Add new set of org policies with managed constraints to FAST bootstrap (#2884)

* Managed org policies example

* Add folder with managed org policies

* Add tests for managed org policies

* Document new managed org policy set
Julio Castillo
2025-02-12 20:38:44 +01:00
committed by GitHub
parent 2e63bf1029
commit d43c624f9e
16 changed files with 1266 additions and 11 deletions


@@ -335,7 +335,7 @@ counts:
google_logging_organization_sink: 4
google_logging_project_bucket_config: 4
google_org_policy_custom_constraint: 1
google_org_policy_policy: 25
google_org_policy_policy: 26
google_organization_iam_binding: 27
google_organization_iam_custom_role: 13
google_organization_iam_member: 29
@@ -356,4 +356,4 @@ counts:
google_tags_tag_value: 2
local_file: 13
modules: 26
resources: 273
resources: 274


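--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,20 @@
+billing_account = {
+id = "000000-111111-222222"
+}
+essential_contacts = "gcp-organization-admins@fast.example.com"
+factories_config = {
+org_policies = "data/org-policies-managed"
+}
+groups = {
+gcp-support = "group:gcp-support@example.com"
+}
+org_policies_config = {
+import_defaults = false
+}
+organization = {
+domain = "fast.example.com"
+id = 123456789012
+customer_id = "C00000000"
+}
+outputs_location = "/fast-config"
+prefix = "fast"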


@@ -0,0 +1,414 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.organization.google_org_policy_custom_constraint.constraint["custom.disableKubeletReadOnlyPort"]:
action_type: DENY
condition: resource.nodeConfig.kubeletConfig.insecureKubeletReadonlyPortEnabled
== true
description: Disallows the use of Kubelet read-only port 10255 to enhance security
display_name: Disable Kubelet Read-Only Port 10255
method_types:
- CREATE
- UPDATE
name: custom.disableKubeletReadOnlyPort
parent: organizations/123456789012
resource_types:
- container.googleapis.com/Cluster
module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableNestedVirtualization
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableSerialPortAccess
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.managed.restrictProtocolForwardingCreationForTypes"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.managed.restrictProtocolForwardingCreationForTypes
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: '{"allowedSchemes":["INTERNAL"]}'
values: []
module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.requireOsLogin
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- in:INTERNAL
denied_values: null
module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.trustedImageProjects
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- is:projects/centos-cloud
- is:projects/cos-cloud
- is:projects/debian-cloud
- is:projects/fedora-cloud
- is:projects/fedora-coreos-cloud
- is:projects/opensuse-cloud
- is:projects/rhel-cloud
- is:projects/rhel-sap-cloud
- is:projects/rocky-linux-cloud
- is:projects/suse-cloud
- is:projects/suse-sap-cloud
- is:projects/ubuntu-os-cloud
- is:projects/ubuntu-os-pro-cloud
- is:projects/windows-cloud
- is:projects/windows-sql-cloud
- is:projects/confidential-vm-images
- is:projects/backupdr-images
- is:projects/deeplearning-platform-release
- is:projects/serverless-vpc-access-images
denied_values: null
module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.vmExternalIpAccess
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["custom.disableKubeletReadOnlyPort"]:
dry_run_spec: []
name: organizations/123456789012/policies/custom.disableKubeletReadOnlyPort
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]:
dry_run_spec: []
name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition:
- description: null
expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
'
location: null
title: Restrict essential contacts domains
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- '@fast.example.com'
denied_values: null
- allow_all: 'TRUE'
condition:
- description: null
expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
'
location: null
title: Allow essential contacts from any domain
deny_all: null
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.managed.allowedPolicyMembers"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.managed.allowedPolicyMembers
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition:
- description: null
expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
'
location: null
title: Allow any member domain
deny_all: null
enforce: 'FALSE'
parameters: null
values: []
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: '{"allowedPrincipalSets":["//cloudresourcemanager.googleapis.com/organizations/123456789012"]}'
values: []
module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountKeyCreation"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.managed.disableServiceAccountKeyCreation
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.managed.disableServiceAccountKeyUpload"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.managed.disableServiceAccountKeyUpload
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.managed.preventPrivilegedBasicRolesForDefaultServiceAccounts
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- DISABLE_KEY
denied_values: null
module.organization.google_org_policy_policy.default["run.allowedIngress"]:
dry_run_spec: []
name: organizations/123456789012/policies/run.allowedIngress
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- is:internal-and-cloud-load-balancing
denied_values: null
module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
dry_run_spec: []
name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
dry_run_spec: []
name: organizations/123456789012/policies/sql.restrictPublicIp
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
dry_run_spec: []
name: organizations/123456789012/policies/storage.publicAccessPrevention
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
dry_run_spec: []
name: organizations/123456789012/policies/storage.secureHttpTransport
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
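Review bot: Every `dry_run_spec` in this inventory is `[]`, so the managed set is expected to land directly in enforced mode with no dry-run stage, and nothing on this page states that for `iam.managed.allowedPolicyMembers`, whose unconditional rule is `enforce: 'TRUE'` with `allowedPrincipalSets` limited to `//cloudresourcemanager.googleapis.com/organizations/123456789012` — the restriction is expressed against the organization resource rather than the Cloud Identity customer id used by `iam.allowedPolicyMemberDomains` in the legacy inventory, and whether the two are equivalent for a given org is not something the fixture can show. The tag-based exemption also changes shape: here the `allowed-policy-member-domains-all` tag yields `enforce: 'FALSE'`, whereas the legacy set expresses it as `allow_all: 'TRUE'`, so an exemption now switches the constraint off instead of widening its allow list. The factory data files under data/org-policies-managed that produce this state are not on this page, so this is a documentation request only; a short note in the managed set's README along the lines of `Managed policies are applied enforced (no dry-run spec); the allowed-policy-member-domains-all tag disables iam.managed.allowedPolicyMembers rather than allowing all members` would make the behaviour explicit to operators migrating from the default set.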


@@ -20,7 +20,7 @@ counts:
google_logging_organization_sink: 4
google_logging_project_bucket_config: 4
google_org_policy_custom_constraint: 1
google_org_policy_policy: 25
google_org_policy_policy: 26
google_organization_iam_binding: 27
google_organization_iam_custom_role: 13
google_organization_iam_member: 29
@@ -41,7 +41,7 @@ counts:
google_tags_tag_value: 2
local_file: 8
modules: 20
resources: 236
resources: 237
outputs:
automation: __missing__


@@ -0,0 +1,425 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.organization.google_org_policy_custom_constraint.constraint["custom.disableKubeletReadOnlyPort"]:
action_type: DENY
condition: resource.nodeConfig.kubeletConfig.insecureKubeletReadonlyPortEnabled
== true
description: Disallows the use of Kubelet read-only port 10255 to enhance security
display_name: Disable Kubelet Read-Only Port 10255
method_types:
- CREATE
- UPDATE
name: custom.disableKubeletReadOnlyPort
parent: organizations/123456789012
resource_types:
- container.googleapis.com/Cluster
module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableNestedVirtualization
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.disableSerialPortAccess
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.requireOsLogin
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- in:INTERNAL
denied_values: null
module.organization.google_org_policy_policy.default["compute.restrictProtocolForwardingCreationForTypes"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.restrictProtocolForwardingCreationForTypes
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- in:INTERNAL
denied_values: null
module.organization.google_org_policy_policy.default["compute.setNewProjectDefaultToZonalDNSOnly"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.setNewProjectDefaultToZonalDNSOnly
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.trustedImageProjects
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- is:projects/centos-cloud
- is:projects/cos-cloud
- is:projects/debian-cloud
- is:projects/fedora-cloud
- is:projects/fedora-coreos-cloud
- is:projects/opensuse-cloud
- is:projects/rhel-cloud
- is:projects/rhel-sap-cloud
- is:projects/rocky-linux-cloud
- is:projects/suse-cloud
- is:projects/suse-sap-cloud
- is:projects/ubuntu-os-cloud
- is:projects/ubuntu-os-pro-cloud
- is:projects/windows-cloud
- is:projects/windows-sql-cloud
- is:projects/confidential-vm-images
- is:projects/backupdr-images
- is:projects/deeplearning-platform-release
- is:projects/serverless-vpc-access-images
denied_values: null
module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/compute.vmExternalIpAccess
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["custom.disableKubeletReadOnlyPort"]:
dry_run_spec: []
name: organizations/123456789012/policies/custom.disableKubeletReadOnlyPort
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["essentialcontacts.allowedContactDomains"]:
dry_run_spec: []
name: organizations/123456789012/policies/essentialcontacts.allowedContactDomains
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition:
- description: null
expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
'
location: null
title: Restrict essential contacts domains
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- '@fast.example.com'
denied_values: null
- allow_all: 'TRUE'
condition:
- description: null
expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-essential-contacts-domains-all'')
'
location: null
title: Allow essential contacts from any domain
deny_all: null
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition:
- description: null
expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
'
location: null
title: Restrict member domains
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- C00000000
denied_values: null
- allow_all: 'TRUE'
condition:
- description: null
expression: 'resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')
'
location: null
title: Allow any member domain
deny_all: null
enforce: null
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
dry_run_spec: []
name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- DISABLE_KEY
denied_values: null
module.organization.google_org_policy_policy.default["run.allowedIngress"]:
dry_run_spec: []
name: organizations/123456789012/policies/run.allowedIngress
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
parameters: null
values:
- allowed_values:
- is:internal-and-cloud-load-balancing
denied_values: null
module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
dry_run_spec: []
name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
dry_run_spec: []
name: organizations/123456789012/policies/sql.restrictPublicIp
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
dry_run_spec: []
name: organizations/123456789012/policies/storage.publicAccessPrevention
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
dry_run_spec: []
name: organizations/123456789012/policies/storage.secureHttpTransport
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
dry_run_spec: []
name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []


@@ -1,5 +1,5 @@
# skip boilerplate check
# Copyright 2024 Google LLC
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -20,5 +20,12 @@ tests:
- simple.yaml
- simple_projects.yaml
- simple_sas.yaml
- simple_org_policies.yaml
managed_org_policies:
inventory:
- simple.yaml
- simple_projects.yaml
- simple_sas.yaml
- managed_org_policies.yaml
iam_by_principals:
cicd:
cicd: