subject: [PATCH] Org Policy Update Detected on 2024-12-21 --- policies/org_policy.json | 113 +++++++++++++++++++++++++++++++++------ 1 file changed, 96 insertions(+), 17 deletions(-) diff --git a/policies/org_policy.json b/policies/org_policy.json index 5ca5920..0e73ffb 100644 --- a/policies/org_policy.json +++ b/policies/org_policy.json @@ -30,8 +30,8 @@ }, { "name": "constraints/ainotebooks.environmentOptions", - "displayName": "Restrict environment options on new Vertex AI Workbench notebooks and instances", - "description": "This list constraint defines the VM and container image options a user can select when creating new Vertex AI Workbench notebooks and instances where this constraint is enforced. The options to be allowed or denied must be listed explicitly.The expected format for VM instances is ainotebooks-vm/PROJECT_ID/IMAGE_TYPE/CONSTRAINED_VALUE. Replace IMAGE_TYPE with image-family or image-name. Examples: ainotebooks-vm/deeplearning-platform-release/image-family/pytorch-1-4-cpu, ainotebooks-vm/deeplearning-platform-release/image-name/pytorch-latest-cpu-20200615.The expected format for container images will be ainotebooks-container/CONTAINER_REPOSITORY:TAG. Examples: ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:latest, ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:m48.", + "displayName": "Restrict environment options on new Vertex AI Workbench user-managed notebooks", + "description": "This list constraint defines the VM and container image options a user can select when creating new Vertex AI Workbench user-managed notebooks. The options to be allowed or denied must be listed explicitly.The expected format for VM instances is ainotebooks-vm/PROJECT_ID/IMAGE_TYPE/CONSTRAINED_VALUE. Replace IMAGE_TYPE with image-family or image-name. Examples: ainotebooks-vm/deeplearning-platform-release/image-family/pytorch-1-4-cpu, ainotebooks-vm/deeplearning-platform-release/image-name/pytorch-latest-cpu-20200615.The expected format for container images will be ainotebooks-container/CONTAINER_REPOSITORY:TAG. Examples: ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:latest, ainotebooks-container/gcr.io/deeplearning-platform-release/tf-gpu.1-15:m48.", "constraintDefault": "ALLOW", "listConstraint": {} }, @@ -109,6 +109,20 @@ "constraintDefault": "DENY", "booleanConstraint": {} }, + { + "name": "constraints/cloudbuild.useBuildServiceAccount", + "displayName": "Use default service account (Cloud Build)", + "description": "This boolean constraint, when enforced, allows the legacy Cloud Build service account to be used by default.", + "constraintDefault": "DENY", + "booleanConstraint": {} + }, + { + "name": "constraints/cloudbuild.useComputeServiceAccount", + "displayName": "Use Compute Engine Service Account by Default (Cloud Build)", + "description": "This boolean constraint, when enforced, allows the Compute Engine service account to be used by default.", + "constraintDefault": "DENY", + "booleanConstraint": {} + }, { "name": "constraints/clouddeploy.disableServiceLabelGeneration", "displayName": "Disable Cloud Deploy service labels", @@ -228,6 +242,13 @@ "constraintDefault": "ALLOW", "booleanConstraint": {} }, + { + "name": "constraints/compute.requireOsConfig", + "displayName": "Require OS Config", + "description": "This boolean constraint, when enforced, enables VM Manager (OS Config) on all new projects. All VM instances created in new projects will have VM Manager enabled. On new and existing projects, this constraint prevents metadata updates that disable VM Manager at the project or instance level. By default, VM Manager is disabled on Compute Engine projects.", + "constraintDefault": "ALLOW", + "booleanConstraint": {} + }, { "name": "constraints/compute.requireShieldedVm", "displayName": "Shielded VMs", @@ -296,14 +317,14 @@ { "name": "constraints/gcp.resourceLocations", "displayName": "Google Cloud Platform - Resource Location Restriction", - "description": "This list constraint defines the set of locations where location-based Google Cloud resources can be created. By default, resources can be created in any location. Policies for this constraint can specify multi-regions such as asia and europe, regions such as us-east1 or europe-west1 as allowed or denied locations. Allowing or denying a multi-region does not imply that all included sub-locations should also be allowed or denied. For example, if the policy denies the us multi-region (which refers to multi-region resources, like some storage services), resources can still be created in the regional location us-east1. On the other hand, the in:us-locations group contains all locations within the us region, and can be used to block every region. We recommend using value groups to define your policy. You can specify value groups, collections of locations that are curated by Google to provide a simple way to define your resource locations. To use value groups in your organization policy, prefix your entries with the string in:, followed by the value group. For example, to create resources