Merge remote-tracking branch 'origin/master' into fast-dev

fast/stages/0-org-setup/README-GCD.md

@@ -1,6 +1,6 @@
 # FAST Installation on Google Cloud Dedicated (GCD)
 
-This document serves as an extension to the main **[FAST Organization Setup README](../README.md)**, detailing the specific configurations and steps required to deploy the Fabric FAST landing zone on **Google Cloud Dedicated (GCD)**.
+This document serves as an extension to the main **[FAST Organization Setup README](./README.md)**, detailing the specific configurations and steps required to deploy the Fabric FAST landing zone on **Google Cloud Dedicated (GCD)**.
 
 It assumes familiarity with the standard FAST bootstrap flow but highlights the critical divergences required for the Google Cloud Dedicated (GCD) environment.
 
@@ -31,7 +31,7 @@ The core stages are:
 
 ## 2. Prerequisites
 
-In addition to the [standard FAST prerequisites](../README.md#prerequisites), ensure the following GCD-specific requirements are met.
+In addition to the [standard FAST prerequisites](./README.md#prerequisites), ensure the following GCD-specific requirements are met.
 
 
 ### Identity Provider
@@ -84,7 +84,7 @@ gcloud auth application-default login \
 
 ## 3. Bootstrap: Manual Temporary Project
 
-*This step replaces the standard [Default project](../README.md#default-project) creation flow.*
+*This step replaces the standard [Default project](./README.md#default-project) creation flow.*
 
 GCD requires a manual bootstrap project because organization policy services are not automatically available at the organization root during the initial setup.
 
@@ -113,7 +113,7 @@ GCD requires a manual bootstrap project because organization policy services are
 
 ## 4. Terraform Configuration Updates
 
-*This section details specific modifications to the [Configure defaults](../README.md#configure-defaults) step.*
+*This section details specific modifications to the [Configure defaults](./README.md#configure-defaults) step.*
 
 ### Provider Configuration
 
@@ -134,7 +134,16 @@ provider "google-beta" {
 
 Update your `defaults.yaml` file to include a `universe` block within the `overrides` section. This configures the correct API domains and disables service identities that are not available in GCD.
 
+Additionally, you must provide valid values for the following fields in the context section:
+* `context.email_addresses.gcp-organization-admins`: used to set the [essential contact](https://docs.cloud.google.com/resource-manager/docs/manage-essential-contacts) for the core projects
+* `context.iam_principals.gcp-organization-admins`: Used to grant administrative permissions to the administrators.
+
+  **Note on Principals:** If you use a group for the admin principal, ensure your user identity is a member of that group. Otherwise, set this field to your own user identity (e.g., `principal://iam.googleapis.com/locations/global/workforcePools/...`) instead of a group. For further details, refer to the [Configure defaults](./README.md#configure-defaults) section in the standard README.
+
+Your `defaults.yaml should` contain sections that look like this:
+
 ```yaml
+# ... existing configuration ...
 projects:
   defaults:
     # customize prefix as per usual FAST instructions
@@ -154,6 +163,15 @@ projects:
         - dns.googleapis.com
         - monitoring.googleapis.com
         - networksecurity.googleapis.com
+context:
+  email_addresses:
+    gcp-organization-admins: gcp-organization-admins@example.com
+  iam_principals:
+    gcp-organization-admins: group:gcp-organization-admins@example.com
+  locations:
+    # Replace with values from the Configuration Reference table
+    primary: <UNIVERSE_REGION>
+# ... existing configuration ...
 ```
 
 ### Switch to GCD Dataset
@@ -259,4 +277,3 @@ Once the **Organization Setup** stage is fully deployed:
     ```
 
 2.  **Proceed to Next Stages:** Continue with the subsequent FAST stages (VPC-SC, Security, Networking, Project Factory). The universe configuration established here is automatically propagated to these stages via the FAST cross-stage output mechanism.
-

fast/stages/0-org-setup/datasets/classic-gcd/projects/core/billing-0.yaml

@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@ iam_by_principals:
     - roles/owner
 services:
   - bigquery.googleapis.com
-  - bigquerydatatransfer.googleapis.com
+  # - bigquerydatatransfer.googleapis.com
   - storage.googleapis.com
 datasets:
   billing_export:

fast/stages/0-org-setup/datasets/classic/observability/iac-0/impersonation.yaml

@@ -0,0 +1,63 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../../../schemas/observability.schema.json
+
+notification_channels:
+  email-security:
+    type: email
+    display_name: Security Team Email
+    labels:
+      email_address: $email_addresses:gcp-organization-admins
+    enabled: true
+
+logging_metrics:
+  sa-impersonation:
+    filter: |
+      protoPayload.serviceName="iamcredentials.googleapis.com"
+      (protoPayload.methodName="GenerateAccessToken" OR protoPayload.methodName="GenerateIdToken")
+    label_extractors:
+      email_id: EXTRACT(resource.labels.email_id)
+    metric_descriptor:
+      metric_kind: DELTA
+      value_type: INT64
+      unit: "1"
+      display_name: Service Account Impersonation
+      labels:
+        - key: email_id
+          value_type: STRING
+
+alerts:
+  sa-impersonation-alert:
+    display_name: Service Account Impersonation Alert
+    combiner: OR
+    conditions:
+      - display_name: Impersonation Detected
+        condition_threshold:
+          filter: |
+            metric.type="logging.googleapis.com/user/sa-impersonation" AND
+            resource.type="global"
+          comparison: COMPARISON_GT
+          threshold_value: 0
+          duration: 60s
+          trigger:
+            count: 1
+          aggregations:
+            alignment_period: 60s
+            per_series_aligner: ALIGN_COUNT
+            cross_series_reducer: REDUCE_SUM
+            group_by_fields: ["metric.label.email_id"]
+    notification_channels:
+      - email-security
+    enabled: true

fast/stages/0-org-setup/datasets/classic/projects/core/iac-0.yaml

@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -83,6 +83,8 @@ org_policies:
             - https://token.actions.githubusercontent.com
             - https://gitlab.com
             - https://app.terraform.io
+factories_config:
+  observability: datasets/classic/observability/iac-0
 data_access_logs:
   storage.googleapis.com:
     DATA_READ: {}
@@ -90,6 +92,10 @@ data_access_logs:
   sts.googleapis.com:
     DATA_READ: {}
     DATA_WRITE: {}
+  # required to capture service account impersonation events
+  iam.googleapis.com:
+    DATA_READ: {}
+    DATA_WRITE: {}
 buckets:
   # Terraform state bucket for this stage
   iac-org-state: