Migrate a workload

This page describes how to perform a compliance analysis before migrating an existing project to an Assured Workloads folder. This analysis compares the source project and the destination Assured Workloads folder to determine what changes might be required before or after you initiate the migration. For example, if you have a project that you want to move to an Assured Workloads folder configured for FedRAMP Moderate, you can proactively address any potential compliance violations that might occur before moving the project.

The following types of findings are returned by the move analysis:

  • The source project uses unsupported products or services.
  • The source project contains resources that are located in a disallowed location.
  • The source project is configured with organization policy constraint values that are incompatible with the destination Assured Workloads folder.

These findings are important to discover before attempting a move. By default, an Assured Workloads folder can only contain resource types for the services that are supported by the folder's control package. If your project contains resources for a service that is not supported by the folder's control package, you may need to redeploy or remove those resources.

Although you can change the default list of supported services for an Assured Workloads folder by changing its resource usage restriction organization policy—thus allowing non-compliant services to be deployed in your folder—the non-compliant service and its resources will be ignored by background compliance checks. Therefore, by enabling an unsupported service, you are choosing to accept the risk that it may cause your workload to fall out of compliance.

Note: After performing a migration analysis and addressing any findings, the steps for moving a project to an Assured Workloads folder are the same as when moving any project in Google Cloud. See Moving a project in the Resource Manager documentation.

Migrating Assured Workloads folders and projects

If you're migrating Assured Workloads folders or projects, only migrate them to a folder that uses the same control package. Otherwise, you can incur additional billing fees and undermine your compliance status.

Before you begin

  • Gather the resource IDs for both the source project and the destination Assured Workloads folder.
  • Assign or verify IAM permissions on both the source project and the destination Assured Workloads folder to ensure that the caller is authorized to perform the migration.

Required IAM permissions

To perform a migration analysis, the caller must be granted IAM permissions using either a predefined role that includes a wider set of permissions, or a custom role that is restricted to the minimum necessary permissions.

The following permissions are required:

  • assuredworkloads.workload.get on the destination workload
  • cloudasset.assets.searchAllResources on the source project
  • orgpolicy.policy.get on the source project and destination Assured Workloads folder

Performing a migration analysis

When performing an analysis on the source project and the destination Assured Workloads folder, you should address any findings before moving the project to the destination. Although the findings don't prevent you from moving the project, they may result in compliance violations in the destination Assured Workloads folder.

These findings are of two different types:

  • Warning: A warning result occurs when the source project is potentially incompatible with the destination, and may result in a compliance violation. Warnings should be investigated to verify that the incompatibility is either acceptable or should be addressed before the move.
  • Blocker: A blocker result occurs when a compliance violation is detected between the source project and the destination. Blockers must be addressed before proceeding with a move.

The following types of findings are reported:

  • Resource locations: Many control packages enforce location restrictions for resources to adhere to compliance requirements. A finding is reported if, for example, your source project contains resources that are located in a disallowed location.

    To resolve this issue, move the affected resources to allowed locations, delete them, or modify the target's gcp.resourceLocations organization policy constraint setting.

  • Unsupported products/services: Each control package supports a specific list of Google Cloud products and services. If your project uses a service that is unsupported by the destination Assured Workloads folder's control package, this will be listed as a finding.

    Warning: We recommend that you don't migrate a project that uses unsupported products or services without first disabling them. However, if you choose to accept the risk and proceed with the migration, be sure to disable resource usage restrictions on the destination folder or update it to allow the unsupported services.

  • Organization Policy constraints: Your source project may be configured with organization policy constraint values that differ from the destination Assured Workloads folder's effective policy, or are not compliant with the target control package. This analysis is performed only for constraints that are relevant to the destination Assured Workloads folder's control package; not all of the project's constraint values are evaluated. Several outcomes are possible, such as the following issues:

    • Your project and the destination's effective policy are incompatible.
    • Your project has organization policy constraint values that aren't set on the destination, or the other way around.
    • Your project has organization policy constraint values that aren't compliant with the target control package.

    If a blocker is found for an organization policy constraint, the response includes the expected values that are compliant with the target control package. You can use these expected values to make changes to your project before you perform a migration.

    To resolve this issue, determine which organization policy constraint needs to be modified, and make the required changes.

Unsupported finding types

The migration analysis doesn't support the following types of findings:

  • Resource-level incompatibilities for organization policy constraints other than gcp.resourceLocations. For example, some control packages are configured with the global gcp.restrictCmekCryptoKeyProjects constraint or the Compute Engine-specific compute.disableNestedVirtualization constraint; incompatibilities with these constraints between the source and destination are not analyzed or reported.
  • Service-specific features that may be disabled for a given control package. For example, Cloud Monitoring's uptime checks are disabled for IL4 folders and BigQuery's remote functions are disabled for ITAR folders; if your source project uses such disabled features, these incompatibilities are not analyzed or reported.

Analyzing moving a project to an Assured Workloads folder

The analyzeWorkloadMove method performs an analysis of moving the source project to the destination Assured Workloads folder.

In the request example below, replace the following parameters with your own:

  • ENDPOINT_URI: The Assured Workloads service endpoint URI. This URI must be the endpoint matching the location of the destination workload, such as https://us-west1-assuredworkloads.googleapis.com for a regionalized workload in the us-west1 region and https://us-assuredworkloads.googleapis.com for a multi-region workload in the US.
  • DESTINATION_ORGANIZATION_ID: The organization ID for the destination workload to which the source project will be migrated. For example: 919698201234
  • DESTINATION_LOCATION_ID: The location of the destination workload. For example: us-west1 or us. It corresponds to the data region value of the workload.
  • DESTINATION_WORKLOAD_ID: The ID of the destination Assured Workloads folder where the source project will be migrated. For example: 00-701ea036-7152-4780-a867-9f5
  • SOURCE_PROJECT_ID: Query parameter for the ID of the source project to be migrated. For example: my-project-123
  • ASSET_TYPES: Optional. One asset type per query parameter that will filter the findings to only the specified type(s). For example: cloudresourcemanager.googleapis.com/Project
  • PAGE_SIZE: Optional. Query parameter for the number of results to return per page, up to a maximum of 50. For example: 5
  • PAGE_TOKEN: Optional. Query parameter for the token to continue paginated results. For example: CiAKGjBpNDd2Nmp2Zml2cXRwYjBpOXA

HTTP method, URL, and query parameters:

GET https://[ENDPOINT_URI]/v1/organizations/[DESTINATION_ORGANIZATION_ID]/locations/[DESTINATION_LOCATION_ID]/workloads/[DESTINATION_WORKLOAD_ID]:analyzeWorkloadMove?project=projects/SOURCE_PROJECT_ID&page_size=PAGE_SIZE&page_token=PAGE_TOKEN

For example:

GET https://us-west1-assuredworkloads.googleapis.com/v1/organizations/919698298765/locations/us-west1/workloads/00-701ea036-7152-4781-a867-9f5:analyzeWorkloadMove?project=projects/my-project-123&page_size=5&page_token=CiAKGjBpNDd2Nmp2Zml2cXRwYjBpOXA

You should receive a JSON response similar to the following:

{"assetMoveAnalyses":[{"asset":"//orgpolicy.googleapis.com/projects/130536381852/policies/container.restrictNoncompliantDiagnosticDataAccess","assetType":"orgpolicy.googleapis.com/Policy"},{"asset":"//compute.googleapis.com/projects/my-project-123/global/routes/default-route-9ca6e6b0ab7326f0","assetType":"compute.googleapis.com/Route","analysisGroups":[{"displayName":"RESOURCE_LOCATIONS","analysisResult":{"warnings":[{"detail":"The asset's location 'global' is incompatible with the gcp.resourceLocations org policy effective at the target. In case of 'global only' assets, this may be ignored."}]}}]},{"asset":"//compute.googleapis.com/projects/my-project-123/regions/europe-west10/subnetworks/default","assetType":"compute.googleapis.com/Subnetwork","analysisGroups":[{"displayName":"RESOURCE_LOCATIONS","analysisResult":{"blockers":[{"detail":"The asset's location 'europe-west10' is incompatible with the gcp.resourceLocations org policy effective at the target."}]}}]},{"asset":"//serviceusage.googleapis.com/projects/130536381852/services/servicemanagement.googleapis.com","assetType":"serviceusage.googleapis.com/Service"},{"asset":"//serviceusage.googleapis.com/projects/130536381852/services/monitoring.googleapis.com","assetType":"serviceusage.googleapis.com/Service"},{"asset":"//serviceusage.googleapis.com/projects/130536381852/services/bigquerymigration.googleapis.com","assetType":"serviceusage.googleapis.com/Service","analysisGroups":[{"displayName":"DISALLOWED_SERVICES","analysisResult":{"warnings":[{"detail":"This service is not allowed by the gcp.restrictServiceUsage org policy effective at the target"}]}}]},{"asset":"//cloudresourcemanager.googleapis.com/projects/my-project-123","assetType":"cloudresourcemanager.googleapis.com/Project","analysisGroups":[{"displayName":"ORG_POLICIES","analysisResult":{"warnings":[{"detail":"constraints/gcp.resourceLocations: Target applies/inherits this custom policy and it is not applied by the source. Upon moving, this policy will get inherited from the target."},{"detail":"constraints/compute.disableInstanceDataAccessApis: Source applies this custom policy and it is not applied by the target."},{"detail":"constraints/cloudkms.allowedProtectionLevels: Source and target set different values for this policy."},{"detail":"constraints/container.restrictNoncompliantDiagnosticDataAccess: Source and target set different values for this policy."},{"detail":"constraints/gcp.restrictServiceUsage: Target applies/inherits this custom policy and it is not applied by the source. Upon moving, this policy will get inherited from the target."}],"blockers":[{"detail":"constraints/gcp.resourceLocations: The value applied at the source is not compliant with the target compliance program. The expected allowed values are [us-west4, us-west1, us-west2, us-west3, us-central1, us-east1, us-east4, us-south1, us-central2, us-east5]."},{"detail":"constraints/container.restrictNoncompliantDiagnosticDataAccess: The value applied at the source is not compliant with the target compliance program. The expected value is [true]."},{"detail":"constraints/container.restrictTLSVersion: The value applied at the source is not compliant with the target compliance program. The expected denied values are [TLS_VERSION_1, TLS_VERSION_1_1]."}]}}]}],"nextPageToken":"Ch8wLDc0MzY3NTExNCwzMzg4ODM1NTM2NDQ0NTg4MDMy"}

To filter the findings by a specific asset type, use the asset_types query parameter:

GET https://assuredworkloads.googleapis.com/v1/organizations/919698298765/locations/us-west1/workloads/00-701ea036-7152-4781-a867-9f5:analyzeWorkloadMove?project=projects/my-project-123&asset_types=cloudresourcemanager.googleapis.com/Project&page_size=5&page_token=CiAKGjBpNDd2Nmp2Zml2cXRwYjBpOXA

The results will only contain any findings of the specified type (cloudresourcemanager.googleapis.com/Project):

{"assetMoveAnalyses":[{"asset":"//cloudresourcemanager.googleapis.com/projects/my-project-123","assetType":"cloudresourcemanager.googleapis.com/Project","analysisGroups":[{"displayName":"ORG_POLICIES","analysisResult":{"warnings":[{"detail":"constraints/gcp.resourceLocations: Target applies/inherits this custom policy and it is not applied by the source. Upon moving, this policy will get inherited from the target."},{"detail":"constraints/compute.disableInstanceDataAccessApis: Source applies this custom policy and it is not applied by the target."}],"blockers":[{"detail":"constraints/gcp.resourceLocations: The value applied at the source is not compliant with the target compliance program. The expected allowed values are [us-west4, us-west1, us-west2, us-west3, us-central1, us-east1, us-east4, us-south1, us-central2, us-east5]."}]}}]}],"nextPageToken":"Ch8wLDc0MzY3NTExNCwzMzg4ODM1NTM2NDQ0NTg4MDMy"}

To filter the findings by more than one asset type, add each as an additional query parameter:

GET https://assuredworkloads.googleapis.com/v1/organizations/919698298765/locations/us-west1/workloads/00-701ea036-7152-4781-a867-9f5:analyzeWorkloadMove?project=projects/my-project-123&asset_types=cloudresourcemanager.googleapis.com/Project&asset_types=serviceusage.googleapis.com/Service&page_size=5&page_token=CiAKGjBpNDd2Nmp2Zml2cXRwYjBpOXA

The results will only contain any findings of the specified types (cloudresourcemanager.googleapis.com/Project and serviceusage.googleapis.com/Service):

{"assetMoveAnalyses":[{"asset":"//serviceusage.googleapis.com/projects/130536381852/services/bigquerymigration.googleapis.com","assetType":"serviceusage.googleapis.com/Service","analysisGroups":[{"displayName":"DISALLOWED_SERVICES","analysisResult":{"warnings":[{"detail":"This service is not allowed by the gcp.restrictServiceUsage org policy effective at the target"}]}}]},{"asset":"//cloudresourcemanager.googleapis.com/projects/my-project-123","assetType":"cloudresourcemanager.googleapis.com/Project","analysisGroups":[{"displayName":"ORG_POLICIES","analysisResult":{"warnings":[{"detail":"constraints/gcp.resourceLocations: Target applies/inherits this custom policy and it is not applied by the source. Upon moving, this policy will get inherited from the target."},{"detail":"constraints/compute.disableInstanceDataAccessApis: Source applies this custom policy and it is not applied by the target."}],"blockers":[{"detail":"constraints/gcp.resourceLocations: The value applied at the source is not compliant with the target compliance program. The expected allowed values are [us-west4, us-west1, us-west2, us-west3, us-central1, us-east1, us-east4, us-south1, us-central2, us-east5]."}]}}]}],"nextPageToken":"Ch8wLDc0MzY3NTExNCwzMzg4ODM1NTM2NDQ0NTg4MDMy"}

After you have performed the migration analysis, review and resolve any warnings or blockers, and then run the analysis again to verify that they have been addressed. Then, you can proceed with moving the project.
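
The request and triage loop described above, as an added example that is not part of the original page: it builds the analyzeWorkloadMove URL with one asset_types parameter per type, follows nextPageToken to the last page, and separates blockers from warnings. The helper names, the fetch callable and the two sample pages are assumptions constructed for illustration; a real fetch would send an authenticated GET.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
# Added example; helper names are illustrative, not part of any Google client library.
def build_url(endpoint, org, location, workload, project, asset_types=(), page_size=50, page_token=None):
    """Build the analyzeWorkloadMove URL; asset_types is repeated once per type."""
    params = [("project", f"projects/{project}"), *(("asset_types", t) for t in asset_types),
              ("page_size", page_size)]
    params += [("page_token", page_token)] if page_token else []
    return (f"{endpoint}/v1/organizations/{org}/locations/{location}"
            f"/workloads/{workload}:analyzeWorkloadMove?{urlencode(params, safe='/')}")

def iter_analyses(fetch, url_for):
    """Follow nextPageToken to the last page; fetch(url) returns the parsed JSON body."""
    token = None
    while True:
        page = fetch(url_for(token))
        yield from page.get("assetMoveAnalyses", [])
        token = page.get("nextPageToken")
        if not token:
            return

def triage(analyses):
    """Collect (group, asset, detail) per severity; assets with no findings omit analysisGroups."""
    findings = {"blockers": [], "warnings": []}
    for a in analyses:
        for group in a.get("analysisGroups", []):
            for severity, bucket in findings.items():
                for item in group.get("analysisResult", {}).get(severity, []):
                    bucket.append((group["displayName"], a["asset"], item["detail"]))
    return findings

# Constructed two-page sample in the response shape shown above (details shortened).
SAMPLE_PAGES = {
    None: {"nextPageToken": "SAMPLE_TOKEN", "assetMoveAnalyses": [
        {"asset": "//serviceusage.googleapis.com/projects/130536381852/services/monitoring.googleapis.com"},
        {"asset": "//compute.googleapis.com/projects/my-project-123/regions/europe-west10/subnetworks/default",
         "analysisGroups": [{"displayName": "RESOURCE_LOCATIONS", "analysisResult": {"blockers": [
             {"detail": "location 'europe-west10' is incompatible with gcp.resourceLocations"}]}}]}]},
    "SAMPLE_TOKEN": {"assetMoveAnalyses": [
        {"asset": "//serviceusage.googleapis.com/projects/130536381852/services/bigquerymigration.googleapis.com",
         "analysisGroups": [{"displayName": "DISALLOWED_SERVICES", "analysisResult": {"warnings": [
             {"detail": "service is not allowed by gcp.restrictServiceUsage"}]}}]}]}}

def fake_fetch(url):  # offline stand-in for an authenticated GET; selects the page by page_token
    return SAMPLE_PAGES[parse_qs(urlsplit(url).query).get("page_token", [None])[0]]

def run_sample():
    url_for = lambda tok: build_url("https://us-west1-assuredworkloads.googleapis.com", "919698298765",
                                    "us-west1", "00-701ea036-7152-4781-a867-9f5", "my-project-123", page_token=tok)
    return triage(iter_analyses(fake_fetch, url_for))
```

A non-empty "blockers" list from run_sample() means the move should wait until those findings are resolved and the analysis is rerun.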

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.