[FAST] TLS inspection support for NGFW Enterprise (#2484)

tests/fast/stages/s0_bootstrap/checklist.yaml

@@ -46,21 +46,6 @@ values:
   google_storage_bucket_object.providers["0-bootstrap"]:
     bucket: fast-prod-iac-core-outputs-0
     cache_control: null
-    content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
-      \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
-      \ in compliance with the License.\n * You may obtain a copy of the License at\n\
-      \ *\n *      http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
-      \ by applicable law or agreed to in writing, software\n * distributed under\
-      \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
-      \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
-      \ the specific language governing permissions and\n * limitations under the\
-      \ License.\n */\n\nterraform {\n  backend \"gcs\" {\n    bucket            \
-      \          = \"fast-prod-iac-core-bootstrap-0\"\n    impersonate_service_account\
-      \ = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\
-      \  }\n}\nprovider \"google\" {\n  impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\nprovider \"google-beta\" {\n  impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\n\n# end provider.tf for bootstrap\n"
-    content_disposition: null
     content_encoding: null
     content_language: null
     customer_encryption: []
@@ -75,21 +60,6 @@ values:
   google_storage_bucket_object.providers["0-bootstrap-r"]:
     bucket: fast-prod-iac-core-outputs-0
     cache_control: null
-    content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
-      \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
-      \ in compliance with the License.\n * You may obtain a copy of the License at\n\
-      \ *\n *      http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
-      \ by applicable law or agreed to in writing, software\n * distributed under\
-      \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
-      \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
-      \ the specific language governing permissions and\n * limitations under the\
-      \ License.\n */\n\nterraform {\n  backend \"gcs\" {\n    bucket            \
-      \          = \"fast-prod-iac-core-bootstrap-0\"\n    impersonate_service_account\
-      \ = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\
-      \  }\n}\nprovider \"google\" {\n  impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\nprovider \"google-beta\" {\n  impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\n\n# end provider.tf for bootstrap\n"
-    content_disposition: null
     content_encoding: null
     content_language: null
     customer_encryption: []
@@ -104,21 +74,6 @@ values:
   google_storage_bucket_object.providers["1-resman"]:
     bucket: fast-prod-iac-core-outputs-0
     cache_control: null
-    content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
-      \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
-      \ in compliance with the License.\n * You may obtain a copy of the License at\n\
-      \ *\n *      http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
-      \ by applicable law or agreed to in writing, software\n * distributed under\
-      \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
-      \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
-      \ the specific language governing permissions and\n * limitations under the\
-      \ License.\n */\n\nterraform {\n  backend \"gcs\" {\n    bucket            \
-      \          = \"fast-prod-iac-core-resman-0\"\n    impersonate_service_account\
-      \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n  }\n\
-      }\nprovider \"google\" {\n  impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\nprovider \"google-beta\" {\n  impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\n\n# end provider.tf for resman\n"
-    content_disposition: null
     content_encoding: null
     content_language: null
     customer_encryption: []
@@ -133,21 +88,6 @@ values:
   google_storage_bucket_object.providers["1-resman-r"]:
     bucket: fast-prod-iac-core-outputs-0
     cache_control: null
-    content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
-      \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
-      \ in compliance with the License.\n * You may obtain a copy of the License at\n\
-      \ *\n *      http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
-      \ by applicable law or agreed to in writing, software\n * distributed under\
-      \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
-      \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
-      \ the specific language governing permissions and\n * limitations under the\
-      \ License.\n */\n\nterraform {\n  backend \"gcs\" {\n    bucket            \
-      \          = \"fast-prod-iac-core-resman-0\"\n    impersonate_service_account\
-      \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
-      \ }\n}\nprovider \"google\" {\n  impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\nprovider \"google-beta\" {\n  impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\n\n# end provider.tf for resman\n"
-    content_disposition: null
     content_encoding: null
     content_language: null
     customer_encryption: []
@@ -162,21 +102,6 @@ values:
   google_storage_bucket_object.providers["1-tenant-factory"]:
     bucket: fast-prod-iac-core-outputs-0
     cache_control: null
-    content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
-      \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
-      \ in compliance with the License.\n * You may obtain a copy of the License at\n\
-      \ *\n *      http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
-      \ by applicable law or agreed to in writing, software\n * distributed under\
-      \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
-      \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
-      \ the specific language governing permissions and\n * limitations under the\
-      \ License.\n */\n\nterraform {\n  backend \"gcs\" {\n    bucket            \
-      \          = \"fast-prod-iac-core-resman-0\"\n    impersonate_service_account\
-      \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n  \
-      \  prefix = \"tenant-factory\"\n  }\n}\nprovider \"google\" {\n  impersonate_service_account\
-      \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
-      provider \"google-beta\" {\n  impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\n\n# end provider.tf for tenant-factory\n"
     content_disposition: null
     content_encoding: null
     content_language: null
@@ -192,21 +117,6 @@ values:
   google_storage_bucket_object.providers["1-tenant-factory-r"]:
     bucket: fast-prod-iac-core-outputs-0
     cache_control: null
-    content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
-      \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
-      \ in compliance with the License.\n * You may obtain a copy of the License at\n\
-      \ *\n *      http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
-      \ by applicable law or agreed to in writing, software\n * distributed under\
-      \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
-      \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
-      \ the specific language governing permissions and\n * limitations under the\
-      \ License.\n */\n\nterraform {\n  backend \"gcs\" {\n    bucket            \
-      \          = \"fast-prod-iac-core-resman-0\"\n    impersonate_service_account\
-      \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
-      \   prefix = \"tenant-factory\"\n  }\n}\nprovider \"google\" {\n  impersonate_service_account\
-      \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
-      provider \"google-beta\" {\n  impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\n\n# end provider.tf for tenant-factory\n"
     content_disposition: null
     content_encoding: null
     content_language: null
@@ -222,21 +132,6 @@ values:
   google_storage_bucket_object.providers["1-vpcsc"]:
     bucket: fast-prod-iac-core-outputs-0
     cache_control: null
-    content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
-      \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
-      \ in compliance with the License.\n * You may obtain a copy of the License at\n\
-      \ *\n *      http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
-      \ by applicable law or agreed to in writing, software\n * distributed under\
-      \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
-      \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
-      \ the specific language governing permissions and\n * limitations under the\
-      \ License.\n */\n\nterraform {\n  backend \"gcs\" {\n    bucket            \
-      \          = \"fast-prod-iac-core-vpcsc-0\"\n    impersonate_service_account\
-      \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n   \
-      \ prefix = \"vpcsc\"\n  }\n}\nprovider \"google\" {\n  impersonate_service_account\
-      \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
-      provider \"google-beta\" {\n  impersonate_service_account = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\n\n# end provider.tf for vpcsc\n"
     content_disposition: null
     content_encoding: null
     content_language: null
@@ -252,21 +147,6 @@ values:
   google_storage_bucket_object.providers["1-vpcsc-r"]:
     bucket: fast-prod-iac-core-outputs-0
     cache_control: null
-    content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
-      \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
-      \ in compliance with the License.\n * You may obtain a copy of the License at\n\
-      \ *\n *      http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
-      \ by applicable law or agreed to in writing, software\n * distributed under\
-      \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
-      \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
-      \ the specific language governing permissions and\n * limitations under the\
-      \ License.\n */\n\nterraform {\n  backend \"gcs\" {\n    bucket            \
-      \          = \"fast-prod-iac-core-vpcsc-0\"\n    impersonate_service_account\
-      \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n  \
-      \  prefix = \"vpcsc\"\n  }\n}\nprovider \"google\" {\n  impersonate_service_account\
-      \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
-      provider \"google-beta\" {\n  impersonate_service_account = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
-      \n}\n\n# end provider.tf for vpcsc\n"
     content_disposition: null
     content_encoding: null
     content_language: null
@@ -1646,9 +1526,9 @@ values:
   module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]:
     condition:
     - description: Automation service account delegated grants.
-      expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyAdmin'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer''])
+      expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyAdmin'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer''])
 
