As an organization administrator, you need to define policies that developers adhere to when applying infrastructure as code. Your organization's set of policies is represented as a policy library. This page helps you create a centralized policy repository and add constraints.
Before you begin
- You need an empty Git repository for storing your organization's policy library.
- You need to configure Git to connect securely. For example, if your git repository is on GitHub, you can follow the process outlined in Connecting to GitHub with SSH.
Duplicate the sample library
Google provides a sample repository that includes a set of pre-defined constraint templates which you can modify for your personal use.
Clone the policy library sample repository and duplicate it to your POLICY_LIBRARY_REPO:
git clone https://github.com/GoogleCloudPlatform/policy-library.git cd policy-library git remote set-url origin POLICY_LIBRARY_REPO git push origin main
Examine the available constraint templates in
Select the constraint templates you want to use. For this example, choose
gcp_storage_location_v1.yaml, which enforces location for Cloud Storage buckets.
Create constraint YAML files corresponding to those templates under
From inside your local copy of the
policy-libraryrepository, use the following commands to commit and push your changes:
git add --all . git commit -m "Initial commit of policy library constraints" git push -u origin main
A policy library repository contains the following directories:
policies/– This directory contains two subdirectories:
constraints/– This directory is initially empty. Place your constraint files here.
templates/– This directory contains pre-defined constraint templates.
validator/– This directory contains the
.regofiles and their associated unit tests. You don't need to touch this directory unless you intend to modify existing constraint templates or create new ones. Running
make buildinlines the Rego content in the corresponding constraint template files.
Periodically you should pull any changes from the public repository, which might contain new templates and Rego files.
git remote add public https://github.com/GoogleCloudPlatform/policy-library.git git pull public main git push origin main
The policy library contains a number of constraint templates and a
folder with example constraints. Read
Create Terraform constraints
Create CAI constraints
for details on how to write and use constraint templates and constraints.