Update default FAST org policies (#3207)

.github/actions/fabric-tests/action.yml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -71,7 +71,7 @@ runs:
     - name: Pin provider versions
       shell: bash
       run: |
-        for f in $(find . -name versions.tf); do
+        for f in $(find . -name versions.tf  -o -name versions.tofu); do
           sed -i 's/>=\(.*# tftest\)/=\1/g' $f;
         done
     - name: Install Python Dependencies

.github/workflows/tests.yml

@@ -83,7 +83,7 @@ jobs:
           mkdir -p ${{ env.TF_PLUGIN_CACHE_DIR }}
           echo 'plugin_cache_dir = "${{ env.TF_PLUGIN_CACHE_DIR }}"' | tee -a /home/runner/.terraformrc
           echo 'disable_checkpoint = true' | tee -a /home/runner/.terraformrc
-          sed -i -e 's/>=\(.*# tftest\)/=\1/g'  tools/lockfile/versions.tf
+          sed -i -e 's/>=\(.*# tftest\)/=\1/g' tools/lockfile/versions.tf tools/lockfile/versions.tofu
 
           # change terraform version to the one that is running
           sed -i 's/required_version = .*$/required_version = ">= ${{ matrix.version }}"/g' tools/lockfile/versions.tf

fast/stages/0-bootstrap/data/org-policies-managed/gke.yaml

@@ -21,3 +21,11 @@
 # custom.disableKubeletReadOnlyPort:
 #   rules:
 #     - enforce: true
+
+container.managed.enablePrivateNodes:
+  rules:
+    - enforce: true
+
+# container.managed.enableControlPlaneDNSOnlyAccess:
+#   rules:
+#     - enforce: true

fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml

@@ -50,6 +50,10 @@ iam.managed.disableServiceAccountKeyUpload:
   rules:
     - enforce: true
 
+iam.managed.disableServiceAccountApiKeyCreation:
+  rules:
+    - enforce: true
+
 iam.serviceAccountKeyExposureResponse:
   rules:
     - allow:

fast/stages/0-bootstrap/data/org-policies/gke.yaml

@@ -21,3 +21,11 @@
 # custom.disableKubeletReadOnlyPort:
 #   rules:
 #     - enforce: true
+
+container.managed.enablePrivateNodes:
+  rules:
+    - enforce: true
+
+# container.managed.enableControlPlaneDNSOnlyAccess:
+#   rules:
+#     - enforce: true

fast/stages/0-bootstrap/data/org-policies/iam.yaml

@@ -34,11 +34,11 @@ iam.allowedPolicyMemberDomains:
         expression: |
           resource.matchTag('${tags.org_policies_tag_name}', 'allowed-policy-member-domains-all')
 
-iam.automaticIamGrantsForDefaultServiceAccounts:
+iam.disableAuditLoggingExemption:
   rules:
     - enforce: true
 
-iam.disableAuditLoggingExemption:
+iam.automaticIamGrantsForDefaultServiceAccounts:
   rules:
     - enforce: true
 
@@ -50,6 +50,10 @@ iam.disableServiceAccountKeyUpload:
   rules:
     - enforce: true
 
+iam.managed.disableServiceAccountApiKeyCreation:
+  rules:
+    - enforce: true
+
 iam.serviceAccountKeyExposureResponse:
   rules:
     - allow:

tests/fast/stages/s0_bootstrap/cicd.yaml

@@ -1406,6 +1406,21 @@ values:
         parameters: null
         values: []
     timeouts: null
+  module.organization.google_org_policy_policy.default["container.managed.enablePrivateNodes"]:
+    dry_run_spec: []
+    name: organizations/123456789012/policies/container.managed.enablePrivateNodes
+    parent: organizations/123456789012
+    spec:
+    - inherit_from_parent: null
+      reset: null
+      rules:
+      - allow_all: null
+        condition: []
+        deny_all: null
+        enforce: 'TRUE'
+        parameters: null
+        values: []
+    timeouts: null
   module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]:
     dry_run_spec: []
     name: organizations/123456789012/policies/custom.denyBridgePerimeters
@@ -1568,6 +1583,21 @@ values:
         parameters: null
         values: []
     timeouts: null
+  module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountApiKeyCreation"]:
+    dry_run_spec: []
+    name: organizations/123456789012/policies/iam.managed.disableServiceAccountApiKeyCreation
+    parent: organizations/123456789012
+    spec:
+    - inherit_from_parent: null
+      reset: null
+      rules:
+      - allow_all: null
+        condition: []
+        deny_all: null
+        enforce: 'TRUE'
+        parameters: null
+        values: []
+    timeouts: null
   module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
     dry_run_spec: []
     name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
@@ -1946,6 +1976,14 @@ values:
     role_id: billingViewer
     stage: GA
     title: Custom role billingViewer
+  module.organization.google_organization_iam_custom_role.roles["dns_zone_binder"]:
+    description: Terraform-managed.
+    org_id: '123456789012'
+    permissions:
+    - dns.networks.bindPrivateDNSZone
+    role_id: dnsZoneBinder
+    stage: GA
+    title: Custom role dnsZoneBinder
   module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
     description: Terraform-managed.
     org_id: '123456789012'
@@ -1968,6 +2006,31 @@ values:
     role_id: gcveNetworkViewer
     stage: GA
     title: Custom role gcveNetworkViewer
+  module.organization.google_organization_iam_custom_role.roles["kms_key_encryption_admin"]:
+    description: Terraform-managed.
+    org_id: '123456789012'
+    permissions:
+    - cloudkms.cryptoKeyVersions.get
+    - cloudkms.cryptoKeyVersions.list
+    - cloudkms.cryptoKeys.get
+    - cloudkms.cryptoKeys.getIamPolicy
+    - cloudkms.cryptoKeys.list
+    - cloudkms.cryptoKeys.setIamPolicy
+    role_id: kmsKeyEncryptionAdmin
+    stage: GA
+    title: Custom role kmsKeyEncryptionAdmin
+  module.organization.google_organization_iam_custom_role.roles["kms_key_viewer"]:
+    description: Terraform-managed.
+    org_id: '123456789012'
+    permissions:
+    - cloudkms.cryptoKeyVersions.get
+    - cloudkms.cryptoKeyVersions.list
+    - cloudkms.cryptoKeys.get
+    - cloudkms.cryptoKeys.getIamPolicy
+    - cloudkms.cryptoKeys.list
+    role_id: kmsKeyViewer
+    stage: GA
+    title: Custom role kmsKeyViewer
   module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
     description: Terraform-managed.
     org_id: '123456789012'
@@ -2322,7 +2385,7 @@ counts:
   google_logging_organization_sink: 4
   google_logging_project_bucket_config: 4
   google_org_policy_custom_constraint: 1
-  google_org_policy_policy: 38
+  google_org_policy_policy: 40
   google_organization_iam_binding: 26
   google_organization_iam_custom_role: 16
   google_organization_iam_member: 31
@@ -2343,7 +2406,7 @@ counts:
   google_tags_tag_value: 2
   local_file: 13
   modules: 26
-  resources: 295
+  resources: 297
 
