Implement various compliance configuration and principle of least privilege for hardened dataset (#3635)

fast/stages/0-org-setup/datasets/hardened/README.md

@@ -34,7 +34,11 @@ To use this `hardened` dataset, create a `0-org-setup.auto.tfvars` file in the `
 
 ```tfvars
 factories_config = {
+  defaults         = "datasets/hardened/defaults.yaml"
+  folders          = "datasets/hardened/folders"
+  observability    = "datasets/hardened/observability"
   organization     = "datasets/hardened/organization"
+  projects         = "datasets/hardened/projects"
 }
 ```
 

fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml

@@ -0,0 +1,17 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/folder.schema.json
+
+name: Data Platform

fast/stages/0-org-setup/datasets/hardened/folders/data-platform/dev/.config.yaml

@@ -0,0 +1,52 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
+
+name: Development
+iam_by_principals:
+  $iam_principals:service_accounts/iac-0/iac-dp-dev-rw:
+    - roles/bigquery.admin
+    - roles/composer.admin
+    - roles/compute.xpnAdmin
+    - roles/dataflow.admin
+    - roles/iam.serviceAccountAdmin
+    - roles/logging.admin
+    - roles/pubsub.admin
+    - roles/resourcemanager.folderAdmin
+    - roles/resourcemanager.projectCreator
+    - roles/resourcemanager.projectDeleter
+    - roles/resourcemanager.projectIamAdmin
+    - roles/serviceusage.serviceUsageAdmin
+    - roles/storage.admin
+  $iam_principals:service_accounts/iac-0/iac-dp-dev-ro:
+    - roles/bigquery.dataViewer
+    - roles/bigquery.jobUser
+    - roles/browser
+    - roles/composer.user
+    - roles/datacatalog.viewer
+    - roles/dataflow.viewer
+    - roles/logging.viewer
+    - roles/pubsub.viewer
+    - roles/resourcemanager.folderViewer
+    - roles/resourcemanager.tagViewer
+    - roles/serviceusage.serviceUsageViewer
+    - roles/storage.bucketViewer
+    - roles/storage.objectViewer
+    - $custom_roles:folder_viewer
+    - $custom_roles:logging_viewer
+    - $custom_roles:service_account_viewer
+    - $custom_roles:storage_viewer
+tag_bindings:
+  environment: $tag_values:environment/development

fast/stages/0-org-setup/datasets/hardened/folders/data-platform/prod/.config.yaml

@@ -0,0 +1,19 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
+
+name: Production
+tag_bindings:
+  environment: $tag_values:environment/production

fast/stages/0-org-setup/datasets/hardened/folders/networking/.config.yaml

@@ -0,0 +1,73 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/folder.schema.json
+
+name: Networking
+iam_by_principals:
+  $iam_principals:service_accounts/iac-0/iac-networking-rw:
+    - roles/compute.networkAdmin
+    - roles/compute.securityAdmin
+    - roles/compute.xpnAdmin
+    - roles/dns.admin
+    - roles/iam.networkAdmin
+    - roles/logging.admin
+    - roles/resourcemanager.folderAdmin
+    - roles/resourcemanager.projectCreator
+    - roles/resourcemanager.projectDeleter
+    - roles/resourcemanager.projectIamAdmin
+    - roles/resourcemanager.tagUser
+    - roles/serviceusage.serviceUsageAdmin
+  $iam_principals:service_accounts/iac-0/iac-networking-ro:
+    - roles/browser
+    - roles/compute.networkViewer
+    - roles/dns.reader
+    - roles/logging.viewer
+    - roles/resourcemanager.folderViewer
+    - roles/resourcemanager.tagViewer
+    - roles/serviceusage.serviceUsageViewer
+    - $custom_roles:service_networking_viewer
+  $iam_principals:service_accounts/iac-0/iac-pf-rw:
+    - $custom_roles:service_project_network_admin
+  $iam_principals:service_accounts/iac-0/iac-pf-ro:
+    - roles/compute.viewer
+    - $custom_roles:project_iam_viewer
+iam_bindings:
+  dp_dev_rw:
+    members:
+      - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
+    role: $custom_roles:service_project_network_admin
+    condition:
+      expression: |
+        resource.matchTag('${organization.id}/environment', 'development')
+      title: Data platform dev service project admin.
+  dp_dev_ro:
+    role: roles/compute.networkViewer
+    members:
+      - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
+    condition:
+      title: Data platform dev network viewer.
+      expression: |
+        resource.matchTag('${organization.id}/environment', 'development')
+  project_factory:
+    role: roles/resourcemanager.projectIamAdmin
+    members:
+      - $iam_principals:service_accounts/iac-0/iac-pf-rw
+    condition:
+      title: Project factory delegated IAM grant.
+      expression: |
+        api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
+          'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',
+          'roles/container.hostServiceAgentUser', 'roles/vpcaccess.user'
+        ])

