2-secops stage (#3038)

* new 2-secops stage
* new 3-secops-dev stage

---------

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>

tests/fast/stages/s0_bootstrap/simple.yaml

@@ -96,6 +96,7 @@ outputs:
       gcp-devops: group:gcp-devops@fast.example.com
       gcp-network-admins: group:gcp-vpc-network-admins@fast.example.com
       gcp-organization-admins: group:gcp-organization-admins@fast.example.com
+      gcp-secops-admins: group:gcp-secops-admins@fast.example.com
       gcp-security-admins: group:gcp-security-admins@fast.example.com
       gcp-support: group:gcp-support@example.com
     locations:

tests/fast/stages/s1_resman/simple.yaml

@@ -13,23 +13,23 @@
 # limitations under the License.
 
 counts:
-  google_folder: 12
-  google_folder_iam_binding: 51
+  google_folder: 14
+  google_folder_iam_binding: 67
   google_org_policy_policy: 2
-  google_organization_iam_member: 15
-  google_project_iam_member: 13
-  google_service_account: 13
-  google_service_account_iam_binding: 13
-  google_storage_bucket: 6
-  google_storage_bucket_iam_binding: 12
-  google_storage_bucket_iam_member: 13
-  google_storage_bucket_object: 15
-  google_tags_tag_binding: 12
+  google_organization_iam_member: 20
+  google_project_iam_member: 17
+  google_service_account: 17
+  google_service_account_iam_binding: 17
+  google_storage_bucket: 8
+  google_storage_bucket_iam_binding: 16
+  google_storage_bucket_iam_member: 17
+  google_storage_bucket_object: 19
+  google_tags_tag_binding: 14
   google_tags_tag_key: 2
-  google_tags_tag_value: 12
+  google_tags_tag_value: 13
   google_tags_tag_value_iam_binding: 4
-  modules: 32
-  resources: 195
+  modules: 40
+  resources: 247
 
 outputs:
   cicd_repositories:
@@ -49,6 +49,10 @@ outputs:
     project-factory-ro: fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
     project-factory-rw: fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
     sandbox: fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
+    secops-dev-ro: fast2-dev-resman-secops-0r@fast2-prod-automation.iam.gserviceaccount.com
+    secops-dev-rw: fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
+    secops-ro: fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
+    secops-rw: fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
     security-ro: fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
     security-rw: fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com
 

tests/fast/stages/s2_secops/simple.tfvars

@@ -0,0 +1,32 @@
+automation = {
+  outputs_bucket = "test"
+}
+billing_account = {
+  id = "000000-111111-222222"
+}
+custom_roles = {
+  project_iam_viewer = "organizations/123456789012/roles/bar"
+}
+environments = {
+  "dev" : {
+    "is_default" : true,
+    "key" : "dev",
+    "name" : "Development",
+    "short_name" : "dev",
+    "tag_name" : "development"
+  }
+}
+essential_contacts = "gcp-secops-admins@fast.example.com"
+folder_ids = {
+  secops = "folders/12345678"
+}
+organization = {
+  domain      = "fast.example.com"
+  id          = 123456789012
+  customer_id = "C00000000"
+}
+prefix = "fast"
+tag_values = {
+  "environment/development" = "tagValues/12345"
+  "environment/production"  = "tagValues/12346"
+}

tests/fast/stages/s2_secops/simple.yaml

@@ -0,0 +1,34 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+counts:
+  google_essential_contacts_contact: 1
+  google_project: 1
+  google_project_iam_binding: 1
+  google_project_iam_member: 1
+  google_project_service: 2
+  google_project_service_identity: 1
+  google_storage_bucket_object: 1
+  google_tags_tag_binding: 1
+  modules: 2
+  resources: 9
+
+outputs:
+  federated_identity_pool: null
+  secops_project_ids:
+    dev: fast-dev-secops-0
+  tfvars:
+    federated_identity_pool: null
+    secops_project_ids:
+      dev: fast-dev-secops-0

tests/fast/stages/s2_secops/tftest.yaml

@@ -0,0 +1,18 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: fast/stages/2-secops
+
+tests:
+  simple:

tests/fast/stages/s3_secops_dev/simple.tfvars

@@ -0,0 +1,45 @@
+billing_account = {
+  id = "012345-67890A-BCDEF0",
+}
+project_reuse = null
+folder_ids = {
+  "secops-dev" = "folders/123456789"
+}
+tenant_config = {
+  customer_id = "xxxxxx-xxxxxx-xxxxxx"
+  region      = "europe"
+}
+secops_project_ids = {
+  dev = "fast-dev-secops-0"
+}
+iam_default = {
+  viewers = ["gcp-secops-admins@fast.example.com"]
+}
+iam = {
+  "user:test@fast.example.com" = {
+    roles  = ["roles/chronicle.editor"]
+    scopes = ["gscope"]
+  }
+}
+workspace_integration_config = {
+  delegated_user        = "secops-feed@fast.example.com"
+  workspace_customer_id = "C121212"
+}
+data_rbac_config = {
+  labels = {
+    google = {
+      description = "Google logs"
+      label_id    = "google"
+      udm_query   = "principal.hostname=\"google.com\""
+    }
+  }
+  scopes = {
+    google = {
+      description = "Google logs"
+      scope_id    = "gscope"
+      allowed_data_access_labels = [{
+        data_access_label = "google"
+      }]
+    }
+  }
+}

tests/fast/stages/s3_secops_dev/simple.yaml

@@ -0,0 +1,37 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+counts:
+  google_apikeys_key: 1
+  google_chronicle_data_access_label: 1
+  google_chronicle_data_access_scope: 1
+  google_chronicle_reference_list: 1
+  google_chronicle_rule: 1
+  google_chronicle_rule_deployment: 1
+  google_org_policy_policy: 1
+  google_project: 1
+  google_project_iam_custom_role: 2
+  google_project_iam_member: 5
+  google_project_service: 9
+  google_project_service_identity: 5
+  google_secret_manager_secret: 2
+  google_secret_manager_secret_version: 2
+  google_service_account: 1
+  google_service_account_key: 1
+  modules: 4
+  resources: 41
+  restful_resource: 6
+
+outputs:
+  project_id: fast-dev-secops-0

tests/fast/stages/s3_secops_dev/tftest.yaml

@@ -0,0 +1,18 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: fast/stages/3-secops-dev/
+
+tests:
+  simple: