Add context support for constraints and additional controls for hardened datasets (IAM, GKE and others) (#3661)

fast/stages/0-org-setup/datasets/hardened/README.md

@@ -79,6 +79,7 @@ In that case, the controls placed in the `organization/scc-sha-custom-modules` f
 | `compute.disableNestedVirtualization` | Prevent the creation of Compute Engine instances with nested virtualization enabled. |  |
 | `compute.disableSerialPortAccess` | Prevent the enablement of serial port access for VM instances. | **CIS for GCP 3.0**: 4.5<br>**CIS Controls 8.0**: 4.8<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R5**: CM-6, CM-7<br>**ISO-2700-1 v2022**: A.8.9<br>**SOC2 v2017**: CC6.6.1, CC6.6.3, CC6.6.4 |
 | `compute.disableVpcExternalIpv6` | Prevent configuration of subnets with external IPv6 ranges. |  |
+| `compute.disableVpcInternalIpv6` | Enforce the block of VPC subnetworks from using internal IPv6 addresses. A subnetwork with an internal IPv6 address might be exposed to potential risks due to its current limited support. |  |
 | `compute.managed.blockPreviewFeatures` | Ensures that preview feature updates are blocked unless explicitly allowed |  |
 | `compute.managed.disableSerialPortLogging` | Prevent serial port logging to Cloud Logging for VMs. |  |
 | `compute.managed.vmCanIpForward` | Prevent IP forwarding from being enabled on Compute Engine instances. | **CIS for GCP 3.0**: 4.6<br>**CIS Controls 8.0**: 4.4, 4.5<br>**NIST 800-53 R5**: CA-9, SC-7<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
@@ -109,11 +110,14 @@ In that case, the controls placed in the `organization/scc-sha-custom-modules` f
 | `container.managed.enableGoogleGroupsRBAC` | Enforce that GKE is configured so Google Groups can be used with RBAC | **CIS for GKE 1.5**: 5.8.2<br>**PCI-DSS 4.0**: 1.1.2 |
 | `container.managed.enableNetworkPolicy` | Enforce that GKE clusters are configured with Network Policy enabled | **CIS for GKE 1.5**: 5.6.7<br>**PCI-DSS 4.0**: 1.2,1.1,1.4<br>**ISO-2700-1 v2013**: A.13.1.1 |
 | `container.managed.enablePrivateNodes` | Enforce that GKE clusters are created as private clusters with private nodes | **CIS for GKE 1.5**: 5.6.5<br>**PCI-DSS 4.0**: 1.3.1 |
+| `container.managed.enableSecretsEncryption` | Enforce that the GKE clusters is configured to encrypt secret in etcd | **CIS for GKE 1.5**: 5.3.1<br>**PCI-DSS 4.0**: 3.6 |
 | `container.managed.enableSecurityBulletinNotifications` | Require enabling Security Bulletin Notifications in GKE clusters. |  |
 | `container.managed.enableShieldedNodes` | Enforce that GKE nodes is configured with shielded GKE nodes | **CIS for GKE 1.5**: 5.5.5 |
 | `container.managed.enableWorkloadIdentityFederation` | Enforce that GKE clusters are enabled with Workload Identity  | **CIS for GKE 1.5**: 5.2.2<br>**PCI-DSS 4.0**: 7.2.2 |
 | `essentialcontacts.allowedContactDomains` | Restrict essential contact domains to an authorized list. |  |
 | `gcp.resourceLocations` | Restrict resource locations. |  |
+| `gcp.restrictCmekCryptoKeyProjects` | Prevent the use of CMEKs from unauthorized projects. |  |
+| `gcp.restrictNonCmekServices` | Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | **CIS for GCP 3.0**: 7.2<br>**CIS Controls 8.0**: 3.11<br>**PCI-DSS 4.0**: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2<br>**NIST 800-53 R5**: IA-5, SC-28<br>**NIST Cybersecurity Framework 1.0**: PR-DS-1<br>**ISO-2700-1 v2022**: A.5.33<br>**HIPAA**: 164.312(a)(2)(iv), 164.312(e)(2)(ii)<br>**Cloud Controls Matrix 4**: CEK-03 |
 | `gcp.restrictTLSCipherSuites` | Prevent the use of weak cipher suites and TLS versions on HTTPS and SSL Proxy load balancers. | **CIS for GCP 3.0**: 3.9<br>**NIST 800-53 R4**: SC-7<br>**ISO-2700-1 v2013**: A.14.1.3 |
 | `gcp.restrictTLSVersion` | Prevent the use of weak cipher suites and TLS versions on HTTPS and SSL Proxy load balancers. | **CIS for GCP 3.0**: 3.9<br>**NIST 800-53 R4**: SC-7<br>**ISO-2700-1 v2013**: A.14.1.3 |
 | `iam.allowedPolicyMemberDomains` | Restrict domain sharing to authorized domains. | **CIS for GCP 3.0**: 1.1<br>**NIST 800-53 R4**: AC-3<br>**ISO-2700-1 v2013**: A.9.2.3 |
@@ -142,7 +146,9 @@ In that case, the controls placed in the `organization/scc-sha-custom-modules` f
 |---|---|---|
 | `accesscontextmanagerDisableBridgePerimeters` | Ensure no perimeter bridges are used. Instead, use ingress and egress rules. |  |
 | `cloudbuildDisableWorkerPoolExternalIP` | Prevent the configuration of Cloud Build worker pools with external IP addresses. |  |
+| `cloudkmsAllowedAlgorithms` | Ensure the algorithm used for Cloud KMS keys is configured correctly. |  |
 | `cloudkmsAllowedProtectionLevel` | Ensure Cloud KMS keys are configured with the correct protection level. |  |
