[pull] main from GoogleCloudPlatform:main

README.md

@@ -507,6 +507,7 @@ Platform usage.
     A shell script for gDNS-zDNS project bulk migration.
 *   [GKE Billing Export](tools/gke-billing-export) - Google Kubernetes Engine
     fine grained billing export.
+*   [GKE GPU Driver Version](tools/gke-gpu-driver-version) - A tool to find the supported GPU driver version for a given GKE cluster version and GPU type.
 *   [gmon](tools/gmon/) - A command-line interface (CLI) for Cloud Monitoring
     written in Python.
 *   [Google Cloud Support Slackbot](tools/google-cloud-support-slackbot) - Slack

examples/creative-studio/frontend/package.json

@@ -33,9 +33,9 @@
     "@angular/material": "^18.2.1",
     "@angular/platform-browser": "^18.1.0",
     "@angular/platform-browser-dynamic": "^18.1.0",
-    "@angular/platform-server": "^18.1.0",
+    "@angular/platform-server": "^18.2.14",
     "@angular/router": "^18.1.0",
-    "@angular/ssr": "^18.1.2",
+    "@angular/ssr": "^18.2.21",
     "express": "^4.18.2",
     "file-saver": "^2.0.5",
     "ngx-image-cropper": "^9.1.5",

tools/custom-organization-policy-library/.gitignore

@@ -3,6 +3,7 @@
 .terraform.tfstate*
 *.out
 *.bak
+*.env
 */**/terraform.tfstate*
 terraform/
 tests/venv/

tools/custom-organization-policy-library/build/config/services/schema.accesscontextmanager.yaml

@@ -0,0 +1,25 @@
+#!  Copyright 2024 Google LLC
+#!
+#!  Licensed under the Apache License, Version 2.0 (the "License");
+#!  you may not use this file except in compliance with the License.
+#!  You may obtain a copy of the License at
+#!
+#!       http://www.apache.org/licenses/LICENSE-2.0
+#!
+#!  Unless required by applicable law or agreed to in writing, software
+#!  distributed under the License is distributed on an "AS IS" BASIS,
+#!  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#!  See the License for the specific language governing permissions and
+#!  limitations under the License.
+
+#@ load("@ytt:overlay", "overlay")
+#@data/values-schema
+---
+#@overlay/match missing_ok=True
+accesscontextmanager:
+  accesscontextmanagerDisableBridgePerimeters:
+    #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
+    generation: "default"
+    bundles:
+      pci-dss: false
+      cis: false

tools/custom-organization-policy-library/build/config/services/schema.cloudsql.yaml

@@ -92,6 +92,12 @@ cloudsql:
     bundles:
       pci-dss: false
       cis: false
+  cloudsqlRequirePostgreSQLDatabaseAdditionalFlags:
+    #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
+    generation: "default"
+    bundles:
+      pci-dss: true
+      cis: true
   cloudsqlRequirePostgreSQLDatabaseFlags:
     #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
     generation: "default"

tools/custom-organization-policy-library/build/config/services/schema.firewall.yaml

@@ -26,6 +26,18 @@ firewall:
     params:
       #@schema/validation min_len=1
       name_regex: ""
+  firewallEnforcePolicyRuleLogging:
+    #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
+    generation: "default"
+    bundles:
+      pci-dss: false
+      cis: false
+  firewallEnforceRuleLogging:
+    #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
+    generation: "default"
+    bundles:
+      pci-dss: false
+      cis: false
   firewallRequireDescription:
     #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
     generation: "default"

tools/custom-organization-policy-library/build/config/services/schema.gke.yaml

@@ -17,16 +17,6 @@
 ---
 #@overlay/match missing_ok=True
 gke:
-  gkeAllowedInitialClusterVersions:
-    #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
-    generation: "default"
-    bundles:
-      pci-dss: true
-      cis: false
-    params:
-      #@schema/validation min_len=1
-      initial_cluster_versions: 
-      - ""
   gkeAllowedNodePoolImages:
     #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
     generation: "default"

tools/custom-organization-policy-library/build/config/services/schema.iam.yaml

@@ -33,6 +33,9 @@ iam:
     bundles:
       pci-dss: false
       cis: true  
+    params:
+      exceptions:
+      - ""
   iamDisableBasicRoles:
     #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
     generation: "default"
@@ -51,9 +54,21 @@ iam:
     bundles:
       pci-dss: true
       cis: true
+    params:
+      exceptions:
+      - ""
   iamDisablePublicBindings:
     #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
     generation: "default"
     bundles:
       pci-dss: true
-      cis: true
+      cis: true
+  iamDisableRedisAdminRoles:
+    #@schema/validation one_of=["default", "skip", "include", "skip-policy"]
+    generation: "default"
+    bundles:
+      pci-dss: true
+      cis: true
+    params:
+      exceptions:
+      - ""

tools/custom-organization-policy-library/build/custom-constraints/accesscontextmanager/accesscontextmanagerDisableBridgePerimeters.yaml

