diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index 621b42b53..5a40589e2 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
@@ -265,6 +265,7 @@ If a different convention is needed, identify names via search/grep (e.g. with `
Names used in internal references (e.g. `module.foo-prod.id`) are only used by Terraform and do not influence resource naming, so they are best left untouched to avoid having to debug complex errors.
+
## Files
@@ -275,7 +276,7 @@ Names used in internal references (e.g. `module.foo-prod.id`) are only used by T
| [billing.tf](./billing.tf) | Billing export project and dataset. | bigquery-dataset · organization · project | google_billing_account_iam_member · google_organization_iam_binding |
| [log-export.tf](./log-export.tf) | Audit log project and sink. | bigquery-dataset · gcs · logging-bucket · project · pubsub | |
| [main.tf](./main.tf) | Module-level locals and resources. | | |
-| [organization.tf](./organization.tf) | Organization-level IAM and org policies. | organization | google_organization_iam_binding |
+| [organization.tf](./organization.tf) | Organization-level IAM. | organization | google_organization_iam_binding |
| [outputs.tf](./outputs.tf) | Module outputs. | | local_file |
| [variables.tf](./variables.tf) | Module variables. | | |
@@ -308,3 +309,4 @@ Names used in internal references (e.g. `module.foo-prod.id`) are only used by T
+
diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf
index 04be206a4..a13480160 100644
--- a/fast/stages/00-bootstrap/organization.tf
+++ b/fast/stages/00-bootstrap/organization.tf
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-# tfdoc:file:description Organization-level IAM and org policies.
+# tfdoc:file:description Organization-level IAM.
locals {
# organization authoritative IAM bindings, in an easy to edit format before
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index f96ad16c3..10fbb6fde 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -23,6 +23,12 @@ locals {
module.branch-teams-dev-projectfactory-sa.iam_email,
module.branch-teams-prod-projectfactory-sa.iam_email
]
+ list_allow = {
+ inherit_from_parent = false
+ suggested_value = null
+ status = true
+ values = []
+ }
list_deny = {
inherit_from_parent = false
suggested_value = null
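Review bot: The new `local.list_allow` has `status = true` with `values = []`, so if the organization module translates an empty allow list into an allow-all rule (the mirror of how an empty deny list presumably becomes deny-all for `local.list_deny`), using it bare would open a constraint org-wide instead of closing it. Every use in this commit merges an explicit `values` override in, so nothing here is wrong, but a future `"constraints/…" = local.list_allow` line would silently become "allow everything" while reading like a hardening entry. A comment on the local would make the hazard explicit: `# allow-list base: must be merged with explicit values; used bare it means allow-all`. The `list_deny` local and the enclosing `locals` block continue outside the hunk.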
@@ -93,13 +99,13 @@ module "organization" {
}
policy_list = {
"constraints/cloudfunctions.allowedIngressSettings" = merge(
- local.list_deny, { values = ["ALLOW_INTERNAL_ONLY"] }
+ local.list_allow, { values = ["is:ALLOW_INTERNAL_ONLY"] }
)
"constraints/cloudfunctions.allowedVpcConnectorEgressSettings" = merge(
- local.list_deny, { values = ["PRIVATE_RANGES_ONLY"] }
+ local.list_allow, { values = ["is:PRIVATE_RANGES_ONLY"] }
)
"constraints/compute.restrictLoadBalancerCreationForTypes" = merge(
- local.list_deny, { values = ["in:INTERNAL"] }
+ local.list_allow, { values = ["in:INTERNAL"] }
)
"constraints/compute.vmExternalIpAccess" = local.list_deny
"constraints/iam.allowedPolicyMemberDomains" = {
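Review bot: The switched entries now each allow exactly one value, but nothing in the hunk records that this is a deliberate narrowing rather than a minimal transcription of the old deny values; `is:ALLOW_INTERNAL_ONLY` on `cloudfunctions.allowedIngressSettings`, for instance, presumably also rejects the `ALLOW_INTERNAL_AND_GCLB` setting, so functions fronted by an external load balancer cannot be deployed anywhere in the organization, and `in:INTERNAL` on `restrictLoadBalancerCreationForTypes` admits every internal load balancer type. A short comment above `policy_list` such as `# allow-lists below admit only the internal/private setting org-wide; relax per folder or project if a workload genuinely needs public ingress or egress` would tell the next maintainer these are intended org-wide defaults and where an exception is supposed to live. The `module "organization"` block continues outside the hunk.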
@@ -112,10 +118,10 @@ module "organization" {
)
}
"constraints/run.allowedIngress" = merge(
- local.list_deny, { values = ["internal"] }
+ local.list_allow, { values = ["is:internal"] }
)
"constraints/run.allowedVPCEgress" = merge(
- local.list_deny, { values = ["private-ranges-only"] }
+ local.list_allow, { values = ["is:private-ranges-only"] }
)
# "constraints/compute.restrictCloudNATUsage" = local.list_deny
# "constraints/compute.restrictDedicatedInterconnectUsage" = local.list_deny