+| `cloudkmsAllowedRotationPeriod` | Ensure Cloud KMS keys have the correct rotation period configured. | **CIS for GCP 3.0**: 1.10<br>**CIS Controls 8.0**: 3.11<br>**PCI-DSS 4.0**: 3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2<br>**NIST 800-53 R4**: SC-12<br>**NIST 800-53 R5**: IA-5, SC-28<br>**ISO-2700-1 v2013**: A.10.1.2<br>**ISO-2700-1 v2022**: A.5.33<br>**SOC2 v2017**: CC6.1.10, CC6.1.3<br>**HIPAA**: 164.312(a)(2)(iv), 164.312(e)(2)(ii)<br>**Cloud Controls Matrix 4**: CEK-03 |
 | `cloudrunDisableEnvironmentVariablePattern` | Prevent secrets from being stored in Cloud Run environment variables. | **CIS for GCP 3.0**: 1.17 |
 | `cloudrunJobDisableDefaultServiceAccount` | Ensure all Cloud Run jobs use a non-default service account. |  |
 | `cloudrunJobRequireBinaryAuthorization` | Enforce all Cloud Run jobs use binary authorization. |  |
@@ -159,6 +165,7 @@ In that case, the controls placed in the `organization/scc-sha-custom-modules` f
 | `cloudsqlRequireSQLServerDatabaseFlags` | Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off' | **CIS for GCP 3.0**: 6.3.1<br>**CIS Controls 8.0**: 2.7<br>**PCI-DSS 4.0**: 1.2.5, 2.2.4, 6.4.3<br>**NIST 800-53 R5**: CM-7, SI-7<br>**NIST Cybersecurity Framework 1.0**: PR-IP-1, PR-PT-3<br>**SOC2 v2017**: CC5.2.1, CC5.2.2, CC5.2.3, CC5.2.4 |
 | `cloudsqlRequireSSLConnection` | Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL | **CIS for GCP 3.0**: 6.4<br>**NIST 800-53 R4**: SC-7<br>**ISO-2700-1 v2013**: A.13.2.1, A.14.1.3, A.8.2.3 |
 | `dataprocDisableDefaultServiceAccount` | Prevent Dataproc VMs from using default user-managed service accounts. |  |
+| `dataprocRequireDiskCmekEncryption` | Enforce encryption of Dataproc clusters with a Customer-Managed Encryption Key (CMEK). | **CIS for GCP 3.0**: 8.1<br>**CIS Controls 8.0**: 3.11<br>**PCI-DSS 4.0**:  3.1.1, 3.3.2, 3.3.3, 3.5.1, 3.5.1.2, 3.5.1.3, 8.3.2<br>**NIST 800-53 R5**: IA-5, SC-28<br>**NIST Cybersecurity Framework 1.0**: PR-DS-1<br>**ISO-2700-1 v2013**: A.5.33<br>**SOC2 v2017**: CC6.1.10, CC6.1.3<br>**HIPAA**: 164.312(a)(2)(iv), 164.312(e)(2)(ii)<br>**Cloud Controls Matrix 4**: CEK-03 |
 | `dataprocRequireInternalIp` | Enforce the use of internal IP addresses only for Dataproc clusters. |  |
 | `dataprocRequireKerberos` | Enforce the use of Kerberos for secure authentication on all Dataproc clusters. |  |
 | `dnsAllowedSigningAlgorithms` | Prevent the use of the RSASHA1 algorithm for the Key-Signing Key in Cloud DNS DNSSEC. | **CIS for GCP 3.0**: 3.4<br>**PCI-DSS 4.0**: 1.1.1, 1.2.1, 1.2.6, 1.2.7, 1.4.2, 1.5.1, 2.1.1, 2.2.1<br>**NIST 800-53 R4**: 4.2<br>**NIST 800-53 R5**: AC-18, CM-2, CM-6, CM-7, CM-9<br>**NIST Cybersecurity Framework 1.0**: PR-IP-1<br>**ISO-2700-1 v2022**: A.8.9<br>**SOC2 v2017**: CC5.2.2<br>**Cloud Controls Matrix 4**: IVS-04 |
@@ -171,6 +178,8 @@ In that case, the controls placed in the `organization/scc-sha-custom-modules` f
 | `firewallRestrictCacheSearchDatabasesRule` | Prevent Cassandra port access from the internet via VPC firewall rules. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
 | `firewallRestrictDirectoryServicesPolicyRule` | Prevent directory services port access from the internet via firewall policies. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
 | `firewallRestrictDirectoryServicesRule` | Prevent directory services port access from the internet via VPC firewall rules. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
+| `firewallRestrictExplicitAllPortsPolicyRule` | Prevent rules that explicitly specify all TCP/UDP ports using ranges like 0-65535 or 1-65535 via firewall policies. |  |
+| `firewallRestrictExplicitAllPortsRule` | Prevent rules that explicitly specify all TCP/UDP ports using ranges like 0-65535 or 1-65535 via VPC firewall rules or any ports. |  |
 | `firewallRestrictInsecureProtocolsPolicyRule` | Prevent FTP port access from the internet via firewall policies. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
 | `firewallRestrictInsecureProtocolsRule` | Prevent FTP port access from the internet via VPC firewall rules. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
 | `firewallRestrictMailProtocolsPolicyRule` | Prevent POP3 port access from the internet via firewall policies. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
@@ -181,7 +190,8 @@ In that case, the controls placed in the `organization/scc-sha-custom-modules` f
 | `firewallRestrictNetworkServicesRule` | Prevent DNS port access from the internet via VPC firewall rules. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
 | `firewallRestrictNoSQLDatabasesPolicyRule` | Prevent Elasticsearch port access from the internet via firewall policies. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
 | `firewallRestrictNoSQLDatabasesRule` | Prevent Elasticsearch port access from the internet via VPC firewall rules. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
