From 332b516ae864924275943493610f84adfbf84d7d Mon Sep 17 00:00:00 2001 
From: Ludovico Magnocavallo Date: Thu, 14 May 2026 14:36:34 +0200 Subject: [PATCH] Add support for org-level service agents in stage 0 (#3962) * Add support for org-level service agents in stage 0 * update schema doc * Fix service agents context key separator --- fast/stages/0-org-setup/README.md | 4 +- .../classic/organization/.config.yaml | 4 + fast/stages/0-org-setup/organization.tf | 9 +- .../schemas/organization.schema.json | 15 + .../schemas/organization.schema.md | 5 + .../stages/s0_org_setup/customizations.tfvars | 6 + .../stages/s0_org_setup/customizations.yaml | 1684 +++++++++++++++++ .../data-customizations/defaults.yaml | 65 + .../folders/dev/.config.yaml | 19 + .../folders/prod/.config.yaml | 19 + .../organization/.config.yaml | 66 + .../organization/tags/environment.yaml | 43 + .../projects/apps/dev-app-0.yaml | 26 + .../projects/apps/prod-app-0.yaml | 26 + .../data-customizations/projects/iac-0.yaml | 73 + .../projects/net/dev-net-0.yaml | 27 + .../projects/net/prod-net-0.yaml | 27 + .../data-customizations/vpcs/dev/.config.yaml | 19 + .../dev/firewall-rules/default-ingress.yaml | 42 + .../vpcs/dev/subnets/default.yaml | 20 + .../vpcs/prod/.config.yaml | 19 + .../prod/firewall-rules/default-ingress.yaml | 42 + .../vpcs/prod/subnets/default.yaml | 20 + tests/fast/stages/s0_org_setup/tftest.yaml | 5 + 24 files changed, 2281 insertions(+), 4 deletions(-) create mode 100644 tests/fast/stages/s0_org_setup/customizations.tfvars create mode 100644 tests/fast/stages/s0_org_setup/customizations.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/folders/dev/.config.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/folders/prod/.config.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/organization/.config.yaml create mode 100644 
tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/projects/apps/dev-app-0.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/projects/apps/prod-app-0.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/projects/iac-0.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/projects/net/dev-net-0.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/projects/net/prod-net-0.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/.config.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/firewall-rules/default-ingress.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/subnets/default.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/.config.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/firewall-rules/default-ingress.yaml create mode 100644 tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/subnets/default.yaml diff --git a/fast/stages/0-org-setup/README.md b/fast/stages/0-org-setup/README.md index 25f017f0f..759ddbf65 100644 --- a/fast/stages/0-org-setup/README.md +++ b/fast/stages/0-org-setup/README.md 
@@ -406,7 +406,7 @@ The default paths point to the dataset in the `datasets/classic` folder which de - **billing_accounts** (`[dataset]/billing-accounts`) \ folder-level factory where each YAML file defines billing-account level IAM for one billing account; only used for externally managed accounts - **organization** (`[dataset]/organization/.config.yaml`) \ - file-level factory to define organization IAM and log sinks + file-level factory to define organization IAM, service agents, and log sinks - **custom roles** (`[dataset]/organization/custom-roles`) \ folder-level factory to define organization-level custom roles - **org policies** (`[dataset]/organization/org-policies`) \ @@ -515,7 +515,7 @@ logging_sinks: ### Organization configuration -The default dataset implements a classic FAST design, recreating the required custom roles, IAM bindings, org policies, tags, and log sinks via the factories described in a previous section. +The default dataset implements a classic FAST design, recreating the required custom roles, IAM bindings, org policies, tags, service agents, and log sinks via the factories described in a previous section. Compared to classic FAST this approach makes org-level configuration explicit, allowing easy customization of IAM and all other attributes. Before running this stage, check that the data files match your expected design. diff --git a/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml b/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml index 9ea2d5552..f9e2b9476 100644 --- a/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml +++ b/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml 
@@ -61,6 +61,8 @@ iam_by_principals:
 - roles/iam.workforcePoolAdmin
 - roles/logging.admin
 - roles/orgpolicy.policyAdmin
+ # Uncomment to allow managing PAM entitlements.
+ # - roles/privilegedaccessmanager.admin
 - roles/resourcemanager.folderAdmin
 - roles/resourcemanager.organizationAdmin
 - roles/resourcemanager.projectCreator
@@ -74,6 +76,8 @@ iam_by_principals:
 - roles/iam.workforcePoolViewer
 - roles/logging.viewer
 - roles/orgpolicy.policyViewer
+ # Uncomment to allow viewing PAM entitlements.
+ # - roles/privilegedaccessmanager.viewer
 - roles/resourcemanager.folderViewer
 - roles/resourcemanager.tagViewer
 - roles/serviceusage.serviceUsageViewer
diff --git a/fast/stages/0-org-setup/organization.tf b/fast/stages/0-org-setup/organization.tf
index d2ced0949..c1da161dc 100644
--- a/fast/stages/0-org-setup/organization.tf
+++ b/fast/stages/0-org-setup/organization.tf
@@ -90,7 +90,8 @@ module "organization" {
 email_addresses = local.ctx.email_addresses
 locations = local.ctx.locations
 }
- contacts = lookup(local.organization, "contacts", {})
+ contacts = lookup(local.organization, "contacts", {})
+ service_agents_config = lookup(local.organization, "service_agents_config", {})
 factories_config = {
 custom_roles = "${local.paths.organization}/custom-roles"
 tags = "${local.paths.organization}/tags"
@@ -122,7 +123,11 @@ module "organization-iam" {
 )
 iam_principals = merge(
 local.ctx.iam_principals,
- module.factory.iam_principals
+ module.factory.iam_principals,
+ {
+ for k, v in module.organization[0].service_agents :
+ "service_agents/${k}" => v.iam_email
+ }
 )
 log_buckets = module.factory.log_buckets
 project_ids = merge(
diff --git a/fast/stages/0-org-setup/schemas/organization.schema.json b/fast/stages/0-org-setup/schemas/organization.schema.json
index 7e43c5e06..4092e5320 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.json
+++ b/fast/stages/0-org-setup/schemas/organization.schema.json
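Review bot: The comment added above `roles/privilegedaccessmanager.admin` understates what uncommenting it at the organization node does: PAM entitlements are the mechanism by which elevated roles get granted on request, so a holder of this role can define escalation paths for the whole organization, and the comment should say so in a list that already carries `roles/resourcemanager.organizationAdmin`. Suggested wording: `# Uncomment to allow managing PAM entitlements (entitlements can grant elevated roles org-wide; review before enabling).` The PAM comments are also unrelated to the service-agents feature the commit subject describes and would be easier to audit in their own commit. The `iam_by_principals` mapping starts and ends outside the hunk.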
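Review bot: The third map in the `merge()` shares a flat key space with `local.ctx.iam_principals` and `module.factory.iam_principals`, and `merge()` resolves duplicate keys last-wins with no diagnostic, so a context or factory principal already named `service_agents/<key>` is silently replaced by the module's `iam_email` and any IAM binding written against that alias lands on a different identity than the data file intended. Either document the `service_agents/` prefix as reserved in the organization schema and README, or fail fast with a precondition such as `length([for k in keys(module.organization[0].service_agents) : k if contains(keys(local.ctx.iam_principals), "service_agents/${k}")]) == 0`. The `[0]` index implies `module.organization` has a `count`; whether `organization-iam` is gated by the same condition is not visible in the hunk, and if it is not, a zero count turns this expression into a plan-time index error. The binding targets are agent emails that presumably exist only once `create_agents` is set, so a grant to a not-yet-provisioned agent would fail at apply time and deserves a sentence in the README. The `module "organization-iam"` block starts and ends outside the hunk.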
@@ -305,6 +305,21 @@
 "pam_entitlements": {
 "$ref": "#/$defs/pam_entitlements"
 },
+ "service_agents_config": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "create_agents": {
+ "type": "boolean"
+ },
+ "services": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
 "tags": {
 "type": "object",
 "additionalProperties": {
diff --git a/fast/stages/0-org-setup/schemas/organization.schema.md b/fast/stages/0-org-setup/schemas/organization.schema.md
index 8f8c28f1b..9523f7334 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.md
+++ b/fast/stages/0-org-setup/schemas/organization.schema.md
@@ -96,6 +96,11 @@
 - **location**: *string*
 - **title**: *string*
 - **pam_entitlements**: *reference([pam_entitlements](#refs-pam_entitlements))*
+- **service_agents_config**: *object* +
*additional properties: false*
+ - **create_agents**: *boolean*
+ - **services**: *array*
+ - items: *string*
 - **tags**: *object*
*additional properties: object*
 - **workforce_identity_pools**: *object*
diff --git a/tests/fast/stages/s0_org_setup/customizations.tfvars b/tests/fast/stages/s0_org_setup/customizations.tfvars
new file mode 100644
index 000000000..5d101d0bd
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/customizations.tfvars
@@ -0,0 +1,6 @@
+factories_config = {
+ paths = {
+ defaults = "./data-customizations/defaults.yaml"
+ organization = "./data-customizations/organization"
+ }
+}
diff --git a/tests/fast/stages/s0_org_setup/customizations.yaml b/tests/fast/stages/s0_org_setup/customizations.yaml
new file mode 100644
index 000000000..f6c2ce114
--- /dev/null
+++ b/tests/fast/stages/s0_org_setup/customizations.yaml
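Review bot: `create_agents` and `services` are added without a `description`, and `services` accepts any string including duplicates, so neither this schema nor the generated `organization.schema.md` tells a data-file author what a service entry looks like or that `create_agents: true` provisions agents at the organization level; the README change in this commit only inserts the words "service agents" into two lists. Adding `"uniqueItems": true` under `"services"` and a one-line `description` on each of the two properties would surface that when the markdown is regenerated. Whether the module expects bare service names or `*.googleapis.com` identifiers is not visible here, so the description text should be taken from the organization module's variable documentation. The enclosing `properties` object starts and ends outside the hunk.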
@@ -0,0 +1,1684 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + google_storage_bucket_object.providers["0-org-setup"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ + \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ + \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: null + 
detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/0-org-setup-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["0-org-setup-ro"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ + \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ + \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: null + detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/0-org-setup-ro-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["1-vpcsc"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ 
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"1-vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: null + detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/1-vpcsc-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-networking"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * 
WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"2-networking\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: null + detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/2-networking-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-project-factory"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = 
\"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix =\ + \ \"2-project-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider \"\ + google-beta\" {\n impersonate_service_account = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: null + detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/2-project-factory-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-security"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"2-security\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + 
content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: null + detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: providers/2-security-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.tfvars["globals"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content: '{"billing_account":{"id":"012345-012345-012345"},"groups":{"domain":"domain:example.org","gcp-billing-admins":"group:gcp-billing-admins@example.org","gcp-devops":"group:gcp-devops@example.org","gcp-network-admins":"group:gcp-network-admins@example.org","gcp-organization-admins":"group:fabric-fast-owners@google.com","gcp-secops-admins":"group:gcp-secops-admins@example.org","gcp-security-admins":"group:gcp-security-admins@example.org","gcp-support":"group:gcp-support@example.org"},"organization":{"customer_id":"abcd123456","domain":"example.org","id":"1234567890"},"prefix":"ft0","universe":null}' + content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: null + detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: tfvars/0-globals.auto.tfvars.json + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.tfvars["org-setup"]: + bucket: ft0-prod-iac-core-0-iac-outputs + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: null + detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: tfvars/0-org-setup.auto.tfvars.json + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.version[0]: + bucket: ft0-prod-iac-core-0-iac-outputs + 
cache_control: null + content_disposition: null + content_encoding: null + content_language: null + contexts: [] + customer_encryption: [] + deletion_policy: null + detect_md5hash: null + event_based_hold: null + force_empty_content_type: null + metadata: null + name: versions/0-org-setup-version.txt + retention: [] + source: fast_version.txt + temporary_hold: null + timeouts: null + local_file.providers["0-org-setup"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ + \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ + \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/0-org-setup-providers.tf + sensitive_content: null + source: null + local_file.providers["0-org-setup-ro"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License 
at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-org-state\"\n impersonate_service_account\ + \ = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n}\nprovider\ + \ \"google\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/0-org-setup-ro-providers.tf + sensitive_content: null + source: null + local_file.providers["1-vpcsc"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"1-vpcsc\"\n }\n}\nprovider \"google\" 
{\n impersonate_service_account\ + \ = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/1-vpcsc-providers.tf + sensitive_content: null + source: null + local_file.providers["2-networking"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"2-networking\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/2-networking-providers.tf + sensitive_content: null + source: null + local_file.providers["2-project-factory"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not 
use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n impersonate_service_account\ + \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix =\ + \ \"2-project-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider \"\ + google-beta\" {\n impersonate_service_account = \"iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/2-project-factory-providers.tf + sensitive_content: null + source: null + local_file.providers["2-security"]: + content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"ft0-prod-iac-core-0-iac-stage-state\"\n 
impersonate_service_account\ + \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n prefix\ + \ = \"2-security\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\n}\nprovider\ + \ \"google-beta\" {\n impersonate_service_account = \"iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n" + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/providers/2-security-providers.tf + sensitive_content: null + source: null + local_file.tfvars["globals"]: + content: '{"billing_account":{"id":"012345-012345-012345"},"groups":{"domain":"domain:example.org","gcp-billing-admins":"group:gcp-billing-admins@example.org","gcp-devops":"group:gcp-devops@example.org","gcp-network-admins":"group:gcp-network-admins@example.org","gcp-organization-admins":"group:fabric-fast-owners@google.com","gcp-secops-admins":"group:gcp-secops-admins@example.org","gcp-security-admins":"group:gcp-security-admins@example.org","gcp-support":"group:gcp-support@example.org"},"organization":{"customer_id":"abcd123456","domain":"example.org","id":"1234567890"},"prefix":"ft0","universe":null}' + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/tfvars/0-globals.auto.tfvars.json + sensitive_content: null + source: null + local_file.tfvars["org-setup"]: + content_base64: null + directory_permission: '0777' + file_permission: '0644' + filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json + sensitive_content: null + source: null + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_admins"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: group:fabric-fast-owners@google.com + role: roles/billing.admin + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_sa"]: + 
billing_account_id: 012345-012345-012345 + condition: [] + member: serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.admin + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_networking_sa"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.user + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_pf_sa"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.user + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_user_security_sa"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.user + module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_viewer_org_ro"]: + billing_account_id: 012345-012345-012345 + condition: [] + member: serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/billing.viewer + module.factory.module.bigquery-datasets["billing-0/billing_export"].google_bigquery_dataset.default: + dataset_id: billing_export + default_encryption_configuration: [] + default_partition_expiration_ms: null + default_table_expiration_ms: null + delete_contents_on_destroy: false + description: Terraform managed. 
+ effective_labels: + goog-terraform-provisioned: 'true' + external_catalog_dataset_options: [] + external_dataset_reference: [] + friendly_name: Billing export + labels: null + location: europe-west1 + max_time_travel_hours: '168' + project: ft0-prod-billing-exp-0 + resource_tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + ip_filter: [] + labels: null + lifecycle_rule: [] + location: EUROPE-WEST1 + logging: [] + name: ft0-prod-iac-core-0-iac-org-state + project: ft0-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + ? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-org-state + condition: [] + role: $custom_roles:storage_viewer + timeouts: null + ? 
module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-org-state + condition: [] + role: roles/storage.admin + timeouts: null + module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + ip_filter: [] + labels: null + lifecycle_rule: [] + location: EUROPE-WEST1 + logging: [] + name: ft0-prod-iac-core-0-iac-outputs + project: ft0-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + ? module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-outputs + condition: [] + role: $custom_roles:storage_viewer + timeouts: null + module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"]: + bucket: ft0-prod-iac-core-0-iac-outputs + condition: [] + role: roles/storage.admin + timeouts: null + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + ip_filter: [] + labels: null + lifecycle_rule: [] + location: EUROPE-WEST1 + logging: [] + name: ft0-prod-iac-core-0-iac-stage-state + project: ft0-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + 
terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["1-vpcsc/"]: + bucket: ft0-prod-iac-core-0-iac-stage-state + force_destroy: false + name: 1-vpcsc/ + timeouts: null + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-networking/"]: + bucket: ft0-prod-iac-core-0-iac-stage-state + force_destroy: false + name: 2-networking/ + timeouts: null + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-project-factory/"]: + bucket: ft0-prod-iac-core-0-iac-stage-state + force_destroy: false + name: 2-project-factory/ + timeouts: null + module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder.folder["2-security/"]: + bucket: ft0-prod-iac-core-0-iac-stage-state + force_destroy: false + name: 2-security/ + timeouts: null + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["1-vpcsc/$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 1-vpcsc/ + role: $custom_roles:storage_viewer + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["1-vpcsc/roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 1-vpcsc/ + role: roles/storage.admin + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-networking/ + role: $custom_roles:storage_viewer + ? 
module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-networking/ + role: roles/storage.admin + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-project-factory/ + role: $custom_roles:storage_viewer + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-project-factory/ + role: roles/storage.admin + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/$custom_roles:storage_viewer"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-security/ + role: $custom_roles:storage_viewer + ? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/roles/storage.admin"] + : bucket: ft0-prod-iac-core-0-iac-stage-state + condition: [] + managed_folder: 2-security/ + role: roles/storage.admin + ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"] + : condition: [] + role: $custom_roles:project_iam_viewer + ? 
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"] + : condition: [] + role: $custom_roles:service_project_network_admin + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.viewer"]: + condition: [] + role: roles/compute.viewer + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + role: roles/compute.xpnAdmin + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + role: roles/logging.admin + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + role: roles/owner + ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + : condition: [] + role: roles/resourcemanager.folderAdmin + ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + : condition: [] + role: roles/resourcemanager.folderViewer + ? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + : condition: [] + role: roles/resourcemanager.projectCreator + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + role: roles/resourcemanager.tagUser + ? 
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"] + : condition: [] + role: roles/resourcemanager.tagViewer + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + role: roles/viewer + module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["project_factory"]: + condition: + - description: null + expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\ + \ 'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',\n 'roles/container.hostServiceAgentUser',\ + \ 'roles/vpcaccess.user'\n])\n" + title: Project factory delegated IAM grant. + role: roles/resourcemanager.projectIamAdmin + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]: + condition: [] + role: $custom_roles:project_iam_viewer + ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"] + : condition: [] + role: roles/cloudkms.cryptoKeyEncrypterDecrypter + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"]: + condition: [] + role: roles/cloudkms.viewer + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + role: roles/logging.admin + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + role: roles/owner + ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"] + : condition: [] + role: roles/resourcemanager.folderAdmin + ? 
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"] + : condition: [] + role: roles/resourcemanager.folderViewer + ? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + : condition: [] + role: roles/resourcemanager.projectCreator + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + role: roles/resourcemanager.tagUser + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: + condition: [] + role: roles/resourcemanager.tagViewer + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + role: roles/viewer + module.factory.module.folder-1-iam["security"].google_folder_iam_binding.bindings["project_factory"]: + condition: + - description: null + expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\ + \ 'roles/cloudkms.cryptoKeyEncrypterDecrypter'\n])\n" + title: Project factory delegated IAM grant. + role: roles/resourcemanager.projectIamAdmin + ? module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"] + : condition: [] + role: $custom_roles:service_project_network_admin + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + role: roles/owner + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + role: roles/resourcemanager.folderAdmin + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + role: roles/resourcemanager.folderViewer + ? 
module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"] + : condition: [] + role: roles/resourcemanager.projectCreator + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + role: roles/resourcemanager.tagUser + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: + condition: [] + role: roles/resourcemanager.tagViewer + module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + role: roles/viewer + module.factory.module.folder-1-iam["teams"].google_tags_tag_binding.binding["context"]: + tag_value: $tag_values:context/project-factory + timeouts: null + module.factory.module.folder-1["networking"].google_folder.folder[0]: + deletion_protection: false + display_name: Networking + parent: organizations/1234567890 + tags: null + timeouts: null + module.factory.module.folder-1["security"].google_folder.folder[0]: + deletion_protection: false + display_name: Security + parent: organizations/1234567890 + tags: null + timeouts: null + module.factory.module.folder-1["teams"].google_folder.folder[0]: + deletion_protection: false + display_name: Teams + parent: organizations/1234567890 + tags: null + timeouts: null + module.factory.module.folder-2-iam["networking/dev"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.factory.module.folder-2-iam["networking/prod"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.factory.module.folder-2-iam["security/dev"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.factory.module.folder-2-iam["security/prod"].google_tags_tag_binding.binding["environment"]: + timeouts: null + module.factory.module.folder-2["networking/dev"].google_folder.folder[0]: + deletion_protection: false + display_name: 
Development + tags: null + timeouts: null + module.factory.module.folder-2["networking/prod"].google_folder.folder[0]: + deletion_protection: false + display_name: Production + tags: null + timeouts: null + module.factory.module.folder-2["security/dev"].google_folder.folder[0]: + deletion_protection: false + display_name: Development + tags: null + timeouts: null + module.factory.module.folder-2["security/prod"].google_folder.folder[0]: + deletion_protection: false + display_name: Production + tags: null + timeouts: null + module.factory.module.log-buckets["log-0/audit-logs"].google_logging_project_bucket_config.bucket[0]: + bucket_id: audit-logs + cmek_settings: [] + enable_analytics: false + index_configs: [] + location: europe-west1 + locked: null + project: ft0-prod-audit-logs-0 + retention_days: 30 + module.factory.module.log-buckets["log-0/iam"].google_logging_project_bucket_config.bucket[0]: + bucket_id: iam + cmek_settings: [] + enable_analytics: false + index_configs: [] + location: europe-west1 + locked: null + project: ft0-prod-audit-logs-0 + retention_days: 30 + module.factory.module.log-buckets["log-0/vpc-sc"].google_logging_project_bucket_config.bucket[0]: + bucket_id: vpc-sc + cmek_settings: [] + enable_analytics: true + index_configs: [] + location: europe-west1 + locked: null + project: ft0-prod-audit-logs-0 + retention_days: 31 + module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + project: ft0-prod-billing-exp-0 + role: roles/owner + module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + project: ft0-prod-billing-exp-0 + role: roles/viewer + module.factory.module.projects-iam["iac-0"].google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: + dry_run_spec: [] + name: projects/ft0-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders + parent: projects/ft0-prod-iac-core-0 + spec: + - 
inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - https://token.actions.githubusercontent.com + - https://gitlab.com + - https://app.terraform.io + denied_values: null + timeouts: null + module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["iam.googleapis.com"]: + audit_log_config: + - exempted_members: [] + log_type: DATA_READ + - exempted_members: [] + log_type: DATA_WRITE + project: ft0-prod-iac-core-0 + service: iam.googleapis.com + module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["storage.googleapis.com"]: + audit_log_config: + - exempted_members: [] + log_type: DATA_READ + - exempted_members: [] + log_type: DATA_WRITE + project: ft0-prod-iac-core-0 + service: storage.googleapis.com + module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["sts.googleapis.com"]: + audit_log_config: + - exempted_members: [] + log_type: DATA_READ + - exempted_members: [] + log_type: DATA_WRITE + project: ft0-prod-iac-core-0 + service: sts.googleapis.com + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["$custom_roles:storage_viewer"]: + condition: [] + project: ft0-prod-iac-core-0 + role: $custom_roles:storage_viewer + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/browser"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/browser + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudbuild.builds.editor + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudbuild.builds.viewer + 
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/iam.serviceAccountAdmin + ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] + project: ft0-prod-iac-core-0 + role: roles/iam.serviceAccountTokenCreator + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/iam.serviceAccountViewer + ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"] + : condition: [] + project: ft0-prod-iac-core-0 + role: roles/iam.workloadIdentityPoolAdmin + ? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"] + : condition: [] + project: ft0-prod-iac-core-0 + role: roles/iam.workloadIdentityPoolViewer + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/owner + ? 
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: ft0-prod-iac-core-0 + role: roles/serviceusage.serviceUsageConsumer + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/storage.admin"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/storage.admin + module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/viewer + module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + project: ft0-prod-audit-logs-0 + role: roles/owner + module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + project: ft0-prod-audit-logs-0 + role: roles/viewer + module.factory.module.projects["billing-0"].data.google_bigquery_default_service_account.bq_sa[0]: + project: ft0-prod-billing-exp-0 + module.factory.module.projects["billing-0"].data.google_storage_project_service_account.gcs_sa[0]: + project: ft0-prod-billing-exp-0 + user_project: null + module.factory.module.projects["billing-0"].google_project.project[0]: + auto_create_network: false + billing_account: 012345-012345-012345 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: ft0-prod-billing-exp-0 + org_id: '1234567890' + project_id: ft0-prod-billing-exp-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.factory.module.projects["billing-0"].google_project_iam_member.service_agents["bigquerydatatransfer"]: + condition: [] + project: ft0-prod-billing-exp-0 + role: roles/bigquerydatatransfer.serviceAgent + module.factory.module.projects["billing-0"].google_project_service.project_services["bigquery.googleapis.com"]: + 
disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-billing-exp-0 + service: bigquery.googleapis.com + timeouts: null + module.factory.module.projects["billing-0"].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-billing-exp-0 + service: bigquerydatatransfer.googleapis.com + timeouts: null + module.factory.module.projects["billing-0"].google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-billing-exp-0 + service: storage.googleapis.com + timeouts: null + module.factory.module.projects["billing-0"].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]: + project: ft0-prod-billing-exp-0 + service: bigquerydatatransfer.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].data.google_bigquery_default_service_account.bq_sa[0]: + project: ft0-prod-iac-core-0 + module.factory.module.projects["iac-0"].data.google_logging_project_settings.logging_sa[0]: + project: ft0-prod-iac-core-0 + module.factory.module.projects["iac-0"].data.google_storage_project_service_account.gcs_sa[0]: + project: ft0-prod-iac-core-0 + user_project: null + module.factory.module.projects["iac-0"].google_project.project[0]: + auto_create_network: false + billing_account: 012345-012345-012345 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: ft0-prod-iac-core-0 + org_id: '1234567890' + project_id: ft0-prod-iac-core-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudasset"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudasset.serviceAgent + 
module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudbuild"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudbuild.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudbuild-sa"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudbuild.builds.builder + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["cloudkms"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/cloudkms.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["compute-system"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/compute.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["container-engine-robot"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/container.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["gkenode"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/container.defaultNodeServiceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["monitoring-notification"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/monitoring.notificationServiceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["pubsub"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/pubsub.serviceAgent + module.factory.module.projects["iac-0"].google_project_iam_member.service_agents["service-networking"]: + condition: [] + project: ft0-prod-iac-core-0 + role: roles/servicenetworking.serviceAgent + module.factory.module.projects["iac-0"].google_project_service.org_policy_service[0]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: orgpolicy.googleapis.com + timeouts: null + 
module.factory.module.projects["iac-0"].google_project_service.project_services["accesscontextmanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: accesscontextmanager.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["bigquery.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: bigquery.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["bigqueryreservation.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: bigqueryreservation.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["bigquerystorage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: bigquerystorage.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["billingbudgets.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: billingbudgets.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudasset.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudasset.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudbilling.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudbilling.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudbuild.googleapis.com"]: + 
disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudbuild.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudkms.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudquotas.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudquotas.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["cloudresourcemanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: cloudresourcemanager.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["compute.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: compute.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["container.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: container.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["datacatalog.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: datacatalog.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["essentialcontacts.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: essentialcontacts.googleapis.com + timeouts: null 
+ module.factory.module.projects["iac-0"].google_project_service.project_services["iam.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: iam.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["iamcredentials.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: iamcredentials.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["logging.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: logging.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["monitoring.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: monitoring.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["networksecurity.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: pubsub.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["servicenetworking.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: servicenetworking.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]: + disable_dependent_services: false + 
disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: serviceusage.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["storage-component.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: storage-component.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: storage.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service.project_services["sts.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-iac-core-0 + service: sts.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["cloudasset.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: cloudasset.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["cloudkms.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["container.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: container.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["monitoring.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: monitoring.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["networksecurity.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["pubsub.googleapis.com"]: + project: 
ft0-prod-iac-core-0 + service: pubsub.googleapis.com + timeouts: null + module.factory.module.projects["iac-0"].google_project_service_identity.default["servicenetworking.googleapis.com"]: + project: ft0-prod-iac-core-0 + service: servicenetworking.googleapis.com + timeouts: null + module.factory.module.projects["log-0"].data.google_logging_project_settings.logging_sa[0]: + project: ft0-prod-audit-logs-0 + module.factory.module.projects["log-0"].data.google_storage_project_service_account.gcs_sa[0]: + project: ft0-prod-audit-logs-0 + user_project: null + module.factory.module.projects["log-0"].google_project.project[0]: + auto_create_network: false + billing_account: 012345-012345-012345 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: ft0-prod-audit-logs-0 + org_id: '1234567890' + project_id: ft0-prod-audit-logs-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.factory.module.projects["log-0"].google_project_iam_member.service_agents["pubsub"]: + condition: [] + project: ft0-prod-audit-logs-0 + role: roles/pubsub.serviceAgent + module.factory.module.projects["log-0"].google_project_service.project_services["logging.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-audit-logs-0 + service: logging.googleapis.com + timeouts: null + module.factory.module.projects["log-0"].google_project_service.project_services["pubsub.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-audit-logs-0 + service: pubsub.googleapis.com + timeouts: null + module.factory.module.projects["log-0"].google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: ft0-prod-audit-logs-0 + service: storage.googleapis.com + timeouts: null + 
module.factory.module.projects["log-0"].google_project_service_identity.default["pubsub.googleapis.com"]: + project: ft0-prod-audit-logs-0 + service: pubsub.googleapis.com + timeouts: null + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.serviceAccountTokenCreator"] + : condition: [] + role: roles/iam.serviceAccountTokenCreator + service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-ro"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-ro-roles/iam.workloadIdentityUser"] + : condition: [] + role: roles/iam.workloadIdentityUser + service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.serviceAccountTokenCreator"] + : condition: [] + role: roles/iam.serviceAccountTokenCreator + service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + ? module.factory.module.service-accounts-iam["iac-0/iac-org-cicd-rw"].google_service_account_iam_member.additive["$service_account_ids:iac-0/iac-org-rw-roles/iam.workloadIdentityUser"] + : condition: [] + role: roles/iam.workloadIdentityUser + service_account_id: projects/ft0-prod-iac-core-0/serviceAccounts/iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + module.factory.module.service-accounts["iac-0/iac-networking-ro"].google_service_account.service_account[0]: + account_id: iac-networking-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for networking (read-only). 
+ email: iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-networking-rw"].google_service_account.service_account[0]: + account_id: iac-networking-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for networking (read-write). + email: iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-org-cicd-ro"].google_service_account.service_account[0]: + account_id: iac-org-cicd-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for org setup CI/CD (read-only). + email: iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-org-cicd-rw"].google_service_account.service_account[0]: + account_id: iac-org-cicd-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for org setup CI/CD (read-write). + email: iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-org-ro"].google_service_account.service_account[0]: + account_id: iac-org-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for org setup (read-only). 
+ email: iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-org-rw"].google_service_account.service_account[0]: + account_id: iac-org-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for org setup (read-write). + email: iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-pf-ro"].google_service_account.service_account[0]: + account_id: iac-pf-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for project factory (read-only). + email: iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-pf-rw"].google_service_account.service_account[0]: + account_id: iac-pf-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for project factory (read-write). + email: iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-security-ro"].google_service_account.service_account[0]: + account_id: iac-security-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for security (read-only). 
+ email: iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-security-rw"].google_service_account.service_account[0]: + account_id: iac-security-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for security (read-write). + email: iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-vpcsc-ro"].google_service_account.service_account[0]: + account_id: iac-vpcsc-ro + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for VPC service controls (read-only). + email: iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.module.service-accounts["iac-0/iac-vpcsc-rw"].google_service_account.service_account[0]: + account_id: iac-vpcsc-rw + create_ignore_already_exists: null + description: null + disabled: false + display_name: IaC service account for VPC service controls (read-write). + email: iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + project: ft0-prod-iac-core-0 + timeouts: null + module.factory.terraform_data.defaults_preconditions: + input: null + output: null + triggers_replace: null + module.factory.terraform_data.project_preconditions: + input: null + output: null + triggers_replace: null + module.organization-iam[0].google_logging_organization_sink.sink["audit-logs"]: + description: audit-logs (Terraform-managed). 
+ destination: logging.googleapis.com/$log_buckets:iac-0/audit-logs + disabled: false + exclusions: [] + filter: 'log_id("cloudaudit.googleapis.com/activity") OR + + log_id("cloudaudit.googleapis.com/system_event") OR + + log_id("cloudaudit.googleapis.com/policy") OR + + log_id("cloudaudit.googleapis.com/access_transparency") + + ' + include_children: true + intercept_children: false + name: audit-logs + org_id: '1234567890' + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/accesscontextmanager.policyAdmin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/accesscontextmanager.policyAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/billing.creator"]: + condition: [] + members: null + org_id: '1234567890' + role: roles/billing.creator + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudasset.owner"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/cloudasset.owner + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudasset.viewer"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/cloudasset.viewer + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/cloudsupport.admin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/cloudsupport.techSupportEditor + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]: + condition: [] + members: + 
- group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/compute.osAdminLogin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/compute.osLoginExternalUser + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/compute.xpnAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/essentialcontacts.admin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/iam.organizationRoleAdmin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/iam.organizationRoleAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/iam.workforcePoolAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/logging.admin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/orgpolicy.policyAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/orgpolicy.policyAdmin + 
module.organization-iam[0].google_organization_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + org_id: '1234567890' + role: roles/owner + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/privilegedaccessmanager.admin"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/privilegedaccessmanager.admin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.folderAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.organizationAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.projectCreator + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.projectMover + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]: + condition: [] + members: + - group:fabric-fast-owners@google.com + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: 
'1234567890' + role: roles/resourcemanager.tagAdmin + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + members: + - serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/resourcemanager.tagUser + module.organization-iam[0].google_organization_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:service-org-1234567890@gcp-sa-pam.iam.gserviceaccount.com + org_id: '1234567890' + role: roles/viewer + module.organization-iam[0].google_project_iam_member.bucket_sinks_binding["audit-logs"]: + condition: + - expression: resource.name.endsWith('$log_buckets:iac-0/audit-logs') + title: audit-logs bucket writer + project: audit-logs + role: roles/logging.bucketWriter + ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagUser"] + : condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/development:roles/resourcemanager.tagViewer"] + : condition: [] + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer + ? 
module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagUser"] + : condition: [] + members: + - serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + ? module.organization-iam[0].google_tags_tag_value_iam_binding.default["environment/production:roles/resourcemanager.tagViewer"] + : condition: [] + members: + - serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com + role: roles/resourcemanager.tagViewer + module.organization[0].google_logging_organization_settings.default[0]: + organization: '1234567890' + timeouts: null + module.organization[0].google_organization_service_identity.default["pam"]: + organization: '1234567890' + service: privilegedaccessmanager.googleapis.com + timeouts: null + module.organization[0].google_tags_tag_key.default["environment"]: + allowed_values_regex: null + description: Organization-level environments. + parent: organizations/1234567890 + purpose: null + purpose_data: null + short_name: environment + timeouts: null + module.organization[0].google_tags_tag_value.default["environment/development"]: + description: Development. + short_name: development + timeouts: null + module.organization[0].google_tags_tag_value.default["environment/production"]: + description: Production. 
+ short_name: production + timeouts: null + terraform_data.precondition: + input: null + output: null + triggers_replace: null + terraform_data.precondition_cicd: + input: null + output: null + triggers_replace: null + +counts: + google_bigquery_dataset: 1 + google_bigquery_default_service_account: 2 + google_billing_account_iam_member: 6 + google_folder: 7 + google_folder_iam_binding: 33 + google_logging_organization_settings: 1 + google_logging_organization_sink: 1 + google_logging_project_bucket_config: 3 + google_logging_project_settings: 2 + google_org_policy_policy: 1 + google_organization_iam_binding: 23 + google_organization_service_identity: 1 + google_project: 3 + google_project_iam_audit_config: 3 + google_project_iam_binding: 17 + google_project_iam_member: 13 + google_project_service: 33 + google_project_service_identity: 9 + google_service_account: 12 + google_service_account_iam_member: 4 + google_storage_bucket: 3 + google_storage_bucket_iam_binding: 4 + google_storage_bucket_object: 9 + google_storage_managed_folder: 4 + google_storage_managed_folder_iam_binding: 8 + google_storage_project_service_account: 3 + google_tags_tag_binding: 5 + google_tags_tag_key: 1 + google_tags_tag_value: 2 + google_tags_tag_value_iam_binding: 4 + local_file: 8 + modules: 45 + resources: 230 + terraform_data: 4 + +outputs: + iam_principals: + domain: domain:example.org + gcp-billing-admins: group:gcp-billing-admins@example.org + gcp-devops: group:gcp-devops@example.org + gcp-network-admins: group:gcp-network-admins@example.org + gcp-organization-admins: group:fabric-fast-owners@google.com + gcp-secops-admins: group:gcp-secops-admins@example.org + gcp-security-admins: group:gcp-security-admins@example.org + gcp-support: group:gcp-support@example.org + projects: __missing__ + subnet_ips: {} + subnet_self_links: {} + tfvars: __missing__ + vpc_self_links: {} 
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml b/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml new file mode 100644 index 000000000..0640dac5f --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/defaults.yaml 
@@ -0,0 +1,65 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../../fast/stages/0-org-setup/schemas/defaults.schema.json + +# defaults: +# storage_location: europe-west1 +global: + billing_account: 012345-012345-012345 + organization: + domain: example.org + id: 1234567890 + customer_id: abcd123456 +projects: + defaults: + prefix: ft0 + locations: + bigquery: $locations:primary + logging: $locations:primary + storage: $locations:primary + overrides: {} +output_files: + local_path: /tmp/fast-config + storage_bucket: $storage_buckets:iac-0/iac-outputs + providers: + 0-org-setup: + bucket: $storage_buckets:iac-0/iac-org-state + service_account: $iam_principals:service_accounts/iac-0/iac-org-rw + 0-org-setup-ro: + bucket: $storage_buckets:iac-0/iac-org-state + service_account: $iam_principals:service_accounts/iac-0/iac-org-rw + 1-vpcsc: + bucket: $storage_buckets:iac-0/iac-stage-state + prefix: 1-vpcsc + service_account: $iam_principals:service_accounts/iac-0/iac-vpcsc-rw + 2-networking: + bucket: $storage_buckets:iac-0/iac-stage-state + prefix: 2-networking + service_account: $iam_principals:service_accounts/iac-0/iac-networking-rw + 2-security: + bucket: $storage_buckets:iac-0/iac-stage-state + prefix: 2-security + service_account: $iam_principals:service_accounts/iac-0/iac-security-rw + 2-project-factory: + bucket: $storage_buckets:iac-0/iac-stage-state + prefix: 2-project-factory + 
service_account: $iam_principals:service_accounts/iac-0/iac-pf-rw +context: + iam_principals: + gcp-organization-admins: group:fabric-fast-owners@google.com + locations: + primary: europe-west1 + workload_identity_providers: + iac-0/default/github-default: projects/1234567890/locations/global/workloadIdentityPools/default diff --git a/tests/fast/stages/s0_org_setup/data-customizations/folders/dev/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/folders/dev/.config.yaml new file mode 100644 index 000000000..700f5219a --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/folders/dev/.config.yaml @@ -0,0 +1,19 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../schemas/folder.schema.json + +name: Development +tag_bindings: + environment: $tag_values:environment/development diff --git a/tests/fast/stages/s0_org_setup/data-customizations/folders/prod/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/folders/prod/.config.yaml new file mode 100644 index 000000000..f09758b6c --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/folders/prod/.config.yaml 
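Review bot: The `0-org-setup-ro` provider under `output_files.providers` impersonates the read-write identity, `service_account: $iam_principals:service_accounts/iac-0/iac-org-rw`, the same principal as the `0-org-setup` provider, so anything run through the "read-only" provider inherits the org-level admin grants given to `iac-org-rw` elsewhere in this change. The plan output earlier in the patch creates `iac-org-ro` in the same project and grants `iac-org-cicd-ro` token-creator on it, which is presumably the intended target, so the line should read `service_account: $iam_principals:service_accounts/iac-0/iac-org-ro`. This is a test fixture, but if it was copied from the stage's shipped defaults the same mismatch should be checked there. Separately, the `workload_identity_providers` entry `iac-0/default/github-default` resolves to a path ending in `workloadIdentityPools/default` rather than a `.../providers/<name>` resource; if the context expects a provider name, the fixture may not exercise the real lookup.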
@@ -0,0 +1,19 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../schemas/folder.schema.json + +name: Production +tag_bindings: + environment: $tag_values:environment/production diff --git a/tests/fast/stages/s0_org_setup/data-customizations/organization/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/organization/.config.yaml new file mode 100644 index 000000000..13ffa7377 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/organization/.config.yaml 
@@ -0,0 +1,66 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# TODO: data access logs + +# yaml-language-server: $schema=../../../schemas/organization.schema.json + +id: $defaults:organization/id +service_agents_config: + services: + - privilegedaccessmanager.googleapis.com + +iam_by_principals: + $iam_principals:gcp-organization-admins: + - roles/cloudasset.owner + - roles/cloudsupport.admin + - roles/cloudsupport.techSupportEditor + - roles/compute.osAdminLogin + - roles/compute.osLoginExternalUser + - roles/compute.xpnAdmin + - roles/orgpolicy.policyAdmin + - roles/owner + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.organizationAdmin + - roles/resourcemanager.projectCreator + - roles/resourcemanager.tagAdmin + - roles/iam.workforcePoolAdmin + $iam_principals:service_accounts/iac-0/iac-org-rw: + - roles/accesscontextmanager.policyAdmin + - roles/cloudasset.viewer + - roles/essentialcontacts.admin + - roles/iam.organizationRoleAdmin + - roles/iam.workforcePoolAdmin + - roles/logging.admin + - roles/orgpolicy.policyAdmin + - roles/privilegedaccessmanager.admin + - roles/resourcemanager.folderAdmin + - roles/resourcemanager.organizationAdmin + - roles/resourcemanager.projectCreator + - roles/resourcemanager.projectMover + - roles/resourcemanager.tagAdmin + - roles/resourcemanager.tagUser + "$iam_principals:service_agents/pam": + - roles/viewer +logging: + sinks: + audit-logs: + destination: 
$log_buckets:iac-0/audit-logs + filter: | + log_id("cloudaudit.googleapis.com/activity") OR + log_id("cloudaudit.googleapis.com/system_event") OR + log_id("cloudaudit.googleapis.com/policy") OR + log_id("cloudaudit.googleapis.com/access_transparency") +iam: + roles/billing.creator: [] diff --git a/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml b/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml new file mode 100644 index 000000000..4580772b4 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/organization/tags/environment.yaml 
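Review bot: The `"$iam_principals:service_agents/pam"` key is the only quoted key in `iam_by_principals`, and it is also the only binding that silently depends on `service_agents_config.services` listing `privilegedaccessmanager.googleapis.com` higher up in the same file; that coupling is invisible at the binding site. The sibling keys show the plain form parses, so drop the quotes and add a comment such as `# PAM service agent; resolvable only because the service is listed under service_agents_config above`. The `roles/billing.creator: []` entry under `iam` also deserves a one-line comment, since, assuming `iam` is authoritative here as elsewhere in this stage, an empty list removes every existing binding for that role at the organization rather than being a no-op. The `# TODO: data access logs` marker reads as unfinished work in a test fixture and should either be resolved or explained.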
@@ -0,0 +1,43 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../schemas/tags.schema.json + +description: "Organization-level environments." +# iam: +# "roles/resourcemanager.tagViewer": +# - "group:finance-team@example.com" +values: + development: + description: "Development." + iam: + "roles/resourcemanager.tagUser": + - $iam_principals:service_accounts/iac-0/iac-networking-rw + - $iam_principals:service_accounts/iac-0/iac-security-rw + - $iam_principals:service_accounts/iac-0/iac-pf-rw + "roles/resourcemanager.tagViewer": + - $iam_principals:service_accounts/iac-0/iac-networking-ro + - $iam_principals:service_accounts/iac-0/iac-security-ro + - $iam_principals:service_accounts/iac-0/iac-pf-ro + production: + description: "Production." + iam: + "roles/resourcemanager.tagUser": + - $iam_principals:service_accounts/iac-0/iac-networking-rw + - $iam_principals:service_accounts/iac-0/iac-security-rw + - $iam_principals:service_accounts/iac-0/iac-pf-rw + "roles/resourcemanager.tagViewer": + - $iam_principals:service_accounts/iac-0/iac-networking-ro + - $iam_principals:service_accounts/iac-0/iac-security-ro + - $iam_principals:service_accounts/iac-0/iac-pf-ro diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/dev-app-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/dev-app-0.yaml new file mode 100644 index 000000000..de3a36d9d --- /dev/null 
+++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/dev-app-0.yaml @@ -0,0 +1,26 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../schemas/project.schema.json + +name: dev-app-example-0 +parent: $folder_ids:dev +services: + - bigquery.googleapis.com + - compute.googleapis.com + - logging.googleapis.com + - monitoring.googleapis.com + - storage.googleapis.com +shared_vpc_service_config: + host_project: $project_ids:dev-net-0 diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/prod-app-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/prod-app-0.yaml new file mode 100644 index 000000000..272953578 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/apps/prod-app-0.yaml 
@@ -0,0 +1,26 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../schemas/project.schema.json + +name: prod-app-example-0 +parent: $folder_ids:prod +services: + - bigquery.googleapis.com + - compute.googleapis.com + - logging.googleapis.com + - monitoring.googleapis.com + - storage.googleapis.com +shared_vpc_service_config: + host_project: $project_ids:prod-net-0 diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/iac-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/iac-0.yaml new file mode 100644 index 000000000..1ad613537 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/iac-0.yaml 
@@ -0,0 +1,73 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../schemas/project.schema.json + +name: prod-iac-core-0 +iam_by_principals: + $iam_principals:gcp-organization-admins: + - roles/iam.serviceAccountTokenCreator + - roles/iam.workloadIdentityPoolAdmin + $iam_principals:service_accounts/iac-0/iac-org-rw: + - roles/cloudbuild.builds.editor + - roles/iam.serviceAccountAdmin + - roles/iam.workloadIdentityPoolAdmin + - roles/owner + - roles/storage.admin +services: + - accesscontextmanager.googleapis.com + - bigquery.googleapis.com + - bigquerystorage.googleapis.com + - cloudbilling.googleapis.com + - cloudkms.googleapis.com + - cloudresourcemanager.googleapis.com + - compute.googleapis.com + - container.googleapis.com + - essentialcontacts.googleapis.com + - iam.googleapis.com + - iamcredentials.googleapis.com + - logging.googleapis.com + - monitoring.googleapis.com + - orgpolicy.googleapis.com + - pubsub.googleapis.com + - serviceusage.googleapis.com + - storage-component.googleapis.com + - storage.googleapis.com + - sts.googleapis.com +buckets: + iac-org-state: + description: Terraform state for the org-level automation. + versioning: true + iam: + roles/storage.admin: + - $iam_principals:service_accounts/iac-0/iac-org-rw + $custom_roles:storage_viewer: + - $iam_principals:service_accounts/iac-0/iac-org-ro + iac-outputs: + description: Terraform state for the org-level automation. 
+ versioning: true + iam: + roles/storage.admin: + - $iam_principals:service_accounts/iac-0/iac-org-rw +service_accounts: + iac-org-rw: + display_name: IaC service account for org setup (read-write). +datasets: + billing_export: + friendly_name: Billing export +log_buckets: + audit-logs: + log_analytics: + enable: true + retention: 31 diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/net/dev-net-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/net/dev-net-0.yaml new file mode 100644 index 000000000..b25044eec --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/net/dev-net-0.yaml @@ -0,0 +1,27 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../schemas/project.schema.json + +name: dev-net-shared-0 +parent: $folder_ids:dev +services: + - container.googleapis.com + - compute.googleapis.com + - dns.googleapis.com + - iap.googleapis.com + - logging.googleapis.com + - monitoring.googleapis.com +shared_vpc_host_config: + enabled: true diff --git a/tests/fast/stages/s0_org_setup/data-customizations/projects/net/prod-net-0.yaml b/tests/fast/stages/s0_org_setup/data-customizations/projects/net/prod-net-0.yaml new file mode 100644 index 000000000..4607c7669 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/projects/net/prod-net-0.yaml 
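Review bot: The `iac-outputs` bucket reuses the `iac-org-state` description `Terraform state for the org-level automation.`, which looks like a copy-paste slip; `description: Terraform outputs for the org-level automation.` would match the bucket's name. The `roles/iam.serviceAccountTokenCreator` grant to `$iam_principals:gcp-organization-admins` is at project scope, so that group can mint tokens for every service account in this project, including `iac-org-rw`, which the organization config in this same change gives `roles/resourcemanager.organizationAdmin`; a comment stating that this impersonation path is the intended break-glass route would help readers of the fixture. `retention: 31` on `audit-logs` is a short window for an audit sink; if the value is meant only for the test, say so in a comment so it is not copied into a real deployment.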
@@ -0,0 +1,27 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../schemas/project.schema.json + +name: prod-net-shared-0 +parent: $folder_ids:prod +services: + - container.googleapis.com + - compute.googleapis.com + - dns.googleapis.com + - iap.googleapis.com + - logging.googleapis.com + - monitoring.googleapis.com +shared_vpc_host_config: + enabled: true diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/.config.yaml new file mode 100644 index 000000000..a03764602 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/.config.yaml 
@@ -0,0 +1,19 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../schemas/vpc-factory.schema.json + +name: dev-shared-0 +project_id: $project_ids:dev-net-0 +auto_create_subnetworks: false diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/firewall-rules/default-ingress.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/firewall-rules/default-ingress.yaml new file mode 100644 index 000000000..f224df256 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/firewall-rules/default-ingress.yaml 
@@ -0,0 +1,42 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json + +ingress: + + ingress-default-allow-iap: + description: Allow IAP. + source_ranges: + - 35.235.240.0/20 + rules: + - protocol: all + ports: [] + + ingress-default-allow-healthchecks: + description: Allow GCP Healthcheck Ranges. + source_ranges: + - 35.191.0.0/16 + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + rules: + - protocol: all + ports: [] + + ingress-default-allow-icmp: + description: Allow ICMP. + rules: + - protocol: icmp + ports: [] diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/subnets/default.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/subnets/default.yaml new file mode 100644 index 000000000..ba2683ce3 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/dev/subnets/default.yaml 
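Review bot: `ingress-default-allow-icmp` has no `source_ranges`, unlike the two rules above it; if the firewall factory substitutes a default source range when none is given, this rule admits ICMP from any source, and nothing in the file says whether that is intended. Make the intent explicit with a `source_ranges:` list of the expected origins, or add `# no source_ranges: deliberately relies on the factory default source range` so the omission is visibly deliberate. The prod copy at `vpcs/prod/firewall-rules/default-ingress.yaml` is byte-identical (same blob index f224df256) and has the same gap, so whichever fix is chosen should be applied to both.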
@@ -0,0 +1,20 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../../schemas/subnet.schema.json + +name: default +region: $locations:primary +ip_cidr_range: 10.0.0.0/24 +description: Default primary-region subnet for dev diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/.config.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/.config.yaml new file mode 100644 index 000000000..98071fab3 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/.config.yaml @@ -0,0 +1,19 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../schemas/vpc-factory.schema.json + +name: prod-shared-0 +project_id: $project_ids:prod-net-0 +auto_create_subnetworks: false 
diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/firewall-rules/default-ingress.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/firewall-rules/default-ingress.yaml new file mode 100644 index 000000000..f224df256 --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/firewall-rules/default-ingress.yaml @@ -0,0 +1,42 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../../schemas/firewall-rules.schema.json + +ingress: + + ingress-default-allow-iap: + description: Allow IAP. + source_ranges: + - 35.235.240.0/20 + rules: + - protocol: all + ports: [] + + ingress-default-allow-healthchecks: + description: Allow GCP Healthcheck Ranges. + source_ranges: + - 35.191.0.0/16 + - 130.211.0.0/22 + - 209.85.152.0/22 + - 209.85.204.0/22 + rules: + - protocol: all + ports: [] + + ingress-default-allow-icmp: + description: Allow ICMP. + rules: + - protocol: icmp + ports: [] diff --git a/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/subnets/default.yaml b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/subnets/default.yaml new file mode 100644 index 000000000..15f1b856b --- /dev/null +++ b/tests/fast/stages/s0_org_setup/data-customizations/vpcs/prod/subnets/default.yaml 
@@ -0,0 +1,20 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# yaml-language-server: $schema=../../../../../schemas/subnet.schema.json + +name: default +region: $locations:primary +ip_cidr_range: 10.0.0.0/24 +description: Default primary-region subnet for prod diff --git a/tests/fast/stages/s0_org_setup/tftest.yaml b/tests/fast/stages/s0_org_setup/tftest.yaml index 26f3a3a61..e31d0e2aa 100644 --- a/tests/fast/stages/s0_org_setup/tftest.yaml +++ b/tests/fast/stages/s0_org_setup/tftest.yaml @@ -30,3 +30,8 @@ tests: - starter-gcd.yaml extra_dirs: - ../../../tests/fast/stages/s0_org_setup/data-starter-gcd + customizations: + inventory: + - customizations.yaml + extra_dirs: + - ../../../tests/fast/stages/s0_org_setup/data-customizations
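Review bot: `ip_cidr_range: 10.0.0.0/24` is the same range the dev subnet uses in `vpcs/dev/subnets/default.yaml`; since the two VPCs live in separate projects this applies cleanly, but overlapping ranges block any future peering or shared routing between the environments. Unless the overlap is deliberate for the fixture, give prod a distinct range (for instance `ip_cidr_range: 10.0.1.0/24`, a constructed sample) or extend the `description` to state that dev and prod ranges intentionally overlap.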