-        || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/networkFirewallPoliciesViewer'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin''])
+        || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin''])
 
         '
       title: automation_sa_delegated_grants
@@ -1687,15 +1567,6 @@ values:
     role_id: networkFirewallPoliciesAdmin
     stage: GA
     title: Custom role networkFirewallPoliciesAdmin
-  module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_viewer"]:
-    description: Terraform-managed.
-    org_id: '123456789012'
-    permissions:
-    - networksecurity.firewallEndpointAssociations.get
-    - networksecurity.firewallEndpointAssociations.list
-    role_id: networkFirewallPoliciesViewer
-    stage: GA
-    title: Custom role networkFirewallPoliciesViewer
   module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]:
     description: Terraform-managed.
     org_id: '123456789012'
@@ -1724,6 +1595,11 @@ values:
     - networksecurity.securityProfiles.list
     - networksecurity.securityProfiles.update
     - networksecurity.securityProfiles.use
+    - networksecurity.tlsInspectionPolicies.create
+    - networksecurity.tlsInspectionPolicies.get
+    - networksecurity.tlsInspectionPolicies.list
+    - networksecurity.tlsInspectionPolicies.update
+    - networksecurity.tlsInspectionPolicies.use
     role_id: ngfwEnterpriseAdmin
     stage: GA
     title: Custom role ngfwEnterpriseAdmin
@@ -1744,6 +1620,9 @@ values:
     - networksecurity.securityProfiles.get
     - networksecurity.securityProfiles.list
     - networksecurity.securityProfiles.use
+    - networksecurity.tlsInspectionPolicies.get
+    - networksecurity.tlsInspectionPolicies.list
+    - networksecurity.tlsInspectionPolicies.use
     role_id: ngfwEnterpriseViewer
     stage: GA
     title: Custom role ngfwEnterpriseViewer
@@ -2066,7 +1945,7 @@ counts:
   google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
   google_organization_iam_binding: 28
-  google_organization_iam_custom_role: 11
+  google_organization_iam_custom_role: 10
   google_organization_iam_member: 42
   google_project: 3
   google_project_iam_audit_config: 1
@@ -2085,4 +1964,4 @@ counts:
   google_tags_tag_key: 1
   google_tags_tag_value: 1
   modules: 21
-  resources: 237
+  resources: 236

tests/fast/stages/s0_bootstrap/simple.yaml

@@ -21,7 +21,7 @@ counts:
   google_logging_project_bucket_config: 4
   google_org_policy_policy: 22
   google_organization_iam_binding: 28
-  google_organization_iam_custom_role: 11
+  google_organization_iam_custom_role: 10
   google_organization_iam_member: 29
   google_project: 3
   google_project_iam_audit_config: 1
@@ -41,7 +41,7 @@ counts:
   google_tags_tag_value: 1
   local_file: 10
   modules: 20
-  resources: 231
+  resources: 230
 
 outputs:
   automation: __missing__
@@ -50,7 +50,6 @@ outputs:
   custom_roles:
     gcve_network_admin: organizations/123456789012/roles/gcveNetworkAdmin
     network_firewall_policies_admin: organizations/123456789012/roles/networkFirewallPoliciesAdmin
-    network_firewall_policies_viewer: organizations/123456789012/roles/networkFirewallPoliciesViewer
     ngfw_enterprise_admin: organizations/123456789012/roles/ngfwEnterpriseAdmin
     ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer
     organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer
@@ -73,3 +72,4 @@ outputs:
   workload_identity_pool:
     pool: null
     providers: {}
+

tests/fast/stages/s1_resman/checklist.tfvars

@@ -13,14 +13,13 @@ billing_account = {
 }
 custom_roles = {
   # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
-  gcve_network_admin               = "organizations/123456789012/roles/gcveNetworkAdmin"
-  network_firewall_policies_admin  = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
-  network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer"
-  ngfw_enterprise_admin            = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
-  ngfw_enterprise_viewer           = "organizations/123456789012/roles/ngfwEnterpriseViewer"
-  organization_admin_viewer        = "organizations/123456789012/roles/organizationAdminViewer"
-  service_project_network_admin    = "organizations/123456789012/roles/xpnServiceAdmin"
-  storage_viewer                   = "organizations/123456789012/roles/storageViewer"
+  gcve_network_admin              = "organizations/123456789012/roles/gcveNetworkAdmin"
+  network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
+  ngfw_enterprise_admin           = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
+  ngfw_enterprise_viewer          = "organizations/123456789012/roles/ngfwEnterpriseViewer"
+  organization_admin_viewer       = "organizations/123456789012/roles/organizationAdminViewer"
+  service_project_network_admin   = "organizations/123456789012/roles/xpnServiceAdmin"
+  storage_viewer                  = "organizations/123456789012/roles/storageViewer"
 }
 factories_config = {
   checklist_data = "checklist-data.json"

tests/fast/stages/s1_resman/checklist.yaml

@@ -13,6 +13,671 @@
 # limitations under the License.
 