-| `firewallRestrictPublicAccessRule` | Prevent the creation of VPC firewall rules with a source or destination of `0.0.0.0/0`. |  |
+| `firewallRestrictPublicAccessPolicyRule` | Prevent open to public access  via firewall policies. |  |
+| `firewallRestrictPublicAccessRule` | Prevent open to public access  via VPC firewall rules. |  |
 | `firewallRestrictRdpPolicyRule` | Prevent RDP access from the internet via firewall policies. | **CIS for GCP 3.0**: 3.7<br>**CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
 | `firewallRestrictRdpRule` | Prevent RDP access from the internet via VPC firewall rules. | **CIS for GCP 3.0**: 3.7<br>**CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
 | `firewallRestrictSQLDatabasesPolicyRule` | Prevent MySQL port access from the internet via firewall policies. | **CIS Controls 8.0**: 4.4, 4.5<br>**PCI-DSS 4.0**: 1.2.1, 1.4.1<br>**NIST 800-53 R4**: SC-7<br>**NIST 800-53 R5**: CA-9, SC-7<br>**ISO-2700-1 v2013**: A.13.1.1<br>**SOC2 v2017**: CC6.6.1, CC6.6.4 |
@@ -204,6 +214,7 @@ In that case, the controls placed in the `organization/scc-sha-custom-modules` f
 | `gkeRequireMonitoring` | Enforce that GKE clusters monitoring is enabled | **CIS for GKE 1.5**: 5.7.1<br>**PCI-DSS 4.0**: 10.2 |
 | `gkeRequireNodePoolAutoRepair` | Enforce that GKE clusters are configured with node auto-repair enabled | **CIS for GKE 1.5**: 5.5.2<br>**PCI-DSS 4.0**: 2.2.6 |
 | `gkeRequireNodePoolAutoUpgrade` | Enforce that GKE clusters are configured with node auto-upgrade enabled  | **CIS for GKE 1.5**: 5.5.3<br>**PCI-DSS 4.0**: 2.2.6 |
+| `gkeRequireNodePoolCMEKEncryption` | Enforce that GKE nodes are configured with CMEK Encryption | **CIS for GKE 1.5**: 5.9.1<br>**PCI-DSS 4.0**: 3.6 |
 | `gkeRequireNodePoolSandbox` | Enforce that the GKE clusters nodes are isolated using GKE sandbox | **CIS for GKE 1.5**: 5.10.3<br>**PCI-DSS 4.0**: 6.2.1 |
 | `gkeRequirePrivateEndpoint` | Enforce that GKE clusters are created as private clusters with public endpoint disabled | **CIS for GKE 1.5**: 5.6.4<br>**PCI-DSS 4.0**: 1.3.1 |
 | `gkeRequireRegionalClusters` | Enforce the creation of regional GKE clusters |  |
@@ -231,8 +242,10 @@ SCC Custom SHA Detectors are available only for organization have subscribed to
 
 | Module | Description | Compliance Mapping |
 |---|---|---|
+| `artifactregistryRequireCMEK` | Ensure Artifact Registry repositories are encrypted with a Customer-Managed Encryption Key (CMEK). |  |
 | `cloudfunctionsV1RequireIngressInternalAndLoadBalancer` | Ensure Cloud Functions Gen1 only allows internal and load balancer traffic. |  |
 | `cloudfunctionsV1RequireVPCConnector` | Ensure Cloud Functions v1 are configured with a VPC connector. |  |
+| `cloudkmsAllowedAlgorithms` | Ensure the algorithm used for Cloud KMS keys is configured correctly. |  |
 | `cloudkmsAllowedProtectionLevel` | Ensure Cloud KMS keys are configured with the correct protection level. |  |
 | `cloudrunDisableJobDefaultServiceAccount` | Ensure all Cloud Run services use a non-default service account. |  |
 | `cloudrunDisableServiceDefaultServiceAccount` | Ensure all Cloud Run jobs use a non-default service account. |  |
@@ -276,8 +289,8 @@ region: $locations:primary
 ip_cidr_range: 10.73.0.0/24
 description: Default primary-region subnet for dev
 flow_logs_config: # This section enables VPC Flow Logs
-  aggregation_interval: "INTERVAL_15_MIN"
+  aggregation_interval: "INTERVAL_5_SEC"
-  flow_sampling: 0.5
+  flow_sampling: 1.0
   metadata: "INCLUDE_ALL_METADATA"
 ```
 

fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml

@@ -15,3 +15,10 @@
 # yaml-language-server: $schema=../../../../schemas/folder.schema.json
 
 name: Data Platform
+org_policies:
+  custom.iamDisableAdminServiceAccount:
+    rules:
+      - enforce: false
+  custom.iamDisableProjectServiceAccountImpersonationRoles:
+    rules:
+      - enforce: false

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudkmsAllowedAlgorithms.yaml

@@ -0,0 +1,34 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+custom.cloudkmsAllowedAlgorithms:
+  action_type: DENY
+  condition: |-
+    has(resource.versionTemplate.algorithm) && resource.versionTemplate.algorithm in [
+      'GOOGLE_SYMMETRIC_ENCRYPTION',
+      'RSA_SIGN_PSS_2048_SHA256',
+      'RSA_SIGN_PSS_3072_SHA256',
+      'RSA_SIGN_PSS_4096_SHA256',
+      'RSA_DECRYPT_OAEP_2048_SHA256',
+      'RSA_DECRYPT_OAEP_4096_SHA256',
+      'RSA_DECRYPT_OAEP_2048_SHA1',
+      'RSA_DECRYPT_OAEP_4096_SHA1'
+    ] == false
+  description: Ensure the algorithm for Cloud KMS keys is configured correctly
+  display_name: Require Cloud KMS keys algorithm to be configured correctly
+  method_types:
+  - CREATE
+  - UPDATE
+  resource_types:
