Introducing custom rules in Workload Manager: Evaluate workloads against customized best practices

Are you a cloud architect or IT admin tasked with ensuring deployments are following best practices and generating configuration validation reports? The struggle of adopting best practices is real. And not just the first time: ensuring that a config doesn’t drift from org-wide best practices over time is notoriously difficult.    

Workload Manager provides a rule-based validation service for evaluating your workloads running on Google Cloud. Workload Manager scans your workloads, including SAP and Microsoft SQL Server, to detect deviations from standards, rules, and best practices to improve system quality, reliability, and performance. .

Introducing custom rules in Workload Manager

Today, we’re excited to extend Workload Manager with custom rules (GA), a detective-based service that helps ensure your validations are not blocking any deployments, but that allows you to easily detect compliance issues across different architectural intents. Now, you can flexibly and consistently validate your Google Cloud deployments across Projects, Folders and Orgs against best practices and custom standards to help ensure that they remain compliant.

Here’s how to get started with Workload Manager custom rules in a matter of minutes.

1) Codify best practices and validate resources
Identify best practices relevant to your deployments from the Google Cloud Architecture Framework, codify them in Rego, a declarative policy language that's used to define rules and express policies over complex data structures, and run or schedule evaluation scans across your deployments. 

Start with sample Rego policies in our GitHub repository: https://github.com/GoogleCloudPlatform/workload-manager

You can create new Rego rules based on your preferences, or reach out to your account team to get more help crafting new rules.

2) Export findings to BigQuery dataset and visualize them using Looker
You can configure your own BigQuery dataset to export each validation scan and easily integrate it with your existing reporting systems, build a new Looker dashboard, or export results to Google Sheets to plan remediation steps.  

Additionally, you can configure Pub/Sub-based notifications to send email, Google Chat messages, or integrate with your third-party systems based on different evaluation success criteria.

A flexible system to do more than typical config validation

With custom rules you can build rules with complex logic and validation requirements across multiple domains. You can delegate build and management to your subject matter experts, reducing development time and accelerating the time to release new policies. 

And with central BigQuery table export, you can combine violation findings from multiple evaluations and easily integrate with your reporting system to build a central compliance program.

Get started today with custom rules in Workload Manager by referring to the documentation and testing sample policies against your deployments.

Need more help? Engage with your account teams to get more help in crafting, curating and adopting best practices.