Enable ADMIN_READ audit log for sts.googleapis.com in automation (iac) project (#3290)

* Enable ADMIN_READ audit log for sts.googleapis.com in the automation (iac) project for better workload identity debugging and auditing * Fix FAST tests * Test fix #2 * Test fix #3 * Final test fix --------- Co-authored-by: Julio Castillo <jccb@google.com>
2025-09-01 15:58:28 +02:00
parent a3f7faf7d4
commit b3c7699b8c
3 changed files with 21 additions and 5 deletions
--- a/tests/fast/stages/s0_bootstrap/cicd.yaml
+++ b/tests/fast/stages/s0_bootstrap/cicd.yaml
@@ -173,6 +173,12 @@ values:
      log_type: ADMIN_READ
    project: fast-prod-iac-core-0
    service: iam.googleapis.com
+  module.automation-project.google_project_iam_audit_config.default["sts.googleapis.com"]:
+    audit_log_config:
+    - exempted_members: []
+      log_type: ADMIN_READ
+    project: fast-prod-iac-core-0
+    service: sts.googleapis.com
  module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
    condition: []
    members:
@@ -2390,7 +2396,7 @@ counts:
  google_organization_iam_custom_role: 16
  google_organization_iam_member: 31
  google_project: 3
-  google_project_iam_audit_config: 1
+  google_project_iam_audit_config: 2
  google_project_iam_binding: 19
  google_project_iam_member: 23
  google_project_service: 33
@@ -2406,7 +2412,7 @@ counts:
  google_tags_tag_value: 2
  local_file: 13
  modules: 26
-  resources: 297
+  resources: 298

 outputs:
  custom_roles:
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -111,6 +111,12 @@ values:
      log_type: ADMIN_READ
    project: fast-prod-iac-core-0
    service: iam.googleapis.com
+  module.automation-project.google_project_iam_audit_config.default["sts.googleapis.com"]:
+    audit_log_config:
+    - exempted_members: []
+      log_type: ADMIN_READ
+    project: fast-prod-iac-core-0
+    service: sts.googleapis.com
  module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
    condition: []
    members:
@@ -1587,7 +1593,7 @@ counts:
  google_organization_iam_custom_role: 16
  google_organization_iam_member: 31
  google_project: 3
-  google_project_iam_audit_config: 1
+  google_project_iam_audit_config: 2
  google_project_iam_binding: 19
  google_project_iam_member: 17
  google_project_service: 33
@@ -1603,7 +1609,7 @@ counts:
  google_tags_tag_value: 2
  local_file: 8
  modules: 20
-  resources: 260
+  resources: 261

 outputs:
  cicd_repositories: {}