fast/stages/0-org-setup/datasets/hardened/folders/networking/dev/.config.yaml

@@ -0,0 +1,33 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
+
+name: Development
+iam:
+  $custom_roles:project_iam_viewer:
+    - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
+iam_bindings:
+  dp_dev:
+    role: roles/resourcemanager.projectIamAdmin
+    members:
+      - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
+    condition:
+      title: Data platform dev delegated IAM grant.
+      expression: |
+        api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
+          '${custom_roles.service_project_network_admin}'
+        ])
+tag_bindings:
+  environment: $tag_values:environment/development

fast/stages/0-org-setup/datasets/hardened/folders/networking/prod/.config.yaml

@@ -0,0 +1,19 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../../schemas/folder.schema.json
+
+name: Production
+tag_bindings:
+  environment: $tag_values:environment/production

fast/stages/0-org-setup/datasets/hardened/folders/security/.config.yaml

@@ -0,0 +1,53 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/folder.schema.json
+
+name: Security
+iam_by_principals:
+  $iam_principals:service_accounts/iac-0/iac-security-rw:
+    - roles/cloudkms.admin
+    - roles/logging.admin
+    - roles/resourcemanager.folderAdmin
+    - roles/resourcemanager.projectCreator
+    - roles/resourcemanager.projectDeleter
+    - roles/resourcemanager.projectIamAdmin
+    - roles/resourcemanager.tagUser
+    - roles/securitycenter.admin
+    - roles/serviceusage.serviceUsageAdmin
+  $iam_principals:service_accounts/iac-0/iac-security-ro:
+    - roles/browser
+    - roles/cloudkms.viewer
+    - roles/logging.viewer
+    - roles/resourcemanager.folderViewer
+    - roles/resourcemanager.tagViewer
+    - roles/securitycenter.viewer
+    - roles/serviceusage.serviceUsageViewer
+    - $custom_roles:logging_viewer
+  $iam_principals:service_accounts/iac-0/iac-pf-rw:
+    - roles/cloudkms.cryptoKeyEncrypterDecrypter
+  $iam_principals:service_accounts/iac-0/iac-pf-ro:
+    - roles/cloudkms.viewer
+    - $custom_roles:project_iam_viewer
+iam_bindings:
+  project_factory:
+    role: roles/resourcemanager.projectIamAdmin
+    members:
+      - $iam_principals:service_accounts/iac-0/iac-pf-rw
+    condition:
+      title: Project factory delegated IAM grant.
+      expression: |
+        api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
+          'roles/cloudkms.cryptoKeyEncrypterDecrypter'
+        ])

fast/stages/0-org-setup/datasets/hardened/folders/security/dev/.config.yaml

@@ -0,0 +1,25 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../0-org-setup/schemas/folder.schema.json
+
+name: Development
+parent: $folder_ids:security
+tag_bindings:
+  environment: $tag_values:environment/development
+iam_by_principals:
+  $iam_principals:service_accounts/iac-0/iac-dp-dev-ro:
+    - $custom_roles:cloudkms_viewer
+  $iam_principals:service_accounts/iac-0/iac-pf-ro:
+    - $custom_roles:cloudkms_viewer

fast/stages/0-org-setup/datasets/hardened/folders/security/prod/.config.yaml

@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../0-org-setup/schemas/folder.schema.json
+
+name: Production
+parent: $folder_ids:security
+tag_bindings:
+  environment: $tag_values:environment/production

fast/stages/0-org-setup/datasets/hardened/folders/teams/.config.yaml

@@ -0,0 +1,47 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/folder.schema.json
+
+name: Teams
+iam_by_principals:
+  $iam_principals:service_accounts/iac-0/iac-pf-rw:
+    - roles/bigquery.admin
+    - roles/container.admin
+    - roles/iam.serviceAccountAdmin
+    - roles/logging.admin
+    - roles/pubsub.admin
+    - roles/resourcemanager.folderAdmin
+    - roles/resourcemanager.projectCreator
+    - roles/resourcemanager.projectDeleter
+    - roles/resourcemanager.projectIamAdmin
+    - roles/resourcemanager.tagUser
+    - roles/serviceusage.serviceUsageAdmin
+    - roles/storage.admin
+    - $custom_roles:service_project_network_admin
+  $iam_principals:service_accounts/iac-0/iac-pf-ro:
+    - roles/bigquery.dataViewer
+    - roles/bigquery.jobUser
+    - roles/browser
+    - roles/compute.viewer
+    - roles/container.clusterViewer
+    - roles/logging.viewer
+    - roles/pubsub.viewer
+    - roles/resourcemanager.folderViewer
+    - roles/resourcemanager.tagViewer
+    - roles/serviceusage.serviceUsageViewer
+    - $custom_roles:logging_viewer
+    - $custom_roles:service_account_viewer
+tag_bindings:
+  context: $tag_values:context/project-factory

fast/stages/0-org-setup/datasets/hardened/organization/.config.yaml

@@ -64,6 +64,7 @@ iam_by_principals:
     - roles/resourcemanager.folderAdmin
     - roles/resourcemanager.organizationAdmin
     - roles/resourcemanager.projectCreator
+    - roles/resourcemanager.projectDeleter
     - roles/resourcemanager.projectMover
     - roles/resourcemanager.tagAdmin
     - roles/resourcemanager.tagUser
@@ -80,6 +81,7 @@ iam_by_principals:
     - roles/serviceusage.serviceUsageViewer
     - $custom_roles:organization_admin_viewer
     - $custom_roles:tag_viewer
+    - roles/securitycentermanagement.customModulesViewer
   $iam_principals:service_accounts/iac-0/iac-networking-rw:
     # uncomment for cooperative VPC-SC configurations
     # - roles/accesscontextmanager.policyEditor

fast/stages/0-org-setup/datasets/hardened/organization/custom-roles/cloudkms_viewer.yaml

@@ -0,0 +1,46 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
+# the following permissions are a descoped version of storage.admin
+
+name: cloudKmsViewer
+includedPermissions:
+  - cloudkms.autokeyConfigs.get
+  - cloudkms.cryptoKeyVersions.get
+  - cloudkms.cryptoKeyVersions.list
+  - cloudkms.cryptoKeys.get
+  - cloudkms.cryptoKeys.getIamPolicy
+  - cloudkms.cryptoKeys.list
+  - cloudkms.ekmConfigs.get
+  - cloudkms.ekmConfigs.getIamPolicy
+  - cloudkms.ekmConnections.get
+  - cloudkms.ekmConnections.getIamPolicy
+  - cloudkms.ekmConnections.list
+  - cloudkms.importJobs.get
+  - cloudkms.importJobs.getIamPolicy
+  - cloudkms.importJobs.list
+  - cloudkms.kajPolicyConfigs.get
+  - cloudkms.keyHandles.get
+  - cloudkms.keyHandles.list
+  - cloudkms.keyRings.get
+  - cloudkms.keyRings.getIamPolicy
+  - cloudkms.keyRings.list
+  - cloudkms.locations.get
+  - cloudkms.locations.list
+  - cloudkms.operations.get
+  - cloudkms.singleTenantHsmInstanceProposals.get
+  - cloudkms.singleTenantHsmInstanceProposals.list
+  - cloudkms.singleTenantHsmInstances.get
+  - cloudkms.singleTenantHsmInstances.list

fast/stages/0-org-setup/datasets/hardened/organization/custom-roles/folder_viewer.yaml

