As you roll out Org Policy preventive controls (both out-of-the-box and custom org policies), you will likely need a single way to analyze where those controls exist and which conditional tags or expressions they enforce.
This can be done using a combination of Cloud Asset Inventory and BigQuery.
Simple Steps:
- Export Cloud Asset Inventory data to BigQuery; it can be a full export or just the Org Policy data. We’ll use two resource types, but you can add more, for example Projects or Folders, to join against and retrieve descriptions. Keep in mind that the most recent data is located in the tables named resource_orgpolicy_googleapis_com_Policy for out-of-the-box org policies and resource_orgpolicy_googleapis_com_CustomConstraint for custom org policies.
Here is the full documentation on how to export from Asset Inventory to BigQuery
Use BigQuery to retrieve information such as:
- constraint name
- resource where the constraint is set (org, folder or project)
- enforced status for boolean constraints
- allowed and denied values for list constraints
- conditions for tags (if any)
Example Query for out of the box Org Policies:
WITH policies AS (
  SELECT
    name,
    REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/([^/]*)/') AS parentType,
    REGEXP_EXTRACT(name, r'\d+') AS ID,
    REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/.*/([^/]*)') AS constraint,
    rule.denyAll,
    rule.allowAll,
    rule.enforce,
    rule.values.allowedValues AS allowed_values,
    rule.values.deniedValues AS denied_values,
    rule.condition.expression
  FROM `project.cai.resource_orgpolicy_googleapis_com_Policy`,
    -- one output row per rule: a policy can carry several rules (for example a conditional and an unconditional one)
    UNNEST(resource.data.spec.rules) AS rule
)
SELECT
  policies.name,
  constraint,
  parentType,
  policies.ID,
  denyAll,
  allowAll,
  enforce,
  allowed_values,
  denied_values,
  ARRAY_LENGTH(allowed_values) AS allowed_values_count,
  ARRAY_LENGTH(denied_values) AS denied_values_count,
  expression
FROM policies
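The post suggests joining the Project or Folder export to retrieve descriptions. As an added example (not code from the original post), the query below takes the same rule-level view, joins project-level policies to the Project export to pull in the project ID, and adds two review flags: rules that switch a control off at their level (a boolean constraint with enforce = FALSE, or a list constraint with allowAll = TRUE) and rules that only apply under a condition. It assumes the Project asset type was exported into the same dataset with the same per-asset-type table naming (resource_cloudresourcemanager_googleapis_com_Project), that project-level policy names carry the project number as the post's regex assumes, and `project.cai` is the post's placeholder dataset.

```sql
-- Added example: org policy rules joined to the Project export, with flags
-- for rules that weaken a control. Table names assume the same per-asset-type
-- naming as the post; `project.cai` is the post's placeholder dataset.
WITH rules AS (
  SELECT
    name,
    REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/([^/]*)/') AS parentType,
    REGEXP_EXTRACT(name, r'\d+') AS ID,
    REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/.*/([^/]*)') AS constraint,
    rule.enforce,
    rule.allowAll,
    rule.denyAll,
    ARRAY_LENGTH(rule.values.allowedValues) AS allowed_values_count,
    ARRAY_LENGTH(rule.values.deniedValues) AS denied_values_count,
    rule.condition.expression AS expression
  FROM `project.cai.resource_orgpolicy_googleapis_com_Policy`,
    UNNEST(resource.data.spec.rules) AS rule
),
projects AS (
  -- Project asset names end in the project number, which is also what a
  -- project-level policy name carries, so the numeric ID is the join key.
  SELECT
    REGEXP_EXTRACT(name, r'\d+') AS ID,
    resource.data.projectId AS project_id
  FROM `project.cai.resource_cloudresourcemanager_googleapis_com_Project`
)
SELECT
  r.constraint,
  r.parentType,
  r.ID,
  p.project_id,
  r.enforce,
  r.allowAll,
  r.denyAll,
  r.allowed_values_count,
  r.denied_values_count,
  r.expression,
  -- enforce = FALSE turns a boolean constraint off at this level;
  -- allowAll = TRUE does the same for a list constraint. IFNULL keeps the
  -- flag a plain TRUE/FALSE when the field does not apply to the rule type.
  (IFNULL(NOT r.enforce, FALSE) OR IFNULL(r.allowAll, FALSE)) AS weakens_control,
  r.expression IS NOT NULL AS is_conditional
FROM rules AS r
LEFT JOIN projects AS p
  ON r.parentType = 'projects' AND r.ID = p.ID
ORDER BY weakens_control DESC, r.constraint, r.parentType, r.ID
```

Rows with weakens_control = TRUE are the exceptions to review first: a project-level rule that sets enforce = FALSE overrides a stricter policy inherited from the folder or organization. Folder-level policies can be resolved the same way by adding a second CTE over the Folder export and joining on parentType = 'folders'.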
Example query for custom org policies:
WITH policies AS (
  SELECT
    name,
    REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/([^/]*)/') AS parentType,
    REGEXP_EXTRACT(name, r'\d+') AS ID,
    REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/.*/([^/]*)') AS constraint,
    resource.data.resourceTypes AS resource_types,
    resource.data.methodTypes AS method_types,
    resource.data.condition AS condition,
    resource.data.actionType AS action_type
  FROM `project.cai.resource_orgpolicy_googleapis_com_CustomConstraint`
)
SELECT
  policies.name,
  constraint,
  parentType,
  policies.ID,
  resource_types,
  method_types,
  condition,
  action_type
FROM policies
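A custom constraint definition does nothing on its own: it only takes effect once an org policy references it by name (an org policy resource named .../policies/custom.<name>). As an added example (not code from the original post), the query below joins the CustomConstraint export to the Policy export so that each custom constraint shows where it is enforced, and definitions that no policy references stand out. It assumes both tables live in the post's placeholder dataset `project.cai` with the per-asset-type names used above, and that custom-constraint policies use boolean rules (the enforce field).

```sql
-- Added example: custom constraints joined to the org policies that apply
-- them. A definition with enforced_at_count = 0 is inert.
-- `project.cai` is the post's placeholder dataset.
WITH custom_constraints AS (
  SELECT
    name,
    REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/.*/([^/]*)') AS constraint,
    REGEXP_EXTRACT(name, r'\d+') AS org_id,
    -- arrays cannot be grouped on, so flatten them to strings for the report
    ARRAY_TO_STRING(resource.data.resourceTypes, ', ') AS resource_types,
    ARRAY_TO_STRING(resource.data.methodTypes, ', ') AS method_types,
    resource.data.condition AS condition,
    resource.data.actionType AS action_type
  FROM `project.cai.resource_orgpolicy_googleapis_com_CustomConstraint`
),
enforcing_policies AS (
  -- The last path segment of a policy that applies a custom constraint is the
  -- constraint name (custom.<name>), so it is the join key.
  SELECT
    REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/.*/([^/]*)') AS constraint,
    REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/([^/]*)/') AS parentType,
    REGEXP_EXTRACT(name, r'\d+') AS ID,
    rule.enforce,
    rule.condition.expression AS expression
  FROM `project.cai.resource_orgpolicy_googleapis_com_Policy`,
    UNNEST(resource.data.spec.rules) AS rule
  WHERE STARTS_WITH(REGEXP_EXTRACT(name, '//orgpolicy.googleapis.com/.*/([^/]*)'), 'custom.')
)
SELECT
  c.constraint,
  c.org_id,
  c.action_type,
  c.resource_types,
  c.method_types,
  c.condition,
  -- COUNTIF ignores the NULLs produced by the LEFT JOIN for unreferenced constraints
  COUNTIF(p.enforce) AS enforced_at_count,
  COUNTIF(p.expression IS NOT NULL) AS conditional_rule_count,
  ARRAY_AGG(CONCAT(p.parentType, '/', p.ID) IGNORE NULLS) AS enforced_at,
  COUNTIF(p.enforce) = 0 AS defined_but_not_enforced
FROM custom_constraints AS c
LEFT JOIN enforcing_policies AS p
  ON c.constraint = p.constraint
GROUP BY c.constraint, c.org_id, c.action_type, c.resource_types, c.method_types, c.condition
ORDER BY defined_but_not_enforced DESC, c.constraint
```

The enforced_at column lists each parent (for example organizations/123 or folders/456) where a rule with enforce = TRUE applies the constraint; conditional_rule_count shows how many of those rules are gated on a tag condition, which is worth checking because a constraint that is only enforced conditionally covers only resources carrying the matching tag.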
There are more possibilities around this simple use case, since Cloud Asset Inventory also supports feeds as a way to get real-time data if you need it.
Source Credit: https://medium.com/google-cloud/analyzing-gcp-org-policies-with-cloud-asset-inventory-1615fd87ea74?source=rss—-e52cf94d98af—4