+  - cloudkms.googleapis.com/CryptoKey

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudkmsAllowedRotationPeriod.yaml

@@ -0,0 +1,25 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+custom.cloudkmsAllowedRotationPeriod:
+  action_type: DENY
+  condition: |-
+    has(resource.rotationPeriod) && resource.rotationPeriod > duration("7776000s")
+  description: Ensure the rotation period for Cloud KMS keys is configured correctly
+  display_name: Require Cloud KMS keys to have rotation period configured correctly
+  method_types:
+  - CREATE
+  - UPDATE
+  resource_types:
+  - cloudkms.googleapis.com/CryptoKey

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.dataprocRequireDiskCmekEncryption.yaml

@@ -0,0 +1,26 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+custom.dataprocRequireDiskCmekEncryption:
+  action_type: DENY
+  condition: |-
+    has(resource.config.encryptionConfig.gcePdKmsKeyName) == false
+  description: Enforce that the Dataproc cluster is created with an CMEK encryption
+    key.
+  display_name: Enable Dataproc CMEK encryption
+  method_types:
+  - CREATE
+  - UPDATE
+  resource_types:
+  - dataproc.googleapis.com/Cluster

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.firewallRestrictExplicitAllPortsPolicyRule.yaml

@@ -0,0 +1,37 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+custom.firewallRestrictExplicitAllPortsPolicyRule:
+  action_type: DENY
+  condition: |-
+    resource.rules.exists(rule,
+      rule.action == 'allow' &&
+      rule.priority < 2147483644 &&
+      rule.direction == 'INGRESS' &&
+      rule.match.layer4Configs.exists(l4,
+        l4.ipProtocol in ['tcp', 'udp'] && (
+          !has(l4.ports) ||
+          '0-65535' in l4.ports ||
+          '1-65535' in l4.ports
+        )
+      )
+    )
+  description: Prevent Firewall Policy rules that explicitly specify all TCP/UDP ports
+    using ranges like 0-65535 or 1-65535
+  display_name: Restrict Firewall Policy rules with explicit all-ports specifications
+  method_types:
+  - CREATE
+  - UPDATE
+  resource_types:
+  - compute.googleapis.com/FirewallPolicy

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.firewallRestrictExplicitAllPortsRule.yaml

@@ -0,0 +1,39 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+custom.firewallRestrictExplicitAllPortsRule:
+  action_type: DENY
+  condition: |-
+    resource.direction == 'INGRESS' &&
+    resource.allowed.exists(rule,
+      rule.IPProtocol in ['tcp', 'udp'] && (
+        !has(rule.ports) ||
+        '0-65535' in rule.ports ||
+        '1-65535' in rule.ports
+      )
+    ) &&
+    !resource.name.startsWith('gke-') &&
+    !resource.name.startsWith('k8s-') &&
+    !resource.name.endsWith('-hc') &&
+    !resource.name.startsWith('k8s2-') &&
+    !resource.name.startsWith('gkegw1-l7-') &&
+    !resource.name.startsWith('gkemcg1-l7-')
+  description: Prevent VPC firewall rules that explicitly specify all TCP/UDP ports
+    using ranges like 0-65535 or 1-65535
+  display_name: Restrict VPC Firewall rules with explicit all-ports specifications
+  method_types:
+  - CREATE
+  - UPDATE
+  resource_types:
+  - compute.googleapis.com/Firewall

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.firewallRestrictPublicAccessPolicyRule.yaml

@@ -0,0 +1,33 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+custom.firewallRestrictPublicAccessPolicyRule:
+  action_type: DENY
+  condition: |-
+    resource.rules.exists(rule,
+      rule.action == 'allow' &&
+      rule.priority < 2147483644 &&
+      rule.direction == 'INGRESS' &&
+      rule.match.srcIpRanges.exists(range, range == '0.0.0.0/0') &&
+      !rule.match.layer4Configs.exists(l4,
+        l4.ipProtocol == 'icmp'
+      )
+    )
+  description: Prevent Firewall Policy ingress rules from 0.0.0.0/0 except for allowed protocols (ICMP)
+  display_name: Restrict Firewall Policy ingress rules allowing public Internet access
+  method_types:
+  - CREATE
+  - UPDATE
+  resource_types:
+  - compute.googleapis.com/FirewallPolicy

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.firewallRestrictPublicAccessRule.yaml

@@ -15,15 +15,16 @@
 custom.firewallRestrictPublicAccessRule:
   action_type: DENY
   condition: |-
-    (size(resource.allowed) > 0) &&
+    resource.direction == 'INGRESS' &&
-    (
+    size(resource.allowed) > 0 &&
-      resource.sourceRanges.exists(range, range == '0.0.0.0/0') ||
+    resource.sourceRanges.exists(r, r == '0.0.0.0/0') &&
-      resource.destinationRanges.exists(range, range == '0.0.0.0/0')
+    !resource.allowed.exists(a,
+      a.IPProtocol == 'icmp'
     )
-  description: Prevent the creation of VPC firewall rules with source or destination
+  description: Prevent VPC Firewall ingress rules from 0.0.0.0/0 except for allowed protocols (ICMP).
