From 0da20063c8f2b5bd1e8abb1e846d15a9346e4eff Mon Sep 17 00:00:00 2001 From: Luca Prete Date: Fri, 21 Jan 2022 19:38:18 +0100 Subject: [PATCH] Fix fast org policies (#444) * Fix fast org policies * Generate tfdoc * Minor refactoring of resman organization org policies Co-authored-by: Ludovico Magnocavallo --- fast/stages/00-bootstrap/README.md | 4 +++- fast/stages/00-bootstrap/organization.tf | 2 +- fast/stages/01-resman/organization.tf | 16 +++++++++++----- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md index 621b42b53..5a40589e2 100644 --- a/fast/stages/00-bootstrap/README.md +++ b/fast/stages/00-bootstrap/README.md @@ -265,6 +265,7 @@ If a different convention is needed, identify names via search/grep (e.g. with ` Names used in internal references (e.g. `module.foo-prod.id`) are only used by Terraform and do not influence resource naming, so they are best left untouched to avoid having to debug complex errors. + ## Files @@ -275,7 +276,7 @@ Names used in internal references (e.g. `module.foo-prod.id`) are only used by T | [billing.tf](./billing.tf) | Billing export project and dataset. | bigquery-dataset · organization · project | google_billing_account_iam_member · google_organization_iam_binding | | [log-export.tf](./log-export.tf) | Audit log project and sink. | bigquery-dataset · gcs · logging-bucket · project · pubsub | | | [main.tf](./main.tf) | Module-level locals and resources. | | | -| [organization.tf](./organization.tf) | Organization-level IAM and org policies. | organization | google_organization_iam_binding | +| [organization.tf](./organization.tf) | Organization-level IAM. | organization | google_organization_iam_binding | | [outputs.tf](./outputs.tf) | Module outputs. | | local_file | | [variables.tf](./variables.tf) | Module variables. | | | @@ -308,3 +309,4 @@ Names used in internal references (e.g. `module.foo-prod.id`) are only used by T + 
diff --git a/fast/stages/00-bootstrap/organization.tf b/fast/stages/00-bootstrap/organization.tf index 04be206a4..a13480160 100644 --- a/fast/stages/00-bootstrap/organization.tf +++ b/fast/stages/00-bootstrap/organization.tf @@ -14,7 +14,7 @@ * limitations under the License. */ -# tfdoc:file:description Organization-level IAM and org policies. +# tfdoc:file:description Organization-level IAM. locals { # organization authoritative IAM bindings, in an easy to edit format before diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf index f96ad16c3..10fbb6fde 100644 --- a/fast/stages/01-resman/organization.tf +++ b/fast/stages/01-resman/organization.tf @@ -23,6 +23,12 @@ locals { module.branch-teams-dev-projectfactory-sa.iam_email, module.branch-teams-prod-projectfactory-sa.iam_email ] + list_allow = { + inherit_from_parent = false + suggested_value = null + status = true + values = [] + } list_deny = { inherit_from_parent = false suggested_value = null @@ -93,13 +99,13 @@ module "organization" { } policy_list = { "constraints/cloudfunctions.allowedIngressSettings" = merge( - local.list_deny, { values = ["ALLOW_INTERNAL_ONLY"] } + local.list_allow, { values = ["is:ALLOW_INTERNAL_ONLY"] } ) "constraints/cloudfunctions.allowedVpcConnectorEgressSettings" = merge( - local.list_deny, { values = ["PRIVATE_RANGES_ONLY"] } + local.list_allow, { values = ["is:PRIVATE_RANGES_ONLY"] } ) "constraints/compute.restrictLoadBalancerCreationForTypes" = merge( - local.list_deny, { values = ["in:INTERNAL"] } + local.list_allow, { values = ["in:INTERNAL"] } ) "constraints/compute.vmExternalIpAccess" = local.list_deny "constraints/iam.allowedPolicyMemberDomains" = { 
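Review bot: The new `list_allow` local is only safe when its `values` are overridden, because with `status = true` and `values = []` a bare `local.list_allow` presumably becomes an allow-everything policy (the mirror image of the bare `local.list_deny` this file already uses for deny-all), which is the opposite of what a reader reaching for a list base would expect. Every use in this commit does go through `merge(local.list_allow, { values = [...] })`, but nothing stops a later entry from using it bare. I would add `# allow-list base: always merge in explicit values, an empty list would allow every value` above `list_allow = {`. The enclosing `locals` block starts before this hunk.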
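Review bot: The three rewritten entries switch to allow-lists carrying `is:`/`in:` prefixed values with no comment on either choice, so a reader cannot tell that `is:ALLOW_INTERNAL_ONLY` is an exact-match allow-list that rejects every other ingress setting, that `in:INTERNAL` names a value group, or why the bare `local.list_deny` on `compute.vmExternalIpAccess` a few lines down is a different, presumably deny-all, shape. I would add above `policy_list = {` a short comment along the lines of `# allow-lists pin a constraint to the listed values ("is:" exact match, "in:" value group); bare list_deny entries deny every value`. It is also worth checking that the remaining entries of this map follow the same convention, since the `iam.allowedPolicyMemberDomains` entry on the hunk's last line continues outside the hunk.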
@@ -112,10 +118,10 @@ module "organization" {
 )
 }
 "constraints/run.allowedIngress" = merge(
- local.list_deny, { values = ["internal"] }
+ local.list_allow, { values = ["is:internal"] }
 )
 "constraints/run.allowedVPCEgress" = merge(
- local.list_deny, { values = ["private-ranges-only"] }
+ local.list_allow, { values = ["is:private-ranges-only"] }
 )
 # "constraints/compute.restrictCloudNATUsage" = local.list_deny
 # "constraints/compute.restrictDedicatedInterconnectUsage" = local.list_deny
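Review bot: Allow-listing only `is:internal` for `run.allowedIngress` and `is:private-ranges-only` for `run.allowedVPCEgress` is the intended hardening, but it rejects every other Cloud Run ingress and egress value (such as `internal-and-cloud-load-balancing`) and nothing in the file records that this is deliberate, so the next person hitting a policy violation may simply relax it. I would add `# Cloud Run: internal-only ingress and private-range VPC egress; other values are intentionally rejected` above the `run.allowedIngress` entry. The two commented-out constraints at the end of the hunk still point at a bare `local.list_deny`, which reads as deny-all and should be reconsidered against the new `list_allow` pattern if they are ever enabled with explicit values. The enclosing `policy_list` map starts before this hunk.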