From 1f0940a71659098100ae6748c42547adbd3b66ce Mon Sep 17 00:00:00 2001 From: Vannick Trinquier Date: Tue, 11 Nov 2025 14:00:49 +0700 Subject: [PATCH] Update yaml controls to match max line-length (#3520) * Update yaml controls to match max line-length * Add test for stage 0 with hardened datasets --------- Co-authored-by: Julio Castillo --- ...drunDisableEnvironmentVariablePattern.yaml | 10 +- ...tom.cloudsqlEnforcePasswordComplexity.yaml | 5 +- ...tom.cloudsqlRequireMySQLDatabaseFlags.yaml | 10 +- ...om.cloudsqlRequirePointInTimeRecovery.yaml | 6 +- ...loudsqlRequirePostgreSQLDatabaseFlags.yaml | 22 +- ...cloudsqlRequireSQLServerDatabaseFlags.yaml | 30 +- .../custom.dnsAllowedSigningAlgorithms.yaml | 8 +- ...tom.gkeDisableLegacyMetadataEndpoints.yaml | 5 +- .../custom.iamDisablePublicBindings.yaml | 8 +- .../observability/firewallRuleChanges.yaml | 3 +- ...RequireIngressInternalAndLoadBalancer.yaml | 7 +- .../cloudsqlRequirePointInTimeRecovery.yaml | 7 +- .../fast/stages/s0_org_setup/hardened.tfvars | 6 + tests/fast/stages/s0_org_setup/hardened.yaml | 5808 +++++++++++++++++ tests/fast/stages/s0_org_setup/tftest.yaml | 5 + 15 files changed, 5892 insertions(+), 48 deletions(-) create mode 100644 tests/fast/stages/s0_org_setup/hardened.tfvars create mode 100644 tests/fast/stages/s0_org_setup/hardened.yaml diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudrunDisableEnvironmentVariablePattern.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudrunDisableEnvironmentVariablePattern.yaml index 734727d2a..6e8a76f40 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudrunDisableEnvironmentVariablePattern.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudrunDisableEnvironmentVariablePattern.yaml 
@@ -12,12 +12,16 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - custom.cloudrunDisableEnvironmentVariablePattern: action_type: DENY condition: |- - resource.spec.template.spec.containers.exists(container, container.env.exists(env, ["[sS][eE][cC][rR][eE][tT]", "[kK][eE][yY]", "[pP][aA][sS][sS][wW][oO][rR][dD]", "[tT][oO][kK][eE][nN]"].exists(pattern, env.name.matches(pattern)))) + resource.spec.template.spec.containers.exists(container, + container.env.exists(env, + ["[sS][eE][cC][rR][eE][tT]", "[kK][eE][yY]", "[pP][aA][sS][sS][wW][oO][rR][dD]", "[tT][oO][kK][eE][nN]"].exists( + pattern, env.name.matches(pattern) + ) + ) + ) description: Enforce that certain patterns are not used in environment variables of Cloud Run Service or Cloud Run Functions display_name: Disable usage of certain patterns in Cloud Run Service or Cloud Run diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlEnforcePasswordComplexity.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlEnforcePasswordComplexity.yaml index 5729c6464..636f23b70 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlEnforcePasswordComplexity.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlEnforcePasswordComplexity.yaml 
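Review bot: The rewrapped condition still denies an env var named e.g. `API_KEY` or `DB_PASSWORD` even when its value is sourced from Secret Manager through `valueFrom.secretKeyRef`, which is the pattern this control should be steering people toward; only inline values are the risk. If the Cloud Run v1 shape seen by the constraint carries `valueFrom` (it does on the API resource, worth confirming with a dry run), the inner predicate can become `!has(env.valueFrom) && [...].exists(pattern, env.name.matches(pattern))`. RE2 also supports case-insensitive groups, so the four character-class patterns collapse to `env.name.matches('(?i)(secret|key|password|token)')`, which is easier to audit and keeps the unanchored substring match the original relies on. Since that match also hits names like `CACHE_KEY_PREFIX`, the description should say this is a name-based heuristic, not a secret detector; the constraint's `method_types`/`resource_types` are outside this hunk.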
@@ -12,12 +12,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - custom.cloudsqlEnforcePasswordComplexity: action_type: DENY condition: |- - resource.settings.passwordValidationPolicy.complexity != "COMPLEXITY_DEFAULT" || resource.settings.passwordValidationPolicy.minLength < 12 + resource.settings.passwordValidationPolicy.complexity != 'COMPLEXITY_DEFAULT' || + resource.settings.passwordValidationPolicy.minLength < 12 description: Ensure that Cloud SQL instance is configured with a password complexity to be combination of lowercase, uppercase, numeric, and non-alphanumeric characters display_name: Require Cloud SQL instances to configure password complexity to COMPLEXITY_DEFAULT diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireMySQLDatabaseFlags.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireMySQLDatabaseFlags.yaml index e06bbf196..fd23ef012 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireMySQLDatabaseFlags.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireMySQLDatabaseFlags.yaml 
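Review bot: The reformatted condition checks `complexity` and `minLength` but not `passwordValidationPolicy.enablePasswordPolicy`, so an instance that sets both values while leaving the policy disabled (which the API accepts, as I read it) passes the constraint without any complexity actually being enforced. Adding a third disjunct, `resource.settings.passwordValidationPolicy.enablePasswordPolicy != true ||`, closes that gap and still fails closed when the policy block is absent. It is also worth confirming in a dry run that an unset `complexity` evaluates to a string different from `'COMPLEXITY_DEFAULT'`, since the deny for instances with no policy at all depends on it.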
@@ -12,14 +12,16 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - custom.cloudsqlRequireMySQLDatabaseFlags: action_type: DENY condition: |- resource.databaseVersion.startsWith('MYSQL') && ( - (resource.settings.databaseFlags.exists(flag, flag.name == 'skip_show_database' && flag.value == 'on') == false) || - (resource.settings.databaseFlags.exists(flag, flag.name == 'local_infile' && flag.value == 'off') == false) + !resource.settings.databaseFlags.exists(flag, + flag.name == 'skip_show_database' && flag.value == 'on' + ) || + !resource.settings.databaseFlags.exists(flag, + flag.name == 'local_infile' && flag.value == 'off' + ) ) description: Ensure Cloud SQL for MySQL instance database flags are set correctly (e.g skip_show_database, local_infile) diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePointInTimeRecovery.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePointInTimeRecovery.yaml index 51aa371d5..5972e0adf 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePointInTimeRecovery.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePointInTimeRecovery.yaml 
@@ -12,12 +12,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - custom.cloudsqlRequirePointInTimeRecovery: action_type: DENY condition: |- - (resource.databaseVersion.contains("POSTGRES") || resource.databaseVersion.contains("SQLSERVER")) && resource.settings.backupConfiguration.pointInTimeRecoveryEnabled == false + (resource.databaseVersion.contains("POSTGRES") + || resource.databaseVersion.contains("SQLSERVER")) + && resource.settings.backupConfiguration.pointInTimeRecoveryEnabled == false description: Ensure that Cloud SQL instance is configure enable point in time recovery in the backup configuration. This setting is possibly for Postgres and SQLServer databases. diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePostgreSQLDatabaseFlags.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePostgreSQLDatabaseFlags.yaml index 103c0aeb9..a44029f4b 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePostgreSQLDatabaseFlags.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePostgreSQLDatabaseFlags.yaml 
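Review bot: The split condition still covers only PostgreSQL and SQL Server, so a MySQL instance without binary logging (the MySQL implementation of point-in-time recovery) is never denied here, while the SCC custom module in this same patch does check `binaryLogEnabled`. If MySQL is meant to be in scope for the preventive control too, add a branch: `|| (resource.databaseVersion.contains("MYSQL") && resource.settings.backupConfiguration.binaryLogEnabled == false)`. Either way the description should state which engines are covered; "This setting is possibly for Postgres and SQLServer databases" reads as uncertainty, whereas "pointInTimeRecoveryEnabled applies only to PostgreSQL and SQL Server; MySQL uses binary logging" says what the condition does.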
@@ -12,20 +12,22 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - custom.cloudsqlRequirePostgreSQLDatabaseFlags: action_type: DENY condition: |- resource.databaseVersion.startsWith('POSTGRES') && ( - !resource.settings.databaseFlags.exists(flag, flag.name == 'log_connections' && flag.value == 'on') || - !resource.settings.databaseFlags.exists(flag, flag.name == 'log_disconnections' && flag.value == 'on') || - !resource.settings.databaseFlags.exists(flag, flag.name == 'log_min_duration_statement' && flag.value == '-1') || - !resource.settings.databaseFlags.exists(flag, flag.name == 'cloudsql.enable_pgaudit' && flag.value == 'on') || - resource.settings.databaseFlags.exists(flag, flag.name == 'log_min_messages' && flag.value in ['error' , 'log', 'fatal', 'panic']) || - resource.settings.databaseFlags.exists(flag, flag.name == 'log_min_error_statement' && flag.value in ['log', 'fatal', 'panic']) || - resource.settings.databaseFlags.exists(flag, flag.name == 'log_error_verbosity' && flag.value in ['terse']) || - resource.settings.databaseFlags.exists(flag, flag.name == 'log_statement' && flag.value in ['none']) + !resource.settings.databaseFlags.exists(f, f.name == 'log_connections' && f.value == 'on') || + !resource.settings.databaseFlags.exists(f, f.name == 'log_disconnections' && f.value == 'on') || + !resource.settings.databaseFlags.exists(f, f.name == 'log_min_duration_statement' && f.value == '-1') || + !resource.settings.databaseFlags.exists(f, f.name == 'cloudsql.enable_pgaudit' && f.value == 'on') || + resource.settings.databaseFlags.exists(f, f.name == 'log_error_verbosity' && f.value == 'terse') || + resource.settings.databaseFlags.exists(f, f.name == 'log_statement' && f.value == 'none') || + resource.settings.databaseFlags.exists(f, + f.name == 'log_min_messages' && f.value in ['error' , 'log', 'fatal', 'panic'] + ) || + resource.settings.databaseFlags.exists(f, 
+ f.name == 'log_min_error_statement' && f.value in ['log', 'fatal', 'panic'] + ) ) description: Ensure Cloud SQL for PostgreSQL instance database flags are set correctly (e.g log_connections) diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireSQLServerDatabaseFlags.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireSQLServerDatabaseFlags.yaml index 5b47bd360..2f3216495 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireSQLServerDatabaseFlags.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireSQLServerDatabaseFlags.yaml 
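Review bot: Every value comparison in the rewritten condition is exact-case (`f.value == 'on'`, `f.value in ['error', 'log', 'fatal', 'panic']`), while PostgreSQL treats these enum settings case-insensitively; if the Cloud SQL API passes a value such as `ERROR` or `On` through unchanged (worth a dry-run check), the deny branches for `log_min_messages`, `log_min_error_statement`, `log_error_verbosity` and `log_statement` are bypassed by a capitalised value. A regex keeps the intent and is available in custom-constraint CEL: `f.name == 'log_min_messages' && f.value.matches('(?i)^(error|log|fatal|panic)$')`. Minor style point: this file renames the iteration variable to `f` while the MySQL and SQL Server constraints in the same patch keep `flag`; one name across the three files makes them easier to diff against each other.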
@@ -12,19 +12,31 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - custom.cloudsqlRequireSQLServerDatabaseFlags: action_type: DENY condition: |- resource.databaseVersion.startsWith('SQLSERVER') && ( - resource.settings.databaseFlags.exists(flag, flag.name == 'external scripts enabled' && flag.value == 'on') || - resource.settings.databaseFlags.exists(flag, flag.name == 'cross db ownership chaining' && flag.value == 'on') || - resource.settings.databaseFlags.exists(flag, flag.name == 'contained database authentication' && flag.value == 'on') || - resource.settings.databaseFlags.exists(flag, flag.name == 'user connections' && flag.value != '0') || - resource.settings.databaseFlags.exists(flag, flag.name == 'user options' && flag.value != '0') || - !resource.settings.databaseFlags.exists(flag, flag.name == 'remote access' && flag.value == 'off') || - !resource.settings.databaseFlags.exists(flag, flag.name == '3625' && flag.value == 'on') + resource.settings.databaseFlags.exists(flag, + flag.name == 'external scripts enabled' && flag.value == 'on' + ) || + resource.settings.databaseFlags.exists(flag, + flag.name == 'cross db ownership chaining' && flag.value == 'on' + ) || + resource.settings.databaseFlags.exists(flag, + flag.name == 'contained database authentication' && flag.value == 'on' + ) || + resource.settings.databaseFlags.exists(flag, + flag.name == 'user connections' && flag.value != '0' + ) || + resource.settings.databaseFlags.exists(flag, + flag.name == 'user options' && flag.value != '0' + ) || + !resource.settings.databaseFlags.exists(flag, + flag.name == 'remote access' && flag.value == 'off' + ) || + !resource.settings.databaseFlags.exists(flag, + flag.name == '3625' && flag.value == 'on' + ) ) description: Ensure Cloud SQL for SQLServer instance database flags are set correctly (e.g external scripts enabled ...) 
diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.dnsAllowedSigningAlgorithms.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.dnsAllowedSigningAlgorithms.yaml index 50dd3b2de..d301810d1 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.dnsAllowedSigningAlgorithms.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.dnsAllowedSigningAlgorithms.yaml @@ -12,12 +12,14 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - custom.dnsAllowedSigningAlgorithms: action_type: DENY condition: |- - resource.visibility == "PUBLIC" && resource.dnssecConfig.state == "ON" && resource.dnssecConfig.defaultKeySpecs.exists(spec, spec.algorithm in ["ECDSAP256SHA256"] == false) + resource.visibility == 'PUBLIC' && + resource.dnssecConfig.state == 'ON' && + resource.dnssecConfig.defaultKeySpecs.exists(spec, + spec.algorithm in ["ECDSAP256SHA256"] == false + ) description: Ensure that allowed signing algorithms are used for the Key-Signing key and Zone-Signing key in Cloud DNS DNSSEC display_name: Require Cloud DNS DNSSEC configured to use only allowed algorithms diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.gkeDisableLegacyMetadataEndpoints.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.gkeDisableLegacyMetadataEndpoints.yaml index 55b652a52..bbea18c81 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.gkeDisableLegacyMetadataEndpoints.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.gkeDisableLegacyMetadataEndpoints.yaml 
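Review bot: The condition only inspects `defaultKeySpecs` entries that are present, so a public zone created with `dnssecConfig.state == 'ON'` and no `defaultKeySpecs` passes even though Cloud DNS then picks its own default algorithm (RSASHA256, as I recall), which is the opposite of what the display name promises. If the request body seen by the constraint can omit the specs (likely on CREATE), guard the empty case as well: `(resource.dnssecConfig.defaultKeySpecs.size() == 0 || resource.dnssecConfig.defaultKeySpecs.exists(spec, !(spec.algorithm in ['ECDSAP256SHA256'])))`. The `!(… in …)` form also avoids leaning on CEL's left-to-right parse of `x in list == false`, and single quotes throughout match the `'PUBLIC'`/`'ON'` literals the hunk just switched to.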
@@ -12,12 +12,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - custom.gkeDisableLegacyMetadataEndpoints: action_type: DENY condition: |- - ('disable-legacy-endpoints' in resource.config.metadata && resource.config.metadata['disable-legacy-endpoints'] == 'false') + ('disable-legacy-endpoints' in resource.config.metadata && + resource.config.metadata['disable-legacy-endpoints'] == 'false') description: Enforce that GKE clusters are created with legacy metadata endpoints disabled display_name: Disable legacy metadata endpoints diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.iamDisablePublicBindings.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.iamDisablePublicBindings.yaml index 35385bef9..27e179543 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.iamDisablePublicBindings.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.iamDisablePublicBindings.yaml @@ -12,12 +12,14 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - custom.iamDisablePublicBindings: action_type: DENY condition: |- - resource.bindings.exists(binding, binding.members.exists(member, MemberSubjectMatches(member, ['allUsers', 'allAuthenticatedUsers']))) + resource.bindings.exists(binding, + binding.members.exists(member, + MemberSubjectMatches(member, ['allUsers', 'allAuthenticatedUsers']) + ) + ) description: Ensure no use of public bindings (allUsers, allAuthenticatedUsers) display_name: Deny use of public access bindings with allUsers or allAuthenticatedUsers method_types: 
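Review bot: The condition denies only the exact string `'false'`; any other non-`'true'` value for `disable-legacy-endpoints` (empty string, `'False'`, `'0'`) passes if GKE accepts it, and what GKE does with such values I cannot confirm from here. Since `'true'` is the only value that actually disables the legacy endpoints, the stricter and simpler form is `'disable-legacy-endpoints' in resource.config.metadata && resource.config.metadata['disable-legacy-endpoints'] != 'true'`. The outer parentheses the hunk keeps are no longer needed now the expression spans two lines, and the `resource_types` that decide whether `resource.config` (node pool) or `resource.nodeConfig` (cluster) is the right path sit outside this hunk.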
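Review bot: The description says the constraint ensures "no use" of public bindings, but an IAM custom constraint is evaluated only on the policy-setting calls listed under `method_types` (cut off at the end of this hunk); bindings granted before enforcement are neither removed nor reported. I would say so in the description, e.g. `description: Deny new IAM policies that grant roles to allUsers or allAuthenticatedUsers; existing public bindings must be found and removed separately`. The rewrapped `MemberSubjectMatches` expression itself is unchanged in meaning and reads better split across the two `exists` calls.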
diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/observability/firewallRuleChanges.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/observability/firewallRuleChanges.yaml index b1a0913f2..ac8296d59 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/observability/firewallRuleChanges.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/observability/firewallRuleChanges.yaml @@ -39,7 +39,8 @@ alerts: Firewall rule changes. This alert helps ensure security by monitoring creation, modification, or - deletion of firewall rules. ``` resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.patch" + deletion of firewall rules. + ``` resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete") ```' mime_type: text/markdown diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudrunRequireIngressInternalAndLoadBalancer.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudrunRequireIngressInternalAndLoadBalancer.yaml index 0cae26b1c..621c351b5 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudrunRequireIngressInternalAndLoadBalancer.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudrunRequireIngressInternalAndLoadBalancer.yaml 
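Review bot: The log filter quoted in the alert documentation lists `compute.firewalls.patch`, `insert` and `delete` but not `compute.firewalls.update` (the PUT that replaces a rule wholesale), so a rule rewritten through that method is not covered by the documented query and, if the alert condition elsewhere in this file mirrors the same filter, would not be alerted on either. Adding `OR protoPayload.methodName:"compute.firewalls.update"` inside the parenthesis covers it; the `:` operator already does substring matching, so the versioned `v1.compute…`/`beta.compute…` method names keep matching. Changes made through hierarchical or network firewall policies (`compute.firewallPolicies.*`, `compute.networkFirewallPolicies.*`) are logged under a different resource type as far as I know and fall outside this filter, which deserves a sentence in the doc so readers do not assume they are covered.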
@@ -12,13 +12,14 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - cloudrunRequireIngressInternalAndLoadBalancer: description: Detect if Cloud Run services are not configured to allow only internal traffic and traffic from load balancer predicate: - expression: (!resource.metadata.annotations['run.googleapis.com/ingress'].matches('internal-and-cloud-load-balancing')) + expression: |- + ( + !resource.metadata.annotations['run.googleapis.com/ingress'].matches('internal-and-cloud-load-balancing') + ) recommendation: Ensure Cloud Run services are configured to allow only internal traffic and traffic from load balancer resource_selector: diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudsqlRequirePointInTimeRecovery.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudsqlRequirePointInTimeRecovery.yaml index 9b78793d6..485b88463 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudsqlRequirePointInTimeRecovery.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudsqlRequirePointInTimeRecovery.yaml @@ -12,12 +12,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -# yamllint disable rule:line-length - cloudsqlRequirePointInTimeRecovery: description: Detect if the CloudSQL instances have point in time recovery disabled predicate: - expression: (!resource.settings.backupConfiguration.binaryLogEnabled && !resource.settings.backupConfiguration.pointInTimeRecoveryEnabled + expression: |- + ( + !resource.settings.backupConfiguration.binaryLogEnabled && + !resource.settings.backupConfiguration.pointInTimeRecoveryEnabled ) recommendation: Ensure the CloudSQL instances have point in time recovery enabled resource_selector: 
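Review bot: The predicate indexes `resource.metadata.annotations['run.googleapis.com/ingress']` directly, and that annotation is absent on a service that was never given an ingress setting, which is exactly the insecure default (`all`). In CEL a missing map key is an evaluation error rather than `false`, so I would expect the module to skip precisely the services it most needs to flag; a test against a default service would confirm. A presence check fixes it and replaces the unanchored `matches` with an equality: `!('run.googleapis.com/ingress' in resource.metadata.annotations) || resource.metadata.annotations['run.googleapis.com/ingress'] != 'internal-and-cloud-load-balancing'`. Note this still flags `internal` (no load balancer at all), which is stricter than the required value; if that is intended the description should say so.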
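Review bot: The predicate has no guard on instance type, so read replicas, which cannot carry their own backup configuration and as I understand the API report both `binaryLogEnabled` and `pointInTimeRecoveryEnabled` as false, would each produce a finding nobody can act on. If the `sqladmin.googleapis.com/Instance` view exposed to SHA custom modules includes `instanceType` (worth confirming), prepend `resource.instanceType == 'CLOUD_SQL_INSTANCE' &&` to the two negations. The `resource_selector` that scopes the module is outside this hunk.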
diff --git a/tests/fast/stages/s0_org_setup/hardened.tfvars b/tests/fast/stages/s0_org_setup/hardened.tfvars
new file mode 100644
index 000000000..49c56d8d2
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/hardened.tfvars
@@ -0,0 +1,6 @@
+factories_config = {
+ cicd = "data-simple/cicd.yaml"
+ defaults = "data-simple/defaults.yaml"
+ organization = "datasets/hardened/organization"
+ projects = "datasets/hardened/projects"
+}
diff --git a/tests/fast/stages/s0_org_setup/hardened.yaml b/tests/fast/stages/s0_org_setup/hardened.yaml
new file mode 100644
index 000000000..254833dd3
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/hardened.yaml
@@ -0,0 +1,5808 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yamllint disable rule:line-length +values: + google_iam_workload_identity_pool.default[0]: + description: null + disabled: null + display_name: null + project: ft0-prod-iac-core-0 + timeouts: null + workload_identity_pool_id: iac-0 + google_iam_workload_identity_pool_provider.default["github"]: + attribute_condition: attribute.repository_owner=="my_org" + attribute_mapping: + attribute.actor: assertion.actor + attribute.fast_sub: '"repo:" + assertion.repository + ":ref:" + assertion.ref' + attribute.ref: assertion.ref + attribute.repository: assertion.repository + attribute.repository_owner: assertion.repository_owner + attribute.sub: assertion.sub + google.subject: assertion.sub + aws: [] + description: null + disabled: null + display_name: null + oidc: + - allowed_audiences: [] + issuer_uri: https://token.actions.githubusercontent.com + jwks_json: null + project: ft0-prod-iac-core-0 + saml: [] + timeouts: null + workload_identity_pool_id: iac-0 + workload_identity_pool_provider_id: github + x509: [] + google_storage_bucket_object.providers["0-org-setup"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n 
* http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ + \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ + \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + deletion_policy: null + detect_md5hash: different hash + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/0-org-setup-providers.tf + retention: [] + source: null + source_md5hash: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["0-org-setup-ro"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ 
License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ + \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ + \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + deletion_policy: null + detect_md5hash: different hash + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/0-org-setup-ro-providers.tf + retention: [] + source: null + source_md5hash: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["1-vpcsc"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"1-vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n 
impersonate_service_account = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + deletion_policy: null + detect_md5hash: different hash + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/1-vpcsc-providers.tf + retention: [] + source: null + source_md5hash: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-networking"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"2-networking\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + deletion_policy: null + detect_md5hash: different hash + event_based_hold: null + force_empty_content_type: null + metadata: null + 
name: providers/2-networking-providers.tf + retention: [] + source: null + source_md5hash: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-project-factory"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix =\ + \ \"2-project-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider \"\ + google-beta\" {\n impersonate_service_account = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + deletion_policy: null + detect_md5hash: different hash + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/2-project-factory-providers.tf + retention: [] + source: null + source_md5hash: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-security"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ 
License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"2-security\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + deletion_policy: null + detect_md5hash: different hash + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/2-security-providers.tf + retention: [] + source: null + source_md5hash: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.tfvars["globals"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: 
'{"billing_account":{"id":"012345-012345-012345"},"groups":{"domain":"domain:example.org","gcp-billing-admins":"group:gcp-billing-admins@example.org","gcp-devops":"group:gcp-devops@example.org","gcp-network-admins":"group:gcp-network-admins@example.org","gcp-organization-admins":"group:fabric-fast-owners@google.com","gcp-secops-admins":"group:gcp-secops-admins@example.org","gcp-security-admins":"group:gcp-security-admins@example.org","gcp-support":"group:gcp-support@example.org"},"organization":{"customer_id":"abcd123456","domain":"example.org","id":"1234567890"},"prefix":"ft0","universe":null}' + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + deletion_policy: null + detect_md5hash: different hash + event_based_hold: null + force_empty_content_type: null + metadata: null + name: tfvars/0-globals.auto.tfvars.json + retention: [] + source: null + source_md5hash: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.tfvars["org-setup"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + deletion_policy: null + detect_md5hash: different hash + event_based_hold: null + force_empty_content_type: null + metadata: null + name: tfvars/0-org-setup.auto.tfvars.json + retention: [] + source: null + source_md5hash: null + temporary_hold: null + timeouts: null + local_file.providers["0-org-setup"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ 
CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ + \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ + \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/0-org-setup-providers.tf + sensitive_content: null + source: null + local_file.providers["0-org-setup-ro"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ + \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ + \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + 
directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf + sensitive_content: null + source: null + local_file.providers["1-vpcsc"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"1-vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/1-vpcsc-providers.tf + sensitive_content: null + source: null + local_file.providers["2-networking"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed 
on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"2-networking\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/2-networking-providers.tf + sensitive_content: null + source: null + local_file.providers["2-project-factory"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix =\ + \ \"2-project-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider \"\ + 
google-beta\" {\n impersonate_service_account = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/2-project-factory-providers.tf + sensitive_content: null + source: null + local_file.providers["2-security"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"2-security\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/2-security-providers.tf + sensitive_content: null + source: null + local_file.tfvars["globals"]: + content: 
'{"billing_account":{"id":"012345-012345-012345"},"groups":{"domain":"domain:example.org","gcp-billing-admins":"group:gcp-billing-admins@example.org","gcp-devops":"group:gcp-devops@example.org","gcp-network-admins":"group:gcp-network-admins@example.org","gcp-organization-admins":"group:fabric-fast-owners@google.com","gcp-secops-admins":"group:gcp-secops-admins@example.org","gcp-security-admins":"group:gcp-security-admins@example.org","gcp-support":"group:gcp-support@example.org"},"organization":{"customer_id":"abcd123456","domain":"example.org","id":"1234567890"},"prefix":"ft0","universe":null}' + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json + sensitive_content: null + source: null + local_file.tfvars["org-setup"]: + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json + sensitive_content: null + source: null + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_admins"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: group:fabric-fast-owners@google.com + role: roles/billing.admin + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_sa"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.admin + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_networking_sa"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.user + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_pf_sa"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: 
serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.user + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_security_sa"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.user + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_viewer_org_ro"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.viewer + module.factory.module.bigquery-datasets["billing-0/billing_export"].google_bigquery_dataset.default: + dataset_id: billing_export + default_encryption_configuration: [] + default_partition_expiration_ms: null + default_table_expiration_ms: null + delete_contents_on_destroy: false + description: Terraform managed. + effective_labels: + goog-terraform-provisioned: 'true' + external_catalog_dataset_options: [] + external_dataset_reference: [] + friendly_name: Billing export + labels: null + location: europe-west1 + max_time_travel_hours: '168' + project: ft0-prod-billing-exp-0 + resource_tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + ip_filter: [] + labels: null + lifecycle_rule: [] + location: EUROPE-WEST1 + logging: [] + name: ft0-prod-iac-core-0-iac-org-state + project: ft0-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + 
uniform_bucket_level_access: true + versioning: + - enabled: true + ? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-org-state + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/storageViewer + timeouts: null + ? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-org-state + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.admin + timeouts: null + module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + ip_filter: [] + labels: null + lifecycle_rule: [] + location: EUROPE-WEST1 + logging: [] + name: ft0-prod-iac-core-0-iac-outputs + project: ft0-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + ? 
module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-outputs + condition: [] + members: + - serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/storageViewer + timeouts: null + module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"]: + bucket: ft0-prod-iac-core-0-iac-outputs + condition: [] + members: + - serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.admin + timeouts: null + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + ip_filter: [] + labels: null + lifecycle_rule: [] + location: 
EUROPE-WEST1 + logging: [] + name: ft0-prod-iac-core-0-iac-stage-state + project: ft0-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["1-vpcsc/"]: + bucket: ft0-prod-iac-core-0-iac-stage-state + force_destroy: false + name: 1-vpcsc/ + timeouts: null + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-networking/"]: + bucket: ft0-prod-iac-core-0-iac-stage-state + force_destroy: false + name: 2-networking/ + timeouts: null + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-project-factory/"]: + bucket: ft0-prod-iac-core-0-iac-stage-state + force_destroy: false + name: 2-project-factory/ + timeouts: null + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-security/"]: + bucket: ft0-prod-iac-core-0-iac-stage-state + force_destroy: false + name: 2-security/ + timeouts: null + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["3-data-platform-dev/"]: + bucket: ft0-prod-iac-core-0-iac-stage-state + force_destroy: false + name: 3-data-platform-dev/ + timeouts: null + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["1-vpcsc/$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 1-vpcsc/ + members: + - serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/storageViewer + ? 
module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["1-vpcsc/roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 1-vpcsc/ + members: + - serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.admin + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-networking/ + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/storageViewer + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-networking/ + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.admin + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-project-factory/ + members: + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/storageViewer + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-project-factory/ + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.admin + ? 
module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-security/ + members: + - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/storageViewer + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-security/ + members: + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.admin + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["3-data-platform-dev/$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 3-data-platform-dev/ + members: + - serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/storageViewer + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["3-data-platform-dev/roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 3-data-platform-dev/ + members: + - serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.admin + ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"] + : condition: [] + members: + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/projectIamViewer + ? 
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"] + : condition: [] + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/serviceProjectNetworkAdmin + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.viewer"]: + condition: [] + members: + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/compute.viewer + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/logging.admin + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/owner + ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + : condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + : condition: [] + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + ? 
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + : condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"] + : condition: [] + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/viewer + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["dp_dev_ro"]: + condition: + - description: null + expression: 'resource.matchTag(''1234567890/environment'', ''development'') + + ' + title: Data platform dev network viewer. + members: + - serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/compute.networkViewer + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["dp_dev_rw"]: + condition: + - description: null + expression: 'resource.matchTag(''1234567890/environment'', ''development'') + + ' + title: Data platform dev service project admin. 
+ members: + - serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/serviceProjectNetworkAdmin + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["project_factory"]: + condition: + - description: null + expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\ + \ 'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',\n 'roles/container.hostServiceAgentUser',\ + \ 'roles/vpcaccess.user'\n])" + title: Project factory delegated IAM grant. + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.projectIamAdmin + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]: + condition: [] + members: + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/projectIamViewer + ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"] + : condition: [] + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/cloudkms.cryptoKeyEncrypterDecrypter + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"]: + condition: [] + members: + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/cloudkms.viewer + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/logging.admin + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/owner 
+ ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + : condition: [] + members: + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + : condition: [] + members: + - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + : condition: [] + members: + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + members: + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: + condition: [] + members: + - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/viewer + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.bindings["project_factory"]: + condition: + - description: null + expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\ + \ 'roles/cloudkms.cryptoKeyEncrypterDecrypter'\n])" + title: Project factory delegated IAM grant. 
+ members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.projectIamAdmin + ? module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"] + : condition: [] + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/serviceProjectNetworkAdmin + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/owner + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + ? 
module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + : condition: [] + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: + condition: [] + members: + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/viewer + module.factory.module.folder-1["data-platform"].google_folder.folder[0]: + deletion_protection: false + display_name: Data Platform + parent: organizations/1234567890 + tags: null + timeouts: null + module.factory.module.folder-1["networking"].google_folder.folder[0]: + deletion_protection: false + display_name: Networking + parent: organizations/1234567890 + tags: null + timeouts: null + module.factory.module.folder-1["security"].google_folder.folder[0]: + deletion_protection: false + display_name: Security + parent: organizations/1234567890 + tags: null + timeouts: null + module.factory.module.folder-1["teams"].google_folder.folder[0]: + deletion_protection: false + display_name: Teams + parent: organizations/1234567890 + tags: null + timeouts: null + module.factory.module.folder-1["teams"].google_tags_tag_binding.binding["context"]: + timeouts: null + 
module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/logging.admin + module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/owner + ? module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + : condition: [] + members: + - serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + ? module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + : condition: [] + members: + - serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + ? module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + : condition: [] + members: + - serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/viewer + ? 
module.factory.module.folder-2-iam["networking/dev"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"] + : condition: [] + members: + - serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: organizations/1234567890/roles/projectIamViewer + module.factory.module.folder-2-iam["networking/dev"].google_folder_iam_binding.bindings["dp_dev"]: + condition: + - description: null + expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\ + \ 'organizations/1234567890/roles/serviceProjectNetworkAdmin'\n])\n" + title: Data platform dev delegated IAM grant. + members: + - serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.projectIamAdmin + module.factory.module.folder-2["data-platform/dev"].google_folder.folder[0]: + deletion_protection: false + display_name: Development + tags: null + timeouts: null + module.factory.module.folder-2["data-platform/dev"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.factory.module.folder-2["data-platform/prod"].google_folder.folder[0]: + deletion_protection: false + display_name: Production + tags: null + timeouts: null + module.factory.module.folder-2["data-platform/prod"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.factory.module.folder-2["networking/dev"].google_folder.folder[0]: + deletion_protection: false + display_name: Development + tags: null + timeouts: null + module.factory.module.folder-2["networking/dev"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.factory.module.folder-2["networking/prod"].google_folder.folder[0]: + deletion_protection: false + display_name: Production + tags: null + timeouts: null + module.factory.module.folder-2["networking/prod"].google_tags_tag_binding.binding["environment"]: + timeouts: null + 
module.factory.module.log-buckets["log-0/audit-logs"].google_logging_project_bucket_config.bucket[0]: + bucket_id: audit-logs + cmek_settings: [] + enable_analytics: false + index_configs: [] + location: europe-west1 + locked: null + project: ft0-prod-audit-logs-0 + retention_days: 30 + module.factory.module.log-buckets["log-0/iam"].google_logging_project_bucket_config.bucket[0]: + bucket_id: iam + cmek_settings: [] + enable_analytics: false + index_configs: [] + location: europe-west1 + locked: null + project: ft0-prod-audit-logs-0 + retention_days: 30 + module.factory.module.log-buckets["log-0/vpc-sc"].google_logging_project_bucket_config.bucket[0]: + bucket_id: vpc-sc + cmek_settings: [] + enable_analytics: true + index_configs: [] + location: europe-west1 + locked: null + project: ft0-prod-audit-logs-0 + retention_days: 31 + module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-billing-exp-0 + role: roles/owner + module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-billing-exp-0 + role: roles/viewer + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["$custom_roles:storage_viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: organizations/1234567890/roles/storageViewer + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/browser"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/browser + 
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/cloudbuild.builds.editor + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/cloudbuild.builds.viewer + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/iam.serviceAccountAdmin + ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] + members: + - group:fabric-fast-owners@google.com + project: ft0-prod-iac-core-0 + role: roles/iam.serviceAccountTokenCreator + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/iam.serviceAccountViewer + ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"] + : condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/iam.workloadIdentityPoolAdmin + ? 
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"] + : condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/iam.workloadIdentityPoolViewer + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/owner + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/storage.admin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/storage.admin + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + role: roles/viewer + module.factory.module.projects-iam["log-0"].google_logging_metric.metrics["auditConfigChanges"]: + bucket_options: [] + description: Audit Configuration Changes + disabled: null + filter: protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:* + label_extractors: + folder_id: EXTRACT(labels.folder_id) + method_name: EXTRACT(protoPayload.methodName) + organization_id: EXTRACT(labels.organization_id) + principal: EXTRACT(protoPayload.authenticationInfo.principalEmail) + project_id: EXTRACT(labels.project_id) + metric_descriptor: + - display_name: null + labels: + - description: folder_id + key: folder_id + value_type: STRING + - description: method_name + key: method_name + value_type: STRING + - description: organization_id + key: organization_id + value_type: STRING + - description: principal + key: principal + value_type: STRING + - description: 
project_id + key: project_id + value_type: STRING + metric_kind: DELTA + unit: '1' + value_type: INT64 + name: auditConfigChanges + project: ft0-prod-audit-logs-0 + timeouts: null + value_extractor: null + module.factory.module.projects-iam["log-0"].google_logging_metric.metrics["cloudsqlInstanceChanges"]: + bucket_options: [] + description: Cloud SQL Instance Configuration Changes + disabled: null + filter: protoPayload.methodName="cloudsql.instances.update" + label_extractors: + database_id: EXTRACT(labels.database_id) + method_name: EXTRACT(protoPayload.methodName) + principal: EXTRACT(protoPayload.authenticationInfo.principalEmail) + project_id: EXTRACT(labels.project_id) + metric_descriptor: + - display_name: null + labels: + - description: database_id + key: database_id + value_type: STRING + - description: method_name + key: method_name + value_type: STRING + - description: principal + key: principal + value_type: STRING + - description: project_id + key: project_id + value_type: STRING + metric_kind: DELTA + unit: '1' + value_type: INT64 + name: cloudsqlInstanceChanges + project: ft0-prod-audit-logs-0 + timeouts: null + value_extractor: null + module.factory.module.projects-iam["log-0"].google_logging_metric.metrics["customRoleChanges"]: + bucket_options: [] + description: Custom Role Changes + disabled: null + filter: "resource.type=\"iam_role\" AND (\n protoPayload.methodName=\"google.iam.admin.v1.CreateRole\"\ + \ OR\n protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\" OR\n protoPayload.methodName=\"\ + google.iam.admin.v1.DeleteRole\"\n)" + label_extractors: + method_name: EXTRACT(protoPayload.methodName) + organization_id: EXTRACT(labels.organization_id) + principal: EXTRACT(protoPayload.authenticationInfo.principalEmail) + project_id: EXTRACT(labels.project_id) + role_name: EXTRACT(labels.role_name) + metric_descriptor: + - display_name: null + labels: + - description: method_name + key: method_name + value_type: STRING + - description: 
organization_id + key: organization_id + value_type: STRING + - description: principal + key: principal + value_type: STRING + - description: project_id + key: project_id + value_type: STRING + - description: role_name + key: role_name + value_type: STRING + metric_kind: DELTA + unit: '1' + value_type: INT64 + name: customRoleChanges + project: ft0-prod-audit-logs-0 + timeouts: null + value_extractor: null + module.factory.module.projects-iam["log-0"].google_logging_metric.metrics["firewallPolicyRuleChanges"]: + bucket_options: [] + description: Network Firewall Policy Rule Changes + disabled: null + filter: "resource.labels.method:\"compute.networkFirewallPolicies\" AND (\n protoPayload.methodName:\"\ + compute.networkFirewallPolicies.addRule\" OR\n protoPayload.methodName:\"compute.networkFirewallPolicies.removeRule\"\ + \ OR\n protoPayload.methodName:\"compute.networkFirewallPolicies.patchRule\"\ + \n)" + label_extractors: + method_name: EXTRACT(protoPayload.methodName) + principal: EXTRACT(protoPayload.authenticationInfo.principalEmail) + metric_descriptor: + - display_name: null + labels: + - description: method_name + key: method_name + value_type: STRING + - description: principal + key: principal + value_type: STRING + metric_kind: DELTA + unit: '1' + value_type: INT64 + name: firewallPolicyRuleChanges + project: ft0-prod-audit-logs-0 + timeouts: null + value_extractor: null + module.factory.module.projects-iam["log-0"].google_logging_metric.metrics["firewallRuleChanges"]: + bucket_options: [] + description: VPC Network Firewall Rule Changes + disabled: null + filter: resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.patch" + OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete") + label_extractors: + firewall_rule_id: EXTRACT(labels.firewall_rule_id) + method_name: EXTRACT(protoPayload.methodName) + principal: EXTRACT(protoPayload.authenticationInfo.principalEmail) + 
project_id: EXTRACT(labels.project_id) + metric_descriptor: + - display_name: null + labels: + - description: firewall_rule_id + key: firewall_rule_id + value_type: STRING + - description: method_name + key: method_name + value_type: STRING + - description: principal + key: principal + value_type: STRING + - description: project_id + key: project_id + value_type: STRING + metric_kind: DELTA + unit: '1' + value_type: INT64 + name: firewallRuleChanges + project: ft0-prod-audit-logs-0 + timeouts: null + value_extractor: null + module.factory.module.projects-iam["log-0"].google_logging_metric.metrics["networkChanges"]: + bucket_options: [] + description: VPC Network Changes + disabled: null + filter: "resource.type=\"gce_network\" AND (\n protoPayload.methodName:\"compute.networks.insert\"\ + \ OR\n protoPayload.methodName:\"compute.networks.patch\" OR\n protoPayload.methodName:\"\ + compute.networks.delete\" OR\n protoPayload.methodName:\"compute.networks.addPeering\"\ + \ OR\n protoPayload.methodName:\"compute.networks.updatePeering\" OR\n protoPayload.methodName:\"\ + compute.networks.removePeering\"\n)" + label_extractors: + method_name: EXTRACT(protoPayload.methodName) + network_id: EXTRACT(labels.network_id) + principal: EXTRACT(protoPayload.authenticationInfo.principalEmail) + project_id: EXTRACT(labels.project_id) + metric_descriptor: + - display_name: null + labels: + - description: method_name + key: method_name + value_type: STRING + - description: network_id + key: network_id + value_type: STRING + - description: principal + key: principal + value_type: STRING + - description: project_id + key: project_id + value_type: STRING + metric_kind: DELTA + unit: '1' + value_type: INT64 + name: networkChanges + project: ft0-prod-audit-logs-0 + timeouts: null + value_extractor: null + module.factory.module.projects-iam["log-0"].google_logging_metric.metrics["networkRouteChanges"]: + bucket_options: [] + description: VPC Network Route Changes + disabled: null + 
filter: "resource.type=\"gce_route\" AND (\n protoPayload.methodName:\"compute.routes.insert\"\ + \ OR\n protoPayload.methodName:\"compute.routes.delete\"\n)" + label_extractors: + method_name: EXTRACT(protoPayload.methodName) + principal: EXTRACT(protoPayload.authenticationInfo.principalEmail) + project_id: EXTRACT(labels.project_id) + route_id: EXTRACT(labels.route_id) + metric_descriptor: + - display_name: null + labels: + - description: method_name + key: method_name + value_type: STRING + - description: principal + key: principal + value_type: STRING + - description: project_id + key: project_id + value_type: STRING + - description: route_id + key: route_id + value_type: STRING + metric_kind: DELTA + unit: '1' + value_type: INT64 + name: networkRouteChanges + project: ft0-prod-audit-logs-0 + timeouts: null + value_extractor: null + module.factory.module.projects-iam["log-0"].google_logging_metric.metrics["projectOwnershipChange"]: + bucket_options: [] + description: Project Ownership Changes + disabled: null + filter: "(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\") AND\ + \ (ProjectOwnership OR projectOwnerInvitee) OR (\n protoPayload.serviceData.policyDelta.bindingDeltas.action=\"\ + REMOVE\" AND\n protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\"\ + \n) OR (\n protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\"\ + \ AND\n protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\"\ + \n)" + label_extractors: + folder_id: EXTRACT(labels.folder_id) + method_name: EXTRACT(protoPayload.methodName) + organization_id: EXTRACT(labels.organization_id) + principal: EXTRACT(protoPayload.authenticationInfo.principalEmail) + project_id: EXTRACT(labels.project_id) + metric_descriptor: + - display_name: null + labels: + - description: folder_id + key: folder_id + value_type: STRING + - description: method_name + key: method_name + value_type: STRING + - description: organization_id + key: organization_id 
+ value_type: STRING + - description: principal + key: principal + value_type: STRING + - description: project_id + key: project_id + value_type: STRING + metric_kind: DELTA + unit: '1' + value_type: INT64 + name: projectOwnershipChange + project: ft0-prod-audit-logs-0 + timeouts: null + value_extractor: null + module.factory.module.projects-iam["log-0"].google_logging_metric.metrics["storageIamChanges"]: + bucket_options: [] + description: Cloud Storage IAM Permission Changes + disabled: null + filter: resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions" + label_extractors: + bucket_name: EXTRACT(labels.bucket_name) + location: EXTRACT(labels.location) + method_name: EXTRACT(protoPayload.methodName) + principal: EXTRACT(protoPayload.authenticationInfo.principalEmail) + project_id: EXTRACT(labels.project_id) + metric_descriptor: + - display_name: null + labels: + - description: bucket_name + key: bucket_name + value_type: STRING + - description: location + key: location + value_type: STRING + - description: method_name + key: method_name + value_type: STRING + - description: principal + key: principal + value_type: STRING + - description: project_id + key: project_id + value_type: STRING + metric_kind: DELTA + unit: '1' + value_type: INT64 + name: storageIamChanges + project: ft0-prod-audit-logs-0 + timeouts: null + value_extractor: null + module.factory.module.projects-iam["log-0"].google_monitoring_alert_policy.alerts["auditConfigChanges"]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: [] + condition_prometheus_query_language: [] + condition_sql: [] + condition_threshold: + - aggregations: + - alignment_period: 60s + cross_series_reducer: REDUCE_SUM + group_by_fields: + - metric.label.principal + - metric.label.method_name + - metric.label.organization_id + - metric.label.folder_id + - metric.label.project_id + per_series_aligner: 
ALIGN_SUM + comparison: COMPARISON_GT + denominator_aggregations: [] + denominator_filter: null + duration: 0s + evaluation_missing_data: null + filter: resource.type = "logging_bucket" AND metric.type = "logging.googleapis.com/user/auditConfigChanges" + forecast_options: [] + threshold_value: 0 + trigger: + - count: 1 + percent: null + display_name: 'Log match condition: Audit Configuration Changes' + display_name: Audit Configuration Changes + documentation: + - content: 'Log-based alerting policy in project ${project} detected audit configuration + changes. + + This alert helps track GCP services audit log configuration changes to ensure + appropriate audit logs are being collected. ``` protoPayload.methodName="SetIamPolicy" + AND protoPayload.serviceData.policyDelta.auditConfigDeltas:* ```' + links: [] + mime_type: text/markdown + subject: null + enabled: true + notification_channels: [] + project: ft0-prod-audit-logs-0 + severity: null + timeouts: null + user_labels: null + module.factory.module.projects-iam["log-0"].google_monitoring_alert_policy.alerts["cloudsqlInstanceChanges"]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: [] + condition_prometheus_query_language: [] + condition_sql: [] + condition_threshold: + - aggregations: + - alignment_period: 60s + cross_series_reducer: REDUCE_SUM + group_by_fields: + - metric.label.principal + - metric.label.method_name + - metric.label.project_id + - metric.label.database_id + per_series_aligner: ALIGN_SUM + comparison: COMPARISON_GT + denominator_aggregations: [] + denominator_filter: null + duration: 0s + evaluation_missing_data: null + filter: resource.type = "logging_bucket" AND metric.type = "logging.googleapis.com/user/cloudsqlInstanceChanges" + forecast_options: [] + threshold_value: 0 + trigger: + - count: 1 + percent: null + display_name: 'Log match condition: Cloud SQL instance configuration changes' + 
display_name: Cloud SQL Instance Configuration Changes + documentation: + - content: 'Log-based alerting policy in project ${project} detected Cloud SQL + instance configuration changes. + + This alert helps ensure security by monitoring configuration changes to SQL + instances. ``` protoPayload.methodName="cloudsql.instances.update" ```' + links: [] + mime_type: text/markdown + subject: null + enabled: true + notification_channels: [] + project: ft0-prod-audit-logs-0 + severity: null + timeouts: null + user_labels: null + module.factory.module.projects-iam["log-0"].google_monitoring_alert_policy.alerts["customRoleChanges"]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: [] + condition_prometheus_query_language: [] + condition_sql: [] + condition_threshold: + - aggregations: + - alignment_period: 60s + cross_series_reducer: REDUCE_SUM + group_by_fields: + - metric.label.principal + - metric.label.method_name + - metric.label.organization_id + - metric.label.project_id + - metric.label.role_name + per_series_aligner: ALIGN_SUM + comparison: COMPARISON_GT + denominator_aggregations: [] + denominator_filter: null + duration: 0s + evaluation_missing_data: null + filter: resource.type = "logging_bucket" AND metric.type = "logging.googleapis.com/user/customRoleChanges" + forecast_options: [] + threshold_value: 0 + trigger: + - count: 1 + percent: null + display_name: 'Log match condition: custom role changes' + display_name: Custom Role Changes + documentation: + - content: "Log-based alerting policy in project ${project} detected custom IAM\ + \ role creation, deletion or update activities.\nThis alert helps ensure security\ + \ by monitoring changes to Identity and Access Management (IAM) roles. 
```\n\ + \ resource.type=\"iam_role\" AND \n (\n protoPayload.methodName=\"google.iam.admin.v1.CreateRole\"\ + \ OR \n protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\" OR \n\ + \ protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\"\n )\n```" + links: [] + mime_type: text/markdown + subject: null + enabled: true + notification_channels: [] + project: ft0-prod-audit-logs-0 + severity: null + timeouts: null + user_labels: null + module.factory.module.projects-iam["log-0"].google_monitoring_alert_policy.alerts["firewallPolicyRuleChanges"]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: [] + condition_prometheus_query_language: [] + condition_sql: [] + condition_threshold: + - aggregations: + - alignment_period: 60s + cross_series_reducer: REDUCE_SUM + group_by_fields: + - metric.label.principal + - metric.label.method_name + per_series_aligner: ALIGN_SUM + comparison: COMPARISON_GT + denominator_aggregations: [] + denominator_filter: null + duration: 0s + evaluation_missing_data: null + filter: resource.type = "logging_bucket" AND metric.type = "logging.googleapis.com/user/firewallPolicyRuleChanges" + forecast_options: [] + threshold_value: 0 + trigger: + - count: 1 + percent: null + display_name: 'Log match condition: Network Firewall Policy Rule Changes' + display_name: Network Firewall Policy Rule Changes + documentation: + - content: "Log-based alerting policy in project ${project} detected Firewall\ + \ Policy rule changes.\nThis alert helps ensure security by monitoring creation,\ + \ modification, or deletion of firewall rules. 
``` resource.labels.method:\"\ + compute.networkFirewallPolicies\" AND (\n protoPayload.methodName:\"compute.networkFirewallPolicies.addRule\"\ + \ OR \n protoPayload.methodName:\"compute.networkFirewallPolicies.removeRule\"\ + \ OR \n protoPayload.methodName:\"compute.networkFirewallPolicies.patchRule\"\ + )\n```" + links: [] + mime_type: text/markdown + subject: null + enabled: true + notification_channels: [] + project: ft0-prod-audit-logs-0 + severity: null + timeouts: null + user_labels: null + module.factory.module.projects-iam["log-0"].google_monitoring_alert_policy.alerts["firewallRuleChanges"]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: [] + condition_prometheus_query_language: [] + condition_sql: [] + condition_threshold: + - aggregations: + - alignment_period: 60s + cross_series_reducer: REDUCE_SUM + group_by_fields: + - metric.label.principal + - metric.label.method_name + - metric.label.project_id + - metric.label.firewall_rule_id + per_series_aligner: ALIGN_SUM + comparison: COMPARISON_GT + denominator_aggregations: [] + denominator_filter: null + duration: 0s + evaluation_missing_data: null + filter: resource.type = "logging_bucket" AND metric.type = "logging.googleapis.com/user/firewallRuleChanges" + forecast_options: [] + threshold_value: 0 + trigger: + - count: 1 + percent: null + display_name: 'Log match condition: VPC Network Firewall Rule Changes' + display_name: VPC Network Firewall Rule Changes + documentation: + - content: 'Log-based alerting policy in project ${project} detected VPC Network + Firewall rule changes. + + This alert helps ensure security by monitoring creation, modification, or + deletion of firewall rules. 
``` resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.patch" + OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete") + ```' + links: [] + mime_type: text/markdown + subject: null + enabled: true + notification_channels: [] + project: ft0-prod-audit-logs-0 + severity: null + timeouts: null + user_labels: null + module.factory.module.projects-iam["log-0"].google_monitoring_alert_policy.alerts["networkChanges"]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: [] + condition_prometheus_query_language: [] + condition_sql: [] + condition_threshold: + - aggregations: + - alignment_period: 60s + cross_series_reducer: REDUCE_SUM + group_by_fields: + - metric.label.principal + - metric.label.method_name + - metric.label.project_id + - metric.label.network_id + per_series_aligner: ALIGN_SUM + comparison: COMPARISON_GT + denominator_aggregations: [] + denominator_filter: null + duration: 0s + evaluation_missing_data: null + filter: resource.type = "logging_bucket" AND metric.type = "logging.googleapis.com/user/networkChanges" + forecast_options: [] + threshold_value: 0 + trigger: + - count: 1 + percent: null + display_name: 'Log match condition: VPC Network Changes' + display_name: VPC Network Changes + documentation: + - content: "Log-based alerting policy in project ${project} detected VPC Network\ + \ changes.\nThis alert helps ensure security by monitoring creation, modification,\ + \ deletion, or peering changes to VPC networks. 
``` resource.type=\"gce_network\"\ + \ AND (\n protoPayload.methodName:\"compute.networks.insert\" OR \n protoPayload.methodName:\"\ + compute.networks.patch\" OR \n protoPayload.methodName:\"compute.networks.delete\"\ + \ OR \n protoPayload.methodName:\"compute.networks.addPeering\" OR \n protoPayload.methodName:\"\ + compute.networks.updatePeering\" OR \n protoPayload.methodName:\"compute.networks.removePeering\"\ + \n) ```" + links: [] + mime_type: text/markdown + subject: null + enabled: true + notification_channels: [] + project: ft0-prod-audit-logs-0 + severity: null + timeouts: null + user_labels: null + module.factory.module.projects-iam["log-0"].google_monitoring_alert_policy.alerts["networkRouteChanges"]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: [] + condition_prometheus_query_language: [] + condition_sql: [] + condition_threshold: + - aggregations: + - alignment_period: 60s + cross_series_reducer: REDUCE_SUM + group_by_fields: + - metric.label.principal + - metric.label.method_name + - metric.label.project_id + - metric.label.route_id + per_series_aligner: ALIGN_SUM + comparison: COMPARISON_GT + denominator_aggregations: [] + denominator_filter: null + duration: 0s + evaluation_missing_data: null + filter: resource.type = "logging_bucket" AND metric.type = "logging.googleapis.com/user/networkRouteChanges" + forecast_options: [] + threshold_value: 0 + trigger: + - count: 1 + percent: null + display_name: 'Log match condition: VPC Network Route Changes' + display_name: VPC Network Route Changes + documentation: + - content: "Log-based alerting policy in project ${project} detected VPC Network\ + \ Route changes.\nThis alert helps ensure security by monitoring creation\ + \ or deletion of network routes. 
``` resource.type=\"gce_route\" AND (\n\ + \ protoPayload.methodName:\"compute.routes.insert\" OR \n protoPayload.methodName:\"\ + compute.routes.delete\"\n) ```" + links: [] + mime_type: text/markdown + subject: null + enabled: true + notification_channels: [] + project: ft0-prod-audit-logs-0 + severity: null + timeouts: null + user_labels: null + module.factory.module.projects-iam["log-0"].google_monitoring_alert_policy.alerts["projectOwnershipChange"]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: [] + condition_prometheus_query_language: [] + condition_sql: [] + condition_threshold: + - aggregations: + - alignment_period: 60s + cross_series_reducer: REDUCE_SUM + group_by_fields: + - metric.label.principal + - metric.label.method_name + - metric.label.organization_id + - metric.label.folder_id + - metric.label.project_id + per_series_aligner: ALIGN_SUM + comparison: COMPARISON_GT + denominator_aggregations: [] + denominator_filter: null + duration: 0s + evaluation_missing_data: null + filter: 'resource.type = "logging_bucket" AND + + metric.type = "logging.googleapis.com/user/projectOwnershipChange" + + ' + forecast_options: [] + threshold_value: 0 + trigger: + - count: 1 + percent: null + display_name: Project Ownership Changes + display_name: Project Ownership Changes + documentation: + - content: "Log-based alerting policy in project ${project} detected a project\ + \ ownership assignments or changes. 
``` (protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\"\ + ) AND (ProjectOwnership OR projectOwnerInvitee) OR (\n protoPayload.serviceData.policyDelta.bindingDeltas.action=\"\ + REMOVE\" AND \n protoPayload.serviceData.policyDelta.bindingDeltas.role=\"\ + roles/owner\"\n) OR (\n protoPayload.serviceData.policyDelta.bindingDeltas.action=\"\ + ADD\" AND \n protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\"\ + \n) ```" + links: [] + mime_type: text/markdown + subject: null + enabled: true + notification_channels: [] + project: ft0-prod-audit-logs-0 + severity: null + timeouts: null + user_labels: null + module.factory.module.projects-iam["log-0"].google_monitoring_alert_policy.alerts["storageIamChanges"]: + alert_strategy: [] + combiner: OR + conditions: + - condition_absent: [] + condition_matched_log: [] + condition_monitoring_query_language: [] + condition_prometheus_query_language: [] + condition_sql: [] + condition_threshold: + - aggregations: + - alignment_period: 60s + cross_series_reducer: REDUCE_SUM + group_by_fields: + - metric.label.principal + - metric.label.method_name + - metric.label.project_id + - metric.label.location + - metric.label.bucket_name + per_series_aligner: ALIGN_SUM + comparison: COMPARISON_GT + denominator_aggregations: [] + denominator_filter: null + duration: 0s + evaluation_missing_data: null + filter: resource.type = "logging_bucket" AND metric.type = "logging.googleapis.com/user/storageIamChanges" + forecast_options: [] + threshold_value: 0 + trigger: + - count: 1 + percent: null + display_name: Cloud Storage IAM Permission Changes + display_name: Cloud Storage IAM Permission Changes + documentation: + - content: 'Log-based alerting policy in project ${project} detected Cloud Storage + Bucket IAM changes. + + This alert helps ensure security by monitoring IAM permission changes to Cloud + Storage buckets. 
``` resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions" + ```' + links: [] + mime_type: text/markdown + subject: null + enabled: true + notification_channels: [] + project: ft0-prod-audit-logs-0 + severity: null + timeouts: null + user_labels: null + module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-audit-logs-0 + role: roles/owner + module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-audit-logs-0 + role: roles/viewer + module.factory.module.projects["billing-0"].data.google_bigquery_default_service_account.bq_sa[0]: + project: ft0-prod-billing-exp-0 + module.factory.module.projects["billing-0"].data.google_storage_project_service_account.gcs_sa[0]: + project: ft0-prod-billing-exp-0 + user_project: null + module.factory.module.projects["billing-0"].google_project.project[0]: + auto_create_network: false + billing_account: 012345-012345-012345 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: ft0-prod-billing-exp-0 + org_id: '1234567890' + project_id: ft0-prod-billing-exp-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.factory.module.projects["billing-0"].google_project_iam_member.service_agents["bigquerydatatransfer"]: + condition: [] + project: ft0-prod-billing-exp-0 + role: roles/bigquerydatatransfer.serviceAgent + module.factory.module.projects["billing-0"].google_project_service.project_services["bigquery.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-billing-exp-0 + service: bigquery.googleapis.com + timeouts: null + 
module.factory.module.projects["billing-0"].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-billing-exp-0 + service: bigquerydatatransfer.googleapis.com + timeouts: null + module.factory.module.projects["billing-0"].google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-billing-exp-0 + service: storage.googleapis.com + timeouts: null + module.factory.module.projects["billing-0"].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]: + project: ft0-prod-billing-exp-0 + service: bigquerydatatransfer.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].data.google_bigquery_default_service_account.bq_sa[0]: + project: ft0-prod-iac-core-0 + module.factory.module.projects["iac-0"].data.google_storage_project_service_account.gcs_sa[0]: + project: ft0-prod-iac-core-0 + user_project: null + module.factory.module.projects["iac-0"].google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: + dry_run_spec: [] + name: projects/ft0-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders + parent: projects/ft0-prod-iac-core-0 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - https://token.actions.githubusercontent.com + - https://gitlab.com + - https://app.terraform.io + denied_values: null + timeouts: null + module.factory.module.projects["iac-0"].google_project.project[0]: + auto_create_network: false + billing_account: 012345-012345-012345 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: ft0-prod-iac-core-0 + org_id: '1234567890' + project_id: ft0-prod-iac-core-0 + tags: null + terraform_labels: + 
goog-terraform-provisioned: 'true' + timeouts: null + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudasset"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudasset.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudbuild"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudbuild.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudbuild-sa"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudbuild.builds.builder + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudkms"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudkms.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["compute-system"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/compute.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["container-engine-robot"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/container.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["gkenode"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/container.defaultNodeServiceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["monitoring-notification"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/monitoring.notificationServiceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["pubsub"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/pubsub.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["service-networking"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/servicenetworking.serviceAgent + 
module.factory.module.projects["iac-0"].google_project_service.project_services["accesscontextmanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: accesscontextmanager.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["bigquery.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: bigquery.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["bigqueryreservation.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: bigqueryreservation.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["bigquerystorage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: bigquerystorage.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["billingbudgets.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: billingbudgets.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudasset.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudasset.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudbilling.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudbilling.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudbuild.googleapis.com"]: + 
disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudbuild.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudkms.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudquotas.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudquotas.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudresourcemanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudresourcemanager.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["compute.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: compute.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["container.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: container.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["datacatalog.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: datacatalog.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["essentialcontacts.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: essentialcontacts.googleapis.com + timeouts: null 
+ module.factory.module.projects["iac-0"].google_project_service.project_services["iam.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: iam.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["iamcredentials.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: iamcredentials.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["logging.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: logging.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["monitoring.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: monitoring.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["networksecurity.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["orgpolicy.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: orgpolicy.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: pubsub.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["securitycentermanagement.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: 
false + project: ft0-prod-iac-core-0 + service: securitycentermanagement.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["servicenetworking.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: servicenetworking.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: serviceusage.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["storage-component.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: storage-component.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: storage.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["sts.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: sts.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["cloudasset.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: cloudasset.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["cloudkms.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["container.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: container.googleapis.com + 
timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["monitoring.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: monitoring.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["networksecurity.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["pubsub.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: pubsub.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: servicenetworking.googleapis.com + timeouts: null + module.factory.module.projects["log-0"].data.google_storage_project_service_account.gcs_sa[0]: + project: ft0-prod-audit-logs-0 + user_project: null + module.factory.module.projects["log-0"].google_project.project[0]: + auto_create_network: false + billing_account: 012345-012345-012345 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: ft0-prod-audit-logs-0 + org_id: '1234567890' + project_id: ft0-prod-audit-logs-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.factory.module.projects["log-0"].google_project_iam_member.service_agents["pubsub"]: + condition: [] + project: ft0-prod-audit-logs-0 + role: roles/pubsub.serviceAgent + module.factory.module.projects["log-0"].google_project_service.project_services["logging.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-audit-logs-0 + service: logging.googleapis.com + timeouts: null + module.factory.module.projects["log-0"].google_project_service.project_services["pubsub.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: 
false + project: ft0-prod-audit-logs-0 + service: pubsub.googleapis.com + timeouts: null + module.factory.module.projects["log-0"].google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-audit-logs-0 + service: storage.googleapis.com + timeouts: null + module.factory.module.projects["log-0"].google_project_service_identity.default["pubsub.googleapis.com"]: + project: ft0-prod-audit-logs-0 + service: pubsub.googleapis.com + timeouts: null + module.factory.module.service-accounts["iac-0/iac-dp-dev-ro"].google_service_account.service_account[0]: + account_id: iac-dp-dev-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for data platform dev (read-only). + email: iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-dp-dev-rw"].google_service_account.service_account[0]: + account_id: iac-dp-dev-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for data platform dev (read-write). + email: iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-networking-ro"].google_service_account.service_account[0]: + account_id: iac-networking-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for networking (read-only). 
+ email: iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-networking-rw"].google_service_account.service_account[0]: + account_id: iac-networking-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for networking (read-write). + email: iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-org-cicd-ro"].google_service_account.service_account[0]: + account_id: iac-org-cicd-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for org setup CI/CD (read-only). + email: iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-org-cicd-rw"].google_service_account.service_account[0]: + account_id: iac-org-cicd-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for org setup CI/CD (read-write). + email: iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-org-ro"].google_service_account.service_account[0]: + account_id: iac-org-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for org setup (read-only). 
+ email: iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-org-rw"].google_service_account.service_account[0]: + account_id: iac-org-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for org setup (read-write). + email: iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-pf-ro"].google_service_account.service_account[0]: + account_id: iac-pf-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for project factory (read-only). + email: iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-pf-rw"].google_service_account.service_account[0]: + account_id: iac-pf-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for project factory (read-write). + email: iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-security-ro"].google_service_account.service_account[0]: + account_id: iac-security-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for security (read-only). 
+ email: iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-security-rw"].google_service_account.service_account[0]: + account_id: iac-security-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for security (read-write). + email: iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-vpcsc-ro"].google_service_account.service_account[0]: + account_id: iac-vpcsc-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for VPC service controls (read-only). + email: iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-vpcsc-rw"].google_service_account.service_account[0]: + account_id: iac-vpcsc-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for VPC service controls (read-write). + email: iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + ? 
module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.serviceAccountTokenCreator"] + : condition: [] + role: roles/iam.serviceAccountTokenCreator + service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + ? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.workloadIdentityUser"] + : condition: [] + role: roles/iam.workloadIdentityUser + service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + ? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.serviceAccountTokenCreator"] + : condition: [] + role: roles/iam.serviceAccountTokenCreator + service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + ? module.factory.module.service_accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.workloadIdentityUser"] + : condition: [] + role: roles/iam.workloadIdentityUser + service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + module.factory.terraform_data.defaults_preconditions: + input: null + output: null + triggers_replace: null + module.organization-iam[0].google_logging_organization_sink.sink["audit-logs"]: + description: audit-logs (Terraform-managed). 
+ disabled: false + exclusions: [] + filter: 'log_id("cloudaudit.googleapis.com/activity") OR + + log_id("cloudaudit.googleapis.com/system_event") OR + + log_id("cloudaudit.googleapis.com/policy") OR + + log_id("cloudaudit.googleapis.com/access_transparency") + + ' + include_children: true + intercept_children: false + name: audit-logs + org_id: '1234567890' + module.organization-iam[0].google_logging_organization_sink.sink["iam"]: + description: iam (Terraform-managed). + disabled: false + exclusions: [] + filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR + + protoPayload.serviceName="iam.googleapis.com" OR + + protoPayload.serviceName="sts.googleapis.com" + + ' + include_children: true + intercept_children: false + name: iam + org_id: '1234567890' + module.organization-iam[0].google_logging_organization_sink.sink["vpc-sc"]: + description: vpc-sc (Terraform-managed). + disabled: false + exclusions: [] + filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" + + ' + include_children: true + intercept_children: false + name: vpc-sc + org_id: '1234567890' + module.organization-iam[0].google_org_policy_policy.default["ainotebooks.disableFileDownloads"]: + dry_run_spec: [] + name: organizations/1234567890/policies/ainotebooks.disableFileDownloads + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["ainotebooks.disableRootAccess"]: + dry_run_spec: [] + name: organizations/1234567890/policies/ainotebooks.disableRootAccess + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + 
module.organization-iam[0].google_org_policy_policy.default["ainotebooks.restrictPublicIp"]: + dry_run_spec: [] + name: organizations/1234567890/policies/ainotebooks.restrictPublicIp + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["ainotebooks.restrictVpcNetworks"]: + dry_run_spec: [] + name: organizations/1234567890/policies/ainotebooks.restrictVpcNetworks + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - under:organizations/1234567890 + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["appengine.disableCodeDownload"]: + dry_run_spec: [] + name: organizations/1234567890/policies/appengine.disableCodeDownload + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["bigquery.disableBQOmniAWS"]: + dry_run_spec: [] + name: organizations/1234567890/policies/bigquery.disableBQOmniAWS + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["bigquery.disableBQOmniAzure"]: + dry_run_spec: [] + name: organizations/1234567890/policies/bigquery.disableBQOmniAzure + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + 
deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["cloudbuild.allowedIntegrations"]: + dry_run_spec: [] + name: organizations/1234567890/policies/cloudbuild.allowedIntegrations + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["cloudbuild.allowedWorkerPools"]: + dry_run_spec: [] + name: organizations/1234567890/policies/cloudbuild.allowedWorkerPools + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - under:organizations/1234567890 + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]: + dry_run_spec: [] + name: organizations/1234567890/policies/cloudbuild.disableCreateDefaultServiceAccount + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["cloudfunctions.allowedVpcConnectorEgressSettings"]: + dry_run_spec: [] + name: organizations/1234567890/policies/cloudfunctions.allowedVpcConnectorEgressSettings + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - ALL_TRAFFIC + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["cloudfunctions.requireVPCConnector"]: + 
dry_run_spec: [] + name: organizations/1234567890/policies/cloudfunctions.requireVPCConnector + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.disableGuestAttributesAccess + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.disableInternetNetworkEndpointGroup + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.disableNestedVirtualization"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.disableNestedVirtualization + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.disableSerialPortAccess"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.disableSerialPortAccess + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + 
module.organization-iam[0].google_org_policy_policy.default["compute.disableVpcExternalIpv6"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.disableVpcExternalIpv6 + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.managed.blockPreviewFeatures"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.managed.blockPreviewFeatures + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.requireOsLogin"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.requireOsLogin + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.requireShieldedVm"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.requireShieldedVm + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.requireSslPolicy"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.requireSslPolicy + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - 
under:organizations/1234567890 + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.requireVpcFlowLogs"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.requireVpcFlowLogs + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - ESSENTIAL + - LIGHT + - COMPREHENSIVE + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.restrictCloudNATUsage"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.restrictCloudNATUsage + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.restrictDedicatedInterconnectUsage"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.restrictDedicatedInterconnectUsage + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.restrictLoadBalancerCreationForTypes + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - in:INTERNAL + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.restrictPartnerInterconnectUsage"]: + dry_run_spec: [] + name: 
organizations/1234567890/policies/compute.restrictPartnerInterconnectUsage + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.restrictProtocolForwardingCreationForTypes"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.restrictProtocolForwardingCreationForTypes + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - is:INTERNAL + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.restrictSharedVpcHostProjects"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.restrictSharedVpcHostProjects + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.restrictVpcPeering"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.restrictVpcPeering + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - under:organizations/1234567890 + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.setNewProjectDefaultToZonalDNSOnly + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + 
deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.skipDefaultNetworkCreation + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.trustedImageProjects"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.trustedImageProjects + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - is:projects/centos-cloud + - is:projects/cos-cloud + - is:projects/debian-cloud + - is:projects/fedora-cloud + - is:projects/fedora-coreos-cloud + - is:projects/opensuse-cloud + - is:projects/rhel-cloud + - is:projects/rhel-sap-cloud + - is:projects/rocky-linux-cloud + - is:projects/suse-cloud + - is:projects/suse-sap-cloud + - is:projects/ubuntu-os-cloud + - is:projects/ubuntu-os-pro-cloud + - is:projects/windows-cloud + - is:projects/windows-sql-cloud + - is:projects/confidential-vm-images + - is:projects/confidential-space-images + - is:projects/backupdr-images + - is:projects/deeplearning-platform-release + - is:projects/serverless-vpc-access-images + - is:projects/gke-node-images + - is:projects/gke-windows-node-images + - is:projects/ubuntu-os-gke-cloud + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["compute.vmExternalIpAccess"]: + dry_run_spec: [] + name: organizations/1234567890/policies/compute.vmExternalIpAccess + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: 
null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.disableABAC"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.disableABAC + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.disableInsecureKubeletReadOnlyPort"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.disableInsecureKubeletReadOnlyPort + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.disableLegacyClientCertificateIssuance"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.disableLegacyClientCertificateIssuance + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.disableRBACSystemBindings"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.disableRBACSystemBindings + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.disallowDefaultComputeServiceAccount"]: + dry_run_spec: [] + name: 
organizations/1234567890/policies/container.managed.disallowDefaultComputeServiceAccount + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.enableCloudLogging"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.enableCloudLogging + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.enableNetworkPolicy"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.enableNetworkPolicy + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.enablePrivateNodes"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.enablePrivateNodes + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.enableSecurityBulletinNotifications"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.enableSecurityBulletinNotifications + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + 
timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.enableShieldedNodes"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.enableShieldedNodes + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["container.managed.enableWorkloadIdentityFederation"]: + dry_run_spec: [] + name: organizations/1234567890/policies/container.managed.enableWorkloadIdentityFederation + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.accesscontextmanagerDisableBridgePerimeters"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.accesscontextmanagerDisableBridgePerimeters + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudbuildDisableWorkerPoolExternalIP"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudbuildDisableWorkerPoolExternalIP + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudrunDisableEnvironmentVariablePattern"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudrunDisableEnvironmentVariablePattern + parent: 
organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudsqlDisablePublicAuthorizedNetworks"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudsqlDisablePublicAuthorizedNetworks + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudsqlEnforcePasswordComplexity"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudsqlEnforcePasswordComplexity + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudsqlRequireAutomatedBackup"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudsqlRequireAutomatedBackup + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudsqlRequireMySQLDatabaseFlags"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudsqlRequireMySQLDatabaseFlags + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + 
module.organization-iam[0].google_org_policy_policy.default["custom.cloudsqlRequirePointInTimeRecovery"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudsqlRequirePointInTimeRecovery + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudsqlRequirePostgreSQLDatabaseFlags"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudsqlRequirePostgreSQLDatabaseFlags + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudsqlRequireRootPassword"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudsqlRequireRootPassword + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudsqlRequireSQLServerDatabaseFlags"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudsqlRequireSQLServerDatabaseFlags + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.cloudsqlRequireSSLConnection"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.cloudsqlRequireSSLConnection + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + 
rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.dnsAllowedSigningAlgorithms"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.dnsAllowedSigningAlgorithms + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.dnsRequireManageZoneDNSSEC"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.dnsRequireManageZoneDNSSEC + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.dnsRequirePolicyLogging"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.dnsRequirePolicyLogging + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.firewallEnforcePolicyRuleLogging"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.firewallEnforcePolicyRuleLogging + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.firewallEnforceRuleLogging"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.firewallEnforceRuleLogging + parent: 
organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.firewallRestrictOpenWorldRule"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.firewallRestrictOpenWorldRule + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.firewallRestrictRdpPolicyRule"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.firewallRestrictRdpPolicyRule + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.firewallRestrictRdpRule"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.firewallRestrictRdpRule + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.firewallRestrictSshPolicyRule"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.firewallRestrictSshPolicyRule + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.firewallRestrictSshRule"]: + dry_run_spec: [] + name: 
organizations/1234567890/policies/custom.firewallRestrictSshRule + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeAllowedNodePoolImages"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeAllowedNodePoolImages + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeAllowedReleaseChannels"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeAllowedReleaseChannels + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeDisableAlphaCluster"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeDisableAlphaCluster + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeDisableKubernetesDashboard"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeDisableKubernetesDashboard + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + 
module.organization-iam[0].google_org_policy_policy.default["custom.gkeDisableLegacyAbac"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeDisableLegacyAbac + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeDisableLegacyMetadataEndpoints"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeDisableLegacyMetadataEndpoints + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireCOSImage"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireCOSImage + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireDataplaneV2"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireDataplaneV2 + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireGKEMetadataServer"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireGKEMetadataServer + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: 
null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireIntegrityMonitoring"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireIntegrityMonitoring + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireIntraNodeVisibility"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireIntraNodeVisibility + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireMasterAuthorizedNetworks"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireMasterAuthorizedNetworks + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireMonitoring"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireMonitoring + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireNodePoolAutoRepair"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireNodePoolAutoRepair + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - 
allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireNodePoolAutoUpgrade"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireNodePoolAutoUpgrade + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequirePrivateEndpoint"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequirePrivateEndpoint + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireRegionalClusters"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireRegionalClusters + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireSecureBoot"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireSecureBoot + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.gkeRequireVPCNativeCluster"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.gkeRequireVPCNativeCluster + parent: organizations/1234567890 + spec: + - 
inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.iamDisablePublicBindings"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.iamDisablePublicBindings + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.networkDisableTargetHTTPProxy"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.networkDisableTargetHTTPProxy + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.networkDisableWeakSSLPolicy"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.networkDisableWeakSSLPolicy + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.networkRequireBackendServiceLogging"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.networkRequireBackendServiceLogging + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.networkRequireCustomModeVpc"]: + dry_run_spec: [] + name: 
organizations/1234567890/policies/custom.networkRequireCustomModeVpc + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["custom.networkRequireSubnetPrivateGoogleAccess"]: + dry_run_spec: [] + name: organizations/1234567890/policies/custom.networkRequireSubnetPrivateGoogleAccess + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]: + dry_run_spec: [] + name: organizations/1234567890/policies/essentialcontacts.allowedContactDomains + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: + - description: null + expression: '!resource.matchTag(''1234567890/org-policies'', ''allowed-essential-contacts-domains-all'') + + ' + location: null + title: Restrict essential contacts domains + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - '@example.org' + denied_values: null + - allow_all: 'TRUE' + condition: + - description: null + expression: 'resource.matchTag(''1234567890/org-policies'', ''allowed-essential-contacts-domains-all'') + + ' + location: null + title: Allow essential contacts from any domain + deny_all: null + enforce: null + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["gcp.restrictTLSCipherSuites"]: + dry_run_spec: [] + name: organizations/1234567890/policies/gcp.restrictTLSCipherSuites + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + 
condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - in:NIST-800-52-recommended-ciphers + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["gcp.restrictTLSVersion"]: + dry_run_spec: [] + name: organizations/1234567890/policies/gcp.restrictTLSVersion + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: null + denied_values: + - TLS_VERSION_1 + - TLS_VERSION_1_1 + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]: + dry_run_spec: [] + name: organizations/1234567890/policies/iam.allowedPolicyMemberDomains + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: + - description: null + expression: '!resource.matchTag(''1234567890/org-policies'', ''allowed-policy-member-domains-all'') + + ' + location: null + title: Restrict member domains + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - is:abcd123456 + denied_values: null + - allow_all: 'TRUE' + condition: + - description: null + expression: 'resource.matchTag(''1234567890/org-policies'', ''allowed-policy-member-domains-all'') + + ' + location: null + title: Allow any member domain + deny_all: null + enforce: null + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]: + dry_run_spec: [] + name: organizations/1234567890/policies/iam.automaticIamGrantsForDefaultServiceAccounts + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + 
module.organization-iam[0].google_org_policy_policy.default["iam.disableAuditLoggingExemption"]: + dry_run_spec: [] + name: organizations/1234567890/policies/iam.disableAuditLoggingExemption + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: + dry_run_spec: [] + name: organizations/1234567890/policies/iam.disableServiceAccountKeyCreation + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]: + dry_run_spec: [] + name: organizations/1234567890/policies/iam.disableServiceAccountKeyUpload + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["iam.managed.disableServiceAccountApiKeyCreation"]: + dry_run_spec: [] + name: organizations/1234567890/policies/iam.managed.disableServiceAccountApiKeyCreation + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]: + dry_run_spec: [] + name: organizations/1234567890/policies/iam.serviceAccountKeyExposureResponse + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + 
condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - is:DISABLE_KEY + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]: + dry_run_spec: [] + name: organizations/1234567890/policies/iam.workloadIdentityPoolAwsAccounts + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: + dry_run_spec: [] + name: organizations/1234567890/policies/iam.workloadIdentityPoolProviders + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["run.allowedBinaryAuthorizationPolicies"]: + dry_run_spec: [] + name: organizations/1234567890/policies/run.allowedBinaryAuthorizationPolicies + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - default + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["run.allowedIngress"]: + dry_run_spec: [] + name: organizations/1234567890/policies/run.allowedIngress + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - is:internal-and-cloud-load-balancing + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["run.allowedVPCEgress"]: + 
dry_run_spec: [] + name: organizations/1234567890/policies/run.allowedVPCEgress + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - all-traffic + denied_values: null + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["run.managed.requireInvokerIam"]: + dry_run_spec: [] + name: organizations/1234567890/policies/run.managed.requireInvokerIam + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]: + dry_run_spec: [] + name: organizations/1234567890/policies/sql.restrictAuthorizedNetworks + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["sql.restrictPublicIp"]: + dry_run_spec: [] + name: organizations/1234567890/policies/sql.restrictPublicIp + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["storage.publicAccessPrevention"]: + dry_run_spec: [] + name: organizations/1234567890/policies/storage.publicAccessPrevention + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + 
module.organization-iam[0].google_org_policy_policy.default["storage.restrictAuthTypes"]: + dry_run_spec: [] + name: organizations/1234567890/policies/storage.restrictAuthTypes + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: null + denied_values: + - in:ALL_HMAC_SIGNED_REQUESTS + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["storage.secureHttpTransport"]: + dry_run_spec: [] + name: organizations/1234567890/policies/storage.secureHttpTransport + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_org_policy_policy.default["storage.uniformBucketLevelAccess"]: + dry_run_spec: [] + name: organizations/1234567890/policies/storage.uniformBucketLevelAccess + parent: organizations/1234567890 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization-iam[0].google_organization_iam_binding.authoritative["$custom_roles:organization_admin_viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: organizations/1234567890/roles/organizationAdminViewer + module.organization-iam[0].google_organization_iam_binding.authoritative["$custom_roles:tag_viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: organizations/1234567890/roles/tagViewer + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/accesscontextmanager.policyAdmin"]: + condition: [] + members: + 
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/accesscontextmanager.policyAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/accesscontextmanager.policyReader"]: + condition: [] + members: + - serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/accesscontextmanager.policyReader + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/billing.creator"]: + condition: [] + members: null + org_id: '1234567890' + role: roles/billing.creator + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudasset.owner"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/cloudasset.owner + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudasset.viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/cloudasset.viewer + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/cloudsupport.admin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.orgFirewallPolicyAdmin"]: + condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: 
roles/compute.orgFirewallPolicyAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.orgFirewallPolicyUser"]: + condition: [] + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/compute.orgFirewallPolicyUser + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/compute.osAdminLogin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/compute.osLoginExternalUser + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.viewer"]: + condition: [] + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/compute.viewer + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/compute.xpnAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/essentialcontacts.admin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/essentialcontacts.viewer + 
module.organization-iam[0].google_organization_iam_binding.authoritative["roles/iam.organizationRoleAdmin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/iam.organizationRoleAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/iam.organizationRoleViewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/iam.organizationRoleViewer + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/iam.workforcePoolAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/iam.workforcePoolViewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/iam.workforcePoolViewer + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/logging.admin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/logging.viewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/logging.viewer + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/orgpolicy.policyAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/orgpolicy.policyAdmin + 
module.organization-iam[0].google_organization_iam_binding.authoritative["roles/orgpolicy.policyViewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/orgpolicy.policyViewer + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/owner + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.folderAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.folderViewer + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.organizationAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.projectCreator + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: 
roles/resourcemanager.projectMover + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.tagAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.tagUser + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.tagViewer + ? module.organization-iam[0].google_organization_iam_binding.authoritative["roles/securitycentermanagement.customModulesEditor"] + : condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/securitycentermanagement.customModulesEditor + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]: + condition: [] + members: + - serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/serviceusage.serviceUsageViewer + module.organization-iam[0].google_organization_iam_binding.bindings["pf_org_policy_admin"]: + condition: + - description: null + expression: resource.matchTag('1234567890/context', 'project-factory') + title: Project factory org policy admin + members: + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/orgpolicy.policyAdmin + module.organization-iam[0].google_organization_iam_binding.bindings["pf_org_policy_viewer"]: + condition: + - 
description: null + expression: resource.matchTag('1234567890/context', 'project-factory') + title: Project factory org policy viewer + members: + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/orgpolicy.policyViewer + module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["audit-logs"]: + condition: + - title: audit-logs bucket writer + role: roles/logging.bucketWriter + module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["iam"]: + condition: + - title: iam bucket writer + role: roles/logging.bucketWriter + module.organization-iam[0].google_project_iam_member.bucket-sinks-binding["vpc-sc"]: + condition: + - title: vpc-sc bucket writer + role: roles/logging.bucketWriter + ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagUser"] + : condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagViewer"] + : condition: [] + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer + ? 
module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"] + : condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagViewer"] + : condition: [] + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer + module.organization[0].google_essential_contacts_contact.contact["$email_addresses:gcp-organization-admins"]: + email: $email_addresses:gcp-organization-admins + language_tag: en + notification_category_subscriptions: + - ALL + parent: organizations/1234567890 + timeouts: null + module.organization[0].google_logging_organization_settings.default[0]: + organization: '1234567890' + storage_location: europe-west1 + timeouts: null + ? module.organization[0].google_org_policy_custom_constraint.constraint["custom.accesscontextmanagerDisableBridgePerimeters"] + : action_type: DENY + condition: resource.perimeterType == 'PERIMETER_TYPE_BRIDGE' + description: Ensure no perimeter bridges are used. Instead, use ingress and egress + rules. 
+ display_name: Deny usage of perimeter bridges + method_types: + - CREATE + - UPDATE + name: custom.accesscontextmanagerDisableBridgePerimeters + parent: organizations/1234567890 + resource_types: + - accesscontextmanager.googleapis.com/ServicePerimeter + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudbuildDisableWorkerPoolExternalIP"]: + action_type: DENY + condition: (resource.privatePoolV1Config.networkConfig.egressOption != "NO_PUBLIC_EGRESS") + description: Ensure no unauthorized worker pools external ip used for each build + display_name: Deny unauthorized worker pools external ip used for each build + method_types: + - CREATE + - UPDATE + name: custom.cloudbuildDisableWorkerPoolExternalIP + parent: organizations/1234567890 + resource_types: + - cloudbuild.googleapis.com/WorkerPool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudrunDisableEnvironmentVariablePattern"]: + action_type: DENY + condition: "resource.spec.template.spec.containers.exists(container,\n container.env.exists(env,\n\ + \ [\"[sS][eE][cC][rR][eE][tT]\", \"[kK][eE][yY]\", \"[pP][aA][sS][sS][wW][oO][rR][dD]\"\ + , \"[tT][oO][kK][eE][nN]\"].exists(\n pattern, env.name.matches(pattern)\n\ + \ )\n )\n)" + description: Enforce that certain patterns are not used in environment variables + of Cloud Run Service or Cloud Run Functions + display_name: Disable usage of certain patterns in Cloud Run Service or Cloud + Run Functions environment variables + method_types: + - CREATE + - UPDATE + name: custom.cloudrunDisableEnvironmentVariablePattern + parent: organizations/1234567890 + resource_types: + - run.googleapis.com/Service + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudrunJobRequireBinaryAuthorization"]: + action_type: DENY + condition: '!(''run.googleapis.com/binary-authorization'' in resource.metadata.annotations)' + description: 
Enforce that Cloud Run Job are using binary authorization + display_name: Disable creation of Cloud Run Job without Binary Authorization + method_types: + - CREATE + - UPDATE + name: custom.cloudrunJobRequireBinaryAuthorization + parent: organizations/1234567890 + resource_types: + - run.googleapis.com/Job + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudrunServiceRequireBinaryAuthorization"]: + action_type: DENY + condition: '!(''run.googleapis.com/binary-authorization'' in resource.metadata.annotations)' + description: Enforce that Cloud Run Service are using binary authorization + display_name: Disable creation of Cloud Run Service without Binary Authorization + method_types: + - CREATE + - UPDATE + name: custom.cloudrunServiceRequireBinaryAuthorization + parent: organizations/1234567890 + resource_types: + - run.googleapis.com/Service + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlDisablePublicAuthorizedNetworks"]: + action_type: DENY + condition: resource.settings.ipConfiguration.authorizedNetworks.exists(network, + network.value == '0.0.0.0/0') + description: Ensure That Cloud SQL database instances do not implicitly whitelist + all public IP addresses + display_name: Require Cloud SQL database instances to not whitelist all public + IP addresses + method_types: + - CREATE + - UPDATE + name: custom.cloudsqlDisablePublicAuthorizedNetworks + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlEnforcePasswordComplexity"]: + action_type: DENY + condition: 'resource.settings.passwordValidationPolicy.complexity != ''COMPLEXITY_DEFAULT'' + || + + resource.settings.passwordValidationPolicy.minLength < 12' + description: Ensure that Cloud SQL instance is configured with a password complexity + to be combination of 
lowercase, uppercase, numeric, and non-alphanumeric characters + display_name: Require Cloud SQL instances to configure password complexity to + COMPLEXITY_DEFAULT + method_types: + - CREATE + - UPDATE + name: custom.cloudsqlEnforcePasswordComplexity + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlRequireAutomatedBackup"]: + action_type: DENY + condition: resource.settings.backupConfiguration.enabled != true + description: Ensure that Cloud SQL instance have automated backup enabled + display_name: Require Cloud SQL instances to have automated backup enabled + method_types: + - CREATE + - UPDATE + name: custom.cloudsqlRequireAutomatedBackup + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlRequireMySQLDatabaseFlags"]: + action_type: DENY + condition: "resource.databaseVersion.startsWith('MYSQL') && (\n !resource.settings.databaseFlags.exists(flag,\n\ + \ flag.name == 'skip_show_database' && flag.value == 'on'\n ) ||\n !resource.settings.databaseFlags.exists(flag,\n\ + \ flag.name == 'local_infile' && flag.value == 'off'\n )\n)" + description: Ensure Cloud SQL for MySQL instance database flags are set correctly + (e.g skip_show_database, local_infile) + display_name: Require Cloud SQL for MySQL instance database flags to be configured + correctly (e.g skip_show_database, local_infile) + method_types: + - CREATE + - UPDATE + name: custom.cloudsqlRequireMySQLDatabaseFlags + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlRequirePointInTimeRecovery"]: + action_type: DENY + condition: "(resource.databaseVersion.contains(\"POSTGRES\")\n || 
resource.databaseVersion.contains(\"\ + SQLSERVER\"))\n && resource.settings.backupConfiguration.pointInTimeRecoveryEnabled\ + \ == false" + description: Ensure that Cloud SQL instance is configure enable point in time + recovery in the backup configuration. This setting is possibly for Postgres + and SQLServer databases. + display_name: Require Cloud SQL instances to enable point in time recovery + method_types: + - CREATE + - UPDATE + name: custom.cloudsqlRequirePointInTimeRecovery + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + ? module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlRequirePostgreSQLDatabaseAdditionalFlags"] + : action_type: DENY + condition: "resource.databaseVersion.startsWith('POSTGRES') && (\n !resource.settings.databaseFlags.exists(flag,\ + \ flag.name == 'log_checkpoints' && flag.value == 'on') ||\n !resource.settings.databaseFlags.exists(flag,\ + \ flag.name == 'log_executor_stats' && flag.value == 'off') ||\n !resource.settings.databaseFlags.exists(flag,\ + \ flag.name == 'log_lock_waits' && flag.value == 'on')\n)" + description: Ensure Cloud SQL for PostgreSQL instance database flags are set correctly + (e.g log_checkpoints, log_executor_stats, log_lock_waits) + display_name: Require Cloud SQL for PostgreSQL instance database flags to be configured + correctly (e.g log_checkpoints, log_executor_stats, log_lock_waits) + method_types: + - CREATE + - UPDATE + name: custom.cloudsqlRequirePostgreSQLDatabaseAdditionalFlags + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlRequirePostgreSQLDatabaseFlags"]: + action_type: DENY + condition: "resource.databaseVersion.startsWith('POSTGRES') && (\n !resource.settings.databaseFlags.exists(f,\ + \ f.name == 'log_connections' && f.value == 'on') ||\n 
!resource.settings.databaseFlags.exists(f,\ + \ f.name == 'log_disconnections' && f.value == 'on') ||\n !resource.settings.databaseFlags.exists(f,\ + \ f.name == 'log_min_duration_statement' && f.value == '-1') ||\n !resource.settings.databaseFlags.exists(f,\ + \ f.name == 'cloudsql.enable_pgaudit' && f.value == 'on') ||\n resource.settings.databaseFlags.exists(f,\ + \ f.name == 'log_error_verbosity' && f.value == 'terse') ||\n resource.settings.databaseFlags.exists(f,\ + \ f.name == 'log_statement' && f.value == 'none') ||\n resource.settings.databaseFlags.exists(f,\n\ + \ f.name == 'log_min_messages' && f.value in ['error' , 'log', 'fatal', 'panic']\n\ + \ ) ||\n resource.settings.databaseFlags.exists(f,\n f.name == 'log_min_error_statement'\ + \ && f.value in ['log', 'fatal', 'panic']\n )\n)" + description: Ensure Cloud SQL for PostgreSQL instance database flags are set correctly + (e.g log_connections) + display_name: Require Cloud SQL for PostgreSQL instance database flags to be configured + correctly (e.g log_connections) + method_types: + - CREATE + - UPDATE + name: custom.cloudsqlRequirePostgreSQLDatabaseFlags + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlRequireRootPassword"]: + action_type: DENY + condition: resource.settings.passwordValidationPolicy.minLength == 0 + description: Ensure that Cloud SQL instance is configured to use a root password + display_name: Require Cloud SQL instances to configure root password + method_types: + - CREATE + - UPDATE + name: custom.cloudsqlRequireRootPassword + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlRequireSQLServerDatabaseFlags"]: + action_type: DENY + condition: "resource.databaseVersion.startsWith('SQLSERVER') && (\n 
resource.settings.databaseFlags.exists(flag,\n\ + \ flag.name == 'external scripts enabled' && flag.value == 'on'\n ) ||\n\ + \ resource.settings.databaseFlags.exists(flag,\n flag.name == 'cross db\ + \ ownership chaining' && flag.value == 'on'\n ) ||\n resource.settings.databaseFlags.exists(flag,\n\ + \ flag.name == 'contained database authentication' && flag.value == 'on'\n\ + \ ) ||\n resource.settings.databaseFlags.exists(flag,\n flag.name == 'user\ + \ connections' && flag.value != '0'\n ) ||\n resource.settings.databaseFlags.exists(flag,\n\ + \ flag.name == 'user options' && flag.value != '0'\n ) ||\n !resource.settings.databaseFlags.exists(flag,\n\ + \ flag.name == 'remote access' && flag.value == 'off'\n ) ||\n !resource.settings.databaseFlags.exists(flag,\n\ + \ flag.name == '3625' && flag.value == 'on'\n )\n)" + description: Ensure Cloud SQL for SQLServer instance database flags are set correctly + (e.g external scripts enabled ...) + display_name: Require Cloud SQL for SQLServer instance database flags to be configured + correctly (e.g external scripts enabled ...) 
+ method_types: + - CREATE + - UPDATE + name: custom.cloudsqlRequireSQLServerDatabaseFlags + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.cloudsqlRequireSSLConnection"]: + action_type: DENY + condition: resource.settings.ipConfiguration.sslMode in ['ENCRYPTED_ONLY', 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED'] + == false + description: Ensure that Cloud SQL instance is configured to allow only connections + that are encrypted with SSL/TLS + display_name: Require Cloud SQL instances to allow only connections that are encrypted + with SSL/TLS + method_types: + - CREATE + - UPDATE + name: custom.cloudsqlRequireSSLConnection + parent: organizations/1234567890 + resource_types: + - sqladmin.googleapis.com/Instance + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.dnsAllowedSigningAlgorithms"]: + action_type: DENY + condition: "resource.visibility == 'PUBLIC' &&\nresource.dnssecConfig.state ==\ + \ 'ON' &&\nresource.dnssecConfig.defaultKeySpecs.exists(spec,\n spec.algorithm\ + \ in [\"ECDSAP256SHA256\"] == false\n)" + description: Ensure that allowed signing algorithms are used for the Key-Signing + key and Zone-Signing key in Cloud DNS DNSSEC + display_name: Require Cloud DNS DNSSEC configured to use only allowed algorithms + in Cloud DNS DNSSEC + method_types: + - CREATE + - UPDATE + name: custom.dnsAllowedSigningAlgorithms + parent: organizations/1234567890 + resource_types: + - dns.googleapis.com/ManagedZone + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.dnsRequireManageZoneDNSSEC"]: + action_type: DENY + condition: resource.visibility == "PUBLIC" && (resource.dnssecConfig.state in + ["ON", "TRANSFER"] == false) + description: Ensure that Cloud DNS DNSSEC is enabled when configuring a DNS Public + Managed Zone + display_name: Require Cloud 
DNS DNSSEC enabled when configuring a DNS Public Managed + Zone + method_types: + - CREATE + - UPDATE + name: custom.dnsRequireManageZoneDNSSEC + parent: organizations/1234567890 + resource_types: + - dns.googleapis.com/ManagedZone + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.dnsRequirePolicyLogging"]: + action_type: DENY + condition: resource.enableLogging != true + description: Ensure that Cloud DNS logging is enabled when configuring a DNS Policy + display_name: Require Cloud DNS logging enabled when configuring a DNS Policy + method_types: + - CREATE + - UPDATE + name: custom.dnsRequirePolicyLogging + parent: organizations/1234567890 + resource_types: + - dns.googleapis.com/Policy + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.firewallEnforcePolicyRuleLogging"]: + action_type: DENY + condition: resource.rules.exists(rule, rule.action != 'goto_next' && rule.enableLogging + == false) + description: Ensure that Firewall Policy rules have logging enabled + display_name: Require Firewall Policy rules to have logging enabled + method_types: + - CREATE + - UPDATE + name: custom.firewallEnforcePolicyRuleLogging + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/FirewallPolicy + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.firewallEnforceRuleLogging"]: + action_type: DENY + condition: "(\n (has(resource.logConfig) == false || resource.logConfig.enable\ + \ == false) &&\n !resource.name.startsWith(\"gke-\") &&\n !resource.name.startsWith(\"\ + k8s-\") &&\n !resource.name.endsWith(\"-hc\") &&\n !resource.name.startsWith(\"\ + k8s2-\") &&\n !resource.name.startsWith(\"gkegw1-l7-\") &&\n !resource.name.startsWith(\"\ + gkemcg1-l7-\")\n)" + description: Ensure that VPC Firewall rules have logging enabled + display_name: Require VPC Firewall rules to have logging enabled + method_types: + - CREATE 
+ - UPDATE + name: custom.firewallEnforceRuleLogging + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/Firewall + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.firewallRestrictOpenWorldRule"]: + action_type: DENY + condition: (size(resource.allowed) > 0) && (resource.sourceRanges.exists(range, + range == '0.0.0.0/0') || resource.destinationRanges.exists(range, range == '0.0.0.0/0')) + description: Prevent the creation of VPC firewall rule with source or destination + any IP address (0.0.0.0/0) + display_name: Restrict VPC Firewall rule creation that are open to the world + method_types: + - CREATE + name: custom.firewallRestrictOpenWorldRule + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/Firewall + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.firewallRestrictRdpPolicyRule"]: + action_type: DENY + condition: "resource.rules.exists(rule,\n rule.priority < 2147483644 &&\n \ + \ rule.direction == 'INGRESS' &&\n !rule.match.srcIpRanges.all(ipRange,\n\ + \ ipRange == '35.235.240.0/20' ||\n ipRange.startsWith('192.168.')\ + \ ||\n ipRange.matches('^172\\\\.(?:1[6-9]|2\\\\d|3[0-1]).*') ||\n \ + \ ipRange.startsWith('10.')\n ) &&\n rule.match.layer4Configs.all(l4config,\n\ + \ l4config.ipProtocol == 'tcp' &&\n l4config.ports.all(port, port\ + \ == '3389')\n )\n)" + description: Ensure that RDP access is restricted from the Internet when using + Firewall Policy Rule + display_name: Restrict Firewall Policy rules allowing RDP access from the Internet + method_types: + - CREATE + - UPDATE + name: custom.firewallRestrictRdpPolicyRule + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/FirewallPolicy + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.firewallRestrictRdpRule"]: + action_type: DENY + condition: "resource.direction.matches('INGRESS') 
&&\n!resource.name.startsWith(\"\ + gke-\") &&\n!resource.name.startsWith(\"k8s-\") &&\n!resource.name.endsWith(\"\ + -hc\") &&\n!resource.name.startsWith(\"k8s2-\") &&\n!resource.name.startsWith(\"\ + gkegw1-l7-\") &&\n!resource.name.startsWith(\"gkemcg1-l7-\") &&\nresource.allowed.containsFirewallPort('tcp',\ + \ '3389') &&\n!resource.sourceRanges.all(range,\n range == '35.235.240.0/20'\ + \ ||\n range.startsWith('10.') ||\n range.matches('^172\\\\.(?:1[6-9]|2\\\\\ + d|3[0-1]).*') ||\n range.startsWith('192.168.')\n)" + description: Ensure that RDP access is restricted from the Internet when using + VPC Firewall Rule + display_name: Restrict VPC Firewall rules allowing RDP access from the Internet + method_types: + - CREATE + - UPDATE + name: custom.firewallRestrictRdpRule + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/Firewall + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.firewallRestrictSshPolicyRule"]: + action_type: DENY + condition: "resource.rules.exists(rule,\n rule.priority < 2147483644 &&\n \ + \ rule.direction == 'INGRESS' &&\n !rule.match.srcIpRanges.all(ipRange,\n\ + \ ipRange == '35.235.240.0/20' ||\n ipRange.startsWith('192.168.')\ + \ ||\n ipRange.matches('^172\\\\.(?:1[6-9]|2\\\\d|3[0-1]).*') ||\n \ + \ ipRange.startsWith('10.')\n ) &&\n rule.match.layer4Configs.all(l4config,\n\ + \ l4config.ipProtocol == 'tcp' &&\n l4config.ports.all(port, port\ + \ == '22')\n )\n)" + description: Ensure that SSH access is restricted from the Internet when using + Firewall Policy Rule + display_name: Restrict Firewall Policy rules allowing SSH access from the Internet + method_types: + - CREATE + - UPDATE + name: custom.firewallRestrictSshPolicyRule + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/FirewallPolicy + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.firewallRestrictSshRule"]: + action_type: 
DENY + condition: "resource.direction.matches('INGRESS') &&\n!resource.name.startsWith(\"\ + gke-\") &&\n!resource.name.startsWith(\"k8s-\") &&\n!resource.name.endsWith(\"\ + -hc\") &&\n!resource.name.startsWith(\"k8s2-\") &&\n!resource.name.startsWith(\"\ + gkegw1-l7-\") &&\n!resource.name.startsWith(\"gkemcg1-l7-\") &&\nresource.allowed.containsFirewallPort('tcp',\ + \ '22') &&\n!resource.sourceRanges.all(range,\n range == '35.235.240.0/20'\ + \ ||\n range.startsWith('10.') ||\n range.matches('^172\\\\.(?:1[6-9]|2\\\\\ + d|3[0-1]).*') ||\n range.startsWith('192.168.')\n)" + description: Ensure that SSH access is restricted from the Internet when using + VPC Firewall Rule + display_name: Restrict VPC Firewall rules allowing SSH access from the Internet + method_types: + - CREATE + - UPDATE + name: custom.firewallRestrictSshRule + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/Firewall + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeAllowedNodePoolImages"]: + action_type: DENY + condition: resource.config.imageType in ["COS_CONTAINERD"] == false + description: Enforce that GKE nodes are using authorized node images + display_name: Allow only authorized node pool images + method_types: + - CREATE + - UPDATE + name: custom.gkeAllowedNodePoolImages + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeAllowedReleaseChannels"]: + action_type: DENY + condition: resource.releaseChannel.channel in ["REGULAR", "STABLE"] == false + description: Enforce that GKE cluster are using authorized release channels + display_name: Allow only authorized release channels + method_types: + - CREATE + - UPDATE + name: custom.gkeAllowedReleaseChannels + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + 
module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeDisableAlphaCluster"]: + action_type: DENY + condition: resource.enableKubernetesAlpha == true + description: Enforce that GKE clusters are not using alpha features for production + workloads + display_name: Disable alpha features for production workloads + method_types: + - CREATE + - UPDATE + name: custom.gkeDisableAlphaCluster + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeDisableKubernetesDashboard"]: + action_type: DENY + condition: resource.addonsConfig.kubernetesDashboard.disabled == false + description: Enforce that GKE clusters does not have Web UI dashboard enabled + display_name: Disable Web UI dashboard + method_types: + - CREATE + - UPDATE + name: custom.gkeDisableKubernetesDashboard + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeDisableLegacyAbac"]: + action_type: DENY + condition: resource.legacyAbac.enabled == true + description: Enforce that GKE clusters is configured with no legacy ABAC enabled + display_name: Disable legacy ABAC + method_types: + - CREATE + - UPDATE + name: custom.gkeDisableLegacyAbac + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeDisableLegacyMetadataEndpoints"]: + action_type: DENY + condition: '(''disable-legacy-endpoints'' in resource.config.metadata && + + resource.config.metadata[''disable-legacy-endpoints''] == ''false'')' + description: Enforce that GKE clusters are created with legacy metadata endpoints + disabled + display_name: Disable legacy metadata endpoints + method_types: + - CREATE + - UPDATE + name: 
custom.gkeDisableLegacyMetadataEndpoints + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireCOSImage"]: + action_type: DENY + condition: resource.config.imageType != "COS_CONTAINERD" + description: Enforce the nodes pool are using Container-Optimized OS for running + containers + display_name: Require Container-Optimized OS on node pools + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireCOSImage + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireDataplaneV2"]: + action_type: DENY + condition: resource.networkConfig.datapathProvider != 'ADVANCED_DATAPATH' + description: Enforce that the GKE clusters is configured to use dataplane v2 + display_name: Require dataplane v2 + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireDataplaneV2 + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireGKEMetadataServer"]: + action_type: DENY + condition: resource.config.workloadMetadataConfig.mode != 'GKE_METADATA' + description: Enforce that GKE clusters are configured with GKE metadata server + enabled + display_name: Require GKE metadata server + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireGKEMetadataServer + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireIntegrityMonitoring"]: + action_type: DENY + condition: resource.config.shieldedInstanceConfig.enableIntegrityMonitoring == + false + description: Enforce that GKE nodes are configured with integrity monitoring 
enabled + display_name: Enable integrity monitoring + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireIntegrityMonitoring + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireIntraNodeVisibility"]: + action_type: DENY + condition: resource.networkConfig.enableIntraNodeVisibility == false + description: Enforce that GKE clusters intranode visibility is enabled + display_name: Enable intranode visibility + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireIntraNodeVisibility + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireMasterAuthorizedNetworks"]: + action_type: DENY + condition: resource.masterAuthorizedNetworksConfig.enabled == false + description: Enforce that GKE clusters restrict network access to the control + planes by configuring master authorized networks with authorized CIDR IP ranges + display_name: Require master authorized network with authorized CIDR IP ranges + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireMasterAuthorizedNetworks + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireMonitoring"]: + action_type: DENY + condition: resource.monitoringService != 'monitoring.googleapis.com/kubernetes' + description: Enforce that GKE clusters monitoring is enabled + display_name: Enable monitoring + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireMonitoring + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireNodePoolAutoRepair"]: + 
action_type: DENY + condition: resource.management.autoRepair == false + description: Enforce that GKE clusters are configured with node auto-repair enabled + display_name: Enable node auto-repair + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireNodePoolAutoRepair + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireNodePoolAutoUpgrade"]: + action_type: DENY + condition: resource.management.autoUpgrade == false + description: Enforce that GKE clusters are configured with node auto-upgrade enabled + display_name: Enable node auto-upgrade + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireNodePoolAutoUpgrade + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireNodePoolCMEKEncryption"]: + action_type: DENY + condition: has(resource.config.bootDiskKmsKey) == false + description: Enforce that GKE nodes are configured with CMEK Encryption + display_name: Require NodePool CMEK Encryption + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireNodePoolCMEKEncryption + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireNodePoolSandbox"]: + action_type: DENY + condition: resource.name.matches("default-pool") == false && has(resource.config.sandboxConfig) + == false && resource.config.sandboxConfig.type != 'GVISOR' + description: Enforce that the GKE clusters nodes are isolated using GKE sandbox + (excepting the default node pool) + display_name: Require GKE Sandbox runtime + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireNodePoolSandbox + parent: organizations/1234567890 + resource_types: + - 
container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequirePrivateEndpoint"]: + action_type: DENY + condition: resource.privateClusterConfig.enablePrivateEndpoint == false + description: Enforce that GKE clusters are created as private clusters with public + endpoint disabled + display_name: Disable public endpoints + method_types: + - CREATE + - UPDATE + name: custom.gkeRequirePrivateEndpoint + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireRegionalClusters"]: + action_type: DENY + condition: resource.location.matches("^[a-z]+(-[a-z, 1-9]+)$") == false + description: Enforce the creation of regional GKE clusters + display_name: Require regional GKE cluster + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireRegionalClusters + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireSecureBoot"]: + action_type: DENY + condition: resource.config.shieldedInstanceConfig.enableSecureBoot == false + description: Enforce that GKE nodes are configured with secure boot enabled + display_name: Enable secure boot + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireSecureBoot + parent: organizations/1234567890 + resource_types: + - container.googleapis.com/NodePool + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.gkeRequireVPCNativeCluster"]: + action_type: DENY + condition: resource.ipAllocationPolicy.useIpAliases == false + description: Enforce that GKE clusters are created with VPC-native + display_name: Require VPC-native + method_types: + - CREATE + - UPDATE + name: custom.gkeRequireVPCNativeCluster + parent: organizations/1234567890 + 
resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.iamAllowedMembers"]: + action_type: DENY + condition: "resource.bindings.exists(binding,\n binding.members.exists(member,\n\ + \ !MemberSubjectEndsWith(member, ['@${organization.domain}', '.gserviceaccount.com'])\n\ + \ )\n)" + description: Ensure no binding are done with members outside the organization + domain + display_name: Deny principals and members outside the organization domain + method_types: + - CREATE + - UPDATE + name: custom.iamAllowedMembers + parent: organizations/1234567890 + resource_types: + - iam.googleapis.com/AllowPolicy + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.iamDisablePublicBindings"]: + action_type: DENY + condition: "resource.bindings.exists(binding,\n binding.members.exists(member,\n\ + \ MemberSubjectMatches(member, ['allUsers', 'allAuthenticatedUsers'])\n \ + \ )\n)" + description: Ensure no use of public bindings (allUsers, allAuthenticatedUsers) + display_name: Deny use of public access bindings with allUsers or allAuthenticatedUsers + method_types: + - CREATE + - UPDATE + name: custom.iamDisablePublicBindings + parent: organizations/1234567890 + resource_types: + - iam.googleapis.com/AllowPolicy + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.iamDisableRedisAdminRoles"]: + action_type: DENY + condition: "resource.bindings.exists(binding,\n binding.members.exists(member,\n\ + \ !MemberSubjectMatches(member, []) &&\n (\n RoleNameMatches(binding.role,\ + \ ['roles/redis.admin']) ||\n RoleNameMatches(binding.role, ['roles/redis.editor'])\ + \ ||\n RoleNameContains(binding.role, ['roles/redis.viewer'])\n )\n\ + \ )\n)" + description: Ensure no use of the basic roles (viewer, editor and owner) + display_name: Deny use of the basic roles + method_types: + - CREATE + - UPDATE + name: 
custom.iamDisableRedisAdminRoles + parent: organizations/1234567890 + resource_types: + - iam.googleapis.com/AllowPolicy + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.networkDisableTargetHTTPProxy"]: + action_type: DENY + condition: true == true + description: Ensure Target HTTP Proxy are not used + display_name: Deny usage and creation of Target HTTP Proxy + method_types: + - CREATE + - UPDATE + name: custom.networkDisableTargetHTTPProxy + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/TargetHttpProxy + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.networkDisableWeakSSLPolicy"]: + action_type: DENY + condition: "(resource.profile == \"COMPATIBLE\") || (resource.profile == \"CUSTOM\"\ + \ &&\n resource.customFeatures.exists(feature, feature in [\n \"TLS_RSA_WITH_AES_128_GCM_SHA256\"\ + ,\n \"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n \"TLS_RSA_WITH_AES_128_CBC_SHA\"\ + ,\n \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\"\ + ,\n ])\n) || (resource.profile == \"CUSTOM\" &&\n resource.minTlsVersion in\ + \ [\"TLS_1_2\", \"TLS_1_3\"] == false\n) || (resource.profile == \"MODERN\"\ + \ &&\n resource.minTlsVersion in [\"TLS_1_2\", \"TLS_1_3\"] == false\n) ||\ + \ (resource.profile == \"RESTRICTED\" &&\n resource.minTlsVersion in [\"TLS_1_2\"\ + , \"TLS_1_3\"] == false\n)" + description: Ensure SSL Policies created does not have weak cipher suites + display_name: Deny usage of SSL Policies with weak cipher suites + method_types: + - CREATE + - UPDATE + name: custom.networkDisableWeakSSLPolicy + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/SslPolicy + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.networkRequireBackendServiceLogging"]: + action_type: DENY + condition: has(resource.logConfig) == false || resource.logConfig.enable == false + 
description: Enforce that Backend Services have logging enabled + display_name: Require logging to be enabled on Backend Services + method_types: + - CREATE + - UPDATE + name: custom.networkRequireBackendServiceLogging + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/BackendService + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.networkRequireCustomModeVpc"]: + action_type: DENY + condition: resource.autoCreateSubnetworks == true + description: Enforce that the subnets creation is using custom mode for a VPC + network + display_name: Require custom mode VPC network + method_types: + - CREATE + name: custom.networkRequireCustomModeVpc + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/Network + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.networkRequireSubnetPrivateGoogleAccess"]: + action_type: DENY + condition: "resource.privateIpGoogleAccess == false &&\n resource.purpose in\ + \ ['REGIONAL_MANAGED_PROXY', 'GLOBAL_MANAGED_PROXY'] == false" + description: Enforce that the VPC network subnets are configured with private + Google access + display_name: Require Private Google Access + method_types: + - CREATE + name: custom.networkRequireSubnetPrivateGoogleAccess + parent: organizations/1234567890 + resource_types: + - compute.googleapis.com/Subnetwork + timeouts: null + module.organization[0].google_org_policy_custom_constraint.constraint["custom.storageRequireBucketObjectVersionning"]: + action_type: DENY + condition: resource.versioning.enabled == false + description: Enforce Cloud Storage bucket object versioning to be configured + display_name: Require object versioning + method_types: + - CREATE + - UPDATE + name: custom.storageRequireBucketObjectVersionning + parent: organizations/1234567890 + resource_types: + - storage.googleapis.com/Bucket + timeouts: null + 
module.organization[0].google_organization_iam_custom_role.roles["network_firewall_policies_admin"]: + description: Terraform-managed. + org_id: '1234567890' + permissions: + - compute.networks.setFirewallPolicy + - networksecurity.firewallEndpointAssociations.create + - networksecurity.firewallEndpointAssociations.delete + - networksecurity.firewallEndpointAssociations.get + - networksecurity.firewallEndpointAssociations.list + - networksecurity.firewallEndpointAssociations.update + role_id: networkFirewallPoliciesAdmin + stage: GA + title: Custom role networkFirewallPoliciesAdmin + module.organization[0].google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]: + description: Terraform-managed. + org_id: '1234567890' + permissions: + - networksecurity.firewallEndpoints.create + - networksecurity.firewallEndpoints.delete + - networksecurity.firewallEndpoints.get + - networksecurity.firewallEndpoints.list + - networksecurity.firewallEndpoints.update + - networksecurity.firewallEndpoints.use + - networksecurity.locations.get + - networksecurity.locations.list + - networksecurity.operations.cancel + - networksecurity.operations.delete + - networksecurity.operations.get + - networksecurity.operations.list + - networksecurity.securityProfileGroups.create + - networksecurity.securityProfileGroups.delete + - networksecurity.securityProfileGroups.get + - networksecurity.securityProfileGroups.list + - networksecurity.securityProfileGroups.update + - networksecurity.securityProfileGroups.use + - networksecurity.securityProfiles.create + - networksecurity.securityProfiles.delete + - networksecurity.securityProfiles.get + - networksecurity.securityProfiles.list + - networksecurity.securityProfiles.update + - networksecurity.securityProfiles.use + - networksecurity.tlsInspectionPolicies.create + - networksecurity.tlsInspectionPolicies.delete + - networksecurity.tlsInspectionPolicies.get + - networksecurity.tlsInspectionPolicies.list + - 
networksecurity.tlsInspectionPolicies.update + - networksecurity.tlsInspectionPolicies.use + role_id: ngfwEnterpriseAdmin + stage: GA + title: Custom role ngfwEnterpriseAdmin + module.organization[0].google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]: + description: Terraform-managed. + org_id: '1234567890' + permissions: + - networksecurity.firewallEndpoints.get + - networksecurity.firewallEndpoints.list + - networksecurity.firewallEndpoints.use + - networksecurity.locations.get + - networksecurity.locations.list + - networksecurity.operations.get + - networksecurity.operations.list + - networksecurity.securityProfileGroups.get + - networksecurity.securityProfileGroups.list + - networksecurity.securityProfileGroups.use + - networksecurity.securityProfiles.get + - networksecurity.securityProfiles.list + - networksecurity.securityProfiles.use + - networksecurity.tlsInspectionPolicies.get + - networksecurity.tlsInspectionPolicies.list + - networksecurity.tlsInspectionPolicies.use + role_id: ngfwEnterpriseViewer + stage: GA + title: Custom role ngfwEnterpriseViewer + module.organization[0].google_organization_iam_custom_role.roles["organization_admin_viewer"]: + description: Terraform-managed. + org_id: '1234567890' + permissions: + - essentialcontacts.contacts.get + - essentialcontacts.contacts.list + - logging.settings.get + - orgpolicy.constraints.list + - orgpolicy.policies.list + - orgpolicy.policy.get + - resourcemanager.folders.get + - resourcemanager.folders.getIamPolicy + - resourcemanager.folders.list + - resourcemanager.organizations.get + - resourcemanager.organizations.getIamPolicy + - resourcemanager.projects.get + - resourcemanager.projects.getIamPolicy + - resourcemanager.projects.list + - storage.buckets.getIamPolicy + role_id: organizationAdminViewer + stage: GA + title: Custom role organizationAdminViewer + module.organization[0].google_organization_iam_custom_role.roles["organization_iam_admin"]: + description: Terraform-managed. 
+ org_id: '1234567890' + permissions: + - resourcemanager.organizations.get + - resourcemanager.organizations.getIamPolicy + - resourcemanager.organizations.setIamPolicy + role_id: organizationIamAdmin + stage: GA + title: Custom role organizationIamAdmin + module.organization[0].google_organization_iam_custom_role.roles["project_iam_viewer"]: + description: Terraform-managed. + org_id: '1234567890' + permissions: + - iam.policybindings.get + - iam.policybindings.list + - resourcemanager.projects.get + - resourcemanager.projects.getIamPolicy + - resourcemanager.projects.searchPolicyBindings + role_id: projectIamViewer + stage: GA + title: Custom role projectIamViewer + module.organization[0].google_organization_iam_custom_role.roles["service_project_network_admin"]: + description: Terraform-managed. + org_id: '1234567890' + permissions: + - compute.globalOperations.get + - compute.networks.get + - compute.networks.updatePeering + - compute.organizations.disableXpnResource + - compute.organizations.enableXpnResource + - compute.projects.get + - compute.subnetworks.getIamPolicy + - compute.subnetworks.setIamPolicy + - dns.networks.bindPrivateDNSZone + - resourcemanager.projects.get + role_id: serviceProjectNetworkAdmin + stage: GA + title: Custom role serviceProjectNetworkAdmin + module.organization[0].google_organization_iam_custom_role.roles["storage_viewer"]: + description: Terraform-managed. 
+ org_id: '1234567890' + permissions: + - storage.buckets.get + - storage.buckets.getIamPolicy + - storage.buckets.getObjectInsights + - storage.buckets.list + - storage.buckets.listEffectiveTags + - storage.buckets.listTagBindings + - storage.managedFolders.get + - storage.managedFolders.getIamPolicy + - storage.managedFolders.list + - storage.multipartUploads.list + - storage.multipartUploads.listParts + - storage.objects.get + - storage.objects.getIamPolicy + - storage.objects.list + role_id: storageViewer + stage: GA + title: Custom role storageViewer + module.organization[0].google_organization_iam_custom_role.roles["tag_viewer"]: + description: Terraform-managed. + org_id: '1234567890' + permissions: + - resourcemanager.tagHolds.list + - resourcemanager.tagKeys.get + - resourcemanager.tagKeys.getIamPolicy + - resourcemanager.tagKeys.list + - resourcemanager.tagValues.get + - resourcemanager.tagValues.getIamPolicy + - resourcemanager.tagValues.list + role_id: tagViewer + stage: GA + title: Custom role tagViewer + ? module.organization[0].google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module["cloudfunctionsV1RequireIngressInternalAndLoadBalancer"] + : custom_config: + - custom_output: [] + description: Detect if Gen1 Cloud Functions are not configured to allow only + internal traffic and traffic from load balancer + predicate: + - description: null + expression: (!resource.ingressSettings.matches("ALLOW_INTERNAL_AND_GCLB")) + location: null + title: null + recommendation: Ensure Gen1 Cloud Functions are configured to allow only internal + traffic and traffic from load balancer + resource_selector: + - resource_types: + - cloudfunctions.googleapis.com/CloudFunction + severity: MEDIUM + display_name: cloudfunctionsV1RequireIngressInternalAndLoadBalancer + enablement_state: ENABLED + location: global + organization: '1234567890' + timeouts: null + ? 
module.organization[0].google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module["cloudfunctionsV1RequireVPCConnector"] + : custom_config: + - custom_output: [] + description: Detect if Gen1 Cloud Functions are configured without any VPC Connector + predicate: + - description: null + expression: (!has(resource.vpcConnector)) + location: null + title: null + recommendation: Ensure Gen1 Cloud Functions are configured with VPC Connector + resource_selector: + - resource_types: + - cloudfunctions.googleapis.com/CloudFunction + severity: MEDIUM + display_name: cloudfunctionsV1RequireVPCConnector + enablement_state: ENABLED + location: global + organization: '1234567890' + timeouts: null + ? module.organization[0].google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module["cloudrunRequireBinaryAuthorization"] + : custom_config: + - custom_output: [] + description: Detect if Cloud Run services are configured without Binary Authorization + enabled + predicate: + - description: null + expression: (!resource.metadata.annotations.exists(data, data == 'run.googleapis.com/binary-authorization')) + location: null + title: null + recommendation: Ensure that Binary Authorization is enabled for all Cloud Run + services and that the project's default Binary Authorization policy requires + attestation + resource_selector: + - resource_types: + - run.googleapis.com/Job + - run.googleapis.com/Service + severity: HIGH + display_name: cloudrunRequireBinaryAuthorization + enablement_state: ENABLED + location: global + organization: '1234567890' + timeouts: null + ? 
module.organization[0].google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module["cloudrunRequireIngressInternalAndLoadBalancer"] + : custom_config: + - custom_output: [] + description: Detect if Cloud Run services are not configured to allow only internal + traffic and traffic from load balancer + predicate: + - description: null + expression: "(\n !resource.metadata.annotations['run.googleapis.com/ingress'].matches('internal-and-cloud-load-balancing')\n\ + )" + location: null + title: null + recommendation: Ensure Cloud Run services are configured to allow only internal + traffic and traffic from load balancer + resource_selector: + - resource_types: + - run.googleapis.com/Service + severity: HIGH + display_name: cloudrunRequireIngressInternalAndLoadBalancer + enablement_state: ENABLED + location: global + organization: '1234567890' + timeouts: null + ? module.organization[0].google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module["cloudsqlRequirePointInTimeRecovery"] + : custom_config: + - custom_output: [] + description: Detect if the CloudSQL instances have point in time recovery disabled + predicate: + - description: null + expression: "(\n !resource.settings.backupConfiguration.binaryLogEnabled\ + \ &&\n !resource.settings.backupConfiguration.pointInTimeRecoveryEnabled\n\ + )" + location: null + title: null + recommendation: Ensure the CloudSQL instances have point in time recovery enabled + resource_selector: + - resource_types: + - sqladmin.googleapis.com/Instance + severity: HIGH + display_name: cloudsqlRequirePointInTimeRecovery + enablement_state: ENABLED + location: global + organization: '1234567890' + timeouts: null + ? 
module.organization[0].google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module["computeDisableNestedVirtualization"] + : custom_config: + - custom_output: [] + description: Detect Compute Instances with nested virtualization enabled + predicate: + - description: null + expression: resource.advancedMachineFeatures.enableNestedVirtualization + location: null + title: null + recommendation: Ensure Compute Instance does not have nested virtualization + enabled + resource_selector: + - resource_types: + - compute.googleapis.com/Instance + severity: MEDIUM + display_name: computeDisableNestedVirtualization + enablement_state: ENABLED + location: global + organization: '1234567890' + timeouts: null + ? module.organization[0].google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module["gkeDisableClientCertificateAuth"] + : custom_config: + - custom_output: [] + description: Detect if any GKE clusters uses client certificate authentication + predicate: + - description: null + expression: resource.masterAuth.clientCertificateConfig.issueClientCertificate + == true + location: null + title: null + recommendation: Ensure that control plane does not use client certificate authentication + resource_selector: + - resource_types: + - container.googleapis.com/Cluster + severity: CRITICAL + display_name: gkeDisableClientCertificateAuth + enablement_state: ENABLED + location: global + organization: '1234567890' + timeouts: null + ? 
module.organization[0].google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module["gkeRequireDataplaneV2"] + : custom_config: + - custom_output: [] + description: Detect if GKE clusters are configured with a version different + than Dataplane V2 + predicate: + - description: null + expression: resource.networkConfig.datapathProvider == 'ADVANCED_DATAPATH' + location: null + title: null + recommendation: Ensure only GKE Dataplane V2 are configured + resource_selector: + - resource_types: + - container.googleapis.com/Cluster + severity: MEDIUM + display_name: gkeRequireDataplaneV2 + enablement_state: ENABLED + location: global + organization: '1234567890' + timeouts: null + ? module.organization[0].google_scc_management_organization_security_health_analytics_custom_module.scc_organization_custom_module["gkeRequireRegionalCluster"] + : custom_config: + - custom_output: [] + description: Detect if any non regional GKE clusters are used + predicate: + - description: null + expression: (!resource.location.matches("^[a-z]+(-[a-z, 1-9]+)$")) + location: null + title: null + recommendation: Ensure GKE clusters are configured to be regional + resource_selector: + - resource_types: + - container.googleapis.com/Cluster + severity: MEDIUM + display_name: gkeRequireRegionalCluster + enablement_state: ENABLED + location: global + organization: '1234567890' + timeouts: null + module.organization[0].google_tags_tag_key.default["context"]: + description: Organization-level contexts. + parent: organizations/1234567890 + purpose: null + purpose_data: null + short_name: context + timeouts: null + module.organization[0].google_tags_tag_key.default["environment"]: + description: Organization-level environments. 
+ parent: organizations/1234567890 + purpose: null + purpose_data: null + short_name: environment + timeouts: null + module.organization[0].google_tags_tag_key.default["org-policies"]: + description: Organization policy condition tags. + parent: organizations/1234567890 + purpose: null + purpose_data: null + short_name: org-policies + timeouts: null + module.organization[0].google_tags_tag_value.default["context/project-factory"]: + description: Project factory. + short_name: project-factory + timeouts: null + module.organization[0].google_tags_tag_value.default["environment/development"]: + description: Development. + short_name: development + timeouts: null + module.organization[0].google_tags_tag_value.default["environment/production"]: + description: Production. + short_name: production + timeouts: null + module.organization[0].google_tags_tag_value.default["org-policies/allowed-essential-contacts-domains-all"]: + description: Allow all domains in essntial contacts org policy. + short_name: allowed-essential-contacts-domains-all + timeouts: null + module.organization[0].google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]: + description: Allow all domains in DRS org policy. 
+ short_name: allowed-policy-member-domains-all + timeouts: null + terraform_data.precondition: + input: null + output: null + triggers_replace: null + +counts: + google_bigquery_dataset: 1 + google_bigquery_default_service_account: 2 + google_billing_account_iam_member: 6 + google_essential_contacts_contact: 1 + google_folder: 8 + google_folder_iam_binding: 44 + google_iam_workload_identity_pool: 1 + google_iam_workload_identity_pool_provider: 1 + google_logging_metric: 9 + google_logging_organization_settings: 1 + google_logging_organization_sink: 3 + google_logging_project_bucket_config: 3 + google_monitoring_alert_policy: 9 + google_org_policy_custom_constraint: 55 + google_org_policy_policy: 114 + google_organization_iam_binding: 37 + google_organization_iam_custom_role: 9 + google_project: 3 + google_project_iam_binding: 16 + google_project_iam_member: 15 + google_project_service: 34 + google_project_service_identity: 9 + google_scc_management_organization_security_health_analytics_custom_module: 9 + google_service_account: 14 + google_service_account_iam_binding: 2 + google_service_account_iam_member: 4 + google_storage_bucket: 3 + google_storage_bucket_iam_binding: 4 + google_storage_bucket_object: 9 + google_storage_managed_folder: 5 + google_storage_managed_folder_iam_binding: 10 + google_storage_project_service_account: 3 + google_tags_tag_binding: 5 + google_tags_tag_key: 3 + google_tags_tag_value: 5 + google_tags_tag_value_iam_binding: 4 + local_file: 9 + modules: 48 + resources: 473 + terraform_data: 3 diff --git a/tests/fast/stages/s0_org_setup/tftest.yaml b/tests/fast/stages/s0_org_setup/tftest.yaml index 67480c49a..e9db27288 100644 --- a/tests/fast/stages/s0_org_setup/tftest.yaml +++ b/tests/fast/stages/s0_org_setup/tftest.yaml @@ -20,3 +20,8 @@ tests: - simple.yaml extra_dirs: - ../../../tests/fast/stages/s0_org_setup/data-simple + hardened: + inventory: + - hardened.yaml + extra_dirs: + - ../../../tests/fast/stages/s0_org_setup/data-simple
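Review bot: The new `hardened` test pins `hardened.yaml` as its expected inventory, and that inventory (above) records `gkeRequireDataplaneV2` with `expression: resource.networkConfig.datapathProvider == 'ADVANCED_DATAPATH'`, which appears inverted relative to its own description ("different than Dataplane V2") and to the sibling require-style modules that negate their predicate; committing the inventory as-is locks that in as expected output. Worth confirming against the dataset source (not in this diff) and, if it is a bug, changing the predicate to `expression: resource.networkConfig.datapathProvider != 'ADVANCED_DATAPATH'` before regenerating the inventory. In the same inventory, `gkeRequireRegionalCluster` uses the class `[a-z, 1-9]+`, which excludes `0` (and admits comma and space), so a region whose numeric suffix contains a zero would be reported as non-regional; `[a-z0-9]+` is presumably what was meant. Separately, the `hardened` entry reuses `data-simple` for `extra_dirs` and names no tfvars file, so presumably the framework selects `hardened.tfvars` by test name; a short comment on the entry, `# hardened dataset is selected via hardened.tfvars; data-simple is reused unchanged`, would make that explicit.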