Fixing typos and adding missing roles for Terraform and CI/CD service… (#3351)

* Fixing typos and adding missing roles for Terraform and CI/CD service accounts in 0-org-setup stage. * Updated organization schema to allow defining custom roles under iam_by_principals and updated organization.schema.md accordingly.
2025-09-23 19:20:21 +00:00
parent f1762a5465
commit 2492494c68
7 changed files with 75 additions and 8 deletions
--- a/fast/stages/0-org-setup/data/cicd.yaml
+++ b/fast/stages/0-org-setup/data/cicd.yaml
@@ -41,7 +41,7 @@ workflows:
        apply: $output_files:providers/0-org-setup
        plan: $output_files:providers/0-org-setup-ro
      files:
-        - tfvars/0-boostrap.auto.tfvars.json
+        - 0-org-setup.auto.tfvars.json
    service_accounts:
      apply: $iam_principals:service_accounts/iac-0/iac-org-cicd-rw
      plan: $iam_principals:service_accounts/iac-0/iac-org-cicd-ro
--- a/fast/stages/0-org-setup/data/defaults.yaml
+++ b/fast/stages/0-org-setup/data/defaults.yaml
@@ -46,7 +46,7 @@ output_files:
      service_account: $iam_principals:service_accounts/iac-0/iac-org-rw
    0-org-setup-ro:
      bucket: $storage_buckets:iac-0/iac-org-state
-      service_account: $iam_principals:service_accounts/iac-0/iac-org-rw
+      service_account: $iam_principals:service_accounts/iac-0/iac-org-ro
    1-vpcsc:
      bucket: $storage_buckets:iac-0/iac-stage-state
      prefix: 1-vpcsc
--- a/fast/stages/0-org-setup/data/organization/.config.yaml
+++ b/fast/stages/0-org-setup/data/organization/.config.yaml
@@ -76,6 +76,8 @@ iam_by_principals:
    - roles/resourcemanager.folderViewer
    - roles/resourcemanager.tagViewer
    - roles/serviceusage.serviceUsageViewer
+    - $custom_roles:organization_admin_viewer
+    - $custom_roles:tag_viewer
  $iam_principals:service_accounts/iac-0/iac-networking-rw:
    - roles/compute.orgFirewallPolicyAdmin
    - roles/compute.xpnAdmin
--- a/fast/stages/0-org-setup/data/projects/core/iac-0.yaml
+++ b/fast/stages/0-org-setup/data/projects/core/iac-0.yaml
@@ -130,6 +130,8 @@ buckets:
        - $iam_principals:service_accounts/iac-0/iac-security-ro
        - $iam_principals:service_accounts/iac-0/iac-pf-ro
        - $iam_principals:service_accounts/iac-0/iac-vpcsc-ro
+        - $iam_principals:service_accounts/iac-0/iac-org-cicd-rw
+        - $iam_principals:service_accounts/iac-0/iac-org-cicd-ro
 service_accounts:
  # IaC service accounts for this stage
  iac-org-ro:
@@ -142,11 +144,13 @@ service_accounts:
    iam_sa_roles:
      $service_account_ids:iac-0/iac-org-ro:
        - roles/iam.workloadIdentityUser
+        - roles/iam.serviceAccountTokenCreator
  iac-org-cicd-rw:
    display_name: IaC service account for org setup CI/CD (read-write).
    iam_sa_roles:
      $service_account_ids:iac-0/iac-org-rw:
        - roles/iam.workloadIdentityUser
+        - roles/iam.serviceAccountTokenCreator
  # IaC service accounts for vpc-sc stage
  iac-vpcsc-ro:
    display_name: IaC service account for VPC service controls (read-only).
--- a/fast/stages/0-org-setup/schemas/organization.schema.json
+++ b/fast/stages/0-org-setup/schemas/organization.schema.json
@@ -312,7 +312,7 @@
          "type": "array",
          "items": {
            "type": "string",
-            "pattern": "^roles/"
+            "pattern": "^(?:roles/|\\$custom_roles:)"
          }
        }
      }
--- a/fast/stages/0-org-setup/schemas/organization.schema.md
+++ b/fast/stages/0-org-setup/schemas/organization.schema.md
@@ -94,4 +94,4 @@
  <br>*additional properties: false*
  - **`^(?:\$[a-z_-]+:|domain:|group:|serviceAccount:|user:|principal:|principalSet:)`**: *array*
    - items: *string*
-      <br>*pattern: ^roles/*
+      <br>*pattern: ^(?:roles/|\$custom_roles:)*