@@ -0,0 +1,24 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
+# the following permissions are a descoped version of tagAdm
+
+name: folderViewer
+includedPermissions:
+  - resourcemanager.folders.get
+  - resourcemanager.folders.getIamPolicy
+  - resourcemanager.folders.list
+  - resourcemanager.folders.searchPolicyBindings
+

fast/stages/0-org-setup/datasets/hardened/organization/custom-roles/logging_viewer.yaml

@@ -0,0 +1,65 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
+# the following permissions are a descoped version of tagAdm
+
+name: loggingViewer
+includedPermissions:
+  - logging.buckets.get
+  - logging.buckets.list
+  - logging.buckets.listEffectiveTags
+  - logging.buckets.listTagBindings
+  - logging.exclusions.get
+  - logging.exclusions.list
+  - logging.fields.access
+  - logging.links.get
+  - logging.links.list
+  - logging.locations.get
+  - logging.locations.list
+  - logging.logEntries.list
+  - logging.logMetrics.get
+  - logging.logMetrics.list
+  - logging.logs.list
+  - logging.logScopes.get
+  - logging.logScopes.list
+  - logging.logServiceIndexes.list
+  - logging.logServices.list
+  - logging.notificationRules.get
+  - logging.notificationRules.list
+  - logging.operations.get
+  - logging.operations.list
+  - logging.privateLogEntries.list
+  - logging.queries.getShared
+  - logging.queries.listShared
+  - logging.settings.get
+  - logging.sinks.get
+  - logging.sinks.list
+  - logging.usage.get
+  - logging.views.get
+  - logging.views.getIamPolicy
+  - logging.views.list
+  - logging.views.listLogs
+  - logging.views.listResourceKeys
+  - logging.views.listResourceValues
+  - observability.scopes.get
+  - resourcemanager.projects.get
+  - resourcemanager.projects.list
+  - resourcemanager.tagHolds.list
+  - resourcemanager.tagKeys.get
+  - resourcemanager.tagKeys.getIamPolicy
+  - resourcemanager.tagKeys.list
+  - resourcemanager.tagValues.get
+  - resourcemanager.tagValues.getIamPolicy
+  - resourcemanager.tagValues.list

fast/stages/0-org-setup/datasets/hardened/organization/custom-roles/service_account_viewer.yaml

@@ -0,0 +1,23 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
+# the following permissions are a descoped version of storage.admin
+
+name: serviceAccountViewer
+includedPermissions:
+  - iam.serviceAccounts.get
+  - iam.serviceAccounts.getIamPolicy
+  - iam.serviceAccounts.list
+

fast/stages/0-org-setup/datasets/hardened/organization/custom-roles/service_networking_viewer.yaml

@@ -0,0 +1,25 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/custom-role.schema.json
+# the following permissions are a descoped version of storage.admin
+
+name: serviceNetworkingViewer
+includedPermissions:
+  - servicenetworking.operations.get
+  - servicenetworking.operations.list
+  - servicenetworking.services.get
+  - servicenetworking.services.getConsumerConfig
+  - servicenetworking.services.getVpcServiceControls
+  - servicenetworking.services.listPeeredDnsDomains

fast/stages/0-org-setup/datasets/hardened/organization/org-policies/network.yaml

@@ -18,6 +18,10 @@
 
 # yaml-language-server: $schema=../../../../schemas/org-policies.schema.json
 
+compute.disableVpcInternalIpv6:
+  rules:
+    - enforce: true
+
 compute.requireVpcFlowLogs:
   rules:
     - allow:

