Workforce identity: migrate to iam.managed.allowedPolicyMembers Organizational Policy (#3546)

* Migrate to iam.managed.allowedPolicyMembers Organizational Policy to allow PrincipalSets configuration for Workforce identity use-cases * Keep iam.managed.allowedPolicyMembers implementation as comment only --------- Co-authored-by: Julio Castillo <jccb@google.com>
2025-12-05 17:26:04 +01:00
parent 33df0bba4a
commit b1969f6c60
2 changed files with 28 additions and 0 deletions
--- a/fast/stages/0-org-setup/datasets/classic/organization/org-policies/iam.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/organization/org-policies/iam.yaml
@@ -34,6 +34,20 @@ iam.allowedPolicyMemberDomains:
        expression: |
          resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')

+# For Workforce identity use-cases:
+# Switch from the above iam.allowedPolicyMemberDomains to the below iam.managed.allowedPolicyMembers configuration
+# To allow principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID IAM assignments
+
+#iam.managed.allowedPolicyMembers:
+#  rules:
+#    - enforce: false
+#      condition:
+#        title: Allow any member domain
+#        expression: |
+#          resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')
+#    - parameters: '{"allowedMemberSubjects": ["is:${organization.customer_id}"], "allowedPrincipalSets": ["//cloudresourcemanager.googleapis.com/organizations/${organization.id}"]}'
+#      enforce: true
+
 iam.disableAuditLoggingExemption:
  rules:
    - enforce: true
--- a/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/iam.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/iam.yaml
@@ -38,6 +38,20 @@ iam.allowedPolicyMemberDomains:
        expression: |
          resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')

+# For Workforce identity use-cases:
+# Switch from the above iam.allowedPolicyMemberDomains to the below iam.managed.allowedPolicyMembers configuration
+# To allow principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID IAM assignments
+
+#iam.managed.allowedPolicyMembers:
+#  rules:
+#    - enforce: false
+#      condition:
+#        title: Allow any member domain
+#        expression: |
+#          resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')
+#    - parameters: '{"allowedMemberSubjects": ["is:${organization.customer_id}"], "allowedPrincipalSets": ["//cloudresourcemanager.googleapis.com/organizations/${organization.id}"]}'
+#      enforce: true
+
 iam.disableAuditLoggingExemption:
  rules:
    - enforce: true