that will only be physically located within the US, set in:us-locations in the list of allowed values.If the suggested_value field is used in a location policy, it should be a region. If the value specified is a region, a UI for a zonal resource may pre-populate any zone in that region. ", + "description": "This list constraint defines the set of locations where location-based Google Cloud resources can be created. Important: The information on this page does not describe Google Cloud Platform's data location commitments for Customer Data (as defined in the agreement under which Google has agreed to provide Google Cloud Platform services and as described in the Google Cloud Platform Services Summary at https://cloud.google.com/terms/services) to its customers. For the list of Google Cloud Platform services for which Customer Data location may be selected by customers, see Google Cloud Platform Services with Data Residency at https://cloud.google.com/terms/data-residency. By default, resources can be created in any location. For a full list of supported services, see https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations-supported-services. Policies for this constraint can specify multi-regions such as asia and europe, regions such as us-east1 or europe-west1 as allowed or denied locations. Allowing or denying a multi-region does not imply that all included sub-locations should also be allowed or denied. For example, if the policy denies the us multi-region (which refers to multi-region resources, like some storage services), resources can still be created in the regional location us-east1. On the other hand, the in:us-locations group contains all locations within the us region, and can be used to block every region. We recommend using value groups to define your policy. You can specify value groups, collections of locations that are curated by Google to provide a simple way to define your resource locations. To use value groups in your organization policy, prefix your entries with the string in:, followed by the value group. For example, to create resources that will only be physically located within the US, set in:us-locations in the list of allowed values. If the suggested_value field is used in a location policy, it should be a region. If the value specified is a region, a UI for a zonal resource may pre-populate any zone in that region. ", "constraintDefault": "ALLOW", "listConstraint": {} }, { "name": "constraints/gcp.restrictCmekCryptoKeyProjects", "displayName": "Restrict which projects may supply KMS CryptoKeys for CMEK", - "description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.", + "description": "This list constraint defines which projects may be used to supply Customer-Managed Encryption Keys (CMEK) when creating resources. Setting this constraint to Allow (i.e. only allow CMEK keys from these projects) ensures that CMEK keys from other projects cannot be used to protect newly created resources. Values for this constraint must be specified in the form of under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, or projects/PROJECT_ID. Supported services that enforce this constraint are: [aiplatform.googleapis.com, alloydb.googleapis.com, apigee.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, datafusion.googleapis.com, dataproc.googleapis.com, discoveryengine.googleapis.com, documentai.googleapis.com, file.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, redis.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, securesourcemanager.googleapis.com, spanner.googleapis.com, speech.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, workstations.googleapis.com]. Enforcement of this constraint may grow over time to include additional services. Use caution when applying this constraint to projects, folders, or organizations where a mix of supported and unsupported services are used. Setting this constraint to Deny or Deny All is not permitted. Enforcement of this constraint is not retroactive. Existing CMEK Google Cloud resources with KMS CryptoKeys from disallowed projects must be reconfigured or recreated manually to ensure enforcement.", "constraintDefault": "ALLOW", "listConstraint": { "supportsUnder": true @@ -312,7 +333,7 @@ { "name": "constraints/gcp.restrictNonCmekServices", "displayName": "Restrict which services may create resources without CMEK", - "description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. Supported services that can be set in this constraint are: [aiplatform.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, dataproc.googleapis.com, documentai.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, spanner.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.", + "description": "This list constraint defines which services require Customer-Managed Encryption Keys (CMEK). Setting this constraint to Deny (i.e. deny resource creation without CMEK) requires that, for the specified services, newly created resources must be protected by a CMEK key. Supported services that can be set in this constraint are: [aiplatform.googleapis.com, alloydb.googleapis.com, apigee.googleapis.com, artifactregistry.googleapis.com, bigquery.googleapis.com, bigquerydatatransfer.googleapis.com, bigtable.googleapis.com, cloudfunctions.googleapis.com, composer.googleapis.com, compute.googleapis.com, container.googleapis.com, dataflow.googleapis.com, datafusion.googleapis.com, dataproc.googleapis.com, discoveryengine.googleapis.com, documentai.googleapis.com, file.googleapis.com, firestore.googleapis.com, integrations.googleapis.com, logging.googleapis.com, notebooks.googleapis.com, pubsub.googleapis.com, redis.googleapis.com, run.googleapis.com, secretmanager.googleapis.com, securesourcemanager.googleapis.com, spanner.googleapis.com, speech.googleapis.com, sqladmin.googleapis.com, storage.googleapis.com, storagetransfer.googleapis.com, workstations.googleapis.com]. Setting this constraint to Deny All is not permitted. Setting this constraint to Allow is not permitted. Enforcement of this constraint is not retroactive. Existing non-CMEK Google Cloud resources must be reconfigured or recreated manually to ensure enforcement.", "constraintDefault": "ALLOW", "listConstraint": {} }, @@ -347,7 +368,7 @@ { "name": "constraints/iam.disableServiceAccountKeyCreation", "displayName": "Disable service account key creation", - "description": "This boolean constraint disables the creation of service account external keys where this constraint is set to `True`. By default, service account external keys can be created by users based on their Cloud IAM roles and permissions.", + "description": "This boolean constraint, when enforced, disables the creation of service account external keys and Cloud Storage HMAC keys. By default, service account external keys can be created by users based on their Cloud IAM roles and permissions.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -361,7 +382,7 @@ { "name": "constraints/iam.automaticIamGrantsForDefaultServiceAccounts", "displayName": "Disable Automatic IAM Grants for Default Service Accounts", - "description": "This boolean constraint, when enforced, prevents the default App Engine and Compute Engine service accounts that are created in your projects from being automatically granted any IAM role on the project when the accounts are created. By default, these service accounts automatically receive the Editor role when they are created.", + "description": "This boolean constraint, when enforced, prevents the default App Engine and Compute Engine service accounts that are created in your projects from being automatically granted any IAM role on the project when the accounts are created. By default, these service accounts automatically receive the Editor role when they are created. To learn about default service accounts, see https://cloud.google.com/iam/help/service-accounts/default. To learn which roles to grant instead of the Editor role, see https://cloud.google.com/iam/help/service-accounts/troubleshoot-roles-default.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -476,6 +497,13 @@ "constraintDefault": "ALLOW", "listConstraint": {} }, + { + "name": "constraints/storage.softDeletePolicySeconds", + "displayName": "Cloud Storage - soft delete policy retention duration in seconds", + "description": "This constraint defines the allowable retention durations for soft delete policies set on Cloud Storage buckets where this constraint is enforced. Any insert, update, or patch operation on a bucket where this constraint is enforced must have a soft delete policy duration that matches the constraint. When a new organization policy is enforced, the soft delete policy of existing buckets remains unchanged and valid. By default, if no organization policy is specified, a Cloud Storage bucket can have a soft delete policy of any duration.", + "constraintDefault": "ALLOW", + "listConstraint": {} + }, { "name": "constraints/storage.restrictAuthTypes", "displayName": "Cloud Storage - restrict authentication types", @@ -502,7 +530,7 @@ { "name": "constraints/compute.restrictVpcPeering", "displayName": "Restrict VPC peering usage", - "description": "This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization. By default, a Network Admin for one network can peer with any other network. The allowed/denied list of networks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.", + "description": "This list constraint defines the set of VPC networks that are allowed to be peered with the VPC networks belonging to this project, folder, or organization. Each peering end is required to have peering permission. By default, a Network Admin for one network can peer with any other network. The allowed/denied list of networks must be identified in the form: under:organizations/ORGANIZATION_ID, under:folders/FOLDER_ID, under:projects/PROJECT_ID, or projects/PROJECT_ID/global/networks/NETWORK_NAME.", "constraintDefault": "ALLOW", "listConstraint": { "supportsUnder": true @@ -620,7 +648,7 @@ { "name": "constraints/gcp.restrictTLSVersion", "displayName": "Restrict