Add support of organizational based service agents in VPC-SC stage (#3802)

2026-03-18 16:08:08 +07:00
parent 349811d31a
commit 38e885a47c
7 changed files with 141 additions and 2 deletions
--- a/tests/fast/stages/s1_vpcsc/hardened.tfvars
+++ b/tests/fast/stages/s1_vpcsc/hardened.tfvars
@@ -4,6 +4,11 @@ automation = {
 factories_config = {
  dataset = "datasets/hardened"
 }
+iam_principals = {
+  "service_agents/org/csc-hpsa"            = "serviceAccount:service-org-1234567890@gcp-sa-csc-hpsa.iam.gserviceaccount.com"
+  "service_agents/org/ktd-hpsa"            = "serviceAccount:service-org-1234567890@gcp-sa-ktd-hpsa.iam.gserviceaccount.com"
+  "service_agents/org/security-center-api" = "serviceAccount:service-org-1234567890@security-center-api.iam.gserviceaccount.com"
+}
 logging = {
  project_number = "1234567890"
  writer_identities = {
--- a/tests/fast/stages/s1_vpcsc/hardened.yaml
+++ b/tests/fast/stages/s1_vpcsc/hardened.yaml
@@ -83,7 +83,26 @@ values:
    perimeter_type: PERIMETER_TYPE_REGULAR
    spec: []
    status:
-    - egress_policies: []
+    - egress_policies:
+      - egress_from:
+        - identities:
+          - serviceAccount:service-org-1234567890@gcp-sa-csc-hpsa.iam.gserviceaccount.com
+          - serviceAccount:service-org-1234567890@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
+          - serviceAccount:service-org-1234567890@security-center-api.iam.gserviceaccount.com
+          identity_type: null
+          source_restriction: SOURCE_RESTRICTION_ENABLED
+          sources:
+          - access_level: '*'
+            resource: null
+        egress_to:
+        - external_resources: null
+          operations:
+          - method_selectors: []
+            service_name: '*'
+          resources:
+          - '*'
+          roles: []
+        title: fast-org-scc
      ingress_policies:
      - ingress_from:
        - identities:
@@ -101,6 +120,23 @@ values:
          - projects/1234567890
          roles: []
        title: fast-org-log-sinks
+      - ingress_from:
+        - identities:
+          - serviceAccount:service-org-1234567890@gcp-sa-csc-hpsa.iam.gserviceaccount.com
+          - serviceAccount:service-org-1234567890@gcp-sa-ktd-hpsa.iam.gserviceaccount.com
+          - serviceAccount:service-org-1234567890@security-center-api.iam.gserviceaccount.com
+          identity_type: null
+          sources:
+          - access_level: '*'
+            resource: null
+        ingress_to:
+        - operations:
+          - method_selectors: []
+            service_name: '*'
+          resources:
+          - '*'
+          roles: []
+        title: fast-org-scc
      resources: null
      restricted_services:
      - accessapproval.googleapis.com