 values:
+  google_storage_bucket_object.providers["2-networking"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-networking-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-networking-r"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-networking-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory"]:
+    bucket: test
+    cache_control: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-dev"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-dev-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-dev-r"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-dev-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-prod"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-prod-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-prod-r"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-prod-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-r"]:
+    bucket: test
+    cache_control: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-security"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-security-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-security-r"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-security-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.tfvars:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: tfvars/1-resman.auto.tfvars.json
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  module.branch-network-dev-folder.google_folder.folder[0]:
+    display_name: Development
+    timeouts: null
+  ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"]
+  : condition: []
+    members: null
+    role: organizations/123456789012/roles/gcveNetworkAdmin
+  ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
+  : condition: []
+    members:
+    - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: organizations/123456789012/roles/xpnServiceAdmin
+  module.branch-network-dev-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/compute.networkViewer
+  module.branch-network-dev-folder.google_tags_tag_binding.binding["environment"]:
+    timeouts: null
+  module.branch-network-folder.google_folder.folder[0]:
+    display_name: Networking
+    parent: organizations/123456789012
+    timeouts: null
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/compute.xpnAdmin
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/editor"]:
+    condition: []
+    members:
+    - group:gcp-vpc-network-admins@fast.example.com
+    role: roles/editor
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/logging.admin
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/owner"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/owner
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderAdmin
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderViewer
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.projectCreator
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/viewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/viewer
+  module.branch-network-folder.google_tags_tag_binding.binding["context"]:
+    timeouts: null
+  module.branch-network-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-prod-resman-net-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-prod-resman-net-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-prod-resman-net-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  module.branch-network-prod-folder.google_folder.folder[0]:
+    display_name: Production
+    timeouts: null
+  ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"]
+  : condition: []
+    members: null
+    role: organizations/123456789012/roles/gcveNetworkAdmin
+  ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
+  : condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: organizations/123456789012/roles/xpnServiceAdmin
+  module.branch-network-prod-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/compute.networkViewer
+  module.branch-network-prod-folder.google_tags_tag_binding.binding["environment"]:
+    timeouts: null
+  ? module.branch-network-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-network-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-net-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform resman networking service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-network-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  ? module.branch-network-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+  : bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-network-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-network-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-net-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform resman networking service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-network-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-network-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
+  module.branch-pf-dev-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-dev-resman-pf-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-dev-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-dev-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  ? module.branch-pf-dev-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-dev-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-dev-resman-pf-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory development service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-dev-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  ? module.branch-pf-dev-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+  : bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-pf-dev-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-dev-sa.google_service_account.service_account[0]:
+    account_id: fast2-dev-resman-pf-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory development service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-dev-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-pf-dev-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
+  module.branch-pf-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-resman-pf-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  module.branch-pf-prod-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-prod-resman-pf-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-prod-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-prod-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  ? module.branch-pf-prod-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-prod-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-pf-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory production service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-prod-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  ? module.branch-pf-prod-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+  : bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-pf-prod-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-prod-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-pf-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory production service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-prod-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-pf-prod-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
+  ? module.branch-pf-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-resman-pf-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory main service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-pf-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]:
+    bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-pf-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-sa.google_service_account.service_account[0]:
+    account_id: fast2-resman-pf-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory main service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-pf-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
+  module.branch-security-folder.google_folder.folder[0]:
+    display_name: Security
+    parent: organizations/123456789012
+    timeouts: null
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/editor"]:
+    condition: []
+    members:
+    - group:gcp-security-admins@fast.example.com
+    role: roles/editor
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/logging.admin
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/owner"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/owner
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderAdmin
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderViewer
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.projectCreator
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/viewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/viewer
+  module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]:
+    condition:
+    - description: Certificate Authority Service delegated grants.
+      expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager'])
+      title: security_sa_delegated_grants
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderIamAdmin
+  module.branch-security-folder.google_tags_tag_binding.binding["context"]:
+    timeouts: null
+  module.branch-security-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-prod-resman-sec-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-prod-resman-sec-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-prod-resman-sec-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  ? module.branch-security-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-security-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-sec-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform resman security service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-security-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  ? module.branch-security-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+  : bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-security-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-security-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-sec-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform resman security service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-security-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-security-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
   module.checklist-folder-1["Common"].google_folder.folder[0]:
     display_name: Common
     parent: organizations/123456789012
@@ -413,10 +1078,194 @@ values:
   module.checklist-folder-3["Department 3/Team 4/Production"].google_folder.folder[0]:
     display_name: Production
     timeouts: null
+  module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_organization_iam_member.bindings["sa_net_fw_policy_admin"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/compute.orgFirewallPolicyAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_net_xpn_admin"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/compute.xpnAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_billing"]:
+    condition: []
+    member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]:
+    condition:
+    - description: Org policy tag scoped grant for project factory main.
+      expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
+
+        '
+      title: org_policy_tag_pf_scoped
+    member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/orgpolicy.policyAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_costs_manager"]:
+    condition: []
+    member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.costsManager
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_billing"]:
+    condition: []
+    member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"]:
+    condition:
+    - description: Org policy tag scoped grant for project factory dev.
+      expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
+
+        &&
+
+        resource.matchTag(''123456789012/environment'', ''development'')
+
+        '
+      title: org_policy_tag_pf_scoped_dev
+    member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/orgpolicy.policyAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_costs_manager"]:
+    condition: []
+    member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.costsManager
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_billing"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"]:
+    condition:
+    - description: Org policy tag scoped grant for project factory prod.
+      expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
+
+        &&
+
+        resource.matchTag(''123456789012/environment'', ''production'')
+
+        '
+      title: org_policy_tag_pf_scoped_prod
+    member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/orgpolicy.policyAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_costs_manager"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.costsManager
+  module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/cloudasset.viewer
+  module.organization[0].google_organization_iam_member.bindings["sa_sec_billing"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_tags_tag_key.default["context"]:
+    description: Resource management context.
+    parent: organizations/123456789012
+    purpose: null
+    purpose_data: null
+    short_name: context
+    timeouts: null
+  module.organization[0].google_tags_tag_key.default["environment"]:
+    description: Environment definition.
+    parent: organizations/123456789012
+    purpose: null
+    purpose_data: null
+    short_name: environment
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/data"]:
+    description: Managed by the Terraform organization module.
+    short_name: data
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/gcve"]:
+    description: Managed by the Terraform organization module.
+    short_name: gcve
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/gke"]:
+    description: Managed by the Terraform organization module.
+    short_name: gke
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/networking"]:
+    description: Managed by the Terraform organization module.
+    short_name: networking
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/project-factory"]:
+    description: Managed by the Terraform organization module.
+    short_name: project-factory
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/sandbox"]:
+    description: Managed by the Terraform organization module.
+    short_name: sandbox
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/security"]:
+    description: Managed by the Terraform organization module.
+    short_name: security
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["environment/development"]:
+    description: Managed by the Terraform organization module.
+    short_name: development
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["environment/production"]:
+    description: Managed by the Terraform organization module.
+    short_name: production
+    timeouts: null
+  module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/development:pf"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.tagUser
+  module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/production:pf"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.tagUser
+  module.top-level-folder["teams"].google_folder.folder[0]:
+    display_name: Teams
+    parent: organizations/123456789012
+    timeouts: null
+  ? module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
+  : condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: organizations/123456789012/roles/xpnServiceAdmin
+  module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/owner"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/owner
+  module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderAdmin
+  module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.projectCreator
+  module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.tagUser
+  module.top-level-folder["teams"].google_tags_tag_binding.binding["context"]:
+    timeouts: null
 
 counts:
   google_folder: 57
-  google_folder_iam_binding: 74
+  google_folder_iam_binding: 75
   google_organization_iam_member: 14
   google_project_iam_member: 10
   google_service_account: 10
@@ -430,4 +1279,4 @@ counts:
   google_tags_tag_value: 9
   google_tags_tag_value_iam_binding: 2
   modules: 73
-  resources: 229
+  resources: 230