TLS Versions", - "description": "This constraint defines the set of TLS versions that cannot be used on the organization, folder, or project where this constraint is enforced, or any of that resource's children in the resource hierarchy. By default, all TLS versions are allowed. TLS versions can only be specified in the denied list, and must be identified in the form TLS_VERSION_1 or TLS_VERSION_1_1.This constraint is only applied to requests using TLS. It will not be used to restrict unencrpyted requests. For more information, see https://cloud.google.com/assured-workloads/docs/restrict-tls-versions.", + "description": "This constraint defines the set of TLS versions that cannot be used on the organization, folder, or project where this constraint is enforced, or any of that resource's children in the resource hierarchy. By default, all TLS versions are allowed. TLS versions can only be specified in the denied list, and must be identified in the form TLS_VERSION_1 or TLS_VERSION_1_1.This constraint is only applied to requests using TLS. It will not be used to restrict unencrypted requests. For more information, see https://cloud.google.com/assured-workloads/docs/restrict-tls-versions.", "constraintDefault": "ALLOW", "listConstraint": {} }, @@ -701,7 +729,7 @@ { "name": "constraints/storage.publicAccessPrevention", "displayName": "Enforce Public Access Prevention", - "description": "Secure your Cloud Storage data from public exposure by enforcing public access prevention. This governance policy prevents existing and future resources from being accessed via the public internet by disabling and blocking ACLs and IAM permissions that grant access to allUsers and allAuthenticatedUsers. Enforce this policy on the entire organization (recommended), specific projects, or specific folders to ensure no data is publicly exposed.This policy overrides existing public permissions. Public access will be revoked for existing buckets and objects after this policy is enabled.", + "description": "Secure your Cloud Storage data from public exposure by enforcing public access prevention. This governance policy prevents existing and future resources from being accessed via the public internet by disabling and blocking ACLs and IAM permissions that grant access to allUsers and allAuthenticatedUsers. Enforce this policy on the entire organization (recommended), specific projects, or specific folders to ensure no data is publicly exposed.This policy overrides existing public permissions. Public access will be revoked for existing buckets and objects after this policy is enabled. For more details on the effects of changing enforcement of this constraint on resources, please see: https://cloud.google.com/storage/docs/public-access-prevention.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -722,7 +750,7 @@ { "name": "constraints/compute.disableHybridCloudIpv6", "displayName": "Disable Hybrid Cloud IPv6 usage", - "description": "This boolean constraint, when set to True, disables the creation of or update to hybrid cloud resources including Cloud Router, Interconnect Attachments, and Cloud VPN with a stack_type of IPV4_IPV6. By default, anyone with appropriate Cloud IAM permissions can create or update hybrid cloud resources with stack_type of IPV4_IPV6 in any projects, folders and organizations.", + "description": "This boolean constraint, when enforced, disables the creation of, or updates to, hybrid cloud resources including Interconnect Attachments and Cloud VPN gateways with a stack_type of IPV4_IPV6 or IPV6_ONLY, or a gatewayIpVersion of IPv6. If enforced on a Cloud Router resource, the ability to create IPv6 Border Gateway Protocol (BGP) sessions and the ability to enable IPv6 route exchange over IPv4 BGP sessions are disabled. By default, anyone with appropriate Cloud IAM permissions can create or update hybrid cloud resources with stack_type of IPV4_IPV6 in projects, folders, and organizations.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -819,8 +847,8 @@ }, { "name": "constraints/compute.disableSshInBrowser", - "displayName": "Disable SSH in browser", - "description": "This boolean constraint disables the SSH-in-browser tool in the Cloud Console. When enforced, the SSH-in-browser button is disabled. By default, using the SSH-in-browser tool is allowed.", + "displayName": "Disable SSH-in-browser", + "description": "This boolean constraint disables the SSH-in-browser tool in the Cloud Console for VMs that use OS Login and App Engine flexible environment VMs. When enforced, the SSH-in-browser button is disabled. By default, using the SSH-in-browser tool is allowed.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -834,14 +862,14 @@ { "name": "constraints/commerceorggovernance.marketplaceServices", "displayName": "Restrict access on marketplace services", - "description": "This list constraint defines the set of services allowed for marketplace organizations, and can only include values from the list below: [PRIVATE_MARKETPLACE, IAAS_PROCUREMENT]. If PRIVATE_MARKETPLACE is in the allowed value list, the private marketplace is enabled. If the IAAS_PROCUREMENT is in the allowed value list, the IaaS procurement governance experience is enabled for all products. By default, the private marketplace is disabled and the IaaS procurement governance experience is disabled. Also, the IAAS_PROCUREMENT policy works independently from the Request Procurement governance capability, which is specifically for SaaS products listed on the marketplace.", + "description": "This list constraint defines the set of services allowed for marketplace organizations, and can only include values from the list below: [PRIVATE_MARKETPLACE, IAAS_PROCUREMENT]. If the IAAS_PROCUREMENT is in the allowed value list, the IaaS procurement governance experience is enabled for all products. By default, the IaaS procurement governance experience is turned off. The IAAS_PROCUREMENT policy works independently from the Request Procurement governance capability, which is specifically for SaaS products listed on Cloud Marketplace.Note: The PRIVATE_MARKETPLACE value is no longer supported and using it has no effect. To turn on Google Private Marketplace, you must follow the instructions at https://cloud.google.com/marketplace/docs/governance/enable-private-marketplace.", "constraintDefault": "DENY", "listConstraint": {} }, { "name": "constraints/commerceorggovernance.disablePublicMarketplace", - "displayName": "Disable Public Marketplace", - "description": "This boolean constraint, when enforced, disables public marketplace for all users under the org. By default, public marketplace access is enabled for the org.", + "displayName": "Disable public marketplace", + "description": "This boolean constraint, when enforced, turns off {{marketplace_name}} for all users under the organization. By default, public marketplace access is turned on for the organization. This policy only works when the Private Marketplace is enabled (https://cloud.google.com/marketplace/docs/governance/enable-private-marketplace).Important: For the most optimal experience, we strongly recommend that you use the marketplace user access restrictions feature, as described in https://cloud.google.com/marketplace/docs/governance/strict-user-access to prevent unauthorized use of the marketplace in your organization, instead of doing so via this organization policy.", "constraintDefault": "ALLOW", "booleanConstraint": {} }, @@ -876,9 +904,60 @@ { "name": "constraints/iam.serviceAccountKeyExposureResponse", "displayName": "Service account key exposure response", - "description": "This list constraint defines the response taken if Google detects that a service account key is exposed publicly. By default, there is no response. The allowed values are DISABLE_KEY and WAIT_FOR_ABUSE. Values not explicitly part of this list cannot be used. Only one allowed value can be specified, and denied values are not supported. Allowing the DISABLE_KEY value automatically disables any publicly exposed service account key, and creates an entry in the audit log. Allowing the WAIT_FOR_ABUSE value opts out of this protection, and does not disable exposed service account keys automatically. However, Google Cloud may disable exposed service account keys if they are used in ways that adversely affect the platform, but makes no promise to do so. To enforce this constraint, set it to replace the parent policy in the Google Cloud Console, or set inheritFromParent=false in the policy file if using the gcloud CLI. This constraint can't be merged with a parent policy. ", + "description": "This list constraint defines the response taken if Google detects that a service account key is exposed publicly. If not set, defaults to the behavior described for DISABLE_KEY. The allowed values are DISABLE_KEY and WAIT_FOR_ABUSE. Values not explicitly part of this list cannot be used. Only one allowed value can be specified, and denied values are not supported. Allowing the DISABLE_KEY value automatically disables any publicly exposed service account key, and creates an entry in the audit log. Allowing the WAIT_FOR_ABUSE value opts out of this protection, and does not disable exposed service account keys automatically. However, Google Cloud may disable exposed service account keys if they are used in ways that adversely affect the platform, but makes no promise to do so. To enforce this constraint, set it to replace the parent policy in the Google Cloud Console, or set inheritFromParent=false in the policy file if using the gcloud CLI. This constraint can't be merged with a parent policy. ", "constraintDefault": "DENY", "listConstraint": {} + }, + { + "name": "constraints/compute.requireBasicQuotaInResponse", + "displayName": "Disable fail-open behavior for list methods that display quota information for a region", + "description": "This boolean constraint, when enforced, disables the fail-open behavior on server-side failures for regions.list, regions.get, and projects.get methods. That means that if the quota information is unavailable, these methods