diff --git a/.github/actions/fabric-tests/action.yml b/.github/actions/fabric-tests/action.yml index 05f93fcf7..8fcd78906 100644 --- a/.github/actions/fabric-tests/action.yml +++ b/.github/actions/fabric-tests/action.yml @@ -52,11 +52,11 @@ runs: - name: Configure provider cache shell: bash run: | - echo 'plugin_cache_dir = "${{ env.TF_PLUGIN_CACHE_DIR }}"' \ + echo 'plugin_cache_dir = "${TF_PLUGIN_CACHE_DIR}"' \ | tee -a /home/runner/.terraformrc echo 'disable_checkpoint = true' \ | tee -a /home/runner/.terraformrc - mkdir -p ${{ env.TF_PLUGIN_CACHE_DIR }} + mkdir -p ${TF_PLUGIN_CACHE_DIR} - name: Download lockfile uses: actions/download-artifact@v4 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c900e5c39..1b21866f3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,11 +39,16 @@ jobs: - name: "Validate input" # yamllint disable rule:line-length run: | - [[ "${{ github.event.inputs.changelog }}" != "true" ]] && { echo 'You didn''t update the changelog.' ; exit 1; } - [[ -n "${{ github.event.inputs.version }}" ]] || { echo 'Version not specified!'; exit 1; } - [[ "${{ github.event.inputs.version }}" != v* ]] && { echo 'Version does not start with v!' ; exit 1; } + [[ "${GITHUB_EVENT_INPUTS_CHANGELOG}" != "true" ]] && { echo 'You didn''t update the changelog.' ; exit 1; } + [[ -n "${GITHUB_EVENT_INPUTS_VERSION}" ]] || { echo 'Version not specified!'; exit 1; } + [[ "${GITHUB_EVENT_INPUTS_VERSION}" != v* ]] && { echo 'Version does not start with v!' ; exit 1; } + env: + GITHUB_EVENT_INPUTS_CHANGELOG: ${{ github.event.inputs.changelog }} + GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }} - name: "Tag and release" run: | - git tag ${{ github.event.inputs.version }} - git push origin ${{ github.event.inputs.version }} + git tag ${GITHUB_EVENT_INPUTS_VERSION} + git push origin ${GITHUB_EVENT_INPUTS_VERSION} + env: + GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }} 
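Review bot: The `plugin_cache_dir` line is still single-quoted, so after this change the shell no longer expands `${TF_PLUGIN_CACHE_DIR}` and the literal text `${TF_PLUGIN_CACHE_DIR}` is what gets appended to `/home/runner/.terraformrc`, where previously the runner had already substituted the real path. This likely still works only because Terraform expands environment variables in that setting and also reads `TF_PLUGIN_CACHE_DIR` from the environment directly, but that reliance is invisible here; if the resolved path is what is intended, use `echo "plugin_cache_dir = \"${TF_PLUGIN_CACHE_DIR}\""`. The directory creation should also be quoted, `mkdir -p "${TF_PLUGIN_CACHE_DIR}"`, so a path with whitespace is not split into several arguments. The composite action's `runs:` list starts before this hunk.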
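Review bot: In the `Tag and release` step the input is still expanded unquoted, `git tag ${GITHUB_EVENT_INPUTS_VERSION}` and `git push origin ${GITHUB_EVENT_INPUTS_VERSION}`, so moving it into `env` removes expression injection but whitespace in the value still splits into extra git arguments; quote both expansions, `git tag "${GITHUB_EVENT_INPUTS_VERSION}"`. The validation only checks that the value starts with `v`; a stricter pattern such as `[[ "${GITHUB_EVENT_INPUTS_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo 'Invalid version!'; exit 1; }` rejects anything that is not a plain `vX.Y.Z` tag before it reaches git. Worth confirming as well: if this job runs under the default `bash -e {0}` shell, the last line of the validate step is `[[ … != v* ]] && { … }`, which exits 1 when the version is valid because the test itself is false and nothing follows it; writing the checks in the `||` form avoids that.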
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index e57996199..55b08c0e0 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -57,7 +57,7 @@ jobs: run: | set -e -o xtrace if [[ ${{ matrix.flavour }} == 'terraform' ]] ; then - echo TERRAFORM_VERSION=${{ env.DEFAULT_TERRAFORM_VERSION }} | tee -a ${GITHUB_ENV} + echo TERRAFORM_VERSION=${DEFAULT_TERRAFORM_VERSION} | tee -a ${GITHUB_ENV} elif [[ ${{ matrix.flavour }} == 'tofu' ]] ; then echo TERRAFORM_VERSION=${{ env.DEFAULT_TOFU_VERSION }} | tee -a ${GITHUB_ENV} else @@ -85,7 +85,7 @@ jobs: sed -i -e 's/>=\(.*# tftest\)/=\1/g' tools/lockfile/versions.tf tools/lockfile/versions.tofu # change terraform version to the one that is running - sed -i 's/required_version = .*$/required_version = ">= ${{ env.TERRAFORM_VERSION }}"/g' \ + sed -i "s/required_version = .\*$/required_version = \">= ${TERRAFORM_VERSION}\"/g" \ tools/lockfile/versions.tf cd tools/lockfile @@ -145,7 +145,7 @@ jobs: run: | set -e -o xtrace if [[ ${{ matrix.flavour }} == 'terraform' ]] ; then - echo TERRAFORM_VERSION=${{ env.DEFAULT_TERRAFORM_VERSION }} | tee -a ${GITHUB_ENV} + echo TERRAFORM_VERSION=${DEFAULT_TERRAFORM_VERSION} | tee -a ${GITHUB_ENV} elif [[ ${{ matrix.flavour }} == 'tofu' ]] ; then echo TERRAFORM_VERSION=${{ env.DEFAULT_TOFU_VERSION }} | tee -a ${GITHUB_ENV} else @@ -189,7 +189,7 @@ jobs: run: | set -e -o xtrace if [[ ${{ matrix.flavour }} == 'terraform' ]] ; then - echo TERRAFORM_VERSION=${{ env.DEFAULT_TERRAFORM_VERSION }} | tee -a ${GITHUB_ENV} + echo TERRAFORM_VERSION=${DEFAULT_TERRAFORM_VERSION} | tee -a ${GITHUB_ENV} elif [[ ${{ matrix.flavour }} == 'tofu' ]] ; then echo TERRAFORM_VERSION=${{ env.DEFAULT_TOFU_VERSION }} | tee -a ${GITHUB_ENV} else 
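Review bot: Only the `terraform` branch was converted to a shell variable; the `tofu` branch two lines below still inlines `${{ env.DEFAULT_TOFU_VERSION }}` into the script, and `${{ matrix.flavour }}` is inlined on both `if` lines, so the step now mixes the two mechanisms for the same purpose. For consistency change the second echo to `echo TERRAFORM_VERSION=${DEFAULT_TOFU_VERSION} | tee -a ${GITHUB_ENV}`; the same mixed pattern remains in the hunks at `@@ -145`, `@@ -189` and `@@ -233` of this file. The `run:` block this belongs to starts before the hunk.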
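Review bot: The rewritten sed pattern `required_version = .\*$` no longer matches what the old one did: inside double quotes bash keeps `\*` as two characters, and in sed's BRE `\*` is a literal asterisk, so the pattern now requires a `*` at the end of the line and the substitution silently does nothing on a normal `required_version = ">= X"` line (sed exits 0 either way, so `set -e` will not catch it). Drop the backslash, `sed -i "s/required_version = .*$/required_version = \">= ${TERRAFORM_VERSION}\"/g" \` — `*` needs no escaping inside double quotes. The `run:` block this belongs to starts before the hunk.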
@@ -233,7 +233,7 @@ jobs: run: | set -e -o xtrace if [[ ${{ matrix.flavour }} == 'terraform' ]] ; then - echo TERRAFORM_VERSION=${{ env.DEFAULT_TERRAFORM_VERSION }} | tee -a ${GITHUB_ENV} + echo TERRAFORM_VERSION=${DEFAULT_TERRAFORM_VERSION} | tee -a ${GITHUB_ENV} elif [[ ${{ matrix.flavour }} == 'tofu' ]] ; then echo TERRAFORM_VERSION=${{ env.DEFAULT_TOFU_VERSION }} | tee -a ${GITHUB_ENV} else diff --git a/fast/stages/0-org-setup/datasets/classic-gcd/organization/.config.yaml b/fast/stages/0-org-setup/datasets/classic-gcd/organization/.config.yaml index 7de12fe33..9ea2d5552 100644 --- a/fast/stages/0-org-setup/datasets/classic-gcd/organization/.config.yaml +++ b/fast/stages/0-org-setup/datasets/classic-gcd/organization/.config.yaml @@ -86,11 +86,11 @@ iam_by_principals: - roles/compute.xpnAdmin $iam_principals:service_accounts/iac-0/iac-networking-ro: # uncomment for cooperative VPC-SC configurations - # - roles/accesscontextmanager.policyViewer + # - roles/accesscontextmanager.policyReader - roles/compute.orgFirewallPolicyUser - roles/compute.viewer # uncomment for cooperative VPC-SC configurations - # $iam_principals:service_accounts/iac-0/iac-pw-rw: + # $iam_principals:service_accounts/iac-0/iac-pf-rw: # - roles/accesscontextmanager.policyEditor # uncomment if you want to use Assured Workloads # $iam_principals:service_accounts/iac-0/iac-pf-rw: @@ -101,7 +101,7 @@ iam_by_principals: - roles/cloudasset.viewer $iam_principals:service_accounts/iac-0/iac-security-ro: # uncomment for cooperative VPC-SC configurations - # - roles/accesscontextmanager.policyViewer + # - roles/accesscontextmanager.policyReader - roles/cloudasset.viewer $iam_principals:service_accounts/iac-0/iac-vpcsc-rw: - roles/accesscontextmanager.policyAdmin diff --git a/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml b/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml index 7de12fe33..9ea2d5552 100644 
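Review bot: After renaming the commented key, the cooperative VPC-SC stanza and the Assured Workloads stanza directly below it carry the same key, `$iam_principals:service_accounts/iac-0/iac-pf-rw`, so a user who uncomments both produces a duplicate mapping key; YAML 1.2 forbids that, but most loaders keep the last occurrence silently, which would drop `roles/accesscontextmanager.policyEditor` without any error. A comment on the first stanza such as `# if you also enable Assured Workloads below, put these roles under that single key instead` would prevent the silent loss. The same pair of stanzas is changed in the `classic` and `hardened` `.config.yaml` hunks that follow.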
--- a/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml +++ b/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml @@ -86,11 +86,11 @@ iam_by_principals: - roles/compute.xpnAdmin $iam_principals:service_accounts/iac-0/iac-networking-ro: # uncomment for cooperative VPC-SC configurations - # - roles/accesscontextmanager.policyViewer + # - roles/accesscontextmanager.policyReader - roles/compute.orgFirewallPolicyUser - roles/compute.viewer # uncomment for cooperative VPC-SC configurations - # $iam_principals:service_accounts/iac-0/iac-pw-rw: + # $iam_principals:service_accounts/iac-0/iac-pf-rw: # - roles/accesscontextmanager.policyEditor # uncomment if you want to use Assured Workloads # $iam_principals:service_accounts/iac-0/iac-pf-rw: @@ -101,7 +101,7 @@ iam_by_principals: - roles/cloudasset.viewer $iam_principals:service_accounts/iac-0/iac-security-ro: # uncomment for cooperative VPC-SC configurations - # - roles/accesscontextmanager.policyViewer + # - roles/accesscontextmanager.policyReader - roles/cloudasset.viewer $iam_principals:service_accounts/iac-0/iac-vpcsc-rw: - roles/accesscontextmanager.policyAdmin diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/.config.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/.config.yaml index ec25bfb14..7a1fdfc29 100644 --- a/fast/stages/0-org-setup/datasets/hardened/organization/.config.yaml +++ b/fast/stages/0-org-setup/datasets/hardened/organization/.config.yaml 
@@ -89,11 +89,11 @@ iam_by_principals: - roles/compute.xpnAdmin $iam_principals:service_accounts/iac-0/iac-networking-ro: # uncomment for cooperative VPC-SC configurations - # - roles/accesscontextmanager.policyViewer + # - roles/accesscontextmanager.policyReader - roles/compute.orgFirewallPolicyUser - roles/compute.viewer # uncomment for cooperative VPC-SC configurations - # $iam_principals:service_accounts/iac-0/iac-pw-rw: + # $iam_principals:service_accounts/iac-0/iac-pf-rw: # - roles/accesscontextmanager.policyEditor # uncomment if you want to use Assured Workloads # $iam_principals:service_accounts/iac-0/iac-pf-rw: @@ -104,7 +104,7 @@ iam_by_principals: - roles/cloudasset.viewer $iam_principals:service_accounts/iac-0/iac-security-ro: # uncomment for cooperative VPC-SC configurations - # - roles/accesscontextmanager.policyViewer + # - roles/accesscontextmanager.policyReader - roles/cloudasset.viewer $iam_principals:service_accounts/iac-0/iac-vpcsc-rw: - roles/accesscontextmanager.policyAdmin diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/.config.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/.config.yaml index 958590264..9fca4d35a 100644 --- a/fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/.config.yaml +++ b/fast/stages/2-networking/datasets/hub-and-spokes-nva/vpcs/dmz/.config.yaml 
@@ -17,6 +17,12 @@ routers: "10.0.0.0/8": "rfc1918-10" "172.16.0.0/12": "rfc1918-172" "192.168.0.0/16": "rfc1918-192" + # # Uncomment to advertise the Cloud DNS query source address range. (see https://docs.cloud.google.com/dns/docs/server-policies-overview#altns-targets:~:text=0/19-,Type%202%20name%20server,-An%20IP%20address) + # "35.199.192.0/19": "cloud-dns-resolver" + # # Uncomment to advertise the Private Google Access routes. (see https://docs.cloud.google.com/vpc/docs/private-google-access-hybrid) + # "199.36.153.8/30": "private-googleapis-com" + # # Uncomment to advertise the Private Google Access routes that support VPC Service Controls. (see https://docs.cloud.google.com/vpc/docs/private-google-access-hybrid) + # "199.36.153.4/30": "restricted-googleapis-com" nat_config: nat-ew8: region: europe-west1 diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/hub/.config.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/hub/.config.yaml index ec9b0e468..9796b923a 100644 --- a/fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/hub/.config.yaml +++ b/fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/hub/.config.yaml 
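Review bot: The Cloud DNS link on the first added comment line carries a `:~:text=` text-fragment directive, which not every viewer honours and which silently stops working when the page wording changes; linking to the `#altns-targets` anchor alone is more durable. The same URL is repeated in the `hub-and-spokes-peerings` hub hunk and in both `onprem.yaml` hunks below, so it is worth fixing in all four places at once.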
@@ -19,6 +19,16 @@ routers: vpn-router: region: $locations:primary asn: 64514 + # Uncomment to enable custom route advertisement. (see https://docs.cloud.google.com/network-connectivity/docs/router/how-to/advertising-custom-ip) + # custom_advertise: + # all_subnets: true + # ip_ranges: + # # Uncomment to advertise the Cloud DNS query source address range. (see https://docs.cloud.google.com/dns/docs/server-policies-overview#altns-targets:~:text=0/19-,Type%202%20name%20server,-An%20IP%20address) + # "35.199.192.0/19": "cloud-dns-resolver" + # # Uncomment to advertise the Private Google Access routes. (see https://docs.cloud.google.com/vpc/docs/private-google-access-hybrid) + # "199.36.153.8/30": "private-googleapis-com" + # # Uncomment to advertise the Private Google Access routes that support VPC Service Controls. (see https://docs.cloud.google.com/vpc/docs/private-google-access-hybrid) + # "199.36.153.4/30": "restricted-googleapis-com" routes: default: dest_range: 0.0.0.0/0 diff --git a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/onprem.yaml b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/onprem.yaml index 89f224395..2f3a7f730 100644 --- a/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/onprem.yaml +++ b/fast/stages/2-networking/datasets/hub-and-spokes-vpns/vpcs/hub/vpns/onprem.yaml 
@@ -30,6 +30,19 @@ tunnels: bgp_peer: address: 169.254.128.1 asn: 64513 + # Uncomment to enable custom route advertisements for this BGP peer. (see https://docs.cloud.google.com/network-connectivity/docs/router/concepts/advertised-routes#am-custom) + # custom_advertise: + # all_subnets: true + # ip_ranges: + # "10.0.0.0/8": "rfc1918-10" + # "172.16.0.0/12": "rfc1918-172" + # "192.168.0.0/16": "rfc1918-192" + # # Uncomment to advertise the Cloud DNS query source address range. (see https://docs.cloud.google.com/dns/docs/server-policies-overview#altns-targets:~:text=0/19-,Type%202%20name%20server,-An%20IP%20address) + # "35.199.192.0/19": "cloud-dns-resolver" + # # Uncomment to advertise the Private Google Access routes. (see https://docs.cloud.google.com/vpc/docs/private-google-access-hybrid) + # "199.36.153.8/30": "private-googleapis-com" + # # Uncomment to advertise the Private Google Access routes that support VPC Service Controls. (see https://docs.cloud.google.com/vpc/docs/private-google-access-hybrid) + # "199.36.153.4/30": "restricted-googleapis-com" bgp_session_range: "169.254.128.2/30" peer_external_gateway_interface: 0 shared_secret: "mySecret" 
@@ -38,6 +51,19 @@ tunnels: bgp_peer: address: 169.254.128.5 asn: 64513 + # Uncomment to enable custom route advertisements for this BGP peer. (see https://docs.cloud.google.com/network-connectivity/docs/router/concepts/advertised-routes#am-custom) + # custom_advertise: + # all_subnets: true + # ip_ranges: + # "10.0.0.0/8": "rfc1918-10" + # "172.16.0.0/12": "rfc1918-172" + # "192.168.0.0/16": "rfc1918-192" + # # Uncomment to advertise the Cloud DNS query source address range. (see https://docs.cloud.google.com/dns/docs/server-policies-overview#altns-targets:~:text=0/19-,Type%202%20name%20server,-An%20IP%20address) + # "35.199.192.0/19": "cloud-dns-resolver" + # # Uncomment to advertise the Private Google Access routes. (see https://docs.cloud.google.com/vpc/docs/private-google-access-hybrid) + # "199.36.153.8/30": "private-googleapis-com" + # # Uncomment to advertise the Private Google Access routes that support VPC Service Controls. (see https://docs.cloud.google.com/vpc/docs/private-google-access-hybrid) + # "199.36.153.4/30": "restricted-googleapis-com" bgp_session_range: "169.254.128.6/30" peer_external_gateway_interface: 0 shared_secret: "mySecret" diff --git a/modules/api-gateway/recipe-multi-region/function/package-lock.json b/modules/api-gateway/recipe-multi-region/function/package-lock.json index e41cc95c7..8d7168fd9 100644 --- a/modules/api-gateway/recipe-multi-region/function/package-lock.json +++ b/modules/api-gateway/recipe-multi-region/function/package-lock.json 
@@ -166,9 +166,9 @@ } }, "node_modules/ajv": { - "version": "8.17.1", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz", - "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==", + "version": "8.18.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz", + "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==", "license": "MIT", "dependencies": { "fast-deep-equal": "^3.1.3", @@ -1136,9 +1136,9 @@ } }, "node_modules/qs": { - "version": "6.14.1", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz", - "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==", + "version": "6.14.2", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz", + "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==", "license": "BSD-3-Clause", "dependencies": { "side-channel": "^1.1.0" diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md index 10bbb20b4..62032e084 100644 --- a/modules/cloud-run-v2/README.md +++ b/modules/cloud-run-v2/README.md @@ -862,11 +862,10 @@ IAP is only supported for service. Refer to the [Configure IAP directly on cloud ```hcl module "cloud_run" { - source = "./fabric/modules/cloud-run-v2" - project_id = var.project_id - name = "example-hello" - region = var.region - launch_stage = "BETA" + source = "./fabric/modules/cloud-run-v2" + project_id = var.project_id + name = "example-hello" + region = var.region containers = { hello = { image = "us-docker.pkg.dev/cloudrun/container/hello" diff --git a/modules/compute-vm/template.tf b/modules/compute-vm/template.tf index bf0463dae..692ea2e5f 100644 --- a/modules/compute-vm/template.tf +++ b/modules/compute-vm/template.tf 
@@ -156,13 +156,14 @@ resource "google_compute_instance_template" "default" { nic_type = config.value.nic_type stack_type = config.value.stack_type dynamic "access_config" { - for_each = config.value.nat ? [""] : [] + for_each = config.value.nat || config.value.network_tier != null ? [""] : [] content { nat_ip = try( local.ctx.addresses[config.value.addresses.external], config.value.addresses.external, null ) + network_tier = try(config.value.network_tier, null) } } dynamic "alias_ip_range" { @@ -380,13 +381,14 @@ resource "google_compute_region_instance_template" "default" { nic_type = config.value.nic_type stack_type = config.value.stack_type dynamic "access_config" { - for_each = config.value.nat ? [""] : [] + for_each = config.value.nat || config.value.network_tier != null ? [""] : [] content { nat_ip = try( local.ctx.addresses[config.value.addresses.external], config.value.addresses.external, null ) + network_tier = try(config.value.network_tier, null) } } dynamic "alias_ip_range" { diff --git a/modules/organization/README.md b/modules/organization/README.md index 7322d000d..c54248f32 100644 --- a/modules/organization/README.md +++ b/modules/organization/README.md @@ -26,6 +26,7 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b - [Privileged Access Manager (PAM) Entitlements Factory](#privileged-access-manager-pam-entitlements-factory) - [Hierarchical Firewall Policy Attachments](#hierarchical-firewall-policy-attachments) - [Log Sinks](#log-sinks) + - [Externally Managing IAM for Log Sinks](#externally-managing-iam-for-log-sinks) - [Data Access Logs](#data-access-logs) - [Custom Roles](#custom-roles) - [Custom Roles Factory](#custom-roles-factory) 
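Review bot: With the new `for_each` condition an `access_config` block — and therefore an ephemeral external IP — is created whenever `network_tier` is set, even when `nat` is `false`, so an operator who only meant to set the tier silently exposes the instance; the second hunk makes the same change to the regional template. Either document this coupling on the variable or guard it, for example keep `for_each = config.value.nat ? [""] : []` and add a variable validation that `network_tier == null || nat`, so a public address is only ever created explicitly. Inside the block, `try(config.value.network_tier, null)` is redundant because the `for_each` line already reads `config.value.network_tier` directly; a plain `network_tier = config.value.network_tier` is clearer and does not mask typos. Both `resource` blocks start before their hunks.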
@@ -447,6 +448,68 @@ module "org" { # tftest inventory=logging.yaml ``` +### Externally Managing IAM for Log Sinks + +By default the module creates one conditional IAM binding per sink for `roles/logging.bucketWriter` on the destination project. GCP enforces a hard limit of [20 conditional bindings per role and principal](https://cloud.google.com/iam/docs/conditions-overview#limitations) on a single resource. If you route many sinks to the same destination project, you will hit this limit. + +Set `iam = false` on the affected sinks and manage the IAM binding externally, consolidating multiple destinations into fewer bindings using an OR'd CEL condition expression (max 12 logical operators per condition). + +```hcl +module "log-bucket-0" { + source = "./fabric/modules/logging-bucket" + parent = var.project_id + name = "audit-0" +} + +module "log-bucket-1" { + source = "./fabric/modules/logging-bucket" + parent = var.project_id + name = "audit-1" +} + +module "org" { + source = "./fabric/modules/organization" + organization_id = var.organization_id + logging_sinks = { + audit-0 = { + destination = module.log-bucket-0.id + filter = "severity=NOTICE" + type = "logging" + iam = false + } + audit-1 = { + destination = module.log-bucket-1.id + filter = "severity=WARNING" + type = "logging" + iam = false + } + } +} + +resource "google_project_iam_member" "log-bucket-writer" { + project = var.project_id + role = "roles/logging.bucketWriter" + member = module.org.sink_writer_identities["audit-0"] + condition { + title = "log_bucket_writer" + description = "Grants bucketWriter for audit-0, audit-1." 
+ expression = join(" || ", [ + "resource.name.endsWith('${module.log-bucket-0.id}')", + "resource.name.endsWith('${module.log-bucket-1.id}')", + # add up to 11 more + ]) + } + lifecycle { + create_before_destroy = true + } +} +# tftest inventory=logging-iam-external.yaml +``` + +When you exceed 13 sinks per binding, use Terraform's `chunklist()` with `for_each` to generate multiple `google_project_iam_member` resources automatically. + +For production-scale deployments or strict per-sink isolation, consider using [user-managed service accounts for log routing](https://cloud.google.com/logging/docs/routing/user-managed-service-accounts) instead of the default shared writer identity. This removes the conditional binding limit entirely and provides per-sink auditability. + ## Data Access Logs Activation of data access logs can be controlled via the `logging_data_access` variable. diff --git a/modules/project-factory/README.md b/modules/project-factory/README.md index 7eca54311..394cc279a 100644 --- a/modules/project-factory/README.md +++ b/modules/project-factory/README.md @@ -880,7 +880,8 @@ compute.disableSerialPortAccess: | [service_account_iam_emails](outputs.tf#L144) | Service account IAM-format emails. | | | [service_account_ids](outputs.tf#L151) | Service account IDs. | | | [service_accounts](outputs.tf#L158) | Service account emails. | | -| [storage_buckets](outputs.tf#L163) | Bucket names. | | +| [service_agents](outputs.tf#L163) | Service agent emails. | | +| [storage_buckets](outputs.tf#L174) | Bucket names. | | ## Tests diff --git a/modules/project-factory/outputs.tf b/modules/project-factory/outputs.tf index 36953d530..4c4d492b5 100644 --- a/modules/project-factory/outputs.tf +++ b/modules/project-factory/outputs.tf 
@@ -160,6 +160,17 @@ output "service_accounts" { value = local.outputs_service_accounts } +output "service_agents" { + description = "Service agent emails." + value = { + for k, v in local.projects_service_agents + : trimprefix(k, "service_agents/") => { + email = trimprefix(v, "serviceAccount:") + iamEmail = v + } + } +} + output "storage_buckets" { description = "Bucket names." value = merge( diff --git a/tests/fast/stages/s0_org_setup/hardened.yaml b/tests/fast/stages/s0_org_setup/hardened.yaml index d0c17c32f..9778db7bc 100644 --- a/tests/fast/stages/s0_org_setup/hardened.yaml +++ b/tests/fast/stages/s0_org_setup/hardened.yaml @@ -45,7 +45,6 @@ values: name: providers/0-org-setup-providers.tf retention: [] source: null - source_md5hash: 2a0bbb00e4b7f1454a50ac7f26c23c05 temporary_hold: null timeouts: null google_storage_bucket_object.providers["0-org-setup-ro"]: @@ -78,7 +77,6 @@ values: name: providers/0-org-setup-ro-providers.tf retention: [] source: null - source_md5hash: 2a0bbb00e4b7f1454a50ac7f26c23c05 temporary_hold: null timeouts: null google_storage_bucket_object.providers["1-vpcsc"]: @@ -112,7 +110,6 @@ values: name: providers/1-vpcsc-providers.tf retention: [] source: null - source_md5hash: d2df90abc46524d941227a1dec12dd86 temporary_hold: null timeouts: null google_storage_bucket_object.providers["2-networking"]: @@ -146,7 +143,6 @@ values: name: providers/2-networking-providers.tf retention: [] source: null - source_md5hash: a724885c3dcc9850116aca1ef4d4fc5a temporary_hold: null timeouts: null google_storage_bucket_object.providers["2-project-factory"]: @@ -180,7 +176,6 @@ values: name: providers/2-project-factory-providers.tf retention: [] source: null - source_md5hash: 165844578c46bc04c4581139c8b8b8d4 temporary_hold: null timeouts: null google_storage_bucket_object.providers["2-security"]: 
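Review bot: The new output mixes naming styles: the output itself is snake_case (`service_agents`, matching `service_accounts` just above) but the per-agent map uses camelCase `iamEmail` next to `email`; the README table in this commit lists the sibling output as `service_account_iam_emails`, so `iam_email` would be the consistent spelling. The `trimprefix(k, "service_agents/")` presumably relies on every key in `local.projects_service_agents` carrying that prefix — a one-line comment, `# keys are "service_agents/<name>" as built in locals`, would save the next reader a lookup, and is worth confirming against the locals definition, which is outside this hunk.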
@@ -214,7 +209,6 @@ values: name: providers/2-security-providers.tf retention: [] source: null - source_md5hash: 5969d3e40a61a42d849a81417a6a84eb temporary_hold: null timeouts: null google_storage_bucket_object.tfvars["globals"]: @@ -234,7 +228,6 @@ values: name: tfvars/0-globals.auto.tfvars.json retention: [] source: null - source_md5hash: cdbf79d3eff8bced040e5deccf39d765 temporary_hold: null timeouts: null google_storage_bucket_object.tfvars["org-setup"]: @@ -271,7 +264,6 @@ values: name: versions/0-org-setup-version.txt retention: [] source: fast_version.txt - source_md5hash: bd0ef4e3857492f0215774bdcb2f3dc7 temporary_hold: null timeouts: null google_storage_bucket_object.workflows["org-setup"]: @@ -385,7 +377,6 @@ values: name: workflows/org-setup.yaml retention: [] source: null - source_md5hash: e5dc153b195e936b1c81bc33db1935c7 temporary_hold: null timeouts: null local_file.providers["0-org-setup"]: diff --git a/tests/modules/cloud_run_v2/examples/iap.yaml b/tests/modules/cloud_run_v2/examples/iap.yaml index 38b07ab30..8ce494084 100644 --- a/tests/modules/cloud_run_v2/examples/iap.yaml +++ b/tests/modules/cloud_run_v2/examples/iap.yaml @@ -16,7 +16,6 @@ values: module.cloud_run.google_cloud_run_v2_service.service[0]: iap_enabled: true invoker_iam_disabled: false - launch_stage: BETA location: europe-west8 name: example-hello project: project-id diff --git a/tests/modules/organization/examples/logging-iam-external.yaml b/tests/modules/organization/examples/logging-iam-external.yaml new file mode 100644 index 000000000..5d7fe003e --- /dev/null +++ b/tests/modules/organization/examples/logging-iam-external.yaml 
@@ -0,0 +1,47 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.log-bucket-0.google_logging_project_bucket_config.bucket[0]: + bucket_id: audit-0 + location: global + project: project-id + retention_days: 30 + module.log-bucket-1.google_logging_project_bucket_config.bucket[0]: + bucket_id: audit-1 + location: global + project: project-id + retention_days: 30 + module.org.google_logging_organization_sink.sink["audit-0"]: + filter: severity=NOTICE + include_children: true + name: audit-0 + org_id: '1122334455' + module.org.google_logging_organization_sink.sink["audit-1"]: + filter: severity=WARNING + include_children: true + name: audit-1 + org_id: '1122334455' + google_project_iam_member.log-bucket-writer: + project: project-id + role: roles/logging.bucketWriter + condition: + - title: log_bucket_writer + +counts: + google_logging_organization_sink: 2 + google_logging_project_bucket_config: 2 + google_project_iam_member: 1 + modules: 3 + resources: 5
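Review bot: The fixture for `google_project_iam_member.log-bucket-writer` only pins `title` under `condition`, so a regression in the joined CEL `expression` from the README example — the part that actually scopes `roles/logging.bucketWriter` to the two buckets — would pass this test unnoticed. If the bucket ids are known at plan time, add `expression` alongside `title`; if they are not, a short comment such as `# expression and member are computed at apply time and cannot be asserted here` documents why the check is weaker than it looks.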