fast/stages/0-org-setup/datasets/hardened/projects/core/billing-0.yaml

@@ -17,14 +17,27 @@
 name: prod-billing-exp-0
 iam_by_principals:
   $iam_principals:service_accounts/iac-0/iac-org-ro:
-    - roles/viewer
+    - roles/bigquery.jobUser
+    - roles/bigquery.dataViewer
+    - roles/browser
+    - roles/serviceusage.serviceUsageViewer
+    - roles/storage.objectViewer
+    - $custom_roles:cloudkms_viewer
   $iam_principals:service_accounts/iac-0/iac-org-rw:
-    - roles/owner
+    - roles/bigquery.admin
+    - roles/cloudkms.admin
+    - roles/resourcemanager.projectIamAdmin
+    - roles/serviceusage.serviceUsageAdmin
+    - roles/storage.admin
 services:
   - bigquery.googleapis.com
   - bigquerydatatransfer.googleapis.com
   - cloudkms.googleapis.com
+  - logging.googleapis.com
   - storage.googleapis.com
+iam:
+  # reset default role on new project
+  roles/owner: []
 kms:
   keyrings:
     ew1:
@@ -32,6 +45,10 @@ kms:
       keys:
         bigquery:
           rotation_period: 7776000s
+log_buckets:
+  _Default:
+    retention: 90
+    location: europe-west1
 service_encryption_key_ids:
   bigquery.googleapis.com:
     - $kms_keys:billing-0/ew1/bigquery

fast/stages/0-org-setup/datasets/hardened/projects/core/iac-0.yaml

@@ -25,13 +25,37 @@ iam_by_principals:
     - roles/cloudbuild.builds.viewer
     - roles/iam.serviceAccountViewer
     - roles/iam.workloadIdentityPoolViewer
+    - roles/bigquery.jobUser
+    - roles/bigquery.dataViewer
+    - roles/compute.viewer
+    - roles/container.viewer
+    - roles/logging.viewer
+    - roles/monitoring.viewer
+    - roles/pubsub.viewer
+    - roles/securitycentermanagement.viewer
+    - roles/storage.objectViewer
     - $custom_roles:storage_viewer
-    - roles/viewer
+    - $custom_roles:cloudkms_viewer
   $iam_principals:service_accounts/iac-0/iac-org-rw:
     - roles/cloudbuild.builds.editor
     - roles/iam.serviceAccountAdmin
     - roles/iam.workloadIdentityPoolAdmin
-    - roles/owner
+    - roles/accesscontextmanager.policyAdmin
+    - roles/bigquery.admin
+    - roles/billing.projectManager
+    - roles/cloudasset.owner
+    - roles/cloudkms.admin
+    - roles/compute.admin
+    - roles/container.admin
+    - roles/datacatalog.admin
+    - roles/iam.roleAdmin
+    - roles/logging.admin
+    - roles/monitoring.admin
+    - roles/pubsub.admin
+    - roles/resourcemanager.projectIamAdmin
+    - roles/securitycentermanagement.admin
+    - roles/servicenetworking.networksAdmin
+    - roles/serviceusage.serviceUsageAdmin
     - roles/storage.admin
   $iam_principals:service_accounts/iac-0/iac-networking-rw:
     - roles/serviceusage.serviceUsageConsumer
@@ -45,6 +69,9 @@ iam_by_principals:
     - roles/serviceusage.serviceUsageConsumer
   $iam_principals:service_accounts/iac-0/iac-security-ro:
     - roles/serviceusage.serviceUsageConsumer
+iam:
+  # reset default role on new project
+  roles/owner: []
 services:
   - accesscontextmanager.googleapis.com
   - bigquery.googleapis.com
@@ -81,6 +108,10 @@ kms:
       keys:
         storage:
           rotation_period: 7776000s
+log_buckets:
+  _Default:
+    retention: 90
+    location: europe-west1
 service_encryption_key_ids:
   storage.googleapis.com:
     - $kms_keys:iac-0/ew1/storage
@@ -102,6 +133,31 @@ buckets:
     description: Terraform state for the org-level automation.
     versioning: true
     encryption_key: $kms_keys:iac-0/ew1/storage
+    lifecycle_rules:
+      nearline-30:
+        action:
+          type: SetStorageClass
+          storage_class: NEARLINE
+        condition:
+          age: 30
+          matches_storage_class:
+            - STANDARD
+      coldline-90:
+        action:
+          type: SetStorageClass
+          storage_class: COLDLINE
+        condition:
+          age: 90
+          matches_storage_class:
+            - NEARLINE
+      archive-365:
+        action:
+          type: SetStorageClass
+          storage_class: ARCHIVE
+        condition:
+          age: 365
+          matches_storage_class:
+            - COLDLINE
     iam:
       roles/storage.admin:
         - $iam_principals:service_accounts/iac-0/iac-org-rw
@@ -112,6 +168,31 @@ buckets:
     description: Terraform state for stage automation.
     versioning: true
     encryption_key: $kms_keys:iac-0/ew1/storage
+    lifecycle_rules:
+      nearline-30:
+        action:
+          type: SetStorageClass
+          storage_class: NEARLINE
+        condition:
+          age: 30
+          matches_storage_class:
+            - STANDARD
+      coldline-90:
+        action:
+          type: SetStorageClass
+          storage_class: COLDLINE
+        condition:
+          age: 90
+          matches_storage_class:
+            - NEARLINE
+      archive-365:
+        action:
+          type: SetStorageClass
+          storage_class: ARCHIVE
+        condition:
+          age: 365
+          matches_storage_class:
+            - COLDLINE
     managed_folders:
       1-vpcsc:
         iam:
@@ -148,6 +229,31 @@ buckets:
     description: Terraform state for the org-level automation.
     versioning: true
     encryption_key: $kms_keys:iac-0/ew1/storage
+    lifecycle_rules:
+      nearline-30:
+        action:
+          type: SetStorageClass
+          storage_class: NEARLINE
+        condition:
+          age: 30
+          matches_storage_class:
+            - STANDARD
+      coldline-90:
+        action:
+          type: SetStorageClass
+          storage_class: COLDLINE
+        condition:
+          age: 90
+          matches_storage_class:
+            - NEARLINE
+      archive-365:
+        action:
+          type: SetStorageClass
+          storage_class: ARCHIVE
+        condition:
+          age: 365
+          matches_storage_class:
+            - COLDLINE
     iam:
       roles/storage.admin:
         - $iam_principals:service_accounts/iac-0/iac-org-rw