 outputs:
   custom_roles:

tests/fast/stages/s0_bootstrap/simple.yaml

@@ -1175,6 +1175,14 @@ values:
     role_id: billingViewer
     stage: GA
     title: Custom role billingViewer
+  module.organization.google_organization_iam_custom_role.roles["dns_zone_binder"]:
+    description: Terraform-managed.
+    org_id: '123456789012'
+    permissions:
+    - dns.networks.bindPrivateDNSZone
+    role_id: dnsZoneBinder
+    stage: GA
+    title: Custom role dnsZoneBinder
   module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
     description: Terraform-managed.
     org_id: '123456789012'
@@ -1197,6 +1205,31 @@ values:
     role_id: gcveNetworkViewer
     stage: GA
     title: Custom role gcveNetworkViewer
+  module.organization.google_organization_iam_custom_role.roles["kms_key_encryption_admin"]:
+    description: Terraform-managed.
+    org_id: '123456789012'
+    permissions:
+    - cloudkms.cryptoKeyVersions.get
+    - cloudkms.cryptoKeyVersions.list
+    - cloudkms.cryptoKeys.get
+    - cloudkms.cryptoKeys.getIamPolicy
+    - cloudkms.cryptoKeys.list
+    - cloudkms.cryptoKeys.setIamPolicy
+    role_id: kmsKeyEncryptionAdmin
+    stage: GA
+    title: Custom role kmsKeyEncryptionAdmin
+  module.organization.google_organization_iam_custom_role.roles["kms_key_viewer"]:
+    description: Terraform-managed.
+    org_id: '123456789012'
+    permissions:
+    - cloudkms.cryptoKeyVersions.get
+    - cloudkms.cryptoKeyVersions.list
+    - cloudkms.cryptoKeys.get
+    - cloudkms.cryptoKeys.getIamPolicy
+    - cloudkms.cryptoKeys.list
+    role_id: kmsKeyViewer
+    stage: GA
+    title: Custom role kmsKeyViewer
   module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
     description: Terraform-managed.
     org_id: '123456789012'
@@ -1549,7 +1582,7 @@ counts:
   google_logging_organization_sink: 4
   google_logging_project_bucket_config: 4
   google_org_policy_custom_constraint: 1
-  google_org_policy_policy: 38
+  google_org_policy_policy: 40
   google_organization_iam_binding: 26
   google_organization_iam_custom_role: 16
   google_organization_iam_member: 31
@@ -1570,7 +1603,7 @@ counts:
   google_tags_tag_value: 2
   local_file: 8
   modules: 20
-  resources: 258
+  resources: 260
 
 outputs:
   cicd_repositories: {}

tests/fast/stages/s0_bootstrap/simple_org_policies.yaml

@@ -590,3 +590,33 @@ values:
         parameters: null
         values: []
     timeouts: null
+  module.organization.google_org_policy_policy.default["container.managed.enablePrivateNodes"]:
+    dry_run_spec: []
+    name: organizations/123456789012/policies/container.managed.enablePrivateNodes
+    parent: organizations/123456789012
+    spec:
+    - inherit_from_parent: null
+      reset: null
+      rules:
+      - allow_all: null
+        condition: []
+        deny_all: null
+        enforce: 'TRUE'
+        parameters: null
+        values: []
+    timeouts: null
+  module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountApiKeyCreation"]:
+    dry_run_spec: []
+    name: organizations/123456789012/policies/iam.managed.disableServiceAccountApiKeyCreation
+    parent: organizations/123456789012
+    spec:
+    - inherit_from_parent: null
+      reset: null
+      rules:
+      - allow_all: null
+        condition: []
+        deny_all: null
+        enforce: 'TRUE'
+        parameters: null
+        values: []
+    timeouts: null