diff --git a/fast/stages/0-bootstrap/data/custom-constraints/accesscontextmanager.yaml b/fast/stages/0-bootstrap/data/custom-constraints/accesscontextmanager.yaml
new file mode 100644
index 000000000..4c7e59fdc
--- /dev/null
+++ b/fast/stages/0-bootstrap/data/custom-constraints/accesscontextmanager.yaml
@@ -0,0 +1,26 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/org-policy-custom-constraint.schema.json
+
+custom.denyBridgePerimeters:
+ resource_types:
+ - accesscontextmanager.googleapis.com/ServicePerimeter
+ method_types:
+ - CREATE
+ - UPDATE
+ condition: "resource.perimeterType == 'PERIMETER_TYPE_BRIDGE'"
+ action_type: DENY
+ display_name: Disable perimeter bridges
+ description: Disables the use of perimeter bridges. Instead, use ingress and egress rules.
diff --git a/tests/fast/stages/s0_bootstrap/simple_sas.yaml b/fast/stages/0-bootstrap/data/org-policies-managed/accesscontextmanager.yaml
similarity index 57%
rename from tests/fast/stages/s0_bootstrap/simple_sas.yaml
rename to fast/stages/0-bootstrap/data/org-policies-managed/accesscontextmanager.yaml
index 02c089ebd..4ae43a1d1 100644
--- a/tests/fast/stages/s0_bootstrap/simple_sas.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies-managed/accesscontextmanager.yaml
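Review bot: The `description` on the last line of the hunk says the constraint "Disables the use of perimeter bridges", but with `method_types` limited to CREATE and UPDATE the DENY only stops new or modified bridge perimeters; any bridge that already exists when the matching policy is enforced stays in place and must be removed separately. Leaving DELETE out of the list looks deliberate, since it keeps that cleanup possible, but the description should not promise more than the constraint delivers. Suggested wording: `description: Denies creation or update of perimeter bridges; existing bridges must be removed separately. Use ingress and egress rules instead.`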
@@ -12,12 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-values:
- module.automation-tf-bootstrap-sa.google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-0
- display_name: Terraform organization bootstrap service account.
- project: fast-prod-iac-core-0
- module.automation-tf-resman-sa.google_service_account.service_account[0]:
- account_id: fast-prod-resman-0
- display_name: Terraform stage 1 resman service account.
- project: fast-prod-iac-core-0
+---
+# sample subset of useful organization policies, edit to suit requirements
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
+
+custom.denyBridgePerimeters:
+ rules:
+ - enforce: true
diff --git a/fast/stages/0-bootstrap/data/org-policies/accesscontextmanager.yaml b/fast/stages/0-bootstrap/data/org-policies/accesscontextmanager.yaml
new file mode 100644
index 000000000..4ae43a1d1
--- /dev/null
+++ b/fast/stages/0-bootstrap/data/org-policies/accesscontextmanager.yaml
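Review bot: The file header above this hunk presents `tests/fast/stages/s0_bootstrap/simple_sas.yaml` as renamed (57% similarity) into `fast/stages/0-bootstrap/data/org-policies-managed/accesscontextmanager.yaml`, yet the hunk drops the entire `values:` inventory and adds unrelated policy content, so what really happened is that a test fixture was deleted and a data file was added, with git matching only the license headers. If anything under `tests/fast/stages/s0_bootstrap` still loads `simple_sas.yaml` it will now fail on a missing file, which is worth confirming before merge, and a line in the commit message stating that the fixture was removed on purpose would spare the next reader the same confusion. The policy body added here also lands byte-identical (blob 4ae43a1d1) in `fast/stages/0-bootstrap/data/org-policies/accesscontextmanager.yaml` in the next section; if both directories are meant to carry the same constraint, a comment in each file naming its counterpart, e.g. `# keep in sync with ../org-policies/accesscontextmanager.yaml`, turns the duplication from accidental into deliberate and tells a maintainer where the second edit goes.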
@@ -0,0 +1,23 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# sample subset of useful organization policies, edit to suit requirements
+# start of document (---) avoids errors if the file only contains comments
+
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
+
+custom.denyBridgePerimeters:
+ rules:
+ - enforce: true
diff --git a/tests/fast/stages/s0_bootstrap/cicd.yaml b/tests/fast/stages/s0_bootstrap/cicd.yaml
index eb73c324f..644f0407f 100644
--- a/tests/fast/stages/s0_bootstrap/cicd.yaml
+++ b/tests/fast/stages/s0_bootstrap/cicd.yaml
@@ -35,9 +35,9 @@ values:
 disabled: null
 display_name: null
 oidc:
- - allowed_audiences: []
- issuer_uri: https://token.actions.githubusercontent.com
- jwks_json: null
+ - allowed_audiences: []
+ issuer_uri: https://token.actions.githubusercontent.com
+ jwks_json: null
 project: fast-prod-iac-core-0
 saml: []
 timeouts: null
@@ -66,60 +66,485 @@ values: disabled: null display_name: null oidc: - - allowed_audiences: [] - issuer_uri: https://gitlab.com - jwks_json: null + - allowed_audiences: [] + issuer_uri: https://gitlab.com + jwks_json: null project: fast-prod-iac-core-0 saml: [] timeouts: null workload_identity_pool_id: fast-bootstrap workload_identity_pool_provider_id: fast-bootstrap-gl-test x509: [] - google_storage_bucket_object.workflows["0-bootstrap"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: workflows/0-bootstrap-workflow.yaml - retention: [] - source: null - temporary_hold: null + module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]: + project: fast-prod-iac-core-0 + module.automation-project.data.google_storage_project_service_account.gcs_sa[0]: + project: fast-prod-iac-core-0 + user_project: null + module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: + email: gcp-organization-admins@fast.example.com + language_tag: en + notification_category_subscriptions: + - ALL + parent: projects/fast-prod-iac-core-0 timeouts: null - google_storage_bucket_object.workflows["1-resman"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: workflows/1-resman-workflow.yaml - retention: [] - source: null - temporary_hold: null + module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: + dry_run_spec: [] + name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation + parent: projects/fast-prod-iac-core-0 + spec: + - inherit_from_parent: null + reset: 
null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] timeouts: null - google_storage_bucket_object.workflows["1-resman-tenants"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_disposition: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: workflows/1-resman-tenants-workflow.yaml - retention: [] - source: null - temporary_hold: null + module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]: + dry_run_spec: [] + name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts + parent: projects/fast-prod-iac-core-0 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] timeouts: null + module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: + dry_run_spec: [] + name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation + parent: projects/fast-prod-iac-core-0 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.automation-project.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: + dry_run_spec: [] + name: projects/fast-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders + parent: projects/fast-prod-iac-core-0 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - https://token.actions.githubusercontent.com + - https://gitlab.com + - https://app.terraform.io + denied_values: null + timeouts: null + 
module.automation-project.google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: fast-prod-iac-core-0 + org_id: '123456789012' + project_id: fast-prod-iac-core-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]: + audit_log_config: + - exempted_members: [] + log_type: ADMIN_READ + project: fast-prod-iac-core-0 + service: iam.googleapis.com + module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: organizations/123456789012/roles/storageViewer + module.automation-project.google_project_iam_binding.authoritative["roles/browser"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/browser + module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/cloudbuild.builds.editor + module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/cloudbuild.builds.viewer + module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]: + condition: [] + members: + - 
group:gcp-devops@fast.example.com + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/iam.serviceAccountAdmin + module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: + - group:gcp-devops@fast.example.com + - group:gcp-organization-admins@fast.example.com + project: fast-prod-iac-core-0 + role: roles/iam.serviceAccountTokenCreator + module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/iam.serviceAccountViewer + module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/iam.workloadIdentityPoolAdmin + module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/iam.workloadIdentityPoolViewer + module.automation-project.google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/owner + module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/source.admin + 
module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/source.reader + module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/storage.admin + module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/viewer + module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]: + condition: + - description: Resource manager service account delegated grant. 
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer']) + title: resman_delegated_grant + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/resourcemanager.projectIamAdmin + module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]: + condition: [] + member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/serviceusage.serviceUsageConsumer + module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]: + condition: [] + member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/serviceusage.serviceUsageViewer + module.automation-project.google_project_iam_member.service_agents["cloudasset"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/cloudasset.serviceAgent + module.automation-project.google_project_iam_member.service_agents["cloudbuild"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/cloudbuild.serviceAgent + module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/cloudbuild.builds.builder + module.automation-project.google_project_iam_member.service_agents["cloudkms"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/cloudkms.serviceAgent + module.automation-project.google_project_iam_member.service_agents["compute-system"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/compute.serviceAgent + module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/container.serviceAgent + module.automation-project.google_project_iam_member.service_agents["gkenode"]: + 
condition: [] + project: fast-prod-iac-core-0 + role: roles/container.defaultNodeServiceAgent + module.automation-project.google_project_iam_member.service_agents["monitoring-notification"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/monitoring.notificationServiceAgent + module.automation-project.google_project_iam_member.service_agents["pubsub"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/pubsub.serviceAgent + module.automation-project.google_project_iam_member.service_agents["service-networking"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/servicenetworking.serviceAgent + module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: accesscontextmanager.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: bigquery.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: bigqueryreservation.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: bigquerystorage.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: billingbudgets.googleapis.com + timeouts: null + 
module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudasset.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudbilling.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudbuild.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudquotas.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudresourcemanager.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["compute.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: compute.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["container.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: container.googleapis.com + timeouts: null + 
module.automation-project.google_project_service.project_services["datacatalog.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: datacatalog.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: essentialcontacts.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["iam.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: iam.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: iamcredentials.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["logging.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: logging.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["monitoring.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: monitoring.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: orgpolicy.googleapis.com + timeouts: null + 
module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: pubsub.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: servicenetworking.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: serviceusage.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: storage-component.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: storage.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["sts.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: sts.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]: + project: fast-prod-iac-core-0 + service: cloudasset.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]: + project: fast-prod-iac-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["container.googleapis.com"]: + project: fast-prod-iac-core-0 + service: 
container.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["monitoring.googleapis.com"]: + project: fast-prod-iac-core-0 + service: monitoring.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]: + project: fast-prod-iac-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]: + project: fast-prod-iac-core-0 + service: pubsub.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]: + project: fast-prod-iac-core-0 + service: servicenetworking.googleapis.com + timeouts: null + module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast-prod-iac-core-bootstrap-0 + project: fast-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"] + : condition: [] + org_id: '123456789012' + role: organizations/123456789012/roles/organizationAdminViewer + ? 
module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"] + : condition: [] + org_id: '123456789012' + role: organizations/123456789012/roles/tagViewer module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]: account_id: fast-prod-bootstrap-0r create_ignore_already_exists: null @@ -133,7 +558,7 @@ values: ? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] : condition: [] members: - - serviceAccount:fast-prod-bootstrap-1r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-bootstrap-1r@fast-prod-iac-core-0.iam.gserviceaccount.com role: roles/iam.serviceAccountTokenCreator ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] : bucket: fast-prod-iac-core-outputs-0 @@ -149,10 +574,10 @@ values: member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com project: fast-prod-iac-core-0 timeouts: null - ? module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - : condition: [] + module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] members: - - serviceAccount:fast-prod-bootstrap-1@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-bootstrap-1@fast-prod-iac-core-0.iam.gserviceaccount.com role: roles/iam.serviceAccountTokenCreator ? module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] : bucket: fast-prod-iac-core-outputs-0 
@@ -162,8 +587,8 @@ values: : condition: [] project: fast-prod-iac-core-0 role: roles/logging.logWriter - ? module.automation-tf-cicd-r-sa["bootstrap"].google_service_account.service_account[0] - : account_id: fast-prod-bootstrap-1r + module.automation-tf-cicd-r-sa["bootstrap"].google_service_account.service_account[0]: + account_id: fast-prod-bootstrap-1r create_ignore_already_exists: null description: null disabled: false @@ -183,8 +608,8 @@ values: : condition: [] project: fast-prod-iac-core-0 role: roles/logging.logWriter - ? module.automation-tf-cicd-r-sa["resman"].google_service_account.service_account[0] - : account_id: fast-prod-resman-1r + module.automation-tf-cicd-r-sa["resman"].google_service_account.service_account[0]: + account_id: fast-prod-resman-1r create_ignore_already_exists: null description: null disabled: false @@ -204,8 +629,8 @@ values: : condition: [] project: fast-prod-iac-core-0 role: roles/logging.logWriter - ? module.automation-tf-cicd-r-sa["resman-tenants"].google_service_account.service_account[0] - : account_id: fast-prod-resman-tenants-1r + module.automation-tf-cicd-r-sa["resman-tenants"].google_service_account.service_account[0]: + account_id: fast-prod-resman-tenants-1r create_ignore_already_exists: null description: null disabled: false @@ -225,8 +650,8 @@ values: : condition: [] project: fast-prod-iac-core-0 role: roles/logging.logWriter - ? module.automation-tf-cicd-sa["bootstrap"].google_service_account.service_account[0] - : account_id: fast-prod-bootstrap-1 + module.automation-tf-cicd-sa["bootstrap"].google_service_account.service_account[0]: + account_id: fast-prod-bootstrap-1 create_ignore_already_exists: null description: null disabled: false 
@@ -246,8 +671,8 @@ values: : condition: [] project: fast-prod-iac-core-0 role: roles/logging.logWriter - ? module.automation-tf-cicd-sa["resman"].google_service_account.service_account[0] - : account_id: fast-prod-resman-1 + module.automation-tf-cicd-sa["resman"].google_service_account.service_account[0]: + account_id: fast-prod-resman-1 create_ignore_already_exists: null description: null disabled: false @@ -256,8 +681,8 @@ values: member: serviceAccount:fast-prod-resman-1@fast-prod-iac-core-0.iam.gserviceaccount.com project: fast-prod-iac-core-0 timeouts: null - ? module.automation-tf-cicd-sa["resman"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"] - : condition: [] + module.automation-tf-cicd-sa["resman"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]: + condition: [] role: roles/iam.workloadIdentityUser ? module.automation-tf-cicd-sa["resman"].google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.objectViewer"] : bucket: fast-prod-iac-core-outputs-0 @@ -267,8 +692,8 @@ values: : condition: [] project: fast-prod-iac-core-0 role: roles/logging.logWriter - ? module.automation-tf-cicd-sa["resman-tenants"].google_service_account.service_account[0] - : account_id: fast-prod-resman-tenants-1 + module.automation-tf-cicd-sa["resman-tenants"].google_service_account.service_account[0]: + account_id: fast-prod-resman-tenants-1 create_ignore_already_exists: null description: null disabled: false 
@@ -284,6 +709,78 @@ values: : bucket: fast-prod-iac-core-outputs-0 condition: [] role: roles/storage.objectViewer + module.automation-tf-output-gcs.google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast-prod-iac-core-outputs-0 + project: fast-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.automation-tf-resman-gcs.google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast-prod-iac-core-resman-0 + project: fast-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast-prod-iac-core-resman-0 + condition: [] + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast-prod-iac-core-resman-0 + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + 
role: roles/storage.objectViewer + ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"] + : condition: [] + org_id: '123456789012' + role: organizations/123456789012/roles/organizationAdminViewer + ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"] + : condition: [] + org_id: '123456789012' + role: organizations/123456789012/roles/tagViewer module.automation-tf-resman-r-sa.google_service_account.service_account[0]: account_id: fast-prod-resman-0r create_ignore_already_exists: null @@ -294,11 +791,11 @@ values: member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com project: fast-prod-iac-core-0 timeouts: null - ? module.automation-tf-resman-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - : condition: [] + module.automation-tf-resman-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] members: - - serviceAccount:fast-prod-resman-1r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-tenants-1r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-1r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-tenants-1r@fast-prod-iac-core-0.iam.gserviceaccount.com role: roles/iam.serviceAccountTokenCreator ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] : bucket: fast-prod-iac-core-outputs-0 
@@ -314,16 +811,1535 @@ values: member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com project: fast-prod-iac-core-0 timeouts: null - ? module.automation-tf-resman-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - : condition: [] + module.automation-tf-resman-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] members: - - serviceAccount:fast-prod-resman-1@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-tenants-1@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-1@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-tenants-1@fast-prod-iac-core-0.iam.gserviceaccount.com role: roles/iam.serviceAccountTokenCreator ? module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] : bucket: fast-prod-iac-core-outputs-0 condition: [] role: roles/storage.admin + module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast-prod-iac-core-vpcsc-0 + project: fast-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast-prod-iac-core-vpcsc-0 + condition: [] + members: + - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com + role: 
roles/storage.objectAdmin + module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast-prod-iac-core-vpcsc-0 + condition: [] + members: + - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]: + account_id: fast-prod-vpcsc-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform stage 1 vpcsc service account (read-only). + email: fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + timeouts: null + module.automation-tf-vpcsc-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] + : bucket: fast-prod-iac-core-outputs-0 + condition: [] + role: organizations/123456789012/roles/storageViewer + module.automation-tf-vpcsc-sa.google_service_account.service_account[0]: + account_id: fast-prod-vpcsc-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform stage 1 vpcsc service account. + email: fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + timeouts: null + module.automation-tf-vpcsc-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: + - group:gcp-security-admins@fast.example.com + role: roles/iam.serviceAccountTokenCreator + ? 
module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] + : bucket: fast-prod-iac-core-outputs-0 + condition: [] + role: roles/storage.admin + module.billing-export-dataset[0].google_bigquery_dataset.default: + dataset_id: billing_export + default_encryption_configuration: [] + default_partition_expiration_ms: null + default_table_expiration_ms: null + delete_contents_on_destroy: false + description: Terraform managed. + effective_labels: + goog-terraform-provisioned: 'true' + external_catalog_dataset_options: [] + external_dataset_reference: [] + friendly_name: Billing export. + labels: null + location: EU + max_time_travel_hours: '168' + project: fast-prod-billing-exp-0 + resource_tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]: + project: fast-prod-billing-exp-0 + module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]: + project: fast-prod-billing-exp-0 + user_project: null + module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: + email: gcp-organization-admins@fast.example.com + language_tag: en + notification_category_subscriptions: + - ALL + parent: projects/fast-prod-billing-exp-0 + timeouts: null + module.billing-export-project[0].google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: fast-prod-billing-exp-0 + org_id: '123456789012' + project_id: fast-prod-billing-exp-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - 
serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-billing-exp-0 + role: roles/owner + module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-billing-exp-0 + role: roles/viewer + module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]: + condition: [] + project: fast-prod-billing-exp-0 + role: roles/bigquerydatatransfer.serviceAgent + module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-billing-exp-0 + service: bigquery.googleapis.com + timeouts: null + module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-billing-exp-0 + service: bigquerydatatransfer.googleapis.com + timeouts: null + module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-billing-exp-0 + service: storage.googleapis.com + timeouts: null + module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]: + project: fast-prod-billing-exp-0 + service: bigquerydatatransfer.googleapis.com + timeouts: null + module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]: + bucket_id: audit-logs + cmek_settings: [] + enable_analytics: true + index_configs: [] + location: global + locked: null + project: fast-prod-audit-logs-0 + retention_days: 30 + module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]: + bucket_id: iam + cmek_settings: [] + 
enable_analytics: true + index_configs: [] + location: global + locked: null + project: fast-prod-audit-logs-0 + retention_days: 30 + module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]: + bucket_id: vpc-sc + cmek_settings: [] + enable_analytics: true + index_configs: [] + location: global + locked: null + project: fast-prod-audit-logs-0 + retention_days: 30 + module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]: + bucket_id: workspace-audit-logs + cmek_settings: [] + enable_analytics: true + index_configs: [] + location: global + locked: null + project: fast-prod-audit-logs-0 + retention_days: 30 + module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]: + project: fast-prod-audit-logs-0 + module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]: + project: fast-prod-audit-logs-0 + user_project: null + module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: + email: gcp-organization-admins@fast.example.com + language_tag: en + notification_category_subscriptions: + - ALL + parent: projects/fast-prod-audit-logs-0 + timeouts: null + module.log-export-project.google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: fast-prod-audit-logs-0 + org_id: '123456789012' + project_id: fast-prod-audit-logs-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-audit-logs-0 + role: roles/owner + module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]: + condition: 
[] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-audit-logs-0 + role: roles/viewer + module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-audit-logs-0 + service: bigquery.googleapis.com + timeouts: null + module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-audit-logs-0 + service: stackdriver.googleapis.com + timeouts: null + module.log-export-project.google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-audit-logs-0 + service: storage.googleapis.com + timeouts: null + module.organization-logging.google_logging_organization_settings.default[0]: + organization: '123456789012' + storage_location: global + timeouts: null + module.organization.google_logging_organization_sink.sink["audit-logs"]: + description: audit-logs (Terraform-managed). + disabled: false + exclusions: [] + filter: 'log_id("cloudaudit.googleapis.com/activity") OR + + log_id("cloudaudit.googleapis.com/system_event") OR + + log_id("cloudaudit.googleapis.com/policy") OR + + log_id("cloudaudit.googleapis.com/access_transparency") + + ' + include_children: true + intercept_children: false + name: audit-logs + org_id: '123456789012' + module.organization.google_logging_organization_sink.sink["iam"]: + description: iam (Terraform-managed). 
+ disabled: false + exclusions: [] + filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR + + protoPayload.serviceName="iam.googleapis.com" OR + + protoPayload.serviceName="sts.googleapis.com" + + ' + include_children: true + intercept_children: false + name: iam + org_id: '123456789012' + module.organization.google_logging_organization_sink.sink["vpc-sc"]: + description: vpc-sc (Terraform-managed). + disabled: false + exclusions: [] + filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" + + ' + include_children: true + intercept_children: false + name: vpc-sc + org_id: '123456789012' + module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]: + description: workspace-audit-logs (Terraform-managed). + disabled: false + exclusions: [] + filter: 'protoPayload.serviceName="admin.googleapis.com" OR + + protoPayload.serviceName="cloudidentity.googleapis.com" OR + + protoPayload.serviceName="login.googleapis.com" + + ' + include_children: true + intercept_children: false + name: workspace-audit-logs + org_id: '123456789012' + module.organization.google_org_policy_custom_constraint.constraint["custom.denyBridgePerimeters"]: + action_type: DENY + condition: resource.perimeterType == 'PERIMETER_TYPE_BRIDGE' + description: Disables the use of perimeter bridges. Instead, use ingress and egress + rules. 
+ display_name: Disable perimeter bridges + method_types: + - CREATE + - UPDATE + name: custom.denyBridgePerimeters + parent: organizations/123456789012 + resource_types: + - accesscontextmanager.googleapis.com/ServicePerimeter + timeouts: null + module.organization.google_org_policy_custom_constraint.constraint["custom.disableKubeletReadOnlyPort"]: + action_type: DENY + condition: resource.nodeConfig.kubeletConfig.insecureKubeletReadonlyPortEnabled + == true + description: Disallows the use of Kubelet read-only port 10255 to enhance security + display_name: Disable Kubelet Read-Only Port 10255 + method_types: + - CREATE + - UPDATE + name: custom.disableKubeletReadOnlyPort + parent: organizations/123456789012 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + 
parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.disableGuestAttributesAccess + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.disableNestedVirtualization + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.disableSerialPortAccess + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.disableVpcExternalIpv6 + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - 
allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["compute.requireOsLogin"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.requireOsLogin + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - in:INTERNAL + denied_values: null + timeouts: null + module.organization.google_org_policy_policy.default["compute.restrictProtocolForwardingCreationForTypes"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.restrictProtocolForwardingCreationForTypes + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - INTERNAL + denied_values: null + timeouts: null + module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: + 
dry_run_spec: [] + name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.trustedImageProjects + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - is:projects/centos-cloud + - is:projects/cos-cloud + - is:projects/debian-cloud + - is:projects/fedora-cloud + - is:projects/fedora-coreos-cloud + - is:projects/opensuse-cloud + - is:projects/rhel-cloud + - is:projects/rhel-sap-cloud + - is:projects/rocky-linux-cloud + - is:projects/suse-cloud + - is:projects/suse-sap-cloud + - is:projects/ubuntu-os-cloud + - is:projects/ubuntu-os-pro-cloud + - is:projects/windows-cloud + - is:projects/windows-sql-cloud + - is:projects/confidential-vm-images + - is:projects/confidential-space-images + - is:projects/backupdr-images + - is:projects/deeplearning-platform-release + - is:projects/serverless-vpc-access-images + - is:projects/gke-node-images + - is:projects/gke-windows-node-images + - is:projects/ubuntu-os-gke-cloud + denied_values: null + timeouts: null + module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]: + dry_run_spec: [] + name: organizations/123456789012/policies/compute.vmExternalIpAccess + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] + timeouts: null + 
module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]: + dry_run_spec: [] + name: organizations/123456789012/policies/custom.denyBridgePerimeters + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["custom.disableKubeletReadOnlyPort"]: + dry_run_spec: [] + name: organizations/123456789012/policies/custom.disableKubeletReadOnlyPort + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]: + dry_run_spec: [] + name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: + - description: null + expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'') + + ' + location: null + title: Restrict essential contacts domains + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - '@fast.example.com' + denied_values: null + - allow_all: 'TRUE' + condition: + - description: null + expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'') + + ' + location: null + title: Allow essential contacts from any domain + deny_all: null + enforce: null + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["gcp.resourceLocations"]: + dry_run_spec: [] + name: organizations/123456789012/policies/gcp.resourceLocations + parent: organizations/123456789012 + spec: + - 
inherit_from_parent: null + reset: null + rules: + - allow_all: 'TRUE' + condition: [] + deny_all: null + enforce: null + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: + - description: null + expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'') + + ' + location: null + title: Restrict member domains + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - C00000000 + denied_values: null + - allow_all: 'TRUE' + condition: + - description: null + expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'') + + ' + location: null + title: Allow any member domain + deny_all: null + enforce: null + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.disableAuditLoggingExemption + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + 
module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - DISABLE_KEY + denied_values: null + timeouts: null + module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: + dry_run_spec: [] + name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - 
allow_all: null + condition: [] + deny_all: 'TRUE' + enforce: null + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["run.allowedIngress"]: + dry_run_spec: [] + name: organizations/123456789012/policies/run.allowedIngress + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - is:internal-and-cloud-load-balancing + denied_values: null + timeouts: null + module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]: + dry_run_spec: [] + name: organizations/123456789012/policies/run.managed.requireInvokerIam + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]: + dry_run_spec: [] + name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]: + dry_run_spec: [] + name: organizations/123456789012/policies/sql.restrictPublicIp + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]: + dry_run_spec: [] + name: organizations/123456789012/policies/storage.publicAccessPrevention + parent: organizations/123456789012 + spec: + - 
inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["storage.restrictAuthTypes"]: + dry_run_spec: [] + name: organizations/123456789012/policies/storage.restrictAuthTypes + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: null + denied_values: + - in:ALL_HMAC_SIGNED_REQUESTS + timeouts: null + module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]: + dry_run_spec: [] + name: organizations/123456789012/policies/storage.secureHttpTransport + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]: + dry_run_spec: [] + name: organizations/123456789012/policies/storage.uniformBucketLevelAccess + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]: + condition: [] + members: null + org_id: '123456789012' + role: roles/billing.creator + module.organization.google_organization_iam_binding.authoritative["roles/browser"]: + condition: [] + members: + - domain:fast.example.com + org_id: '123456789012' + role: roles/browser + module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + - 
group:gcp-security-admins@fast.example.com + - group:gcp-vpc-network-admins@fast.example.com + org_id: '123456789012' + role: roles/cloudasset.owner + module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + org_id: '123456789012' + role: roles/cloudsupport.admin + module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]: + condition: [] + members: + - group:gcp-security-admins@fast.example.com + - group:gcp-support@example.com + - group:gcp-vpc-network-admins@fast.example.com + org_id: '123456789012' + role: roles/cloudsupport.techSupportEditor + module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + org_id: '123456789012' + role: roles/compute.osAdminLogin + module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + org_id: '123456789012' + role: roles/compute.osLoginExternalUser + module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/essentialcontacts.admin + module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/essentialcontacts.viewer + 
module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]: + condition: [] + members: + - group:gcp-security-admins@fast.example.com + org_id: '123456789012' + role: roles/iam.securityReviewer + module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - group:gcp-security-admins@fast.example.com + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/logging.admin + module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]: + condition: [] + members: + - group:gcp-support@example.com + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/logging.viewer + module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]: + condition: [] + members: + - group:gcp-support@example.com + org_id: '123456789012' + role: roles/monitoring.viewer + module.organization.google_organization_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + org_id: '123456789012' + role: roles/owner + module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/resourcemanager.folderAdmin + module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - 
serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/resourcemanager.folderViewer + module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/resourcemanager.organizationAdmin + module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/resourcemanager.projectCreator + module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/resourcemanager.projectMover + module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/resourcemanager.tagAdmin + module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/resourcemanager.tagUser + 
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/resourcemanager.tagViewer + module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]: + condition: [] + members: + - group:gcp-security-admins@fast.example.com + org_id: '123456789012' + role: roles/securitycenter.admin + module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/serviceusage.serviceUsageViewer + module.organization.google_organization_iam_binding.bindings["organization_billing_conditional"]: + condition: + - description: Automation service account delegated grants. + expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/billing.admin','roles/billing.costsManager','roles/billing.user']) + title: automation_sa_delegated_grants + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: organizations/123456789012/roles/organizationIamAdmin + module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]: + condition: + - description: Automation service account delegated grants. 
+ expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyEditor'',''roles/accesscontextmanager.policyReader'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer'']) + + || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/iam.workforcePoolAdmin'',''roles/iam.workforcePoolViewer'']) + + || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/billingViewer'',''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin'']) + + ' + title: automation_sa_delegated_grants + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: organizations/123456789012/roles/organizationIamAdmin + module.organization.google_organization_iam_custom_role.roles["billing_viewer"]: + description: Terraform-managed. + org_id: '123456789012' + permissions: + - billing.accounts.get + - billing.accounts.getIamPolicy + - billing.accounts.getSpendingInformation + - billing.accounts.getUsageExportSpec + - billing.accounts.list + - billing.budgets.get + - billing.budgets.list + - billing.budgets.update + - billing.credits.list + - billing.resourceAssociations.list + - recommender.costInsights.get + - recommender.costInsights.list + role_id: billingViewer + stage: GA + title: Custom role billingViewer + module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]: + description: Terraform-managed. 
+ org_id: '123456789012' + permissions: + - vmwareengine.networkPeerings.create + - vmwareengine.networkPeerings.delete + - vmwareengine.networkPeerings.get + - vmwareengine.networkPeerings.list + - vmwareengine.operations.get + role_id: gcveNetworkAdmin + stage: GA + title: Custom role gcveNetworkAdmin + module.organization.google_organization_iam_custom_role.roles["gcve_network_viewer"]: + description: Terraform-managed. + org_id: '123456789012' + permissions: + - vmwareengine.networkPeerings.get + - vmwareengine.networkPeerings.list + - vmwareengine.operations.get + role_id: gcveNetworkViewer + stage: GA + title: Custom role gcveNetworkViewer + module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]: + description: Terraform-managed. + org_id: '123456789012' + permissions: + - compute.networks.setFirewallPolicy + - networksecurity.firewallEndpointAssociations.create + - networksecurity.firewallEndpointAssociations.delete + - networksecurity.firewallEndpointAssociations.get + - networksecurity.firewallEndpointAssociations.list + - networksecurity.firewallEndpointAssociations.update + role_id: networkFirewallPoliciesAdmin + stage: GA + title: Custom role networkFirewallPoliciesAdmin + module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]: + description: Terraform-managed. 
+ org_id: '123456789012' + permissions: + - networksecurity.firewallEndpoints.create + - networksecurity.firewallEndpoints.delete + - networksecurity.firewallEndpoints.get + - networksecurity.firewallEndpoints.list + - networksecurity.firewallEndpoints.update + - networksecurity.firewallEndpoints.use + - networksecurity.locations.get + - networksecurity.locations.list + - networksecurity.operations.cancel + - networksecurity.operations.delete + - networksecurity.operations.get + - networksecurity.operations.list + - networksecurity.securityProfileGroups.create + - networksecurity.securityProfileGroups.delete + - networksecurity.securityProfileGroups.get + - networksecurity.securityProfileGroups.list + - networksecurity.securityProfileGroups.update + - networksecurity.securityProfileGroups.use + - networksecurity.securityProfiles.create + - networksecurity.securityProfiles.delete + - networksecurity.securityProfiles.get + - networksecurity.securityProfiles.list + - networksecurity.securityProfiles.update + - networksecurity.securityProfiles.use + - networksecurity.tlsInspectionPolicies.create + - networksecurity.tlsInspectionPolicies.delete + - networksecurity.tlsInspectionPolicies.get + - networksecurity.tlsInspectionPolicies.list + - networksecurity.tlsInspectionPolicies.update + - networksecurity.tlsInspectionPolicies.use + role_id: ngfwEnterpriseAdmin + stage: GA + title: Custom role ngfwEnterpriseAdmin + module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]: + description: Terraform-managed. 
+ org_id: '123456789012' + permissions: + - networksecurity.firewallEndpoints.get + - networksecurity.firewallEndpoints.list + - networksecurity.firewallEndpoints.use + - networksecurity.locations.get + - networksecurity.locations.list + - networksecurity.operations.get + - networksecurity.operations.list + - networksecurity.securityProfileGroups.get + - networksecurity.securityProfileGroups.list + - networksecurity.securityProfileGroups.use + - networksecurity.securityProfiles.get + - networksecurity.securityProfiles.list + - networksecurity.securityProfiles.use + - networksecurity.tlsInspectionPolicies.get + - networksecurity.tlsInspectionPolicies.list + - networksecurity.tlsInspectionPolicies.use + role_id: ngfwEnterpriseViewer + stage: GA + title: Custom role ngfwEnterpriseViewer + module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]: + description: Terraform-managed. + org_id: '123456789012' + permissions: + - essentialcontacts.contacts.get + - essentialcontacts.contacts.list + - logging.settings.get + - orgpolicy.constraints.list + - orgpolicy.policies.list + - orgpolicy.policy.get + - resourcemanager.folders.get + - resourcemanager.folders.getIamPolicy + - resourcemanager.folders.list + - resourcemanager.organizations.get + - resourcemanager.organizations.getIamPolicy + - resourcemanager.projects.get + - resourcemanager.projects.getIamPolicy + - resourcemanager.projects.list + - storage.buckets.getIamPolicy + role_id: organizationAdminViewer + stage: GA + title: Custom role organizationAdminViewer + module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]: + description: Terraform-managed. 
+ org_id: '123456789012' + permissions: + - resourcemanager.organizations.get + - resourcemanager.organizations.getIamPolicy + - resourcemanager.organizations.setIamPolicy + role_id: organizationIamAdmin + stage: GA + title: Custom role organizationIamAdmin + module.organization.google_organization_iam_custom_role.roles["project_iam_viewer"]: + description: Terraform-managed. + org_id: '123456789012' + permissions: + - iam.policybindings.get + - iam.policybindings.list + - resourcemanager.projects.get + - resourcemanager.projects.getIamPolicy + - resourcemanager.projects.searchPolicyBindings + role_id: projectIamViewer + stage: GA + title: Custom role projectIamViewer + module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]: + description: Terraform-managed. + org_id: '123456789012' + permissions: + - compute.globalOperations.get + - compute.networks.get + - compute.networks.updatePeering + - compute.organizations.disableXpnResource + - compute.organizations.enableXpnResource + - compute.projects.get + - compute.subnetworks.getIamPolicy + - compute.subnetworks.setIamPolicy + - dns.networks.bindPrivateDNSZone + - resourcemanager.projects.get + role_id: serviceProjectNetworkAdmin + stage: GA + title: Custom role serviceProjectNetworkAdmin + module.organization.google_organization_iam_custom_role.roles["storage_viewer"]: + description: Terraform-managed. 
+ org_id: '123456789012' + permissions: + - storage.buckets.get + - storage.buckets.getIamPolicy + - storage.buckets.getObjectInsights + - storage.buckets.list + - storage.buckets.listEffectiveTags + - storage.buckets.listTagBindings + - storage.managedFolders.get + - storage.managedFolders.getIamPolicy + - storage.managedFolders.list + - storage.multipartUploads.list + - storage.multipartUploads.listParts + - storage.objects.get + - storage.objects.getIamPolicy + - storage.objects.list + role_id: storageViewer + stage: GA + title: Custom role storageViewer + module.organization.google_organization_iam_custom_role.roles["tag_viewer"]: + description: Terraform-managed. + org_id: '123456789012' + permissions: + - resourcemanager.tagHolds.list + - resourcemanager.tagKeys.get + - resourcemanager.tagKeys.getIamPolicy + - resourcemanager.tagKeys.list + - resourcemanager.tagValues.get + - resourcemanager.tagValues.getIamPolicy + - resourcemanager.tagValues.list + role_id: tagViewer + stage: GA + title: Custom role tagViewer + module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]: + description: Terraform-managed. + org_id: '123456789012' + permissions: + - compute.globalOperations.get + role_id: tenantNetworkAdmin + stage: GA + title: Custom role tenantNetworkAdmin + ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"] + : condition: [] + member: group:gcp-security-admins@fast.example.com + org_id: '123456789012' + role: roles/accesscontextmanager.policyAdmin + ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/accesscontextmanager.policyAdmin + ? 
module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/accesscontextmanager.policyAdmin + ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/accesscontextmanager.policyReader + ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/accesscontextmanager.policyReader + ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"] + : condition: [] + member: group:gcp-billing-admins@fast.example.com + org_id: '123456789012' + role: roles/billing.admin + ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"] + : condition: [] + member: group:gcp-organization-admins@fast.example.com + org_id: '123456789012' + role: roles/billing.admin + ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.admin + ? 
module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.admin + ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.viewer + ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.viewer + ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/cloudasset.viewer + ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/cloudasset.viewer + ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"] + : condition: [] + member: group:gcp-vpc-network-admins@fast.example.com + org_id: '123456789012' + role: roles/compute.orgFirewallPolicyAdmin + ? 
module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"] + : condition: [] + member: group:gcp-vpc-network-admins@fast.example.com + org_id: '123456789012' + role: roles/compute.xpnAdmin + ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"] + : condition: [] + member: group:gcp-security-admins@fast.example.com + org_id: '123456789012' + role: roles/iam.organizationRoleAdmin + ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/iam.organizationRoleAdmin + ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/iam.organizationRoleViewer + ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-group:gcp-organization-admins@fast.example.com"] + : condition: [] + member: group:gcp-organization-admins@fast.example.com + org_id: '123456789012' + role: roles/iam.workforcePoolAdmin + ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/iam.workforcePoolAdmin + ? 
module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/iam.workforcePoolViewer + ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"] + : condition: [] + member: group:gcp-organization-admins@fast.example.com + org_id: '123456789012' + role: roles/orgpolicy.policyAdmin + ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"] + : condition: [] + member: group:gcp-security-admins@fast.example.com + org_id: '123456789012' + role: roles/orgpolicy.policyAdmin + ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/orgpolicy.policyAdmin + ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/orgpolicy.policyAdmin + ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/orgpolicy.policyViewer + ? 
module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] + : condition: [] + member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/orgpolicy.policyViewer + module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]: + condition: + - title: audit-logs bucket writer + role: roles/logging.bucketWriter + module.organization.google_project_iam_member.bucket-sinks-binding["iam"]: + condition: + - title: iam bucket writer + role: roles/logging.bucketWriter + module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]: + condition: + - title: vpc-sc bucket writer + role: roles/logging.bucketWriter + module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]: + condition: + - title: workspace-audit-logs bucket writer + role: roles/logging.bucketWriter + module.organization.google_tags_tag_key.default["org-policies"]: + description: Organization policy conditions. + parent: organizations/123456789012 + purpose: null + purpose_data: null + short_name: org-policies + timeouts: null + module.organization.google_tags_tag_value.default["org-policies/allowed-essential-contacts-domains-all"]: + description: Managed by the Terraform organization module. + short_name: allowed-essential-contacts-domains-all + timeouts: null + module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]: + description: Managed by the Terraform organization module. + short_name: allowed-policy-member-domains-all + timeouts: null counts: google_bigquery_dataset: 1 
@@ -334,8 +2350,8 @@ counts:
 google_logging_organization_settings: 1
 google_logging_organization_sink: 4
 google_logging_project_bucket_config: 4
- google_org_policy_custom_constraint: 1
- google_org_policy_policy: 38
+ google_org_policy_custom_constraint: 2
+ google_org_policy_policy: 39
 google_organization_iam_binding: 26
 google_organization_iam_custom_role: 13
 google_organization_iam_member: 31
@@ -356,4 +2372,187 @@ counts: google_tags_tag_value: 2 local_file: 13 modules: 26 - resources: 291 + resources: 293 + +outputs: + custom_roles: + billing_viewer: organizations/123456789012/roles/billingViewer + gcve_network_admin: organizations/123456789012/roles/gcveNetworkAdmin + gcve_network_viewer: organizations/123456789012/roles/gcveNetworkViewer + network_firewall_policies_admin: organizations/123456789012/roles/networkFirewallPoliciesAdmin + ngfw_enterprise_admin: organizations/123456789012/roles/ngfwEnterpriseAdmin + ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer + organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer + organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin + project_iam_viewer: organizations/123456789012/roles/projectIamViewer + service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin + storage_viewer: organizations/123456789012/roles/storageViewer + tag_viewer: organizations/123456789012/roles/tagViewer + tenant_network_admin: organizations/123456789012/roles/tenantNetworkAdmin + outputs_bucket: fast-prod-iac-core-outputs-0 + project_ids: + automation: fast-prod-iac-core-0 + billing-export: fast-prod-billing-exp-0 + log-export: fast-prod-audit-logs-0 + providers: + 0-bootstrap: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n 
*/\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast-prod-iac-core-bootstrap-0\"\n impersonate_service_account\ + \ = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\ + \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for bootstrap\n" + 0-bootstrap-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast-prod-iac-core-bootstrap-0\"\n impersonate_service_account\ + \ = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\ + \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for bootstrap\n" + 1-resman: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * 
http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\ + \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n\ + }\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for resman\n" + 1-resman-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\ + \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ + \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\nprovider \"google-beta\" {\n impersonate_service_account = 
\"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for resman\n" + 1-resman-resman-tenants: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under\ + \ the Apache License, Version 2.0 (the \"License\");\n * you may not use this\ + \ file except in compliance with the License.\n * You may obtain a copy of the\ + \ License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n *\ + \ Unless required by applicable law or agreed to in writing, software\n * distributed\ + \ under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES\ + \ OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License\ + \ for the specific language governing permissions and\n * limitations under\ + \ the License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\ + \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ + \ prefix = \"addons/resman-tenants\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\ + provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for 1-resman-resman-tenants\n" + 1-resman-resman-tenants-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed\ + \ under the Apache License, Version 2.0 (the \"License\");\n * you may not use\ + \ this file except in compliance with the License.\n * You may obtain a copy\ + \ of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n\ + \ *\n * Unless required by applicable law or agreed to in writing, software\n\ + \ * distributed under the License is distributed on an \"AS IS\" BASIS,\n *\ + \ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n\ + \ * See the License for the specific language governing permissions and\n *\ + \ 
limitations under the License.\n */\n\nterraform {\n backend \"gcs\" {\n\ + \ bucket = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\ + \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ + \ prefix = \"addons/resman-tenants\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\ + provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for 1-resman-resman-tenants\n" + 1-vpcsc: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast-prod-iac-core-vpcsc-0\"\n impersonate_service_account\ + \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ + \ prefix = \"vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\ + provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for vpcsc\n" + 1-vpcsc-r: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ + \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ + \ in compliance with the License.\n * You may 
obtain a copy of the License at\n\ + \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ + \ by applicable law or agreed to in writing, software\n * distributed under\ + \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ + \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ + \ the specific language governing permissions and\n * limitations under the\ + \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ + \ = \"fast-prod-iac-core-vpcsc-0\"\n impersonate_service_account\ + \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ + \ prefix = \"vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ + \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\ + provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ + \n}\n\n# end provider.tf for vpcsc\n" + service_accounts: + bootstrap: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + resman: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + tfvars_globals: + billing_account: + force_create: + dataset: false + project: false + id: 000000-111111-222222 + is_org_level: true + no_iam: false + environments: + dev: + is_default: false + key: dev + name: Development + short_name: dev + tag_name: development + prod: + is_default: true + key: prod + name: Production + short_name: prod + tag_name: production + groups: + gcp-billing-admins: group:gcp-billing-admins@fast.example.com + gcp-devops: group:gcp-devops@fast.example.com + gcp-network-admins: group:gcp-vpc-network-admins@fast.example.com + gcp-organization-admins: group:gcp-organization-admins@fast.example.com + gcp-secops-admins: group:gcp-security-admins@fast.example.com + gcp-security-admins: group:gcp-security-admins@fast.example.com + gcp-support: group:gcp-support@example.com + locations: + bq: EU + gcs: EU + logging: 
global + pubsub: [] + organization: + customer_id: C00000000 + domain: fast.example.com + id: 123456789012 + prefix: fast + workforce_identity_pool: + pool: null + workload_identity_pool: __missing__ diff --git a/tests/fast/stages/s0_bootstrap/managed_org_policies.yaml b/tests/fast/stages/s0_bootstrap/managed_org_policies.yaml index a6a4a0fb7..db5ec8b95 100644 --- a/tests/fast/stages/s0_bootstrap/managed_org_policies.yaml +++ b/tests/fast/stages/s0_bootstrap/managed_org_policies.yaml @@ -13,19 +13,6 @@ # limitations under the License. values: - module.organization.google_org_policy_custom_constraint.constraint["custom.disableKubeletReadOnlyPort"]: - action_type: DENY - condition: resource.nodeConfig.kubeletConfig.insecureKubeletReadonlyPortEnabled - == true - description: Disallows the use of Kubelet read-only port 10255 to enhance security - display_name: Disable Kubelet Read-Only Port 10255 - method_types: - - CREATE - - UPDATE - name: custom.disableKubeletReadOnlyPort - parent: organizations/123456789012 - resource_types: - - container.googleapis.com/Cluster module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]: dry_run_spec: [] name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount @@ -40,6 +27,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]: dry_run_spec: [] name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount @@ -54,6 +42,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]: dry_run_spec: [] name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount 
@@ -68,6 +57,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.disableGuestAttributesAccess @@ -82,6 +72,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup @@ -96,6 +87,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.disableNestedVirtualization @@ -110,6 +102,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.disableSerialPortAccess @@ -124,6 +117,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.disableVpcExternalIpv6 @@ -138,6 +132,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.managed.restrictProtocolForwardingCreationForTypes"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.managed.restrictProtocolForwardingCreationForTypes @@ -152,6 +147,7 @@ values: enforce: 'TRUE' parameters: '{"allowedSchemes":["INTERNAL"]}' values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.requireOsLogin"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.requireOsLogin 
@@ -166,6 +162,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes @@ -183,6 +180,7 @@ values: - allowed_values: - in:INTERNAL denied_values: null + timeouts: null module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly @@ -197,6 +195,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation @@ -211,6 +210,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.trustedImageProjects @@ -246,6 +246,7 @@ values: - is:projects/deeplearning-platform-release - is:projects/serverless-vpc-access-images denied_values: null + timeouts: null module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]: dry_run_spec: [] name: organizations/123456789012/policies/compute.vmExternalIpAccess 
@@ -260,6 +261,22 @@ values: enforce: null parameters: null values: [] + timeouts: null + module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]: + dry_run_spec: [] + name: organizations/123456789012/policies/custom.denyBridgePerimeters + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null module.organization.google_org_policy_policy.default["custom.disableKubeletReadOnlyPort"]: dry_run_spec: [] name: organizations/123456789012/policies/custom.disableKubeletReadOnlyPort @@ -274,6 +291,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]: dry_run_spec: [] name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains @@ -309,6 +327,22 @@ values: enforce: null parameters: null values: [] + timeouts: null + module.organization.google_org_policy_policy.default["gcp.resourceLocations"]: + dry_run_spec: [] + name: organizations/123456789012/policies/gcp.resourceLocations + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: 'TRUE' + condition: [] + deny_all: null + enforce: null + parameters: null + values: [] + timeouts: null module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.disableAuditLoggingExemption @@ -323,6 +357,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["iam.managed.allowedPolicyMembers"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.managed.allowedPolicyMembers 
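Review bot: The new `module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]` entry in `@@ -260,6 +261,22 @@` has no matching `google_org_policy_custom_constraint.constraint["custom.denyBridgePerimeters"]` anywhere in this fixture's hunks, and `@@ -13,19 +13,6 @@` removes the only custom constraint resource that was inventoried here (`custom.disableKubeletReadOnlyPort`) while the policy for it stays as context in this hunk. A policy on a custom constraint that the same plan does not create only applies cleanly if the constraint already exists in the organization, so the expected inventory is consistent only if the managed_org_policies test now deliberately excludes the custom-constraints directory (the preceding fixture's counts hunk `@@ -334,8 +2350,8 @@` does go from 1 to 2 custom constraints, which suggests they moved there). Worth confirming which data directory this test loads constraints from, and adding the two constraint resources to this fixture if it should still cover them.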
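Review bot: The new `gcp.resourceLocations` entry in `@@ -309,6 +327,22 @@` pins `allow_all: 'TRUE'` with `enforce: null`, i.e. a resource-location policy that restricts nothing. The fixture is a faithful snapshot of that plan, but if the value comes from the managed org-policies sample data rather than a deliberate test input, that sample file should say so, for example `# placeholder: replace allow-all with the locations or value groups permitted for this organization`, so an allow-all location policy is not shipped as the default by oversight.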
@@ -349,6 +384,7 @@ values: enforce: 'TRUE' parameters: '{"allowedPrincipalSets":["//cloudresourcemanager.googleapis.com/organizations/123456789012"]}' values: [] + timeouts: null module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountKeyCreation"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.managed.disableServiceAccountKeyCreation @@ -363,6 +399,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountKeyUpload"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.managed.disableServiceAccountKeyUpload @@ -377,6 +414,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts @@ -391,6 +429,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse @@ -408,6 +447,7 @@ values: - allowed_values: - DISABLE_KEY denied_values: null + timeouts: null module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts @@ -422,6 +462,7 @@ values: enforce: null parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: dry_run_spec: [] name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders 
@@ -436,6 +477,7 @@ values: enforce: null parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["run.allowedIngress"]: dry_run_spec: [] name: organizations/123456789012/policies/run.allowedIngress @@ -453,6 +495,22 @@ values: - allowed_values: - is:internal-and-cloud-load-balancing denied_values: null + timeouts: null + module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]: + dry_run_spec: [] + name: organizations/123456789012/policies/run.managed.requireInvokerIam + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]: dry_run_spec: [] name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks @@ -467,6 +525,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]: dry_run_spec: [] name: organizations/123456789012/policies/sql.restrictPublicIp @@ -481,6 +540,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]: dry_run_spec: [] name: organizations/123456789012/policies/storage.publicAccessPrevention 
@@ -495,6 +555,25 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null + module.organization.google_org_policy_policy.default["storage.restrictAuthTypes"]: + dry_run_spec: [] + name: organizations/123456789012/policies/storage.restrictAuthTypes + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: null + denied_values: + - in:ALL_HMAC_SIGNED_REQUESTS + timeouts: null module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]: dry_run_spec: [] name: organizations/123456789012/policies/storage.secureHttpTransport @@ -509,6 +588,7 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]: dry_run_spec: [] name: organizations/123456789012/policies/storage.uniformBucketLevelAccess @@ -523,3 +603,4 @@ values: enforce: 'TRUE' parameters: null values: [] + timeouts: null diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml index 28b411747..837cc6227 100644 --- a/tests/fast/stages/s0_bootstrap/simple.yaml +++ b/tests/fast/stages/s0_bootstrap/simple.yaml 
@@ -12,6 +12,1549 @@ # See the License for the specific language governing permissions and # limitations under the License. +values: + module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]: + project: fast-prod-iac-core-0 + module.automation-project.data.google_storage_project_service_account.gcs_sa[0]: + project: fast-prod-iac-core-0 + user_project: null + module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: + email: gcp-organization-admins@fast.example.com + language_tag: en + notification_category_subscriptions: + - ALL + parent: projects/fast-prod-iac-core-0 + timeouts: null + module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: + dry_run_spec: [] + name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation + parent: projects/fast-prod-iac-core-0 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]: + dry_run_spec: [] + name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts + parent: projects/fast-prod-iac-core-0 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: + dry_run_spec: [] + name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation + parent: projects/fast-prod-iac-core-0 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + 
module.automation-project.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]: + dry_run_spec: [] + name: projects/fast-prod-iac-core-0/policies/iam.workloadIdentityPoolProviders + parent: projects/fast-prod-iac-core-0 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: null + parameters: null + values: + - allowed_values: + - https://token.actions.githubusercontent.com + - https://gitlab.com + - https://app.terraform.io + denied_values: null + timeouts: null + module.automation-project.google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: fast-prod-iac-core-0 + org_id: '123456789012' + project_id: fast-prod-iac-core-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]: + audit_log_config: + - exempted_members: [] + log_type: ADMIN_READ + project: fast-prod-iac-core-0 + service: iam.googleapis.com + module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: organizations/123456789012/roles/storageViewer + module.automation-project.google_project_iam_binding.authoritative["roles/browser"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/browser + module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]: + condition: [] + members: + - 
serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/cloudbuild.builds.editor + module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/cloudbuild.builds.viewer + module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]: + condition: [] + members: + - group:gcp-devops@fast.example.com + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/iam.serviceAccountAdmin + module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: + - group:gcp-devops@fast.example.com + - group:gcp-organization-admins@fast.example.com + project: fast-prod-iac-core-0 + role: roles/iam.serviceAccountTokenCreator + module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/iam.serviceAccountViewer + module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/iam.workloadIdentityPoolAdmin + module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/iam.workloadIdentityPoolViewer + 
module.automation-project.google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/owner + module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/source.admin + module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/source.reader + module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]: + condition: [] + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/storage.admin + module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/viewer + module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]: + condition: + - description: Resource manager service account delegated grant. 
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer']) + title: resman_delegated_grant + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/resourcemanager.projectIamAdmin + module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]: + condition: [] + member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/serviceusage.serviceUsageConsumer + module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]: + condition: [] + member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + role: roles/serviceusage.serviceUsageViewer + module.automation-project.google_project_iam_member.service_agents["cloudasset"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/cloudasset.serviceAgent + module.automation-project.google_project_iam_member.service_agents["cloudbuild"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/cloudbuild.serviceAgent + module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/cloudbuild.builds.builder + module.automation-project.google_project_iam_member.service_agents["cloudkms"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/cloudkms.serviceAgent + module.automation-project.google_project_iam_member.service_agents["compute-system"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/compute.serviceAgent + module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/container.serviceAgent + module.automation-project.google_project_iam_member.service_agents["gkenode"]: + 
condition: [] + project: fast-prod-iac-core-0 + role: roles/container.defaultNodeServiceAgent + module.automation-project.google_project_iam_member.service_agents["monitoring-notification"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/monitoring.notificationServiceAgent + module.automation-project.google_project_iam_member.service_agents["pubsub"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/pubsub.serviceAgent + module.automation-project.google_project_iam_member.service_agents["service-networking"]: + condition: [] + project: fast-prod-iac-core-0 + role: roles/servicenetworking.serviceAgent + module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: accesscontextmanager.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: bigquery.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: bigqueryreservation.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: bigquerystorage.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: billingbudgets.googleapis.com + timeouts: null + 
module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudasset.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudbilling.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudbuild.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudquotas.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: cloudresourcemanager.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["compute.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: compute.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["container.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: container.googleapis.com + timeouts: null + 
module.automation-project.google_project_service.project_services["datacatalog.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: datacatalog.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: essentialcontacts.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["iam.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: iam.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: iamcredentials.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["logging.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: logging.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["monitoring.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: monitoring.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: orgpolicy.googleapis.com + timeouts: null + 
module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: pubsub.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: servicenetworking.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: serviceusage.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: storage-component.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: storage.googleapis.com + timeouts: null + module.automation-project.google_project_service.project_services["sts.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-iac-core-0 + service: sts.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]: + project: fast-prod-iac-core-0 + service: cloudasset.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]: + project: fast-prod-iac-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["container.googleapis.com"]: + project: fast-prod-iac-core-0 + service: 
container.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["monitoring.googleapis.com"]: + project: fast-prod-iac-core-0 + service: monitoring.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]: + project: fast-prod-iac-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]: + project: fast-prod-iac-core-0 + service: pubsub.googleapis.com + timeouts: null + module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]: + project: fast-prod-iac-core-0 + service: servicenetworking.googleapis.com + timeouts: null + module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast-prod-iac-core-bootstrap-0 + project: fast-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"] + : condition: [] + org_id: '123456789012' + role: organizations/123456789012/roles/organizationAdminViewer + ? 
module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"] + : condition: [] + org_id: '123456789012' + role: organizations/123456789012/roles/tagViewer + module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]: + account_id: fast-prod-bootstrap-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform organization bootstrap service account (read-only). + email: fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + timeouts: null + ? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] + : condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] + : bucket: fast-prod-iac-core-outputs-0 + condition: [] + role: organizations/123456789012/roles/storageViewer + module.automation-tf-bootstrap-sa.google_service_account.service_account[0]: + account_id: fast-prod-bootstrap-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform organization bootstrap service account. + email: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + timeouts: null + module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? 
module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] + : bucket: fast-prod-iac-core-outputs-0 + condition: [] + role: roles/storage.admin + module.automation-tf-output-gcs.google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast-prod-iac-core-outputs-0 + project: fast-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.automation-tf-resman-gcs.google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast-prod-iac-core-resman-0 + project: fast-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast-prod-iac-core-resman-0 + condition: [] + members: + - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast-prod-iac-core-resman-0 + condition: 
[] + members: + - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.objectViewer + ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"] + : condition: [] + org_id: '123456789012' + role: organizations/123456789012/roles/organizationAdminViewer + ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"] + : condition: [] + org_id: '123456789012' + role: organizations/123456789012/roles/tagViewer + module.automation-tf-resman-r-sa.google_service_account.service_account[0]: + account_id: fast-prod-resman-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform stage 1 resman service account (read-only). + email: fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + timeouts: null + module.automation-tf-resman-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] + : bucket: fast-prod-iac-core-outputs-0 + condition: [] + role: organizations/123456789012/roles/storageViewer + module.automation-tf-resman-sa.google_service_account.service_account[0]: + account_id: fast-prod-resman-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform stage 1 resman service account. 
+ email: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + timeouts: null + module.automation-tf-resman-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] + : bucket: fast-prod-iac-core-outputs-0 + condition: [] + role: roles/storage.admin + module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket[0]: + autoclass: [] + cors: [] + custom_placement_config: [] + default_event_based_hold: null + effective_labels: + goog-terraform-provisioned: 'true' + enable_object_retention: null + encryption: [] + force_destroy: false + hierarchical_namespace: [] + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast-prod-iac-core-vpcsc-0 + project: fast-prod-iac-core-0 + requester_pays: null + retention_policy: [] + storage_class: STANDARD + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast-prod-iac-core-vpcsc-0 + condition: [] + members: + - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast-prod-iac-core-vpcsc-0 + condition: [] + members: + - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]: + account_id: fast-prod-vpcsc-0r + 
create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform stage 1 vpcsc service account (read-only). + email: fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + timeouts: null + module.automation-tf-vpcsc-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] + : bucket: fast-prod-iac-core-outputs-0 + condition: [] + role: organizations/123456789012/roles/storageViewer + module.automation-tf-vpcsc-sa.google_service_account.service_account[0]: + account_id: fast-prod-vpcsc-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform stage 1 vpcsc service account. + email: fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com + member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-iac-core-0 + timeouts: null + module.automation-tf-vpcsc-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: + - group:gcp-security-admins@fast.example.com + role: roles/iam.serviceAccountTokenCreator + ? 
module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] + : bucket: fast-prod-iac-core-outputs-0 + condition: [] + role: roles/storage.admin + module.billing-export-dataset[0].google_bigquery_dataset.default: + dataset_id: billing_export + default_encryption_configuration: [] + default_partition_expiration_ms: null + default_table_expiration_ms: null + delete_contents_on_destroy: false + description: Terraform managed. + effective_labels: + goog-terraform-provisioned: 'true' + external_catalog_dataset_options: [] + external_dataset_reference: [] + friendly_name: Billing export. + labels: null + location: EU + max_time_travel_hours: '168' + project: fast-prod-billing-exp-0 + resource_tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]: + project: fast-prod-billing-exp-0 + module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]: + project: fast-prod-billing-exp-0 + user_project: null + module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: + email: gcp-organization-admins@fast.example.com + language_tag: en + notification_category_subscriptions: + - ALL + parent: projects/fast-prod-billing-exp-0 + timeouts: null + module.billing-export-project[0].google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: fast-prod-billing-exp-0 + org_id: '123456789012' + project_id: fast-prod-billing-exp-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - 
serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-billing-exp-0 + role: roles/owner + module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-billing-exp-0 + role: roles/viewer + module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]: + condition: [] + project: fast-prod-billing-exp-0 + role: roles/bigquerydatatransfer.serviceAgent + module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-billing-exp-0 + service: bigquery.googleapis.com + timeouts: null + module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-billing-exp-0 + service: bigquerydatatransfer.googleapis.com + timeouts: null + module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-billing-exp-0 + service: storage.googleapis.com + timeouts: null + module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]: + project: fast-prod-billing-exp-0 + service: bigquerydatatransfer.googleapis.com + timeouts: null + module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]: + bucket_id: audit-logs + cmek_settings: [] + enable_analytics: true + index_configs: [] + location: global + locked: null + project: fast-prod-audit-logs-0 + retention_days: 30 + module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]: + bucket_id: iam + cmek_settings: [] + 
enable_analytics: true + index_configs: [] + location: global + locked: null + project: fast-prod-audit-logs-0 + retention_days: 30 + module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]: + bucket_id: vpc-sc + cmek_settings: [] + enable_analytics: true + index_configs: [] + location: global + locked: null + project: fast-prod-audit-logs-0 + retention_days: 30 + module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]: + bucket_id: workspace-audit-logs + cmek_settings: [] + enable_analytics: true + index_configs: [] + location: global + locked: null + project: fast-prod-audit-logs-0 + retention_days: 30 + module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]: + project: fast-prod-audit-logs-0 + module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]: + project: fast-prod-audit-logs-0 + user_project: null + module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: + email: gcp-organization-admins@fast.example.com + language_tag: en + notification_category_subscriptions: + - ALL + parent: projects/fast-prod-audit-logs-0 + timeouts: null + module.log-export-project.google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + deletion_policy: DELETE + effective_labels: + goog-terraform-provisioned: 'true' + folder_id: null + labels: null + name: fast-prod-audit-logs-0 + org_id: '123456789012' + project_id: fast-prod-audit-logs-0 + tags: null + terraform_labels: + goog-terraform-provisioned: 'true' + timeouts: null + module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-audit-logs-0 + role: roles/owner + module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]: + condition: 
[] + members: + - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + project: fast-prod-audit-logs-0 + role: roles/viewer + module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-audit-logs-0 + service: bigquery.googleapis.com + timeouts: null + module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-audit-logs-0 + service: stackdriver.googleapis.com + timeouts: null + module.log-export-project.google_project_service.project_services["storage.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-audit-logs-0 + service: storage.googleapis.com + timeouts: null + module.organization-logging.google_logging_organization_settings.default[0]: + organization: '123456789012' + storage_location: global + timeouts: null + module.organization.google_logging_organization_sink.sink["audit-logs"]: + description: audit-logs (Terraform-managed). + disabled: false + exclusions: [] + filter: 'log_id("cloudaudit.googleapis.com/activity") OR + + log_id("cloudaudit.googleapis.com/system_event") OR + + log_id("cloudaudit.googleapis.com/policy") OR + + log_id("cloudaudit.googleapis.com/access_transparency") + + ' + include_children: true + intercept_children: false + name: audit-logs + org_id: '123456789012' + module.organization.google_logging_organization_sink.sink["iam"]: + description: iam (Terraform-managed). 
+ disabled: false + exclusions: [] + filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR + + protoPayload.serviceName="iam.googleapis.com" OR + + protoPayload.serviceName="sts.googleapis.com" + + ' + include_children: true + intercept_children: false + name: iam + org_id: '123456789012' + module.organization.google_logging_organization_sink.sink["vpc-sc"]: + description: vpc-sc (Terraform-managed). + disabled: false + exclusions: [] + filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" + + ' + include_children: true + intercept_children: false + name: vpc-sc + org_id: '123456789012' + module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]: + description: workspace-audit-logs (Terraform-managed). + disabled: false + exclusions: [] + filter: 'protoPayload.serviceName="admin.googleapis.com" OR + + protoPayload.serviceName="cloudidentity.googleapis.com" OR + + protoPayload.serviceName="login.googleapis.com" + + ' + include_children: true + intercept_children: false + name: workspace-audit-logs + org_id: '123456789012' + module.organization.google_org_policy_custom_constraint.constraint["custom.denyBridgePerimeters"]: + action_type: DENY + condition: resource.perimeterType == 'PERIMETER_TYPE_BRIDGE' + description: Disables the use of perimeter bridges. Instead, use ingress and egress + rules. 
+ display_name: Disable perimeter bridges + method_types: + - CREATE + - UPDATE + name: custom.denyBridgePerimeters + parent: organizations/123456789012 + resource_types: + - accesscontextmanager.googleapis.com/ServicePerimeter + timeouts: null + module.organization.google_org_policy_custom_constraint.constraint["custom.disableKubeletReadOnlyPort"]: + action_type: DENY + condition: resource.nodeConfig.kubeletConfig.insecureKubeletReadonlyPortEnabled + == true + description: Disallows the use of Kubelet read-only port 10255 to enhance security + display_name: Disable Kubelet Read-Only Port 10255 + method_types: + - CREATE + - UPDATE + name: custom.disableKubeletReadOnlyPort + parent: organizations/123456789012 + resource_types: + - container.googleapis.com/Cluster + timeouts: null + module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]: + dry_run_spec: [] + name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount + parent: organizations/123456789012 + spec: + - inherit_from_parent: null + reset: null + rules: + - allow_all: null + condition: [] + deny_all: null + enforce: 'TRUE' + parameters: null + values: [] + timeouts: null + module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]: + condition: [] + members: null + org_id: '123456789012' + role: roles/billing.creator + module.organization.google_organization_iam_binding.authoritative["roles/browser"]: + condition: [] + members: + - domain:fast.example.com + org_id: '123456789012' + role: roles/browser + module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]: + condition: [] + members: + - group:gcp-organization-admins@fast.example.com + - group:gcp-security-admins@fast.example.com + - group:gcp-vpc-network-admins@fast.example.com + org_id: '123456789012' + role: roles/cloudasset.owner + 
module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/cloudsupport.admin
+ module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ - group:gcp-support@example.com
+ - group:gcp-vpc-network-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/cloudsupport.techSupportEditor
+ module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/compute.osAdminLogin
+ module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/compute.osLoginExternalUser
+ module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/essentialcontacts.admin
+ module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/essentialcontacts.viewer
+ module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/iam.securityReviewer
+ module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/logging.admin
+ module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
+ condition: []
+ members:
+ - group:gcp-support@example.com
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/logging.viewer
+ module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]:
+ condition: []
+ members:
+ - group:gcp-support@example.com
+ org_id: '123456789012'
+ role: roles/monitoring.viewer
+ module.organization.google_organization_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/owner
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.folderAdmin
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.folderViewer
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.organizationAdmin
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.projectCreator
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.projectMover
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.tagAdmin
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.tagUser
+ module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/resourcemanager.tagViewer
+ module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/securitycenter.admin
+ module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/serviceusage.serviceUsageViewer
+ module.organization.google_organization_iam_binding.bindings["organization_billing_conditional"]:
+ condition:
+ - description: Automation service account delegated grants.
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/billing.admin','roles/billing.costsManager','roles/billing.user'])
+ title: automation_sa_delegated_grants
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/organizationIamAdmin
+ module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]:
+ condition:
+ - description: Automation service account delegated grants.
+ expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyEditor'',''roles/accesscontextmanager.policyReader'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer''])
+
+ || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/iam.workforcePoolAdmin'',''roles/iam.workforcePoolViewer''])
+
+ || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/billingViewer'',''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin''])
+
+ '
+ title: automation_sa_delegated_grants
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/organizationIamAdmin
+ module.organization.google_organization_iam_custom_role.roles["billing_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - billing.accounts.get
+ - billing.accounts.getIamPolicy
+ - billing.accounts.getSpendingInformation
+ - billing.accounts.getUsageExportSpec
+ - billing.accounts.list
+ - billing.budgets.get
+ - billing.budgets.list
+ - billing.budgets.update
+ - billing.credits.list
+ - billing.resourceAssociations.list
+ - recommender.costInsights.get
+ - recommender.costInsights.list
+ role_id: billingViewer
+ stage: GA
+ title: Custom role billingViewer
+ module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - vmwareengine.networkPeerings.create
+ - vmwareengine.networkPeerings.delete
+ - vmwareengine.networkPeerings.get
+ - vmwareengine.networkPeerings.list
+ - vmwareengine.operations.get
+ role_id: gcveNetworkAdmin
+ stage: GA
+ title: Custom role gcveNetworkAdmin
+ module.organization.google_organization_iam_custom_role.roles["gcve_network_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - vmwareengine.networkPeerings.get
+ - vmwareengine.networkPeerings.list
+ - vmwareengine.operations.get
+ role_id: gcveNetworkViewer
+ stage: GA
+ title: Custom role gcveNetworkViewer
+ module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - compute.networks.setFirewallPolicy
+ - networksecurity.firewallEndpointAssociations.create
+ - networksecurity.firewallEndpointAssociations.delete
+ - networksecurity.firewallEndpointAssociations.get
+ - networksecurity.firewallEndpointAssociations.list
+ - networksecurity.firewallEndpointAssociations.update
+ role_id: networkFirewallPoliciesAdmin
+ stage: GA
+ title: Custom role networkFirewallPoliciesAdmin
+ module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - networksecurity.firewallEndpoints.create
+ - networksecurity.firewallEndpoints.delete
+ - networksecurity.firewallEndpoints.get
+ - networksecurity.firewallEndpoints.list
+ - networksecurity.firewallEndpoints.update
+ - networksecurity.firewallEndpoints.use
+ - networksecurity.locations.get
+ - networksecurity.locations.list
+ - networksecurity.operations.cancel
+ - networksecurity.operations.delete
+ - networksecurity.operations.get
+ - networksecurity.operations.list
+ - networksecurity.securityProfileGroups.create
+ - networksecurity.securityProfileGroups.delete
+ - networksecurity.securityProfileGroups.get
+ - networksecurity.securityProfileGroups.list
+ - networksecurity.securityProfileGroups.update
+ - networksecurity.securityProfileGroups.use
+ - networksecurity.securityProfiles.create
+ - networksecurity.securityProfiles.delete
+ - networksecurity.securityProfiles.get
+ - networksecurity.securityProfiles.list
+ - networksecurity.securityProfiles.update
+ - networksecurity.securityProfiles.use
+ - networksecurity.tlsInspectionPolicies.create
+ - networksecurity.tlsInspectionPolicies.delete
+ - networksecurity.tlsInspectionPolicies.get
+ - networksecurity.tlsInspectionPolicies.list
+ - networksecurity.tlsInspectionPolicies.update
+ - networksecurity.tlsInspectionPolicies.use
+ role_id: ngfwEnterpriseAdmin
+ stage: GA
+ title: Custom role ngfwEnterpriseAdmin
+ module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - networksecurity.firewallEndpoints.get
+ - networksecurity.firewallEndpoints.list
+ - networksecurity.firewallEndpoints.use
+ - networksecurity.locations.get
+ - networksecurity.locations.list
+ - networksecurity.operations.get
+ - networksecurity.operations.list
+ - networksecurity.securityProfileGroups.get
+ - networksecurity.securityProfileGroups.list
+ - networksecurity.securityProfileGroups.use
+ - networksecurity.securityProfiles.get
+ - networksecurity.securityProfiles.list
+ - networksecurity.securityProfiles.use
+ - networksecurity.tlsInspectionPolicies.get
+ - networksecurity.tlsInspectionPolicies.list
+ - networksecurity.tlsInspectionPolicies.use
+ role_id: ngfwEnterpriseViewer
+ stage: GA
+ title: Custom role ngfwEnterpriseViewer
+ module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - essentialcontacts.contacts.get
+ - essentialcontacts.contacts.list
+ - logging.settings.get
+ - orgpolicy.constraints.list
+ - orgpolicy.policies.list
+ - orgpolicy.policy.get
+ - resourcemanager.folders.get
+ - resourcemanager.folders.getIamPolicy
+ - resourcemanager.folders.list
+ - resourcemanager.organizations.get
+ - resourcemanager.organizations.getIamPolicy
+ - resourcemanager.projects.get
+ - resourcemanager.projects.getIamPolicy
+ - resourcemanager.projects.list
+ - storage.buckets.getIamPolicy
+ role_id: organizationAdminViewer
+ stage: GA
+ title: Custom role organizationAdminViewer
+ module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - resourcemanager.organizations.get
+ - resourcemanager.organizations.getIamPolicy
+ - resourcemanager.organizations.setIamPolicy
+ role_id: organizationIamAdmin
+ stage: GA
+ title: Custom role organizationIamAdmin
+ module.organization.google_organization_iam_custom_role.roles["project_iam_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - iam.policybindings.get
+ - iam.policybindings.list
+ - resourcemanager.projects.get
+ - resourcemanager.projects.getIamPolicy
+ - resourcemanager.projects.searchPolicyBindings
+ role_id: projectIamViewer
+ stage: GA
+ title: Custom role projectIamViewer
+ module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - compute.globalOperations.get
+ - compute.networks.get
+ - compute.networks.updatePeering
+ - compute.organizations.disableXpnResource
+ - compute.organizations.enableXpnResource
+ - compute.projects.get
+ - compute.subnetworks.getIamPolicy
+ - compute.subnetworks.setIamPolicy
+ - dns.networks.bindPrivateDNSZone
+ - resourcemanager.projects.get
+ role_id: serviceProjectNetworkAdmin
+ stage: GA
+ title: Custom role serviceProjectNetworkAdmin
+ module.organization.google_organization_iam_custom_role.roles["storage_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - storage.buckets.get
+ - storage.buckets.getIamPolicy
+ - storage.buckets.getObjectInsights
+ - storage.buckets.list
+ - storage.buckets.listEffectiveTags
+ - storage.buckets.listTagBindings
+ - storage.managedFolders.get
+ - storage.managedFolders.getIamPolicy
+ - storage.managedFolders.list
+ - storage.multipartUploads.list
+ - storage.multipartUploads.listParts
+ - storage.objects.get
+ - storage.objects.getIamPolicy
+ - storage.objects.list
+ role_id: storageViewer
+ stage: GA
+ title: Custom role storageViewer
+ module.organization.google_organization_iam_custom_role.roles["tag_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - resourcemanager.tagHolds.list
+ - resourcemanager.tagKeys.get
+ - resourcemanager.tagKeys.getIamPolicy
+ - resourcemanager.tagKeys.list
+ - resourcemanager.tagValues.get
+ - resourcemanager.tagValues.getIamPolicy
+ - resourcemanager.tagValues.list
+ role_id: tagViewer
+ stage: GA
+ title: Custom role tagViewer
+ module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - compute.globalOperations.get
+ role_id: tenantNetworkAdmin
+ stage: GA
+ title: Custom role tenantNetworkAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyReader
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyReader
+ ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-billing-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/billing.admin
+ ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/billing.admin
+ ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.admin
+ ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.admin
+ ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.viewer
+ ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.viewer
+ ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/cloudasset.viewer
+ ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/cloudasset.viewer
+ ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-vpc-network-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/compute.orgFirewallPolicyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-vpc-network-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/compute.xpnAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/iam.organizationRoleAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.organizationRoleAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.organizationRoleViewer
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-group:gcp-organization-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/iam.workforcePoolAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.workforcePoolAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/iam.workforcePoolViewer
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-organization-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"]
+ : condition: []
+ member: group:gcp-security-admins@fast.example.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyViewer
+ ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyViewer
+ module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]:
+ condition:
+ - title: audit-logs bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_project_iam_member.bucket-sinks-binding["iam"]:
+ condition:
+ - title: iam bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]:
+ condition:
+ - title: vpc-sc bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]:
+ condition:
+ - title: workspace-audit-logs bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_tags_tag_key.default["org-policies"]:
+ description: Organization policy conditions.
+ parent: organizations/123456789012
+ purpose: null
+ purpose_data: null
+ short_name: org-policies
+ timeouts: null
+ module.organization.google_tags_tag_value.default["org-policies/allowed-essential-contacts-domains-all"]:
+ description: Managed by the Terraform organization module.
+ short_name: allowed-essential-contacts-domains-all
+ timeouts: null
+ module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]:
+ description: Managed by the Terraform organization module.
+ short_name: allowed-policy-member-domains-all
+ timeouts: null
+
 counts:
 google_bigquery_dataset: 1
 google_bigquery_default_service_account: 3
@@ -19,8 +1562,8 @@ counts:
 google_logging_organization_settings: 1
 google_logging_organization_sink: 4
 google_logging_project_bucket_config: 4
- google_org_policy_custom_constraint: 1
- google_org_policy_policy: 38
+ google_org_policy_custom_constraint: 2
+ google_org_policy_policy: 39
 google_organization_iam_binding: 26
 google_organization_iam_custom_role: 13
 google_organization_iam_member: 31
@@ -41,11 +1584,9 @@ counts:
 google_tags_tag_value: 2
 local_file: 8
 modules: 20
- resources: 254
+ resources: 256

 outputs:
- automation: __missing__
- billing_dataset: __missing__
 cicd_repositories: {}
 custom_roles:
 billing_viewer: organizations/123456789012/roles/billingViewer
@@ -69,7 +1610,6 @@ outputs:
 service_accounts:
 bootstrap: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
 resman: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- tfvars: __missing__
 tfvars_globals:
 billing_account:
 force_create:
diff --git a/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml b/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml
index ea7be607c..7131d08ea 100644
--- a/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml
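Review bot: The outputs hunk (`@@ -41,11 +1584,9 @@`) removes `automation: __missing__` and `billing_dataset: __missing__`, and the following hunk removes `tfvars: __missing__`, without replacing them with expected values, so this inventory no longer asserts anything about those three outputs. If they are now resolvable at plan time, pinning their expected value (even a partial mapping) keeps that covered; if they are still unknown at plan time, keeping the `__missing__` sentinel preserves the check. The counts hunk is consistent with the rest of the change (`google_org_policy_custom_constraint: 2`, `google_org_policy_policy: 39`, `resources: 256`), so this is a coverage question rather than a correctness one.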
@@ -13,33 +13,6 @@
 # limitations under the License.

 values:
- module.organization.google_org_policy_custom_constraint.constraint["custom.disableKubeletReadOnlyPort"]:
- action_type: DENY
- condition: resource.nodeConfig.kubeletConfig.insecureKubeletReadonlyPortEnabled
- == true
- description: Disallows the use of Kubelet read-only port 10255 to enhance security
- display_name: Disable Kubelet Read-Only Port 10255
- method_types:
- - CREATE
- - UPDATE
- name: custom.disableKubeletReadOnlyPort
- parent: organizations/123456789012
- resource_types:
- - container.googleapis.com/Cluster
- module.organization.google_org_policy_policy.default["cloudbuild.disableCreateDefaultServiceAccount"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/cloudbuild.disableCreateDefaultServiceAccount
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
 module.organization.google_org_policy_policy.default["cloudbuild.useBuildServiceAccount"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/cloudbuild.useBuildServiceAccount
@@ -54,6 +27,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["cloudbuild.useComputeServiceAccount"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/cloudbuild.useComputeServiceAccount
@@ -68,6 +42,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
@@ -82,6 +57,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.disableInternetNetworkEndpointGroup"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.disableInternetNetworkEndpointGroup
@@ -96,6 +72,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.disableNestedVirtualization
@@ -110,6 +87,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.disableSerialPortAccess
@@ -124,6 +102,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.disableVpcExternalIpv6"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.disableVpcExternalIpv6
@@ -138,6 +117,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.requireOsLogin
@@ -152,6 +132,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
@@ -169,6 +150,7 @@ values:
 - allowed_values:
 - in:INTERNAL
 denied_values: null
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.restrictProtocolForwardingCreationForTypes"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.restrictProtocolForwardingCreationForTypes
@@ -186,6 +168,7 @@ values:
 - allowed_values:
 - INTERNAL
 denied_values: null
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly
@@ -200,6 +183,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
@@ -214,6 +198,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.trustedImageProjects
@@ -253,6 +238,7 @@ values:
 - is:projects/gke-windows-node-images
 - is:projects/ubuntu-os-gke-cloud
 denied_values: null
+ timeouts: null
 module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/compute.vmExternalIpAccess
@@ -267,6 +253,22 @@ values:
 enforce: null
 parameters: null
 values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/custom.denyBridgePerimeters
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["custom.disableKubeletReadOnlyPort"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/custom.disableKubeletReadOnlyPort
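Review bot: The new `custom.denyBridgePerimeters` policy entry in `@@ -267,6 +253,22 @@` follows the existing shape, but the context line right after it still asserts the `custom.disableKubeletReadOnlyPort` policy while the first hunk of this file (`@@ -13,33 +13,6 @@`) drops the `google_org_policy_custom_constraint.constraint["custom.disableKubeletReadOnlyPort"]` entry that pinned its `condition` and `action_type: DENY`. Unless that constraint definition is now asserted in the inventory that precedes this file in the diff (its constraint count goes from 1 to 2, which suggests it may be), this test no longer catches a regression in the part of the constraint that actually blocks the read-only port. A one-line comment above the `custom.disableKubeletReadOnlyPort` policy entry, e.g. `# constraint definition is asserted in the main inventory`, would make the split intentional rather than accidental.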
@@ -281,6 +283,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains
@@ -316,6 +319,22 @@ values:
 enforce: null
 parameters: null
 values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["gcp.resourceLocations"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/gcp.resourceLocations
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: 'TRUE'
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
@@ -351,6 +370,7 @@ values:
 enforce: null
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts
@@ -365,6 +385,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["iam.disableAuditLoggingExemption"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/iam.disableAuditLoggingExemption
@@ -379,6 +400,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
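Review bot: The new `gcp.resourceLocations` entry in `@@ -316,6 +319,22 @@` pins `allow_all: 'TRUE'` as the expected managed state, which is a policy that restricts nothing, and a test that expects allow-all will keep passing if a deployment never narrows it. If the sample org-policies data this inventory is derived from uses allow-all as a placeholder, that is worth stating next to the rule in the sample file rather than only implicitly here, e.g. `# placeholder: replace allow_all with the locations permitted for this organization`. If the sample is meant as a usable baseline, asserting a restricted `allowed_values` list would be the safer expectation.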
@@ -393,6 +415,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload
@@ -407,6 +430,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
@@ -424,6 +448,7 @@ values:
 - allowed_values:
 - DISABLE_KEY
 denied_values: null
+ timeouts: null
 module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolAwsAccounts"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/iam.workloadIdentityPoolAwsAccounts
@@ -438,6 +463,7 @@ values:
 enforce: null
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["iam.workloadIdentityPoolProviders"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/iam.workloadIdentityPoolProviders
@@ -452,6 +478,7 @@ values:
 enforce: null
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["run.allowedIngress"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/run.allowedIngress
@@ -469,6 +496,7 @@ values:
 - allowed_values:
 - is:internal-and-cloud-load-balancing
 denied_values: null
+ timeouts: null
 module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/run.managed.requireInvokerIam
@@ -498,6 +526,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/sql.restrictPublicIp
@@ -512,6 +541,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/storage.publicAccessPrevention
@@ -526,6 +556,25 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["storage.restrictAuthTypes"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/storage.restrictAuthTypes
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ parameters: null
+ values:
+ - allowed_values: null
+ denied_values:
+ - in:ALL_HMAC_SIGNED_REQUESTS
+ timeouts: null
 module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/storage.secureHttpTransport
@@ -540,6 +589,7 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
@@ -554,3 +604,4 @@ values:
 enforce: 'TRUE'
 parameters: null
 values: []
+ timeouts: null
diff --git a/tests/fast/stages/s0_bootstrap/simple_projects.yaml b/tests/fast/stages/s0_bootstrap/simple_projects.yaml
deleted file mode 100644
index c25391ab8..000000000
--- a/tests/fast/stages/s0_bootstrap/simple_projects.yaml
+++ /dev/null
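Review bot: The hunk at `@@ -526,6 +556,25 @@` expects `storage.restrictAuthTypes` to deny `in:ALL_HMAC_SIGNED_REQUESTS` at the organization, which as I read that constraint value rejects every Cloud Storage request signed with an HMAC (interoperability) key org-wide, including existing S3-compatible tooling. That is a sound hardening default, but it is a breaking change for such workloads and the inventory gives no hint that it is expected to be relaxed below the org; a one-line note would help, e.g. `# denies HMAC-key (S3 interop) auth org-wide; override at folder/project level where required`. The data file that defines the policy is outside this view, and the enclosing `values:` mapping starts before the hunk.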
@@ -1,33 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
- module.automation-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- name: fast-prod-iac-core-0
- org_id: '123456789012'
- project_id: fast-prod-iac-core-0
- module.billing-export-project[0].google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- name: fast-prod-billing-exp-0
- org_id: '123456789012'
- project_id: fast-prod-billing-exp-0
- module.log-export-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- name: fast-prod-audit-logs-0
- org_id: '123456789012'
- project_id: fast-prod-audit-logs-0
diff --git a/tests/fast/stages/s0_bootstrap/tftest.yaml b/tests/fast/stages/s0_bootstrap/tftest.yaml
index 9d72b9c8e..5118d8577 100644
--- a/tests/fast/stages/s0_bootstrap/tftest.yaml
+++ b/tests/fast/stages/s0_bootstrap/tftest.yaml
@@ -18,14 +18,10 @@ tests:
 simple:
 inventory:
 - simple.yaml
- - simple_projects.yaml
- - simple_sas.yaml
 - simple_org_policies.yaml
 managed_org_policies:
 inventory:
 - simple.yaml
- - simple_projects.yaml
- - simple_sas.yaml
 - managed_org_policies.yaml
 iam_by_principals:
 cicd:
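Review bot: The tftest.yaml hunk at `@@ -18,14 +18,10 @@` drops `simple_projects.yaml` and `simple_sas.yaml` from both the `simple` and `managed_org_policies` inventories, and `simple_projects.yaml` is deleted in the same commit, so the plan assertions on the three bootstrap projects (notably `auto_create_network: false`, `org_id` and `billing_account`) and on the bootstrap/resman service-account ids no longer run unless they were folded into `simple.yaml`, which is outside this view. If they were not, those expectations should be re-added to `simple.yaml` rather than silently dropped, since `auto_create_network: false` is the check that keeps the default network out of the IaC, billing-export and log-export projects. The `tests:` mapping continues past the end of the hunk.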