fast/stages/0-org-setup/datasets/hardened/projects/core/log-0.yaml

@@ -17,9 +17,23 @@
 name: prod-audit-logs-0
 iam_by_principals:
   $iam_principals:service_accounts/iac-0/iac-org-ro:
-    - roles/viewer
+    - roles/browser
+    - roles/logging.viewer
+    - roles/monitoring.viewer
+    - roles/pubsub.viewer
+    - roles/storage.objectViewer
+    - $custom_roles:cloudkms_viewer
   $iam_principals:service_accounts/iac-0/iac-org-rw:
-    - roles/owner
+    - roles/cloudkms.admin
+    - roles/logging.admin
+    - roles/monitoring.admin
+    - roles/pubsub.admin
+    - roles/resourcemanager.projectIamAdmin
+    - roles/serviceusage.serviceUsageAdmin
+    - roles/storage.admin
+iam:
+  # reset default role on new project
+  roles/owner: []
 services:
   - cloudkms.googleapis.com
   - logging.googleapis.com
@@ -36,15 +50,20 @@ service_encryption_key_ids:
   logging.googleapis.com:
     - $kms_keys:log-0/ew1/logging
 log_buckets:
+  _Default:
+    retention: 90
+    location: europe-west1
   audit-logs:
     kms_key_name: $kms_keys:log-0/ew1/logging
+    retention: 90
   iam:
     kms_key_name: $kms_keys:log-0/ew1/logging
+    retention: 90
   vpc-sc:
     kms_key_name: $kms_keys:log-0/ew1/logging
     log_analytics:
       enable: true
-    retention: 31
+    retention: 90
 factories_config:
   observability: datasets/hardened/organization/observability/
 org_policies:

fast/stages/2-networking/datasets/hub-and-spokes-peerings/firewall-policies/networking-policy.yaml