tests/fast/stages/s1_resman/simple.tfvars

@@ -13,14 +13,13 @@ billing_account = {
 }
 custom_roles = {
   # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
-  gcve_network_admin               = "organizations/123456789012/roles/gcveNetworkAdmin"
-  network_firewall_policies_admin  = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
-  network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer"
-  ngfw_enterprise_admin            = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
-  ngfw_enterprise_viewer           = "organizations/123456789012/roles/ngfwEnterpriseViewer"
-  organization_admin_viewer        = "organizations/123456789012/roles/organizationAdminViewer"
-  service_project_network_admin    = "organizations/123456789012/roles/xpnServiceAdmin"
-  storage_viewer                   = "organizations/123456789012/roles/storageViewer"
+  gcve_network_admin              = "organizations/123456789012/roles/gcveNetworkAdmin"
+  network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
+  ngfw_enterprise_admin           = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
+  ngfw_enterprise_viewer          = "organizations/123456789012/roles/ngfwEnterpriseViewer"
+  organization_admin_viewer       = "organizations/123456789012/roles/organizationAdminViewer"
+  service_project_network_admin   = "organizations/123456789012/roles/xpnServiceAdmin"
+  storage_viewer                  = "organizations/123456789012/roles/storageViewer"
 }
 groups = {
   gcp-billing-admins      = "gcp-billing-admins",

tests/fast/stages/s1_resman/simple.yaml

@@ -13,6 +13,836 @@
 # limitations under the License.
 
 values:
+  google_storage_bucket_object.providers["2-networking"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-networking-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-networking-r"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-networking-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory"]:
+    bucket: test
+    cache_control: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-dev"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-dev-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-dev-r"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-dev-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-prod"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-prod-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-prod-r"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-prod-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-project-factory-r"]:
+    bucket: test
+    cache_control: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-project-factory-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-security"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-security-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.providers["2-security-r"]:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: providers/2-security-r-providers.tf
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  google_storage_bucket_object.tfvars:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: tfvars/1-resman.auto.tfvars.json
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  module.branch-network-dev-folder.google_folder.folder[0]:
+    display_name: Development
+    timeouts: null
+  ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"]
+  : condition: []
+    members: null
+    role: organizations/123456789012/roles/gcveNetworkAdmin
+  ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
+  : condition: []
+    members:
+    - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: organizations/123456789012/roles/xpnServiceAdmin
+  module.branch-network-dev-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/compute.networkViewer
+  module.branch-network-dev-folder.google_tags_tag_binding.binding["environment"]:
+    timeouts: null
+  module.branch-network-folder.google_folder.folder[0]:
+    display_name: Networking
+    parent: organizations/123456789012
+    timeouts: null
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/browser"]:
+    condition: []
+    members:
+    - user:extra-browser@fast.example.com
+    role: roles/browser
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/compute.xpnAdmin
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/editor"]:
+    condition: []
+    members:
+    - group:gcp-vpc-network-admins@fast.example.com
+    role: roles/editor
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/logging.admin
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/owner"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    - user:extra-owner@fast.example.com
+    role: roles/owner
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderAdmin
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderViewer
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.projectCreator
+  module.branch-network-folder.google_folder_iam_binding.authoritative["roles/viewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/viewer
+  module.branch-network-folder.google_tags_tag_binding.binding["context"]:
+    timeouts: null
+  module.branch-network-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-prod-resman-net-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-prod-resman-net-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-prod-resman-net-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  module.branch-network-prod-folder.google_folder.folder[0]:
+    display_name: Production
+    timeouts: null
+  ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"]
+  : condition: []
+    members: null
+    role: organizations/123456789012/roles/gcveNetworkAdmin
+  ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
+  : condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: organizations/123456789012/roles/xpnServiceAdmin
+  module.branch-network-prod-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/compute.networkViewer
+  module.branch-network-prod-folder.google_tags_tag_binding.binding["environment"]:
+    timeouts: null
+  ? module.branch-network-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-network-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-net-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform resman networking service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-network-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  ? module.branch-network-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+  : bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-network-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-network-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-net-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform resman networking service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-network-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-network-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
+  module.branch-pf-dev-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-dev-resman-pf-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-dev-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-dev-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  ? module.branch-pf-dev-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-dev-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-dev-resman-pf-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory development service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-dev-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  ? module.branch-pf-dev-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+  : bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-pf-dev-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-dev-sa.google_service_account.service_account[0]:
+    account_id: fast2-dev-resman-pf-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory development service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-dev-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-pf-dev-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
+  module.branch-pf-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-resman-pf-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  module.branch-pf-prod-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-prod-resman-pf-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-prod-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-prod-resman-pf-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  ? module.branch-pf-prod-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-prod-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-pf-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory production service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-prod-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  ? module.branch-pf-prod-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+  : bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-pf-prod-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-prod-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-pf-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory production service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-prod-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-pf-prod-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
+  ? module.branch-pf-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-resman-pf-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory main service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-pf-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]:
+    bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-pf-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-pf-sa.google_service_account.service_account[0]:
+    account_id: fast2-resman-pf-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform project factory main service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-pf-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-pf-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
+  module.branch-security-folder.google_folder.folder[0]:
+    display_name: Security
+    parent: organizations/123456789012
+    timeouts: null
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/browser"]:
+    condition: []
+    members:
+    - user:extra-browser@fast.example.com
+    role: roles/browser
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/editor"]:
+    condition: []
+    members:
+    - group:gcp-security-admins@fast.example.com
+    role: roles/editor
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/logging.admin
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/owner"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    - user:extra-owner@fast.example.com
+    role: roles/owner
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderAdmin
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderViewer
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.projectCreator
+  module.branch-security-folder.google_folder_iam_binding.authoritative["roles/viewer"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/viewer
+  module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]:
+    condition:
+    - description: Certificate Authority Service delegated grants.
+      expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager'])
+      title: security_sa_delegated_grants
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.folderIamAdmin
+  module.branch-security-folder.google_tags_tag_binding.binding["context"]:
+    timeouts: null
+  module.branch-security-gcs.google_storage_bucket.bucket:
+    autoclass: []
+    cors: []
+    custom_placement_config: []
+    default_event_based_hold: null
+    enable_object_retention: null
+    encryption: []
+    force_destroy: false
+    labels: null
+    lifecycle_rule: []
+    location: EU
+    logging: []
+    name: fast2-prod-resman-sec-0
+    project: fast-prod-automation
+    requester_pays: null
+    retention_policy: []
+    storage_class: STANDARD
+    timeouts: null
+    uniform_bucket_level_access: true
+    versioning:
+    - enabled: true
+  module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+    bucket: fast2-prod-resman-sec-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectAdmin
+  module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+    bucket: fast2-prod-resman-sec-0
+    condition: []
+    members:
+    - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/storage.objectViewer
+  ? module.branch-security-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-security-r-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-sec-0r
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform resman security service account (read-only).
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-security-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  ? module.branch-security-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+  : bucket: test
+    condition: []
+    role: organizations/123456789012/roles/storageViewer
+  ? module.branch-security-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+  : condition: []
+    project: fast-prod-automation
+    role: roles/serviceusage.serviceUsageConsumer
+  module.branch-security-sa.google_service_account.service_account[0]:
+    account_id: fast2-prod-resman-sec-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform resman security service account.
+    project: fast-prod-automation
+    timeouts: null
+  module.branch-security-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+    condition: []
+    members: null
+    role: roles/iam.serviceAccountTokenCreator
+  module.branch-security-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+    bucket: test
+    condition: []
+    role: roles/storage.objectAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_organization_iam_member.bindings["sa_net_fw_policy_admin"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/compute.orgFirewallPolicyAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_net_xpn_admin"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/compute.xpnAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_billing"]:
+    condition: []
+    member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]:
+    condition:
+    - description: Org policy tag scoped grant for project factory main.
+      expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
+
+        '
+      title: org_policy_tag_pf_scoped
+    member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/orgpolicy.policyAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_costs_manager"]:
+    condition: []
+    member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.costsManager
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_billing"]:
+    condition: []
+    member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"]:
+    condition:
+    - description: Org policy tag scoped grant for project factory dev.
+      expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
+
+        &&
+
+        resource.matchTag(''123456789012/environment'', ''development'')
+
+        '
+      title: org_policy_tag_pf_scoped_dev
+    member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/orgpolicy.policyAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_costs_manager"]:
+    condition: []
+    member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.costsManager
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_billing"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"]:
+    condition:
+    - description: Org policy tag scoped grant for project factory prod.
+      expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
+
+        &&
+
+        resource.matchTag(''123456789012/environment'', ''production'')
+
+        '
+      title: org_policy_tag_pf_scoped_prod
+    member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/orgpolicy.policyAdmin
+  module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_costs_manager"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.costsManager
+  module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/cloudasset.viewer
+  module.organization[0].google_organization_iam_member.bindings["sa_sec_billing"]:
+    condition: []
+    member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+    org_id: '123456789012'
+    role: roles/billing.user
+  module.organization[0].google_tags_tag_key.default["context"]:
+    description: Resource management context.
+    parent: organizations/123456789012
+    purpose: null
+    purpose_data: null
+    short_name: context
+    timeouts: null
+  module.organization[0].google_tags_tag_key.default["environment"]:
+    description: Environment definition.
+    parent: organizations/123456789012
+    purpose: null
+    purpose_data: null
+    short_name: environment
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/data"]:
+    description: Managed by the Terraform organization module.
+    short_name: data
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/gcve"]:
+    description: Managed by the Terraform organization module.
+    short_name: gcve
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/gke"]:
+    description: Managed by the Terraform organization module.
+    short_name: gke
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/networking"]:
+    description: Managed by the Terraform organization module.
+    short_name: networking
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/project-factory"]:
+    description: Managed by the Terraform organization module.
+    short_name: project-factory
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/sandbox"]:
+    description: Managed by the Terraform organization module.
+    short_name: sandbox
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["context/security"]:
+    description: Managed by the Terraform organization module.
+    short_name: security
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["environment/development"]:
+    description: Managed by the Terraform organization module.
+    short_name: development
+    timeouts: null
+  module.organization[0].google_tags_tag_value.default["environment/production"]:
+    description: Managed by the Terraform organization module.
+    short_name: production
+    timeouts: null
+  module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/development:pf"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.tagUser
+  module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/production:pf"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.tagUser
   module.top-level-folder["teams"].google_folder.folder[0]:
     display_name: Teams
     parent: organizations/123456789012
@@ -37,12 +867,17 @@ values:
     members:
     - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
     role: roles/resourcemanager.projectCreator
+  module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.tagUser
   module.top-level-folder["teams"].google_tags_tag_binding.binding["context"]:
     timeouts: null
 