fail when the constraint is enforced. By default, these methods succeed on server-side failures and display a warning message when the quota information is unavailable.", + "constraintDefault": "ALLOW", + "booleanConstraint": {} + }, + { + "name": "constraints/vertexai.allowedGenAIModels", + "displayName": "Define access to Google proprietary generative AI models on Vertex AI", + "description": "This list constraint defines the set of generative AI models and features allowed to be used in Vertex AI APIs. The values of the allowlist should follow the format model_id:feature_family. For example, publishers/google/models/text-bison:predict. This list constraint only restricts access to Google proprietary generative AI models, and does not effect third-party proprietary models or open source models. The constraint vertexai.allowedModels can be used to define access to a broader set of models including Google proprietary models, third-party proprietary models, and open source models. By default, all models can be used in Vertex AI APIs.", + "constraintDefault": "ALLOW", + "listConstraint": {} + }, + { + "name": "constraints/vertexai.allowedModels", + "displayName": "Define access to models on Vertex AI", + "description": "This list constraint defines the set of models and features allowed to be used in Vertex AI APIs. The values of the allowlist should follow the format \"model_id:feature_family\", for example \"publishers/google/models/gemini-1.0-pro:predict\". By default, all models can be used in Vertex AI APIs.", + "constraintDefault": "ALLOW", + "listConstraint": {} + }, + { + "name": "constraints/iam.managed.allowedPolicyMembers", + "displayName": "Restrict Allowed Policy Members in IAM Allow Policies", + "description": "This constraint defines the set of members that can be granted IAM roles in your organization. You can specify the allowed members by specifying an organization principalSet or by specifying individual members. Specifying an organization principalSet allows all identities that are associated with that organization (including Workspace accounts, Workspace groups, service accounts, workforce pool identities, workload pool identities, and service agents) to be granted roles in your organization. Your organization principalSet is not added automatically. To ensure that identities from your organization can be added to allow policies in your organization, you must specify your organization as one of the allowed principal sets. Specifying individual members allows only those members (and associated aliases) to be granted roles in your organization. When you specify individual users, you must include the principal type prefix (for example, 'user:' or 'serviceAccount:').", + "constraintDefault": "ALLOW" + }, + { + "name": "constraints/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts", + "displayName": "Prevent Privileged Basic Roles for Default Service Accounts", + "description": "When this constraint is enforced, it prevents anyone from granting the Editor role (roles/editor) or the Owner role (roles/owner) to the Compute Engine and App Engine default service accounts, at any time. To learn more about default service accounts, see https://cloud.google.com/iam/help/service-accounts/default. Enforcing this constraint prevents the default service accounts from automatically being granted the Editor role (roles/editor). This might cause permission issues for services that use these service accounts. To learn which roles to grant to each service account, see https://cloud.google.com/iam/help/service-accounts/troubleshoot-roles-default.", + "constraintDefault": "ALLOW" + }, + { + "name": "constraints/iam.managed.disableServiceAccountKeyCreation", + "displayName": "Disable service account key creation", + "description": "This constraint, when enforced, blocks service account key creation.", + "constraintDefault": "ALLOW" + }, + { + "name": "constraints/iam.managed.disableServiceAccountKeyUpload", + "displayName": "Disable Service Account Key Upload", + "description": "This boolean constraint disables the feature that allows uploading public keys to service accounts where this constraint is set to `True`. By default, users can upload public keys to service accounts based on their Cloud IAM roles and permissions.", + "constraintDefault": "ALLOW" + }, + { + "name": "constraints/essentialcontacts.managed.allowedContactDomains", + "displayName": "Restrict Contact Domains", + "description": "This constraint defines the set of allowed domains that email addresses added to Essential Contacts can have. By default, email addresses with any domain can be added to Essential Contacts. The allowedDomains list must specify one or more domains of the form @example.com. If this constraint is enforced, only email addresses with a suffix matching one of the entries from the list of allowed domains can be added in Essential Contacts. This constraint has no effect on updating or removing existing contacts.", + "constraintDefault": "ALLOW" } ] } \ No newline at end of file