-    any IP address (0.0.0.0/0)
+  display_name: Restrict VPC Firewall ingress rules allowing public Internet access
-  display_name: Restrict VPC Firewall rules allowing public Internet access
   method_types:
   - CREATE
+  - UPDATE
   resource_types:
   - compute.googleapis.com/Firewall

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.iamAllowedMembers.yaml

@@ -17,7 +17,8 @@ custom.iamAllowedMembers:
   condition: |-
     resource.bindings.exists(binding,
       binding.members.exists(member,
-        !MemberSubjectEndsWith(member, ['@${organization.domain}', '.gserviceaccount.com'])
+        MemberSubjectStartsWith(member, ['user:', 'group:']) &&
+        !MemberSubjectEndsWith(member, ['@${organization.domain}', '${iam_principals.gcp-organization-admins}'])
       )
     )
   description: Ensure no binding are done with members outside the organization domain

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.iamDisableAdminServiceAccount.yaml

@@ -0,0 +1,38 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+custom.iamDisableAdminServiceAccount:
+  action_type: DENY
+  condition: |-
+    resource.bindings.exists(binding,
+      binding.members.exists(member,
+        !MemberSubjectEndsWith(member, ['@cloudservices.gserviceaccount.com']) &&
+        MemberSubjectStartsWith(member, ['serviceAccount:']) &&
+        !MemberSubjectEndsWith(member, ['@${project_ids.iac-0}.iam.gserviceaccount.com'])
+      ) &&
+      (
+        RoleNameMatches(binding.role, ['roles/owner', 'roles/admin']) ||
+        RoleNameMatches(binding.role, ['roles/editor', 'roles/writer']) ||
+        RoleNameContains(binding.role, ['admin', 'Admin'])
+      )
+    )
+  description: Ensure no use of the legacy basic roles (owner and editor), basic roles
+    (admin, writer) and usage of admin roles for service account
+  display_name: Deny use of the legacy basic roles, basic roles and usage of admin role
+    for service account
+  method_types:
+  - CREATE
+  - UPDATE
+  resource_types:
+  - iam.googleapis.com/AllowPolicy

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.iamDisableBasicRoles.yaml

@@ -0,0 +1,36 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+custom.iamDisableBasicRoles:
+  action_type: DENY
+  condition: |-
+    resource.bindings.exists(binding,
+      binding.members.exists(member,
+        MemberSubjectStartsWith(member, ['user:', 'group:']) &&
+        !MemberSubjectStartsWith(member, ['${iam_principals.gcp-organization-admins}']) &&
+        (
+          RoleNameMatches(binding.role, ['roles/owner', 'roles/admin']) ||
+          RoleNameMatches(binding.role, ['roles/editor', 'roles/writer']) ||
+          RoleNameContains(binding.role, ['roles/viewer', 'roles/reader'])
+        )
+      )
+    )
+  description: Ensure no use of the legacy basic roles (viewer, editor and owner) and
+    basic roles (reader, writer and admin)
+  display_name: Deny use of the basic roles
+  method_types:
+  - CREATE
+  - UPDATE
+  resource_types:
+  - iam.googleapis.com/AllowPolicy

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.iamDisableProjectServiceAccountImpersonationRoles.yaml

@@ -0,0 +1,37 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+custom.iamDisableProjectServiceAccountImpersonationRoles:
+  action_type: DENY
+  condition: |-
+    resource.bindings.exists(binding,
+      binding.members.exists(member,
+        MemberSubjectStartsWith(member, ['user:', 'group:']) &&
+        !MemberSubjectStartsWith(member, ['${iam_principals.gcp-organization-admins}'])
+      ) &&
+      (
+        RoleNameMatches(binding.role, ['roles/iam.serviceAccountUser']) ||
+        RoleNameMatches(binding.role, ['roles/iam.serviceAccountTokenCreator'])
+      )
+    )
+  description: Ensure that IAM Users are not assigned the service account user or
+    service account token creator roles (requires usage of IAM Condition and tags
+    to ensure the constraint is not applied on allowed service accounts)
+  display_name: Deny assignment of the service account user or service account token
+    creator roles to users
+  method_types:
+  - CREATE
+  - UPDATE
+  resource_types:
+  - iam.googleapis.com/AllowPolicy

fast/stages/0-org-setup/datasets/hardened/organization/org-policies/cloudkms.yaml

@@ -18,10 +18,22 @@
 
 # yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
 
+custom.cloudkmsAllowedAlgorithms:
+  rules:
+    - enforce: true
+
 custom.cloudkmsAllowedProtectionLevel:
   rules:
     - enforce: true
 
+custom.cloudkmsAllowedRotationPeriod:
+  rules:
+    - enforce: true
+
+custom.dataprocRequireDiskCmekEncryption:
+  rules:
+    - enforce: true
+
 gcp.restrictCmekCryptoKeyProjects:
   rules:
     - allow:
@@ -77,7 +89,9 @@ gcp.restrictNonCmekServices:
           - "run.googleapis.com"
           - "secretmanager.googleapis.com"
           - "securesourcemanager.googleapis.com"
-          - "securitycenter.googleapis.com"
+          # To enabled when needed: https://docs.cloud.google.com/security-command-center/docs/cmek
+          # CMEK needs can be configured at activation time only
+          # - "securitycenter.googleapis.com"
           - "spanner.googleapis.com"
           - "speech.googleapis.com"