 counts:
   google_folder: 5
-  google_folder_iam_binding: 28
+  google_folder_iam_binding: 29
   google_organization_iam_member: 14
   google_project_iam_member: 10
   google_service_account: 10
@@ -56,4 +891,4 @@ counts:
   google_tags_tag_value: 9
   google_tags_tag_value_iam_binding: 2
   modules: 21
-  resources: 131
+  resources: 132

tests/fast/stages/s2_security/simple.tfvars

@@ -28,6 +28,8 @@ service_accounts = {
   security             = "foobar@iam.gserviceaccount.com"
   data-platform-dev    = "foobar@iam.gserviceaccount.com"
   data-platform-prod   = "foobar@iam.gserviceaccount.com"
+  nsec                 = "foobar@iam.gserviceaccount.com"
+  nsec-r               = "foobar@iam.gserviceaccount.com"
   project-factory      = "foobar@iam.gserviceaccount.com"
   project-factory-dev  = "foobar@iam.gserviceaccount.com"
   project-factory-prod = "foobar@iam.gserviceaccount.com"

tests/fast/stages/s2_security/simple.yaml

@@ -12,6 +12,439 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+values:
+  google_storage_bucket_object.tfvars:
+    bucket: test
+    cache_control: null
+    content_disposition: null
+    content_encoding: null
+    content_language: null
+    customer_encryption: []
+    detect_md5hash: different hash
+    event_based_hold: null
+    metadata: null
+    name: tfvars/2-security.auto.tfvars.json
+    retention: []
+    source: null
+    temporary_hold: null
+    timeouts: null
+  module.dev-sec-kms["europe"].google_kms_crypto_key.default["compute"]:
+    effective_labels:
+      service: compute
+    labels:
+      service: compute
+    name: compute
+    purpose: ENCRYPT_DECRYPT
+    rotation_period: 7776000s
+    skip_initial_version_creation: false
+    terraform_labels:
+      service: compute
+    timeouts: null
+  module.dev-sec-kms["europe"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]:
+    condition: []
+    members:
+    - user:user1@example.com
+    role: roles/cloudkms.admin
+  module.dev-sec-kms["europe"].google_kms_key_ring.default[0]:
+    location: europe
+    name: dev-europe
+    project: fast-dev-sec-core-0
+    timeouts: null
+  module.dev-sec-kms["europe-west1"].google_kms_crypto_key.default["compute"]:
+    effective_labels:
+      service: compute
+    labels:
+      service: compute
+    name: compute
+    purpose: ENCRYPT_DECRYPT
+    rotation_period: 7776000s
+    skip_initial_version_creation: false
+    terraform_labels:
+      service: compute
+    timeouts: null
+  module.dev-sec-kms["europe-west1"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]:
+    condition: []
+    members:
+    - user:user1@example.com
+    role: roles/cloudkms.admin
+  module.dev-sec-kms["europe-west1"].google_kms_key_ring.default[0]:
+    location: europe-west1
+    name: dev-europe-west1
+    project: fast-dev-sec-core-0
+    timeouts: null
+  module.dev-sec-kms["europe-west3"].google_kms_crypto_key.default["compute"]:
+    effective_labels:
+      service: compute
+    labels:
+      service: compute
+    name: compute
+    purpose: ENCRYPT_DECRYPT
+    rotation_period: 7776000s
+    skip_initial_version_creation: false
+    terraform_labels:
+      service: compute
+    timeouts: null
+  module.dev-sec-kms["europe-west3"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]:
+    condition: []
+    members:
+    - user:user1@example.com
+    role: roles/cloudkms.admin
+  module.dev-sec-kms["europe-west3"].google_kms_key_ring.default[0]:
+    location: europe-west3
+    name: dev-europe-west3
+    project: fast-dev-sec-core-0
+    timeouts: null
+  module.dev-sec-kms["global"].google_kms_crypto_key.default["compute"]:
+    effective_labels:
+      service: compute
+    labels:
+      service: compute
+    name: compute
+    purpose: ENCRYPT_DECRYPT
+    rotation_period: 7776000s
+    skip_initial_version_creation: false
+    terraform_labels:
+      service: compute
+    timeouts: null
+  module.dev-sec-kms["global"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]:
+    condition: []
+    members:
+    - user:user1@example.com
+    role: roles/cloudkms.admin
+  module.dev-sec-kms["global"].google_kms_key_ring.default[0]:
+    location: global
+    name: dev-global
+    project: fast-dev-sec-core-0
+    timeouts: null
+  module.dev-sec-project.google_project.project[0]:
+    auto_create_network: false
+    billing_account: 000000-111111-222222
+    deletion_policy: DELETE
+    effective_labels:
+      environment: dev
+      team: security
+    folder_id: null
+    labels:
+      environment: dev
+      team: security
+    name: fast-dev-sec-core-0
+    org_id: null
+    project_id: fast-dev-sec-core-0
+    terraform_labels:
+      environment: dev
+      team: security
+    timeouts: null
+  module.dev-sec-project.google_project_iam_binding.authoritative["roles/cloudkms.viewer"]:
+    condition: []
+    members:
+    - serviceAccount:foobar@iam.gserviceaccount.com
+    project: fast-dev-sec-core-0
+    role: roles/cloudkms.viewer
+  ? module.dev-sec-project.google_project_iam_member.bindings["kms_restricted_admin.serviceAccount:foobar@iam.gserviceaccount.com"]
+  : condition:
+    - description: Automation service account delegated grants.
+      expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/cloudkms.cryptoKeyEncrypterDecrypter'',''roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation''])
+        &&
+
+        resource.type == ''cloudkms.googleapis.com/CryptoKey''
+
+        '
+      title: kms_sa_delegated_grants
+    member: serviceAccount:foobar@iam.gserviceaccount.com
+    project: fast-dev-sec-core-0
+    role: roles/cloudkms.admin
+  module.dev-sec-project.google_project_iam_member.service_agents["certificatemanager"]:
+    condition: []
+    project: fast-dev-sec-core-0
+    role: roles/certificatemanager.serviceAgent
+  module.dev-sec-project.google_project_iam_member.service_agents["cloudkms"]:
+    condition: []
+    project: fast-dev-sec-core-0
+    role: roles/cloudkms.serviceAgent
+  module.dev-sec-project.google_project_iam_member.service_agents["networkmanagement"]:
+    condition: []
+    project: fast-dev-sec-core-0
+    role: roles/networkmanagement.serviceAgent
+  module.dev-sec-project.google_project_service.project_services["certificatemanager.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-dev-sec-core-0
+    service: certificatemanager.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service.project_services["cloudkms.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-dev-sec-core-0
+    service: cloudkms.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-dev-sec-core-0
+    service: networkmanagement.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service.project_services["networksecurity.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-dev-sec-core-0
+    service: networksecurity.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service.project_services["privateca.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-dev-sec-core-0
+    service: privateca.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service.project_services["secretmanager.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-dev-sec-core-0
+    service: secretmanager.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-dev-sec-core-0
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service_identity.default["certificatemanager.googleapis.com"]:
+    project: fast-dev-sec-core-0
+    service: certificatemanager.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service_identity.default["cloudkms.googleapis.com"]:
+    project: fast-dev-sec-core-0
+    service: cloudkms.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service_identity.default["networkmanagement.googleapis.com"]:
+    project: fast-dev-sec-core-0
+    service: networkmanagement.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
+    project: fast-dev-sec-core-0
+    service: networksecurity.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service_identity.default["privateca.googleapis.com"]:
+    project: fast-dev-sec-core-0
+    service: privateca.googleapis.com
+    timeouts: null
+  module.dev-sec-project.google_project_service_identity.default["secretmanager.googleapis.com"]:
+    project: fast-dev-sec-core-0
+    service: secretmanager.googleapis.com
+    timeouts: null
+  module.folder.google_essential_contacts_contact.contact["gcp-security-admins@fast.example.com"]:
+    email: gcp-security-admins@fast.example.com
+    language_tag: en
+    notification_category_subscriptions:
+    - ALL
+    timeouts: null
+  module.folder.google_folder.folder[0]:
+    display_name: Security
+    parent: organizations/123456789012
+    timeouts: null
+  module.prod-sec-kms["europe"].google_kms_crypto_key.default["compute"]:
+    effective_labels:
+      service: compute
+    labels:
+      service: compute
+    name: compute
+    purpose: ENCRYPT_DECRYPT
+    rotation_period: 7776000s
+    skip_initial_version_creation: false
+    terraform_labels:
+      service: compute
+    timeouts: null
+  module.prod-sec-kms["europe"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]:
+    condition: []
+    members:
+    - user:user1@example.com
+    role: roles/cloudkms.admin
+  module.prod-sec-kms["europe"].google_kms_key_ring.default[0]:
+    location: europe
+    name: prod-europe
+    project: fast-prod-sec-core-0
+    timeouts: null
+  module.prod-sec-kms["europe-west1"].google_kms_crypto_key.default["compute"]:
+    effective_labels:
+      service: compute
+    labels:
+      service: compute
+    name: compute
+    purpose: ENCRYPT_DECRYPT
+    rotation_period: 7776000s
+    skip_initial_version_creation: false
+    terraform_labels:
+      service: compute
+    timeouts: null
+  module.prod-sec-kms["europe-west1"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]:
+    condition: []
+    members:
+    - user:user1@example.com
+    role: roles/cloudkms.admin
+  module.prod-sec-kms["europe-west1"].google_kms_key_ring.default[0]:
+    location: europe-west1
+    name: prod-europe-west1
+    project: fast-prod-sec-core-0
+    timeouts: null
+  module.prod-sec-kms["europe-west3"].google_kms_crypto_key.default["compute"]:
+    effective_labels:
+      service: compute
+    labels:
+      service: compute
+    name: compute
+    purpose: ENCRYPT_DECRYPT
+    rotation_period: 7776000s
+    skip_initial_version_creation: false
+    terraform_labels:
+      service: compute
+    timeouts: null
+  module.prod-sec-kms["europe-west3"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]:
+    condition: []
+    members:
+    - user:user1@example.com
+    role: roles/cloudkms.admin
+  module.prod-sec-kms["europe-west3"].google_kms_key_ring.default[0]:
+    location: europe-west3
+    name: prod-europe-west3
+    project: fast-prod-sec-core-0
+    timeouts: null
+  module.prod-sec-kms["global"].google_kms_crypto_key.default["compute"]:
+    effective_labels:
+      service: compute
+    labels:
+      service: compute
+    name: compute
+    purpose: ENCRYPT_DECRYPT
+    rotation_period: 7776000s
+    skip_initial_version_creation: false
+    terraform_labels:
+      service: compute
+    timeouts: null
+  module.prod-sec-kms["global"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]:
+    condition: []
+    members:
+    - user:user1@example.com
+    role: roles/cloudkms.admin
+  module.prod-sec-kms["global"].google_kms_key_ring.default[0]:
+    location: global
+    name: prod-global
+    project: fast-prod-sec-core-0
+    timeouts: null
+  module.prod-sec-project.google_project.project[0]:
+    auto_create_network: false
+    billing_account: 000000-111111-222222
+    deletion_policy: DELETE
+    effective_labels:
+      environment: prod
+      team: security
+    folder_id: null
+    labels:
+      environment: prod
+      team: security
+    name: fast-prod-sec-core-0
+    org_id: null
+    project_id: fast-prod-sec-core-0
+    terraform_labels:
+      environment: prod
+      team: security
+    timeouts: null
+  module.prod-sec-project.google_project_iam_binding.authoritative["roles/cloudkms.viewer"]:
+    condition: []
+    members:
+    - serviceAccount:foobar@iam.gserviceaccount.com
+    project: fast-prod-sec-core-0
+    role: roles/cloudkms.viewer
+  ? module.prod-sec-project.google_project_iam_member.bindings["kms_restricted_admin.serviceAccount:foobar@iam.gserviceaccount.com"]
+  : condition:
+    - description: Automation service account delegated grants.
+      expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/cloudkms.cryptoKeyEncrypterDecrypter'',''roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation''])
+        &&
+
+        resource.type == ''cloudkms.googleapis.com/CryptoKey''
+
+        '
+      title: kms_sa_delegated_grants
+    member: serviceAccount:foobar@iam.gserviceaccount.com
+    project: fast-prod-sec-core-0
+    role: roles/cloudkms.admin
+  module.prod-sec-project.google_project_iam_member.service_agents["certificatemanager"]:
+    condition: []
+    project: fast-prod-sec-core-0
+    role: roles/certificatemanager.serviceAgent
+  module.prod-sec-project.google_project_iam_member.service_agents["cloudkms"]:
+    condition: []
+    project: fast-prod-sec-core-0
+    role: roles/cloudkms.serviceAgent
+  module.prod-sec-project.google_project_iam_member.service_agents["networkmanagement"]:
+    condition: []
+    project: fast-prod-sec-core-0
+    role: roles/networkmanagement.serviceAgent
+  module.prod-sec-project.google_project_service.project_services["certificatemanager.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-prod-sec-core-0
+    service: certificatemanager.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service.project_services["cloudkms.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-prod-sec-core-0
+    service: cloudkms.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service.project_services["networkmanagement.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-prod-sec-core-0
+    service: networkmanagement.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service.project_services["networksecurity.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-prod-sec-core-0
+    service: networksecurity.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service.project_services["privateca.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-prod-sec-core-0
+    service: privateca.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service.project_services["secretmanager.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-prod-sec-core-0
+    service: secretmanager.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast-prod-sec-core-0
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["certificatemanager.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: certificatemanager.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["cloudkms.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: cloudkms.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["networkmanagement.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: networkmanagement.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: networksecurity.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["privateca.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: privateca.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["secretmanager.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: secretmanager.googleapis.com
+    timeouts: null
+
 counts:
   google_essential_contacts_contact: 1
   google_folder: 1
@@ -20,9 +453,24 @@ counts:
   google_kms_key_ring: 8
   google_project: 2
   google_project_iam_binding: 2
-  google_project_iam_member: 4
-  google_project_service: 6
-  google_project_service_identity: 4
+  google_project_iam_member: 8
+  google_project_service: 14
+  google_project_service_identity: 12
   google_storage_bucket_object: 1
   modules: 11
-  resources: 45
+  resources: 65
+
+outputs:
+  cas_configs:
+    dev: {}
+    prod: {}
+  kms_keys: __missing__
+  ngfw_tls_configs:
+    tls_enabled: false
+    tls_ip_ids_by_region:
+      dev: {}
+      prod: {}
+  tfvars: __missing__
+  trust_config_ids:
+    dev: {}
+    prod: {}

