Merge remote-tracking branch 'origin/master' into fast-dev

This commit is contained in:
Ludovico Magnocavallo
2026-01-30 15:54:45 +00:00
265 changed files with 2443 additions and 509 deletions

View File

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {
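Review bot: raising the floor of both `google` and `google-beta` from `>= 7.13.0` to `>= 7.17.0` changes the minimum provider every consumer of this module must have, while the `< 8.0.0` ceiling stays; please make sure the release notes mention the new minimum and that the same constraint lands in every module and stage touched by this merge (the identical hunk repeats in the following files), since a stale `.terraform.lock.hcl` pinned below 7.17.0 will fail at `terraform init`.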

View File

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

View File

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

View File

@@ -2,7 +2,7 @@
This document serves as an extension to the main **[FAST Organization Setup README](../README.md)**, detailing the specific configurations and steps required to deploy the Fabric FAST landing zone on **Google Cloud Dedicated (GCD)**.
It assumes familiarity with the standard FAST bootstrap flow but highlights the critical divergences required for the Trusted Private Cloud (TPC) environment. For a detailed overview of the differences between Google Cloud and Google Cloud Dedicated, please refer to the [official S3NS documentation](https://documentation.s3ns.fr/docs/overview/tpc-key-differences).
It assumes familiarity with the standard FAST bootstrap flow but highlights the critical divergences required for the Google Cloud Dedicated (GCD) environment.
## Configuration Reference
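Review bot: the rewritten sentence drops the link to the S3NS key-differences page, which was the only pointer readers had for the universe-specific behaviour the rest of this document depends on; if the goal is to remove the TPC naming, keep the link and update the wording instead of deleting it. Also, `Google Cloud Dedicated (GCD)` is already expanded in the previous sentence, so the second sentence can say just `GCD`.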
@@ -40,7 +40,7 @@ An IdP is configured for your organization, and you can sign in with your admini
### Repository
Clone the latest version of the repository (currently v50.0.0) or download it from the Releases page:
Clone the latest version of the repository or download it from the Releases page:
```bash
git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric.git
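Review bot: removing the hard-coded `v50.0.0` avoids the docs going stale, but the sentence now gives no hint of which release the GCD dataset was validated against; a pointer to the release tag, or to wherever the main README states the current version, keeps that information available without hard-coding it here.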
@@ -89,12 +89,25 @@ gcloud auth application-default login \
GCD requires a manual bootstrap project because organization policy services are not automatically available at the organization root during the initial setup.
1. **Create a project:** Use the Cloud Console to create a temporary project. A billing account is **not** required.
2. **Enable APIs:** Enable the `orgpolicy.googleapis.com` service within this project.
3. **Set default project:** Configure your CLI context:
```bash
gcloud config set project <TEMP_PROJECT_ID>
```
2. **Enable APIs:** Enable the the following services within this project.
```bash
gcloud services enable \
bigquery.googleapis.com \
cloudbilling.googleapis.com \
cloudresourcemanager.googleapis.com \
essentialcontacts.googleapis.com \
iam.googleapis.com \
logging.googleapis.com \
orgpolicy.googleapis.com \
serviceusage.googleapis.com
```
4. **Post-Setup Cleanup:** After the initial `0-org-setup` stage is successfully deployed, switch to the production `iac-0` project and delete this temporary bootstrap project.
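Review bot: with the old step 2 removed and the new `Enable APIs` item inserted after `Set default project`, the list now reads 1, 3, 2, 4; renumber so enabling the services comes after the project is set, which is the order the `gcloud services enable` command needs anyway. Also fix the doubled word in `Enable the the following services` and end that item with a colon, as the other items introducing a code block do.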
@@ -143,46 +156,107 @@ projects:
- networksecurity.googleapis.com
```
## 5. Managing Organization Policies
### Switch to GCD Dataset
*This section extends the [Importing org policies](../README.md#importing-org-policies) instructions.*
Create a `terraform.tfvars` file to configure the `classic-gcd` dataset. This overrides the default factory locations to use the GCD-specific configurations.
Organization policies must be adapted to account for universe-specific constraints and available services. The recommended approach is to **bypass organization policies** during the first apply and then enable them iteratively.
```terraform
factories_config = {
billing_accounts = "datasets/classic-gcd/billing-accounts"
cicd_workflows = "datasets/classic-gcd/cicd.yaml"
defaults = "datasets/classic-gcd/defaults.yaml"
folders = "datasets/classic-gcd/folders"
organization = "datasets/classic-gcd/organization"
projects = "datasets/classic-gcd/projects"
}
```
## 5. Organization Policies
### Step A: Bypass for First Apply
The `classic-gcd` dataset provides a baseline set of organization policies compatible with the GCD environment. While it works out-of-the-box, it includes fewer policies than the standard dataset. Notably, it disables domain restricted sharing (`iam.allowedPolicyMemberDomains`) as Cloud Identity is typically not present in GCD organizations. **We strongly encourage you to review the differences between the `classic` dataset and `classic-gcd`, customizing as needed.**
1. **Rename** the `organization/org-policies` folder (e.g., to `organization/org-policies.unused`).
2. **Comment out** the `org-policies` block in the `projects/iac-0.yaml` file.
3. Run `terraform apply` as described in the [First apply cycle](../README.md#first-apply-cycle) section.
### Importing Default Policies
### Step B: Iterative Import
The first `terraform apply` **must** import the default set of organization policies that are already active in your organization environment. Failure to do so may result in apply errors or unintended policy overwrites.
Once the stage is applied and you have switched credentials to the IaC service account:
To do this, you need to list the existing policies and add them to the `org_policies_imports` variable in your `terraform.tfvars`.
1. Create an empty `organization/org-policies` folder.
2. Move policy YAML files back one by one, uncommenting relevant policies.
3. **Adjust constraints:** Update policy values for GCD. For example, the `compute.trustedImageProjects` constraint must reference your universe-specific system projects:
Use the following command to generate the configuration and append it directly to your `terraform.tfvars` file:
```yaml
compute.trustedImageProjects:
rules:
- allow:
values:
# Replace UNIVERS_PREFIX with the value from the Configuration Reference table
- "is:projects/<UNIVERSE_PREFIX>-system:cos-cloud"
- "is:projects/<UNIVERSE_PREFIX>-system:debian-cloud"
- "is:projects/<UNIVERSE_PREFIX>-system:rocky-linux-cloud"
- "is:projects/<UNIVERSE_PREFIX>-system:ubuntu-os-cloud"
```bash
ORG_ID="your-org-id-here"
P=$(gcloud org-policies list --organization="$ORG_ID" --format="value(constraint)") && [ -n "$P" ] && {
printf "\norg_policies_imports = [\n"
printf "%s\n" "$P" | sed 's/.*/ "&",/'
echo "]"
} >> terraform.tfvars
```
To import pre-existing default policies without modifying them, define the constraint in your `terraform.tfvars` using the `org_policies_imports` variable:
This will append a configuration block similar to:
```terraform
org_policies_imports = [
"compute.trustedImageProjects",
"sql.restrictPublicIp",
"compute.vmExternalIpAccess",
"iam.disableServiceAccountKeyUpload",
"compute.restrictXpnProjectLienRemoval",
]
```
## 6. Deploy
## 6. Next Steps
At this point you can proceed to grant the required permissions to the bootstrap identity and perform the first Terraform run.
### Granting Permissions
Use the following commands to grant the necessary IAM roles to the principal running the deployment:
```bash
export FAST_PRINCIPAL="group:gcp-organization-admins@example.com"
# find your organization and export its id in the FAST_ORG variable
gcloud organizations list
export FAST_ORG_ID=123456
# set needed roles (billing role only needed for organization-owned account)
export FAST_ROLES="\
roles/billing.admin \
roles/logging.admin \
roles/iam.organizationRoleAdmin \
roles/orgpolicy.policyAdmin \
roles/resourcemanager.folderAdmin \
roles/resourcemanager.organizationAdmin \
roles/resourcemanager.projectCreator \
roles/resourcemanager.tagAdmin \
roles/owner"
for role in $FAST_ROLES; do
gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
--member $FAST_PRINCIPAL --role $role --condition None
done
```
### First Apply
Initialize and apply the configuration:
```bash
terraform init
terraform apply
```
Once the apply completes successfully, continue with the [Provider setup and final apply cycle](../README.md#provider-setup-and-final-apply-cycle) instructions in the main README.
## 7. Next Steps
Once the **Organization Setup** stage is fully deployed:
1. **Delete Temporary Project:** You can now safely delete the temporary bootstrap project created in Step 3. Also remember to set your default gcloud project to the IAC project.
```bash
gcloud projects delete <TEMP_PROJECT_ID>
gcloud config set project <IAC_PROJECT_ID>
```
2. **Proceed to Next Stages:** Continue with the subsequent FAST stages (VPC-SC, Security, Networking, Project Factory). The universe configuration established here is automatically propagated to these stages via the FAST cross-stage output mechanism.
Once the **Organization Setup** stage is fully deployed, you can proceed with subsequent stages (VPC-SC, Security, Networking, Project Factory). The universe configuration established here is automatically propagated to these stages via the FAST cross-stage output mechanism.
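Review bot: two mismatches in the new text: the YAML comment says `Replace UNIVERS_PREFIX` while the values use `<UNIVERSE_PREFIX>`, and the permissions block comment says `export its id in the FAST_ORG variable` while the variable actually set is `FAST_ORG_ID`. The `org_policies_imports` generator chains `&& [ -n "$P" ] && { ... } >> terraform.tfvars`, so a failed or empty `gcloud org-policies list` appends nothing and the import of pre-existing policies is skipped without any signal; fail loudly instead, e.g. `|| { echo "no org policies listed for $ORG_ID" >&2; exit 1; }`. Lastly, Step A has users move `organization/org-policies` out of the way for the first apply and the `classic-gcd` dataset disables `iam.allowedPolicyMemberDomains`, so the document should state explicitly that the first apply runs with no org-policy guardrails and that the missing domain restriction needs a compensating control, rather than leaving it at `customizing as needed`.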

View File

@@ -0,0 +1,46 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../schemas/billing-account.schema.json
id: $defaults:billing_account
# authoritative IAM must be used with care here, as it resets permissions
# three modes of managing billing IAM
# - at the org level (don't set anything here, set roles in the org)
# - at the billing account level (set the roles below)
# - no admin access to billing account (don't set roles here or in org)
iam_bindings_additive:
billing_admin_org_admins:
role: roles/billing.admin
member: $iam_principals:gcp-organization-admins
billing_admin_org_sa:
role: roles/billing.admin
member: $iam_principals:service_accounts/iac-0/iac-org-rw
billing_viewer_org_ro:
role: roles/billing.viewer
member: $iam_principals:service_accounts/iac-0/iac-org-ro
billing_user_security_sa:
role: roles/billing.user
member: $iam_principals:service_accounts/iac-0/iac-security-rw
billing_user_networking_sa:
role: roles/billing.user
member: $iam_principals:service_accounts/iac-0/iac-networking-rw
billing_user_pf_sa:
role: roles/billing.user
member: $iam_principals:service_accounts/iac-0/iac-pf-rw
# logging_sinks:
# test:
# description: Test sink
# destination: $project_ids:log-0
# type: project

View File

@@ -0,0 +1,36 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../schemas/cicd-workflows.schema.json
org-setup:
provider_files:
apply: 0-org-setup-providers.tf
plan: 0-org-setup-providers-ro.tf
repository:
name: myorg/0-org-setup
type: github
apply_branches:
- master
- fast-dev
service_accounts:
apply: $iam_principals:service_accounts/iac-0/iac-org-cicd-rw
plan: $iam_principals:service_accounts/iac-0/iac-org-cicd-ro
tfvars_files:
- 0-org-setup.auto.tfvars
workload_identity:
pool: $workload_identity_pools:iac-0/default
provider: $workload_identity_providers:iac-0/default/github-default
iam_principalsets:
template: github
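Review bot: `apply_branches` lists both `master` and `fast-dev`, so a push to the development branch would run the apply workflow with the `iac-org-cicd-rw` identity against the organization; for a dataset users copy as a starting point, `master` alone (or a comment saying `fast-dev` exists only for this repository's own testing) is the safer default. `myorg/0-org-setup` should also be flagged as a placeholder, as the other dataset files do with `<...>` tokens.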

View File

@@ -0,0 +1,103 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../schemas/defaults.schema.json
global:
# use `gcloud beta billing accounts list` to populate
billing_account: ABCDEF-0123456-ABCDEF
organization:
# use `gcloud organizations list`` to populate
domain: fast-test-00.example.com
id: 1234567890
projects:
defaults:
# prefix must be unique and less than 9 characters
prefix: test00
locations:
bigquery: $locations:primary
logging: $locations:primary
storage: $locations:primary
overrides:
universe:
# Replace with values from the Configuration Reference table in ../../README-GCD.md
domain: <UNIVERSE_API_DOMAIN>
prefix: <UNIVERSE_PREFIX>
forced_jit_service_identities:
- compute.googleapis.com
unavailable_service_identities:
- dns.googleapis.com
- monitoring.googleapis.com
- networksecurity.googleapis.com
context:
# you can populate context variables here for use in YAML replacements
email_addresses:
gcp-organization-admins: gcp-organization-admins@example.com
iam_principals:
# this is the default group used in bootstrap, initial user must be a member
gcp-organization-admins: group:gcp-organization-admins@example.com
locations:
# Replace with values from the Configuration Reference table
primary: <UNIVERSE_REGION>
output_files:
# local path is optional but recommended when starting
local_path: ~/fast-config/fast-test-00
storage_bucket: $storage_buckets:iac-0/iac-outputs
providers:
0-org-setup:
bucket: $storage_buckets:iac-0/iac-org-state
service_account: $iam_principals:service_accounts/iac-0/iac-org-rw
0-org-setup-ro:
bucket: $storage_buckets:iac-0/iac-org-state
service_account: $iam_principals:service_accounts/iac-0/iac-org-ro
1-vpcsc:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 1-vpcsc
service_account: $iam_principals:service_accounts/iac-0/iac-vpcsc-rw
1-vpcsc-ro:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 1-vpcsc
service_account: $iam_principals:service_accounts/iac-0/iac-vpcsc-ro
2-networking:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 2-networking
service_account: $iam_principals:service_accounts/iac-0/iac-networking-rw
2-networking-ro:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 2-networking
service_account: $iam_principals:service_accounts/iac-0/iac-networking-ro
2-security:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 2-security
service_account: $iam_principals:service_accounts/iac-0/iac-security-rw
2-security-ro:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 2-security
service_account: $iam_principals:service_accounts/iac-0/iac-security-ro
2-project-factory:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 2-project-factory
service_account: $iam_principals:service_accounts/iac-0/iac-pf-rw
2-project-factory-ro:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 2-project-factory
service_account: $iam_principals:service_accounts/iac-0/iac-pf-ro
3-data-platform-dev:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 3-data-platform-dev
service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
3-data-platform-dev-ro:
bucket: $storage_buckets:iac-0/iac-stage-state
prefix: 3-data-platform-dev
service_account: $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
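Review bot: the comment `use `gcloud organizations list`` to populate` has a stray backtick. The copyright header says 2026 while every other new file in this dataset says 2025; pick one. The `billing_account`, `domain`, `id` and `prefix` values are example data, whereas `universe.domain`, `universe.prefix` and `locations.primary` are `<PLACEHOLDER>` tokens that will not resolve if left in; using the same angle-bracket convention for every value the user must replace makes a forgotten `ABCDEF-0123456-ABCDEF` just as obvious.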

View File

@@ -0,0 +1,17 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/folder.schema.json
name: Data Platform

View File

@@ -0,0 +1,29 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
name: Development
iam_by_principals:
$iam_principals:service_accounts/iac-0/iac-dp-dev-rw:
- roles/logging.admin
- roles/owner
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.projectCreator
- roles/compute.xpnAdmin
$iam_principals:service_accounts/iac-0/iac-dp-dev-ro:
- roles/viewer
- roles/resourcemanager.folderViewer
tag_bindings:
environment: $tag_values:environment/development
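Review bot: the role list for `iac-dp-dev-rw` is not sorted like the other folder files (`roles/compute.xpnAdmin` sits after the `resourcemanager` roles), and `roles/owner` together with `roles/compute.xpnAdmin` on the Development folder is a wide grant for a data-platform automation identity; a short comment on why `xpnAdmin` is needed here in addition to the tag-conditioned `service_project_network_admin` grant defined on the Networking folder would make the intent reviewable.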

View File

@@ -0,0 +1,19 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
name: Production
tag_bindings:
environment: $tag_values:environment/production

View File

@@ -0,0 +1,62 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/folder.schema.json
name: Networking
iam_by_principals:
$iam_principals:service_accounts/iac-0/iac-networking-rw:
- roles/compute.xpnAdmin
- roles/logging.admin
- roles/owner
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.projectCreator
- roles/resourcemanager.tagUser
$iam_principals:service_accounts/iac-0/iac-networking-ro:
- roles/resourcemanager.folderViewer
- roles/resourcemanager.tagViewer
- roles/viewer
$iam_principals:service_accounts/iac-0/iac-pf-rw:
- $custom_roles:service_project_network_admin
$iam_principals:service_accounts/iac-0/iac-pf-ro:
- roles/compute.viewer
- $custom_roles:project_iam_viewer
iam_bindings:
dp_dev_rw:
members:
- $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
role: $custom_roles:service_project_network_admin
condition:
expression: |
resource.matchTag('${organization.id}/environment', 'development')
title: Data platform dev service project admin.
dp_dev_ro:
role: roles/compute.networkViewer
members:
- $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
condition:
title: Data platform dev network viewer.
expression: |
resource.matchTag('${organization.id}/environment', 'development')
project_factory:
role: roles/resourcemanager.projectIamAdmin
members:
- $iam_principals:service_accounts/iac-0/iac-pf-rw
condition:
title: Project factory delegated IAM grant.
expression: |
api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',
'roles/container.hostServiceAgentUser', 'roles/vpcaccess.user'
])
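Review bot: key order in `dp_dev_rw` (`members`, `role`, `condition` with `expression` before `title`) differs from `dp_dev_ro` and `project_factory` in the same file; align them. The delegated `projectIamAdmin` grant correctly limits `iac-pf-rw` via `hasOnly` to the four Shared VPC roles, but `dp_dev_rw` gives the custom `service_project_network_admin` role across the whole Networking folder gated only by the `environment=development` tag, so any host project tagged development becomes usable by the data-platform service account; a comment stating that this is the intended scope would avoid surprises.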

View File

@@ -0,0 +1,33 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
name: Development
iam:
$custom_roles:project_iam_viewer:
- $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
iam_bindings:
dp_dev:
role: roles/resourcemanager.projectIamAdmin
members:
- $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
condition:
title: Data platform dev delegated IAM grant.
expression: |
api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
'${custom_roles.service_project_network_admin}'
])
tag_bindings:
environment: $tag_values:environment/development
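Review bot: the `hasOnly` list uses `'${custom_roles.service_project_network_admin}'` while the sibling files spell role names literally; please confirm the interpolation expands to the fully qualified `organizations/<ORG_ID>/roles/...` id that `modifiedGrantsByRole` compares against, because if it resolved to a bare role name the condition would never be satisfied and the binding would simply never apply.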

View File

@@ -0,0 +1,19 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
name: Production
tag_bindings:
environment: $tag_values:environment/production

View File

@@ -0,0 +1,44 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/folder.schema.json
name: Security
iam_by_principals:
$iam_principals:service_accounts/iac-0/iac-security-rw:
- roles/logging.admin
- roles/owner
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.projectCreator
- roles/resourcemanager.tagUser
$iam_principals:service_accounts/iac-0/iac-security-ro:
- roles/viewer
- roles/resourcemanager.folderViewer
- roles/resourcemanager.tagViewer
$iam_principals:service_accounts/iac-0/iac-pf-rw:
- roles/cloudkms.cryptoKeyEncrypterDecrypter
$iam_principals:service_accounts/iac-0/iac-pf-ro:
- roles/cloudkms.viewer
- $custom_roles:project_iam_viewer
iam_bindings:
project_factory:
role: roles/resourcemanager.projectIamAdmin
members:
- $iam_principals:service_accounts/iac-0/iac-pf-rw
condition:
title: Project factory delegated IAM grant.
expression: |
api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
'roles/cloudkms.cryptoKeyEncrypterDecrypter'
])

View File

@@ -0,0 +1,20 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../0-org-setup/schemas/folder.schema.json
name: Development
parent: $folder_ids:security
tag_bindings:
environment: $tag_values:environment/development
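Review bot: the `$schema` path points at `../../../../0-org-setup/schemas/folder.schema.json` whereas the other folder files in this merge use `../../../../../schemas/folder.schema.json`, and this file sets `parent: $folder_ids:security` explicitly while the nested Development/Production folders elsewhere rely on directory placement; if these two files live in another stage's data directory, a comment saying so would explain both differences and prevent someone "fixing" the path.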

View File

@@ -0,0 +1,20 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../0-org-setup/schemas/folder.schema.json
name: Production
parent: $folder_ids:security
tag_bindings:
environment: $tag_values:environment/production

View File

@@ -0,0 +1,32 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/folder.schema.json
name: Teams
iam_by_principals:
$iam_principals:service_accounts/iac-0/iac-pf-rw:
- roles/owner
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.projectCreator
- roles/resourcemanager.tagUser
- $custom_roles:service_project_network_admin
$iam_principals:service_accounts/iac-0/iac-pf-ro:
# uncomment if you want to use Assured Workloads
# - roles/assuredworkloads.reader
- roles/viewer
- roles/resourcemanager.folderViewer
- roles/resourcemanager.tagViewer
tag_bindings:
context: $tag_values:context/project-factory

View File

@@ -0,0 +1,145 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# TODO: data access logs
# yaml-language-server: $schema=../../../schemas/organization.schema.json
id: $defaults:organization/id
contacts:
$email_addresses:gcp-organization-admins:
- ALL
# conditional authoritative IAM bindings
iam_bindings:
# these don't conflict with IAM / IAM by principal
pf_org_policy_admin:
role: roles/orgpolicy.policyAdmin
members:
- $iam_principals:service_accounts/iac-0/iac-pf-rw
condition:
expression: resource.matchTag('${organization.id}/context', 'project-factory')
title: Project factory org policy admin
pf_org_policy_viewer:
role: roles/orgpolicy.policyViewer
members:
- $iam_principals:service_accounts/iac-0/iac-pf-ro
condition:
expression: resource.matchTag('${organization.id}/context', 'project-factory')
title: Project factory org policy viewer
# authoritative IAM bindings by principal
iam_by_principals:
$iam_principals:gcp-organization-admins:
- roles/cloudasset.owner
- roles/cloudsupport.admin
- roles/cloudsupport.techSupportEditor
- roles/compute.osAdminLogin
- roles/compute.osLoginExternalUser
- roles/compute.xpnAdmin
- roles/orgpolicy.policyAdmin
- roles/owner
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.organizationAdmin
- roles/resourcemanager.projectCreator
- roles/resourcemanager.tagAdmin
- roles/iam.workforcePoolAdmin
$iam_principals:service_accounts/iac-0/iac-org-rw:
- roles/accesscontextmanager.policyAdmin
- roles/cloudasset.viewer
- roles/essentialcontacts.admin
- roles/iam.organizationRoleAdmin
- roles/iam.workforcePoolAdmin
- roles/logging.admin
- roles/orgpolicy.policyAdmin
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.organizationAdmin
- roles/resourcemanager.projectCreator
- roles/resourcemanager.projectMover
- roles/resourcemanager.tagAdmin
- roles/resourcemanager.tagUser
$iam_principals:service_accounts/iac-0/iac-org-ro:
- roles/cloudasset.viewer
- roles/essentialcontacts.viewer
- roles/iam.organizationRoleViewer
- roles/iam.workforcePoolViewer
- roles/logging.viewer
- roles/orgpolicy.policyViewer
- roles/resourcemanager.folderViewer
- roles/resourcemanager.tagViewer
- roles/serviceusage.serviceUsageViewer
- $custom_roles:organization_admin_viewer
- $custom_roles:tag_viewer
$iam_principals:service_accounts/iac-0/iac-networking-rw:
# uncomment for cooperative VPC-SC configurations
# - roles/accesscontextmanager.policyEditor
- roles/compute.orgFirewallPolicyAdmin
- roles/compute.xpnAdmin
$iam_principals:service_accounts/iac-0/iac-networking-ro:
# uncomment for cooperative VPC-SC configurations
# - roles/accesscontextmanager.policyViewer
- roles/compute.orgFirewallPolicyUser
- roles/compute.viewer
# uncomment for cooperative VPC-SC configurations
# $iam_principals:service_accounts/iac-0/iac-pw-rw:
# - roles/accesscontextmanager.policyEditor
# uncomment if you want to use Assured Workloads
# $iam_principals:service_accounts/iac-0/iac-pf-rw:
# - roles/assuredworkloads.editor
$iam_principals:service_accounts/iac-0/iac-security-rw:
# uncomment for cooperative VPC-SC configurations
# - roles/accesscontextmanager.policyEditor
- roles/cloudasset.viewer
$iam_principals:service_accounts/iac-0/iac-security-ro:
# uncomment for cooperative VPC-SC configurations
# - roles/accesscontextmanager.policyViewer
- roles/cloudasset.viewer
$iam_principals:service_accounts/iac-0/iac-vpcsc-rw:
- roles/accesscontextmanager.policyAdmin
- roles/cloudasset.viewer
$iam_principals:service_accounts/iac-0/iac-vpcsc-ro:
- roles/accesscontextmanager.policyReader
- roles/cloudasset.viewer
# Uncomment if you want to use PAM.
# $service_agents:pam:
# - roles/privilegedaccessmanager.serviceAgent
data_access_logs:
sts.googleapis.com:
ADMIN_READ: {}
logging:
# disable_default_log_sink: false
storage_location: $locations:primary
sinks:
audit-logs:
# description: foo
# exclusions: {}
destination: $log_buckets:log-0/audit-logs
filter: |
log_id("cloudaudit.googleapis.com/activity") OR
log_id("cloudaudit.googleapis.com/system_event") OR
log_id("cloudaudit.googleapis.com/policy") OR
log_id("cloudaudit.googleapis.com/access_transparency")
iam:
destination: $log_buckets:log-0/iam
filter: |
protoPayload.serviceName="iamcredentials.googleapis.com" OR
protoPayload.serviceName="iam.googleapis.com" OR
protoPayload.serviceName="sts.googleapis.com"
vpc-sc:
destination: $log_buckets:log-0/vpc-sc
filter: |
protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
# authoritative IAM bindings by role
# these are internally merged with IAM by principal
iam:
# reset default role on new organizations
roles/billing.creator: []
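Review bot: the `audit-logs` sink still carries placeholder comments (`# description: foo`, `# exclusions: {}`) that read as leftovers from a template; either drop them or replace them with a real description. Minor style point on the same hunk: `# Uncomment if you want to use PAM.` uses a capital letter and a trailing period while the other hints in this file are written `# uncomment ...`; align them.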

View File

@@ -0,0 +1,24 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
name: networkFirewallPoliciesAdmin
includedPermissions:
- compute.networks.setFirewallPolicy
- networksecurity.firewallEndpointAssociations.create
- networksecurity.firewallEndpointAssociations.delete
- networksecurity.firewallEndpointAssociations.get
- networksecurity.firewallEndpointAssociations.list
- networksecurity.firewallEndpointAssociations.update
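Review bot: this role file lacks the one-line header comment the sibling role files use to say which service account consumes it (`# this is used by the networking SA ...`); add one. The name `networkFirewallPoliciesAdmin` suggests firewall policies, but five of the six permissions are `networksecurity.firewallEndpointAssociations.*`, so the comment should also say the role covers attaching NGFW endpoints to VPC networks.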

View File

@@ -0,0 +1,49 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
# this is used by the networking SA to deploy NGFW Enterprise through the addon
name: ngfwEnterpriseAdmin
includedPermissions:
- networksecurity.firewallEndpoints.create
- networksecurity.firewallEndpoints.delete
- networksecurity.firewallEndpoints.get
- networksecurity.firewallEndpoints.list
- networksecurity.firewallEndpoints.update
- networksecurity.firewallEndpoints.use
- networksecurity.locations.get
- networksecurity.locations.list
- networksecurity.operations.cancel
- networksecurity.operations.delete
- networksecurity.operations.get
- networksecurity.operations.list
- networksecurity.securityProfileGroups.create
- networksecurity.securityProfileGroups.delete
- networksecurity.securityProfileGroups.get
- networksecurity.securityProfileGroups.list
- networksecurity.securityProfileGroups.update
- networksecurity.securityProfileGroups.use
- networksecurity.securityProfiles.create
- networksecurity.securityProfiles.delete
- networksecurity.securityProfiles.get
- networksecurity.securityProfiles.list
- networksecurity.securityProfiles.update
- networksecurity.securityProfiles.use
- networksecurity.tlsInspectionPolicies.create
- networksecurity.tlsInspectionPolicies.delete
- networksecurity.tlsInspectionPolicies.get
- networksecurity.tlsInspectionPolicies.list
- networksecurity.tlsInspectionPolicies.update
- networksecurity.tlsInspectionPolicies.use
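Review bot: `ngfwEnterpriseAdmin` covers endpoints, security profiles, profile groups and TLS inspection policies but not `networksecurity.firewallEndpointAssociations.*`, which this same commit places in `networkFirewallPoliciesAdmin`; a cross-referencing comment would stop someone granting only this role to the networking SA and then failing on endpoint association. Also check whether `networksecurity.operations.cancel` and `networksecurity.operations.delete` are needed for a Terraform-driven deployment, or can be dropped to keep the role minimal.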

View File

@@ -0,0 +1,35 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
# this is used by the networking SA to deploy NGFW Enterprise through the addon
name: ngfwEnterpriseViewer
includedPermissions:
- networksecurity.firewallEndpoints.get
- networksecurity.firewallEndpoints.list
- networksecurity.firewallEndpoints.use
- networksecurity.locations.get
- networksecurity.locations.list
- networksecurity.operations.get
- networksecurity.operations.list
- networksecurity.securityProfileGroups.get
- networksecurity.securityProfileGroups.list
- networksecurity.securityProfileGroups.use
- networksecurity.securityProfiles.get
- networksecurity.securityProfiles.list
- networksecurity.securityProfiles.use
- networksecurity.tlsInspectionPolicies.get
- networksecurity.tlsInspectionPolicies.list
- networksecurity.tlsInspectionPolicies.use
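Review bot: a role named `ngfwEnterpriseViewer` includes `networksecurity.firewallEndpoints.use`, `networksecurity.securityProfileGroups.use`, `networksecurity.securityProfiles.use` and `networksecurity.tlsInspectionPolicies.use`; `use` permissions allow attaching these resources to other resources and are not read-only. If the read-only networking SA only runs plans, drop the four `.use` lines; otherwise state in the header comment why a viewer role needs them.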

View File

@@ -0,0 +1,34 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
# this is used by the plan-only admin SA
name: organizationAdminViewer
includedPermissions:
- essentialcontacts.contacts.get
- essentialcontacts.contacts.list
- logging.settings.get
- orgpolicy.constraints.list
- orgpolicy.policies.list
- orgpolicy.policy.get
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- storage.buckets.getIamPolicy
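Review bot: `organizationAdminViewer` is described as the role for the plan-only admin SA, yet the only logging permission it carries is `logging.settings.get`; the organization configuration in this commit defines log sinks and data access log settings, so confirm whether the plan-only SA gets a predefined logging viewer role elsewhere, or whether `logging.sinks.get` and `logging.sinks.list` belong in this list.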

View File

@@ -0,0 +1,22 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
# this is needed for use in additive IAM bindings, to avoid conflicts
name: organizationIamAdmin
includedPermissions:
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
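Review bot: `resourcemanager.organizations.setIamPolicy` makes this custom role equivalent in power to Organization Administrator, since a holder can grant any role at the organization, including to themselves. The header comment explains the additive-binding motivation, but it should also state that `organizationIamAdmin` is a top-tier privilege whose bindings need the same review as `roles/resourcemanager.organizationAdmin`.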

View File

@@ -0,0 +1,24 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
# this is used by the plan-only admin SA
name: projectIamViewer
includedPermissions:
- iam.policybindings.get
- iam.policybindings.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.searchPolicyBindings

View File

@@ -0,0 +1,33 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
name: serviceProjectNetworkAdmin
includedPermissions:
- compute.globalOperations.get
# compute.networks.updatePeering and compute.networks.get are
# used by automation service accounts who manage service
# projects where peering creation might be needed (e.g. GKE). If
# you remove them your network administrators should create
# peerings for service projects
- compute.networks.updatePeering
- compute.networks.get
- compute.organizations.disableXpnResource
- compute.organizations.enableXpnResource
- compute.projects.get
- compute.subnetworks.getIamPolicy
- compute.subnetworks.setIamPolicy
- dns.networks.bindPrivateDNSZone
- resourcemanager.projects.get
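Review bot: `compute.subnetworks.setIamPolicy` together with `compute.organizations.enableXpnResource` lets a holder attach any project to the host and grant subnet access on it, so this role should only ever be bound on the Shared VPC host project, not at folder or organization level. Add a header comment like the other role files (`# this is used by ...`) naming the intended consumer and scope; the inline comment on the peering permissions is good and could be extended with that information.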

View File

@@ -0,0 +1,33 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
# the following permissions are a descoped version of storage.admin
name: storageViewer
includedPermissions:
- storage.buckets.get
- storage.buckets.getIamPolicy
- storage.buckets.getObjectInsights
- storage.buckets.list
- storage.buckets.listEffectiveTags
- storage.buckets.listTagBindings
- storage.managedFolders.get
- storage.managedFolders.getIamPolicy
- storage.managedFolders.list
- storage.multipartUploads.list
- storage.multipartUploads.listParts
- storage.objects.get
- storage.objects.getIamPolicy
- storage.objects.list
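Review bot: the header says these permissions are a descoped `storage.admin`, but the role still grants `storage.objects.get`, so the read-only SAs bound to it can read full Terraform state contents, which may carry sensitive values. That is required for plans, so keep it, but say so in the comment so nobody treats `storageViewer` as a low-sensitivity grant. `storage.buckets.getObjectInsights` also looks out of place for a state-bucket reader; confirm it is needed.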

View File

@@ -0,0 +1,26 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
# the following permissions are a descoped version of tagAdm
name: tagViewer
includedPermissions:
- resourcemanager.tagHolds.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.list
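Review bot: the header comment `descoped version of tagAdm` is truncated; it should read `tagAdmin` (`roles/resourcemanager.tagAdmin`) so the reference resolves for the reader.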

View File

@@ -0,0 +1,31 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# sample subset of useful organization policies, edit to suit requirements
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
cloudbuild.disableCreateDefaultServiceAccount:
rules:
- enforce: true
cloudbuild.useBuildServiceAccount:
rules:
- enforce: true
cloudbuild.useComputeServiceAccount:
rules:
- enforce: true

View File

@@ -0,0 +1,147 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# sample subset of useful organization policies, edit to suit requirements
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
compute.disableGuestAttributesAccess:
rules:
- enforce: true
compute.disableInternetNetworkEndpointGroup:
rules:
- enforce: true
compute.disableNestedVirtualization:
rules:
- enforce: true
compute.disableSerialPortAccess:
rules:
- enforce: true
compute.disableVpcExternalIpv6:
rules:
- enforce: true
compute.requireOsLogin:
rules:
- enforce: true
compute.restrictLoadBalancerCreationForTypes:
rules:
- allow:
values:
- in:INTERNAL
# GCD does not create a default network
# The following needs to be commented out for GCD deployments
# compute.skipDefaultNetworkCreation:
# rules:
# - enforce: true
compute.setNewProjectDefaultToZonalDNSOnly:
rules:
- enforce: true
# only allow GCP images by default
# The following needs to be commented out for GCD deployments
# compute.trustedImageProjects:
# rules:
# - allow:
# values:
# - "is:projects/centos-cloud"
# - "is:projects/cos-cloud"
# - "is:projects/debian-cloud"
# - "is:projects/fedora-cloud"
# - "is:projects/fedora-coreos-cloud"
# - "is:projects/opensuse-cloud"
# - "is:projects/rhel-cloud"
# - "is:projects/rhel-sap-cloud"
# - "is:projects/rocky-linux-cloud"
# - "is:projects/suse-cloud"
# - "is:projects/suse-sap-cloud"
# - "is:projects/ubuntu-os-cloud"
# - "is:projects/ubuntu-os-pro-cloud"
# - "is:projects/windows-cloud"
# - "is:projects/windows-sql-cloud"
# - "is:projects/confidential-vm-images"
# - "is:projects/confidential-space-images"
# - "is:projects/backupdr-images"
# - "is:projects/deeplearning-platform-release"
# - "is:projects/serverless-vpc-access-images"
# - "is:projects/gke-node-images"
# - "is:projects/gke-windows-node-images"
# - "is:projects/ubuntu-os-gke-cloud"
compute.vmExternalIpAccess:
rules:
- deny:
all: true
# compute.disableInternetNetworkEndpointGroup:
# rules:
# - enforce: true
# compute.restrictCloudNATUsage:
# rules:
# - deny:
# all: true
# compute.restrictDedicatedInterconnectUsage:
# rules:
# - deny:
# all: true
# compute.restrictPartnerInterconnectUsage:
# rules:
# - deny:
# all: true
compute.restrictProtocolForwardingCreationForTypes:
rules:
- allow:
values:
- is:INTERNAL
# compute.restrictSharedVpcHostProjects:
# rules:
# - deny:
# all: true
# compute.restrictSharedVpcSubnetworks:
# rules:
# - deny:
# all: true
# compute.restrictVpcPeering:
# rules:
# - deny:
# all: true
# compute.restrictVpnPeerIPs:
# rules:
# - deny:
# all: true
# compute.restrictXpnProjectLienRemoval:
# rules:
# - enforce: true
# compute.vmCanIpForward:
# rules:
# - deny:
# all: true
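Review bot: `compute.disableInternetNetworkEndpointGroup` is enforced near the top of the file and then appears again further down as a commented-out block; remove the second copy so it is clear the policy is active. Separately, `compute.trustedImageProjects` is commented out with the note that GCD requires it, which removes the image allow-list entirely; the comment should say which image sources are trusted on GCD instead, or how that control is handled there.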

View File

@@ -0,0 +1,35 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# sample subset of useful organization policies, edit to suit requirements
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
essentialcontacts.allowedContactDomains:
rules:
- allow:
values:
- '@${organization.domain}'
condition:
title: Restrict essential contacts domains
expression: |
!resource.matchTag('${organization.id}/org-policies', 'allowed-essential-contacts-domains-all')
- allow:
all: true
condition:
title: Allow essential contacts from any domain
expression: |
resource.matchTag('${organization.id}/org-policies', 'allowed-essential-contacts-domains-all')

View File

@@ -0,0 +1,87 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# sample subset of useful organization policies, edit to suit requirements
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
# The following needs to be commented out for GCD deployments
# iam.allowedPolicyMemberDomains:
# rules:
# - allow:
# values:
# - is:${organization.customer_id}
# condition:
# title: Restrict member domains
# expression: |
# !resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')
# - allow:
# all: true
# condition:
# title: Allow any member domain
# expression: |
# resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')
# For Workforce identity use-cases:
# Switch from the above iam.allowedPolicyMemberDomains to the below iam.managed.allowedPolicyMembers configuration
# To allow principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID IAM assignments
#iam.managed.allowedPolicyMembers:
# rules:
# - enforce: false
# condition:
# title: Allow any member domain
# expression: |
# resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')
# - parameters: '{"allowedMemberSubjects": ["is:${organization.customer_id}"], "allowedPrincipalSets": ["//cloudresourcemanager.googleapis.com/organizations/${organization.id}"]}'
# enforce: true
iam.disableAuditLoggingExemption:
rules:
- enforce: true
iam.automaticIamGrantsForDefaultServiceAccounts:
rules:
- enforce: true
iam.disableServiceAccountKeyCreation:
rules:
- enforce: true
iam.disableServiceAccountKeyUpload:
rules:
- enforce: true
# The following needs to be commented out for GCD deployments
# iam.managed.disableServiceAccountApiKeyCreation:
# rules:
# - enforce: true
iam.serviceAccountKeyExposureResponse:
rules:
- allow:
values:
- is:DISABLE_KEY
iam.workloadIdentityPoolAwsAccounts:
rules:
- deny:
all: true
iam.workloadIdentityPoolProviders:
rules:
- deny:
all: true
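Review bot: commenting out `iam.allowedPolicyMemberDomains` for GCD removes domain restricted sharing at the organization level, so any identity can be granted IAM roles; the comment says the block must be disabled but not why or what compensates. State the reason and point at the alternative (the `iam.managed.allowedPolicyMembers` block below it, if that constraint is available on GCD). Minor style: `#iam.managed.allowedPolicyMembers:` lacks the space after `#` that the other commented blocks use.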

View File

@@ -0,0 +1,27 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# sample subset of useful organization policies, edit to suit requirements
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
sql.restrictAuthorizedNetworks:
rules:
- enforce: true
sql.restrictPublicIp:
rules:
- enforce: true

View File

@@ -0,0 +1,37 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# sample subset of useful organization policies, edit to suit requirements
# start of document (---) avoids errors if the file only contains comments
# yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
storage.uniformBucketLevelAccess:
rules:
- enforce: true
storage.publicAccessPrevention:
rules:
- enforce: true
storage.secureHttpTransport:
rules:
- enforce: true
storage.restrictAuthTypes:
rules:
- deny:
values:
- in:ALL_HMAC_SIGNED_REQUESTS

View File

@@ -0,0 +1,23 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/tags.schema.json
description: "Organization-level contexts."
# iam:
# "roles/resourcemanager.tagViewer":
# - "group:finance-team@example.com"
values:
project-factory:
description: "Project factory."

View File

@@ -0,0 +1,43 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/tags.schema.json
description: "Organization-level environments."
# iam:
# "roles/resourcemanager.tagViewer":
# - "group:finance-team@example.com"
values:
development:
description: "Development."
iam:
"roles/resourcemanager.tagUser":
- $iam_principals:service_accounts/iac-0/iac-networking-rw
- $iam_principals:service_accounts/iac-0/iac-security-rw
- $iam_principals:service_accounts/iac-0/iac-pf-rw
"roles/resourcemanager.tagViewer":
- $iam_principals:service_accounts/iac-0/iac-networking-ro
- $iam_principals:service_accounts/iac-0/iac-security-ro
- $iam_principals:service_accounts/iac-0/iac-pf-ro
production:
description: "Production."
iam:
"roles/resourcemanager.tagUser":
- $iam_principals:service_accounts/iac-0/iac-networking-rw
- $iam_principals:service_accounts/iac-0/iac-security-rw
- $iam_principals:service_accounts/iac-0/iac-pf-rw
"roles/resourcemanager.tagViewer":
- $iam_principals:service_accounts/iac-0/iac-networking-ro
- $iam_principals:service_accounts/iac-0/iac-security-ro
- $iam_principals:service_accounts/iac-0/iac-pf-ro

View File

@@ -0,0 +1,25 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/tags.schema.json
description: "Organization policy condition tags."
# iam:
# "roles/resourcemanager.tagViewer":
# - "group:finance-team@example.com"
values:
allowed-essential-contacts-domains-all:
description: "Allow all domains in essntial contacts org policy."
allowed-policy-member-domains-all:
description: "Allow all domains in DRS org policy."
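Review bot: typo in the `allowed-essential-contacts-domains-all` description: `essntial` should be `essential`. Also, `allowed-policy-member-domains-all` conditions the DRS org policy, which this same commit comments out for GCD in the iam org-policies file, so the tag value has no effect unless that policy is re-enabled; a note in its description would avoid confusion.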

View File

@@ -0,0 +1,29 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/project.schema.json
name: prod-billing-exp-0
iam_by_principals:
$iam_principals:service_accounts/iac-0/iac-org-ro:
- roles/viewer
$iam_principals:service_accounts/iac-0/iac-org-rw:
- roles/owner
services:
- bigquery.googleapis.com
- bigquerydatatransfer.googleapis.com
- storage.googleapis.com
datasets:
billing_export:
friendly_name: Billing export

View File

@@ -0,0 +1,213 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/project.schema.json
# TODO: data access logs configuration
name: prod-iac-core-0
iam_by_principals:
$iam_principals:gcp-organization-admins:
- roles/iam.serviceAccountTokenCreator
- roles/iam.workloadIdentityPoolAdmin
$iam_principals:service_accounts/iac-0/iac-org-ro:
- roles/browser
- roles/cloudbuild.builds.viewer
- roles/iam.serviceAccountViewer
- roles/iam.workloadIdentityPoolViewer
- $custom_roles:storage_viewer
- roles/viewer
$iam_principals:service_accounts/iac-0/iac-org-rw:
- roles/cloudbuild.builds.editor
- roles/iam.serviceAccountAdmin
- roles/iam.workloadIdentityPoolAdmin
- roles/owner
- roles/storage.admin
$iam_principals:service_accounts/iac-0/iac-networking-rw:
- roles/serviceusage.serviceUsageConsumer
$iam_principals:service_accounts/iac-0/iac-networking-ro:
- roles/serviceusage.serviceUsageConsumer
$iam_principals:service_accounts/iac-0/iac-pf-rw:
- roles/serviceusage.serviceUsageConsumer
$iam_principals:service_accounts/iac-0/iac-pf-ro:
- roles/serviceusage.serviceUsageConsumer
$iam_principals:service_accounts/iac-0/iac-security-rw:
- roles/serviceusage.serviceUsageConsumer
$iam_principals:service_accounts/iac-0/iac-security-ro:
- roles/serviceusage.serviceUsageConsumer
services:
- accesscontextmanager.googleapis.com
# uncomment if you want to use Assured Workloads
# - assuredworkloads.googleapis.com
- bigquery.googleapis.com
# The following commented services need to be commented out for GCD deployments
# - bigqueryreservation.googleapis.com
- bigquerystorage.googleapis.com
# - billingbudgets.googleapis.com
# - cloudasset.googleapis.com
- cloudbilling.googleapis.com
# - cloudbuild.googleapis.com
- cloudkms.googleapis.com
# - cloudquotas.googleapis.com
- cloudresourcemanager.googleapis.com
- compute.googleapis.com
- container.googleapis.com
# - datacatalog.googleapis.com
- essentialcontacts.googleapis.com
- iam.googleapis.com
- iamcredentials.googleapis.com
- logging.googleapis.com
- monitoring.googleapis.com
# - networksecurity.googleapis.com
- orgpolicy.googleapis.com
- pubsub.googleapis.com
# - servicenetworking.googleapis.com
- serviceusage.googleapis.com
- storage-component.googleapis.com
- storage.googleapis.com
- sts.googleapis.com
org_policies:
iam.workloadIdentityPoolProviders:
rules:
- allow:
values:
- https://token.actions.githubusercontent.com
- https://gitlab.com
- https://app.terraform.io
data_access_logs:
storage.googleapis.com:
DATA_READ: {}
DATA_WRITE: {}
sts.googleapis.com:
DATA_READ: {}
DATA_WRITE: {}
buckets:
# Terraform state bucket for this stage
iac-org-state:
description: Terraform state for the org-level automation.
versioning: true
iam:
roles/storage.admin:
- $iam_principals:service_accounts/iac-0/iac-org-rw
$custom_roles:storage_viewer:
- $iam_principals:service_accounts/iac-0/iac-org-ro
# Terraform state bucket for additional FAST stages
iac-stage-state:
description: Terraform state for stage automation.
versioning: true
managed_folders:
1-vpcsc:
iam:
roles/storage.admin:
- $iam_principals:service_accounts/iac-0/iac-vpcsc-rw
$custom_roles:storage_viewer:
- $iam_principals:service_accounts/iac-0/iac-vpcsc-ro
2-networking:
iam:
roles/storage.admin:
- $iam_principals:service_accounts/iac-0/iac-networking-rw
$custom_roles:storage_viewer:
- $iam_principals:service_accounts/iac-0/iac-networking-ro
2-security:
iam:
roles/storage.admin:
- $iam_principals:service_accounts/iac-0/iac-security-rw
$custom_roles:storage_viewer:
- $iam_principals:service_accounts/iac-0/iac-security-ro
2-project-factory:
iam:
roles/storage.admin:
- $iam_principals:service_accounts/iac-0/iac-pf-rw
$custom_roles:storage_viewer:
- $iam_principals:service_accounts/iac-0/iac-pf-ro
3-data-platform-dev:
iam:
roles/storage.admin:
- $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
$custom_roles:storage_viewer:
- $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
# Terraform state bucket for FAST outputs
iac-outputs:
description: Terraform state for the org-level automation.
versioning: true
iam:
roles/storage.admin:
- $iam_principals:service_accounts/iac-0/iac-org-rw
- $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
- $iam_principals:service_accounts/iac-0/iac-networking-rw
- $iam_principals:service_accounts/iac-0/iac-security-rw
- $iam_principals:service_accounts/iac-0/iac-pf-rw
- $iam_principals:service_accounts/iac-0/iac-vpcsc-rw
$custom_roles:storage_viewer:
- $iam_principals:service_accounts/iac-0/iac-org-ro
- $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
- $iam_principals:service_accounts/iac-0/iac-networking-ro
- $iam_principals:service_accounts/iac-0/iac-security-ro
- $iam_principals:service_accounts/iac-0/iac-pf-ro
- $iam_principals:service_accounts/iac-0/iac-vpcsc-ro
- $iam_principals:service_accounts/iac-0/iac-org-cicd-rw
- $iam_principals:service_accounts/iac-0/iac-org-cicd-ro
service_accounts:
# IaC service accounts for this stage
iac-org-ro:
display_name: IaC service account for org setup (read-only).
iac-org-rw:
display_name: IaC service account for org setup (read-write).
# CI/CD service accounts for this stage
iac-org-cicd-ro:
display_name: IaC service account for org setup CI/CD (read-only).
iam_sa_roles:
$service_account_ids:iac-0/iac-org-ro:
- roles/iam.workloadIdentityUser
- roles/iam.serviceAccountTokenCreator
iac-org-cicd-rw:
display_name: IaC service account for org setup CI/CD (read-write).
iam_sa_roles:
$service_account_ids:iac-0/iac-org-rw:
- roles/iam.workloadIdentityUser
- roles/iam.serviceAccountTokenCreator
# IaC service accounts for vpc-sc stage
iac-vpcsc-ro:
display_name: IaC service account for VPC service controls (read-only).
iac-vpcsc-rw:
display_name: IaC service account for VPC service controls (read-write).
# IaC service accounts for networking stage
iac-networking-ro:
display_name: IaC service account for networking (read-only).
iac-networking-rw:
display_name: IaC service account for networking (read-write).
# IaC service accounts for security stage
iac-security-ro:
display_name: IaC service account for security (read-only).
iac-security-rw:
display_name: IaC service account for security (read-write).
# IaC service accounts for project factory stage
iac-pf-ro:
display_name: IaC service account for project factory (read-only).
iac-pf-rw:
display_name: IaC service account for project factory (read-write).
# IaC service accounts for data platform (dev) stage
iac-dp-dev-ro:
display_name: IaC service account for data platform dev (read-only).
iac-dp-dev-rw:
display_name: IaC service account for data platform dev (read-write).
# workload_identity_pools:
# default:
# display_name: Default pool for CI/CD.
# providers:
# github-default:
# display_name: GitHub (my org).
# attribute_condition: attribute.repository_owner=="myorg"
# identity_provider:
# oidc:
# template: github
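Review bot: `roles/storage.admin` on the `iac-outputs` bucket (and on each per-stage bucket above it) is wider than state read/write needs, because it carries `storage.buckets.setIamPolicy`, so any single stage's `-rw` service account can regrant access to every other stage's state; `roles/storage.objectAdmin` scoped to the bucket covers plan/apply, and bucket-level admin can stay on `iac-org-rw` alone if bucket IAM has to be managed from this stage. Separately, the comment on this bucket says "Terraform state bucket for FAST outputs" while the `description` says "Terraform state for the org-level automation"; pick one so readers know whether the bucket holds state or the stage output files that the other stages' `-ro` accounts read.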

@@ -0,0 +1,31 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../schemas/project.schema.json
name: prod-audit-logs-0
iam_by_principals:
$iam_principals:service_accounts/iac-0/iac-org-ro:
- roles/viewer
$iam_principals:service_accounts/iac-0/iac-org-rw:
- roles/owner
services:
- logging.googleapis.com
- pubsub.googleapis.com
- storage.googleapis.com
log_buckets:
audit-logs: {}
iam: {}
# The following needs to be explicitly set to empty object for GCD deployments
vpc-sc: {}
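Review bot: the comment "The following needs to be explicitly set to empty object for GCD deployments" does not say why, and because `iam: {}` sits two lines above it is ambiguous whether that line is part of "the following"; state which default each empty object overrides (and whether `iam: {}` is also GCD-specific) so the override is not dropped by someone tidying the file later. Also worth a second look: `iac-org-rw` gets `roles/owner` on a project whose only job is to host `audit-logs` buckets and sinks, so if the org stage only needs to create buckets and sinks here, `roles/logging.admin` plus `roles/storage.admin` would be the narrower grant.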

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {
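Review bot: raising the provider floor from `>= 7.13.0` to `>= 7.17.0` is a hard requirement change for every consumer pinned between those versions, so the changelog should name the feature that needs it (the only functional change in this diff is the `psc_interface_config` block in the agent-engine module); the same bump is repeated, unchanged, in every other `terraform { required_providers { ... } }` hunk below, and the `# tftest` markers are preserved on the changed lines.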

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -13,6 +13,7 @@ The module creates Agent Engine and related dependencies.
- [Serialized Object Deployment](#serialized-object-deployment)
- [Unmanaged deployments](#unmanaged-deployments)
- [Service accounts](#service-accounts)
- [Private networking: setup PSC-I](#private-networking-setup-psc-i)
- [Specify an encryption key](#specify-an-encryption-key)
- [Define environment variables and use secrets](#define-environment-variables-and-use-secrets)
- [Getting values from context](#getting-values-from-context)
@@ -231,6 +232,58 @@ module "agent_engine" {
# tftest inventory=sa-custom.yaml
```
## Private networking: setup PSC-I
Your agent can privately access resources in your VPC. This is done with Private Service Connect Interface (PSC-I).
```hcl
module "agent_engine" {
source = "./fabric/modules/agent-engine"
name = "my-agent"
project_id = var.project_id
region = var.region
agent_engine_config = {
agent_framework = "google-adk"
}
deployment_files = {
source_config = {
source_path = "assets/src/source.tar.gz"
}
}
networking_config = {
network_attachment_id = google_compute_network_attachment.network_attachment.id
dns_peering_configs = {
"example.com" = {
target_network_name = "my-vpc-1"
}
"my-company.local" = {
target_network_name = "my-vpc-2"
target_project_id = "my-other-project"
}
}
}
}
resource "google_compute_network_attachment" "network_attachment" {
name = "network-attachment"
project = var.project_id
region = var.region
description = "Network attachment for Agent Engine PSC-I"
connection_preference = "ACCEPT_MANUAL"
subnetworks = [var.subnet.self_link]
# Agent Engine SA automatically populates this when PSC-I is active.
# It adds the tenant project id.
lifecycle {
ignore_changes = [producer_accept_lists]
}
}
# tftest inventory=psc-i.yaml
```
## Specify an encryption key
You can optionally specify an existing encryption key, created in KMS.
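Review bot: the prose does not say what `target_project_id` falls back to when omitted (the `"example.com"` entry relies on that fallback) nor where `var.subnet` comes from, so add a sentence that the peering target defaults to the agent's own `project_id` and that the subnet must be in the attached VPC. The example also deserves one line on its trust model: `connection_preference = "ACCEPT_MANUAL"` means only producer projects listed in `producer_accept_lists` may attach to this subnet, and the `ignore_changes = [producer_accept_lists]` lifecycle rule means the tenant project added by Agent Engine is managed out-of-band, so an unexpected extra entry in that list will not show up as drift in `terraform plan` and needs to be checked another way.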
@@ -299,16 +352,17 @@ The module allows you to dynamically reference context values for resources crea
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [agent_engine_config](variables.tf#L17) | The agent configuration. | <code title="object&#40;&#123;&#10; agent_framework &#61; string&#10; class_methods &#61; optional&#40;list&#40;any&#41;, &#91;&#93;&#41;&#10; container_concurrency &#61; optional&#40;number&#41;&#10; environment_variables &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; max_instances &#61; optional&#40;number&#41;&#10; min_instances &#61; optional&#40;number&#41;&#10; python_version &#61; optional&#40;string, &#34;3.12&#34;&#41;&#10; resource_limits &#61; optional&#40;object&#40;&#123;&#10; cpu &#61; string&#10; memory &#61; string&#10; &#125;&#41;&#41;&#10; secret_environment_variables &#61; optional&#40;map&#40;object&#40;&#123;&#10; secret_id &#61; string&#10; version &#61; optional&#40;string, &#34;latest&#34;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [agent_engine_config](variables.tf#L17) | The agent configuration. | <code title="object&#40;&#123;&#10; agent_framework &#61; string&#10; class_methods &#61; optional&#40;list&#40;any&#41;, &#91;&#93;&#41;&#10; container_concurrency &#61; optional&#40;number&#41;&#10; environment_variables &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; max_instances &#61; optional&#40;number&#41;&#10; min_instances &#61; optional&#40;number&#41;&#10; python_version &#61; optional&#40;string, &#34;3.13&#34;&#41;&#10; resource_limits &#61; optional&#40;object&#40;&#123;&#10; cpu &#61; string&#10; memory &#61; string&#10; &#125;&#41;&#41;&#10; secret_environment_variables &#61; optional&#40;map&#40;object&#40;&#123;&#10; secret_id &#61; string&#10; version &#61; optional&#40;string, &#34;latest&#34;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [name](variables.tf#L122) | The name of the agent. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L128) | The id of the project where to deploy the agent. | <code>string</code> | ✓ | |
| [region](variables.tf#L134) | The region where to deploy the agent. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L141) | The id of the project where to deploy the agent. | <code>string</code> | ✓ | |
| [region](variables.tf#L147) | The region where to deploy the agent. | <code>string</code> | ✓ | |
| [bucket_config](variables.tf#L40) | The GCS bucket configuration. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, true&#41;&#10; deletion_protection &#61; optional&#40;bool, true&#41;&#10; name &#61; optional&#40;string&#41;&#10; uniform_bucket_level_access &#61; optional&#40;bool, true&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [context](variables.tf#L52) | Context-specific interpolations. | <code title="object&#40;&#123;&#10; custom_roles &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; iam_principals &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; locations &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; kms_keys &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; project_ids &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [deployment_files](variables.tf#L65) | The to source files path and names. | <code title="object&#40;&#123;&#10; package_config &#61; optional&#40;object&#40;&#123;&#10; are_paths_local &#61; optional&#40;bool, true&#41;&#10; dependencies_path &#61; optional&#40;string, &#34;.&#47;src&#47;dependencies.tar.gz&#34;&#41;&#10; pickle_path &#61; optional&#40;string, &#34;.&#47;src&#47;pickle.pkl&#34;&#41;&#10; requirements_path &#61; optional&#40;string, &#34;.&#47;src&#47;requirements.txt&#34;&#41;&#10; &#125;&#41;, null&#41;&#10; source_config &#61; optional&#40;object&#40;&#123;&#10; entrypoint_module &#61; optional&#40;string, &#34;agent&#34;&#41;&#10; entrypoint_object &#61; optional&#40;string, &#34;agent&#34;&#41;&#10; requirements_path &#61; optional&#40;string, &#34;requirements.txt&#34;&#41;&#10; source_path &#61; optional&#40;string, &#34;.&#47;src&#47;source.tar.gz&#34;&#41;&#10; &#125;&#41;, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; package_config &#61; null&#10; source_config &#61; &#123;&#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [description](variables.tf#L102) | The Agent Engine description. | <code>string</code> | | <code>&#34;Terraform managed.&#34;</code> |
| [encryption_key](variables.tf#L109) | The full resource name of the Cloud KMS CryptoKey. | <code>string</code> | | <code>null</code> |
| [managed](variables.tf#L115) | Whether the Terraform module should control the code updates. | <code>bool</code> | | <code>true</code> |
| [networking_config](variables.tf#L128) | Networking configuration. | <code title="object&#40;&#123;&#10; network_attachment_id &#61; string&#10; dns_peering_configs &#61; optional&#40;map&#40;object&#40;&#123;&#10; target_network_name &#61; string&#10; target_project_id &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [service_account_config](variables-serviceaccount.tf#L18) | Service account configurations. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, true&#41;&#10; display_name &#61; optional&#40;string&#41;&#10; email &#61; optional&#40;string&#41;&#10; name &#61; optional&#40;string&#41;&#10; roles &#61; optional&#40;list&#40;string&#41;, &#91;&#10; &#34;roles&#47;aiplatform.user&#34;,&#10; &#34;roles&#47;storage.objectViewer&#34;,&#10; &#34;roles&#47;viewer&#34;&#10; &#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
## Outputs
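Review bot: the `deployment_files` row reads "The to source files path and names." (unchanged context, but visible in this hunk); if the table is generated from the `description` fields in `variables.tf`, fix the wording there and regenerate rather than editing the table. The `python_version` default shown in the `agent_engine_config` row moves from `3.12` to `3.13`, which changes the runtime of every caller that did not pin it, so it should be called out alongside the new `networking_config` variable.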

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -48,6 +48,7 @@ resource "google_vertex_ai_reasoning_engine" "managed" {
var.agent_engine_config.max_instances != null ||
var.agent_engine_config.min_instances != null ||
var.agent_engine_config.resource_limits != null ||
var.networking_config != null ||
length(var.agent_engine_config.environment_variables) > 0 ||
length(var.agent_engine_config.secret_environment_variables) > 0
? { 1 = 1 }
@@ -69,6 +70,28 @@ resource "google_vertex_ai_reasoning_engine" "managed" {
}
}
dynamic "psc_interface_config" {
for_each = var.networking_config == null ? {} : { 1 = 1 }
content {
network_attachment = var.networking_config.network_attachment_id
dynamic "dns_peering_configs" {
for_each = var.networking_config.dns_peering_configs
content {
domain = dns_peering_configs.key
target_network = dns_peering_configs.value.target_network_name
target_project = (
dns_peering_configs.value.target_project_id == null
? var.project_id
: dns_peering_configs.value.target_project_id
)
}
}
}
}
dynamic "secret_env" {
for_each = var.agent_engine_config.secret_environment_variables
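Review bot: `for_each = var.networking_config.dns_peering_configs` fails at plan time with an invalid `for_each` value (null is not accepted in a dynamic block) when a caller sets `network_attachment_id` but omits `dns_peering_configs`, because that attribute is declared `optional(map(object({...})))` with no default in `variables.tf`; either give it a `{}` default there or write `for_each = coalesce(var.networking_config.dns_peering_configs, {})` here. Naming the iterator (`iterator = dns`) would also avoid `dns_peering_configs.key` / `dns_peering_configs.value` reading like the variable attribute of the same name.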

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -48,6 +48,7 @@ resource "google_vertex_ai_reasoning_engine" "unmanaged" {
var.agent_engine_config.max_instances != null ||
var.agent_engine_config.min_instances != null ||
var.agent_engine_config.resource_limits != null ||
var.networking_config != null ||
length(var.agent_engine_config.environment_variables) > 0 ||
length(var.agent_engine_config.secret_environment_variables) > 0
? { 1 = 1 }
@@ -69,6 +70,28 @@ resource "google_vertex_ai_reasoning_engine" "unmanaged" {
}
}
dynamic "psc_interface_config" {
for_each = var.networking_config == null ? {} : { 1 = 1 }
content {
network_attachment = var.networking_config.network_attachment_id
dynamic "dns_peering_configs" {
for_each = var.networking_config.dns_peering_configs
content {
domain = dns_peering_configs.key
target_network = dns_peering_configs.value.target_network_name
target_project = (
dns_peering_configs.value.target_project_id == null
? var.project_id
: dns_peering_configs.value.target_project_id
)
}
}
}
}
dynamic "secret_env" {
for_each = var.agent_engine_config.secret_environment_variables
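Review bot: this `psc_interface_config` block is a verbatim copy of the one in the `managed` resource, including the `target_project` fallback expression and the same `for_each` over a possibly-null `dns_peering_configs`; compute the normalised peering map once in a `local` (with the `var.project_id` fallback already applied) and iterate that from both resources, so a fix in one cannot be missed in the other.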

@@ -1,5 +1,5 @@
/**
* Copyright 2025 Google LLC
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -24,7 +24,7 @@ variable "agent_engine_config" {
environment_variables = optional(map(string), {})
max_instances = optional(number)
min_instances = optional(number)
python_version = optional(string, "3.12")
python_version = optional(string, "3.13")
resource_limits = optional(object({
cpu = string
memory = string
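Review bot: changing the `python_version` default from `"3.12"` to `"3.13"` silently changes the runtime of every existing deployment that did not set it, so it belongs in the upgrade notes; a `validation` block on the accepted runtime strings would also turn a typo here into a plan-time error instead of an API error at apply.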
@@ -125,6 +125,19 @@ variable "name" {
nullable = false
}
variable "networking_config" {
description = "Networking configuration."
type = object({
network_attachment_id = string
# key is the domain
dns_peering_configs = optional(map(object({
target_network_name = string
target_project_id = optional(string)
})))
})
default = null
}
variable "project_id" {
description = "The id of the project where to deploy the agent."
type = string
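Review bot: `dns_peering_configs` is `optional(map(object({...})))` with no default, so it is `null` when omitted and the dynamic `for_each` in `main.tf` that consumes it errors out; declare it as `optional(map(object({ ... })), {})`. The `# key is the domain` comment should go into the `description`, since that is what reaches the generated README table, and `network_attachment_id` would benefit from a `validation` that it is a full network-attachment resource path so callers get a plan-time error rather than an API one.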

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {

@@ -19,11 +19,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.13.0, < 8.0.0" # tftest
version = ">= 7.17.0, < 8.0.0" # tftest
}
}
provider_meta "google" {