           - "sqladmin.googleapis.com"

fast/stages/0-org-setup/datasets/hardened/organization/org-policies/firewall.yaml

@@ -46,6 +46,14 @@ custom.firewallRestrictDirectoryServicesRule:
   rules:
     - enforce: true
 
+custom.firewallRestrictExplicitAllPortsPolicyRule:
+  rules:
+    - enforce: true
+
+custom.firewallRestrictExplicitAllPortsRule:
+  rules:
+    - enforce: true
+
 custom.firewallRestrictInsecureProtocolsPolicyRule:
   rules:
     - enforce: true
@@ -86,6 +94,10 @@ custom.firewallRestrictNoSQLDatabasesRule:
   rules:
     - enforce: true
 
+custom.firewallRestrictPublicAccessPolicyRule:
+  rules:
+    - enforce: true
+
 custom.firewallRestrictPublicAccessRule:
   rules:
     - enforce: true

fast/stages/0-org-setup/datasets/hardened/organization/org-policies/gke.yaml

@@ -58,6 +58,10 @@ container.managed.enablePrivateNodes:
   rules:
     - enforce: true
 
+container.managed.enableSecretsEncryption:
+  rules:
+    - enforce: true
+
 container.managed.enableSecurityBulletinNotifications:
   rules:
     - enforce: true
@@ -134,6 +138,10 @@ custom.gkeRequireNodePoolAutoUpgrade:
   rules:
     - enforce: true
 
+custom.gkeRequireNodePoolCMEKEncryption:
+  rules:
+    - enforce: true
+
 custom.gkeRequireNodePoolSandbox:
   rules:
     - enforce: true

fast/stages/0-org-setup/datasets/hardened/organization/org-policies/iam.yaml

@@ -18,6 +18,23 @@
 
 # yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
 
+custom.iamDisableAdminServiceAccount:
+  rules:
+    - enforce: true
+
+custom.iamDisableBasicRoles:
+  rules:
+    - enforce: true
+
+custom.iamDisableProjectServiceAccountImpersonationRoles:
+  rules:
+    - enforce: false
+      condition:
+        title: Allow service account impersonation for tagged users
+        expression: |
+          resource.matchTag('${organization.id}/org-policies', 'allowed-sa-impersonation')
+    - enforce: true
+
 custom.iamDisableRedisAdminRoles:
   rules:
     - enforce: false
@@ -68,6 +85,10 @@ iam.managed.disableServiceAccountApiKeyCreation:
   rules:
     - enforce: true
 
+iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts:
+  rules:
+    - enforce: true
+
 iam.serviceAccountKeyExposureResponse:
   rules:
     - allow:

fast/stages/0-org-setup/datasets/hardened/organization/org-policies/serviceusage.yaml

@@ -0,0 +1,103 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# sample subset of useful organization policies, edit to suit requirements
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
+
+gcp.restrictServiceUsage:
+  rules:
+    - allow:
+        values:
+          - "accesscontextmanager.googleapis.com"
+          - "analyticshub.googleapis.com"
+          - "anthos.googleapis.com"
+          - "anthosconfigmanagement.googleapis.com"
+          - "appoptimize.googleapis.com"
+          - "artifactregistry.googleapis.com"
+          - "autoscaling.googleapis.com"
+          - "bigquery.googleapis.com"
+          - "bigqueryconnection.googleapis.com"
+          - "bigquerydatapolicy.googleapis.com"
+          - "bigquerydatatransfer.googleapis.com"
+          - "bigquerymigration.googleapis.com"
+          - "bigqueryreservation.googleapis.com"
+          - "bigquerystorage.googleapis.com"
+          - "billingbudgets.googleapis.com"
+          - "certificatemanager.googleapis.com"
+          - "cloudaicompanion.googleapis.com"
+          - "cloudapis.googleapis.com"
+          - "cloudasset.googleapis.com"
+          - "cloudbilling.googleapis.com"
+          - "cloudbuild.googleapis.com"
+          - "cloudkms.googleapis.com"
+          - "cloudquotas.googleapis.com"
+          - "cloudresourcemanager.googleapis.com"
+          - "cloudsecuritycompliance.googleapis.com"
+          - "cloudtrace.googleapis.com"
+          - "composer.googleapis.com"
+          - "compute.googleapis.com"
+          - "container.googleapis.com"
+          - "containerfilesystem.googleapis.com"
+          - "containerregistry.googleapis.com"
+          - "containersecurity.googleapis.com"
+          - "containerthreatdetection.googleapis.com"
+          - "datacatalog.googleapis.com"
+          - "dataform.googleapis.com"
+          - "datalineage.googleapis.com"
+          - "dataplex.googleapis.com"
+          - "datastore.googleapis.com"
+          - "deploymentmanager.googleapis.com"
+          - "dns.googleapis.com"
+          - "essentialcontacts.googleapis.com"
+          - "geminicloudassist.googleapis.com"
+          - "gkebackup.googleapis.com"
+          - "gkeconnect.googleapis.com"
+          - "gkehub.googleapis.com"
+          - "iam.googleapis.com"
+          - "iamcredentials.googleapis.com"
+          - "iap.googleapis.com"
+          - "logging.googleapis.com"
+          - "monitoring.googleapis.com"
+          - "multiclusteringress.googleapis.com"
+          - "multiclustermetering.googleapis.com"
+          - "multiclusterservicediscovery.googleapis.com"
+          - "networkconnectivity.googleapis.com"
+          - "networkmanagement.googleapis.com"
+          - "networksecurity.googleapis.com"
+          - "notebooksecurityscanner.googleapis.com"
+          - "orgpolicy.googleapis.com"
+          - "oslogin.googleapis.com"
+          - "privateca.googleapis.com"
