diff --git a/fast/stages/0-org-setup/README.md b/fast/stages/0-org-setup/README.md
index 25f017f0f..759ddbf65 100644
--- a/fast/stages/0-org-setup/README.md
+++ b/fast/stages/0-org-setup/README.md
@@ -406,7 +406,7 @@ The default paths point to the dataset in the `datasets/classic` folder which de
- **billing_accounts** (`[dataset]/billing-accounts`) \
folder-level factory where each YAML file defines billing-account level IAM for one billing account; only used for externally managed accounts
- **organization** (`[dataset]/organization/.config.yaml`) \
- file-level factory to define organization IAM and log sinks
+ file-level factory to define organization IAM, service agents, and log sinks
- **custom roles** (`[dataset]/organization/custom-roles`) \
folder-level factory to define organization-level custom roles
- **org policies** (`[dataset]/organization/org-policies`) \
@@ -515,7 +515,7 @@ logging_sinks:
### Organization configuration
-The default dataset implements a classic FAST design, recreating the required custom roles, IAM bindings, org policies, tags, and log sinks via the factories described in a previous section.
+The default dataset implements a classic FAST design, recreating the required custom roles, IAM bindings, org policies, tags, service agents, and log sinks via the factories described in a previous section.
Compared to classic FAST this approach makes org-level configuration explicit, allowing easy customization of IAM and all other attributes. Before running this stage, check that the data files match your expected design.
diff --git a/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml b/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml
index 9ea2d5552..f9e2b9476 100644
--- a/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml
@@ -61,6 +61,8 @@ iam_by_principals:
- roles/iam.workforcePoolAdmin
- roles/logging.admin
- roles/orgpolicy.policyAdmin
+ # Uncomment to allow managing PAM entitlements.
+ # - roles/privilegedaccessmanager.admin
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.organizationAdmin
- roles/resourcemanager.projectCreator
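Review bot: The comment on the new commented-out line says what uncommenting enables but not what it amounts to for the principal this `iam_by_principals` entry belongs to (the principal key is above the hunk): `roles/privilegedaccessmanager.admin` lets that principal define entitlements, i.e. decide which roles others may request through PAM, so it is an administrative boundary rather than a convenience role. A one-line extension such as `# Uncomment to allow managing PAM entitlements (the principal can then define which roles others may request).` makes the trade-off visible to whoever edits this dataset. The viewer counterpart in the next hunk is read-only and its comment is adequate as written.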
@@ -74,6 +76,8 @@ iam_by_principals:
- roles/iam.workforcePoolViewer
- roles/logging.viewer
- roles/orgpolicy.policyViewer
+ # Uncomment to allow viewing PAM entitlements.
+ # - roles/privilegedaccessmanager.viewer
- roles/resourcemanager.folderViewer
- roles/resourcemanager.tagViewer
- roles/serviceusage.serviceUsageViewer
diff --git a/fast/stages/0-org-setup/organization.tf b/fast/stages/0-org-setup/organization.tf
index d2ced0949..c1da161dc 100644
--- a/fast/stages/0-org-setup/organization.tf
+++ b/fast/stages/0-org-setup/organization.tf
@@ -90,7 +90,8 @@ module "organization" {
email_addresses = local.ctx.email_addresses
locations = local.ctx.locations
}
- contacts = lookup(local.organization, "contacts", {})
+ contacts = lookup(local.organization, "contacts", {})
+ service_agents_config = lookup(local.organization, "service_agents_config", {})
factories_config = {
custom_roles = "${local.paths.organization}/custom-roles"
tags = "${local.paths.organization}/tags"
@@ -122,7 +123,11 @@ module "organization-iam" {
)
iam_principals = merge(
local.ctx.iam_principals,
- module.factory.iam_principals
+ module.factory.iam_principals,
+ {
+ for k, v in module.organization[0].service_agents :
+ "service_agents/${k}" => v.iam_email
+ }
)
log_buckets = module.factory.log_buckets
project_ids = merge(
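Review bot: The new for-expression indexes `module.organization[0]` directly, so if `module.organization` is a counted module that can be set to zero instances the merge fails with an invalid-index error instead of contributing no service-agent principals; the earlier hunk shows the module block but not its `count`, so this is hedged. If a zero count is possible, `for k, v in try(module.organization[0].service_agents, {}) :` keeps the expression valid in both cases. The merge also deserves a short comment, since argument order means a `service_agents/...` key coming from `local.ctx.iam_principals` or `module.factory.iam_principals` is silently overridden by the generated one: `# service agent principals take precedence over same-named context/factory entries`. The `module "organization-iam"` block starts and ends outside the hunk.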
diff --git a/fast/stages/0-org-setup/schemas/organization.schema.json b/fast/stages/0-org-setup/schemas/organization.schema.json
index 7e43c5e06..4092e5320 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.json
+++ b/fast/stages/0-org-setup/schemas/organization.schema.json
@@ -305,6 +305,21 @@
"pam_entitlements": {
"$ref": "#/$defs/pam_entitlements"
},
+ "service_agents_config": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "create_agents": {
+ "type": "boolean"
+ },
+ "services": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
"tags": {
"type": "object",
"additionalProperties": {
diff --git a/fast/stages/0-org-setup/schemas/organization.schema.md b/fast/stages/0-org-setup/schemas/organization.schema.md
index 8f8c28f1b..9523f7334 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.md
+++ b/fast/stages/0-org-setup/schemas/organization.schema.md
@@ -96,6 +96,11 @@
- **location**: *string*
- **title**: *string*
- **pam_entitlements**: *reference([pam_entitlements](#refs-pam_entitlements))*
+- **service_agents_config**: *object*
+
*additional properties: false*
+ - **create_agents**: *boolean*
+ - **services**: *array*
+ - items: *string*
- **tags**: *object*
*additional properties: object*
- **workforce_identity_pools**: *object*
diff --git a/tests/fast/stages/s0_org_setup/customizations.tfvars b/tests/fast/stages/s0_org_setup/customizations.tfvars
new file mode 100644
index 000000000..5d101d0bd
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/customizations.tfvars
@@ -0,0 +1,6 @@
+factories_config = {
+ paths = {
+ defaults = "./data-customizations/defaults.yaml"
+ organization = "./data-customizations/organization"
+ }
+}
diff --git a/tests/fast/stages/s0_org_setup/customizations.yaml b/tests/fast/stages/s0_org_setup/customizations.yaml
new file mode 100644
index 000000000..f6c2ce114
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/customizations.yaml
@@ -0,0 +1,1684 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ google_storage_bucket_object.providers["0-org-setup"]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\
+ \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\
+ \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ contexts: []
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: null
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: providers/0-org-setup-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["0-org-setup-ro"]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\
+ \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\
+ \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ contexts: []
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: null
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: providers/0-org-setup-ro-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["1-vpcsc"]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\
+ \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\
+ \ = \"1-vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\
+ \ \"google-beta\" {\n impersonate_service_account = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ contexts: []
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: null
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: providers/1-vpcsc-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["2-networking"]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\
+ \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\
+ \ = \"2-networking\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\
+ \ \"google-beta\" {\n impersonate_service_account = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ contexts: []
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: null
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: providers/2-networking-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["2-project-factory"]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\
+ \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix =\
+ \ \"2-project-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider \"\
+ google-beta\" {\n impersonate_service_account = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ contexts: []
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: null
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: providers/2-project-factory-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["2-security"]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\
+ \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\
+ \ = \"2-security\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\
+ \ \"google-beta\" {\n impersonate_service_account = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ contexts: []
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: null
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: providers/2-security-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.tfvars["globals"]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ cache_control: null
+ content: '{"billing_account":{"id":"012345-012345-012345"},"groups":{"domain":"domain:example.org","gcp-billing-admins":"group:gcp-billing-admins@example.org","gcp-devops":"group:gcp-devops@example.org","gcp-network-admins":"group:gcp-network-admins@example.org","gcp-organization-admins":"group:fabric-fast-owners@google.com","gcp-secops-admins":"group:gcp-secops-admins@example.org","gcp-security-admins":"group:gcp-security-admins@example.org","gcp-support":"group:gcp-support@example.org"},"organization":{"customer_id":"abcd123456","domain":"example.org","id":"1234567890"},"prefix":"ft0","universe":null}'
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ contexts: []
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: null
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: tfvars/0-globals.auto.tfvars.json
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.tfvars["org-setup"]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ cache_control: null
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ contexts: []
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: null
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: tfvars/0-org-setup.auto.tfvars.json
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.version[0]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ cache_control: null
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ contexts: []
+ customer_encryption: []
+ deletion_policy: null
+ detect_md5hash: null
+ event_based_hold: null
+ force_empty_content_type: null
+ metadata: null
+ name: versions/0-org-setup-version.txt
+ retention: []
+ source: fast_version.txt
+ temporary_hold: null
+ timeouts: null
+ local_file.providers["0-org-setup"]:
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\
+ \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\
+ \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_base64: null
+ directory_permission: '0777'
+ file_permission: '0644'
+ filename: /tmp/fast-config/providers/0-org-setup-providers.tf
+ sensitive_content: null
+ source: null
+ local_file.providers["0-org-setup-ro"]:
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\
+ \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\
+ \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_base64: null
+ directory_permission: '0777'
+ file_permission: '0644'
+ filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf
+ sensitive_content: null
+ source: null
+ local_file.providers["1-vpcsc"]:
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\
+ \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\
+ \ = \"1-vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\
+ \ \"google-beta\" {\n impersonate_service_account = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_base64: null
+ directory_permission: '0777'
+ file_permission: '0644'
+ filename: /tmp/fast-config/providers/1-vpcsc-providers.tf
+ sensitive_content: null
+ source: null
+ local_file.providers["2-networking"]:
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\
+ \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\
+ \ = \"2-networking\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\
+ \ \"google-beta\" {\n impersonate_service_account = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_base64: null
+ directory_permission: '0777'
+ file_permission: '0644'
+ filename: /tmp/fast-config/providers/2-networking-providers.tf
+ sensitive_content: null
+ source: null
+ local_file.providers["2-project-factory"]:
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\
+ \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix =\
+ \ \"2-project-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider \"\
+ google-beta\" {\n impersonate_service_account = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_base64: null
+ directory_permission: '0777'
+ file_permission: '0644'
+ filename: /tmp/fast-config/providers/2-project-factory-providers.tf
+ sensitive_content: null
+ source: null
+ local_file.providers["2-security"]:
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\
+ \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\
+ \ = \"2-security\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\
+ \ \"google-beta\" {\n impersonate_service_account = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n"
+ content_base64: null
+ directory_permission: '0777'
+ file_permission: '0644'
+ filename: /tmp/fast-config/providers/2-security-providers.tf
+ sensitive_content: null
+ source: null
+ local_file.tfvars["globals"]:
+ content: '{"billing_account":{"id":"012345-012345-012345"},"groups":{"domain":"domain:example.org","gcp-billing-admins":"group:gcp-billing-admins@example.org","gcp-devops":"group:gcp-devops@example.org","gcp-network-admins":"group:gcp-network-admins@example.org","gcp-organization-admins":"group:fabric-fast-owners@google.com","gcp-secops-admins":"group:gcp-secops-admins@example.org","gcp-security-admins":"group:gcp-security-admins@example.org","gcp-support":"group:gcp-support@example.org"},"organization":{"customer_id":"abcd123456","domain":"example.org","id":"1234567890"},"prefix":"ft0","universe":null}'
+ content_base64: null
+ directory_permission: '0777'
+ file_permission: '0644'
+ filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json
+ sensitive_content: null
+ source: null
+ local_file.tfvars["org-setup"]:
+ content_base64: null
+ directory_permission: '0777'
+ file_permission: '0644'
+ filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json
+ sensitive_content: null
+ source: null
+ module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_admins"]:
+ billing_account_id: 012345-012345-012345
+ condition: []
+ member: group:fabric-fast-owners@google.com
+ role: roles/billing.admin
+ module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_sa"]:
+ billing_account_id: 012345-012345-012345
+ condition: []
+ member: serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/billing.admin
+ module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_networking_sa"]:
+ billing_account_id: 012345-012345-012345
+ condition: []
+ member: serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/billing.user
+ module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_pf_sa"]:
+ billing_account_id: 012345-012345-012345
+ condition: []
+ member: serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/billing.user
+ module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_security_sa"]:
+ billing_account_id: 012345-012345-012345
+ condition: []
+ member: serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/billing.user
+ module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_viewer_org_ro"]:
+ billing_account_id: 012345-012345-012345
+ condition: []
+ member: serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/billing.viewer
+ module.factory.module.bigquery-datasets["billing-0/billing_export"].google_bigquery_dataset.default:
+ dataset_id: billing_export
+ default_encryption_configuration: []
+ default_partition_expiration_ms: null
+ default_table_expiration_ms: null
+ delete_contents_on_destroy: false
+ description: Terraform managed.
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ external_catalog_dataset_options: []
+ external_dataset_reference: []
+ friendly_name: Billing export
+ labels: null
+ location: europe-west1
+ max_time_travel_hours: '168'
+ project: ft0-prod-billing-exp-0
+ resource_tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket.bucket[0]:
+ autoclass: []
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ hierarchical_namespace: []
+ ip_filter: []
+ labels: null
+ lifecycle_rule: []
+ location: EUROPE-WEST1
+ logging: []
+ name: ft0-prod-iac-core-0-iac-org-state
+ project: ft0-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: STANDARD
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ ? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"]
+ : bucket: ft0-prod-iac-core-0-iac-org-state
+ condition: []
+ role: $custom_roles:storage_viewer
+ timeouts: null
+ ? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"]
+ : bucket: ft0-prod-iac-core-0-iac-org-state
+ condition: []
+ role: roles/storage.admin
+ timeouts: null
+ module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket.bucket[0]:
+ autoclass: []
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ hierarchical_namespace: []
+ ip_filter: []
+ labels: null
+ lifecycle_rule: []
+ location: EUROPE-WEST1
+ logging: []
+ name: ft0-prod-iac-core-0-iac-outputs
+ project: ft0-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: STANDARD
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ ? module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"]
+ : bucket: ft0-prod-iac-core-0-iac-outputs
+ condition: []
+ role: $custom_roles:storage_viewer
+ timeouts: null
+ module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"]:
+ bucket: ft0-prod-iac-core-0-iac-outputs
+ condition: []
+ role: roles/storage.admin
+ timeouts: null
+ module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_bucket.bucket[0]:
+ autoclass: []
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ hierarchical_namespace: []
+ ip_filter: []
+ labels: null
+ lifecycle_rule: []
+ location: EUROPE-WEST1
+ logging: []
+ name: ft0-prod-iac-core-0-iac-stage-state
+ project: ft0-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: STANDARD
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["1-vpcsc/"]:
+ bucket: ft0-prod-iac-core-0-iac-stage-state
+ force_destroy: false
+ name: 1-vpcsc/
+ timeouts: null
+ module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-networking/"]:
+ bucket: ft0-prod-iac-core-0-iac-stage-state
+ force_destroy: false
+ name: 2-networking/
+ timeouts: null
+ module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-project-factory/"]:
+ bucket: ft0-prod-iac-core-0-iac-stage-state
+ force_destroy: false
+ name: 2-project-factory/
+ timeouts: null
+ module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-security/"]:
+ bucket: ft0-prod-iac-core-0-iac-stage-state
+ force_destroy: false
+ name: 2-security/
+ timeouts: null
+ ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["1-vpcsc/$custom_roles:storage_viewer"]
+ : bucket: ft0-prod-iac-core-0-iac-stage-state
+ condition: []
+ managed_folder: 1-vpcsc/
+ role: $custom_roles:storage_viewer
+ ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["1-vpcsc/roles/storage.admin"]
+ : bucket: ft0-prod-iac-core-0-iac-stage-state
+ condition: []
+ managed_folder: 1-vpcsc/
+ role: roles/storage.admin
+ ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/$custom_roles:storage_viewer"]
+ : bucket: ft0-prod-iac-core-0-iac-stage-state
+ condition: []
+ managed_folder: 2-networking/
+ role: $custom_roles:storage_viewer
+ ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/roles/storage.admin"]
+ : bucket: ft0-prod-iac-core-0-iac-stage-state
+ condition: []
+ managed_folder: 2-networking/
+ role: roles/storage.admin
+ ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/$custom_roles:storage_viewer"]
+ : bucket: ft0-prod-iac-core-0-iac-stage-state
+ condition: []
+ managed_folder: 2-project-factory/
+ role: $custom_roles:storage_viewer
+ ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/roles/storage.admin"]
+ : bucket: ft0-prod-iac-core-0-iac-stage-state
+ condition: []
+ managed_folder: 2-project-factory/
+ role: roles/storage.admin
+ ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/$custom_roles:storage_viewer"]
+ : bucket: ft0-prod-iac-core-0-iac-stage-state
+ condition: []
+ managed_folder: 2-security/
+ role: $custom_roles:storage_viewer
+ ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/roles/storage.admin"]
+ : bucket: ft0-prod-iac-core-0-iac-stage-state
+ condition: []
+ managed_folder: 2-security/
+ role: roles/storage.admin
+ ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]
+ : condition: []
+ role: $custom_roles:project_iam_viewer
+ ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"]
+ : condition: []
+ role: $custom_roles:service_project_network_admin
+ module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.viewer"]:
+ condition: []
+ role: roles/compute.viewer
+ module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
+ condition: []
+ role: roles/compute.xpnAdmin
+ module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
+ condition: []
+ role: roles/logging.admin
+ module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ role: roles/owner
+ ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]
+ : condition: []
+ role: roles/resourcemanager.folderAdmin
+ ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]
+ : condition: []
+ role: roles/resourcemanager.folderViewer
+ ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]
+ : condition: []
+ role: roles/resourcemanager.projectCreator
+ module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
+ condition: []
+ role: roles/resourcemanager.tagUser
+ ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]
+ : condition: []
+ role: roles/resourcemanager.tagViewer
+ module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ role: roles/viewer
+ module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["project_factory"]:
+ condition:
+ - description: null
+ expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\
+ \ 'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',\n 'roles/container.hostServiceAgentUser',\
+ \ 'roles/vpcaccess.user'\n])\n"
+ title: Project factory delegated IAM grant.
+ role: roles/resourcemanager.projectIamAdmin
+ module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]:
+ condition: []
+ role: $custom_roles:project_iam_viewer
+ ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
+ : condition: []
+ role: roles/cloudkms.cryptoKeyEncrypterDecrypter
+ module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"]:
+ condition: []
+ role: roles/cloudkms.viewer
+ module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
+ condition: []
+ role: roles/logging.admin
+ module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ role: roles/owner
+ ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]
+ : condition: []
+ role: roles/resourcemanager.folderAdmin
+ ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]
+ : condition: []
+ role: roles/resourcemanager.folderViewer
+ ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]
+ : condition: []
+ role: roles/resourcemanager.projectCreator
+ module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
+ condition: []
+ role: roles/resourcemanager.tagUser
+ module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
+ condition: []
+ role: roles/resourcemanager.tagViewer
+ module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ role: roles/viewer
+ module.factory.module.folder-1-iam["security"].google_folder_iam_binding.bindings["project_factory"]:
+ condition:
+ - description: null
+ expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\
+ \ 'roles/cloudkms.cryptoKeyEncrypterDecrypter'\n])\n"
+ title: Project factory delegated IAM grant.
+ role: roles/resourcemanager.projectIamAdmin
+ ? module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"]
+ : condition: []
+ role: $custom_roles:service_project_network_admin
+ module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ role: roles/owner
+ module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+ condition: []
+ role: roles/resourcemanager.folderAdmin
+ module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
+ condition: []
+ role: roles/resourcemanager.folderViewer
+ ? module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]
+ : condition: []
+ role: roles/resourcemanager.projectCreator
+ module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
+ condition: []
+ role: roles/resourcemanager.tagUser
+ module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
+ condition: []
+ role: roles/resourcemanager.tagViewer
+ module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ role: roles/viewer
+ module.factory.module.folder-1-iam["teams"].google_tags_tag_binding.binding["context"]:
+ tag_value: $tag_values:context/project-factory
+ timeouts: null
+ module.factory.module.folder-1["networking"].google_folder.folder[0]:
+ deletion_protection: false
+ display_name: Networking
+ parent: organizations/1234567890
+ tags: null
+ timeouts: null
+ module.factory.module.folder-1["security"].google_folder.folder[0]:
+ deletion_protection: false
+ display_name: Security
+ parent: organizations/1234567890
+ tags: null
+ timeouts: null
+ module.factory.module.folder-1["teams"].google_folder.folder[0]:
+ deletion_protection: false
+ display_name: Teams
+ parent: organizations/1234567890
+ tags: null
+ timeouts: null
+ module.factory.module.folder-2-iam["networking/dev"].google_tags_tag_binding.binding["environment"]:
+ timeouts: null
+ module.factory.module.folder-2-iam["networking/prod"].google_tags_tag_binding.binding["environment"]:
+ timeouts: null
+ module.factory.module.folder-2-iam["security/dev"].google_tags_tag_binding.binding["environment"]:
+ timeouts: null
+ module.factory.module.folder-2-iam["security/prod"].google_tags_tag_binding.binding["environment"]:
+ timeouts: null
+ module.factory.module.folder-2["networking/dev"].google_folder.folder[0]:
+ deletion_protection: false
+ display_name: Development
+ tags: null
+ timeouts: null
+ module.factory.module.folder-2["networking/prod"].google_folder.folder[0]:
+ deletion_protection: false
+ display_name: Production
+ tags: null
+ timeouts: null
+ module.factory.module.folder-2["security/dev"].google_folder.folder[0]:
+ deletion_protection: false
+ display_name: Development
+ tags: null
+ timeouts: null
+ module.factory.module.folder-2["security/prod"].google_folder.folder[0]:
+ deletion_protection: false
+ display_name: Production
+ tags: null
+ timeouts: null
+ module.factory.module.log-buckets["log-0/audit-logs"].google_logging_project_bucket_config.bucket[0]:
+ bucket_id: audit-logs
+ cmek_settings: []
+ enable_analytics: false
+ index_configs: []
+ location: europe-west1
+ locked: null
+ project: ft0-prod-audit-logs-0
+ retention_days: 30
+ module.factory.module.log-buckets["log-0/iam"].google_logging_project_bucket_config.bucket[0]:
+ bucket_id: iam
+ cmek_settings: []
+ enable_analytics: false
+ index_configs: []
+ location: europe-west1
+ locked: null
+ project: ft0-prod-audit-logs-0
+ retention_days: 30
+ module.factory.module.log-buckets["log-0/vpc-sc"].google_logging_project_bucket_config.bucket[0]:
+ bucket_id: vpc-sc
+ cmek_settings: []
+ enable_analytics: true
+ index_configs: []
+ location: europe-west1
+ locked: null
+ project: ft0-prod-audit-logs-0
+ retention_days: 31
+ module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ project: ft0-prod-billing-exp-0
+ role: roles/owner
+ module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ project: ft0-prod-billing-exp-0
+ role: roles/viewer
+ module.factory.module.projects-iam["iac-0"].google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
+ dry_run_spec: []
+ name: projects/ft0-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders
+ parent: projects/ft0-prod-iac-core-0
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values:
+ - https://token.actions.githubusercontent.com
+ - https://gitlab.com
+ - https://app.terraform.io
+ denied_values: null
+ timeouts: null
+ module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["iam.googleapis.com"]:
+ audit_log_config:
+ - exempted_members: []
+ log_type: DATA_READ
+ - exempted_members: []
+ log_type: DATA_WRITE
+ project: ft0-prod-iac-core-0
+ service: iam.googleapis.com
+ module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["storage.googleapis.com"]:
+ audit_log_config:
+ - exempted_members: []
+ log_type: DATA_READ
+ - exempted_members: []
+ log_type: DATA_WRITE
+ project: ft0-prod-iac-core-0
+ service: storage.googleapis.com
+ module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["sts.googleapis.com"]:
+ audit_log_config:
+ - exempted_members: []
+ log_type: DATA_READ
+ - exempted_members: []
+ log_type: DATA_WRITE
+ project: ft0-prod-iac-core-0
+ service: sts.googleapis.com
+ module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["$custom_roles:storage_viewer"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: $custom_roles:storage_viewer
+ module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/browser"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/browser
+ module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/cloudbuild.builds.editor
+ module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/cloudbuild.builds.viewer
+ module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/iam.serviceAccountAdmin
+ ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
+ : condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/iam.serviceAccountTokenCreator
+ module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/iam.serviceAccountViewer
+ ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]
+ : condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/iam.workloadIdentityPoolAdmin
+ ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]
+ : condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/iam.workloadIdentityPoolViewer
+ module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/owner
+ ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/serviceusage.serviceUsageConsumer
+ module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/storage.admin"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/storage.admin
+ module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/viewer
+ module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ project: ft0-prod-audit-logs-0
+ role: roles/owner
+ module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ project: ft0-prod-audit-logs-0
+ role: roles/viewer
+ module.factory.module.projects["billing-0"].data.google_bigquery_default_service_account.bq_sa[0]:
+ project: ft0-prod-billing-exp-0
+ module.factory.module.projects["billing-0"].data.google_storage_project_service_account.gcs_sa[0]:
+ project: ft0-prod-billing-exp-0
+ user_project: null
+ module.factory.module.projects["billing-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 012345-012345-012345
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ folder_id: null
+ labels: null
+ name: ft0-prod-billing-exp-0
+ org_id: '1234567890'
+ project_id: ft0-prod-billing-exp-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.factory.module.projects["billing-0"].google_project_iam_member.service_agents["bigquerydatatransfer"]:
+ condition: []
+ project: ft0-prod-billing-exp-0
+ role: roles/bigquerydatatransfer.serviceAgent
+ module.factory.module.projects["billing-0"].google_project_service.project_services["bigquery.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-billing-exp-0
+ service: bigquery.googleapis.com
+ timeouts: null
+ module.factory.module.projects["billing-0"].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-billing-exp-0
+ service: bigquerydatatransfer.googleapis.com
+ timeouts: null
+ module.factory.module.projects["billing-0"].google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-billing-exp-0
+ service: storage.googleapis.com
+ timeouts: null
+ module.factory.module.projects["billing-0"].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]:
+ project: ft0-prod-billing-exp-0
+ service: bigquerydatatransfer.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].data.google_bigquery_default_service_account.bq_sa[0]:
+ project: ft0-prod-iac-core-0
+ module.factory.module.projects["iac-0"].data.google_logging_project_settings.logging_sa[0]:
+ project: ft0-prod-iac-core-0
+ module.factory.module.projects["iac-0"].data.google_storage_project_service_account.gcs_sa[0]:
+ project: ft0-prod-iac-core-0
+ user_project: null
+ module.factory.module.projects["iac-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 012345-012345-012345
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ folder_id: null
+ labels: null
+ name: ft0-prod-iac-core-0
+ org_id: '1234567890'
+ project_id: ft0-prod-iac-core-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudasset"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/cloudasset.serviceAgent
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudbuild"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/cloudbuild.serviceAgent
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudbuild-sa"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/cloudbuild.builds.builder
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudkms"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/cloudkms.serviceAgent
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/compute.serviceAgent
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/container.serviceAgent
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/container.defaultNodeServiceAgent
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["monitoring-notification"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/monitoring.notificationServiceAgent
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["pubsub"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/pubsub.serviceAgent
+ module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["service-networking"]:
+ condition: []
+ project: ft0-prod-iac-core-0
+ role: roles/servicenetworking.serviceAgent
+ module.factory.module.projects["iac-0"].google_project_service.org_policy_service[0]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: orgpolicy.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["accesscontextmanager.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: accesscontextmanager.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["bigquery.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: bigquery.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["bigqueryreservation.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: bigqueryreservation.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["bigquerystorage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: bigquerystorage.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["billingbudgets.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: billingbudgets.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["cloudasset.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: cloudasset.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["cloudbilling.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: cloudbilling.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["cloudbuild.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: cloudbuild.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["cloudkms.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: cloudkms.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["cloudquotas.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: cloudquotas.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["cloudresourcemanager.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: cloudresourcemanager.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["datacatalog.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: datacatalog.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["essentialcontacts.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: essentialcontacts.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["iam.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: iam.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["iamcredentials.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: iamcredentials.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["logging.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: logging.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["monitoring.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: monitoring.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["networksecurity.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: pubsub.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: serviceusage.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["storage-component.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: storage-component.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: storage.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service.project_services["sts.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-iac-core-0
+ service: sts.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service_identity.default["cloudasset.googleapis.com"]:
+ project: ft0-prod-iac-core-0
+ service: cloudasset.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service_identity.default["cloudkms.googleapis.com"]:
+ project: ft0-prod-iac-core-0
+ service: cloudkms.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service_identity.default["container.googleapis.com"]:
+ project: ft0-prod-iac-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service_identity.default["monitoring.googleapis.com"]:
+ project: ft0-prod-iac-core-0
+ service: monitoring.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service_identity.default["networksecurity.googleapis.com"]:
+ project: ft0-prod-iac-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service_identity.default["pubsub.googleapis.com"]:
+ project: ft0-prod-iac-core-0
+ service: pubsub.googleapis.com
+ timeouts: null
+ module.factory.module.projects["iac-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]:
+ project: ft0-prod-iac-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.factory.module.projects["log-0"].data.google_logging_project_settings.logging_sa[0]:
+ project: ft0-prod-audit-logs-0
+ module.factory.module.projects["log-0"].data.google_storage_project_service_account.gcs_sa[0]:
+ project: ft0-prod-audit-logs-0
+ user_project: null
+ module.factory.module.projects["log-0"].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 012345-012345-012345
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ folder_id: null
+ labels: null
+ name: ft0-prod-audit-logs-0
+ org_id: '1234567890'
+ project_id: ft0-prod-audit-logs-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.factory.module.projects["log-0"].google_project_iam_member.service_agents["pubsub"]:
+ condition: []
+ project: ft0-prod-audit-logs-0
+ role: roles/pubsub.serviceAgent
+ module.factory.module.projects["log-0"].google_project_service.project_services["logging.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-audit-logs-0
+ service: logging.googleapis.com
+ timeouts: null
+ module.factory.module.projects["log-0"].google_project_service.project_services["pubsub.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-audit-logs-0
+ service: pubsub.googleapis.com
+ timeouts: null
+ module.factory.module.projects["log-0"].google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: ft0-prod-audit-logs-0
+ service: storage.googleapis.com
+ timeouts: null
+ module.factory.module.projects["log-0"].google_project_service_identity.default["pubsub.googleapis.com"]:
+ project: ft0-prod-audit-logs-0
+ service: pubsub.googleapis.com
+ timeouts: null
+ ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.serviceAccountTokenCreator"]
+ : condition: []
+ role: roles/iam.serviceAccountTokenCreator
+ service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.workloadIdentityUser"]
+ : condition: []
+ role: roles/iam.workloadIdentityUser
+ service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.serviceAccountTokenCreator"]
+ : condition: []
+ role: roles/iam.serviceAccountTokenCreator
+ service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.workloadIdentityUser"]
+ : condition: []
+ role: roles/iam.workloadIdentityUser
+ service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ module.factory.module.service-accounts["iac-0/iac-networking-ro"].google_service_account.service_account[0]:
+ account_id: iac-networking-ro
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for networking (read-only).
+ email: iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-networking-rw"].google_service_account.service_account[0]:
+ account_id: iac-networking-rw
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for networking (read-write).
+ email: iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-org-cicd-ro"].google_service_account.service_account[0]:
+ account_id: iac-org-cicd-ro
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for org setup CI/CD (read-only).
+ email: iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-org-cicd-rw"].google_service_account.service_account[0]:
+ account_id: iac-org-cicd-rw
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for org setup CI/CD (read-write).
+ email: iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-org-ro"].google_service_account.service_account[0]:
+ account_id: iac-org-ro
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for org setup (read-only).
+ email: iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-org-rw"].google_service_account.service_account[0]:
+ account_id: iac-org-rw
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for org setup (read-write).
+ email: iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-pf-ro"].google_service_account.service_account[0]:
+ account_id: iac-pf-ro
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for project factory (read-only).
+ email: iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-pf-rw"].google_service_account.service_account[0]:
+ account_id: iac-pf-rw
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for project factory (read-write).
+ email: iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-security-ro"].google_service_account.service_account[0]:
+ account_id: iac-security-ro
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for security (read-only).
+ email: iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-security-rw"].google_service_account.service_account[0]:
+ account_id: iac-security-rw
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for security (read-write).
+ email: iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-vpcsc-ro"].google_service_account.service_account[0]:
+ account_id: iac-vpcsc-ro
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for VPC service controls (read-only).
+ email: iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.module.service-accounts["iac-0/iac-vpcsc-rw"].google_service_account.service_account[0]:
+ account_id: iac-vpcsc-rw
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: IaC service account for VPC service controls (read-write).
+ email: iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ project: ft0-prod-iac-core-0
+ timeouts: null
+ module.factory.terraform_data.defaults_preconditions:
+ input: null
+ output: null
+ triggers_replace: null
+ module.factory.terraform_data.project_preconditions:
+ input: null
+ output: null
+ triggers_replace: null
+ module.organization-iam[0].google_logging_organization_sink.sink["audit-logs"]:
+ description: audit-logs (Terraform-managed).
+ destination: logging.googleapis.com/$log_buckets:iac-0/audit-logs
+ disabled: false
+ exclusions: []
+ filter: 'log_id("cloudaudit.googleapis.com/activity") OR
+
+ log_id("cloudaudit.googleapis.com/system_event") OR
+
+ log_id("cloudaudit.googleapis.com/policy") OR
+
+ log_id("cloudaudit.googleapis.com/access_transparency")
+
+ '
+ include_children: true
+ intercept_children: false
+ name: audit-logs
+ org_id: '1234567890'
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/accesscontextmanager.policyAdmin"]:
+ condition: []
+ members:
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/accesscontextmanager.policyAdmin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/billing.creator"]:
+ condition: []
+ members: null
+ org_id: '1234567890'
+ role: roles/billing.creator
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ org_id: '1234567890'
+ role: roles/cloudasset.owner
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudasset.viewer"]:
+ condition: []
+ members:
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/cloudasset.viewer
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ org_id: '1234567890'
+ role: roles/cloudsupport.admin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ org_id: '1234567890'
+ role: roles/cloudsupport.techSupportEditor
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ org_id: '1234567890'
+ role: roles/compute.osAdminLogin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ org_id: '1234567890'
+ role: roles/compute.osLoginExternalUser
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.xpnAdmin"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ org_id: '1234567890'
+ role: roles/compute.xpnAdmin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]:
+ condition: []
+ members:
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/essentialcontacts.admin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/iam.organizationRoleAdmin"]:
+ condition: []
+ members:
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/iam.organizationRoleAdmin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/iam.workforcePoolAdmin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/logging.admin"]:
+ condition: []
+ members:
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/logging.admin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/orgpolicy.policyAdmin"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/orgpolicy.policyAdmin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ org_id: '1234567890'
+ role: roles/owner
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/privilegedaccessmanager.admin"]:
+ condition: []
+ members:
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/privilegedaccessmanager.admin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/resourcemanager.folderAdmin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/resourcemanager.organizationAdmin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/resourcemanager.projectCreator
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]:
+ condition: []
+ members:
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/resourcemanager.projectMover
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]:
+ condition: []
+ members:
+ - group:fabric-fast-owners@google.com
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/resourcemanager.tagAdmin
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
+ condition: []
+ members:
+ - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/resourcemanager.tagUser
+ module.organization-iam[0].google_organization_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ members:
+ - serviceAccount:service-org-1234567890@gcp-sa-pam.iam.gserviceaccount.com
+ org_id: '1234567890'
+ role: roles/viewer
+ module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["audit-logs"]:
+ condition:
+ - expression: resource.name.endsWith('$log_buckets:iac-0/audit-logs')
+ title: audit-logs bucket writer
+ project: audit-logs
+ role: roles/logging.bucketWriter
+ ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagUser"]
+ : condition: []
+ members:
+ - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/resourcemanager.tagUser
+ ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagViewer"]
+ : condition: []
+ members:
+ - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/resourcemanager.tagViewer
+ ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"]
+ : condition: []
+ members:
+ - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/resourcemanager.tagUser
+ ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagViewer"]
+ : condition: []
+ members:
+ - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/resourcemanager.tagViewer
+ module.organization[0].google_logging_organization_settings.default[0]:
+ organization: '1234567890'
+ timeouts: null
+ module.organization[0].google_organization_service_identity.default["pam"]:
+ organization: '1234567890'
+ service: privilegedaccessmanager.googleapis.com
+ timeouts: null
+ module.organization[0].google_tags_tag_key.default["environment"]:
+ allowed_values_regex: null
+ description: Organization-level environments.
+ parent: organizations/1234567890
+ purpose: null
+ purpose_data: null
+ short_name: environment
+ timeouts: null
+ module.organization[0].google_tags_tag_value.default["environment/development"]:
+ description: Development.
+ short_name: development
+ timeouts: null
+ module.organization[0].google_tags_tag_value.default["environment/production"]:
+ description: Production.
+ short_name: production
+ timeouts: null
+ terraform_data.precondition:
+ input: null
+ output: null
+ triggers_replace: null
+ terraform_data.precondition_cicd:
+ input: null
+ output: null
+ triggers_replace: null
+
+counts:
+ google_bigquery_dataset: 1
+ google_bigquery_default_service_account: 2
+ google_billing_account_iam_member: 6
+ google_folder: 7
+ google_folder_iam_binding: 33
+ google_logging_organization_settings: 1
+ google_logging_organization_sink: 1
+ google_logging_project_bucket_config: 3
+ google_logging_project_settings: 2
+ google_org_policy_policy: 1
+ google_organization_iam_binding: 23
+ google_organization_service_identity: 1
+ google_project: 3
+ google_project_iam_audit_config: 3
+ google_project_iam_binding: 17
+ google_project_iam_member: 13
+ google_project_service: 33
+ google_project_service_identity: 9
+ google_service_account: 12
+ google_service_account_iam_member: 4
+ google_storage_bucket: 3
+ google_storage_bucket_iam_binding: 4
+ google_storage_bucket_object: 9
+ google_storage_managed_folder: 4
+ google_storage_managed_folder_iam_binding: 8
+ google_storage_project_service_account: 3
+ google_tags_tag_binding: 5
+ google_tags_tag_key: 1
+ google_tags_tag_value: 2
+ google_tags_tag_value_iam_binding: 4
+ local_file: 8
+ modules: 45
+ resources: 230
+ terraform_data: 4
+
+outputs:
+ iam_principals:
+ domain: domain:example.org
+ gcp-billing-admins: group:gcp-billing-admins@example.org
+ gcp-devops: group:gcp-devops@example.org
+ gcp-network-admins: group:gcp-network-admins@example.org
+ gcp-organization-admins: group:fabric-fast-owners@google.com
+ gcp-secops-admins: group:gcp-secops-admins@example.org
+ gcp-security-admins: group:gcp-security-admins@example.org
+ gcp-support: group:gcp-support@example.org
+ projects: __missing__
+ subnet_ips: {}
+ subnet_self_links: {}
+ tfvars: __missing__
+ vpc_self_links: {}
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml b/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml
new file mode 100644
index 000000000..0640dac5f
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml
@@ -0,0 +1,65 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../fast/stages/0-org-setup/schemas/defaults.schema.json
+
+# defaults:
+# storage_location: europe-west1
+global:
+ billing_account: 012345-012345-012345
+ organization:
+ domain: example.org
+ id: 1234567890
+ customer_id: abcd123456
+projects:
+ defaults:
+ prefix: ft0
+ locations:
+ bigquery: $locations:primary
+ logging: $locations:primary
+ storage: $locations:primary
+ overrides: {}
+output_files:
+ local_path: /tmp/fast-config
+ storage_bucket: $storage_buckets:iac-0/iac-outputs
+ providers:
+ 0-org-setup:
+ bucket: $storage_buckets:iac-0/iac-org-state
+ service_account: $iam_principals:service_accounts/iac-0/iac-org-rw
+ 0-org-setup-ro:
+ bucket: $storage_buckets:iac-0/iac-org-state
+ service_account: $iam_principals:service_accounts/iac-0/iac-org-rw
+ 1-vpcsc:
+ bucket: $storage_buckets:iac-0/iac-stage-state
+ prefix: 1-vpcsc
+ service_account: $iam_principals:service_accounts/iac-0/iac-vpcsc-rw
+ 2-networking:
+ bucket: $storage_buckets:iac-0/iac-stage-state
+ prefix: 2-networking
+ service_account: $iam_principals:service_accounts/iac-0/iac-networking-rw
+ 2-security:
+ bucket: $storage_buckets:iac-0/iac-stage-state
+ prefix: 2-security
+ service_account: $iam_principals:service_accounts/iac-0/iac-security-rw
+ 2-project-factory:
+ bucket: $storage_buckets:iac-0/iac-stage-state
+ prefix: 2-project-factory
+ service_account: $iam_principals:service_accounts/iac-0/iac-pf-rw
+context:
+ iam_principals:
+ gcp-organization-admins: group:fabric-fast-owners@google.com
+ locations:
+ primary: europe-west1
+ workload_identity_providers:
+ iac-0/default/github-default: projects/1234567890/locations/global/workloadIdentityPools/default
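Review bot: The `0-org-setup-ro` provider entry binds the read-write identity, `service_account: $iam_principals:service_accounts/iac-0/iac-org-rw`, identical to the `0-org-setup` provider above it, while the inventory in this same commit creates a separate `iac-org-ro` account described as "IaC service account for org setup (read-only)." If the `-ro` provider is meant for plan-only or read-only runs, it should reference `$iam_principals:service_accounts/iac-0/iac-org-ro`; if sharing the rw identity is intentional for this fixture, a one-line comment above the entry saying so would stop a reader from copying the pattern into a real dataset. The other stage providers in this block each use their own `-rw` account, so this entry is the only one where the name and the principal disagree.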
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/folders/dev/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/folders/dev/.config.yaml
new file mode 100644
index 000000000..700f5219a
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/folders/dev/.config.yaml
@@ -0,0 +1,19 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/folder.schema.json
+
+name: Development
+tag_bindings:
+ environment: $tag_values:environment/development
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/folders/prod/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/folders/prod/.config.yaml
new file mode 100644
index 000000000..f09758b6c
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/folders/prod/.config.yaml
@@ -0,0 +1,19 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/folder.schema.json
+
+name: Production
+tag_bindings:
+ environment: $tag_values:environment/production
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/organization/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/organization/.config.yaml
new file mode 100644
index 000000000..13ffa7377
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/organization/.config.yaml
@@ -0,0 +1,66 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# TODO: data access logs
+
+# yaml-language-server: $schema=../../../schemas/organization.schema.json
+
+id: $defaults:organization/id
+service_agents_config:
+ services:
+ - privilegedaccessmanager.googleapis.com
+
+iam_by_principals:
+ $iam_principals:gcp-organization-admins:
+ - roles/cloudasset.owner
+ - roles/cloudsupport.admin
+ - roles/cloudsupport.techSupportEditor
+ - roles/compute.osAdminLogin
+ - roles/compute.osLoginExternalUser
+ - roles/compute.xpnAdmin
+ - roles/orgpolicy.policyAdmin
+ - roles/owner
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.organizationAdmin
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.tagAdmin
+ - roles/iam.workforcePoolAdmin
+ $iam_principals:service_accounts/iac-0/iac-org-rw:
+ - roles/accesscontextmanager.policyAdmin
+ - roles/cloudasset.viewer
+ - roles/essentialcontacts.admin
+ - roles/iam.organizationRoleAdmin
+ - roles/iam.workforcePoolAdmin
+ - roles/logging.admin
+ - roles/orgpolicy.policyAdmin
+ - roles/privilegedaccessmanager.admin
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.organizationAdmin
+ - roles/resourcemanager.projectCreator
+ - roles/resourcemanager.projectMover
+ - roles/resourcemanager.tagAdmin
+ - roles/resourcemanager.tagUser
+ "$iam_principals:service_agents/pam":
+ - roles/viewer
+logging:
+ sinks:
+ audit-logs:
+ destination: $log_buckets:iac-0/audit-logs
+ filter: |
+ log_id("cloudaudit.googleapis.com/activity") OR
+ log_id("cloudaudit.googleapis.com/system_event") OR
+ log_id("cloudaudit.googleapis.com/policy") OR
+ log_id("cloudaudit.googleapis.com/access_transparency")
+iam:
+ roles/billing.creator: []
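Review bot: The `# TODO: data access logs` comment at the top of the file is detached from the thing it refers to; the `audit-logs` sink `filter: |` routes activity, system_event, policy and access_transparency log IDs and omits `data_access`, so the TODO reads better placed directly above `filter:` and made explicit, e.g. `# TODO: data_access logs are not routed by this sink yet; decide per-project scope before enabling`. The trailing `iam:` block with `roles/billing.creator: []` is also undocumented: the inventory shows it renders as an authoritative binding with `members: null`, i.e. it deliberately strips every existing grant of that role at the organization, which a maintainer could easily mistake for a leftover stub. A comment such as `# authoritative empty binding: intentionally removes all org-level grants of roles/billing.creator` above that key would capture the intent.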
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml b/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml
new file mode 100644
index 000000000..4580772b4
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml
@@ -0,0 +1,43 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/tags.schema.json
+
+description: "Organization-level environments."
+# iam:
+# "roles/resourcemanager.tagViewer":
+# - "group:finance-team@example.com"
+values:
+ development:
+ description: "Development."
+ iam:
+ "roles/resourcemanager.tagUser":
+ - $iam_principals:service_accounts/iac-0/iac-networking-rw
+ - $iam_principals:service_accounts/iac-0/iac-security-rw
+ - $iam_principals:service_accounts/iac-0/iac-pf-rw
+ "roles/resourcemanager.tagViewer":
+ - $iam_principals:service_accounts/iac-0/iac-networking-ro
+ - $iam_principals:service_accounts/iac-0/iac-security-ro
+ - $iam_principals:service_accounts/iac-0/iac-pf-ro
+ production:
+ description: "Production."
+ iam:
+ "roles/resourcemanager.tagUser":
+ - $iam_principals:service_accounts/iac-0/iac-networking-rw
+ - $iam_principals:service_accounts/iac-0/iac-security-rw
+ - $iam_principals:service_accounts/iac-0/iac-pf-rw
+ "roles/resourcemanager.tagViewer":
+ - $iam_principals:service_accounts/iac-0/iac-networking-ro
+ - $iam_principals:service_accounts/iac-0/iac-security-ro
+ - $iam_principals:service_accounts/iac-0/iac-pf-ro
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/dev-app-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/dev-app-0.yaml
new file mode 100644
index 000000000..de3a36d9d
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/dev-app-0.yaml
@@ -0,0 +1,26 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/project.schema.json
+
+name: dev-app-example-0
+parent: $folder_ids:dev
+services:
+ - bigquery.googleapis.com
+ - compute.googleapis.com
+ - logging.googleapis.com
+ - monitoring.googleapis.com
+ - storage.googleapis.com
+shared_vpc_service_config:
+ host_project: $project_ids:dev-net-0
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/prod-app-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/prod-app-0.yaml
new file mode 100644
index 000000000..272953578
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/prod-app-0.yaml
@@ -0,0 +1,26 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/project.schema.json
+
+name: prod-app-example-0
+parent: $folder_ids:prod
+services:
+ - bigquery.googleapis.com
+ - compute.googleapis.com
+ - logging.googleapis.com
+ - monitoring.googleapis.com
+ - storage.googleapis.com
+shared_vpc_service_config:
+ host_project: $project_ids:prod-net-0
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/iac-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/iac-0.yaml
new file mode 100644
index 000000000..1ad613537
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/iac-0.yaml
@@ -0,0 +1,73 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../schemas/project.schema.json
+
+name: prod-iac-core-0
+iam_by_principals:
+ $iam_principals:gcp-organization-admins:
+ - roles/iam.serviceAccountTokenCreator
+ - roles/iam.workloadIdentityPoolAdmin
+ $iam_principals:service_accounts/iac-0/iac-org-rw:
+ - roles/cloudbuild.builds.editor
+ - roles/iam.serviceAccountAdmin
+ - roles/iam.workloadIdentityPoolAdmin
+ - roles/owner
+ - roles/storage.admin
+services:
+ - accesscontextmanager.googleapis.com
+ - bigquery.googleapis.com
+ - bigquerystorage.googleapis.com
+ - cloudbilling.googleapis.com
+ - cloudkms.googleapis.com
+ - cloudresourcemanager.googleapis.com
+ - compute.googleapis.com
+ - container.googleapis.com
+ - essentialcontacts.googleapis.com
+ - iam.googleapis.com
+ - iamcredentials.googleapis.com
+ - logging.googleapis.com
+ - monitoring.googleapis.com
+ - orgpolicy.googleapis.com
+ - pubsub.googleapis.com
+ - serviceusage.googleapis.com
+ - storage-component.googleapis.com
+ - storage.googleapis.com
+ - sts.googleapis.com
+buckets:
+ iac-org-state:
+ description: Terraform state for the org-level automation.
+ versioning: true
+ iam:
+ roles/storage.admin:
+ - $iam_principals:service_accounts/iac-0/iac-org-rw
+ $custom_roles:storage_viewer:
+ - $iam_principals:service_accounts/iac-0/iac-org-ro
+ iac-outputs:
+ description: Terraform state for the org-level automation.
+ versioning: true
+ iam:
+ roles/storage.admin:
+ - $iam_principals:service_accounts/iac-0/iac-org-rw
+service_accounts:
+ iac-org-rw:
+ display_name: IaC service account for org setup (read-write).
+datasets:
+ billing_export:
+ friendly_name: Billing export
+log_buckets:
+ audit-logs:
+ log_analytics:
+ enable: true
+ retention: 31
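Review bot: The bucket IAM on `iac-org-state` references `$iam_principals:service_accounts/iac-0/iac-org-ro`, but the `service_accounts:` block in this file only defines `iac-org-rw`, so unless the read-only account is declared elsewhere in the fixture the reference will not resolve. Either add `iac-org-ro:` under `service_accounts:` with a display name, or drop the `$custom_roles:storage_viewer` binding until it exists. The `iac-outputs` bucket also carries the copy-pasted description `Terraform state for the org-level automation.`; something like `description: Outputs of the org-level automation stages.` would describe it. Separately, `roles/owner` on the project already implies `roles/storage.admin` and `roles/iam.serviceAccountAdmin` for `iac-org-rw`, so the extra grants are redundant and the binding is wider than the stage needs; worth confirming this mirrors the intended least-privilege set rather than a placeholder.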
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/net/dev-net-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/net/dev-net-0.yaml
new file mode 100644
index 000000000..b25044eec
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/net/dev-net-0.yaml
@@ -0,0 +1,27 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/project.schema.json
+
+name: dev-net-shared-0
+parent: $folder_ids:dev
+services:
+ - container.googleapis.com
+ - compute.googleapis.com
+ - dns.googleapis.com
+ - iap.googleapis.com
+ - logging.googleapis.com
+ - monitoring.googleapis.com
+shared_vpc_host_config:
+ enabled: true
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/net/prod-net-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/net/prod-net-0.yaml
new file mode 100644
index 000000000..4607c7669
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/net/prod-net-0.yaml
@@ -0,0 +1,27 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/project.schema.json
+
+name: prod-net-shared-0
+parent: $folder_ids:prod
+services:
+ - container.googleapis.com
+ - compute.googleapis.com
+ - dns.googleapis.com
+ - iap.googleapis.com
+ - logging.googleapis.com
+ - monitoring.googleapis.com
+shared_vpc_host_config:
+ enabled: true
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/.config.yaml
new file mode 100644
index 000000000..a03764602
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/.config.yaml
@@ -0,0 +1,19 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/vpc-factory.schema.json
+
+name: dev-shared-0
+project_id: $project_ids:dev-net-0
+auto_create_subnetworks: false
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/firewall-rules/default-ingress.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/firewall-rules/default-ingress.yaml
new file mode 100644
index 000000000..f224df256
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/firewall-rules/default-ingress.yaml
@@ -0,0 +1,42 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
+
+ingress:
+
+ ingress-default-allow-iap:
+ description: Allow IAP.
+ source_ranges:
+ - 35.235.240.0/20
+ rules:
+ - protocol: all
+ ports: []
+
+ ingress-default-allow-healthchecks:
+ description: Allow GCP Healthcheck Ranges.
+ source_ranges:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+ - 209.85.152.0/22
+ - 209.85.204.0/22
+ rules:
+ - protocol: all
+ ports: []
+
+ ingress-default-allow-icmp:
+ description: Allow ICMP.
+ rules:
+ - protocol: icmp
+ ports: []
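Review bot: `ingress-default-allow-icmp` has no `source_ranges`, so what it admits depends entirely on the factory's default for an absent list; if that default is `0.0.0.0/0`, ICMP is reachable from any source on both shared VPCs. The same file is added verbatim for prod in the next firewall-rules hunk, so the point applies there too. Consider stating the intent explicitly, e.g. `source_ranges:` limited to the RFC 1918 ranges the subnets use, or a comment such as `# no source_ranges: intentionally open to the factory default` if that is deliberate. The IAP rule also uses `protocol: all` with `ports: []`, whereas IAP TCP forwarding only needs TCP on the ports actually forwarded; `- protocol: tcp` with an explicit port list would be tighter.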
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/subnets/default.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/subnets/default.yaml
new file mode 100644
index 000000000..ba2683ce3
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/subnets/default.yaml
@@ -0,0 +1,20 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
+
+name: default
+region: $locations:primary
+ip_cidr_range: 10.0.0.0/24
+description: Default primary-region subnet for dev
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/.config.yaml
new file mode 100644
index 000000000..98071fab3
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/.config.yaml
@@ -0,0 +1,19 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/vpc-factory.schema.json
+
+name: prod-shared-0
+project_id: $project_ids:prod-net-0
+auto_create_subnetworks: false
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/firewall-rules/default-ingress.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/firewall-rules/default-ingress.yaml
new file mode 100644
index 000000000..f224df256
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/firewall-rules/default-ingress.yaml
@@ -0,0 +1,42 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json
+
+ingress:
+
+ ingress-default-allow-iap:
+ description: Allow IAP.
+ source_ranges:
+ - 35.235.240.0/20
+ rules:
+ - protocol: all
+ ports: []
+
+ ingress-default-allow-healthchecks:
+ description: Allow GCP Healthcheck Ranges.
+ source_ranges:
+ - 35.191.0.0/16
+ - 130.211.0.0/22
+ - 209.85.152.0/22
+ - 209.85.204.0/22
+ rules:
+ - protocol: all
+ ports: []
+
+ ingress-default-allow-icmp:
+ description: Allow ICMP.
+ rules:
+ - protocol: icmp
+ ports: []
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/subnets/default.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/subnets/default.yaml
new file mode 100644
index 000000000..15f1b856b
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/subnets/default.yaml
@@ -0,0 +1,20 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/subnet.schema.json
+
+name: default
+region: $locations:primary
+ip_cidr_range: 10.0.0.0/24
+description: Default primary-region subnet for prod
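Review bot: The prod subnet uses `ip_cidr_range: 10.0.0.0/24`, identical to the dev subnet added two hunks earlier. Separate VPCs may overlap, but it rules out later peering, VPN or NCC connectivity between dev and prod without renumbering, and makes flow logs harder to attribute. If this is just fixture data a comment like `# overlaps dev-shared-0 on purpose; the two VPCs are never connected` would make that explicit; otherwise a distinct range such as `10.1.0.0/24` avoids the collision.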
diff --git a/tests/fast/stages/s0_org_setup/tftest.yaml b/tests/fast/stages/s0_org_setup/tftest.yaml
index 26f3a3a61..e31d0e2aa 100644
--- a/tests/fast/stages/s0_org_setup/tftest.yaml
+++ b/tests/fast/stages/s0_org_setup/tftest.yaml
@@ -30,3 +30,8 @@ tests:
- starter-gcd.yaml
extra_dirs:
- ../../../tests/fast/stages/s0_org_setup/data-starter-gcd
+ customizations:
+ inventory:
+ - customizations.yaml
+ extra_dirs:
+ - ../../../tests/fast/stages/s0_org_setup/data-customizations