diff --git a/fast/stages/0-org-setup/datasets/classic/folders/teams/.config.yaml b/fast/stages/0-org-setup/datasets/classic/folders/teams/.config.yaml
index a186eb914..5cbd93e25 100644
--- a/fast/stages/0-org-setup/datasets/classic/folders/teams/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/folders/teams/.config.yaml
@@ -23,6 +23,8 @@ iam_by_principals:
- roles/resourcemanager.tagUser
- $custom_roles:service_project_network_admin
$iam_principals:service_accounts/iac-0/iac-pf-ro:
+ # uncomment if you want to use Assured Workloads
+ # - roles/assuredworkloads.reader
- roles/viewer
- roles/resourcemanager.folderViewer
- roles/resourcemanager.tagViewer
diff --git a/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml b/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml
index fe5e48060..7de12fe33 100644
--- a/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/organization/.config.yaml
@@ -92,6 +92,9 @@ iam_by_principals:
# uncomment for cooperative VPC-SC configurations
# $iam_principals:service_accounts/iac-0/iac-pw-rw:
# - roles/accesscontextmanager.policyEditor
+ # uncomment if you want to use Assured Workloads
+ # $iam_principals:service_accounts/iac-0/iac-pf-rw:
+ # - roles/assuredworkloads.editor
$iam_principals:service_accounts/iac-0/iac-security-rw:
# uncomment for cooperative VPC-SC configurations
# - roles/accesscontextmanager.policyEditor
diff --git a/fast/stages/0-org-setup/datasets/classic/projects/core/iac-0.yaml b/fast/stages/0-org-setup/datasets/classic/projects/core/iac-0.yaml
index eb97bd974..0b234f28f 100644
--- a/fast/stages/0-org-setup/datasets/classic/projects/core/iac-0.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/projects/core/iac-0.yaml
@@ -47,6 +47,8 @@ iam_by_principals:
- roles/serviceusage.serviceUsageConsumer
services:
- accesscontextmanager.googleapis.com
+# uncomment if you want to use Assured Workloads
+# - assuredworkloads.googleapis.com
- bigquery.googleapis.com
- bigqueryreservation.googleapis.com
- bigquerystorage.googleapis.com
diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/.config.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/.config.yaml
index ae282ba27..35deaced9 100644
--- a/fast/stages/0-org-setup/datasets/hardened/organization/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/organization/.config.yaml
@@ -93,6 +93,9 @@ iam_by_principals:
# uncomment for cooperative VPC-SC configurations
# $iam_principals:service_accounts/iac-0/iac-pw-rw:
# - roles/accesscontextmanager.policyEditor
+ # uncomment if you want to use Assured Workloads
+ # $iam_principals:service_accounts/iac-0/iac-pf-rw:
+ # - roles/assuredworkloads.editor
$iam_principals:service_accounts/iac-0/iac-security-rw:
# uncomment for cooperative VPC-SC configurations
# - roles/accesscontextmanager.policyEditor
diff --git a/fast/stages/0-org-setup/datasets/hardened/projects/core/iac-0.yaml b/fast/stages/0-org-setup/datasets/hardened/projects/core/iac-0.yaml
index d1879bfe8..e6032bfaa 100644
--- a/fast/stages/0-org-setup/datasets/hardened/projects/core/iac-0.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/projects/core/iac-0.yaml
@@ -47,6 +47,8 @@ iam_by_principals:
- roles/serviceusage.serviceUsageConsumer
services:
- accesscontextmanager.googleapis.com
+# uncomment if you want to use Assured Workloads
+# - assuredworkloads.googleapis.com
- bigquery.googleapis.com
- bigqueryreservation.googleapis.com
- bigquerystorage.googleapis.com
diff --git a/fast/stages/0-org-setup/schemas/folder.schema.json b/fast/stages/0-org-setup/schemas/folder.schema.json
index 21e8b8d3b..393f49d0c 100644
--- a/fast/stages/0-org-setup/schemas/folder.schema.json
+++ b/fast/stages/0-org-setup/schemas/folder.schema.json
@@ -349,6 +349,9 @@
"pam_entitlements": {
"$ref": "#/$defs/pam_entitlements"
},
+ "assured_workload_config": {
+ "$ref": "#/$defs/assured_workload_config"
+ },
"parent": {
"type": "string",
"pattern": "^(?:folders/[0-9]+|organizations/[0-9]+|\\$folder_ids:[a-z0-9_-]+)$"
@@ -767,6 +770,95 @@
"additionalProperties": false
}
}
+ },
+ "assured_workload_config": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "compliance_regime": {
+ "type": "string",
+ "enum": [
+ "ASSURED_WORKLOADS_FOR_PARTNERS",
+ "AU_REGIONS_AND_US_SUPPORT",
+ "CA_PROTECTED_B",
+ "CA_REGIONS_AND_SUPPORT",
+ "CJIS",
+ "COMPLIANCE_REGIME_UNSPECIFIED",
+ "EU_REGIONS_AND_SUPPORT",
+ "FEDRAMP_HIGH",
+ "FEDRAMP_MODERATE",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
+ "HIPAA",
+ "HITRUST",
+ "IL2",
+ "IL4",
+ "IL5",
+ "IRS_1075",
+ "ISR_REGIONS_AND_SUPPORT",
+ "ISR_REGIONS",
+ "ITAR",
+ "JP_REGIONS_AND_SUPPORT",
+ "KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
+ "REGIONAL_CONTROLS",
+ "US_REGIONAL_ACCESS"
+ ]
+ },
+ "display_name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "organization": {
+ "type": "string"
+ },
+ "enable_sovereign_controls": {
+ "type": "boolean"
+ },
+ "labels": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "partner": {
+ "type": "string",
+ "enum": [
+ "LOCAL_CONTROLS_BY_S3NS",
+ "PARTNER_UNSPECIFIED",
+ "SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM",
+ "SOVEREIGN_CONTROLS_BY_CNTXT",
+ "SOVEREIGN_CONTROLS_BY_PSN",
+ "SOVEREIGN_CONTROLS_BY_SIA_MINSAIT",
+ "SOVEREIGN_CONTROLS_BY_T_SYSTEMS"
+ ]
+ },
+ "partner_permissions": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "assured_workloads_monitoring": {
+ "type": "boolean"
+ },
+ "data_logs_viewer": {
+ "type": "boolean"
+ },
+ "service_access_approver": {
+ "type": "boolean"
+ }
+ }
+ },
+ "violation_notifications_enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "compliance_regime",
+ "display_name",
+ "location",
+ "organization"
+ ]
}
}
}
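Review bot: The `compliance_regime` and `partner` enums in the new `assured_workload_config` definition are hand-copied in four schema files (this one, and the identical hunks in 2-networking, 2-project-factory and 2-security) plus the `contains([...])` validation in modules/folder/variables.tf, so any future addition has to land in five places and the lists will drift. Both enums also admit the zero-value sentinels `COMPLIANCE_REGIME_UNSPECIFIED` and `PARTNER_UNSPECIFIED`; unless the API accepts those on create (verify), listing them only moves the failure from plan-time validation to apply. `organization` is a bare `"type": "string"` even though modules/folder/main.tf now template-expands it against `context.condition_vars`, so a `"description": "Organization resource id; supports ${...} interpolation against context condition_vars."` on that property (and the same note in the variable description) would tell users why a literal `$` must be written as `$$`. Minor: the new property is inserted between `pam_entitlements` and `parent` rather than in key order, unlike the rest of the block.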
\ No newline at end of file
diff --git a/fast/stages/0-org-setup/schemas/folder.schema.md b/fast/stages/0-org-setup/schemas/folder.schema.md
index 52c48b342..d71e11920 100644
--- a/fast/stages/0-org-setup/schemas/folder.schema.md
+++ b/fast/stages/0-org-setup/schemas/folder.schema.md
@@ -90,6 +90,7 @@
- **location**: *string*
- **title**: *string*
- **pam_entitlements**: *reference([pam_entitlements](#refs-pam_entitlements))*
+- **assured_workload_config**: *reference([assured_workload_config](#refs-assured_workload_config))*
- **parent**: *string*
*pattern: ^(?:folders/[0-9]+|organizations/[0-9]+|\$folder_ids:[a-z0-9_-]+)$*
- **tag_bindings**: *object*
@@ -227,3 +228,21 @@
- items: *string*
- **requester_email_recipients**: *array*
- items: *string*
+- **assured_workload_config**: *object*
+
*additional properties: false*
+ - ⁺**compliance_regime**: *string*
+
*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS_AND_SUPPORT', 'ISR_REGIONS', 'ITAR', 'JP_REGIONS_AND_SUPPORT', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'US_REGIONAL_ACCESS']*
+ - ⁺**display_name**: *string*
+ - ⁺**location**: *string*
+ - ⁺**organization**: *string*
+ - **enable_sovereign_controls**: *boolean*
+ - **labels**: *object*
+ *additional properties: String*
+ - **partner**: *string*
+
*enum: ['LOCAL_CONTROLS_BY_S3NS', 'PARTNER_UNSPECIFIED', 'SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM', 'SOVEREIGN_CONTROLS_BY_CNTXT', 'SOVEREIGN_CONTROLS_BY_PSN', 'SOVEREIGN_CONTROLS_BY_SIA_MINSAIT', 'SOVEREIGN_CONTROLS_BY_T_SYSTEMS']*
+ - **partner_permissions**: *object*
+
*additional properties: false*
+ - **assured_workloads_monitoring**: *boolean*
+ - **data_logs_viewer**: *boolean*
+ - **service_access_approver**: *boolean*
+ - **violation_notifications_enabled**: *boolean*
diff --git a/fast/stages/2-networking/schemas/folder.schema.json b/fast/stages/2-networking/schemas/folder.schema.json
index 21e8b8d3b..393f49d0c 100644
--- a/fast/stages/2-networking/schemas/folder.schema.json
+++ b/fast/stages/2-networking/schemas/folder.schema.json
@@ -349,6 +349,9 @@
"pam_entitlements": {
"$ref": "#/$defs/pam_entitlements"
},
+ "assured_workload_config": {
+ "$ref": "#/$defs/assured_workload_config"
+ },
"parent": {
"type": "string",
"pattern": "^(?:folders/[0-9]+|organizations/[0-9]+|\\$folder_ids:[a-z0-9_-]+)$"
@@ -767,6 +770,95 @@
"additionalProperties": false
}
}
+ },
+ "assured_workload_config": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "compliance_regime": {
+ "type": "string",
+ "enum": [
+ "ASSURED_WORKLOADS_FOR_PARTNERS",
+ "AU_REGIONS_AND_US_SUPPORT",
+ "CA_PROTECTED_B",
+ "CA_REGIONS_AND_SUPPORT",
+ "CJIS",
+ "COMPLIANCE_REGIME_UNSPECIFIED",
+ "EU_REGIONS_AND_SUPPORT",
+ "FEDRAMP_HIGH",
+ "FEDRAMP_MODERATE",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
+ "HIPAA",
+ "HITRUST",
+ "IL2",
+ "IL4",
+ "IL5",
+ "IRS_1075",
+ "ISR_REGIONS_AND_SUPPORT",
+ "ISR_REGIONS",
+ "ITAR",
+ "JP_REGIONS_AND_SUPPORT",
+ "KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
+ "REGIONAL_CONTROLS",
+ "US_REGIONAL_ACCESS"
+ ]
+ },
+ "display_name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "organization": {
+ "type": "string"
+ },
+ "enable_sovereign_controls": {
+ "type": "boolean"
+ },
+ "labels": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "partner": {
+ "type": "string",
+ "enum": [
+ "LOCAL_CONTROLS_BY_S3NS",
+ "PARTNER_UNSPECIFIED",
+ "SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM",
+ "SOVEREIGN_CONTROLS_BY_CNTXT",
+ "SOVEREIGN_CONTROLS_BY_PSN",
+ "SOVEREIGN_CONTROLS_BY_SIA_MINSAIT",
+ "SOVEREIGN_CONTROLS_BY_T_SYSTEMS"
+ ]
+ },
+ "partner_permissions": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "assured_workloads_monitoring": {
+ "type": "boolean"
+ },
+ "data_logs_viewer": {
+ "type": "boolean"
+ },
+ "service_access_approver": {
+ "type": "boolean"
+ }
+ }
+ },
+ "violation_notifications_enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "compliance_regime",
+ "display_name",
+ "location",
+ "organization"
+ ]
}
}
}
\ No newline at end of file
diff --git a/fast/stages/2-project-factory/README.md b/fast/stages/2-project-factory/README.md
index e1b28cff8..e0dcd5b0a 100644
--- a/fast/stages/2-project-factory/README.md
+++ b/fast/stages/2-project-factory/README.md
@@ -479,8 +479,9 @@ Pattern-based files make specific assumptions:
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-org-setup |
-| [billing_account](variables-fast.tf#L26) | Billing account id. | object({…}) | ✓ | | 0-org-setup |
-| [prefix](variables-fast.tf#L82) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-org-setup |
+| [billing_account](variables-fast.tf#L26) | Billing account id. | object({…}) | ✓ | | 0-globals |
+| [organization](variables-fast.tf#L74) | Organization details. | object({…}) | ✓ | | 0-globals |
+| [prefix](variables-fast.tf#L92) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-globals |
| [context](variables.tf#L17) | Context-specific interpolations. | object({…}) | | {} | |
| [custom_roles](variables-fast.tf#L34) | Custom roles defined at the org level, in key => id format. | map(string) | | {} | 0-org-setup |
| [data_defaults](variables-projects.tf#L17) | Optional default values used when corresponding project or folder data from files are missing. | object({…}) | | {} | |
@@ -491,13 +492,13 @@ Pattern-based files make specific assumptions:
| [host_project_ids](variables-fast.tf#L58) | Host project for the shared VPC. | map(string) | | {} | 2-networking |
| [iam_principals](variables-fast.tf#L50) | IAM-format principals. | map(string) | | {} | 0-org-setup |
| [kms_keys](variables-fast.tf#L66) | KMS key ids. | map(string) | | {} | 2-security |
-| [perimeters](variables-fast.tf#L74) | Optional VPC-SC perimeter ids. | map(string) | | {} | 1-vpcsc |
-| [project_ids](variables-fast.tf#L92) | Projects created in the bootstrap stage. | map(string) | | {} | 0-org-setup |
-| [service_accounts](variables-fast.tf#L100) | Service accounts created in the bootstrap stage. | map(string) | | {} | 0-org-setup |
+| [perimeters](variables-fast.tf#L84) | Optional VPC-SC perimeter ids. | map(string) | | {} | 1-vpcsc |
+| [project_ids](variables-fast.tf#L102) | Projects created in the bootstrap stage. | map(string) | | {} | 0-org-setup |
+| [service_accounts](variables-fast.tf#L110) | Service accounts created in the bootstrap stage. | map(string) | | {} | 0-org-setup |
| [stage_name](variables.tf#L58) | FAST stage name. Used to separate output files across different factories. | string | | "2-project-factory" | |
-| [subnet_self_links](variables-fast.tf#L108) | Shared VPC subnet IDs. | map(map(string)) | | {} | 2-networking |
-| [tag_values](variables-fast.tf#L116) | FAST-managed resource manager tag values. | map(string) | | {} | 0-org-setup |
-| [universe](variables-fast.tf#L124) | GCP universe where to deploy projects. The prefix will be prepended to the project id. | object({…}) | | null | 0-org-setup |
+| [subnet_self_links](variables-fast.tf#L118) | Shared VPC subnet IDs. | map(map(string)) | | {} | 2-networking |
+| [tag_values](variables-fast.tf#L126) | FAST-managed resource manager tag values. | map(string) | | {} | 0-org-setup |
+| [universe](variables-fast.tf#L134) | GCP universe where to deploy projects. The prefix will be prepended to the project id. | object({…}) | | null | 0-globals |
## Outputs
diff --git a/fast/stages/2-project-factory/main.tf b/fast/stages/2-project-factory/main.tf
index 1a7e19716..a6a9de0ad 100644
--- a/fast/stages/2-project-factory/main.tf
+++ b/fast/stages/2-project-factory/main.tf
@@ -73,6 +73,11 @@ module "factory" {
subnet_self_links = {
for v in local.subnet_self_links : v.key => v.link
}
+ organization = {
+ id = var.organization.id
+ domain = var.organization.domain
+ customer_id = var.organization.customer_id
+ }
}, local.context.condition_vars)
custom_roles = merge(var.custom_roles, local.context.custom_roles)
folder_ids = merge(var.folder_ids, local.context.folder_ids)
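Review bot: The `organization` map added to the `condition_vars` literal is merged with `local.context.condition_vars` as the last argument, so a user-supplied `organization` key in the stage context silently replaces all three FAST-provided fields rather than extending them; if that override is intended, a short comment above the block (`# overridable via context.condition_vars`) would record it, otherwise the merge order should be swapped. The `merge(...)` call and the surrounding `module "factory"` block start outside the hunk, so the precedence is inferred from the closing `}, local.context.condition_vars)` line only.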
diff --git a/fast/stages/2-project-factory/schemas/folder.schema.json b/fast/stages/2-project-factory/schemas/folder.schema.json
index 21e8b8d3b..393f49d0c 100644
--- a/fast/stages/2-project-factory/schemas/folder.schema.json
+++ b/fast/stages/2-project-factory/schemas/folder.schema.json
@@ -349,6 +349,9 @@
"pam_entitlements": {
"$ref": "#/$defs/pam_entitlements"
},
+ "assured_workload_config": {
+ "$ref": "#/$defs/assured_workload_config"
+ },
"parent": {
"type": "string",
"pattern": "^(?:folders/[0-9]+|organizations/[0-9]+|\\$folder_ids:[a-z0-9_-]+)$"
@@ -767,6 +770,95 @@
"additionalProperties": false
}
}
+ },
+ "assured_workload_config": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "compliance_regime": {
+ "type": "string",
+ "enum": [
+ "ASSURED_WORKLOADS_FOR_PARTNERS",
+ "AU_REGIONS_AND_US_SUPPORT",
+ "CA_PROTECTED_B",
+ "CA_REGIONS_AND_SUPPORT",
+ "CJIS",
+ "COMPLIANCE_REGIME_UNSPECIFIED",
+ "EU_REGIONS_AND_SUPPORT",
+ "FEDRAMP_HIGH",
+ "FEDRAMP_MODERATE",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
+ "HIPAA",
+ "HITRUST",
+ "IL2",
+ "IL4",
+ "IL5",
+ "IRS_1075",
+ "ISR_REGIONS_AND_SUPPORT",
+ "ISR_REGIONS",
+ "ITAR",
+ "JP_REGIONS_AND_SUPPORT",
+ "KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
+ "REGIONAL_CONTROLS",
+ "US_REGIONAL_ACCESS"
+ ]
+ },
+ "display_name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "organization": {
+ "type": "string"
+ },
+ "enable_sovereign_controls": {
+ "type": "boolean"
+ },
+ "labels": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "partner": {
+ "type": "string",
+ "enum": [
+ "LOCAL_CONTROLS_BY_S3NS",
+ "PARTNER_UNSPECIFIED",
+ "SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM",
+ "SOVEREIGN_CONTROLS_BY_CNTXT",
+ "SOVEREIGN_CONTROLS_BY_PSN",
+ "SOVEREIGN_CONTROLS_BY_SIA_MINSAIT",
+ "SOVEREIGN_CONTROLS_BY_T_SYSTEMS"
+ ]
+ },
+ "partner_permissions": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "assured_workloads_monitoring": {
+ "type": "boolean"
+ },
+ "data_logs_viewer": {
+ "type": "boolean"
+ },
+ "service_access_approver": {
+ "type": "boolean"
+ }
+ }
+ },
+ "violation_notifications_enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "compliance_regime",
+ "display_name",
+ "location",
+ "organization"
+ ]
}
}
}
\ No newline at end of file
diff --git a/fast/stages/2-project-factory/schemas/folder.schema.md b/fast/stages/2-project-factory/schemas/folder.schema.md
index 52c48b342..d71e11920 100644
--- a/fast/stages/2-project-factory/schemas/folder.schema.md
+++ b/fast/stages/2-project-factory/schemas/folder.schema.md
@@ -90,6 +90,7 @@
- **location**: *string*
- **title**: *string*
- **pam_entitlements**: *reference([pam_entitlements](#refs-pam_entitlements))*
+- **assured_workload_config**: *reference([assured_workload_config](#refs-assured_workload_config))*
- **parent**: *string*
*pattern: ^(?:folders/[0-9]+|organizations/[0-9]+|\$folder_ids:[a-z0-9_-]+)$*
- **tag_bindings**: *object*
@@ -227,3 +228,21 @@
- items: *string*
- **requester_email_recipients**: *array*
- items: *string*
+- **assured_workload_config**: *object*
+
*additional properties: false*
+ - ⁺**compliance_regime**: *string*
+
*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS_AND_SUPPORT', 'ISR_REGIONS', 'ITAR', 'JP_REGIONS_AND_SUPPORT', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'US_REGIONAL_ACCESS']*
+ - ⁺**display_name**: *string*
+ - ⁺**location**: *string*
+ - ⁺**organization**: *string*
+ - **enable_sovereign_controls**: *boolean*
+ - **labels**: *object*
+ *additional properties: String*
+ - **partner**: *string*
+
*enum: ['LOCAL_CONTROLS_BY_S3NS', 'PARTNER_UNSPECIFIED', 'SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM', 'SOVEREIGN_CONTROLS_BY_CNTXT', 'SOVEREIGN_CONTROLS_BY_PSN', 'SOVEREIGN_CONTROLS_BY_SIA_MINSAIT', 'SOVEREIGN_CONTROLS_BY_T_SYSTEMS']*
+ - **partner_permissions**: *object*
+
*additional properties: false*
+ - **assured_workloads_monitoring**: *boolean*
+ - **data_logs_viewer**: *boolean*
+ - **service_access_approver**: *boolean*
+ - **violation_notifications_enabled**: *boolean*
diff --git a/fast/stages/2-project-factory/variables-fast.tf b/fast/stages/2-project-factory/variables-fast.tf
index 65bb622f5..6214c04bf 100644
--- a/fast/stages/2-project-factory/variables-fast.tf
+++ b/fast/stages/2-project-factory/variables-fast.tf
@@ -24,7 +24,7 @@ variable "automation" {
}
variable "billing_account" {
- # tfdoc:variable:source 0-org-setup
+ # tfdoc:variable:source 0-globals
description = "Billing account id."
type = object({
id = string
@@ -71,6 +71,16 @@ variable "kms_keys" {
default = {}
}
+variable "organization" {
+ # tfdoc:variable:source 0-globals
+ description = "Organization details."
+ type = object({
+ domain = string
+ id = number
+ customer_id = string
+ })
+}
+
variable "perimeters" {
# tfdoc:variable:source 1-vpcsc
description = "Optional VPC-SC perimeter ids."
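Review bot: The new `organization` variable has no `default`, so it becomes a required input of the 2-project-factory stage; deployments whose 0-globals output file does not yet carry `organization` will fail at plan, which is worth calling out in the stage README next to the updated producer column rather than leaving readers to discover it. The object attributes are declared as `domain, id, customer_id` while fast/stages/2-project-factory/main.tf builds the same object as `id, domain, customer_id`; the order has no effect on Terraform, but matching it makes the two easier to compare. A `validation` that `var.organization.id > 0` would also catch a missing or placeholder id before it is interpolated into Assured Workloads templates.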
@@ -80,7 +90,7 @@ variable "perimeters" {
}
variable "prefix" {
- # tfdoc:variable:source 0-org-setup
+ # tfdoc:variable:source 0-globals
description = "Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants."
type = string
validation {
@@ -122,7 +132,7 @@ variable "tag_values" {
}
variable "universe" {
- # tfdoc:variable:source 0-org-setup
+ # tfdoc:variable:source 0-globals
description = "GCP universe where to deploy projects. The prefix will be prepended to the project id."
type = object({
domain = string
diff --git a/fast/stages/2-security/schemas/folder.schema.json b/fast/stages/2-security/schemas/folder.schema.json
index 21e8b8d3b..393f49d0c 100644
--- a/fast/stages/2-security/schemas/folder.schema.json
+++ b/fast/stages/2-security/schemas/folder.schema.json
@@ -349,6 +349,9 @@
"pam_entitlements": {
"$ref": "#/$defs/pam_entitlements"
},
+ "assured_workload_config": {
+ "$ref": "#/$defs/assured_workload_config"
+ },
"parent": {
"type": "string",
"pattern": "^(?:folders/[0-9]+|organizations/[0-9]+|\\$folder_ids:[a-z0-9_-]+)$"
@@ -767,6 +770,95 @@
"additionalProperties": false
}
}
+ },
+ "assured_workload_config": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "compliance_regime": {
+ "type": "string",
+ "enum": [
+ "ASSURED_WORKLOADS_FOR_PARTNERS",
+ "AU_REGIONS_AND_US_SUPPORT",
+ "CA_PROTECTED_B",
+ "CA_REGIONS_AND_SUPPORT",
+ "CJIS",
+ "COMPLIANCE_REGIME_UNSPECIFIED",
+ "EU_REGIONS_AND_SUPPORT",
+ "FEDRAMP_HIGH",
+ "FEDRAMP_MODERATE",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
+ "HIPAA",
+ "HITRUST",
+ "IL2",
+ "IL4",
+ "IL5",
+ "IRS_1075",
+ "ISR_REGIONS_AND_SUPPORT",
+ "ISR_REGIONS",
+ "ITAR",
+ "JP_REGIONS_AND_SUPPORT",
+ "KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
+ "REGIONAL_CONTROLS",
+ "US_REGIONAL_ACCESS"
+ ]
+ },
+ "display_name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "organization": {
+ "type": "string"
+ },
+ "enable_sovereign_controls": {
+ "type": "boolean"
+ },
+ "labels": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "partner": {
+ "type": "string",
+ "enum": [
+ "LOCAL_CONTROLS_BY_S3NS",
+ "PARTNER_UNSPECIFIED",
+ "SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM",
+ "SOVEREIGN_CONTROLS_BY_CNTXT",
+ "SOVEREIGN_CONTROLS_BY_PSN",
+ "SOVEREIGN_CONTROLS_BY_SIA_MINSAIT",
+ "SOVEREIGN_CONTROLS_BY_T_SYSTEMS"
+ ]
+ },
+ "partner_permissions": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "assured_workloads_monitoring": {
+ "type": "boolean"
+ },
+ "data_logs_viewer": {
+ "type": "boolean"
+ },
+ "service_access_approver": {
+ "type": "boolean"
+ }
+ }
+ },
+ "violation_notifications_enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "compliance_regime",
+ "display_name",
+ "location",
+ "organization"
+ ]
}
}
}
\ No newline at end of file
diff --git a/modules/folder/README.md b/modules/folder/README.md
index 2ae84ba27..c3bcf5c19 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -661,30 +661,30 @@ module "folder" {
|---|---|:---:|:---:|:---:|
| [asset_feeds](variables.tf#L18) | Cloud Asset Inventory feeds. | map(object({…})) | | {} |
| [assured_workload_config](variables.tf#L51) | Create AssuredWorkloads folder instead of regular folder when value is provided. Incompatible with folder_create=false. | object({…}) | | null |
-| [autokey_config](variables.tf#L104) | Enable autokey support for this folder's children. Project accepts either project id or number. | object({…}) | | null |
-| [contacts](variables.tf#L113) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) | | {} |
-| [context](variables.tf#L132) | Context-specific interpolations. | object({…}) | | {} |
-| [deletion_protection](variables.tf#L152) | Deletion protection setting for this folder. | bool | | false |
-| [factories_config](variables.tf#L158) | Paths to data files and folders that enable factory functionality. | object({…}) | | {} |
-| [firewall_policy](variables.tf#L169) | Hierarchical firewall policy to associate to this folder. | object({…}) | | null |
-| [folder_create](variables.tf#L178) | Create folder. When set to false, uses id to reference an existing folder. | bool | | true |
+| [autokey_config](variables.tf#L113) | Enable autokey support for this folder's children. Project accepts either project id or number. | object({…}) | | null |
+| [contacts](variables.tf#L122) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) | | {} |
+| [context](variables.tf#L141) | Context-specific interpolations. | object({…}) | | {} |
+| [deletion_protection](variables.tf#L161) | Deletion protection setting for this folder. | bool | | false |
+| [factories_config](variables.tf#L167) | Paths to data files and folders that enable factory functionality. | object({…}) | | {} |
+| [firewall_policy](variables.tf#L178) | Hierarchical firewall policy to associate to this folder. | object({…}) | | null |
+| [folder_create](variables.tf#L187) | Create folder. When set to false, uses id to reference an existing folder. | bool | | true |
| [iam](variables-iam.tf#L17) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} |
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} |
| [iam_by_principals](variables-iam.tf#L61) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam` variable. | map(list(string)) | | {} |
| [iam_by_principals_additive](variables-iam.tf#L54) | Additive IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam_bindings_additive` variable. | map(list(string)) | | {} |
| [iam_by_principals_conditional](variables-iam.tf#L68) | Authoritative IAM binding in {PRINCIPAL => {roles = [roles], condition = {cond}}} format. Principals need to be statically defined to avoid errors. Condition is required. | map(object({…})) | | {} |
-| [id](variables.tf#L188) | Folder ID in case you use folder_create=false. | string | | null |
+| [id](variables.tf#L197) | Folder ID in case you use folder_create=false. | string | | null |
| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. The special 'allServices' key denotes configuration for all services. | map(object({…})) | | {} |
| [logging_exclusions](variables-logging.tf#L28) | Logging exclusions for this folder in the form {NAME -> FILTER}. | map(string) | | {} |
| [logging_settings](variables-logging.tf#L35) | Default settings for logging resources. | object({…}) | | null |
| [logging_sinks](variables-logging.tf#L45) | Logging sinks to create for the folder. | map(object({…})) | | {} |
-| [name](variables.tf#L194) | Folder name. | string | | null |
-| [org_policies](variables.tf#L200) | Organization policies applied to this folder keyed by policy name. | map(object({…})) | | {} |
+| [name](variables.tf#L203) | Folder name. | string | | null |
+| [org_policies](variables.tf#L209) | Organization policies applied to this folder keyed by policy name. | map(object({…})) | | {} |
| [pam_entitlements](variables-pam.tf#L17) | Privileged Access Manager entitlements for this resource, keyed by entitlement ID. | map(object({…})) | | {} |
-| [parent](variables.tf#L228) | Parent in folders/folder_id or organizations/org_id format. | string | | null |
+| [parent](variables.tf#L237) | Parent in folders/folder_id or organizations/org_id format. | string | | null |
| [scc_sha_custom_modules](variables-scc.tf#L17) | SCC custom modules keyed by module name. | map(object({…})) | | {} |
-| [tag_bindings](variables.tf#L242) | Tag bindings for this folder, in key => tag value id format. | map(string) | | null |
+| [tag_bindings](variables.tf#L251) | Tag bindings for this folder, in key => tag value id format. | map(string) | | null |
## Outputs
diff --git a/modules/folder/main.tf b/modules/folder/main.tf
index c8762f83f..ca6ac2e99 100644
--- a/modules/folder/main.tf
+++ b/modules/folder/main.tf
@@ -38,7 +38,7 @@ locals {
: (
try(startswith(var.parent, "folders/"))
? var.parent
- : null
+ : lookup(local.ctx.folder_ids, var.parent, null)
)
)
}
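Review bot: The new `lookup(local.ctx.folder_ids, var.parent, null)` fallback makes a mistyped `$folder_ids:` reference indistinguishable from "no parent": the expression silently yields `null` and the folder is then created (or fails) at apply time instead of at plan. Since `parent` is validated elsewhere against `^(?:folders/...|organizations/...|\$folder_ids:...)$`, a value that reaches this branch and is not a key of `local.ctx.folder_ids` is almost certainly a typo; consider a `precondition` on the folder resource (`condition = local.parent != null || var.parent == null`, with a message naming the unresolved key) so it fails early. This assumes `local.ctx.folder_ids` keys carry the `$folder_ids:` prefix as the raw `var.parent` does — confirm against how `local.ctx` is built. The enclosing `locals` block starts outside the hunk.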
@@ -89,7 +89,7 @@ resource "google_assured_workloads_workload" "folder" {
compliance_regime = var.assured_workload_config.compliance_regime
display_name = var.assured_workload_config.display_name
location = var.assured_workload_config.location
- organization = var.assured_workload_config.organization
+ organization = templatestring(var.assured_workload_config.organization, var.context.condition_vars)
enable_sovereign_controls = var.assured_workload_config.enable_sovereign_controls
labels = var.assured_workload_config.labels
partner = var.assured_workload_config.partner
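Review bot: `organization` is now evaluated with `templatestring()` against `var.context.condition_vars`, which changes its contract from an opaque string to an interpreted template: a value containing a literal `${` or `%{` (previously passed through untouched) will now fail or expand, and a literal `$` has to be written as `$$`. Template expressions can also call Terraform's built-in functions, so the YAML data files feeding this argument carry the same trust as the module code itself; that is worth stating in the `assured_workload_config` variable description alongside the supported `${organization.id}`-style references. `templatestring` also requires Terraform 1.9 or later — confirm the module's `required_version` constraint covers it. The `google_assured_workloads_workload.folder` resource starts outside the hunk.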
diff --git a/modules/folder/variables.tf b/modules/folder/variables.tf
index 9beadb855..68114ea4d 100644
--- a/modules/folder/variables.tf
+++ b/modules/folder/variables.tf
@@ -71,20 +71,27 @@ variable "assured_workload_config" {
condition = try(contains([
"ASSURED_WORKLOADS_FOR_PARTNERS",
"AU_REGIONS_AND_US_SUPPORT",
- "CA_PROTECTED_B, IL5",
+ "CA_PROTECTED_B",
"CA_REGIONS_AND_SUPPORT",
"CJIS",
"COMPLIANCE_REGIME_UNSPECIFIED",
"EU_REGIONS_AND_SUPPORT",
"FEDRAMP_HIGH",
"FEDRAMP_MODERATE",
- "HIPAA, HITRUST",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
+ "HIPAA",
+ "HITRUST",
"IL2",
"IL4",
+ "IL5",
+ "IRS_1075",
"ISR_REGIONS_AND_SUPPORT",
"ISR_REGIONS",
"ITAR",
"JP_REGIONS_AND_SUPPORT",
+ "KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
+ "REGIONAL_CONTROLS",
"US_REGIONAL_ACCESS"
], var.assured_workload_config.compliance_regime), true)
error_message = "Field assured_workload_config.compliance_regime must be one of the values listed in https://cloud.google.com/assured-workloads/docs/reference/rest/Shared.Types/ComplianceRegime"
@@ -93,9 +100,11 @@ variable "assured_workload_config" {
condition = try(contains([
"LOCAL_CONTROLS_BY_S3NS",
"PARTNER_UNSPECIFIED",
+ "SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM",
+ "SOVEREIGN_CONTROLS_BY_CNTXT",
"SOVEREIGN_CONTROLS_BY_PSN",
"SOVEREIGN_CONTROLS_BY_SIA_MINSAIT",
- "SOVEREIGN_CONTROLS_BY_T_SYSTEMS"
+ "SOVEREIGN_CONTROLS_BY_T_SYSTEMS",
], var.assured_workload_config.partner), true)
error_message = "Field assured_workload_config.partner must be one of the values listed in https://cloud.google.com/assured-workloads/docs/reference/rest/Shared.Types/Partner"
}
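Review bot: The `partner` list now ends with a trailing comma (`"SOVEREIGN_CONTROLS_BY_T_SYSTEMS",`) while the `compliance_regime` list in the previous hunk ends without one (`"US_REGIONAL_ACCESS"`); HCL accepts both, but the two validation blocks should use the same convention, so either drop the comma here or add one to the other list. Since both lists are duplicated verbatim in the JSON schema files of this change, keeping them in the same canonical order as the schemas (they already are, alphabetical) makes a side-by-side check possible — a `# keep in sync with */schemas/folder.schema.json` comment above each `contains([` would make that dependency visible to the next editor.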
diff --git a/modules/project-factory/README.md b/modules/project-factory/README.md
index d38fecddd..1558925d8 100644
--- a/modules/project-factory/README.md
+++ b/modules/project-factory/README.md
@@ -842,7 +842,7 @@ compute.disableSerialPortAccess:
| [data_defaults](variables.tf#L40) | Optional default values used when corresponding project or folder data from files are missing. | object({…}) | | {} |
| [data_merges](variables.tf#L105) | Optional values that will be merged with corresponding data from files. Combines with `data_defaults`, file data, and `data_overrides`. | object({…}) | | {} |
| [data_overrides](variables.tf#L124) | Optional values that override corresponding data from files. Takes precedence over file data and `data_defaults`. | object({…}) | | {} |
-| [folders](variables-folders.tf#L17) | Folders data merged with factory data. | map(object({…})) | | {} |
+| [folders](variables-folders.tf#L17) | Folders data merged with factory data. | map(object({…})) | | {} |
| [notification_channels](variables-billing.tf#L17) | Notification channels used by budget alerts. | map(object({…})) | | {} |
| [projects](variables-projects.tf#L17) | Projects data merged with factory data. | map(object({…})) | | {} |
diff --git a/modules/project-factory/folders.tf b/modules/project-factory/folders.tf
index 18f617e59..bea5d77cb 100644
--- a/modules/project-factory/folders.tf
+++ b/modules/project-factory/folders.tf
@@ -64,10 +64,11 @@ module "folder-1" {
org_policies = try(each.value.factories_config.org_policies, null)
scc_sha_custom_modules = try(each.value.factories_config.scc_sha_custom_modules, null)
}
- org_policies = lookup(each.value, "org_policies", {})
- pam_entitlements = lookup(each.value, "pam_entitlements", {})
- tag_bindings = lookup(each.value, "tag_bindings", {})
- context = local.ctx
+ org_policies = lookup(each.value, "org_policies", {})
+ pam_entitlements = lookup(each.value, "pam_entitlements", {})
+ tag_bindings = lookup(each.value, "tag_bindings", {})
+ assured_workload_config = lookup(each.value, "assured_workload_config", null)
+ context = local.ctx
}
module "folder-1-iam" {
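Review bot: The pass-through `assured_workload_config = lookup(each.value, "assured_workload_config", null)` at L823 has no comment explaining where the value is validated; a line such as `# folder-level Assured Workload; regime/partner values are validated by modules/folder` would help readers. If `data_defaults`/`data_merges`/`data_overrides` (README L801-803) are meant to apply to this new attribute as they do to the others, the merge that builds `each.value` (not in this diff) would also need it — worth confirming. The same line is added for folder-2, folder-3 and folder-4 (hunks ending at L840, L854, L868); this note covers those too. Each `module "folder-N"` block starts outside its hunk.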
@@ -110,9 +111,10 @@ module "folder-2" {
org_policies = try(each.value.factories_config.org_policies, null)
scc_sha_custom_modules = try(each.value.factories_config.scc_sha_custom_modules, null)
}
- org_policies = lookup(each.value, "org_policies", {})
- pam_entitlements = lookup(each.value, "pam_entitlements", {})
- tag_bindings = lookup(each.value, "tag_bindings", {})
+ org_policies = lookup(each.value, "org_policies", {})
+ pam_entitlements = lookup(each.value, "pam_entitlements", {})
+ tag_bindings = lookup(each.value, "tag_bindings", {})
+ assured_workload_config = lookup(each.value, "assured_workload_config", null)
context = merge(local.ctx, {
folder_ids = merge(local.ctx.folder_ids, {
for k, v in module.folder-1 : k => v.id
@@ -164,9 +166,10 @@ module "folder-3" {
org_policies = try(each.value.factories_config.org_policies, null)
scc_sha_custom_modules = try(each.value.factories_config.scc_sha_custom_modules, null)
}
- org_policies = lookup(each.value, "org_policies", {})
- pam_entitlements = lookup(each.value, "pam_entitlements", {})
- tag_bindings = lookup(each.value, "tag_bindings", {})
+ org_policies = lookup(each.value, "org_policies", {})
+ pam_entitlements = lookup(each.value, "pam_entitlements", {})
+ tag_bindings = lookup(each.value, "tag_bindings", {})
+ assured_workload_config = lookup(each.value, "assured_workload_config", null)
context = merge(local.ctx, {
folder_ids = merge(local.ctx.folder_ids, {
for k, v in module.folder-2 : k => v.id
@@ -218,9 +221,10 @@ module "folder-4" {
org_policies = try(each.value.factories_config.org_policies, null)
scc_sha_custom_modules = try(each.value.factories_config.scc_sha_custom_modules, null)
}
- org_policies = lookup(each.value, "org_policies", {})
- pam_entitlements = lookup(each.value, "pam_entitlements", {})
- tag_bindings = lookup(each.value, "tag_bindings", {})
+ org_policies = lookup(each.value, "org_policies", {})
+ pam_entitlements = lookup(each.value, "pam_entitlements", {})
+ tag_bindings = lookup(each.value, "tag_bindings", {})
+ assured_workload_config = lookup(each.value, "assured_workload_config", null)
context = merge(local.ctx, {
folder_ids = merge(local.ctx.folder_ids, {
for k, v in module.folder-3 : k => v.id
diff --git a/modules/project-factory/schemas/folder.schema.json b/modules/project-factory/schemas/folder.schema.json
index 21e8b8d3b..393f49d0c 100644
--- a/modules/project-factory/schemas/folder.schema.json
+++ b/modules/project-factory/schemas/folder.schema.json
@@ -349,6 +349,9 @@
"pam_entitlements": {
"$ref": "#/$defs/pam_entitlements"
},
+ "assured_workload_config": {
+ "$ref": "#/$defs/assured_workload_config"
+ },
"parent": {
"type": "string",
"pattern": "^(?:folders/[0-9]+|organizations/[0-9]+|\\$folder_ids:[a-z0-9_-]+)$"
@@ -767,6 +770,95 @@
"additionalProperties": false
}
}
+ },
+ "assured_workload_config": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "compliance_regime": {
+ "type": "string",
+ "enum": [
+ "ASSURED_WORKLOADS_FOR_PARTNERS",
+ "AU_REGIONS_AND_US_SUPPORT",
+ "CA_PROTECTED_B",
+ "CA_REGIONS_AND_SUPPORT",
+ "CJIS",
+ "COMPLIANCE_REGIME_UNSPECIFIED",
+ "EU_REGIONS_AND_SUPPORT",
+ "FEDRAMP_HIGH",
+ "FEDRAMP_MODERATE",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT",
+ "HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS",
+ "HIPAA",
+ "HITRUST",
+ "IL2",
+ "IL4",
+ "IL5",
+ "IRS_1075",
+ "ISR_REGIONS_AND_SUPPORT",
+ "ISR_REGIONS",
+ "ITAR",
+ "JP_REGIONS_AND_SUPPORT",
+ "KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS",
+ "REGIONAL_CONTROLS",
+ "US_REGIONAL_ACCESS"
+ ]
+ },
+ "display_name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "organization": {
+ "type": "string"
+ },
+ "enable_sovereign_controls": {
+ "type": "boolean"
+ },
+ "labels": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ }
+ },
+ "partner": {
+ "type": "string",
+ "enum": [
+ "LOCAL_CONTROLS_BY_S3NS",
+ "PARTNER_UNSPECIFIED",
+ "SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM",
+ "SOVEREIGN_CONTROLS_BY_CNTXT",
+ "SOVEREIGN_CONTROLS_BY_PSN",
+ "SOVEREIGN_CONTROLS_BY_SIA_MINSAIT",
+ "SOVEREIGN_CONTROLS_BY_T_SYSTEMS"
+ ]
+ },
+ "partner_permissions": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "assured_workloads_monitoring": {
+ "type": "boolean"
+ },
+ "data_logs_viewer": {
+ "type": "boolean"
+ },
+ "service_access_approver": {
+ "type": "boolean"
+ }
+ }
+ },
+ "violation_notifications_enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "compliance_regime",
+ "display_name",
+ "location",
+ "organization"
+ ]
}
}
}
\ No newline at end of file
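Review bot: The enums at L894-919 and L941-949 duplicate the validation lists in modules/folder/variables.tf (L754-781, L784-793) with nothing tying the copies together, which is how the malformed `"CA_PROTECTED_B, IL5"` entry this commit fixes went unnoticed; adding `"$comment": "keep in sync with the assured_workload_config validation in modules/folder/variables.tf"` to the new def makes the coupling visible. `partner_permissions` (L951-965) deserves `description` entries: from the field names, `data_logs_viewer` and `service_access_approver` appear to extend access to the sovereignty partner, so changes to these booleans in factory YAML should be reviewed like access grants — please confirm the exact semantics against the API reference before wording the descriptions. `organization` and `location` (L924-929) are required strings with no `pattern`, unlike `parent` at L882; if a fixed format is expected, a pattern would reject mistakes at schema-validation time instead of at apply time.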
diff --git a/modules/project-factory/schemas/folder.schema.md b/modules/project-factory/schemas/folder.schema.md
index 52c48b342..d71e11920 100644
--- a/modules/project-factory/schemas/folder.schema.md
+++ b/modules/project-factory/schemas/folder.schema.md
@@ -90,6 +90,7 @@
- **location**: *string*
- **title**: *string*
- **pam_entitlements**: *reference([pam_entitlements](#refs-pam_entitlements))*
+- **assured_workload_config**: *reference([assured_workload_config](#refs-assured_workload_config))*
- **parent**: *string*
*pattern: ^(?:folders/[0-9]+|organizations/[0-9]+|\$folder_ids:[a-z0-9_-]+)$*
- **tag_bindings**: *object*
@@ -227,3 +228,21 @@
- items: *string*
- **requester_email_recipients**: *array*
- items: *string*
+- **assured_workload_config**: *object*
+
*additional properties: false*
+ - ⁺**compliance_regime**: *string*
+
*enum: ['ASSURED_WORKLOADS_FOR_PARTNERS', 'AU_REGIONS_AND_US_SUPPORT', 'CA_PROTECTED_B', 'CA_REGIONS_AND_SUPPORT', 'CJIS', 'COMPLIANCE_REGIME_UNSPECIFIED', 'EU_REGIONS_AND_SUPPORT', 'FEDRAMP_HIGH', 'FEDRAMP_MODERATE', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_US_SUPPORT', 'HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS', 'HIPAA', 'HITRUST', 'IL2', 'IL4', 'IL5', 'IRS_1075', 'ISR_REGIONS_AND_SUPPORT', 'ISR_REGIONS', 'ITAR', 'JP_REGIONS_AND_SUPPORT', 'KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS', 'REGIONAL_CONTROLS', 'US_REGIONAL_ACCESS']*
+ - ⁺**display_name**: *string*
+ - ⁺**location**: *string*
+ - ⁺**organization**: *string*
+ - **enable_sovereign_controls**: *boolean*
+ - **labels**: *object*
+ *additional properties: String*
+ - **partner**: *string*
+
*enum: ['LOCAL_CONTROLS_BY_S3NS', 'PARTNER_UNSPECIFIED', 'SOVEREIGN_CONTROLS_BY_CNTXT_NO_EKM', 'SOVEREIGN_CONTROLS_BY_CNTXT', 'SOVEREIGN_CONTROLS_BY_PSN', 'SOVEREIGN_CONTROLS_BY_SIA_MINSAIT', 'SOVEREIGN_CONTROLS_BY_T_SYSTEMS']*
+ - **partner_permissions**: *object*
+
*additional properties: false*
+ - **assured_workloads_monitoring**: *boolean*
+ - **data_logs_viewer**: *boolean*
+ - **service_access_approver**: *boolean*
+ - **violation_notifications_enabled**: *boolean*
diff --git a/modules/project-factory/variables-folders.tf b/modules/project-factory/variables-folders.tf
index bc1c368d8..dfeafa62f 100644
--- a/modules/project-factory/variables-folders.tf
+++ b/modules/project-factory/variables-folders.tf
@@ -34,6 +34,21 @@ variable "folders" {
location = optional(string)
}))
})), {})
+ assured_workload_config = optional(object({
+ compliance_regime = string
+ display_name = string
+ location = string
+ organization = string
+ enable_sovereign_controls = optional(bool)
+ labels = optional(map(string), {})
+ partner = optional(string)
+ partner_permissions = optional(object({
+ assured_workloads_monitoring = optional(bool)
+ data_logs_viewer = optional(bool)
+ service_access_approver = optional(bool)
+ }))
+ violation_notifications_enabled = optional(bool)
+ }), null)
name = optional(string)
parent = optional(string)
deletion_protection = optional(bool)
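Review bot: `partner_permissions` at L1034-1038 is `optional(object({...}))` with no default, so it is null when omitted, whereas `labels` at L1032 defaults to `{}`; if the folder module reads `partner_permissions.*` directly (its use is not visible in this diff), a null object would error at plan time — confirm the consumer handles null or give the object an explicit default. A short comment above L1026 such as `# folder-level Assured Workload; see modules/folder for value validation` would document the new attribute, since the variable's `description` lies outside this hunk. The enclosing `variable "folders"` block starts outside this hunk.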
diff --git a/tests/fast/stages/s2_project_factory/simple.tfvars b/tests/fast/stages/s2_project_factory/simple.tfvars
index 70a02d32d..af498cd67 100644
--- a/tests/fast/stages/s2_project_factory/simple.tfvars
+++ b/tests/fast/stages/s2_project_factory/simple.tfvars
@@ -17,3 +17,8 @@ data_defaults = {
storage = "europe-west1"
}
}
+organization = {
+ domain = "fast.example.com"
+ id = 123456789012
+ customer_id = "C00000000"
+}
\ No newline at end of file
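Review bot: The new `organization` block leaves the file without a trailing newline (the `\ No newline at end of file` marker at L1057); folder.schema.json has the same issue at L979. Both are one-keystroke fixes that keep future diffs from touching the last line. The values are test fixtures, so nothing else to check here.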