@@ -0,0 +1,15 @@
+#@ load("/constraints.lib.star", "build_constraint")
+#@ constraint = build_constraint("accesscontextmanagerDisableBridgePerimeters")
+
+#@ if constraint.to_generate():
+name: #@ constraint.constraint_name()
+resourceTypes:
+- accesscontextmanager.googleapis.com/ServicePerimeter
+methodTypes:
+- CREATE
+- UPDATE
+condition: "resource.perimeterType == 'PERIMETER_TYPE_BRIDGE'"
+actionType: DENY
+displayName: Deny usage of perimeter bridges
+description: Ensure no perimeter bridges are used. Instead, use ingress and egress rules.
+#@ end

tools/custom-organization-policy-library/build/custom-constraints/cloudsql/cloudsqlRequirePostgreSQLDatabaseAdditionalFlags.yaml

@@ -0,0 +1,20 @@
+#@ load("/constraints.lib.star", "build_constraint")
+#@ constraint = build_constraint("cloudsqlRequirePostgreSQLDatabaseAdditionalFlags")
+
+#@ if constraint.to_generate():
+name: #@ constraint.constraint_name()
+resourceTypes:
+- sqladmin.googleapis.com/Instance
+methodTypes:
+- CREATE
+- UPDATE
+condition: >-
+  resource.databaseVersion.startsWith('POSTGRES') && (
+    !resource.settings.databaseFlags.exists(flag, flag.name == 'log_checkpoints' && flag.value == 'on') ||
+    !resource.settings.databaseFlags.exists(flag, flag.name == 'log_executor_stats' && flag.value == 'off') ||
+    !resource.settings.databaseFlags.exists(flag, flag.name == 'log_lock_waits' && flag.value == 'on')
+  )
+actionType: DENY
+display_name: Require Cloud SQL for PostgreSQL instance database flags to be configured correctly (e.g log_checkpoints, log_executor_stats, log_lock_waits)
+description: Ensure Cloud SQL for PostgreSQL instance database flags are set correctly (e.g log_checkpoints, log_executor_stats, log_lock_waits)
+#@ end

tools/custom-organization-policy-library/build/custom-constraints/compute/computeAllowedInstanceLabels.yaml

@@ -2,7 +2,7 @@
 #@ constraint = build_constraint("computeAllowedInstanceLabels")
 
 #@ def condition(labels):
-#@   return "resource.labels.all(label, (label in " + str(labels) + ")) == false"
+#@   return "resource.labels.all(label, (label in " + str(labels) + ") || label.startsWith('goog-')) == false"
 #@ end
 
 #@ if constraint.to_generate():

tools/custom-organization-policy-library/build/custom-constraints/firewall/firewallEnforceNamingConvention.yaml

@@ -2,7 +2,18 @@
 #@ constraint = build_constraint("firewallEnforceNamingConvention")
 
 #@ def condition(name_regex):
-#@    return 'resource.name.matches("' + str(name_regex) + '") == false'
+#@   lines = [
+#@     '(',
+#@     '  resource.name.matches("' + str(name_regex) + '") == false &&',
+#@     '  !resource.name.startsWith("gke-") &&',
+#@     '  !resource.name.startsWith("k8s-") &&',
+#@     '  !resource.name.endsWith("-hc") &&',
+#@     '  !resource.name.startsWith("k8s2-") &&',
+#@     '  !resource.name.startsWith("gkegw1-l7-") &&',
+#@     '  !resource.name.startsWith("gkemcg1-l7-")',
+#@     ')'
+#@   ]
+#@   return "\n".join(lines)
 #@ end
 
 #@ if constraint.to_generate():

tools/custom-organization-policy-library/build/custom-constraints/firewall/firewallEnforcePolicyRuleLogging.yaml

@@ -0,0 +1,15 @@
+#@ load("/constraints.lib.star", "build_constraint")
+#@ constraint = build_constraint("firewallEnforcePolicyRuleLogging")
+
+#@ if constraint.to_generate():
+name: #@ constraint.constraint_name()
+resource_types: 
+- compute.googleapis.com/FirewallPolicy
+condition: resource.rules.exists(rule, rule.action != 'goto_next' && rule.enableLogging == false)
+action_type: DENY
+method_types: 
+- CREATE 
+- UPDATE
+display_name: Require Firewall Policy rules to have logging enabled
+description: Ensure that Firewall Policy rules have logging enabled
+#@ end