@@ -10,6 +10,7 @@ ingress_rules:
   allow-healthchecks:
     description: Enable SSH, HTTP and HTTPS healthchecks
     priority: 1001
+    # enable_logging: true
     match:
       source_ranges:
         - $cidr_ranges_sets:healthchecks
@@ -31,6 +32,7 @@ ingress_rules:
   allow-icmp:
     description: Enable ICMP
     priority: 1003
+    # enable_logging: true
     match:
       source_ranges:
         - 0.0.0.0/0
@@ -40,6 +42,7 @@ ingress_rules:
   allow-nat-ranges:
     description: Enable NAT ranges for VPC serverless connector
     priority: 1004
+    # enable_logging: true
     match:
       source_ranges:
         - 107.178.230.64/26
@@ -48,6 +51,7 @@ egress_rules:
   deny-example-ip:
     description: Allow internal traffic within the VPC
     priority: 2000
+    # enable_logging: true
     match:
       destination_ranges:
         - 1.2.3.4/32

fast/stages/2-networking/datasets/hub-and-spokes-peerings/projects/net-core-0.yaml

@@ -17,3 +17,10 @@ services:
   - vpcaccess.googleapis.com
 shared_vpc_host_config:
   enabled: true
+# iam:
+#   # reset default role on new project
+#   roles/owner: []
+# log_buckets:
+#   _Default:
+#     retention: 90
+#     location: europe-west1

fast/stages/2-networking/datasets/hub-and-spokes-peerings/projects/net-dev-0.yaml

@@ -18,3 +18,10 @@ services:
   - vpcaccess.googleapis.com
 shared_vpc_host_config:
   enabled: true
+# iam:
+#   # reset default role on new project
+#   roles/owner: []
+# log_buckets:
+#   _Default:
+#     retention: 90
+#     location: europe-west1

fast/stages/2-networking/datasets/hub-and-spokes-peerings/projects/net-prod-0.yaml

@@ -18,3 +18,10 @@ services:
   - vpcaccess.googleapis.com
 shared_vpc_host_config:
   enabled: true
+# iam:
+#   # reset default role on new project
+#   roles/owner: []
+# log_buckets:
+#   _Default:
+#     retention: 90
+#     location: europe-west1

fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/dev/subnets/dev-default.yaml

@@ -6,3 +6,7 @@ name: dev-default
 region: $locations:primary
 ip_cidr_range: 10.73.0.0/24
 description: Default primary-region subnet for dev
+# flow_logs_config:
+#   aggregation_interval: "INTERVAL_15_MIN"
+#   flow_sampling: 0.5
+#   metadata: "INCLUDE_ALL_METADATA"

fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/hub/subnets/hub-default.yaml

@@ -6,3 +6,7 @@ name: hub-default
 region: $locations:primary
 ip_cidr_range: 10.71.0.0/24
 description: Default primary-region subnet for hub
+# flow_logs_config:
+#   aggregation_interval: "INTERVAL_15_MIN"
+#   flow_sampling: 0.5
+#   metadata: "INCLUDE_ALL_METADATA"

fast/stages/2-networking/datasets/hub-and-spokes-peerings/vpcs/prod/subnets/prod-default.yaml

@@ -6,3 +6,7 @@ name: prod-default
 region: $locations:primary
 ip_cidr_range: 10.72.0.0/24
 description: Default primary-region subnet for prod
+# flow_logs_config:
+#   aggregation_interval: "INTERVAL_15_MIN"
+#   flow_sampling: 0.5
+#   metadata: "INCLUDE_ALL_METADATA"

fast/stages/2-project-factory/data/projects/dev-app-a-0.yaml

@@ -21,3 +21,10 @@ shared_vpc_service_config:
   host_project: $project_ids:net-dev-0
   # network_users:
   #   - group:team-a-admins@example.com
+# iam:
+#   # reset default role on new project
+#   roles/owner: []
+# log_buckets:
+#   _Default:
+#     retention: 90
+#     location: europe-west1

fast/stages/2-project-factory/data/projects/prod-app-a-0.yaml

@@ -21,3 +21,10 @@ shared_vpc_service_config:
   host_project: $project_ids:net-prod-0
   # network_users:
   #   - group:team-a-admins@example.com
+# iam:
+#   # reset default role on new project
+#   roles/owner: []
+# log_buckets:
+#   _Default:
+#     retention: 90
+#     location: europe-west1

