Merge branch 'master' into lcaggio/dp-projectcreate

fast/stages-multitenant/1-resman-tenant/branch-sandbox.tf

@@ -28,8 +28,8 @@ module "branch-sandbox-folder" {
     "roles/resourcemanager.projectCreator" = [local.automation_sas_iam.sandbox]
   }
   org_policies = {
-    "constraints/sql.restrictPublicIp"       = { enforce = false }
-    "constraints/compute.vmExternalIpAccess" = { allow = { all = true } }
+    "sql.restrictPublicIp"       = { rules = [{ enforce = false }] }
+    "compute.vmExternalIpAccess" = { rules = [{ allow = { all = true } }] }
   }
   tag_bindings = {
     context = var.tags.values["${var.tags.names.context}/sandbox"]

fast/stages-multitenant/1-resman-tenant/data/org-policies/compute.yaml

@@ -3,71 +3,90 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 compute.disableGuestAttributesAccess:
-  enforce: true
+  rules:
+  - enforce: true
 
 compute.requireOsLogin:
-  enforce: true
+  rules:
+  - enforce: true
 
 compute.restrictLoadBalancerCreationForTypes:
-  allow:
-    values:
-    - in:INTERNAL
+  rules:
+  - allow:
+      values:
+      - in:INTERNAL
 
 compute.skipDefaultNetworkCreation:
-  enforce: true
+  rules:
+  - enforce: true
 
 compute.vmExternalIpAccess:
-  deny:
-    all: true
+  rules:
+  - deny:
+      all: true
 
 
 # compute.disableInternetNetworkEndpointGroup:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.disableNestedVirtualization:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.disableSerialPortAccess:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.restrictCloudNATUsage:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictDedicatedInterconnectUsage:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictPartnerInterconnectUsage:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictProtocolForwardingCreationForTypes:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictSharedVpcHostProjects:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictSharedVpcSubnetworks:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictVpcPeering:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictVpnPeerIPs:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictXpnProjectLienRemoval:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.setNewProjectDefaultToZonalDNSOnly:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.vmCanIpForward:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true

fast/stages-multitenant/1-resman-tenant/data/org-policies/iam.yaml

@@ -3,10 +3,13 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 iam.automaticIamGrantsForDefaultServiceAccounts:
-  enforce: true
+  rules:
+  - enforce: true
 
 iam.disableServiceAccountKeyCreation:
-  enforce: true
+  rules:
+  - enforce: true
 
 iam.disableServiceAccountKeyUpload:
-  enforce: true
+  rules:
+  - enforce: true

fast/stages-multitenant/1-resman-tenant/data/org-policies/serverless.yaml

@@ -3,24 +3,29 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 run.allowedIngress:
-  allow:
-    values:
-    - is:internal
+  rules:
+  - allow:
+      values:
+      - is:internal
 
 # run.allowedVPCEgress:
-#   allow:
-#     values:
+#   rules:
+#   - allow:
+#       values:
 #       - is:private-ranges-only
 
 # cloudfunctions.allowedIngressSettings:
-#   allow:
-#     values:
-#     - is:ALLOW_INTERNAL_ONLY
+#   rules:
+#   - allow:
+#       values:
+#       - is:ALLOW_INTERNAL_ONLY
 
 # cloudfunctions.allowedVpcConnectorEgressSettings:
-#   allow:
-#     values:
-#     - is:PRIVATE_RANGES_ONLY
+#   rules:
+#   - allow:
+#       values:
+#       - is:PRIVATE_RANGES_ONLY
 
 # cloudfunctions.requireVPCConnector:
-#   enforce: true
+#   rules:
+#   - enforce: true

fast/stages-multitenant/1-resman-tenant/data/org-policies/sql.yaml

@@ -3,7 +3,9 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 sql.restrictAuthorizedNetworks:
-  enforce: true
+  rules:
+  - enforce: true
 
 sql.restrictPublicIp:
-  enforce: true
+  rules:
+  - enforce: true

fast/stages-multitenant/1-resman-tenant/data/org-policies/storage.yaml

@@ -3,4 +3,5 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 storage.uniformBucketLevelAccess:
-  enforce: true
+  rules:
+  - enforce: true

fast/stages/0-bootstrap/README.md

@@ -452,7 +452,10 @@ The remaining configuration is manual, as it regards the repositories themselves
   - edit the modules source to match your modules repository
     - a simple way is using the "Replace in files" function of your editor
       - search for `source\s*= "../../../modules/([^"]+)"`
-      - replace with `source = "git@github.com:my-org/fast-modules.git//$1?ref=v1.0"`
+      - replace with:
+        - modules stored on GitHub: `source = "git@github.com:my-org/fast-modules.git//$1?ref=v1.0"`
+        - modules stored on Gitlab: `source = "git::ssh://git@gitlab.com/my-org/fast-modules.git//$1?ref=v1.0"`
+        - modules stored on Source Repositories: `source = git::https://source.developers.google.com/p/my-project/r/my-repository//$1?ref=v1.0"`. You may need to run `git config --global credential.'https://source.developers.google.com'.helper gcloud.sh` first as documented [here](https://cloud.google.com/source-repositories/docs/adding-repositories-as-remotes#add_the_repository_as_a_remote)
   - copy the generated workflow file for the stage from the GCS output files bucket or from the local clone if enabled
     - for GitHub, place it in a `.github/workflows` folder in the repository root
     - for Gitlab, rename it to `.gitlab-ci.yml` and place it in the repository root

fast/stages/1-resman/branch-sandbox.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,8 +33,8 @@ module "branch-sandbox-folder" {
     "roles/resourcemanager.projectCreator" = [module.branch-sandbox-sa.0.iam_email]
   }
   org_policies = {
-    "constraints/sql.restrictPublicIp"       = { enforce = false }
-    "constraints/compute.vmExternalIpAccess" = { allow = { all = true } }
+    "sql.restrictPublicIp"       = { rules = [{ enforce = false }] }
+    "compute.vmExternalIpAccess" = { rules = [{ allow = { all = true } }] }
   }
   tag_bindings = {
     context = try(

fast/stages/1-resman/data/org-policies/compute.yaml

@@ -3,71 +3,90 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 compute.disableGuestAttributesAccess:
-  enforce: true
+  rules:
+  - enforce: true
 
 compute.requireOsLogin:
-  enforce: true
+  rules:
+  - enforce: true
 
 compute.restrictLoadBalancerCreationForTypes:
-  allow:
-    values:
-    - in:INTERNAL
+  rules:
+  - allow:
+      values:
+      - in:INTERNAL
 
 compute.skipDefaultNetworkCreation:
-  enforce: true
+  rules:
+  - enforce: true
 
 compute.vmExternalIpAccess:
-  deny:
-    all: true
+  rules:
+  - deny:
+      all: true
 
 
 # compute.disableInternetNetworkEndpointGroup:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.disableNestedVirtualization:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.disableSerialPortAccess:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.restrictCloudNATUsage:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictDedicatedInterconnectUsage:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictPartnerInterconnectUsage:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictProtocolForwardingCreationForTypes:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictSharedVpcHostProjects:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictSharedVpcSubnetworks:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictVpcPeering:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictVpnPeerIPs:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictXpnProjectLienRemoval:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.setNewProjectDefaultToZonalDNSOnly:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.vmCanIpForward:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true

fast/stages/1-resman/data/org-policies/iam.yaml

@@ -3,10 +3,13 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 iam.automaticIamGrantsForDefaultServiceAccounts:
-  enforce: true
+  rules:
+  - enforce: true
 
 iam.disableServiceAccountKeyCreation:
-  enforce: true
+  rules:
+  - enforce: true
 
 iam.disableServiceAccountKeyUpload:
-  enforce: true
+  rules:
+  - enforce: true

fast/stages/1-resman/data/org-policies/serverless.yaml

@@ -3,24 +3,29 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 run.allowedIngress:
-  allow:
-    values:
-    - is:internal
+  rules:
+  - allow:
+      values:
+      - is:internal
 
 # run.allowedVPCEgress:
-#   allow:
-#     values:
+#   rules:
+#   - allow:
+#       values:
 #       - is:private-ranges-only
 
 # cloudfunctions.allowedIngressSettings:
-#   allow:
-#     values:
-#     - is:ALLOW_INTERNAL_ONLY
+#   rules:
+#   - allow:
+#       values:
+#       - is:ALLOW_INTERNAL_ONLY
 
 # cloudfunctions.allowedVpcConnectorEgressSettings:
-#   allow:
-#     values:
-#     - is:PRIVATE_RANGES_ONLY
+#   rules:
+#   - allow:
+#       values:
+#       - is:PRIVATE_RANGES_ONLY
 
 # cloudfunctions.requireVPCConnector:
-#   enforce: true
+#   rules:
+#   - enforce: true

fast/stages/1-resman/data/org-policies/sql.yaml

@@ -3,7 +3,9 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 sql.restrictAuthorizedNetworks:
-  enforce: true
+  rules:
+  - enforce: true
 
 sql.restrictPublicIp:
-  enforce: true
+  rules:
+  - enforce: true

fast/stages/1-resman/data/org-policies/storage.yaml

@@ -3,4 +3,5 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 storage.uniformBucketLevelAccess:
-  enforce: true
+  rules:
+  - enforce: true

fast/stages/1-resman/organization.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -68,7 +68,11 @@ module "organization" {
 
   # sample subset of useful organization policies, edit to suit requirements
   org_policies = {
-    "iam.allowedPolicyMemberDomains" = { allow = { values = local.all_drs_domains } }
+    "iam.allowedPolicyMemberDomains" = {
+      rules = [
+        { allow = { values = local.all_drs_domains } }
+      ]
+    }
 
     #"gcp.resourceLocations" = {
     #   allow = { values = local.allowed_regions }

fast/stages/3-project-factory/dev/data/projects/project.yaml.sample

@@ -48,15 +48,18 @@ labels:
 
 # [opt] Org policy overrides defined at project level
 org_policies:
-  constraints/compute.disableGuestAttributesAccess:
-    enforce: true
-  constraints/compute.trustedImageProjects:
-    allow:
-      values:
+  compute.disableGuestAttributesAccess:
+    rules:
+    - enforce: true
+  compute.trustedImageProjects:
+    rules:
+    - allow:
+        values:
         - projects/fast-dev-iac-core-0
-  constraints/compute.vmExternalIpAccess:
-    deny:
-      all: true
+  compute.vmExternalIpAccess:
+    rules:
+      - deny:
+          all: true
 
 # [opt] Service account to create for the project and their roles on the project
 # in name => [roles] format