Public IP organization constraint override and VM orchestration verification

[fmichaelobrien]

prereq: 2 VPCs - one without a NAT (default), one with a NAT+Router (shared-vpc) Goal: public site ingress in both

VM in default (no nat) - without explicit public ip ephemeral code

none
--network-interface=stack-type=IPV4_ONLY,subnet=default,no-address 

gcloud compute instances create no-publicip --project=sharedvpc-ol1 --zone=us-central1-a --machine-type=e2-micro --network-interface=stack-type=IPV4_ONLY,subnet=default,no-address --maintenance-policy=MIGRATE --provisioning-model=STANDARD --service-account=978870925709-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --tags=http-server,https-server --create-disk=auto-delete=yes,boot=yes,device-name=no-publicip,image=projects/debian-cloud/global/images/debian-11-bullseye-v20230509,mode=rw,size=10,type=projects/sharedvpc-ol1/zones/us-central1-a/diskTypes/pd-balanced --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring --labels=ec-src=vm_add-gcloud --reservation-affinity=any

nic0 | default | default | 10.128.0.5 |   | IPv4 | None | - | Off | View details
-- | -- | -- | -- | -- | -- | -- | -- | -- | --

[nic0](https://console.cloud.google.com/networking/networkinterfaces/zones/us-central1-a/instances/no-publicip?networkInterface=nic0&project=sharedvpc-ol1) [default](https://console.cloud.google.com/networking/networks/details/default?project=sharedvpc-ol1)   [default](https://console.cloud.google.com/networking/subnetworks/details/us-central1/default?project=sharedvpc-ol1)    10.128.0.5      IPv4    None    -   Off [View details](https://console.cloud.google.com/networking/networkinterfaces/zones/us-central1-a/instances/no-publicip?networkInterface=nic0&project=sharedvpc-ol1)

default
gcloud compute instances create no-defaut-public-ip --project=sharedvpc-ol1 --zone=northamerica-northeast1-a --machine-type=e2-micro --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=default --maintenance-policy=MIGRATE --provisioning-model=STANDARD --service-account=978870925709-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --tags=http-server,https-server --create-disk=auto-delete=yes,boot=yes,device-name=no-defaut-public-ip,image=projects/debian-cloud/global/images/debian-11-bullseye-v20230509,mode=rw,size=10,type=projects/sharedvpc-ol1/zones/us-central1-a/diskTypes/pd-balanced --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring --labels=ec-src=vm_add-gcloud --reservation-affinity=any

nic0 | default | default | 10.162.0.4 |   | IPv4 | 35.203.27.160 (Ephemeral) | Premium | Off | View details
-- | -- | -- | -- | -- | -- | -- | -- | -- | --

[nic0](https://console.cloud.google.com/networking/networkinterfaces/zones/northamerica-northeast1-a/instances/no-defaut-public-ip?networkInterface=nic0&project=sharedvpc-ol1) [default](https://console.cloud.google.com/networking/networks/details/default?project=sharedvpc-ol1)   [default](https://console.cloud.google.com/networking/subnetworks/details/northamerica-northeast1/default?project=sharedvpc-ol1)    10.162.0.4      IPv4    35.203.27.160 (Ephemeral)   Premium Off [View details](https://console.cloud.google.com/networking/networkinterfaces/zones/northamerica-northeast1-a/instances/no-defaut-public-ip?networkInterface=nic0&project=sharedvpc-ol1)

VM above with public IP code

gcloud compute instances create default-explicit-public-ip --project=sharedvpc-ol1 --zone=northamerica-northeast1-a --machine-type=e2-micro --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=default --maintenance-policy=MIGRATE --provisioning-model=STANDARD --service-account=978870925709-compute@developer.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --tags=http-server,https-server --create-disk=auto-delete=yes,boot=yes,device-name=default-explicit-public-ip,image=projects/debian-cloud/global/images/debian-11-bullseye-v20230509,mode=rw,size=10,type=projects/sharedvpc-ol1/zones/us-central1-a/diskTypes/pd-balanced --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring --labels=ec-src=vm_add-gcloud --reservation-affinity=any

[nic0](https://console.cloud.google.com/networking/networkinterfaces/zones/northamerica-northeast1-a/instances/default-explicit-public-ip?networkInterface=nic0&project=sharedvpc-ol1)  [default](https://console.cloud.google.com/networking/networks/details/default?project=sharedvpc-ol1)   [default](https://console.cloud.google.com/networking/subnetworks/details/northamerica-northeast1/default?project=sharedvpc-ol1)    10.162.0.5      IPv4    35.203.42.228 (Ephemeral)   Premium Off [View details](https://console.cloud.google.com/networking/networkinterfaces/zones/northamerica-northeast1-a/instances/default-explicit-public-ip?networkInterface=nic0&project=sharedvpc-ol1)

GCP policy yaml get the instance name from asset inventory

//compute.googleapis.com/projects/sharedvpc-ol1/zones/northamerica-northeast1-a/instances/instance-n2

//compute.googleapis.com/projects/sharedvpc-ol1/zones/northamerica-northeast1-a/instances/instance-no-nat-pr

to
projects/sharedvpc-ol1/zones/northamerica-northeast1-a/instances/instance-no-nat-pr

constraints/compute.vmExternalIpAccess

gcloud code https://cloud.google.com/resource-manager/docs/organization-policy/using-constraints

gcloud org-policies set-policy ippolicy.yaml

[fmichaelobrien]

network-tier=PREMIUM brings in the public IP

[fmichaelobrien]

20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards This issue may participate in the LZ refactor after rebase Query on all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4