fast/stages/2-project-factory/main.tf

@@ -25,10 +25,10 @@ locals {
   })
   defaults = yamldecode(file(pathexpand(var.factories_config.defaults)))
   fast_defaults = {
-    billing_account = coalesce(
+    billing_account = try(coalesce(
       var.data_defaults.billing_account,
       var.billing_account.id
-    )
+    ), null)
     prefix = coalesce(
       var.data_defaults.prefix, var.prefix
     )

fast/stages/2-security/data/projects/dev-sec-core-0.yaml

@@ -28,6 +28,7 @@ iam_bindings:
   key_delegated:
     members:
       - $iam_principals:service_accounts/iac-0/iac-pf-rw
+      - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
     role: roles/cloudkms.admin
     condition:
       title: Delegated IAM grant on keys.
@@ -37,6 +38,14 @@ iam_bindings:
           .hasOnly(['roles/cloudkms.cryptoKeyEncrypterDecrypter']
         )
 
+# iam:
+#   # reset default role on new project
+#   roles/owner: []
+# log_buckets:
+#   _Default:
+#     retention: 90
+#     location: europe-west1
+
 # uncomment the following if parent is the security folder
 
 # tag_bindings:

fast/stages/2-security/data/projects/prod-sec-core-0.yaml

@@ -37,6 +37,14 @@ iam_bindings:
           .hasOnly(['roles/cloudkms.cryptoKeyEncrypterDecrypter']
         )
 
+# iam:
+#   # reset default role on new project
+#   roles/owner: []
+# log_buckets:
+#   _Default:
+#     retention: 90
+#     location: europe-west1
+
 # uncomment the following if parent is the security folder
 
 # tag_bindings:

tests/fast/stages/s0_org_setup/hardened.tfvars

@@ -1,6 +1,7 @@
 factories_config = {
   cicd_workflows = "data-hardened/cicd-workflows.yaml"
   defaults       = "data-hardened/defaults.yaml"
+  folders        = "datasets/hardened/folders"
   observability  = "datasets/hardened/observability"
   organization   = "datasets/hardened/organization"
   projects       = "datasets/hardened/projects"

tests/fast/stages/s2_security/simple.tfvars

@@ -18,8 +18,9 @@ organization = {
 }
 prefix = "fast"
 service_accounts = {
-  "iac-0/iac-pf-rw" = "iac-pf-rw@test.iam.gserviceaccount.com"
-  "iac-0/iac-pf-ro" = "iac-pf-ro@test.iam.gserviceaccount.com"
+  "iac-0/iac-pf-rw"     = "iac-pf-rw@test.iam.gserviceaccount.com"
+  "iac-0/iac-pf-ro"     = "iac-pf-ro@test.iam.gserviceaccount.com"
+  "iac-0/iac-dp-dev-rw" = "iac-dp-dev-rw@test.iam.gserviceaccount.com"
 }
 storage_buckets = {
   "iac-0/iac-outputs" = "test"

tests/fast/stages/s2_security/simple.yaml

@@ -117,6 +117,7 @@ values:
         \ [])\n  .hasOnly(['roles/cloudkms.cryptoKeyEncrypterDecrypter']\n)\n"
       title: Delegated IAM grant on keys.
     members:
+    - serviceAccount:iac-dp-dev-rw@test.iam.gserviceaccount.com
     - serviceAccount:iac-pf-rw@test.iam.gserviceaccount.com
     project: fast-dev-sec-core-0
     role: roles/cloudkms.admin

tools/duplicate-diff.py

@@ -22,10 +22,6 @@ import os
 # List of folders and files that are expected to have same content
 duplicates = [
     # deep recursive folder comparison
-    [
-        "fast/stages/0-org-setup/datasets/classic/organization/custom-roles",
-        "fast/stages/0-org-setup/datasets/hardened/organization/custom-roles",
-    ],
     [
         "fast/stages/0-org-setup/datasets/classic/organization/tags",
         "fast/stages/0-org-setup/datasets/hardened/organization/tags",