tests/fast/stages/s3_network_security/tftest.yaml

@@ -0,0 +1,19 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: fast/stages/3-network-security/
+
+tests:
+  simple:
+  tls:

tests/fast/stages/s3_network_security/tls.tfvars

@@ -0,0 +1,40 @@
+billing_account = {
+  id = "000000-111111-222222"
+}
+folder_ids = {
+  networking      = "folders/12345678900"
+  networking-dev  = "folders/12345678901"
+  networking-prod = "folders/12345678902"
+}
+host_project_ids = {
+  dev-spoke-0  = "dev-project"
+  prod-spoke-0 = "prod-project"
+}
+ngfw_enterprise_config = {
+  endpoint_zones = [
+    "europe-west1-b",
+    "europe-west1-c",
+    "europe-west1-d"
+  ]
+}
+ngfw_tls_configs = {
+  tls_enabled = true
+  tls_ip_ids_by_region = {
+    dev = {
+      europe-west1 = "projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0"
+    }
+    prod = {
+      europe-west1 = "projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0"
+    }
+  }
+}
+organization = {
+  domain      = "fast.example.com"
+  id          = 123456789012
+  customer_id = "C00000000"
+}
+prefix = "fast2"
+vpc_self_links = {
+  dev-spoke-0  = "https://www.googleapis.com/compute/v1/projects/123456789/networks/vpc-1"
+  prod-spoke-0 = "https://www.googleapis.com/compute/v1/projects/123456789/networks/vpc-2"
+}