+          - "pubsub.googleapis.com"
+          - "recommender.googleapis.com"
+          - "secretmanager.googleapis.com"
+          - "securitycenter.googleapis.com"
+          - "securitycentermanagement.googleapis.com"
+          - "servicedirectory.googleapis.com"
+          - "servicemanagement.googleapis.com"
+          - "servicenetworking.googleapis.com"
+          - "serviceusage.googleapis.com"
+          - "sql-component.googleapis.com"
+          - "sqladmin.googleapis.com"
+          - "stackdriver.googleapis.com"
+          - "storage-api.googleapis.com"
+          - "storage-component.googleapis.com"
+          - "storage.googleapis.com"
+          - "sts.googleapis.com"
+          - "trafficdirector.googleapis.com"
+          - "vpcaccess.googleapis.com"
+          - "websecurityscanner.googleapis.com"

fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/artifactregistryRequireCMEK.yaml

@@ -0,0 +1,23 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+artifactregistryRequireCMEK:
+  description: Detect if Artifact Registry repositories are not encrypted using CMEK
+  predicate:
+    expression: (!has(resource.kmsKeyName))
+  recommendation: Ensure the Artifact Registry repositoriesa are encrypted using CMEK
+  resource_selector:
+    resource_types:
+      - artifactregistry.googleapis.com/Repository
+  severity: HIGH

fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudkmsAllowedAlgorithms.yaml

@@ -0,0 +1,23 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cloudkmsAllowedAlgorithms:
+  description: Detect if the the algorithm for Cloud KMS keys is not configured correctly
+  predicate:
+    expression: resource.algorithm in ["GOOGLE_SYMMETRIC_ENCRYPTION", "EXTERNAL_SYMMETRIC_ENCRYPTION"] == false
+  recommendation: Ensure the algorithm for Cloud KMS keys is configured correctly
+  resource_selector:
+    resource_types:
+      - cloudkms.googleapis.com/CryptoKeyVersion
+  severity: MEDIUM

fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/gkeRequireDataplaneV2.yaml

@@ -15,7 +15,7 @@
 gkeRequireDataplaneV2:
   description: Detect if GKE clusters are configured with a version different than Dataplane V2
   predicate:
-    expression: resource.networkConfig.datapathProvider == 'ADVANCED_DATAPATH'
+    expression: resource.networkConfig.datapathProvider != 'ADVANCED_DATAPATH'
   recommendation: Ensure only GKE Dataplane V2 are configured
   resource_selector:
     resource_types:

fast/stages/0-org-setup/datasets/hardened/organization/tags/org-policies.yaml

@@ -23,3 +23,5 @@ values:
     description: "Allow all domains in essntial contacts org policy."
   allowed-policy-member-domains-all:
     description: "Allow all domains in DRS org policy."
+  allowed-sa-impersonation:
+    description: "Allow service account impersonation for tagged principals."

fast/stages/0-org-setup/organization.tf

@@ -92,10 +92,9 @@ module "organization" {
   }
   contacts = lookup(local.organization, "contacts", {})
   factories_config = {
-    org_policy_custom_constraints = "${local.paths.organization}/custom-constraints"
+    custom_roles           = "${local.paths.organization}/custom-roles"
-    custom_roles                  = "${local.paths.organization}/custom-roles"
+    tags                   = "${local.paths.organization}/tags"
-    tags                          = "${local.paths.organization}/tags"
+    scc_sha_custom_modules = "${local.paths.organization}/scc-sha-custom-modules"
-    scc_sha_custom_modules        = "${local.paths.organization}/scc-sha-custom-modules"
   }
   tags_config = {
     ignore_iam = true
@@ -113,7 +112,8 @@ module "organization-iam" {
     condition_vars = merge(
       local.ctx_condition_vars,
       { folder_ids = module.factory.folder_ids },
-      { project_ids = module.factory.project_ids }
+      { project_ids = module.factory.project_ids },
+      { iam_principals = local.ctx.iam_principals },
     )
     custom_roles = merge(
       local.ctx.custom_roles,
@@ -139,8 +139,9 @@ module "organization-iam" {
     )
   })
   factories_config = {
-    org_policies = "${local.paths.organization}/org-policies"
+    org_policy_custom_constraints = "${local.paths.organization}/custom-constraints"
-    tags         = "${local.paths.organization}/tags"
+    org_policies                  = "${local.paths.organization}/org-policies"
+    tags                          = "${local.paths.organization}/tags"
   }
   iam = lookup(
     local.organization, "iam", {}

fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/dev/.config.yaml

@@ -19,3 +19,5 @@ routes:
     dest_range: 0.0.0.0/0
     next_hop_type: "gateway"
     next_hop: "default-internet-gateway"
+# dns_policy:
+#   logging: true

fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/dev/subnets/dev-default.yaml

@@ -7,6 +7,6 @@ region: $locations:primary
 ip_cidr_range: 10.73.0.0/24
 description: Default primary-region subnet for dev
 # flow_logs_config:
-#   aggregation_interval: "INTERVAL_15_MIN"
+#   aggregation_interval: "INTERVAL_5_SEC"
-#   flow_sampling: 0.5
+#   flow_sampling: 1.0
 #   metadata: "INCLUDE_ALL_METADATA"

fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/hub/.config.yaml

@@ -24,3 +24,5 @@ routes:
