mindvalley · rmaloloyon · Dec 12, 2023 · Dec 12, 2023 · Dec 13, 2023 · Dec 14, 2023
diff --git a/policies/constraints/bigquery_table_retention.yaml b/policies/constraints/bigquery_table_retention.yaml
diff --git a/policies/constraints/bq_dataset_location.yaml b/policies/constraints/bq_dataset_location.yaml
diff --git a/policies/constraints/compute_zone.yaml b/policies/constraints/compute_zone.yaml
diff --git a/policies/constraints/gcp_enforce_naming.yaml b/policies/constraints/gcp_enforce_naming.yaml
@@ -33,30 +33,28 @@ spec:
       - "cert-self-signed-.*"
     - resource: "compute.googleapis.com/Instance"         # asset_type field from inventory
       patterns:
-      - "^mv-(\\w+)-(\\w+)-(\\w+)-gce-(\\d+)$"
+      - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+-gce-[a-z0-9]+$"
     - resource: "sqladmin.googleapis.com/Instance"        # asset_type field from inventory
       patterns:
-      - "^cloudsql-(\\w+)-mv-(\\w+)-(\\w+)-.*"
+      - "^cloudsql-[a-z0-9]+-mv-(dev|stg|prod)-[a-z0-9]+"
     - resource: "redis.googleapis.com/Instance"           # asset_type field from inventory
       patterns:
-      - "^redis-(\\w+)-mv-(\\w+)-multi-app$"
+      - "^redis-[a-z0-9]+-mv-(dev|stg|prod)-[a-z0-9]+"
     - resource: "storage.googleapis.com/Bucket"           # asset_type field from inventory
       patterns:
-      - "^mv-(\\w+)-(\\w+)-(\\w+)$"
+      - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+$"
     - resource: "compute.googleapis.com/Network"          # asset_type field from inventory
       patterns:
-      - "^mv-(\\w+)-(\\w+)-vpc-(\\d+)$"
+      - "^mv-(dev|stg|prod)-[a-z0-9]+-vpc-[a-z0-9]+$"
     - resource: "compute.googleapis.com/Subnetwork"       # asset_type field from inventory
       patterns:
-      - "^mv-(\\w+)-(\\w+)-(\\w+)-sn-(\\d+)$"
+      - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+-sn-[a-z0-9]+$"
     - resource: "compute.googleapis.com/Route"            # asset_type field from inventory
       patterns:
-      - "^mv-(\\w+)-(\\w+)-route-(\\d+)$"
+      - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+-route-[a-z0-9]+$"
     - resource: "compute.googleapis.com/Firewall"         # asset_type field from inventory
       patterns:
-      - "^mv-(\\w+)-allow-(\\w+)$"
-      - "^mv-(\\w+)-deny-(\\w+)$"
+      - "^mv-[a-z0-9]+-(allow|deny)-(all|icmp|tcp|udp)-access$"
     - resource: "container.googleapis.com/Cluster"        # asset_type field from inventory
       patterns:
-      - "^mv-(\\w+)-(\\w+)-(\\w+)-gke-(\\d+)$"
-
+      - "^mv-(dev|stg|prod)-[a-z0-9]+-[a-z0-9]+-gke-[a-z0-9]+$"
diff --git a/policies/constraints/gke_allow_only_private_cluster.yaml b/policies/constraints/gke_allow_only_private_cluster.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# master_ipv4_cidr_block     = "192.168.5.0/28"
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPGKEPrivateClusterConstraintV1
 metadata:

diff --git a/policies/constraints/gke_allowed_node_sa_scope.yaml b/policies/constraints/gke_allowed_node_sa_scope.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# - "projects/mv-dev-ricardo" -- For specific project only (ancestries)
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPGKEAllowedNodeSAConstraintV1
 metadata:

diff --git a/policies/constraints/gke_cluster_location.yaml b/policies/constraints/gke_cluster_location.yaml
@@ -29,4 +29,5 @@ spec:
     locations:
     - us-central1
     - us-east4
+    - asia-southeast1
     exemptions: []
diff --git a/policies/constraints/gke_cluster_version.yaml b/policies/constraints/gke_cluster_version.yaml
diff --git a/policies/constraints/gke_container_optimized_os.yaml b/policies/constraints/gke_container_optimized_os.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# - "projects/mv-dev-ricardo" -- For specific project only (ancestries)
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPGKEContainerOptimizedOSConstraintV1
 metadata:

