diff --git a/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package-lock.json b/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package-lock.json
index 7bd0165e2..2be218908 100644
--- a/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package-lock.json
+++ b/blueprints/apigee/apigee-x-foundations/functions/instance-monitor/package-lock.json
@@ -586,6 +586,17 @@
"npm": "1.2.8000 || >= 1.4.16"
}
},
+ "node_modules/brace-expansion": {
+ "version": "1.1.12",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+ "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+ "license": "MIT",
+ "optional": true,
+ "dependencies": {
+ "balanced-match": "^1.0.0",
+ "concat-map": "0.0.1"
+ }
+ },
"node_modules/buffer-equal-constant-time": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz",
@@ -634,6 +645,19 @@
"url": "https://github.com/sponsors/ljharb"
}
},
+ "node_modules/call-bind-apply-helpers": {
+ "version": "1.0.2",
+ "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+ "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+ "license": "MIT",
+ "dependencies": {
+ "es-errors": "^1.3.0",
+ "function-bind": "^1.1.2"
+ },
+ "engines": {
+ "node": ">= 0.4"
+ }
+ },
"node_modules/chalk": {
"version": "2.4.2",
"resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
@@ -814,6 +838,20 @@
"node": ">=0.10"
}
},
+ "node_modules/dunder-proto": {
+ "version": "1.0.1",
+ "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+ "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+ "license": "MIT",
+ "dependencies": {
+ "call-bind-apply-helpers": "^1.0.1",
+ "es-errors": "^1.3.0",
+ "gopd": "^1.2.0"
+ },
+ "engines": {
+ "node": ">= 0.4"
+ }
+ },
"node_modules/duplexify": {
"version": "4.1.3",
"resolved": "https://registry.npmjs.org/duplexify/-/duplexify-4.1.3.tgz",
@@ -868,12 +906,10 @@
}
},
"node_modules/es-define-property": {
- "version": "1.0.0",
- "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.0.tgz",
- "integrity": "sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ==",
- "dependencies": {
- "get-intrinsic": "^1.2.4"
- },
+ "version": "1.0.1",
+ "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+ "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+ "license": "MIT",
"engines": {
"node": ">= 0.4"
}
@@ -886,6 +922,33 @@
"node": ">= 0.4"
}
},
+ "node_modules/es-object-atoms": {
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+ "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+ "license": "MIT",
+ "dependencies": {
+ "es-errors": "^1.3.0"
+ },
+ "engines": {
+ "node": ">= 0.4"
+ }
+ },
+ "node_modules/es-set-tostringtag": {
+ "version": "2.1.0",
+ "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+ "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
+ "license": "MIT",
+ "dependencies": {
+ "es-errors": "^1.3.0",
+ "get-intrinsic": "^1.2.6",
+ "has-tostringtag": "^1.0.2",
+ "hasown": "^2.0.2"
+ },
+ "engines": {
+ "node": ">= 0.4"
+ }
+ },
"node_modules/escalade": {
"version": "3.1.2",
"resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.2.tgz",
@@ -1027,13 +1090,17 @@
}
},
"node_modules/form-data": {
- "version": "2.5.1",
- "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.1.tgz",
- "integrity": "sha512-m21N3WOmEEURgk6B9GLOE4RuWOFf28Lhh9qGYeNlGq4VDXUlJy2th2slBNU8Gp8EzloYZOibZJ7t5ecIrFSjVA==",
+ "version": "2.5.5",
+ "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.5.tgz",
+ "integrity": "sha512-jqdObeR2rxZZbPSGL+3VckHMYtu+f9//KXBsVny6JSX/pa38Fy+bGjuG8eW/H6USNQWhLi8Num++cU2yOCNz4A==",
+ "license": "MIT",
"dependencies": {
"asynckit": "^0.4.0",
- "combined-stream": "^1.0.6",
- "mime-types": "^2.1.12"
+ "combined-stream": "^1.0.8",
+ "es-set-tostringtag": "^2.1.0",
+ "hasown": "^2.0.2",
+ "mime-types": "^2.1.35",
+ "safe-buffer": "^5.2.1"
},
"engines": {
"node": ">= 0.12"
@@ -1111,15 +1178,21 @@
}
},
"node_modules/get-intrinsic": {
- "version": "1.2.4",
- "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.4.tgz",
- "integrity": "sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ==",
+ "version": "1.3.0",
+ "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+ "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+ "license": "MIT",
"dependencies": {
+ "call-bind-apply-helpers": "^1.0.2",
+ "es-define-property": "^1.0.1",
"es-errors": "^1.3.0",
+ "es-object-atoms": "^1.1.1",
"function-bind": "^1.1.2",
- "has-proto": "^1.0.1",
- "has-symbols": "^1.0.3",
- "hasown": "^2.0.0"
+ "get-proto": "^1.0.1",
+ "gopd": "^1.2.0",
+ "has-symbols": "^1.1.0",
+ "hasown": "^2.0.2",
+ "math-intrinsics": "^1.1.0"
},
"engines": {
"node": ">= 0.4"
@@ -1128,6 +1201,19 @@
"url": "https://github.com/sponsors/ljharb"
}
},
+ "node_modules/get-proto": {
+ "version": "1.0.1",
+ "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+ "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+ "license": "MIT",
+ "dependencies": {
+ "dunder-proto": "^1.0.1",
+ "es-object-atoms": "^1.0.0"
+ },
+ "engines": {
+ "node": ">= 0.4"
+ }
+ },
"node_modules/google-auth-library": {
"version": "9.10.0",
"resolved": "https://registry.npmjs.org/google-auth-library/-/google-auth-library-9.10.0.tgz",
@@ -1179,11 +1265,12 @@
}
},
"node_modules/gopd": {
- "version": "1.0.1",
- "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.0.1.tgz",
- "integrity": "sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==",
- "dependencies": {
- "get-intrinsic": "^1.1.3"
+ "version": "1.2.0",
+ "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+ "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+ "license": "MIT",
+ "engines": {
+ "node": ">= 0.4"
},
"funding": {
"url": "https://github.com/sponsors/ljharb"
@@ -1231,21 +1318,11 @@
"url": "https://github.com/sponsors/ljharb"
}
},
- "node_modules/has-proto": {
- "version": "1.0.1",
- "resolved": "https://registry.npmjs.org/has-proto/-/has-proto-1.0.1.tgz",
- "integrity": "sha512-7qE+iP+O+bgF9clE5+UoBFzE65mlBiVj3tKCrlNQ0Ogwm0BjpT/gK4SlLYDMybDh5I3TCTKnPPa0oMG7JDYrhg==",
- "engines": {
- "node": ">= 0.4"
- },
- "funding": {
- "url": "https://github.com/sponsors/ljharb"
- }
- },
"node_modules/has-symbols": {
- "version": "1.0.3",
- "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.3.tgz",
- "integrity": "sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==",
+ "version": "1.1.0",
+ "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+ "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+ "license": "MIT",
"engines": {
"node": ">= 0.4"
},
@@ -1254,11 +1331,12 @@
}
},
"node_modules/has-tostringtag": {
- "version": "1.0.0",
- "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.0.tgz",
- "integrity": "sha512-kFjcSNhnlGV1kyoGk7OXKSawH5JOb/LzUc5w9B02hOTO0dfFRjbHQKvg1d6cf3HbeUmtU9VbbV3qzZ2Teh97WQ==",
+ "version": "1.0.2",
+ "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
+ "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
+ "license": "MIT",
"dependencies": {
- "has-symbols": "^1.0.2"
+ "has-symbols": "^1.0.3"
},
"engines": {
"node": ">= 0.4"
@@ -1601,6 +1679,15 @@
"node": ">=10"
}
},
+ "node_modules/math-intrinsics": {
+ "version": "1.1.0",
+ "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+ "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+ "license": "MIT",
+ "engines": {
+ "node": ">= 0.4"
+ }
+ },
"node_modules/media-typer": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
@@ -1691,16 +1778,6 @@
"node": ">=0.8.0"
}
},
- "node_modules/mv/node_modules/brace-expansion": {
- "version": "1.1.11",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
- "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==",
- "optional": true,
- "dependencies": {
- "balanced-match": "^1.0.0",
- "concat-map": "0.0.1"
- }
- },
"node_modules/mv/node_modules/glob": {
"version": "6.0.4",
"resolved": "https://registry.npmjs.org/glob/-/glob-6.0.4.tgz",
diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker/go.mod b/blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker/go.mod
index f2d940b54..f24844eac 100644
--- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker/go.mod
+++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker/go.mod
@@ -1,6 +1,7 @@
module example.com/healthckecker
-go 1.16
+go 1.23.0
+
toolchain go1.24.1
require (
@@ -10,8 +11,7 @@ require (
require (
cloud.google.com/go v0.110.0 // indirect
- cloud.google.com/go/compute v1.19.1 // indirect
- cloud.google.com/go/compute/metadata v0.2.3 // indirect
+ cloud.google.com/go/compute/metadata v0.3.0 // indirect
cloud.google.com/go/iam v0.13.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.3 // indirect
@@ -21,10 +21,10 @@ require (
github.com/googleapis/gax-go/v2 v2.7.1 // indirect
go.opencensus.io v0.24.0 // indirect
golang.org/x/net v0.38.0 // indirect
- golang.org/x/oauth2 v0.7.0 // indirect
- golang.org/x/sync v0.11.0 // indirect
- golang.org/x/sys v0.30.0 // indirect
- golang.org/x/text v0.22.0 // indirect
+ golang.org/x/oauth2 v0.27.0 // indirect
+ golang.org/x/sync v0.12.0 // indirect
+ golang.org/x/sys v0.31.0 // indirect
+ golang.org/x/text v0.23.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
google.golang.org/grpc v1.56.3 // indirect
diff --git a/blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker/go.sum b/blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker/go.sum
index 6dd7dbc5b..35917ec13 100644
--- a/blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker/go.sum
+++ b/blueprints/cloud-operations/unmanaged-instances-healthcheck/function/healthchecker/go.sum
@@ -1,10 +1,8 @@
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
-cloud.google.com/go/compute v1.19.1 h1:am86mquDUgjGNWxiGn+5PGLbmgiWXlE/yNWpIpNvuXY=
-cloud.google.com/go/compute v1.19.1/go.mod h1:6ylj3a05WF8leseCdIf77NK0g1ey+nj5IKd5/kvShxE=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k=
cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
cloud.google.com/go/kms v1.10.1 h1:7hm1bRqGCA1GBRQUrp831TwJ9TWhP+tvLuP497CQS2g=
@@ -80,27 +78,27 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
-golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
-golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index ea11baedc..8e11db17f 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -662,7 +662,7 @@ FAST defines a simple mechanism to extend stage functionality via the use of [ad
| name | description | modules | resources |
|---|---|---|---|
| [automation.tf](./automation.tf) | Automation project and resources. | gcs · iam-service-account · project | |
-| [billing.tf](./billing.tf) | Billing export project and dataset. | bigquery-dataset · project | google_billing_account_iam_member |
+| [billing.tf](./billing.tf) | Billing export project and dataset. | bigquery-dataset · billing-account · logging-bucket · project | |
| [cicd.tf](./cicd.tf) | CI/CD locals and resources. | iam-service-account | |
| [identity-providers-wfif-defs.tf](./identity-providers-wfif-defs.tf) | Workforce Identity provider definitions. | | |
| [identity-providers-wfif.tf](./identity-providers-wfif.tf) | Workforce Identity Federation provider definitions. | | google_iam_workforce_pool · google_iam_workforce_pool_provider |
@@ -683,29 +683,29 @@ FAST defines a simple mechanism to extend stage functionality via the use of [ad
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
-| [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | |
-| [organization](variables.tf#L281) | Organization details. | object({…}) | ✓ | | |
-| [prefix](variables.tf#L296) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
-| [bootstrap_user](variables.tf#L38) | Email of the nominal user running this stage for the first time. | string | | null | |
-| [cicd_config](variables.tf#L44) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | {} | |
-| [custom_roles](variables.tf#L85) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | |
-| [environments](variables.tf#L92) | Environment names. When not defined, short name is set to the key and tag name to lower(name). | map(object({…})) | | {…} | |
-| [essential_contacts](variables.tf#L132) | Email used for essential contacts, unset if null. | string | | null | |
-| [factories_config](variables.tf#L138) | Configuration for the resource factories or external data. | object({…}) | | {} | |
+| [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | |
+| [organization](variables.tf#L282) | Organization details. | object({…}) | ✓ | | |
+| [prefix](variables.tf#L297) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
+| [bootstrap_user](variables.tf#L39) | Email of the nominal user running this stage for the first time. | string | | null | |
+| [cicd_config](variables.tf#L45) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | {} | |
+| [custom_roles](variables.tf#L86) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | |
+| [environments](variables.tf#L93) | Environment names. When not defined, short name is set to the key and tag name to lower(name). | map(object({…})) | | {…} | |
+| [essential_contacts](variables.tf#L133) | Email used for essential contacts, unset if null. | string | | null | |
+| [factories_config](variables.tf#L139) | Configuration for the resource factories or external data. | object({…}) | | {} | |
| [fast_addon](variables-addons.tf#L17) | FAST addons configurations for stages 1. Keys are used as short names for the add-on resources. | map(object({…})) | | {} | |
-| [groups](variables.tf#L150) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | |
-| [iam](variables.tf#L167) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | |
-| [iam_bindings_additive](variables.tf#L174) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | |
-| [iam_by_principals](variables.tf#L189) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | |
-| [locations](variables.tf#L196) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | |
-| [log_sinks](variables.tf#L210) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
-| [org_policies_config](variables.tf#L266) | Organization policies customization. | object({…}) | | {} | |
-| [outputs_location](variables.tf#L290) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [project_parent_ids](variables.tf#L305) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | |
-| [resource_names](variables.tf#L316) | Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type. | object({…}) | | {} | |
-| [universe](variables.tf#L348) | Target GCP universe. | object({…}) | | null | |
-| [workforce_identity_providers](variables.tf#L358) | Workforce Identity Federation pools. | map(object({…})) | | {} | |
-| [workload_identity_providers](variables.tf#L374) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | |
+| [groups](variables.tf#L151) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | |
+| [iam](variables.tf#L168) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | |
+| [iam_bindings_additive](variables.tf#L175) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | |
+| [iam_by_principals](variables.tf#L190) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | |
+| [locations](variables.tf#L197) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | |
+| [log_sinks](variables.tf#L211) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
+| [org_policies_config](variables.tf#L267) | Organization policies customization. | object({…}) | | {} | |
+| [outputs_location](variables.tf#L291) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
+| [project_parent_ids](variables.tf#L306) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | |
+| [resource_names](variables.tf#L317) | Resource names overrides for specific resources. Prefix is always set via code, except where noted in the variable type. | object({…}) | | {} | |
+| [universe](variables.tf#L349) | Target GCP universe. | object({…}) | | null | |
+| [workforce_identity_providers](variables.tf#L359) | Workforce Identity Federation pools. | map(object({…})) | | {} | |
+| [workload_identity_providers](variables.tf#L375) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | |
## Outputs
diff --git a/fast/stages/0-bootstrap/billing.tf b/fast/stages/0-bootstrap/billing.tf
index bb5a25be3..1d8892627 100644
--- a/fast/stages/0-bootstrap/billing.tf
+++ b/fast/stages/0-bootstrap/billing.tf
@@ -17,22 +17,41 @@
# tfdoc:file:description Billing export project and dataset.
locals {
- # used here for convenience, in organization.tf members are explicit
- billing_ext_admins = [
- local.principals.gcp-billing-admins,
- local.principals.gcp-organization-admins,
- module.automation-tf-bootstrap-sa.iam_email,
- module.automation-tf-resman-sa.iam_email
- ]
- billing_ext_viewers = [
- module.automation-tf-bootstrap-r-sa.iam_email,
- module.automation-tf-resman-r-sa.iam_email
- ]
billing_mode = (
var.billing_account.no_iam
? null
: var.billing_account.is_org_level ? "org" : "resource"
)
+
+ _billing_iam_bindings = {
+ "roles/billing.admin" = [
+ local.principals.gcp-billing-admins,
+ local.principals.gcp-organization-admins,
+ module.automation-tf-bootstrap-sa.iam_email,
+ module.automation-tf-resman-sa.iam_email
+ ],
+ "roles/billing.viewer" = [
+ module.automation-tf-bootstrap-r-sa.iam_email,
+ module.automation-tf-resman-r-sa.iam_email
+ ],
+ "roles/logging.configWriter" = local.billing_mode == "org" || !var.billing_account.force_create.log_bucket ? [] : [
+ module.automation-tf-bootstrap-sa.iam_email
+ ]
+ }
+
+ _billing_iam_bindings_add = flatten([for role, bindings in local._billing_iam_bindings : [
+ for member in bindings : {
+ member = member,
+ role = role
+ }
+ ]])
+
+ billing_iam_bindings_additive = {
+ for b in local._billing_iam_bindings_add : "${b.role}-${b.member}" => {
+ member = b.member
+ role = b.role
+ }
+ }
}
# billing account in same org (IAM is in the organization.tf file)
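Review bot: The `roles/logging.configWriter` entry in `_billing_iam_bindings` puts an unparenthesised `a || !b ? [] : [...]` condition on one line with no comment, and the comment that explained the old admin/viewer lists was removed without a replacement. I would parenthesise the condition, `"roles/logging.configWriter" = (local.billing_mode == "org" || !var.billing_account.force_create.log_bucket) ? [] : [`, and put a line above it such as `# presumably lets the bootstrap SA manage the billing account log sink`, with the reason confirmed by the author. A one-line comment on the map saying these bindings are only handed to the `billing-account` module would also help, because `roles/billing.admin` is a broad grant and a reader should see where it lands without tracing three locals. The `locals` block opens outside this hunk.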
@@ -81,20 +100,28 @@ module "billing-export-dataset" {
# standalone billing account
-resource "google_billing_account_iam_member" "billing_ext_admin" {
- for_each = toset(
- local.billing_mode == "resource" ? local.billing_ext_admins : []
- )
- billing_account_id = var.billing_account.id
- role = "roles/billing.admin"
- member = each.key
+module "billing-account-logbucket" {
+ source = "../../../modules/logging-bucket"
+ count = local.billing_mode == "resource" && var.billing_account.force_create.log_bucket ? 1 : 0
+ parent_type = "project"
+ parent = module.log-export-project.project_id
+ id = "billing-account"
+ location = local.locations.logging
+ log_analytics = { enable = true }
+ # org-level logging settings ready before we create any logging buckets
+ depends_on = [module.organization-logging]
}
-resource "google_billing_account_iam_member" "billing_ext_viewer" {
- for_each = toset(
- local.billing_mode == "resource" ? local.billing_ext_viewers : []
- )
- billing_account_id = var.billing_account.id
- role = "roles/billing.viewer"
- member = each.key
-}
+module "billing-account" {
+ source = "../../../modules/billing-account"
+ count = local.billing_mode == "resource" ? 1 : 0
+ id = var.billing_account.id
+ iam_bindings_additive = local.billing_iam_bindings_additive
+ logging_sinks = !var.billing_account.force_create.log_bucket ? {} : {
+ billing_bucket_log_sink = {
+ destination = module.billing-account-logbucket[0].id
+ type = "logging"
+ description = "billing-account sink (Terraform-managed)."
+ }
+ }
+}
\ No newline at end of file
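Review bot: `module.billing-account-logbucket[0].id` in `logging_sinks` is guarded only by `force_create.log_bucket`, while the bucket's own `count` also requires `local.billing_mode == "resource"`; the index is safe only as long as the `billing-account` module keeps its matching `count`. A single local used in both places, e.g. `billing_log_bucket = local.billing_mode == "resource" && var.billing_account.force_create.log_bucket` with `logging_sinks = local.billing_log_bucket ? { ... } : {}`, would stop the two conditions drifting apart. The sink has no `filter` and the bucket call sets no retention period, so every billing account log entry is routed and kept for whatever the logging-bucket module defaults to; if these logs are meant as audit evidence, stating the retention explicitly is worth it. The file also now ends without a trailing newline.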
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 8ba6c0d54..fec2f8a8f 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -19,8 +19,9 @@ variable "billing_account" {
type = object({
id = string
force_create = optional(object({
- dataset = optional(bool, false)
- project = optional(bool, false)
+ dataset = optional(bool, false)
+ project = optional(bool, false)
+ log_bucket = optional(bool, false)
}), {})
is_org_level = optional(bool, true)
no_iam = optional(bool, false)
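Review bot: `log_bucket` is added to `force_create` but the variable description does not mention it. In billing.tf it only takes effect when `billing_mode` is "resource", so with `is_org_level = true` (the default) or `no_iam = true` the flag is silently ignored. I would extend the description with a sentence like `Set force_create.log_bucket to true to route the logs of a standalone billing account (is_org_level = false) to a log bucket.` so the generated README table carries it. A `validation` block with `condition = !(var.billing_account.force_create.log_bucket && var.billing_account.is_org_level)` would turn the silent no-op into a plan-time error. The variable block starts and ends outside this hunk.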
diff --git a/tests/fast/stages/s0_bootstrap/cicd.yaml b/tests/fast/stages/s0_bootstrap/cicd.yaml
index ef9e69d1c..0fd6b0dbf 100644
--- a/tests/fast/stages/s0_bootstrap/cicd.yaml
+++ b/tests/fast/stages/s0_bootstrap/cicd.yaml
@@ -2556,6 +2556,7 @@ outputs:
force_create:
dataset: false
project: false
+ log_bucket: false
id: 000000-111111-222222
is_org_level: true
no_iam: false
diff --git a/tests/fast/stages/s0_bootstrap/external_billing_account.tfvars b/tests/fast/stages/s0_bootstrap/external_billing_account.tfvars
new file mode 100644
index 000000000..6fbca686e
--- /dev/null
+++ b/tests/fast/stages/s0_bootstrap/external_billing_account.tfvars
@@ -0,0 +1,23 @@
+billing_account = {
+ id = "000000-111111-222222"
+ is_org_level = false
+ force_create = {
+ dataset = true
+ project = true
+ log_bucket = true
+ }
+}
+essential_contacts = "gcp-organization-admins@fast.example.com"
+groups = {
+ gcp-support = "group:gcp-support@example.com"
+}
+org_policies_config = {
+ import_defaults = false
+}
+organization = {
+ domain = "fast.example.com"
+ id = 123456789012
+ customer_id = "C00000000"
+}
+outputs_location = "/fast-config"
+prefix = "fast"
diff --git a/tests/fast/stages/s0_bootstrap/external_billing_account.yaml b/tests/fast/stages/s0_bootstrap/external_billing_account.yaml
new file mode 100644
index 000000000..c8ddff64b
--- /dev/null
+++ b/tests/fast/stages/s0_bootstrap/external_billing_account.yaml
@@ -0,0 +1,2172 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]:
+ project: fast-prod-iac-core-0
+ module.automation-project.data.google_storage_project_service_account.gcs_sa[0]:
+ project: fast-prod-iac-core-0
+ user_project: null
+ module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
+ email: gcp-organization-admins@fast.example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/fast-prod-iac-core-0
+ timeouts: null
+ module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
+ dry_run_spec: []
+ name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation
+ parent: projects/fast-prod-iac-core-0
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
+ dry_run_spec: []
+ name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts
+ parent: projects/fast-prod-iac-core-0
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
+ dry_run_spec: []
+ name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation
+ parent: projects/fast-prod-iac-core-0
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.automation-project.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
+ dry_run_spec: []
+ name: projects/fast-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders
+ parent: projects/fast-prod-iac-core-0
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values:
+ - https://token.actions.githubusercontent.com
+ - https://gitlab.com
+ - https://app.terraform.io
+ denied_values: null
+ timeouts: null
+ module.automation-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ folder_id: null
+ labels: null
+ name: fast-prod-iac-core-0
+ org_id: '123456789012'
+ project_id: fast-prod-iac-core-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]:
+ audit_log_config:
+ - exempted_members: []
+ log_type: ADMIN_READ
+ project: fast-prod-iac-core-0
+ service: iam.googleapis.com
+ module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: organizations/123456789012/roles/storageViewer
+ module.automation-project.google_project_iam_binding.authoritative["roles/browser"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/browser
+ module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/cloudbuild.builds.editor
+ module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/cloudbuild.builds.viewer
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]:
+ condition: []
+ members:
+ - group:gcp-devops@fast.example.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.serviceAccountAdmin
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members:
+ - group:gcp-devops@fast.example.com
+ - group:gcp-organization-admins@fast.example.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.serviceAccountTokenCreator
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.serviceAccountViewer
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.workloadIdentityPoolAdmin
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.workloadIdentityPoolViewer
+ module.automation-project.google_project_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/owner
+ module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/source.admin
+ module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/source.reader
+ module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/storage.admin
+ module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/viewer
+ module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]:
+ condition:
+ - description: Resource manager service account delegated grant.
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer'])
+ title: resman_delegated_grant
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/resourcemanager.projectIamAdmin
+ module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]:
+ condition: []
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/serviceusage.serviceUsageConsumer
+ module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]:
+ condition: []
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/serviceusage.serviceUsageViewer
+ module.automation-project.google_project_iam_member.service_agents["cloudasset"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/cloudasset.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["cloudbuild"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/cloudbuild.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/cloudbuild.builds.builder
+ module.automation-project.google_project_iam_member.service_agents["cloudkms"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/cloudkms.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/compute.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/container.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/container.defaultNodeServiceAgent
+ module.automation-project.google_project_iam_member.service_agents["monitoring-notification"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/monitoring.notificationServiceAgent
+ module.automation-project.google_project_iam_member.service_agents["pubsub"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/pubsub.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["service-networking"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/servicenetworking.serviceAgent
+ module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: accesscontextmanager.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: bigquery.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: bigqueryreservation.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: bigquerystorage.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: billingbudgets.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudasset.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudbilling.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudbuild.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudkms.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudquotas.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudresourcemanager.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["datacatalog.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: datacatalog.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: essentialcontacts.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["iam.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: iam.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: iamcredentials.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["logging.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: logging.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["monitoring.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: monitoring.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: orgpolicy.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: pubsub.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: serviceusage.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: storage-component.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: storage.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["sts.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: sts.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: cloudasset.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: cloudkms.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["container.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["monitoring.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: monitoring.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: pubsub.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket[0]:
+ autoclass: []
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ hierarchical_namespace: []
+ ip_filter: []
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast-prod-iac-core-bootstrap-0
+ project: fast-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: STANDARD
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
+ : condition: []
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/organizationAdminViewer
+ ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
+ : condition: []
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/tagViewer
+ module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-bootstrap-0r
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform organization bootstrap service account (read-only).
+ email: fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ timeouts: null
+ ? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
+ : condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: organizations/123456789012/roles/storageViewer
+ module.automation-tf-bootstrap-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-bootstrap-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform organization bootstrap service account.
+ email: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ timeouts: null
+ module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: roles/storage.admin
+ module.automation-tf-output-gcs.google_storage_bucket.bucket[0]:
+ autoclass: []
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ hierarchical_namespace: []
+ ip_filter: []
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast-prod-iac-core-outputs-0
+ project: fast-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: STANDARD
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.automation-tf-resman-gcs.google_storage_bucket.bucket[0]:
+ autoclass: []
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ hierarchical_namespace: []
+ ip_filter: []
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast-prod-iac-core-resman-0
+ project: fast-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: STANDARD
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast-prod-iac-core-resman-0
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/storage.objectAdmin
+ module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast-prod-iac-core-resman-0
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
+ : condition: []
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/organizationAdminViewer
+ ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
+ : condition: []
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/tagViewer
+ module.automation-tf-resman-r-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-resman-0r
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform stage 1 resman service account (read-only).
+ email: fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ timeouts: null
+ module.automation-tf-resman-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: organizations/123456789012/roles/storageViewer
+ module.automation-tf-resman-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-resman-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform stage 1 resman service account.
+ email: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ timeouts: null
+ module.automation-tf-resman-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: roles/storage.admin
+ module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket[0]:
+ autoclass: []
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ hierarchical_namespace: []
+ ip_filter: []
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast-prod-iac-core-vpcsc-0
+ project: fast-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: STANDARD
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast-prod-iac-core-vpcsc-0
+ condition: []
+ members:
+ - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/storage.objectAdmin
+ module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast-prod-iac-core-vpcsc-0
+ condition: []
+ members:
+ - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-vpcsc-0r
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform stage 1 vpcsc service account (read-only).
+ email: fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ timeouts: null
+ module.automation-tf-vpcsc-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: organizations/123456789012/roles/storageViewer
+ module.automation-tf-vpcsc-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-vpcsc-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform stage 1 vpcsc service account.
+ email: fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ timeouts: null
+ module.automation-tf-vpcsc-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: roles/storage.admin
+ module.billing-account-logbucket[0].google_logging_project_bucket_config.bucket[0]:
+ bucket_id: billing-account
+ cmek_settings: []
+ enable_analytics: true
+ index_configs: []
+ location: global
+ locked: null
+ project: fast-prod-audit-logs-0
+ retention_days: 30
+ ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"]
+ : billing_account_id: 000000-111111-222222
+ condition: []
+ member: group:gcp-billing-admins@fast.example.com
+ role: roles/billing.admin
+ ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"]
+ : billing_account_id: 000000-111111-222222
+ condition: []
+ member: group:gcp-organization-admins@fast.example.com
+ role: roles/billing.admin
+ ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : billing_account_id: 000000-111111-222222
+ condition: []
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/billing.admin
+ ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : billing_account_id: 000000-111111-222222
+ condition: []
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/billing.admin
+ ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : billing_account_id: 000000-111111-222222
+ condition: []
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/billing.viewer
+ ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : billing_account_id: 000000-111111-222222
+ condition: []
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/billing.viewer
+ ? module.billing-account[0].google_billing_account_iam_member.bindings["roles/logging.configWriter-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : billing_account_id: 000000-111111-222222
+ condition: []
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/logging.configWriter
+ module.billing-account[0].google_logging_billing_account_sink.sink["billing_bucket_log_sink"]:
+ billing_account: 000000-111111-222222
+ description: billing-account sink (Terraform-managed).
+ disabled: false
+ exclusions: []
+ filter: null
+ name: billing_bucket_log_sink
+ module.billing-account[0].google_project_iam_member.bucket-sinks-binding["billing_bucket_log_sink"]:
+ condition:
+ - title: billing_bucket_log_sink bucket writer
+ role: roles/logging.bucketWriter
+ module.billing-export-dataset[0].google_bigquery_dataset.default:
+ dataset_id: billing_export
+ default_encryption_configuration: []
+ default_partition_expiration_ms: null
+ default_table_expiration_ms: null
+ delete_contents_on_destroy: false
+ description: Terraform managed.
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ external_catalog_dataset_options: []
+ external_dataset_reference: []
+ friendly_name: Billing export.
+ labels: null
+ location: EU
+ max_time_travel_hours: '168'
+ project: fast-prod-billing-exp-0
+ resource_tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]:
+ project: fast-prod-billing-exp-0
+ module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]:
+ project: fast-prod-billing-exp-0
+ user_project: null
+ module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
+ email: gcp-organization-admins@fast.example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/fast-prod-billing-exp-0
+ timeouts: null
+ module.billing-export-project[0].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ folder_id: null
+ labels: null
+ name: fast-prod-billing-exp-0
+ org_id: '123456789012'
+ project_id: fast-prod-billing-exp-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-billing-exp-0
+ role: roles/owner
+ module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-billing-exp-0
+ role: roles/viewer
+ module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]:
+ condition: []
+ project: fast-prod-billing-exp-0
+ role: roles/bigquerydatatransfer.serviceAgent
+ module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-billing-exp-0
+ service: bigquery.googleapis.com
+ timeouts: null
+ module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-billing-exp-0
+ service: bigquerydatatransfer.googleapis.com
+ timeouts: null
+ module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-billing-exp-0
+ service: storage.googleapis.com
+ timeouts: null
+ module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]:
+ project: fast-prod-billing-exp-0
+ service: bigquerydatatransfer.googleapis.com
+ timeouts: null
+ module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]:
+ bucket_id: audit-logs
+ cmek_settings: []
+ enable_analytics: true
+ index_configs: []
+ location: global
+ locked: null
+ project: fast-prod-audit-logs-0
+ retention_days: 30
+ module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]:
+ bucket_id: iam
+ cmek_settings: []
+ enable_analytics: true
+ index_configs: []
+ location: global
+ locked: null
+ project: fast-prod-audit-logs-0
+ retention_days: 30
+ module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]:
+ bucket_id: vpc-sc
+ cmek_settings: []
+ enable_analytics: true
+ index_configs: []
+ location: global
+ locked: null
+ project: fast-prod-audit-logs-0
+ retention_days: 30
+ module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]:
+ bucket_id: workspace-audit-logs
+ cmek_settings: []
+ enable_analytics: true
+ index_configs: []
+ location: global
+ locked: null
+ project: fast-prod-audit-logs-0
+ retention_days: 30
+ module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]:
+ project: fast-prod-audit-logs-0
+ module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]:
+ project: fast-prod-audit-logs-0
+ user_project: null
+ module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
+ email: gcp-organization-admins@fast.example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/fast-prod-audit-logs-0
+ timeouts: null
+ module.log-export-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ folder_id: null
+ labels: null
+ name: fast-prod-audit-logs-0
+ org_id: '123456789012'
+ project_id: fast-prod-audit-logs-0
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-audit-logs-0
+ role: roles/owner
+ module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-audit-logs-0
+ role: roles/viewer
+ module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-audit-logs-0
+ service: bigquery.googleapis.com
+ timeouts: null
+ module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-audit-logs-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.log-export-project.google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-audit-logs-0
+ service: storage.googleapis.com
+ timeouts: null
+ module.organization-logging.google_logging_organization_settings.default[0]:
+ organization: '123456789012'
+ storage_location: global
+ timeouts: null
+ module.organization.google_logging_organization_sink.sink["audit-logs"]:
+ description: audit-logs (Terraform-managed).
+ disabled: false
+ exclusions: []
+ filter: 'log_id("cloudaudit.googleapis.com/activity") OR
+
+ log_id("cloudaudit.googleapis.com/system_event") OR
+
+ log_id("cloudaudit.googleapis.com/policy") OR
+
+ log_id("cloudaudit.googleapis.com/access_transparency")
+
+ '
+ include_children: true
+ intercept_children: false
+ name: audit-logs
+ org_id: '123456789012'
+ module.organization.google_logging_organization_sink.sink["iam"]:
+ description: iam (Terraform-managed).
+ disabled: false
+ exclusions: []
+ filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR
+
+ protoPayload.serviceName="iam.googleapis.com" OR
+
+ protoPayload.serviceName="sts.googleapis.com"
+
+ '
+ include_children: true
+ intercept_children: false
+ name: iam
+ org_id: '123456789012'
+ module.organization.google_logging_organization_sink.sink["vpc-sc"]:
+ description: vpc-sc (Terraform-managed).
+ disabled: false
+ exclusions: []
+ filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
+
+ '
+ include_children: true
+ intercept_children: false
+ name: vpc-sc
+ org_id: '123456789012'
+ module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]:
+ description: workspace-audit-logs (Terraform-managed).
+ disabled: false
+ exclusions: []
+ filter: 'protoPayload.serviceName="admin.googleapis.com" OR
+
+ protoPayload.serviceName="cloudidentity.googleapis.com" OR
+
+ protoPayload.serviceName="login.googleapis.com"
+
+ '
+ include_children: true
+ intercept_children: false
+ name: workspace-audit-logs
+ org_id: '123456789012'
+ module.organization.google_org_policy_custom_constraint.constraint["custom.denyBridgePerimeters"]:
+ action_type: DENY
+ condition: resource.perimeterType == 'PERIMETER_TYPE_BRIDGE'
+ description: Disables the use of perimeter bridges. Instead, use ingress and egress
+ rules.
+ display_name: Disable perimeter bridges
+ method_types:
+ - CREATE
+ - UPDATE
+ name: custom.denyBridgePerimeters
+ parent: organizations/123456789012
+ resource_types:
+ - accesscontextmanager.googleapis.com/ServicePerimeter
+ timeouts: null
+ module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.disableNestedVirtualization
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.disableSerialPortAccess
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.disableVpcExternalIpv6
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.requireOsLogin
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values:
+ - in:INTERNAL
+ denied_values: null
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.restrictProtocolForwardingCreationForTypes"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.restrictProtocolForwardingCreationForTypes
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values:
+ - is:INTERNAL
+ denied_values: null
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.trustedImageProjects
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values:
+ - is:projects/centos-cloud
+ - is:projects/cos-cloud
+ - is:projects/debian-cloud
+ - is:projects/fedora-cloud
+ - is:projects/fedora-coreos-cloud
+ - is:projects/opensuse-cloud
+ - is:projects/rhel-cloud
+ - is:projects/rhel-sap-cloud
+ - is:projects/rocky-linux-cloud
+ - is:projects/suse-cloud
+ - is:projects/suse-sap-cloud
+ - is:projects/ubuntu-os-cloud
+ - is:projects/ubuntu-os-pro-cloud
+ - is:projects/windows-cloud
+ - is:projects/windows-sql-cloud
+ - is:projects/confidential-vm-images
+ - is:projects/confidential-space-images
+ - is:projects/backupdr-images
+ - is:projects/deeplearning-platform-release
+ - is:projects/serverless-vpc-access-images
+ - is:projects/gke-node-images
+ - is:projects/gke-windows-node-images
+ - is:projects/ubuntu-os-gke-cloud
+ denied_values: null
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.vmExternalIpAccess
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: 'TRUE'
+ enforce: null
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/custom.denyBridgePerimeters
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition:
+ - description: null
+ expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
+
+ '
+ location: null
+ title: Restrict essential contacts domains
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values:
+ - '@fast.example.com'
+ denied_values: null
+ - allow_all: 'TRUE'
+ condition:
+ - description: null
+ expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
+
+ '
+ location: null
+ title: Allow essential contacts from any domain
+ deny_all: null
+ enforce: null
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["gcp.resourceLocations"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/gcp.resourceLocations
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: 'TRUE'
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition:
+ - description: null
+ expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
+
+ '
+ location: null
+ title: Restrict member domains
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values:
+ - is:C00000000
+ denied_values: null
+ - allow_all: 'TRUE'
+ condition:
+ - description: null
+ expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
+
+ '
+ location: null
+ title: Allow any member domain
+ deny_all: null
+ enforce: null
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.disableAuditLoggingExemption
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values:
+ - is:DISABLE_KEY
+ denied_values: null
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: 'TRUE'
+ enforce: null
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: 'TRUE'
+ enforce: null
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["run.allowedIngress"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/run.allowedIngress
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values:
+ - is:internal-and-cloud-load-balancing
+ denied_values: null
+ timeouts: null
+ module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/run.managed.requireInvokerIam
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/sql.restrictPublicIp
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/storage.publicAccessPrevention
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["storage.restrictAuthTypes"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/storage.restrictAuthTypes
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values: null
+ denied_values:
+ - in:ALL_HMAC_SIGNED_REQUESTS
+ timeouts: null
+ module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/storage.secureHttpTransport
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]:
+ condition: []
+ members: null
+ org_id: '123456789012'
+ role: roles/billing.creator
+ module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
+ condition: []
+ members:
+ - domain:fast.example.com
+ org_id: '123456789012'
+ role: roles/browser
+ module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - group:gcp-security-admins@fast.example.com
+ - group:gcp-vpc-network-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/cloudasset.owner
+ module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/cloudsupport.admin
+ module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ - group:gcp-support@example.com
+ - group:gcp-vpc-network-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/cloudsupport.techSupportEditor
+ module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/compute.osAdminLogin
+ module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/compute.osLoginExternalUser
+ module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/essentialcontacts.admin
+ module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/essentialcontacts.viewer
+ module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/iam.securityReviewer
+ module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/logging.admin
+ module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
+ condition: []
+ members:
+ - group:gcp-support@example.com
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/logging.viewer
+ module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]:
+ condition: []
+ members:
+ - group:gcp-support@example.com
+ org_id: '123456789012'
+ role: roles/monitoring.viewer
+ module.organization.google_organization_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/owner
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.folderAdmin
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.folderViewer
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.organizationAdmin
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.projectCreator
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.projectMover
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.tagAdmin
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.tagUser
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.tagViewer
+ module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/securitycenter.admin
+ module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/serviceusage.serviceUsageViewer
+ module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]:
+ condition:
+ - description: Automation service account delegated grants.
+ expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyEditor'',''roles/accesscontextmanager.policyReader'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer''])
+
+ || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/iam.workforcePoolAdmin'',''roles/iam.workforcePoolViewer''])
+
+ || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/billingViewer'',''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin''])
+
+ '
+ title: automation_sa_delegated_grants
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/organizationIamAdmin
+ module.organization.google_organization_iam_custom_role.roles["billing_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - billing.accounts.get
+ - billing.accounts.getIamPolicy
+ - billing.accounts.getSpendingInformation
+ - billing.accounts.getUsageExportSpec
+ - billing.accounts.list
+ - billing.budgets.get
+ - billing.budgets.list
+ - billing.budgets.update
+ - billing.credits.list
+ - billing.resourceAssociations.list
+ - recommender.costInsights.get
+ - recommender.costInsights.list
+ role_id: billingViewer
+ stage: GA
+ title: Custom role billingViewer
+ module.organization.google_organization_iam_custom_role.roles["dns_zone_binder"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - dns.networks.bindPrivateDNSZone
+ role_id: dnsZoneBinder
+ stage: GA
+ title: Custom role dnsZoneBinder
+ module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - vmwareengine.networkPeerings.create
+ - vmwareengine.networkPeerings.delete
+ - vmwareengine.networkPeerings.get
+ - vmwareengine.networkPeerings.list
+ - vmwareengine.operations.get
+ role_id: gcveNetworkAdmin
+ stage: GA
+ title: Custom role gcveNetworkAdmin
+ module.organization.google_organization_iam_custom_role.roles["gcve_network_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - vmwareengine.networkPeerings.get
+ - vmwareengine.networkPeerings.list
+ - vmwareengine.operations.get
+ role_id: gcveNetworkViewer
+ stage: GA
+ title: Custom role gcveNetworkViewer
+ module.organization.google_organization_iam_custom_role.roles["kms_key_encryption_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - cloudkms.cryptoKeyVersions.get
+ - cloudkms.cryptoKeyVersions.list
+ - cloudkms.cryptoKeys.get
+ - cloudkms.cryptoKeys.getIamPolicy
+ - cloudkms.cryptoKeys.list
+ - cloudkms.cryptoKeys.setIamPolicy
+ role_id: kmsKeyEncryptionAdmin
+ stage: GA
+ title: Custom role kmsKeyEncryptionAdmin
+ module.organization.google_organization_iam_custom_role.roles["kms_key_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - cloudkms.cryptoKeyVersions.get
+ - cloudkms.cryptoKeyVersions.list
+ - cloudkms.cryptoKeys.get
+ - cloudkms.cryptoKeys.getIamPolicy
+ - cloudkms.cryptoKeys.list
+ role_id: kmsKeyViewer
+ stage: GA
+ title: Custom role kmsKeyViewer
+ module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - compute.networks.setFirewallPolicy
+ - networksecurity.firewallEndpointAssociations.create
+ - networksecurity.firewallEndpointAssociations.delete
+ - networksecurity.firewallEndpointAssociations.get
+ - networksecurity.firewallEndpointAssociations.list
+ - networksecurity.firewallEndpointAssociations.update
+ role_id: networkFirewallPoliciesAdmin
+ stage: GA
+ title: Custom role networkFirewallPoliciesAdmin
+ module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - networksecurity.firewallEndpoints.create
+ - networksecurity.firewallEndpoints.delete
+ - networksecurity.firewallEndpoints.get
+ - networksecurity.firewallEndpoints.list
+ - networksecurity.firewallEndpoints.update
+ - networksecurity.firewallEndpoints.use
+ - networksecurity.locations.get
+ - networksecurity.locations.list
+ - networksecurity.operations.cancel
+ - networksecurity.operations.delete
+ - networksecurity.operations.get
+ - networksecurity.operations.list
+ - networksecurity.securityProfileGroups.create
+ - networksecurity.securityProfileGroups.delete
+ - networksecurity.securityProfileGroups.get
+ - networksecurity.securityProfileGroups.list
+ - networksecurity.securityProfileGroups.update
+ - networksecurity.securityProfileGroups.use
+ - networksecurity.securityProfiles.create
+ - networksecurity.securityProfiles.delete
+ - networksecurity.securityProfiles.get
+ - networksecurity.securityProfiles.list
+ - networksecurity.securityProfiles.update
+ - networksecurity.securityProfiles.use
+ - networksecurity.tlsInspectionPolicies.create
+ - networksecurity.tlsInspectionPolicies.delete
+ - networksecurity.tlsInspectionPolicies.get
+ - networksecurity.tlsInspectionPolicies.list
+ - networksecurity.tlsInspectionPolicies.update
+ - networksecurity.tlsInspectionPolicies.use
+ role_id: ngfwEnterpriseAdmin
+ stage: GA
+ title: Custom role ngfwEnterpriseAdmin
+ module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - networksecurity.firewallEndpoints.get
+ - networksecurity.firewallEndpoints.list
+ - networksecurity.firewallEndpoints.use
+ - networksecurity.locations.get
+ - networksecurity.locations.list
+ - networksecurity.operations.get
+ - networksecurity.operations.list
+ - networksecurity.securityProfileGroups.get
+ - networksecurity.securityProfileGroups.list
+ - networksecurity.securityProfileGroups.use
+ - networksecurity.securityProfiles.get
+ - networksecurity.securityProfiles.list
+ - networksecurity.securityProfiles.use
+ - networksecurity.tlsInspectionPolicies.get
+ - networksecurity.tlsInspectionPolicies.list
+ - networksecurity.tlsInspectionPolicies.use
+ role_id: ngfwEnterpriseViewer
+ stage: GA
+ title: Custom role ngfwEnterpriseViewer
+ module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - essentialcontacts.contacts.get
+ - essentialcontacts.contacts.list
+ - logging.settings.get
+ - orgpolicy.constraints.list
+ - orgpolicy.policies.list
+ - orgpolicy.policy.get
+ - resourcemanager.folders.get
+ - resourcemanager.folders.getIamPolicy
+ - resourcemanager.folders.list
+ - resourcemanager.organizations.get
+ - resourcemanager.organizations.getIamPolicy
+ - resourcemanager.projects.get
+ - resourcemanager.projects.getIamPolicy
+ - resourcemanager.projects.list
+ - storage.buckets.getIamPolicy
+ role_id: organizationAdminViewer
+ stage: GA
+ title: Custom role organizationAdminViewer
+ module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - resourcemanager.organizations.get
+ - resourcemanager.organizations.getIamPolicy
+ - resourcemanager.organizations.setIamPolicy
+ role_id: organizationIamAdmin
+ stage: GA
+ title: Custom role organizationIamAdmin
+ module.organization.google_organization_iam_custom_role.roles["project_iam_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - iam.policybindings.get
+ - iam.policybindings.list
+ - resourcemanager.projects.get
+ - resourcemanager.projects.getIamPolicy
+ - resourcemanager.projects.searchPolicyBindings
+ role_id: projectIamViewer
+ stage: GA
+ title: Custom role projectIamViewer
+ module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - compute.globalOperations.get
+ - compute.networks.get
+ - compute.networks.updatePeering
+ - compute.organizations.disableXpnResource
+ - compute.organizations.enableXpnResource
+ - compute.projects.get
+ - compute.subnetworks.getIamPolicy
+ - compute.subnetworks.setIamPolicy
+ - dns.networks.bindPrivateDNSZone
+ - resourcemanager.projects.get
+ role_id: serviceProjectNetworkAdmin
+ stage: GA
+ title: Custom role serviceProjectNetworkAdmin
+ module.organization.google_organization_iam_custom_role.roles["storage_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - storage.buckets.get
+ - storage.buckets.getIamPolicy
+ - storage.buckets.getObjectInsights
+ - storage.buckets.list
+ - storage.buckets.listEffectiveTags
+ - storage.buckets.listTagBindings
+ - storage.managedFolders.get
+ - storage.managedFolders.getIamPolicy
+ - storage.managedFolders.list
+ - storage.multipartUploads.list
+ - storage.multipartUploads.listParts
+ - storage.objects.get
+ - storage.objects.getIamPolicy
+ - storage.objects.list
+ role_id: storageViewer
+ stage: GA
+ title: Custom role storageViewer
+ module.organization.google_organization_iam_custom_role.roles["tag_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - resourcemanager.tagHolds.list
+ - resourcemanager.tagKeys.get
+ - resourcemanager.tagKeys.getIamPolicy
+ - resourcemanager.tagKeys.list
+ - resourcemanager.tagValues.get
+ - resourcemanager.tagValues.getIamPolicy
+ - resourcemanager.tagValues.list
+ role_id: tagViewer
+ stage: GA
+ title: Custom role tagViewer
+ module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - compute.globalOperations.get
+ role_id: tenantNetworkAdmin
+ stage: GA
+ title: Custom role tenantNetworkAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyReader
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyReader
+ ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/cloudasset.viewer
+ ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/cloudasset.viewer
+ ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-vpc-network-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/compute.orgFirewallPolicyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-vpc-network-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/compute.xpnAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/iam.organizationRoleAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.organizationRoleAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.organizationRoleViewer
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-group:gcp-organization-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/iam.workforcePoolAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.workforcePoolAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.workforcePoolViewer
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyViewer
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyViewer
+ module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]:
+ condition:
+ - title: audit-logs bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_project_iam_member.bucket-sinks-binding["iam"]:
+ condition:
+ - title: iam bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]:
+ condition:
+ - title: vpc-sc bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]:
+ condition:
+ - title: workspace-audit-logs bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_tags_tag_key.default["org-policies"]:
+ description: Organization policy conditions.
+ parent: organizations/123456789012
+ purpose: null
+ purpose_data: null
+ short_name: org-policies
+ timeouts: null
+ module.organization.google_tags_tag_value.default["org-policies/allowed-essential-contacts-domains-all"]:
+ description: Managed by the Terraform organization module.
+ short_name: allowed-essential-contacts-domains-all
+ timeouts: null
+ module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]:
+ description: Managed by the Terraform organization module.
+ short_name: allowed-policy-member-domains-all
+ timeouts: null
\ No newline at end of file
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 66a2c2dea..fcc02bb89 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -1637,6 +1637,7 @@ outputs:
force_create:
dataset: false
project: false
+ log_bucket: false
id: 000000-111111-222222
is_org_level: true
no_iam: false
diff --git a/tests/fast/stages/s0_bootstrap/tftest.yaml b/tests/fast/stages/s0_bootstrap/tftest.yaml
index 5118d8577..4aea722b0 100644
--- a/tests/fast/stages/s0_bootstrap/tftest.yaml
+++ b/tests/fast/stages/s0_bootstrap/tftest.yaml
@@ -23,5 +23,8 @@ tests:
inventory:
- simple.yaml
- managed_org_policies.yaml
+ external_billing_account:
+ inventory:
+ - external_billing_account.yaml
iam_by_principals:
cicd:
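Review bot: The new `external_billing_account` case lists only `external_billing_account.yaml`, while the `simple` case just above it also checks `managed_org_policies.yaml`. Unless the new inventory already pins the organization policy resources (that part of the file is not visible from this hunk), the external-billing configuration runs without any assertion on org policies. If the policy set is meant to be the same in both configurations, adding `- managed_org_policies.yaml` under the new `inventory:` key would keep the two cases aligned. The `tests:` mapping starts and continues outside the hunk.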