     dest_range: 0.0.0.0/0
     next_hop_type: "gateway"
     next_hop: "default-internet-gateway"
+# dns_policy:
+#   logging: true

fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/hub/subnets/hub-default.yaml

@@ -7,6 +7,6 @@ region: $locations:primary
 ip_cidr_range: 10.71.0.0/24
 description: Default primary-region subnet for hub
 # flow_logs_config:
-#   aggregation_interval: "INTERVAL_15_MIN"
+#   aggregation_interval: "INTERVAL_5_SEC"
-#   flow_sampling: 0.5
+#   flow_sampling: 1.0
 #   metadata: "INCLUDE_ALL_METADATA"

fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/prod/.config.yaml

@@ -31,3 +31,5 @@ subnets_proxy_only:
     region: $locations:primary
     name: primary-region-proxy-only
     active: true
+# dns_policy:
+#   logging: true

fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/prod/subnets/prod-default.yaml

@@ -7,6 +7,6 @@ region: $locations:primary
 ip_cidr_range: 10.72.0.0/24
 description: Default primary-region subnet for prod
 # flow_logs_config:
-#   aggregation_interval: "INTERVAL_15_MIN"
+#   aggregation_interval: "INTERVAL_5_SEC"
-#   flow_sampling: 0.5
+#   flow_sampling: 1.0
 #   metadata: "INCLUDE_ALL_METADATA"

fast/stages/UPGRADING.md

@@ -12,5 +12,17 @@ As usual, consider this a guideline with no guarantees. Migrations between FAST
 
 > v44.0.0 and v45.0.0 deprecated several legacy stages, refer to those releases or branches for legacy upgrading instructions. Upgrades from legacy to current stages are not directly supported.
 
+> v52.0.0 moves creation of custom constraints to `module.organization-iam` (from `module.organization`) in stage `0-org-setup`. As `moved` block is not possible and supported for this change, manual state migration is required to avoid destroying existing constraints. 
+> This can be done executing this in stage `0-org-setup`:
+> ```bash
+> constraints=$(terraform state list | grep 'module.organization\[0\].google_org_policy_custom_constraint.constraint')
+> for old in $constraints; do
+>   terraform state mv "$old" "${old/module.organization\[0\]/module.organization-iam\[0\]}"
+> done
+> ```
+> **Warning**: If you skip this step and run `terraform apply`, Terraform will destroy the existing constraints. Because deleted custom constraints cannot be immediately recreated with the same name, the subsequent creation step will fail, breaking your deployment (refer to this [documentation](https://docs.cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#delete_custom_constraint)) for more information.
+
+
 <!-- BEGIN TOC -->
 <!-- END TOC -->
+

modules/organization/org-policy-custom-constraints.tf

@@ -53,7 +53,7 @@ resource "google_org_policy_custom_constraint" "constraint" {
   display_name   = each.value.display_name
   description    = each.value.description
   action_type    = each.value.action_type
-  condition      = each.value.condition
+  condition      = templatestring(each.value.condition, var.context.condition_vars)
   method_types   = each.value.method_types
   resource_types = each.value.resource_types
 }

tests/fast/stages/s0_org_setup/simple.yaml

@@ -1759,6 +1759,20 @@ values:
     intercept_children: false
     name: vpc-sc
     org_id: '1234567890'
+  module.organization-iam[0].google_org_policy_custom_constraint.constraint["custom.denyBridgePerimeters"]:
+    action_type: DENY
+    condition: resource.perimeterType == 'PERIMETER_TYPE_BRIDGE'
+    description: Disables the use of perimeter bridges. Instead, use ingress and egress
+      rules.
+    display_name: Disable perimeter bridges
+    method_types:
+    - CREATE
+    - UPDATE
+    name: custom.denyBridgePerimeters
+    parent: organizations/1234567890
+    resource_types:
+    - accesscontextmanager.googleapis.com/ServicePerimeter
+    timeouts: null
   module.organization-iam[0].google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]:
     dry_run_spec: []
     name: organizations/1234567890/policies/cloudbuild.disableCreateDefaultServiceAccount
@@ -2678,20 +2692,6 @@ values:
     organization: '1234567890'
     storage_location: europe-west1
     timeouts: null
-  module.organization[0].google_org_policy_custom_constraint.constraint["custom.denyBridgePerimeters"]:
-    action_type: DENY
-    condition: resource.perimeterType == 'PERIMETER_TYPE_BRIDGE'
-    description: Disables the use of perimeter bridges. Instead, use ingress and egress
-      rules.
-    display_name: Disable perimeter bridges
-    method_types:
-    - CREATE
-    - UPDATE
-    name: custom.denyBridgePerimeters
-    parent: organizations/1234567890
-    resource_types:
-    - accesscontextmanager.googleapis.com/ServicePerimeter
-    timeouts: null
   module.organization[0].google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
     description: Terraform-managed.
     org_id: '1234567890'

tools/duplicate-diff.py

@@ -21,11 +21,6 @@ import os
 
 # List of folders and files that are expected to have same content
 duplicates = [
-    # deep recursive folder comparison
-    [
-        "fast/stages/0-org-setup/datasets/classic/organization/tags",
-        "fast/stages/0-org-setup/datasets/hardened/organization/tags",
-    ],
     # schemas
     [
         "fast/stages/1-vpcsc/schemas/access-level.schema.json",