tests/fast/stages/s3_network_security/tls.yaml

@@ -0,0 +1,309 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_network_security_firewall_endpoint.firewall_endpoint["europe-west1-b"]:
+    billing_project_id: fast2-net-ngfw-0
+    labels: null
+    location: europe-west1-b
+    name: fast2-ngfw-endpoint-europe-west1-b
+    parent: organizations/123456789012
+    timeouts: null
+  google_network_security_firewall_endpoint.firewall_endpoint["europe-west1-c"]:
+    billing_project_id: fast2-net-ngfw-0
+    labels: null
+    location: europe-west1-c
+    name: fast2-ngfw-endpoint-europe-west1-c
+    parent: organizations/123456789012
+    timeouts: null
+  google_network_security_firewall_endpoint.firewall_endpoint["europe-west1-d"]:
+    billing_project_id: fast2-net-ngfw-0
+    labels: null
+    location: europe-west1-d
+    name: fast2-ngfw-endpoint-europe-west1-d
+    parent: organizations/123456789012
+    timeouts: null
+  google_network_security_firewall_endpoint_association.dev_fw_ep_association["europe-west1-b"]:
+    disabled: false
+    labels: null
+    location: europe-west1-b
+    name: fast2-dev-epa-europe-west1-b
+    network: projects/123456789/networks/vpc-1
+    parent: projects/dev-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0
+  google_network_security_firewall_endpoint_association.dev_fw_ep_association["europe-west1-c"]:
+    disabled: false
+    labels: null
+    location: europe-west1-c
+    name: fast2-dev-epa-europe-west1-c
+    network: projects/123456789/networks/vpc-1
+    parent: projects/dev-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0
+  google_network_security_firewall_endpoint_association.dev_fw_ep_association["europe-west1-d"]:
+    disabled: false
+    labels: null
+    location: europe-west1-d
+    name: fast2-dev-epa-europe-west1-d
+    network: projects/123456789/networks/vpc-1
+    parent: projects/dev-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0
+  google_network_security_firewall_endpoint_association.prod_fw_ep_association["europe-west1-b"]:
+    disabled: false
+    labels: null
+    location: europe-west1-b
+    name: fast2-prod-epa-europe-west1-b
+    network: projects/123456789/networks/vpc-2
+    parent: projects/prod-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0
+  google_network_security_firewall_endpoint_association.prod_fw_ep_association["europe-west1-c"]:
+    disabled: false
+    labels: null
+    location: europe-west1-c
+    name: fast2-prod-epa-europe-west1-c
+    network: projects/123456789/networks/vpc-2
+    parent: projects/prod-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0
+  google_network_security_firewall_endpoint_association.prod_fw_ep_association["europe-west1-d"]:
+    disabled: false
+    labels: null
+    location: europe-west1-d
+    name: fast2-prod-epa-europe-west1-d
+    network: projects/123456789/networks/vpc-2
+    parent: projects/prod-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0
+  google_network_security_security_profile.dev_sec_profile:
+    description: null
+    labels: null
+    location: global
+    name: fast2-dev-sp-0
+    parent: organizations/123456789012
+    threat_prevention_profile: []
+    timeouts: null
+    type: THREAT_PREVENTION
+  google_network_security_security_profile.prod_sec_profile:
+    description: null
+    labels: null
+    location: global
+    name: fast2-prod-sp-0
+    parent: organizations/123456789012
+    threat_prevention_profile: []
+    timeouts: null
+    type: THREAT_PREVENTION
+  google_network_security_security_profile_group.dev_sec_profile_group:
+    description: Dev security profile group.
+    labels: null
+    location: global
+    name: fast2-dev-spg-0
+    parent: organizations/123456789012
+    timeouts: null
+  google_network_security_security_profile_group.prod_sec_profile_group:
+    description: prod security profile group.
+    labels: null
+    location: global
+    name: fast2-prod-spg-0
+    parent: organizations/123456789012
+    timeouts: null
+  module.dev-spoke-firewall-policy.google_compute_network_firewall_policy.net-global[0]:
+    description: null
+    name: fast2-dev-fw-policy
+    project: dev-project
+    timeouts: null
+  module.dev-spoke-firewall-policy.google_compute_network_firewall_policy_association.net-global["dev-spoke"]:
+    attachment_target: https://www.googleapis.com/compute/v1/projects/123456789/networks/vpc-1
+    firewall_policy: fast2-dev-fw-policy
+    name: fast2-dev-fw-policy-dev-spoke
+    project: dev-project
+    timeouts: null
+  module.dev-spoke-firewall-policy.google_compute_network_firewall_policy_rule.net-global["egress/egress-allow-rfc1918"]:
+    action: allow
+    description: Allow all hosts to RFC-1918
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: fast2-dev-fw-policy
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 2147483546
+    project: dev-project
+    rule_name: egress-allow-rfc1918
+    security_profile_group: null
+    target_secure_tags: []
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+  module.dev-spoke-firewall-policy.google_compute_network_firewall_policy_rule.net-global["egress/egress-inspect-internet"]:
+    action: apply_security_profile_group
+    description: Inspect egress traffic from all dev hosts to Internet
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: fast2-dev-fw-policy
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 0.0.0.0/0
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 2147483547
+    project: dev-project
+    rule_name: egress-inspect-internet
+    target_secure_tags: []
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+  module.ngfw-quota-project.google_project.project[0]:
+    auto_create_network: false
+    billing_account: 000000-111111-222222
+    deletion_policy: DELETE
+    folder_id: '12345678900'
+    labels: null
+    name: fast2-net-ngfw-0
+    org_id: null
+    project_id: fast2-net-ngfw-0
+    timeouts: null
+  module.ngfw-quota-project.google_project_service.project_services["networksecurity.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast2-net-ngfw-0
+    service: networksecurity.googleapis.com
+    timeouts: null
+  module.ngfw-quota-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
+    project: fast2-net-ngfw-0
+    service: networksecurity.googleapis.com
+    timeouts: null
+  module.prod-spoke-firewall-policy.google_compute_network_firewall_policy.net-global[0]:
+    description: null
+    name: fast2-prod-fw-policy
+    project: prod-project
+    timeouts: null
+  module.prod-spoke-firewall-policy.google_compute_network_firewall_policy_association.net-global["prod-spoke"]:
+    attachment_target: https://www.googleapis.com/compute/v1/projects/123456789/networks/vpc-2
+    firewall_policy: fast2-prod-fw-policy
+    name: fast2-prod-fw-policy-prod-spoke
+    project: prod-project
+    timeouts: null
+  module.prod-spoke-firewall-policy.google_compute_network_firewall_policy_rule.net-global["egress/egress-allow-rfc1918"]:
+    action: allow
+    description: Allow all hosts to RFC-1918
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: fast2-prod-fw-policy
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 2147483546
+    project: prod-project
+    rule_name: egress-allow-rfc1918
+    security_profile_group: null
+    target_secure_tags: []
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+  module.prod-spoke-firewall-policy.google_compute_network_firewall_policy_rule.net-global["egress/egress-inspect-internet"]:
+    action: apply_security_profile_group
+    description: Inspect egress traffic from all prod hosts to Internet
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: fast2-prod-fw-policy
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 0.0.0.0/0
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 2147483547
+    project: prod-project
+    rule_name: egress-inspect-internet
+    target_secure_tags: []
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+
+counts:
+  google_compute_network_firewall_policy: 2
+  google_compute_network_firewall_policy_association: 2
+  google_compute_network_firewall_policy_rule: 4
+  google_network_security_firewall_endpoint: 3
+  google_network_security_firewall_endpoint_association: 6
+  google_network_security_security_profile: 2
+  google_network_security_security_profile_group: 2
+  google_project: 1
+  google_project_service: 1
+  google_project_service_identity: 1
+  modules: 3
+  resources: 24
+
+outputs:
+  ngfw_enterprise_endpoint_ids: __missing__
+  ngfw_enterprise_endpoints_quota_project: fast2-net-ngfw-0
+