Restrict Shared VPC Subnetworks

01 Sign in to Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to examine.

03 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

04 In the navigation panel, select Organization Policies to access the complete list of constraint policies made available for your GCP organization.

05 Click inside the Filter by policy name or ID filter box, select Name and Restrict Shared VPC Subnetworks to return the "Restrict Shared VPC Subnetworks" policy.

06 Click on the name of the organization policy returned at the previous step.

07 On the Policy details page, under Effective policy, check the Allowed configuration attribute value. If the Allowed attribute value is set to All, the policy constraints are not enforced for the entire organization, therefore your cloud resources can use any shared VPC subnetwork created for your GCP organization.

08 Repeat steps no. 2 – 7 for each organization available in your Google Cloud account.

01 Run organizations list command (Windows/macOS/Linux) using custom query filters to list the ID of each organization available within your Google Cloud account:

gcloud organizations list
    --format="table(name)"

02 The command output should return the requested organization identifiers (IDs):

ID
112233441122
123412341234

03 Run resource-manager org-policies describe command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as identifier parameter, to describe the enforcement configuration of the "Restrict Shared VPC Subnetworks" policy, available for the selected organization:

gcloud alpha resource-manager org-policies describe
"compute.restrictSharedVpcSubnetworks"
    --effective
    --organization=112233441122
    --format="value(listPolicy.allValues)"

04 The command request should return the requested configuration information:

ALLOW

05 Repeat step no. 3 and 4 for each organization created in your Google Cloud account.

01 Sign in to your Trend Cloud One™ – Conformity account, access Restrict Shared VPC Subnetworks conformity rule settings and note the list of shared VPC subnetworks that eligible cloud resources can use, available in your GCP organization.

02 Sign in to Google Cloud Management Console with the organizational unit credentials.

03 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the Google Cloud organization that you want to reconfigure.

04 Navigate to Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.

05 In the navigation panel, select Organization Policies to access the list with the constraint policies available for your organization.

06 Click inside the Filter by policy name or ID filter box, select Name and Restrict Shared VPC Subnetworks to return only the "Restrict Shared VPC Subnetworks" policy.

07 Click on the name of the organization policy returned at the previous step.

08 On the Policy details page, click on the EDIT button from the dashboard top menu to edit the selected policy.

09 On the Edit policy configuration page, perform the following:

1. Under Applies to, select Customize to choose the type of the policy to apply (i.e. customized policy).
2. To override the inherited policies completely, select Replace under Policy enforcement.
3. To use explicit values, select Custom from the Policy values dropdown list.
4. For Policy type, select Allow to specify that the listed values will be the only allowed values, and all other values will be denied.
5. In the Custom values section, use the configuration controls to define the shared VPC subnetworks that can be used by eligible cloud resources within your GCP organization, identified at step no. 1. Use the following format to define the allowed VPC subnetworks: projects/<project-id>/regions/<subnetwork-region>/subnetworks/<subnetwork-name>, where <project-id> is the ID of the subnetwork's project, the <subnetwork-region> is the Google Cloud region where the subnetwork was created, and the <subnetwork-name> is the name of the shared VPC subnetwork that your eligible resources can use. You can also use the under: prefix if you need to allow access to all the subnetworks in a particular project (under:projects/<project-id>), a folder (under:folders/<folder-id>), or within an entire organization (under:organizations/<organization-id>).
6. (Optional) To set a recommendation for other users, click SET RECOMMENDATION, enter a string value into the Recommended value text box, and click SET to apply the recommendation. This string value will be displayed in the Google Cloud console to provide guidance to users about this organization policy. This is just a communication tool, and does not affect the policy configuration.
7. Click SAVE to apply the changes and enforce the "Restrict Shared VPC Subnetworks" policy constraints.

10 If required, repeat steps no. 3 – 9 to enable the policy for other organizations available in your Google Cloud account.

01 Sign in to your Trend Cloud One™ – Conformity account, access Restrict Shared VPC Subnetworks conformity rule settings and note the list of shared VPC subnetworks that eligible cloud resources can use, available in your GCP organization.

02 Define the "Restrict Shared VPC Subnetworks" organization policy constraints and save the YAML policy document to a file named cc-allowed-vpc-subnetworks.yaml. Use the list of shared VPC subnetworks that can be used by eligible cloud resources within your Google Cloud organization, identified at step no. 1, to configure the allowed_values list. The following policy configuration example allows access to shared VPC subnetwork identified by projects/<project-id>/regions/<subnetwork-region>/subnetworks/<subnetwork-name>, where <project-id> is the ID of the subnetwork's project, the <subnetwork-region> is the cloud region where the subnetwork was created, and the <subnetwork-name> is the name of the shared VPC subnetwork that your eligible resources can use (e.g. projects/cc-project5/regions/us-central1/subnetworks/cc-web-stack-subnetwork):

constraint: constraints/compute.restrictSharedVpcSubnetworks
listPolicy:
  allowed_values:
    projects/cc-project5/regions/us-central1/subnetworks/cc-web-stack-subnetwork

03 Run resource-manager org-policies set-policy command (Windows/macOS/Linux) using the ID of the Google Cloud Platform (GCP) organization that you want to reconfigure as identifier parameter, to enforce the "Restrict Shared VPC Subnetworks" constraint policy, using the policy document defined at the previous step, for the selected organization:

gcloud beta resource-manager org-policies set-policy cc-allowed-vpc-subnetworks.yaml
    --organization=112233441122

04 The command request should return the enforced organization policy metadata:

constraint: constraints/compute.restrictSharedVpcSubnetworks
etag: abcdabcdabcd
listPolicy:
  allowedValues:
  - projects/cc-project5/regions/us-central1/subnetworks/cc-web-stack-subnetwork
updateTime: '2020-09-15T15:00:00.000Z'

05 If required, repeat step no. 3 and 4 to enforce the policy for other organizations created within your Google Cloud account.