From 7e20abc19dff0b23cff4eacc5d6103c690d68c3d Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Wed, 2 Jul 2025 15:53:58 +0200
Subject: [PATCH] Update default FAST org policies (#3207)
---
 .github/actions/fabric-tests/action.yml | 4 +-
 .github/workflows/tests.yml | 2 +-
 .../data/org-policies-managed/gke.yaml | 8 +++
 .../data/org-policies-managed/iam.yaml | 4 ++
 .../0-bootstrap/data/org-policies/gke.yaml | 8 +++
 .../0-bootstrap/data/org-policies/iam.yaml | 8 ++-
 tests/fast/stages/s0_bootstrap/cicd.yaml | 67 ++++++++++++++++++-
 tests/fast/stages/s0_bootstrap/simple.yaml | 37 +++++++++-
 .../s0_bootstrap/simple_org_policies.yaml | 30 +++++++++
 9 files changed, 159 insertions(+), 9 deletions(-)
diff --git a/.github/actions/fabric-tests/action.yml b/.github/actions/fabric-tests/action.yml
index f31e77e74..28a085155 100644
--- a/.github/actions/fabric-tests/action.yml
+++ b/.github/actions/fabric-tests/action.yml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -71,7 +71,7 @@ runs:
 - name: Pin provider versions
 shell: bash
 run: |
- for f in $(find . -name versions.tf); do
+ for f in $(find . -name versions.tf -o -name versions.tofu); do
 sed -i 's/>=\(.*# tftest\)/=\1/g' $f;
 done
 - name: Install Python Dependencies
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index da628acf4..106567784 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
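Review bot: The rewritten loop in the "Pin provider versions" step still splits `$(find ...)` output on whitespace and passes `$f` to sed unquoted, so a path containing a space would be pinned incorrectly or skipped; since the line is being touched anyway, a null-separated form is safer: `find . \( -name versions.tf -o -name versions.tofu \) -print0 | while IFS= read -r -d '' f; do sed -i 's/>=\(.*# tftest\)/=\1/g' "$f"; done`. The parentheses also make the `-o` grouping explicit if further predicates are added later. The step's remaining lines (the `done` and the next step) are visible, but the `run:` block's indentation was lost in this rendering, so the exact nesting should be checked in the file.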
@@ -83,7 +83,7 @@ jobs:
 mkdir -p ${{ env.TF_PLUGIN_CACHE_DIR }}
 echo 'plugin_cache_dir = "${{ env.TF_PLUGIN_CACHE_DIR }}"' | tee -a /home/runner/.terraformrc
 echo 'disable_checkpoint = true' | tee -a /home/runner/.terraformrc
- sed -i -e 's/>=\(.*# tftest\)/=\1/g' tools/lockfile/versions.tf
+ sed -i -e 's/>=\(.*# tftest\)/=\1/g' tools/lockfile/versions.tf tools/lockfile/versions.tofu
 # change terraform version to the one that is running
 sed -i 's/required_version = .*$/required_version = ">= ${{ matrix.version }}"/g' tools/lockfile/versions.tf
diff --git a/fast/stages/0-bootstrap/data/org-policies-managed/gke.yaml b/fast/stages/0-bootstrap/data/org-policies-managed/gke.yaml
index bd0bfcbce..01a883724 100644
--- a/fast/stages/0-bootstrap/data/org-policies-managed/gke.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies-managed/gke.yaml
@@ -21,3 +21,11 @@
 # custom.disableKubeletReadOnlyPort:
 # rules:
 # - enforce: true
+
+container.managed.enablePrivateNodes:
+ rules:
+ - enforce: true
+
+# container.managed.enableControlPlaneDNSOnlyAccess:
+# rules:
+# - enforce: true
diff --git a/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml b/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml
index f68b72b16..d122b661c 100644
--- a/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies-managed/iam.yaml
@@ -50,6 +50,10 @@ iam.managed.disableServiceAccountKeyUpload:
 rules:
 - enforce: true
+iam.managed.disableServiceAccountApiKeyCreation:
+ rules:
+ - enforce: true
+
 iam.serviceAccountKeyExposureResponse:
 rules:
 - allow:
diff --git a/fast/stages/0-bootstrap/data/org-policies/gke.yaml b/fast/stages/0-bootstrap/data/org-policies/gke.yaml
index bd0bfcbce..01a883724 100644
--- a/fast/stages/0-bootstrap/data/org-policies/gke.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies/gke.yaml
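Review bot: The new sed line pins `tools/lockfile/versions.tofu` as well as `versions.tf`, but the `required_version` rewrite two lines below still names only `tools/lockfile/versions.tf`, so the tofu lockfile keeps whatever `required_version` it was committed with rather than the matrix version; if that file carries the same constraint, the second sed should list both: `sed -i 's/required_version = .*$/required_version = ">= ${{ matrix.version }}"/g' tools/lockfile/versions.tf tools/lockfile/versions.tofu`. Note also that `sed -i` exits non-zero when one of its file arguments is missing, so this step now hard-depends on `versions.tofu` existing in the checkout; that seems intended given the diffstat, but is worth a one-line comment above the sed. The enclosing step's `run:` block starts before this hunk.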
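Review bot: `container.managed.enablePrivateNodes` is the first constraint in this file enabled with a bare `enforce: true` and no condition, while everything else in the visible context (`custom.disableKubeletReadOnlyPort`, and the new `container.managed.enableControlPlaneDNSOnlyAccess`) is left commented out with no indication of why; a short comment would help operators adopting the defaults, e.g. `# enforced by default: new GKE node pools must use private nodes; comment out or scope via tags if a workload needs public node IPs`. Unlike `iam.allowedPolicyMemberDomains` in iam.yaml, which is scoped through a `resource.matchTag` condition, this rule has no tag-based opt-out, so presumably any exception has to be handled by editing the file in the stage. The same hunk appears verbatim in `fast/stages/0-bootstrap/data/org-policies/gke.yaml`; whichever comment is chosen should be added to both.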
@@ -21,3 +21,11 @@
 # custom.disableKubeletReadOnlyPort:
 # rules:
 # - enforce: true
+
+container.managed.enablePrivateNodes:
+ rules:
+ - enforce: true
+
+# container.managed.enableControlPlaneDNSOnlyAccess:
+# rules:
+# - enforce: true
diff --git a/fast/stages/0-bootstrap/data/org-policies/iam.yaml b/fast/stages/0-bootstrap/data/org-policies/iam.yaml
index 460376a6f..54edbaf89 100644
--- a/fast/stages/0-bootstrap/data/org-policies/iam.yaml
+++ b/fast/stages/0-bootstrap/data/org-policies/iam.yaml
@@ -34,11 +34,11 @@ iam.allowedPolicyMemberDomains:
 expression: |
 resource.matchTag('${tags.org_policies_tag_name}', 'allowed-policy-member-domains-all')
-iam.automaticIamGrantsForDefaultServiceAccounts:
+iam.disableAuditLoggingExemption:
 rules:
 - enforce: true
-iam.disableAuditLoggingExemption:
+iam.automaticIamGrantsForDefaultServiceAccounts:
 rules:
 - enforce: true
@@ -50,6 +50,10 @@ iam.disableServiceAccountKeyUpload:
 rules:
 - enforce: true
+iam.managed.disableServiceAccountApiKeyCreation:
+ rules:
+ - enforce: true
+
 iam.serviceAccountKeyExposureResponse:
 rules:
 - allow:
diff --git a/tests/fast/stages/s0_bootstrap/cicd.yaml b/tests/fast/stages/s0_bootstrap/cicd.yaml
index 349fa2a14..ef9e69d1c 100644
--- a/tests/fast/stages/s0_bootstrap/cicd.yaml
+++ b/tests/fast/stages/s0_bootstrap/cicd.yaml
@@ -1406,6 +1406,21 @@ values:
 parameters: null
 values: []
 timeouts: null
+ module.organization.google_org_policy_policy.default["container.managed.enablePrivateNodes"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/container.managed.enablePrivateNodes
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["custom.denyBridgePerimeters"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/custom.denyBridgePerimeters
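Review bot: The first iam.yaml hunk only swaps the positions of `iam.automaticIamGrantsForDefaultServiceAccounts` and `iam.disableAuditLoggingExemption` without changing either rule, which takes the keys out of the alphabetical order the rest of the file appears to follow and adds four lines of churn unrelated to the new constraint; unless the order matters to the loader (it should not for a YAML map), I would drop that hunk. In the second hunk the added `iam.managed.disableServiceAccountApiKeyCreation` sits next to the legacy-named `iam.disableServiceAccountKeyUpload`, so this file now mixes managed and legacy constraint names; assuming the `org-policies` vs `org-policies-managed` split is meant to separate those, a comment such as `# managed constraint; no legacy equivalent exists` (if that is the reason) would prevent a later cleanup from removing it.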
@@ -1568,6 +1583,21 @@ values:
 parameters: null
 values: []
 timeouts: null
+ module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountApiKeyCreation"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.managed.disableServiceAccountApiKeyCreation
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
 module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
 dry_run_spec: []
 name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
@@ -1946,6 +1976,14 @@ values:
 role_id: billingViewer
 stage: GA
 title: Custom role billingViewer
+ module.organization.google_organization_iam_custom_role.roles["dns_zone_binder"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - dns.networks.bindPrivateDNSZone
+ role_id: dnsZoneBinder
+ stage: GA
+ title: Custom role dnsZoneBinder
 module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
 description: Terraform-managed.
 org_id: '123456789012'
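Review bot: The custom-role entries added to this fixture (`dns_zone_binder` here, and `kms_key_encryption_admin` / `kms_key_viewer` in the following hunk) do not correspond to anything this patch changes: the diffstat touches only the gke and iam org-policy data files, and the `google_organization_iam_custom_role: 16` count in the counts hunk is unchanged, so these look like a refresh of a fixture that had gone stale rather than an effect of the org-policy update. That is fine, but it should be stated in the PR description so reviewers do not go looking for the role definitions in this diff. The same entries are added to `tests/fast/stages/s0_bootstrap/simple.yaml`. The org-policy additions and the `38`→`40` / `+2` resource count changes do match the two new constraints.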
@@ -1968,6 +2006,31 @@ values:
 role_id: gcveNetworkViewer
 stage: GA
 title: Custom role gcveNetworkViewer
+ module.organization.google_organization_iam_custom_role.roles["kms_key_encryption_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - cloudkms.cryptoKeyVersions.get
+ - cloudkms.cryptoKeyVersions.list
+ - cloudkms.cryptoKeys.get
+ - cloudkms.cryptoKeys.getIamPolicy
+ - cloudkms.cryptoKeys.list
+ - cloudkms.cryptoKeys.setIamPolicy
+ role_id: kmsKeyEncryptionAdmin
+ stage: GA
+ title: Custom role kmsKeyEncryptionAdmin
+ module.organization.google_organization_iam_custom_role.roles["kms_key_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - cloudkms.cryptoKeyVersions.get
+ - cloudkms.cryptoKeyVersions.list
+ - cloudkms.cryptoKeys.get
+ - cloudkms.cryptoKeys.getIamPolicy
+ - cloudkms.cryptoKeys.list
+ role_id: kmsKeyViewer
+ stage: GA
+ title: Custom role kmsKeyViewer
 module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
 description: Terraform-managed.
 org_id: '123456789012'
@@ -2322,7 +2385,7 @@ counts:
 google_logging_organization_sink: 4
 google_logging_project_bucket_config: 4
 google_org_policy_custom_constraint: 1
- google_org_policy_policy: 38
+ google_org_policy_policy: 40
 google_organization_iam_binding: 26
 google_organization_iam_custom_role: 16
 google_organization_iam_member: 31
@@ -2343,7 +2406,7 @@ counts:
 google_tags_tag_value: 2
 local_file: 13
 modules: 26
- resources: 295
+ resources: 297
 outputs:
 custom_roles:
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 9418116f7..66a2c2dea 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -1175,6 +1175,14 @@ values:
 role_id: billingViewer
 stage: GA
 title: Custom role billingViewer
+ module.organization.google_organization_iam_custom_role.roles["dns_zone_binder"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - dns.networks.bindPrivateDNSZone
+ role_id: dnsZoneBinder
+ stage: GA
+ title: Custom role dnsZoneBinder
 module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
 description: Terraform-managed.
 org_id: '123456789012'
@@ -1197,6 +1205,31 @@ values:
 role_id: gcveNetworkViewer
 stage: GA
 title: Custom role gcveNetworkViewer
+ module.organization.google_organization_iam_custom_role.roles["kms_key_encryption_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - cloudkms.cryptoKeyVersions.get
+ - cloudkms.cryptoKeyVersions.list
+ - cloudkms.cryptoKeys.get
+ - cloudkms.cryptoKeys.getIamPolicy
+ - cloudkms.cryptoKeys.list
+ - cloudkms.cryptoKeys.setIamPolicy
+ role_id: kmsKeyEncryptionAdmin
+ stage: GA
+ title: Custom role kmsKeyEncryptionAdmin
+ module.organization.google_organization_iam_custom_role.roles["kms_key_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - cloudkms.cryptoKeyVersions.get
+ - cloudkms.cryptoKeyVersions.list
+ - cloudkms.cryptoKeys.get
+ - cloudkms.cryptoKeys.getIamPolicy
+ - cloudkms.cryptoKeys.list
+ role_id: kmsKeyViewer
+ stage: GA
+ title: Custom role kmsKeyViewer
 module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
 description: Terraform-managed.
 org_id: '123456789012'
@@ -1549,7 +1582,7 @@ counts:
 google_logging_organization_sink: 4
 google_logging_project_bucket_config: 4
 google_org_policy_custom_constraint: 1
- google_org_policy_policy: 38
+ google_org_policy_policy: 40
 google_organization_iam_binding: 26
 google_organization_iam_custom_role: 16
 google_organization_iam_member: 31
@@ -1570,7 +1603,7 @@ counts:
 google_tags_tag_value: 2
 local_file: 8
 modules: 20
- resources: 258
+ resources: 260
 outputs:
 cicd_repositories: {}
diff --git a/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml b/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml
index a6d5cfc75..8053833b3 100644
--- a/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple_org_policies.yaml
@@ -590,3 +590,33 @@ values:
 parameters: null
 values: []
 timeouts: null
+ module.organization.google_org_policy_policy.default["container.managed.enablePrivateNodes"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/container.managed.enablePrivateNodes
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountApiKeyCreation"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.managed.disableServiceAccountApiKeyCreation
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ parameters: null
+ values: []
+ timeouts: null