Migrate workloads
This page describes how to run a compliance analysis on an existing project before migrating it into an Assured Workloads folder. The analysis compares the source project with the destination folder to identify changes that may be needed before or after the move. For example, if you are moving a project into an Assured Workloads folder configured for FedRAMP Moderate, you can proactively resolve any potential compliance violations before moving the project.
The move analysis returns the following kinds of findings:
- The source project uses unsupported products or services.
- The source project contains resources in disallowed locations.
- The source project has organization policy constraint values that are incompatible with the destination.
Understand these findings before attempting the migration. By default, an Assured Workloads folder can only contain resource types from services that the folder's compliance program supports. If your project contains resources from services that the folder's compliance program does not support, you may need to redeploy or remove those resources.
You can change the default list of supported services by changing the resource usage restriction organization policy on the Assured Workloads folder, which allows non-compliant services to be deployed in the folder. However, the background compliance checks ignore non-compliant services and their resources, so enabling an unsupported service means accepting the risk that it makes your workload non-compliant.
Before you begin
- Gather the resource IDs of the source project and the destination workload.
- Grant or verify IAM permissions on the source project and the destination workload so that the caller is authorized to perform the migration.
Required IAM permissions
To run the migration analysis, the caller must be granted IAM permissions either through a predefined role that includes a broader set of permissions, or through a custom role that grants only the minimum required permissions.
The following permissions are required:
- assuredworkloads.workload.get on the destination workload
- cloudasset.assets.searchAllResources on the source project
- orgpolicy.policy.get on both the source project and the destination Assured Workloads folder
Run the migration analysis
When you run the analysis on a source project and a destination Assured Workloads folder, address all findings before moving the project into the destination folder. Findings do not prevent you from moving the project, but they can cause compliance violations in the destination Assured Workloads folder.
Findings come in two types:
- Warning: A warning is returned when the source project may be incompatible with the destination and could cause a compliance violation. Investigate warnings to determine whether the incompatibility is acceptable before migration or should be resolved.
- Blocker: A blocker is returned when a violation is detected between the source project and the destination. Blockers must be resolved before migrating.
The following kinds of findings are reported:
Resource locations: Many compliance programs enforce location restrictions on resources to meet compliance requirements; for example, your source project contains resources in a disallowed location. To resolve this, move the affected resources to an allowed location, delete them, or modify the gcp.resourceLocations organization policy constraint setting on the destination.
Unsupported products and services: Each compliance program supports a specific set of Google Cloud products and services. If your project uses a service that the destination Assured Workloads folder's compliance program does not support, that service is listed as a finding.
Organization policy constraints: Your source project may have organization policy constraint values that differ from the effective policy on the destination Assured Workloads folder, or that do not meet the destination compliance program. This analysis runs only for the constraints relevant to the destination Assured Workloads folder's compliance program; not all constraint values on the project are evaluated. Several results are possible, including:
- Your project is incompatible with the effective policy at the destination.
- Your project has organization policy constraint values that are not set at the destination (or vice versa).
- Your project has organization policy constraint values that do not meet the destination compliance program.
If a blocker is found for an organization policy constraint, the response includes the expected value that meets the destination compliance program's requirements. You can use these expected values to change the project before migrating. To resolve this, identify which organization policy constraint needs to be modified and make the necessary change.
Analyze moving a project into an Assured Workloads folder
The analyzeWorkloadMove method analyzes the move of a source project into a destination Assured Workloads folder.
In the request example below, replace the following parameters with your own values:
- ENDPOINT_URI: The Assured Workloads service endpoint URI. This must be the regional endpoint of the destination workload, for example https://us-west1-assuredworkloads.googleapis.com
- DESTINATION_ORGANIZATION_ID: The organization ID of the destination workload that the source project will be migrated into. For example: 919698201234
- DESTINATION_LOCATION_ID: The location ID of the destination workload that the source project will be migrated into. For example: us-west1
- DESTINATION_WORKLOAD_ID: The ID of the destination workload that the source project will be migrated into. For example: 00-701ea036-7152-4780-a867-9f5
- SOURCE_PROJECT_ID: Query parameter for the ID of the source project to migrate. For example: my-project-123
- ASSET_TYPES: Optional. One query parameter per asset type, to filter the results to the specified types only. For example: cloudresourcemanager.googleapis.com/Project
- PAGE_SIZE: Optional. Query parameter for the number of results to return per page. For example: 5
- PAGE_TOKEN: Optional. Query parameter for the token used to continue paginated results. For example: CiAKGjBpNDd2Nmp2Zml2cXRwYjBpOXA
HTTP method, URL, and query parameters:
GET https://[ENDPOINT_URI]/v1/organizations/[DESTINATION_ORGANIZATION_ID]/locations/[DESTINATION_LOCATION_ID]/workloads/[DESTINATION_WORKLOAD_ID]:analyzeWorkloadMove?project=projects/SOURCE_PROJECT_ID&page_size=PAGE_SIZE&page_token=PAGE_TOKEN
For example:
GET https://assuredworkloads.googleapis.com/v1/organizations/919698298765/locations/us-west1/workloads/00-701ea036-7152-4781-a867-9f5:analyzeWorkloadMove?project=projects/my-project-123&page_size=5&page_token=CiAKGjBpNDd2Nmp2Zml2cXRwYjBpOXA
You should receive a JSON response similar to the following. Each entry in assetMoveAnalyses is one asset of the source project; findings are grouped under analysisGroups (RESOURCE_LOCATIONS, DISALLOWED_SERVICES, ORG_POLICIES) as warnings or blockers, and a nextPageToken is returned when more results are available:
{
  "assetMoveAnalyses": [
    {
      "asset": "//orgpolicy.googleapis.com/projects/130536381852/policies/container.restrictNoncompliantDiagnosticDataAccess",
      "assetType": "orgpolicy.googleapis.com/Policy"
    },
    {
      "asset": "//compute.googleapis.com/projects/my-project-123/global/routes/default-route-9ca6e6b0ab7326f0",
      "assetType": "compute.googleapis.com/Route",
      "analysisGroups": [
        {
          "displayName": "RESOURCE_LOCATIONS",
          "analysisResult": {
            "warnings": [
              { "detail": "The asset's location 'global' is incompatible with the gcp.resourceLocations org policy effective at the target. In case of 'global only' assets, this may be ignored." }
            ]
          }
        }
      ]
    },
    {
      "asset": "//compute.googleapis.com/projects/my-project-123/regions/europe-west10/subnetworks/default",
      "assetType": "compute.googleapis.com/Subnetwork",
      "analysisGroups": [
        {
          "displayName": "RESOURCE_LOCATIONS",
          "analysisResult": {
            "blockers": [
              { "detail": "The asset's location 'europe-west10' is incompatible with the gcp.resourceLocations org policy effective at the target." }
            ]
          }
        }
      ]
    },
    {
      "asset": "//serviceusage.googleapis.com/projects/130536381852/services/servicemanagement.googleapis.com",
      "assetType": "serviceusage.googleapis.com/Service"
    },
    {
      "asset": "//serviceusage.googleapis.com/projects/130536381852/services/monitoring.googleapis.com",
      "assetType": "serviceusage.googleapis.com/Service"
    },
    {
      "asset": "//serviceusage.googleapis.com/projects/130536381852/services/bigquerymigration.googleapis.com",
      "assetType": "serviceusage.googleapis.com/Service",
      "analysisGroups": [
        {
          "displayName": "DISALLOWED_SERVICES",
          "analysisResult": {
            "warnings": [
              { "detail": "This service is not allowed by the gcp.restrictServiceUsage org policy effective at the target" }
            ]
          }
        }
      ]
    },
    {
      "asset": "//cloudresourcemanager.googleapis.com/projects/my-project-123",
      "assetType": "cloudresourcemanager.googleapis.com/Project",
      "analysisGroups": [
        {
          "displayName": "ORG_POLICIES",
          "analysisResult": {
            "warnings": [
              { "detail": "constraints/gcp.resourceLocations: Target applies/inherits this custom policy and it is not applied by the source. Upon moving, this policy will get inherited from the target." },
              { "detail": "constraints/compute.disableInstanceDataAccessApis: Source applies this custom policy and it is not applied by the target." },
              { "detail": "constraints/cloudkms.allowedProtectionLevels: Source and target set different values for this policy." },
              { "detail": "constraints/container.restrictNoncompliantDiagnosticDataAccess: Source and target set different values for this policy." },
              { "detail": "constraints/gcp.restrictServiceUsage: Target applies/inherits this custom policy and it is not applied by the source. Upon moving, this policy will get inherited from the target." }
            ],
            "blockers": [
              { "detail": "constraints/gcp.resourceLocations: The value applied at the source is not compliant with the target compliance program. The expected allowed values are [us-west4, us-west1, us-west2, us-west3, us-central1, us-east1, us-east4, us-south1, us-central2, us-east5]." },
              { "detail": "constraints/container.restrictNoncompliantDiagnosticDataAccess: The value applied at the source is not compliant with the target compliance program. The expected value is [true]." },
              { "detail": "constraints/container.restrictTLSVersion: The value applied at the source is not compliant with the target compliance program. The expected denied values are [TLS_VERSION_1, TLS_VERSION_1_1]." }
            ]
          }
        }
      ]
    }
  ],
  "nextPageToken": "Ch8wLDc0MzY3NTExNCwzMzg4ODM1NTM2NDQ0NTg4MDMy"
}
To filter the results to a specific asset type, use the asset_types query parameter:
GET https://assuredworkloads.googleapis.com/v1/organizations/919698298765/locations/us-west1/workloads/00-701ea036-7152-4781-a867-9f5:analyzeWorkloadMove?project=projects/my-project-123&asset_types=cloudresourcemanager.googleapis.com/Project&page_size=5&page_token=CiAKGjBpNDd2Nmp2Zml2cXRwYjBpOXA
The results then include only findings for the specified type (cloudresourcemanager.googleapis.com/Project):
{
  "assetMoveAnalyses": [
    {
      "asset": "//cloudresourcemanager.googleapis.com/projects/my-project-123",
      "assetType": "cloudresourcemanager.googleapis.com/Project",
      "analysisGroups": [
        {
          "displayName": "ORG_POLICIES",
          "analysisResult": {
            "warnings": [
              { "detail": "constraints/gcp.resourceLocations: Target applies/inherits this custom policy and it is not applied by the source. Upon moving, this policy will get inherited from the target." },
              { "detail": "constraints/compute.disableInstanceDataAccessApis: Source applies this custom policy and it is not applied by the target." }
            ],
            "blockers": [
              { "detail": "constraints/gcp.resourceLocations: The value applied at the source is not compliant with the target compliance program. The expected allowed values are [us-west4, us-west1, us-west2, us-west3, us-central1, us-east1, us-east4, us-south1, us-central2, us-east5]." }
            ]
          }
        }
      ]
    }
  ],
  "nextPageToken": "Ch8wLDc0MzY3NTExNCwzMzg4ODM1NTM2NDQ0NTg4MDMy"
}
To filter the results by multiple asset types, add each asset type as an additional asset_types query parameter:
GET https://assuredworkloads.googleapis.com/v1/organizations/919698298765/locations/us-west1/workloads/00-701ea036-7152-4781-a867-9f5:analyzeWorkloadMove?project=projects/my-project-123&asset_types=cloudresourcemanager.googleapis.com/Project&asset_types=serviceusage.googleapis.com/Service&page_size=5&page_token=CiAKGjBpNDd2Nmp2Zml2cXRwYjBpOXA
The results then include only findings for the specified types (cloudresourcemanager.googleapis.com/Project and serviceusage.googleapis.com/Service):
{
  "assetMoveAnalyses": [
    {
      "asset": "//serviceusage.googleapis.com/projects/130536381852/services/bigquerymigration.googleapis.com",
      "assetType": "serviceusage.googleapis.com/Service",
      "analysisGroups": [
        {
          "displayName": "DISALLOWED_SERVICES",
          "analysisResult": {
            "warnings": [
              { "detail": "This service is not allowed by the gcp.restrictServiceUsage org policy effective at the target" }
            ]
          }
        }
      ]
    },
    {
      "asset": "//cloudresourcemanager.googleapis.com/projects/my-project-123",
      "assetType": "cloudresourcemanager.googleapis.com/Project",
      "analysisGroups": [
        {
          "displayName": "ORG_POLICIES",
          "analysisResult": {
            "warnings": [
              { "detail": "constraints/gcp.resourceLocations: Target applies/inherits this custom policy and it is not applied by the source. Upon moving, this policy will get inherited from the target." },
              { "detail": "constraints/compute.disableInstanceDataAccessApis: Source applies this custom policy and it is not applied by the target." }
            ],
            "blockers": [
              { "detail": "constraints/gcp.resourceLocations: The value applied at the source is not compliant with the target compliance program. The expected allowed values are [us-west4, us-west1, us-west2, us-west3, us-central1, us-east1, us-east4, us-south1, us-central2, us-east5]." }
            ]
          }
        }
      ]
    }
  ],
  "nextPageToken": "Ch8wLDc0MzY3NTExNCwzMzg4ODM1NTM2NDQ0NTg4MDMy"
}
After running the migration analysis, review and resolve any warnings or blockers, then run the analysis again to verify that they have been resolved. Only then proceed with moving the project.
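As an added example (not code from the Assured Workloads documentation or client libraries), the following Python script automates the procedure above: it builds the analyzeWorkloadMove URL exactly as documented, follows nextPageToken until the analysis is exhausted, and turns the findings into a go/no-go decision in which blockers gate the move, warnings are listed for review, and the expected values in ORG_POLICIES blockers are parsed out so they can be applied to the source project before re-running the analysis. The HTTP layer is an injected `fetch(url)` callable so the script runs offline; `offline_fetch` and `SAMPLE_PAGES` are constructed stand-ins shaped like the responses on this page (the organization, workload and project IDs are the page's placeholders, not real resources). In practice you would replace `offline_fetch` with an authenticated GET against the regional endpoint, using a credential that holds the permissions listed under Required IAM permissions.

```python
"""Gate a project move on its analyzeWorkloadMove findings (added example, not Google code)."""
import re
from typing import Callable, Iterable, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Parses the expected values out of an ORG_POLICIES blocker, e.g.
# "constraints/gcp.resourceLocations: ... The expected allowed values are [us-west1, us-west2]."
EXPECTED_RE = re.compile(
    r"^constraints/(?P<constraint>\S+):.*?expected (?:(?P<kind>allowed|denied) )?"
    r"values? (?:are|is) \[(?P<values>[^\]]*)\]"
)


def build_url(endpoint: str, org_id: str, location_id: str, workload_id: str,
              project_id: str, asset_types: Iterable[str] = (),
              page_size: Optional[int] = None, page_token: Optional[str] = None) -> str:
    """Build the documented GET URL; asset_types is repeated once per type."""
    params = [("project", f"projects/{project_id}")]
    params += [("asset_types", t) for t in asset_types]
    if page_size is not None:
        params.append(("page_size", str(page_size)))
    if page_token:
        params.append(("page_token", page_token))
    return (f"{endpoint}/v1/organizations/{org_id}/locations/{location_id}"
            f"/workloads/{workload_id}:analyzeWorkloadMove?{urlencode(params, safe='/')}")


def fetch_all_pages(fetch: Callable[[str], dict], **url_kwargs) -> List[dict]:
    """Follow nextPageToken until the analysis is exhausted."""
    pages, token = [], None
    while True:
        page = fetch(build_url(page_token=token, **url_kwargs))
        pages.append(page)
        token = page.get("nextPageToken")
        if not token:
            return pages


def iter_findings(pages: Iterable[dict]):
    """Flatten findings; an asset without analysisGroups carries no finding."""
    for page in pages:
        for analysis in page.get("assetMoveAnalyses", []):
            for group in analysis.get("analysisGroups", []):
                result = group.get("analysisResult", {})
                for severity in ("blockers", "warnings"):
                    for finding in result.get(severity, []):
                        yield {"asset": analysis["asset"], "group": group["displayName"],
                               "severity": severity[:-1], "detail": finding["detail"]}


def summarize(pages: Iterable[dict]) -> dict:
    """Blockers gate the move, warnings need review, expected org-policy values are extracted."""
    findings = list(iter_findings(pages))
    blockers = [f for f in findings if f["severity"] == "blocker"]
    warnings = [f for f in findings if f["severity"] == "warning"]
    expected = {}
    for f in blockers:
        m = EXPECTED_RE.match(f["detail"]) if f["group"] == "ORG_POLICIES" else None
        if m:
            expected[m["constraint"]] = {"kind": m["kind"] or "value",
                                         "values": [v.strip() for v in m["values"].split(",")]}
    return {"blockers": blockers, "warnings": warnings,
            "expected_org_policy_values": expected, "ready_to_move": not blockers}


# Constructed sample shaped like this page's responses (not captured from a live API).
_NC = "The value applied at the source is not compliant with the target compliance program."
SAMPLE_PAGES = {
    None: {
        "assetMoveAnalyses": [
            {"asset": "//serviceusage.googleapis.com/projects/130536381852/services/monitoring.googleapis.com",
             "assetType": "serviceusage.googleapis.com/Service"},  # no analysisGroups: clean
            {"asset": "//compute.googleapis.com/projects/my-project-123/regions/europe-west10/subnetworks/default",
             "assetType": "compute.googleapis.com/Subnetwork",
             "analysisGroups": [{"displayName": "RESOURCE_LOCATIONS", "analysisResult": {"blockers": [
                 {"detail": "The asset's location 'europe-west10' is incompatible with the "
                            "gcp.resourceLocations org policy effective at the target."}]}}]},
            {"asset": "//cloudresourcemanager.googleapis.com/projects/my-project-123",
             "assetType": "cloudresourcemanager.googleapis.com/Project",
             "analysisGroups": [{"displayName": "ORG_POLICIES", "analysisResult": {
                 "warnings": [{"detail": "constraints/compute.disableInstanceDataAccessApis: Source applies "
                                         "this custom policy and it is not applied by the target."}],
                 "blockers": [
                     {"detail": f"constraints/gcp.resourceLocations: {_NC} "
                                "The expected allowed values are [us-west1, us-central1]."},
                     {"detail": f"constraints/container.restrictTLSVersion: {_NC} "
                                "The expected denied values are [TLS_VERSION_1, TLS_VERSION_1_1]."}]}}]},
        ],
        "nextPageToken": "page-2-token",
    },
    "page-2-token": {
        "assetMoveAnalyses": [
            {"asset": "//serviceusage.googleapis.com/projects/130536381852/services/bigquerymigration.googleapis.com",
             "assetType": "serviceusage.googleapis.com/Service",
             "analysisGroups": [{"displayName": "DISALLOWED_SERVICES", "analysisResult": {"warnings": [
                 {"detail": "This service is not allowed by the gcp.restrictServiceUsage "
                            "org policy effective at the target"}]}}]},
        ],
    },
}


def offline_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET: serves SAMPLE_PAGES keyed by the page_token parameter."""
    token = parse_qs(urlparse(url).query).get("page_token", [None])[0]
    return SAMPLE_PAGES[token]


if __name__ == "__main__":
    report = summarize(fetch_all_pages(
        offline_fetch, endpoint="https://us-west1-assuredworkloads.googleapis.com",
        org_id="919698201234", location_id="us-west1",
        workload_id="00-701ea036-7152-4780-a867-9f5", project_id="my-project-123"))
    for f in report["blockers"]:
        print(f"BLOCKER [{f['group']}] {f['asset']}: {f['detail']}")
    print("expected org policy values:", report["expected_org_policy_values"])
    print("ready to move:", report["ready_to_move"])
```

The script deliberately treats any blocker, whatever its group, as a hard stop and never auto-applies the expected values: a RESOURCE_LOCATIONS blocker such as the europe-west10 subnetwork above needs a resource move or deletion, and changing an organization policy on the source project should be a reviewed change, so the parsed values are returned for a human to act on and the analysis is re-run before the project is moved.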