Hardened datasets minor fixes (#3795)

fast/stages/0-org-setup/datasets/classic/organization/org-policies/compute.yaml

@@ -84,7 +84,8 @@ compute.trustedImageProjects:
       - "is:projects/gke-node-images"
       - "is:projects/gke-windows-node-images"
       - "is:projects/ubuntu-os-gke-cloud"
-
+      - "is:projects/rocky-linux-accelerator-cloud"
+      - "is:projects/ubuntu-os-accelerator-images"
 
 compute.vmExternalIpAccess:
   rules:

fast/stages/0-org-setup/datasets/hardened/folders/data-platform/.config.yaml

@@ -15,10 +15,11 @@
 # yaml-language-server: $schema=../../../../schemas/folder.schema.json
 
 name: Data Platform
-org_policies:
+# To enforce once the constraints are provisionned
-  custom.iamDisableAdminServiceAccount:
+# org_policies:
-    rules:
+#   custom.iamDisableAdminServiceAccount:
-      - enforce: false
+#     rules:
-  custom.iamDisableProjectServiceAccountImpersonationRoles:
+#       - enforce: false
-    rules:
+#   custom.iamDisableProjectServiceAccountImpersonationRoles:
-      - enforce: false
+#     rules:
+#       - enforce: false

fast/stages/0-org-setup/datasets/hardened/observability/storageIamChanges.yaml

@@ -48,7 +48,7 @@ alerts:
       mime_type: text/markdown
 logging_metrics:
   storageIamChanges:
-    bucket_name: l$log_buckets:log-0/audit-logs
+    bucket_name: $log_buckets:log-0/audit-logs
     description: Cloud Storage IAM Permission Changes
     filter: resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"
     label_extractors:

fast/stages/0-org-setup/datasets/hardened/organization/org-policies/compute.yaml

@@ -118,6 +118,8 @@ compute.trustedImageProjects:
           - "is:projects/gke-node-images"
           - "is:projects/gke-windows-node-images"
           - "is:projects/ubuntu-os-gke-cloud"
+          - "is:projects/rocky-linux-accelerator-cloud"
+          - "is:projects/ubuntu-os-accelerator-images"
 
 compute.vmExternalIpAccess:
   rules:

fast/stages/0-org-setup/datasets/hardened/projects/core/log-0.yaml

@@ -71,6 +71,7 @@ org_policies:
     rules:
       - allow:
           all: true
-  custom.storageRequireBucketObjectVersionning:
+  # To enforce once the constraints are provisionned
-    rules:
+  # custom.storageRequireBucketObjectVersionning:
-      - enforce: true
+  #   rules:
+  #     - enforce: true

tests/fast/stages/s0_org_setup/hardened.yaml

@@ -1278,32 +1278,6 @@ values:
     parent: organizations/1234567890
     tags: null
     timeouts: null
-  module.factory.module.folder-1["data-platform"].google_org_policy_policy.default["custom.iamDisableAdminServiceAccount"]:
-    dry_run_spec: []
-    spec:
-    - inherit_from_parent: null
-      reset: null
-      rules:
-      - allow_all: null
-        condition: []
-        deny_all: null
-        enforce: 'FALSE'
-        parameters: null
-        values: []
-    timeouts: null
-  ? module.factory.module.folder-1["data-platform"].google_org_policy_policy.default["custom.iamDisableProjectServiceAccountImpersonationRoles"]
-  : dry_run_spec: []
-    spec:
-    - inherit_from_parent: null
-      reset: null
-      rules:
-      - allow_all: null
-        condition: []
-        deny_all: null
-        enforce: 'FALSE'
-        parameters: null
-        values: []
-    timeouts: null
   module.factory.module.folder-1["networking"].google_folder.folder[0]:
     deletion_protection: false
     display_name: Networking
@@ -2223,21 +2197,6 @@ values:
   module.factory.module.projects["log-0"].data.google_storage_project_service_account.gcs_sa[0]:
     project: ft0-prod-audit-logs-0
     user_project: null
-  module.factory.module.projects["log-0"].google_org_policy_policy.default["custom.storageRequireBucketObjectVersionning"]:
-    dry_run_spec: []
-    name: projects/ft0-prod-audit-logs-0/policies/custom.storageRequireBucketObjectVersionning
-    parent: projects/ft0-prod-audit-logs-0
-    spec:
-    - inherit_from_parent: null
-      reset: null
-      rules:
-      - allow_all: null
-        condition: []
-        deny_all: null
-        enforce: 'TRUE'
-        parameters: null
-        values: []
-    timeouts: null
   module.factory.module.projects["log-0"].google_org_policy_policy.default["gcp.restrictCmekCryptoKeyProjects"]:
     dry_run_spec: []
     name: projects/ft0-prod-audit-logs-0/policies/gcp.restrictCmekCryptoKeyProjects
@@ -4562,6 +4521,8 @@ values:
           - is:projects/gke-node-images
           - is:projects/gke-windows-node-images
           - is:projects/ubuntu-os-gke-cloud
+          - is:projects/rocky-linux-accelerator-cloud
+          - is:projects/ubuntu-os-accelerator-images
           denied_values: null
     timeouts: null
   module.organization-iam[0].google_org_policy_policy.default["compute.vmExternalIpAccess"]:
@@ -8015,7 +7976,6 @@ values:
     timeouts: null
     value_extractor: null
   module.projects-observability[0].google_logging_metric.metrics["storageIamChanges"]:
-    bucket_name: l$log_buckets:log-0/audit-logs
     bucket_options: []
     description: Cloud Storage IAM Permission Changes
     disabled: null
@@ -8597,7 +8557,7 @@ counts:
   google_logging_project_settings: 3
   google_monitoring_alert_policy: 10
   google_org_policy_custom_constraint: 89
-  google_org_policy_policy: 170
+  google_org_policy_policy: 167
   google_organization_iam_audit_config: 1
   google_organization_iam_binding: 40
   google_organization_iam_custom_role: 14
@@ -8622,7 +8582,7 @@ counts:
   google_tags_tag_value_iam_binding: 4
   local_file: 9
   modules: 58
-  resources: 718
+  resources: 715
   terraform_data: 4
 
 outputs:

tests/fast/stages/s0_org_setup/simple.yaml

@@ -2031,6 +2031,8 @@ values:
           - is:projects/gke-node-images
           - is:projects/gke-windows-node-images
           - is:projects/ubuntu-os-gke-cloud
+          - is:projects/rocky-linux-accelerator-cloud
+          - is:projects/ubuntu-os-accelerator-images
           denied_values: null
     timeouts: null
   module.organization-iam[0].google_org_policy_policy.default["compute.vmExternalIpAccess"]: