From b1969f6c60d1bbbe759445303f6a34fe7d54761d Mon Sep 17 00:00:00 2001
From: Zsolt Molnar
Date: Fri, 5 Dec 2025 17:26:04 +0100
Subject: [PATCH] Workforce identity: migrate to iam.managed.allowedPolicyMembers Organizational Policy (#3546)

* Migrate to iam.managed.allowedPolicyMembers Organizational Policy to allow PrincipalSets configuration for Workforce identity use-cases

* Keep iam.managed.allowedPolicyMembers implementation as comment only

---------

Co-authored-by: Julio Castillo
---
 .../classic/organization/org-policies/iam.yaml | 14 ++++++++++++++
 .../hardened/organization/org-policies/iam.yaml | 14 ++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/fast/stages/0-org-setup/datasets/classic/organization/org-policies/iam.yaml b/fast/stages/0-org-setup/datasets/classic/organization/org-policies/iam.yaml
index 0c624be2a..18eae09a0 100644
--- a/fast/stages/0-org-setup/datasets/classic/organization/org-policies/iam.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/organization/org-policies/iam.yaml
@@ -34,6 +34,20 @@ iam.allowedPolicyMemberDomains:
 expression: |
 resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')
 
+# For Workforce identity use-cases:
+# Switch from the above iam.allowedPolicyMemberDomains to the below iam.managed.allowedPolicyMembers configuration
+# To allow principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID IAM assignments
+
+#iam.managed.allowedPolicyMembers:
+# rules:
+# - enforce: false
+# condition:
+# title: Allow any member domain
+# expression: |
+# resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')
+# - parameters: '{"allowedMemberSubjects": ["is:${organization.customer_id}"], "allowedPrincipalSets": ["//cloudresourcemanager.googleapis.com/organizations/${organization.id}"]}'
+# enforce: true
+
 iam.disableAuditLoggingExemption:
 rules:
 - enforce: true
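Review bot: The commented template does not contain the workforce-pool entry that the three header comment lines give as the reason for switching, so an operator who uncomments it as-is gets a policy whose `allowedPrincipalSets` lists only the organization and still admits no `principalSet://.../workforcePools/...` members. Consider showing the slot inline with a clearly marked placeholder, e.g. `"allowedPrincipalSets": ["//cloudresourcemanager.googleapis.com/organizations/${organization.id}", "<WORKFORCE_POOL_PRINCIPAL_SET>"]`, with a note that the exact resource-name form must be checked against the constraint's documentation, and state that `iam.allowedPolicyMemberDomains` above has to be removed at the same time, since if left in place the legacy constraint would presumably still reject the pool principals. Because the whole block is a YAML comment, nothing validates the JSON inside `parameters` or the `${organization.customer_id}` / `${organization.id}` interpolations until someone enables it; a short `# untested template - validate before enabling` line, or a pointer to a tested example, would make that explicit. The hardened hunk below carries the identical text and the same remarks apply there.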
diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/iam.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/iam.yaml
index d1e5f7f57..5a0c0dbf0 100644
--- a/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/iam.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/iam.yaml
@@ -38,6 +38,20 @@ iam.allowedPolicyMemberDomains:
 expression: |
 resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')
 
+# For Workforce identity use-cases:
+# Switch from the above iam.allowedPolicyMemberDomains to the below iam.managed.allowedPolicyMembers configuration
+# To allow principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID IAM assignments
+
+#iam.managed.allowedPolicyMembers:
+# rules:
+# - enforce: false
+# condition:
+# title: Allow any member domain
+# expression: |
+# resource.matchTag('${organization.id}/org-policies', 'allowed-policy-member-domains-all')
+# - parameters: '{"allowedMemberSubjects": ["is:${organization.customer_id}"], "allowedPrincipalSets": ["//cloudresourcemanager.googleapis.com/organizations/${organization.id}"]}'
+# enforce: true
+
 iam.disableAuditLoggingExemption:
 rules:
 - enforce: true