From 2aae7b3ab6831345fcf774f2e64b7e7e15a369ac Mon Sep 17 00:00:00 2001
From: norbert-loderer
Date: Fri, 19 Sep 2025 06:15:05 +0000
Subject: [PATCH] Add conditional grants on security to pf service account in FAST stage 0 (#3338)

---
 .../data/folders/security/.config.yaml | 16 ++++++++++++++++
 tests/fast/stages/s0_org_setup/not-simple.yaml | 4 ++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/fast/stages/0-org-setup/data/folders/security/.config.yaml b/fast/stages/0-org-setup/data/folders/security/.config.yaml
index 5051e4782..60519f037 100644
--- a/fast/stages/0-org-setup/data/folders/security/.config.yaml
+++ b/fast/stages/0-org-setup/data/folders/security/.config.yaml
@@ -26,3 +26,19 @@ iam_by_principals:
 - roles/viewer
 - roles/resourcemanager.folderViewer
 - roles/resourcemanager.tagViewer
+ $iam_principals:service_accounts/iac-0/iac-pf-rw:
+ - roles/cloudkms.cryptoKeyEncrypterDecrypter
+ $iam_principals:service_accounts/iac-0/iac-pf-ro:
+ - roles/cloudkms.viewer
+ - $custom_roles:project_iam_viewer
+iam_bindings:
+ project_factory:
+ role: roles/resourcemanager.projectIamAdmin
+ members:
+ - $iam_principals:service_accounts/iac-0/iac-pf-rw
+ condition:
+ title: Project factory delegated IAM grant.
+ expression: |
+ api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
+ 'roles/cloudkms.cryptoKeyEncrypterDecrypter'
+ ])
\ No newline at end of file
diff --git a/tests/fast/stages/s0_org_setup/not-simple.yaml b/tests/fast/stages/s0_org_setup/not-simple.yaml
index 4759033a2..497636692 100644
--- a/tests/fast/stages/s0_org_setup/not-simple.yaml
+++ b/tests/fast/stages/s0_org_setup/not-simple.yaml
@@ -2619,7 +2619,7 @@ counts:
 google_bigquery_default_service_account: 1
 google_billing_account_iam_member: 5
 google_folder: 8
- google_folder_iam_binding: 40
+ google_folder_iam_binding: 44
 google_iam_workload_identity_pool: 1
 google_iam_workload_identity_pool_provider: 1
 google_logging_organization_settings: 1
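Review bot: The direct `roles/cloudkms.cryptoKeyEncrypterDecrypter` grant to `iac-pf-rw` under `iam_by_principals` is a data-plane role, so the project-factory identity can itself encrypt and decrypt with every key in every project under the security folder, and the conditional `roles/resourcemanager.projectIamAdmin` binding below lets it hand that same role to any principal the org policy allows, because a `modifiedGrantsByRole` condition constrains which roles may be granted, not to whom. If the actual need is only to bind service agents to CMEK keys, that is a key-IAM management need rather than a reason for the SA to hold decrypt itself, so the folder config should record the intent, e.g. `# pf-rw holds encrypt/decrypt directly and may delegate only that role; the condition does not restrict members` above the new `iam_by_principals` entry. The condition also has no `description`, and the hunk ends with `\ No newline at end of file`, so the trailing newline should be restored.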
@@ -2648,5 +2648,5 @@ counts:
 google_tags_tag_value_iam_binding: 4
 local_file: 9
 modules: 43
- resources: 288
+ resources: 292
 terraform_data: 2