From b4172ec1745d1ced82d77a293f58d24f0379bca3 Mon Sep 17 00:00:00 2001
From: Vannick Trinquier
Date: Wed, 18 Mar 2026 15:54:14 +0700
Subject: [PATCH] Hardened datasets minor fixes (#3795)
---
 .../organization/org-policies/compute.yaml | 3 +-
 .../folders/data-platform/.config.yaml | 15 +++---
 .../observability/storageIamChanges.yaml | 2 +-
 .../organization/org-policies/compute.yaml | 2 +
 .../hardened/projects/core/log-0.yaml | 7 +--
 tests/fast/stages/s0_org_setup/hardened.yaml | 48 ++-----------------
 tests/fast/stages/s0_org_setup/simple.yaml | 2 +
 7 files changed, 23 insertions(+), 56 deletions(-)
diff --git a/fast/stages/0-org-setup/datasets/classic/organization/org-policies/compute.yaml b/fast/stages/0-org-setup/datasets/classic/organization/org-policies/compute.yaml
index af470445f..8cba17389 100644
--- a/fast/stages/0-org-setup/datasets/classic/organization/org-policies/compute.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/organization/org-policies/compute.yaml
@@ -84,7 +84,8 @@ compute.trustedImageProjects:
 - "is:projects/gke-node-images"
 - "is:projects/gke-windows-node-images"
 - "is:projects/ubuntu-os-gke-cloud"
-
+ - "is:projects/rocky-linux-accelerator-cloud"
+ - "is:projects/ubuntu-os-accelerator-images"
 compute.vmExternalIpAccess:
 rules:
diff --git a/fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml b/fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml
index 0f3c9fec9..482a2a1d3 100644
--- a/fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml
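Review bot: The two added `compute.trustedImageProjects` entries widen the allowlist of image sources with no comment on what they are for; a line above them such as `# accelerator-optimized OS images` (if that is indeed their purpose) would let a later reviewer judge whether they still belong. The same two entries are added in the hardened dataset's compute.yaml hunk and mirrored in the hardened.yaml and simple.yaml test fixtures, so the comment belongs in both dataset files. The list these entries extend starts above the hunk.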
@@ -15,10 +15,11 @@
 # yaml-language-server: $schema=../../../../schemas/folder.schema.json
 name: Data Platform
-org_policies:
- custom.iamDisableAdminServiceAccount:
- rules:
- - enforce: false
- custom.iamDisableProjectServiceAccountImpersonationRoles:
- rules:
- - enforce: false
+# To enforce once the constraints are provisionned
+# org_policies:
+# custom.iamDisableAdminServiceAccount:
+# rules:
+# - enforce: false
+# custom.iamDisableProjectServiceAccountImpersonationRoles:
+# rules:
+# - enforce: false
diff --git a/fast/stages/0-org-setup/datasets/hardened/observability/storageIamChanges.yaml b/fast/stages/0-org-setup/datasets/hardened/observability/storageIamChanges.yaml
index 81794bc65..26ea4fa20 100644
--- a/fast/stages/0-org-setup/datasets/hardened/observability/storageIamChanges.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/observability/storageIamChanges.yaml
@@ -48,7 +48,7 @@ alerts:
 mime_type: text/markdown
 logging_metrics:
 storageIamChanges:
- bucket_name: l$log_buckets:log-0/audit-logs
+ bucket_name: $log_buckets:log-0/audit-logs
 description: Cloud Storage IAM Permission Changes
 filter: resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"
 label_extractors:
diff --git a/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/compute.yaml b/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/compute.yaml
index 41383b649..05f3e2c8a 100644
--- a/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/compute.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/organization/org-policies/compute.yaml
@@ -118,6 +118,8 @@ compute.trustedImageProjects:
 - "is:projects/gke-node-images"
 - "is:projects/gke-windows-node-images"
 - "is:projects/ubuntu-os-gke-cloud"
+ - "is:projects/rocky-linux-accelerator-cloud"
+ - "is:projects/ubuntu-os-accelerator-images"
 compute.vmExternalIpAccess:
 rules:
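Review bot: The new comment `# To enforce once the constraints are provisionned` describes the commented-out block as something that will enforce, but the rules beneath it set `enforce: false`, i.e. they exempt this folder from the two custom constraints rather than enforce them; `# Re-enable once the custom constraints are provisioned (these rules exempt this folder)` would match what the block does and also fixes the typo in "provisionned". The same typo appears in the log-0.yaml hunk, where the rule is `enforce: true` so the "to enforce" wording is accurate there. While the block is commented out the folder takes whatever the parent sets for these constraints, which may well be intended but is worth stating in the comment or commit message.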
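Review bot: The corrected `bucket_name: $log_buckets:log-0/audit-logs` is no longer asserted anywhere: the corresponding hardened.yaml fixture hunk drops the `bucket_name` line instead of replacing it, presumably because the resolved value is not known at plan time. If that is the reason, a short comment above the key in storageIamChanges.yaml saying that the reference is resolved by the factory and therefore absent from the plan fixture would stop the next reader from treating the missing expectation as an oversight; confirm this against how `$log_buckets:` references are resolved before adding it.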
diff --git a/fast/stages/0-org-setup/datasets/hardened/projects/core/log-0.yaml b/fast/stages/0-org-setup/datasets/hardened/projects/core/log-0.yaml
index 2c59e2623..acb8b6b2c 100644
--- a/fast/stages/0-org-setup/datasets/hardened/projects/core/log-0.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/projects/core/log-0.yaml
@@ -71,6 +71,7 @@ org_policies:
 rules:
 - allow:
 all: true
- custom.storageRequireBucketObjectVersionning:
- rules:
- - enforce: true
+ # To enforce once the constraints are provisionned
+ # custom.storageRequireBucketObjectVersionning:
+ # rules:
+ # - enforce: true
diff --git a/tests/fast/stages/s0_org_setup/hardened.yaml b/tests/fast/stages/s0_org_setup/hardened.yaml
index 9778db7bc..ffc260555 100644
--- a/tests/fast/stages/s0_org_setup/hardened.yaml
+++ b/tests/fast/stages/s0_org_setup/hardened.yaml
@@ -1278,32 +1278,6 @@ values:
 parent: organizations/1234567890
 tags: null
 timeouts: null
- module.factory.module.folder-1["data-platform"].google_org_policy_policy.default["custom.iamDisableAdminServiceAccount"]:
- dry_run_spec: []
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'FALSE'
- parameters: null
- values: []
- timeouts: null
- ? module.factory.module.folder-1["data-platform"].google_org_policy_policy.default["custom.iamDisableProjectServiceAccountImpersonationRoles"]
- : dry_run_spec: []
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'FALSE'
- parameters: null
- values: []
- timeouts: null
 module.factory.module.folder-1["networking"].google_folder.folder[0]:
 deletion_protection: false
 display_name: Networking
@@ -2223,21 +2197,6 @@ values:
 module.factory.module.projects["log-0"].data.google_storage_project_service_account.gcs_sa[0]:
 project: ft0-prod-audit-logs-0
 user_project: null
- module.factory.module.projects["log-0"].google_org_policy_policy.default["custom.storageRequireBucketObjectVersionning"]:
- dry_run_spec: []
- name: projects/ft0-prod-audit-logs-0/policies/custom.storageRequireBucketObjectVersionning
- parent: projects/ft0-prod-audit-logs-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- parameters: null
- values: []
- timeouts: null
 module.factory.module.projects["log-0"].google_org_policy_policy.default["gcp.restrictCmekCryptoKeyProjects"]:
 dry_run_spec: []
 name: projects/ft0-prod-audit-logs-0/policies/gcp.restrictCmekCryptoKeyProjects
@@ -4562,6 +4521,8 @@ values:
 - is:projects/gke-node-images
 - is:projects/gke-windows-node-images
 - is:projects/ubuntu-os-gke-cloud
+ - is:projects/rocky-linux-accelerator-cloud
+ - is:projects/ubuntu-os-accelerator-images
 denied_values: null
 timeouts: null
 module.organization-iam[0].google_org_policy_policy.default["compute.vmExternalIpAccess"]:
@@ -8015,7 +7976,6 @@ values:
 timeouts: null
 value_extractor: null
 module.projects-observability[0].google_logging_metric.metrics["storageIamChanges"]:
- bucket_name: l$log_buckets:log-0/audit-logs
 bucket_options: []
 description: Cloud Storage IAM Permission Changes
 disabled: null
@@ -8597,7 +8557,7 @@ counts:
 google_logging_project_settings: 3
 google_monitoring_alert_policy: 10
 google_org_policy_custom_constraint: 89
- google_org_policy_policy: 170
+ google_org_policy_policy: 167
 google_organization_iam_audit_config: 1
 google_organization_iam_binding: 40
 google_organization_iam_custom_role: 14
@@ -8622,7 +8582,7 @@ counts:
 google_tags_tag_value_iam_binding: 4
 local_file: 9
 modules: 58
- resources: 718
+ resources: 715
 terraform_data: 4
 outputs:
diff --git a/tests/fast/stages/s0_org_setup/simple.yaml b/tests/fast/stages/s0_org_setup/simple.yaml
index 5e7e34427..70644fc48 100644
--- a/tests/fast/stages/s0_org_setup/simple.yaml
+++ b/tests/fast/stages/s0_org_setup/simple.yaml
@@ -2031,6 +2031,8 @@ values:
 - is:projects/gke-node-images
 - is:projects/gke-windows-node-images
 - is:projects/ubuntu-os-gke-cloud
+ - is:projects/rocky-linux-accelerator-cloud
+ - is:projects/ubuntu-os-accelerator-images
 denied_values: null
 timeouts: null
 module.organization-iam[0].google_org_policy_policy.default["compute.vmExternalIpAccess"]: