Create a policy library

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

As an organization administrator, you need to define policies that developers adhere to when applying infrastructure as code. Your organization's set of policies is represented as a policy library. This page helps you create a centralized policy repository and add constraints.

Before you begin

  • You need an empty Git repository for storing your organization's policy library.
  • You need to configure Git to connect securely. For example, if your Git repository is on GitHub, you can follow the process outlined in Connecting to GitHub with SSH.

Duplicate the sample library

Google provides a sample repository that includes a set of pre-defined constraint templates which you can modify for your personal use.

  1. Clone the policy library sample repository and duplicate it to your POLICY_LIBRARY_REPO:

    git clone https://github.com/GoogleCloudPlatform/policy-library.git
    cd policy-library
    git remote set-url origin POLICY_LIBRARY_REPO
    git push origin main

  2. Examine the available constraint templates in policies/templates:

    ls policies/templates

  3. Select the constraint templates you want to use. For this example, choose gcp_storage_location_v1.yaml, which enforces location for Cloud Storage buckets.

  4. Create constraint YAML files corresponding to those templates under policies/constraints.

  5. From inside your local copy of the policy-library repository, use the following commands to commit and push your changes:

    git add --all .
    git commit -m "Initial commit of policy library constraints"
    git push -u origin main
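The following is an added example, not part of the policy-library project or of this page: a POSIX shell check to run in your local clone after step 4 and before the commit in step 5. It assumes the layout described on this page (constraint YAML under policies/constraints, templates under policies/templates) and that each template declares its constraint kind at spec.crd.spec.names.kind; the file names and constraint kinds in the sample library it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the policy-library project): before pushing a
# policy library, confirm that every constraint under policies/constraints
# names a kind that some template under policies/templates declares.
# A constraint whose kind has no template is never enforced.

# Print every constraint kind declared by a template (spec.crd.spec.names.kind).
# Templates write it as an indented 'kind:' line; the top-level
# 'kind: ConstraintTemplate' line is unindented and so is skipped.
template_kinds() {
  local lib="$1"
  grep -h -E '^[[:space:]]+kind:' "$lib"/policies/templates/*.yaml 2>/dev/null \
    | sed -E 's/^[[:space:]]+kind:[[:space:]]*//' | tr -d "\"'\r" | sort -u
}

# Return 0 when every constraint file's top-level kind is backed by a template,
# 1 otherwise; each problem is reported on stderr.
check_constraints() {
  local lib="$1" rc=0 known f kind
  known="$(template_kinds "$lib")"
  for f in "$lib"/policies/constraints/*.yaml; do
    [ -e "$f" ] || continue            # constraints/ starts out empty
    kind="$(sed -nE 's/^kind:[[:space:]]*//p' "$f" | head -n 1 | tr -d "\"'\r")"
    if [ -z "$kind" ]; then
      echo "no top-level kind in $f" >&2; rc=1
    elif ! printf '%s\n' "$known" | grep -qxF -- "$kind"; then
      echo "no template declares kind $kind (used by $f)" >&2; rc=1
    fi
  done
  return "$rc"
}

# Build a constructed sample library in a temp dir (a stand-in for a real
# checkout): one constraint backed by a template and one whose kind has no
# template, as happens with a typo. Prints the directory path.
make_sample_lib() {
  local lib; lib="$(mktemp -d)"
  mkdir -p "$lib/policies/templates" "$lib/policies/constraints"
  printf 'kind: ConstraintTemplate\nspec:\n  crd:\n    spec:\n      names:\n        kind: GCPStorageLocationConstraintV1\n' \
    > "$lib/policies/templates/gcp_storage_location_v1.yaml"
  printf 'kind: GCPStorageLocationConstraintV1\nmetadata:\n  name: allow_us_buckets\n' \
    > "$lib/policies/constraints/storage_location.yaml"
  printf 'kind: GCPStorageLocatonConstraintV1\nmetadata:\n  name: typo\n' \
    > "$lib/policies/constraints/typo.yaml"
  echo "$lib"
}

# Stand-alone demo: typo.yaml is reported and the check fails.
check_constraints "$(make_sample_lib)" || echo "policy library check failed" >&2
```

Run `check_constraints .` from the root of your clone; a non-zero exit means at least one constraint would be silently ignored by the validator.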

Library structure

A policy library repository contains the following directories:

  • policies/ – This directory contains two subdirectories:

    • constraints/ – This directory is initially empty. Place your constraint files here.
    • templates/ – This directory contains pre-defined constraint templates.
  • validator/ – This directory contains the .rego files and their associated unit tests. You don't need to touch this directory unless you intend to modify existing constraint templates or create new ones. Running make build inlines the Rego content in the corresponding constraint template files.

Periodic updates

Periodically, pull any changes from the public repository, which might contain new templates and Rego files. Review what the pull brings in before pushing it to your organization's remote, since the merged templates and Rego become the policy your developers are checked against.

    git remote add public https://github.com/GoogleCloudPlatform/policy-library.git
    git pull public main
    git push origin main

Next steps

The policy library contains a number of constraint templates and a samples folder with example constraints. Read Create Terraform constraints or Create CAI constraints for details on how to write and use constraint templates and constraints.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.