From 81e1a0c273a212a7ea41ba80b97b67acba4d2000 Mon Sep 17 00:00:00 2001
From: kovagoadam
Date: Tue, 9 Jun 2026 09:40:18 +0200
Subject: [PATCH] Added IAM Deny Policy to organization schema (#4016)
---
 .../schemas/organization.schema.json | 79 +++++++++++++++++++
 .../schemas/organization.schema.md | 23 ++++++
 2 files changed, 102 insertions(+)
diff --git a/fast/stages/0-org-setup/schemas/organization.schema.json b/fast/stages/0-org-setup/schemas/organization.schema.json
index 4092e5320..3f82b7e6f 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.json
+++ b/fast/stages/0-org-setup/schemas/organization.schema.json
@@ -178,6 +178,85 @@
 "iam_by_principals_additive": {
 "$ref": "#/$defs/iam_by_principals"
 },
+ "iam_deny_policies": {
+ "type": "object",
+ "additionalProperties": false,
+ "patternProperties": {
+ "^[a-z0-9-]+$": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "rules"
+ ],
+ "properties": {
+ "display_name": {
+ "type": "string"
+ },
+ "rules": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "denied_permissions",
+ "denied_principals"
+ ],
+ "properties": {
+ "description": {
+ "type": "string"
+ },
+ "denied_permissions": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "denied_principals": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "denial_condition": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "expression"
+ ],
+ "properties": {
+ "expression": {
+ "type": "string"
+ },
+ "title": {
+ "type": "string"
+ },
+ "description": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ }
+ },
+ "exception_permissions": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "exception_principals": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
 "logging": {
 "type": "object",
 "additionalProperties": false,
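Review bot: `denied_permissions` and `denied_principals` are required but still validate as empty arrays, and `rules` validates as `[]`, so a deny policy that denies nothing — or a rule the API will reject — passes this schema; add `"minItems": 1` to those three array schemas (the optional `exception_*` arrays can stay unconstrained). Deny policies also take identities in the `principal://` / `principalSet://` form and permissions in the `service.googleapis.com/...` form rather than the `user:` / `iam.roles.create` forms used by allow policies, so a `pattern` on the `items` of `denied_principals` and `denied_permissions` would catch the most common mix-up at validation time rather than at apply time — confirm the exact formats against the provider before fixing a regex. The enclosing `properties` object starts and ends outside the hunk.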
diff --git a/fast/stages/0-org-setup/schemas/organization.schema.md b/fast/stages/0-org-setup/schemas/organization.schema.md
index 9523f7334..d22bd9b7d 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.md
+++ b/fast/stages/0-org-setup/schemas/organization.schema.md
@@ -56,6 +56,29 @@
 - **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
 - **iam_by_principals_conditional**: *reference([iam_by_principals_conditional](#refs-iam_by_principals_conditional))*
 - **iam_by_principals_additive**: *reference([iam_by_principals](#refs-iam_by_principals))*
+- **iam_deny_policies**: *object* +
*additional properties: false* + - **`^[a-z0-9-]+$`**: *object* +
*additional properties: false* + - **display_name**: *string* + - ⁺**rules**: *array* + - items: *object* +
*additional properties: false* + - **description**: *string* + - ⁺**denied_permissions**: *array* + - items: *string* + - ⁺**denied_principals**: *array* + - items: *string* + - **denial_condition**: *object* +
*additional properties: false* + - ⁺**expression**: *string* + - **title**: *string* + - **description**: *string* + - **location**: *string* + - **exception_permissions**: *array* + - items: *string* + - **exception_principals**: *array* + - items: *string* - **logging**: *object*
*additional properties: false* - **kms_key_name**: *string*