GCP custom role deny permission #450
Description
Hello - We are trying to configure custom role deny permission, something like below on referring the following YAML file. But this deny list is not working as expected during Terraform validation. Does this "GCPIAMCustomRolePermissionsConstraintV1" currently supports only "allowlist" mode? Please advise. If yes, please recommend, how we can prevent/restrict some permissions which are added during custom role creation? Please advise with recommended policy. Also, let us know if we can use latest Policy to achieve this requirement (like latest apiVersion and kind).
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMCustomRolePermissionsConstraintV1
metadata:
name: denylist-custom-role-permissions
annotations:
description: Custom role must only have specific permissions
spec:
severity: high
parameters:
mode: denylist
title: "Restrict custom role creation with PAM permissions"
permissions:
- "privilegedaccessmanager.entitlements.create"
- "privilegedaccessmanager.entitlements.setIamPolicy"
- "privilegedaccessmanager.entitlements.update"
- "resourcemanager.projects.setIamPolicy"