This repository was archived by the owner on Aug 20, 2025. It is now read-only.

Samples seem wrong and documentation seems lacking on target combined with Forseti v2.25.2 #385

@vvdaal


https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md mentions "organizations" (plural).
Pretty much all examples on https://github.com/forseti-security/policy-library/tree/master/samples also mention "organizations" (plural).

However, when you use Forseti v2.25.2 (installed with the Forseti Terraform module), it seems any constraint that uses "organizations" for the target fails to work. What I mean by "fails to work" is that the constraints are not being processed and do nothing.

This seems related to: #372

Example that works on Forseti v2.25.2 (Note the non-plural organization):

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPEnforceLabelConstraintV1
metadata:
  name: require_labels
spec:
  severity: high
  match:
    target:
      - organization/123456789
  parameters:
    # required parameter: list of label objects that resources should have.
    # A label object is composed of a key value pair like:
    #
    #   "label_key": "label_value_regex_to_match"
    #
    # Any missing label results in a violation. For instance a resource with no label1 or label2 label,
    # in this sample case, would raise 2 violations: one for label1 being absent and one for label2.
    #
    # In the same spirit, a resource with label1 or label2 present, but with values not matching their respective regex
    # would also raise one violation per mismatch.
    #
    # In the following example, valid values for a label named "label1" would be only "label1-value",
    # but a label named label2 could have various values like "label2-value", "label2-valueOK" etc.
    #
    # A violation is raised if the label value does not match the pattern passed as a parameter here.
    mandatory_labels:
      - "owner": "^[a-zA-Z0-9]+$"
      - "service": "^[a-zA-Z0-9-]+$"
      - "environment": "prod|dta"

    # optional parameter: list of resource types to scan for labels
    # In this case we want to scan all resources so we comment this out.
    # any resource that is not of these types will not raise any violation.
    # In this sample use case, only non-compliant projects and buckets would be flagged.
    # If not passed, all tested resource types would be scanned for (see template for full list)
    #resource_types_to_scan:
    #  - "cloudresourcemanager.googleapis.com/Project"
    #  - "storage.googleapis.com/Bucket"

Not working on Forseti v2.25.2 (Note the plural organizations):

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPEnforceLabelConstraintV1
metadata:
  name: require_labels
spec:
  severity: high
  match:
    target:
      - organizations/123456789
  parameters:
    # required parameter: list of label objects that resources should have.
    # A label object is composed of a key value pair like:
    #
    #   "label_key": "label_value_regex_to_match"
    #
    # Any missing label results in a violation. For instance a resource with no label1 or label2 label,
    # in this sample case, would raise 2 violations: one for label1 being absent and one for label2.
    #
    # In the same spirit, a resource with label1 or label2 present, but with values not matching their respective regex
    # would also raise one violation per mismatch.
    #
    # In the following example, valid values for a label named "label1" would be only "label1-value",
    # but a label named label2 could have various values like "label2-value", "label2-valueOK" etc.
    #
    # A violation is raised if the label value does not match the pattern passed as a parameter here.
    mandatory_labels:
      - "owner": "^[a-zA-Z0-9]+$"
      - "service": "^[a-zA-Z0-9-]+$"
      - "environment": "prod|dta"

    # optional parameter: list of resource types to scan for labels
    # In this case we want to scan all resources so we comment this out.
    # any resource that is not of these types will not raise any violation.
    # In this sample use case, only non-compliant projects and buckets would be flagged.
    # If not passed, all tested resource types would be scanned for (see template for full list)
    #resource_types_to_scan:
    #  - "cloudresourcemanager.googleapis.com/Project"
    #  - "storage.googleapis.com/Bucket"

Why am I seeing this behavior? Are the docs and samples wrong? Does Forseti v2.25.2 have a bug? Any leads would be helpful.
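As an added example (not code from this issue or from the policy-library project), the following Python check pulls every `match.target` entry out of a set of constraint files and reports the ones whose prefix is not in the set the deployed scanner actually acts on. The accepted set `{"organization"}` is taken from the behaviour the post describes for v2.25.2 and is an assumption, not a verified fact about Forseti; the file names and trimmed YAML are constructed. Running a check like this before deploying policies catches the failure mode described above, where a constraint loads without error but never produces a violation.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample input: the two constraints from the issue, trimmed to the
# fields relevant here (kind, metadata, and the match.target list).
SAMPLE_CONSTRAINTS: Dict[str, str] = {
    "require_labels_singular.yaml": """apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPEnforceLabelConstraintV1
metadata:
  name: require_labels
spec:
  severity: high
  match:
    target:
    - organization/123456789
  parameters:
    mandatory_labels:
      - "owner": "^[a-zA-Z0-9]+$"
""",
    "require_labels_plural.yaml": """apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPEnforceLabelConstraintV1
metadata:
  name: require_labels
spec:
  severity: high
  match:
    target:
    - organizations/123456789
  parameters:
    mandatory_labels:
      - "owner": "^[a-zA-Z0-9]+$"
""",
}

# Matches one list entry such as `- organization/123456789`, quoted or not.
_TARGET_ITEM = re.compile(r"""^\s*-\s*['"]?([A-Za-z]+)/([^'"\s]+)['"]?\s*$""")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def extract_targets(yaml_text: str) -> List[Tuple[str, str]]:
    """Return (prefix, resource_id) for each entry of the first `target:` list.

    Deliberately line-based so it runs without PyYAML; it assumes the layout used
    in the policy-library samples (a `target:` key followed by `- <prefix>/<id>`
    entries at the same or deeper indentation). Comments and blank lines are skipped.
    """
    targets: List[Tuple[str, str]] = []
    in_target = False
    target_indent = 0
    for line in yaml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not in_target:
            if stripped == "target:":
                in_target = True
                target_indent = _indent(line)
            continue
        match = _TARGET_ITEM.match(line)
        if match and _indent(line) >= target_indent:
            targets.append((match.group(1), match.group(2)))
        else:
            break  # end of the list: another key or a dedent
    return targets


def find_mismatches(files: Dict[str, str], accepted_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (filename, target) for every target whose prefix is not accepted.

    `accepted_prefixes` is whatever the deployed scanner matches on. Per the issue
    above, Forseti v2.25.2 acted only on `organization/...`; that is an assumption
    taken from the post, not verified against the Forseti source.
    """
    accepted = set(accepted_prefixes)
    findings: List[Tuple[str, str]] = []
    for name, text in files.items():
        for prefix, resource_id in extract_targets(text):
            if prefix not in accepted:
                findings.append((name, f"{prefix}/{resource_id}"))
    return findings


if __name__ == "__main__":
    for filename, target in find_mismatches(SAMPLE_CONSTRAINTS, {"organization"}):
        print(f"{filename}: target {target!r} would be silently ignored by this scanner version")
```

Point `SAMPLE_CONSTRAINTS` at the real files in your policies directory and set the accepted prefixes to whatever form your installed version is confirmed to honour; a non-empty result means a policy that would be deployed but never evaluated.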
