Merge remote-tracking branch 'origin/master' into fast-dev

This commit is contained in:
Ludovico Magnocavallo
2026-01-20 08:47:01 +00:00
30 changed files with 713 additions and 586 deletions



@@ -513,6 +513,108 @@ values:
filename: /tmp/fast-config/tfvars/0-org-setup.auto.tfvars.json
sensitive_content: null
source: null
local_file.workflows["org-setup"]:
content: "# Copyright 2025 Google LLC\n#\n# Licensed under the Apache License,\
\ Version 2.0 (the \"License\");\n# you may not use this file except in compliance\
\ with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n\
#\n# Unless required by applicable law or agreed to in writing, software\n#\
\ distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT\
\ WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the\
\ License for the specific language governing permissions and\n# limitations\
\ under the License.\n\nname: \"FAST org-setup stage\"\n\non:\n pull_request:\n\
\ branches:\n - main\n types:\n - closed\n - opened\n \
\ - synchronize\n\nenv:\n FAST_SERVICE_ACCOUNT: iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com\n\
\ FAST_SERVICE_ACCOUNT_PLAN: iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com\n\
\ FAST_WIF_PROVIDER: projects/1234567890/locations/global/workloadIdentityPools/default\n\
\ SSH_AUTH_SOCK: /tmp/ssh_agent.sock\n TF_PROVIDERS_FILE: 0-org-setup-providers.tf\n\
\ TF_PROVIDERS_FILE_PLAN: 0-org-setup-providers-ro.tf\n TF_VERSION: 1.12.2\n\
\njobs:\n fast-pr:\n # Skip PRs which are closed without being merged.\n\
\ if: >-\n github.event.action == 'closed' &&\n github.event.pull_request.merged\
\ == true ||\n github.event.action == 'opened' ||\n github.event.action\
\ == 'synchronize'\n permissions:\n contents: read\n id-token:\
\ write\n issues: write\n pull-requests: write\n runs-on: ubuntu-latest\n\
\ steps:\n - id: checkout\n name: Checkout repository\n \
\ uses: actions/checkout@v4\n\n # set up SSH key authentication to the\
\ modules repository\n\n - id: ssh-config\n name: Configure SSH\
\ authentication\n run: |\n ssh-agent -a \"$SSH_AUTH_SOCK\"\
\ > /dev/null\n ssh-add - <<< \"${{ secrets.CICD_MODULES_KEY }}\"\n\
\n # set up step variables for plan / apply\n\n - id: vars-plan\n\
\ if: github.event.pull_request.merged != true && success()\n \
\ name: Set up plan variables\n run: |\n echo \"plan_opts=-lock=false\"\
\ >> \"$GITHUB_ENV\"\n echo \"provider_file=${{env.TF_PROVIDERS_FILE_PLAN}}\"\
\ >> \"$GITHUB_ENV\"\n echo \"service_account=${{env.FAST_SERVICE_ACCOUNT_PLAN}}\"\
\ >> \"$GITHUB_ENV\"\n\n - id: vars-apply\n if: github.event.pull_request.merged\
\ == true && success()\n name: Set up apply variables\n run: |\n\
\ echo \"provider_file=${{env.TF_PROVIDERS_FILE}}\" >> \"$GITHUB_ENV\"\
\n echo \"service_account=${{env.FAST_SERVICE_ACCOUNT}}\" >> \"$GITHUB_ENV\"\
\n\n # set up authentication via Workload identity Federation and gcloud\n\
\n - id: gcp-auth\n name: Authenticate to Google Cloud\n \
\ uses: google-github-actions/auth@v2\n with:\n workload_identity_provider:\
\ ${{env.FAST_WIF_PROVIDER}}\n service_account: ${{env.service_account}}\n\
\ access_token_lifetime: 900s\n\n - id: gcp-sdk\n name:\
\ Set up Cloud SDK\n uses: google-github-actions/setup-gcloud@v2\n \
\ with:\n install_components: alpha\n\n # copy provider file\n\
\n - id: tf-config-provider\n name: Copy Terraform provider file\n\
\ run: |\n gcloud storage cp -r \\\n \"gs://ft0-prod-iac-core-0-iac-outputs/providers/${{env.provider_file}}\"\
\ ./\n gcloud storage cp -r \\\n \"gs://ft0-prod-iac-core-0-iac-outputs/tfvars/0-org-setup.auto.tfvars\"\
\ ./\n\n - id: tf-setup\n name: Set up Terraform\n uses:\
\ hashicorp/setup-terraform@v3\n with:\n terraform_version:\
\ ${{env.TF_VERSION}}\n\n # run Terraform init/validate/plan\n\n -\
\ id: tf-init\n name: Terraform init\n continue-on-error: true\n\
\ run: |\n terraform init -no-color\n\n - id: tf-validate\n\
\ continue-on-error: true\n name: Terraform validate\n \
\ run: terraform validate -no-color\n\n - id: tf-plan\n name: Terraform\
\ plan\n continue-on-error: true\n run: |\n terraform\
\ plan -input=false -out ../plan.out -no-color ${{env.plan_opts}}\n\n -\
\ id: tf-apply\n if: github.event.pull_request.merged == true && success()\n\
\ name: Terraform apply\n continue-on-error: true\n run:\
\ |\n terraform apply -input=false -auto-approve -no-color ../plan.out\n\
\n # PR comment with Terraform result from previous steps\n # length\
\ is checked and trimmed for length so as to stay within the limit\n\n \
\ - id: pr-comment\n name: Post comment to Pull Request\n continue-on-error:\
\ true\n uses: actions/github-script@v7\n if: github.event_name\
\ == 'pull_request'\n env:\n PLAN: ${{steps.tf-plan.outputs.stdout}}\\\
n${{steps.tf-plan.outputs.stderr}}\n with:\n script: |\n \
\ const output = `### Terraform Initialization \\`${{steps.tf-init.outcome}}\\\
`\n\n ### Terraform Validation \\`${{steps.tf-validate.outcome}}\\\
`\n\n <details><summary>Validation Output</summary>\n\n \
\ \\`\\`\\`\\n\n ${{steps.tf-validate.outputs.stdout}}\n \
\ \\`\\`\\`\n\n </details>\n\n ### Terraform Plan\
\ \\`${{steps.tf-plan.outcome}}\\`\n\n <details><summary>Show Plan</summary>\n\
\n \\`\\`\\`\\n\n ${process.env.PLAN.split('\\n').filter(l\
\ => l.match(/^([A-Z\\s].*|)$$/)).join('\\n')}\n \\`\\`\\`\n\n \
\ </details>\n\n ### Terraform Apply \\`${{steps.tf-apply.outcome}}\\\
`\n\n *Pusher: @${{github.actor}}, Action: \\`${{github.event_name}}\\\
`, Working Directory: \\`${{env.tf_actions_working_dir}}\\`, Workflow: \\`${{github.workflow}}\\\
`*`;\n\n github.rest.issues.createComment({\n issue_number:\
\ context.issue.number,\n owner: context.repo.owner,\n \
\ repo: context.repo.repo,\n body: output\n })\n\
\n - id: pr-short-comment\n name: Post comment to Pull Request (abbreviated)\n\
\ uses: actions/github-script@v7\n if: github.event_name == 'pull_request'\
\ && steps.pr-comment.outcome != 'success'\n with:\n script:\
\ |\n const output = `### Terraform Initialization \\`${{steps.tf-init.outcome}}\\\
`\n\n ### Terraform Validation \\`${{steps.tf-validate.outcome}}\\\
`\n\n ### Terraform Plan \\`${{steps.tf-plan.outcome}}\\`\n\n \
\ Plan output is in the action log.\n\n ### Terraform Apply\
\ \\`${{steps.tf-apply.outcome}}\\`\n\n *Pusher: @${{github.actor}},\
\ Action: \\`${{github.event_name}}\\`, Working Directory: \\`${{env.tf_actions_working_dir}}\\\
`, Workflow: \\`${{github.workflow}}\\`*`;\n\n github.rest.issues.createComment({\n\
\ issue_number: context.issue.number,\n owner: context.repo.owner,\n\
\ repo: context.repo.repo,\n body: output\n \
\ })\n\n # exit on error from previous steps\n\n - id: check-init\n\
\ name: Check init failure\n if: steps.tf-init.outcome != 'success'\n\
\ run: exit 1\n\n - id: check-validate\n name: Check validate\
\ failure\n if: steps.tf-validate.outcome != 'success'\n run:\
\ exit 1\n\n - id: check-plan\n name: Check plan failure\n \
\ if: steps.tf-plan.outcome != 'success'\n run: exit 1\n\n - id:\
\ check-apply\n name: Check apply failure\n if: github.event.pull_request.merged\
\ == true && steps.tf-apply.outcome != 'success'\n run: exit 1\n"
content_base64: null
directory_permission: '0777'
file_permission: '0644'
filename: /tmp/fast-config/workflows/org-setup.yaml
sensitive_content: null
source: null
module.billing-accounts["default"].google_billing_account_iam_member.bindings["billing_admin_org_admins"]:
billing_account_id: 012345-012345-012345
condition: []
@@ -606,15 +708,11 @@ values:
? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"]
: bucket: ft0-prod-iac-core-0-iac-org-state
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/storageViewer
timeouts: null
? module.factory.module.buckets["iac-0/iac-org-state"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"]
: bucket: ft0-prod-iac-core-0-iac-org-state
condition: []
members:
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/storage.admin
timeouts: null
module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket.bucket[0]:
@@ -647,27 +745,11 @@ values:
? module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["$custom_roles:storage_viewer"]
: bucket: ft0-prod-iac-core-0-iac-outputs
condition: []
members:
- serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-org-cicd-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-org-cicd-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/storageViewer
timeouts: null
module.factory.module.buckets["iac-0/iac-outputs"].google_storage_bucket_iam_binding.authoritative["roles/storage.admin"]:
bucket: ft0-prod-iac-core-0-iac-outputs
condition: []
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/storage.admin
timeouts: null
module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_bucket.bucket[0]:
@@ -726,131 +808,87 @@ values:
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 1-vpcsc/
members:
- serviceAccount:iac-vpcsc-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/storageViewer
? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["1-vpcsc/roles/storage.admin"]
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 1-vpcsc/
members:
- serviceAccount:iac-vpcsc-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/storage.admin
? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/$custom_roles:storage_viewer"]
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 2-networking/
members:
- serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/storageViewer
? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-networking/roles/storage.admin"]
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 2-networking/
members:
- serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/storage.admin
? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/$custom_roles:storage_viewer"]
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 2-project-factory/
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/storageViewer
? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-project-factory/roles/storage.admin"]
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 2-project-factory/
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/storage.admin
? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/$custom_roles:storage_viewer"]
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 2-security/
members:
- serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/storageViewer
? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["2-security/roles/storage.admin"]
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 2-security/
members:
- serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/storage.admin
? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["3-data-platform-dev/$custom_roles:storage_viewer"]
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 3-data-platform-dev/
members:
- serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/storageViewer
? module.factory.module.buckets["iac-0/iac-stage-state"].google_storage_managed_folder_iam_binding.authoritative["3-data-platform-dev/roles/storage.admin"]
: bucket: ft0-prod-iac-core-0-iac-stage-state
condition: []
managed_folder: 3-data-platform-dev/
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/storage.admin
? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]
: condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/projectIamViewer
? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"]
: condition: []
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/serviceProjectNetworkAdmin
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.viewer"]:
condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/compute.viewer
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
condition: []
members:
- serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/compute.xpnAdmin
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
condition: []
members:
- serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/logging.admin
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/owner
? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]
: condition: []
members:
- serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.folderAdmin
? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]
: condition: []
members:
- serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.folderViewer
? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]
: condition: []
members:
- serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.projectCreator
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
condition: []
members:
- serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.tagUser
? module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]
: condition: []
members:
- serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.tagViewer
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.authoritative["roles/viewer"]:
condition: []
members:
- serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/viewer
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["dp_dev_ro"]:
condition:
@@ -859,8 +897,6 @@ values:
'
title: Data platform dev network viewer.
members:
- serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/compute.networkViewer
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["dp_dev_rw"]:
condition:
@@ -869,8 +905,6 @@ values:
'
title: Data platform dev service project admin.
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/serviceProjectNetworkAdmin
module.factory.module.folder-1-iam["networking"].google_folder_iam_binding.bindings["project_factory"]:
condition:
@@ -879,63 +913,39 @@ values:
\ 'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',\n 'roles/container.hostServiceAgentUser',\
\ 'roles/vpcaccess.user'\n])\n"
title: Project factory delegated IAM grant.
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.projectIamAdmin
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]:
condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/projectIamViewer
? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.cryptoKeyEncrypterDecrypter"]
: condition: []
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/cloudkms.viewer"]:
condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/cloudkms.viewer
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
condition: []
members:
- serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/logging.admin
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/owner
? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]
: condition: []
members:
- serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.folderAdmin
? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]
: condition: []
members:
- serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.folderViewer
? module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]
: condition: []
members:
- serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.projectCreator
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
condition: []
members:
- serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.tagUser
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
condition: []
members:
- serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.tagViewer
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.authoritative["roles/viewer"]:
condition: []
members:
- serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/viewer
module.factory.module.folder-1-iam["security"].google_folder_iam_binding.bindings["project_factory"]:
condition:
@@ -943,48 +953,30 @@ values:
expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\
\ 'roles/cloudkms.cryptoKeyEncrypterDecrypter'\n])\n"
title: Project factory delegated IAM grant.
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.projectIamAdmin
? module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["$custom_roles:service_project_network_admin"]
: condition: []
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/serviceProjectNetworkAdmin
module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/owner
module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
condition: []
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.folderAdmin
module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.folderViewer
? module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]
: condition: []
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.projectCreator
module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
condition: []
members:
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.tagUser
module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.tagViewer
module.factory.module.folder-1-iam["teams"].google_folder_iam_binding.authoritative["roles/viewer"]:
condition: []
members:
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/viewer
module.factory.module.folder-1["data-platform"].google_folder.folder[0]:
deletion_protection: false
@@ -1014,43 +1006,27 @@ values:
timeouts: null
module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
condition: []
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/compute.xpnAdmin
module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/logging.admin"]:
condition: []
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/logging.admin
module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/owner
? module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]
: condition: []
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.folderAdmin
? module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]
: condition: []
members:
- serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.folderViewer
? module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]
: condition: []
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.projectCreator
module.factory.module.folder-2-iam["data-platform/dev"].google_folder_iam_binding.authoritative["roles/viewer"]:
condition: []
members:
- serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/viewer
? module.factory.module.folder-2-iam["networking/dev"].google_folder_iam_binding.authoritative["$custom_roles:project_iam_viewer"]
: condition: []
members:
- serviceAccount:iac-dp-dev-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: organizations/1234567890/roles/projectIamViewer
module.factory.module.folder-2-iam["networking/dev"].google_folder_iam_binding.bindings["dp_dev"]:
condition:
@@ -1058,8 +1034,6 @@ values:
expression: "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([\n\
\ 'organizations/1234567890/roles/serviceProjectNetworkAdmin'\n])\n"
title: Data platform dev delegated IAM grant.
members:
- serviceAccount:iac-dp-dev-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
role: roles/resourcemanager.projectIamAdmin
module.factory.module.folder-2["data-platform/dev"].google_folder.folder[0]:
deletion_protection: false
@@ -1132,14 +1106,10 @@ values:
retention_days: 31
module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-billing-exp-0
role: roles/owner
module.factory.module.projects-iam["billing-0"].google_project_iam_binding.authoritative["roles/viewer"]:
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-billing-exp-0
role: roles/viewer
module.factory.module.projects-iam["iac-0"].google_project_iam_audit_config.default["storage.googleapis.com"]:
@@ -1160,98 +1130,62 @@ values:
service: sts.googleapis.com
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["$custom_roles:storage_viewer"]:
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: organizations/1234567890/roles/storageViewer
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/browser"]:
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/browser
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]:
condition: []
members:
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/cloudbuild.builds.editor
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]:
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/cloudbuild.builds.viewer
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]:
condition: []
members:
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/iam.serviceAccountAdmin
? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
: condition: []
members:
- group:fabric-fast-owners@google.com
project: ft0-prod-iac-core-0
role: roles/iam.serviceAccountTokenCreator
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]:
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/iam.serviceAccountViewer
? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]
: condition: []
members:
- group:fabric-fast-owners@google.com
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/iam.workloadIdentityPoolAdmin
? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]
: condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/iam.workloadIdentityPoolViewer
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/owner
? module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/serviceusage.serviceUsageConsumer"]
: condition: []
members:
- serviceAccount:iac-networking-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-networking-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-pf-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-pf-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-security-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:iac-security-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/serviceusage.serviceUsageConsumer
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/storage.admin"]:
condition: []
members:
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/storage.admin
module.factory.module.projects-iam["iac-0"].google_project_iam_binding.authoritative["roles/viewer"]:
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-iac-core-0
role: roles/viewer
module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- serviceAccount:iac-org-rw@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-audit-logs-0
role: roles/owner
module.factory.module.projects-iam["log-0"].google_project_iam_binding.authoritative["roles/viewer"]:
condition: []
members:
- serviceAccount:iac-org-ro@ft0-prod-iac-core-0.iam.gserviceaccount.com
project: ft0-prod-audit-logs-0
role: roles/viewer
module.factory.module.projects["billing-0"].data.google_bigquery_default_service_account.bq_sa[0]:
@@ -2972,6 +2906,10 @@ values:
input: null
output: null
triggers_replace: null
terraform_data.precondition-cicd:
input: null
output: null
triggers_replace: null
counts:
google_bigquery_dataset: 1
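Review bot: The workflow rendered into `local_file.workflows["org-setup"]` (first hunk, `content:` value) references every third-party action by a floating major tag (`actions/checkout@v4`, `google-github-actions/auth@v2`, `google-github-actions/setup-gcloud@v2`, `hashicorp/setup-terraform@v3`, `actions/github-script@v7`), so whatever a moved tag points at runs with `id-token: write` and obtains a token for the org CI/CD service account. Pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, removes that dependency on mutable tags; the change belongs in the template that produces this content, and this inventory would then be regenerated. Since this file is a test inventory, the point applies to the source template rather than to these lines directly. Separately, the `pr-comment` filter regex `/^([A-Z\s].*|)$$/` ends in a doubled `$`; that is harmless in JavaScript but reads like a template-escaping leftover and is worth confirming against the template.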


@@ -0,0 +1,72 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.agent_engine.google_project_iam_member.default["roles/aiplatform.user"]:
condition: []
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
role: roles/aiplatform.user
module.agent_engine.google_project_iam_member.default["roles/storage.objectViewer"]:
condition: []
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
role: roles/storage.objectViewer
module.agent_engine.google_project_iam_member.default["roles/viewer"]:
condition: []
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
role: roles/viewer
module.agent_engine.google_service_account.service_account[0]:
account_id: my-agent
create_ignore_already_exists: null
description: null
disabled: false
display_name: my-agent
email: my-agent@project-id.iam.gserviceaccount.com
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
timeouts: null
module.agent_engine.google_vertex_ai_reasoning_engine.managed[0]:
description: Terraform managed.
display_name: my-agent
encryption_spec: []
project: project-id
region: europe-west8
spec:
- agent_framework: google-adk
class_methods: null
deployment_spec: []
package_spec:
- dependency_files_gcs_uri: dependencies.tar.gz
pickle_object_gcs_uri: pickle.pkl
python_version: '3.12'
requirements_gcs_uri: requirements.txt
service_account: my-agent@project-id.iam.gserviceaccount.com
source_code_spec: []
timeouts: null
module.agent_engine.time_sleep.wait_5_minutes:
create_duration: 5m
destroy_duration: null
triggers: null
counts:
google_project_iam_member: 3
google_service_account: 1
google_vertex_ai_reasoning_engine: 1
modules: 1
resources: 6
time_sleep: 1
outputs: {}
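Review bot: The inventory records the agent service account being granted the basic `roles/viewer` role on the project (`module.agent_engine.google_project_iam_member.default["roles/viewer"]`) in addition to `roles/aiplatform.user` and `roles/storage.objectViewer`. A basic role grants read access to every resource in the project, which is broader than an agent runtime identity usually needs; if this comes from the module defaults it is worth checking whether the two predefined roles already cover the agent's access and whether `roles/viewer` should be opt-in rather than default. The fixture itself only mirrors the module's behaviour, which is defined outside this page, so any change would be made there and the inventory regenerated.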