Move org policies lower in the project factory dependency chain to support extended context (#3937)

* module project-factory: include project in conditional_var context for org policies

* module project-factory: include project and folders in conditional_var context for org policies

- Move project org policies (explicit and factory) to the projects-iam invocation.
- Move folder org policies (explicit and factory) to folder-X-iam invocations (levels 1-4).
- Inject folder_ids into projects-iam condition_vars and pass resolved folders.
- Update and regenerate test inventories (example.yaml, simple.yaml, hardened.yaml).

TAG=agy
CONV=e0f45850-ab01-4600-a2b6-4de62465c204

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Luca Prete
2026-05-06 14:48:08 +02:00
committed by GitHub
parent 26dbaa2d6e
commit 04e64c4ae2
5 changed files with 119 additions and 84 deletions


@@ -4,7 +4,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
@@ -12,9 +12,19 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# yamllint disable rule:line-length
values:
module.project-factory.google_network_security_dns_threat_detector.dns_threat_detector["dev-ta-app0-be"]:
effective_labels:
goog-terraform-provisioned: 'true'
excluded_networks: []
labels: null
location: global
name: test-pf-dev-ta-app0-be
project: test-pf-dev-ta-app0-be
terraform_labels:
goog-terraform-provisioned: 'true'
threat_detector_provider: null
timeouts: null
module.project-factory.module.automation-bucket["dev-tb-app0-0/automation/tf-state"].google_storage_bucket.bucket[0]:
autoclass: []
cors: []
@@ -239,13 +249,8 @@ values:
parent: folders/5678901234
tags: null
timeouts: null
module.project-factory.module.folder-2["team-a/app-0"].google_folder.folder[0]:
deletion_protection: false
display_name: App 0
tags: null
timeouts: null
module.project-factory.module.folder-2["team-a/app-0"].google_org_policy_policy.default["compute.disableSerialPortAccess"]:
dry_run_spec: []
? module.project-factory.module.folder-2-iam["team-a/app-0"].google_org_policy_policy.default["compute.disableSerialPortAccess"]
: dry_run_spec: []
spec:
- inherit_from_parent: null
reset: null
@@ -257,6 +262,14 @@ values:
parameters: null
values: []
timeouts: null
module.project-factory.module.folder-2-iam["team-b/app-0"].google_tags_tag_binding.binding["drs-allow-all"]:
tag_value: tagValues/123456
timeouts: null
module.project-factory.module.folder-2["team-a/app-0"].google_folder.folder[0]:
deletion_protection: false
display_name: App 0
tags: null
timeouts: null
? module.project-factory.module.folder-2["team-a/app-0"].google_privileged_access_manager_entitlement.default["app-0-admins"]
: additional_notification_targets: []
approval_workflow:
@@ -290,9 +303,6 @@ values:
display_name: App 0
tags: null
timeouts: null
module.project-factory.module.folder-2-iam["team-b/app-0"].google_tags_tag_binding.binding["drs-allow-all"]:
tag_value: tagValues/123456
timeouts: null
module.project-factory.module.folder-2["team-c/apps"].google_folder.folder[0]:
deletion_protection: false
display_name: Apps
@@ -451,6 +461,37 @@ values:
- serviceAccount:app-0-be@test-pf-dev-tb-app0-1.iam.gserviceaccount.com
project: test-pf-dev-tb-app0-1
role: roles/run.developer
? module.project-factory.module.projects-iam["teams-iac-0"].google_org_policy_policy.default["compute.disableSerialPortAccess"]
: dry_run_spec: []
name: projects/test-pf-teams-iac-0/policies/compute.disableSerialPortAccess
parent: projects/test-pf-teams-iac-0
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'FALSE'
parameters: null
values: []
timeouts: null
? module.project-factory.module.projects-iam["teams-iac-0"].google_org_policy_policy.default["gcp.restrictCmekCryptoKeyProjects"]
: dry_run_spec: []
name: projects/test-pf-teams-iac-0/policies/gcp.restrictCmekCryptoKeyProjects
parent: projects/test-pf-teams-iac-0
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- denied_values: null
timeouts: null
module.project-factory.module.projects["dev-ta-app0-be"].data.google_storage_project_service_account.gcs_sa[0]:
project: test-pf-dev-ta-app0-be
user_project: null
@@ -681,9 +722,12 @@ values:
parent: projects/test-pf-teams-iac-0
timeouts: null
module.project-factory.module.projects["teams-iac-0"].google_iam_workload_identity_pool.default["test-0"]:
attestation_rules: []
description: null
disabled: null
display_name: Test pool.
inline_certificate_issuance_config: []
inline_trust_config: []
project: test-pf-teams-iac-0
timeouts: null
workload_identity_pool_id: test-0
@@ -691,11 +735,15 @@ values:
: attribute_condition: attribute.repository_owner=="my_org"
attribute_mapping:
attribute.actor: assertion.actor
attribute.event_name: assertion.event_name
attribute.fast_sub: '"repo:" + assertion.repository + ":ref:" + assertion.ref'
attribute.job_workflow_ref: assertion.job_workflow_ref
attribute.pr_review_sub: '"event:" + assertion.event_name + ":workflow:" + assertion.workflow'
attribute.ref: assertion.ref
attribute.repository: assertion.repository
attribute.repository_owner: assertion.repository_owner
attribute.sub: assertion.sub
attribute.workflow: assertion.workflow
google.subject: assertion.sub
aws: []
description: null
@@ -711,37 +759,6 @@ values:
workload_identity_pool_id: test-0
workload_identity_pool_provider_id: github-test
x509: []
module.project-factory.module.projects["teams-iac-0"].google_org_policy_policy.default["compute.disableSerialPortAccess"]:
dry_run_spec: []
name: projects/test-pf-teams-iac-0/policies/compute.disableSerialPortAccess
parent: projects/test-pf-teams-iac-0
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'FALSE'
parameters: null
values: []
timeouts: null
? module.project-factory.module.projects["teams-iac-0"].google_org_policy_policy.default["gcp.restrictCmekCryptoKeyProjects"]
: dry_run_spec: []
name: projects/test-pf-teams-iac-0/policies/gcp.restrictCmekCryptoKeyProjects
parent: projects/test-pf-teams-iac-0
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- denied_values: null
timeouts: null
module.project-factory.module.projects["teams-iac-0"].google_project.project[0]:
auto_create_network: false
billing_account: 012345-67890A-BCDEF0
@@ -847,6 +864,22 @@ values:
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
? module.project-factory.module.service-accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountUser"]
: condition: []
role: roles/iam.serviceAccountUser
? module.project-factory.module.service-accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.additive["$service_account_ids:_self_/app-0-fe-roles/iam.serviceAccountUser"]
: condition: []
role: roles/iam.serviceAccountUser
service_account_id: projects/test-pf-dev-ta-app0-be/serviceAccounts/app-0-fe@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
? module.project-factory.module.service-accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.bindings["test"]
: condition: []
member: group:team-a-admins@example.org
role: roles/iam.serviceAccountUser
? module.project-factory.module.service-accounts-iam["dev-tb-app0-0/vm-default"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
: condition: []
members:
- serviceAccount:dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
role: roles/iam.serviceAccountTokenCreator
? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project_roles["$project_ids:dev-spoke-0-roles/compute.networkUser"]
: condition: []
project: $project_ids:dev-spoke-0
@@ -930,22 +963,6 @@ values:
member: serviceAccount:app-0-be@test-pf-dev-tb-app0-1.iam.gserviceaccount.com
project: test-pf-dev-tb-app0-1
timeouts: null
? module.project-factory.module.service-accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountUser"]
: condition: []
role: roles/iam.serviceAccountUser
? module.project-factory.module.service-accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.additive["$service_account_ids:_self_/app-0-fe-roles/iam.serviceAccountUser"]
: condition: []
role: roles/iam.serviceAccountUser
service_account_id: projects/test-pf-dev-ta-app0-be/serviceAccounts/app-0-fe@test-pf-dev-ta-app0-be.iam.gserviceaccount.com
? module.project-factory.module.service-accounts-iam["dev-ta-app0-be/app-0-be"].google_service_account_iam_member.bindings["test"]
: condition: []
member: group:team-a-admins@example.org
role: roles/iam.serviceAccountUser
? module.project-factory.module.service-accounts-iam["dev-tb-app0-0/vm-default"].google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
: condition: []
members:
- serviceAccount:dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
role: roles/iam.serviceAccountTokenCreator
module.project-factory.terraform_data.defaults_preconditions:
input: null
output: null
@@ -995,6 +1012,8 @@ counts:
google_tags_tag_key: 1
google_tags_tag_value: 2
google_tags_tag_value_iam_binding: 1
modules: 35
modules: 37
resources: 119
terraform_data: 2
outputs: {}