diff --git a/policies/constraints/gke_enable_shielded_nodes.yaml b/policies/constraints/gke_enable_shielded_nodes.yaml
diff --git a/policies/constraints/gke_node_pool_auto_repair.yaml b/policies/constraints/gke_node_pool_auto_repair.yaml
diff --git a/policies/constraints/gke_node_pool_auto_upgrade.yaml b/policies/constraints/gke_node_pool_auto_upgrade.yaml
diff --git a/policies/constraints/gke_restrict_pod_traffic.yaml b/policies/constraints/gke_restrict_pod_traffic.yaml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# equivalent to this command (gcloud container clusters update)
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPGKERestrictPodTrafficConstraintV2
 metadata:

diff --git a/policies/constraints/iam_required_roles.yaml b/policies/constraints/iam_required_roles.yaml
@@ -11,7 +11,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+#
+# - "user:[email protected]" -- other domain would be acceptable 
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPIAMRequiredBindingsConstraintV1
 metadata:
@@ -25,4 +26,3 @@ spec:
     members:
     - "user:*@mindvalley.com"
     - "group:*@mindvalley.com"
-    # - "user:[email protected]"
diff --git a/policies/constraints/network_restrict_default.yaml b/policies/constraints/network_restrict_default.yaml
diff --git a/policies/constraints/sql_backup.yaml b/policies/constraints/sql_backup.yaml
@@ -13,6 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# Applied only for 'mv-dev-ricardo' project ID
+# - "projects/mv-dev-ricardo"
 
 apiVersion: constraints.gatekeeper.sh/v1alpha1
 kind: GCPSQLBackupConstraintV1
@@ -24,4 +26,4 @@ spec:
   severity: high
   match:
     ancestries:
-    - "organizations/**"
+    - "organizations/**"       # Applied to All Projects
diff --git a/policies/constraints/sql_location.yaml b/policies/constraints/sql_location.yaml
@@ -32,4 +32,5 @@ spec:
     - us-east4
     - europe-west3
     - southamerica-east1
+    - asia-southeast1
     exemptions: []
diff --git a/policies/constraints/sql_public_ip.yaml b/policies/constraints/sql_public_ip.yaml
@@ -26,5 +26,20 @@ spec:
   severity: high
   match:
     ancestries:
-    - "organizations/**"
+    - "projects/mindvalleyadvertisingai"
+    - "projects/mv-blogs"
+    - "projects/mv-prod-coaching"
+    - "projects/mv-prod-linode"
+    - "projects/mv-prod-overmind2"
+    - "projects/mv-prod-spaces"
+    - "projects/mv-stg-coaching"
+    - "projects/mv-stg-connect"
+    - "projects/mv-stg-insights"
+    - "projects/mv-stg-lifebook"
+    - "projects/mv-stg-lifebook"
+    - "projects/mv-stg-overmind2"
+    - "projects/mv-stg-spaces"
+    - "projects/mv-stg-stories"
+    - "projects/mv-stg-usermanager"
+    # - "organizations/**"
     excludedAncestries: [] # optional, default is no exclusions
diff --git a/policies/constraints/storage_denylist_public.yaml b/policies/constraints/storage_denylist_public.yaml
@@ -26,6 +26,16 @@ spec:
   match:
     ancestries:
     - "organizations/**"
-    excludedAncestries: [] # optional, default is no exclusions
+    excludedAncestries:
+    - "projects/event-stream-staging"
+    - "projects/mv-auxiliary"
+    - "projects/mv-blogs"
+    - "projects/mv-brain" 
+    - "projects/mv-dev-mulail"
+    - "projects/mv-dev-ricardo" 
+    - "projects/mv-page-builder" 
+    - "projects/mv-page-builder-stg" 
+    - "projects/mv-prod-linode"
+    - "projects/mv-stg-auxiliary"
   parameters:
     exemptions: [] # optional, default is no exemptions