From fbd0af9a88dae5a675d6cb4c32dd41229dcbbff2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Mon, 27 Apr 2026 06:31:17 +0000
Subject: [PATCH] Remove data platform IAM grants from datasets

---
 .../classic-gcd/folders/networking/.config.yaml | 16 ----------------
 .../folders/networking/dev/.config.yaml | 14 --------------
 .../classic/folders/networking/.config.yaml | 16 ----------------
 .../classic/folders/networking/dev/.config.yaml | 14 --------------
 .../hardened/folders/networking/.config.yaml | 16 ----------------
 .../hardened/folders/networking/dev/.config.yaml | 14 --------------
 .../hardened/folders/security/dev/.config.yaml | 2 --
 7 files changed, 92 deletions(-)

diff --git a/fast/stages/0-org-setup/datasets/classic-gcd/folders/networking/.config.yaml b/fast/stages/0-org-setup/datasets/classic-gcd/folders/networking/.config.yaml
index 00f5fe989..8fb4e5751 100644
--- a/fast/stages/0-org-setup/datasets/classic-gcd/folders/networking/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/classic-gcd/folders/networking/.config.yaml
@@ -33,22 +33,6 @@ iam_by_principals:
 - roles/compute.viewer
 - $custom_roles:project_iam_viewer
 iam_bindings:
- dp_dev_rw:
- members:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
- role: $custom_roles:service_project_network_admin
- condition:
- expression: |
- resource.matchTag('${organization.id}/environment', 'development')
- title: Data platform dev service project admin.
- dp_dev_ro:
- role: roles/compute.networkViewer
- members:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
- condition:
- title: Data platform dev network viewer.
- expression: |
- resource.matchTag('${organization.id}/environment', 'development')
 project_factory:
 role: roles/resourcemanager.projectIamAdmin
 members:
diff --git a/fast/stages/0-org-setup/datasets/classic-gcd/folders/networking/dev/.config.yaml b/fast/stages/0-org-setup/datasets/classic-gcd/folders/networking/dev/.config.yaml
index 8ad69e209..7d279b117 100644
--- a/fast/stages/0-org-setup/datasets/classic-gcd/folders/networking/dev/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/classic-gcd/folders/networking/dev/.config.yaml
@@ -15,19 +15,5 @@
 # yaml-language-server: $schema=../../../../../schemas/folder.schema.json
 name: Development
-iam:
- $custom_roles:project_iam_viewer:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
-iam_bindings:
- dp_dev:
- role: roles/resourcemanager.projectIamAdmin
- members:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
- condition:
- title: Data platform dev delegated IAM grant.
- expression: |
- api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
- '${custom_roles.service_project_network_admin}'
- ])
 tag_bindings:
 environment: $tag_values:environment/development
diff --git a/fast/stages/0-org-setup/datasets/classic/folders/networking/.config.yaml b/fast/stages/0-org-setup/datasets/classic/folders/networking/.config.yaml
index 00f5fe989..8fb4e5751 100644
--- a/fast/stages/0-org-setup/datasets/classic/folders/networking/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/folders/networking/.config.yaml
@@ -33,22 +33,6 @@ iam_by_principals:
 - roles/compute.viewer
 - $custom_roles:project_iam_viewer
 iam_bindings:
- dp_dev_rw:
- members:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
- role: $custom_roles:service_project_network_admin
- condition:
- expression: |
- resource.matchTag('${organization.id}/environment', 'development')
- title: Data platform dev service project admin.
- dp_dev_ro:
- role: roles/compute.networkViewer
- members:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
- condition:
- title: Data platform dev network viewer.
- expression: |
- resource.matchTag('${organization.id}/environment', 'development')
 project_factory:
 role: roles/resourcemanager.projectIamAdmin
 members:
diff --git a/fast/stages/0-org-setup/datasets/classic/folders/networking/dev/.config.yaml b/fast/stages/0-org-setup/datasets/classic/folders/networking/dev/.config.yaml
index 8ad69e209..7d279b117 100644
--- a/fast/stages/0-org-setup/datasets/classic/folders/networking/dev/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/classic/folders/networking/dev/.config.yaml
@@ -15,19 +15,5 @@
 # yaml-language-server: $schema=../../../../../schemas/folder.schema.json
 name: Development
-iam:
- $custom_roles:project_iam_viewer:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
-iam_bindings:
- dp_dev:
- role: roles/resourcemanager.projectIamAdmin
- members:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
- condition:
- title: Data platform dev delegated IAM grant.
- expression: |
- api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
- '${custom_roles.service_project_network_admin}'
- ])
 tag_bindings:
 environment: $tag_values:environment/development
diff --git a/fast/stages/0-org-setup/datasets/hardened/folders/networking/.config.yaml b/fast/stages/0-org-setup/datasets/hardened/folders/networking/.config.yaml
index 3d7f52e45..316c3829c 100644
--- a/fast/stages/0-org-setup/datasets/hardened/folders/networking/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/folders/networking/.config.yaml
@@ -44,22 +44,6 @@ iam_by_principals:
 - roles/compute.viewer
 - $custom_roles:project_iam_viewer
 iam_bindings:
- dp_dev_rw:
- members:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
- role: $custom_roles:service_project_network_admin
- condition:
- expression: |
- resource.matchTag('${organization.id}/environment', 'development')
- title: Data platform dev service project admin.
- dp_dev_ro:
- role: roles/compute.networkViewer
- members:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
- condition:
- title: Data platform dev network viewer.
- expression: |
- resource.matchTag('${organization.id}/environment', 'development')
 project_factory:
 role: roles/resourcemanager.projectIamAdmin
 members:
diff --git a/fast/stages/0-org-setup/datasets/hardened/folders/networking/dev/.config.yaml b/fast/stages/0-org-setup/datasets/hardened/folders/networking/dev/.config.yaml
index 8ad69e209..7d279b117 100644
--- a/fast/stages/0-org-setup/datasets/hardened/folders/networking/dev/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/folders/networking/dev/.config.yaml
@@ -15,19 +15,5 @@
 # yaml-language-server: $schema=../../../../../schemas/folder.schema.json
 name: Development
-iam:
- $custom_roles:project_iam_viewer:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-ro
-iam_bindings:
- dp_dev:
- role: roles/resourcemanager.projectIamAdmin
- members:
- - $iam_principals:service_accounts/iac-0/iac-dp-dev-rw
- condition:
- title: Data platform dev delegated IAM grant.
- expression: |
- api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
- '${custom_roles.service_project_network_admin}'
- ])
 tag_bindings:
 environment: $tag_values:environment/development
diff --git a/fast/stages/0-org-setup/datasets/hardened/folders/security/dev/.config.yaml b/fast/stages/0-org-setup/datasets/hardened/folders/security/dev/.config.yaml
index 23775d521..7f158b2b7 100644
--- a/fast/stages/0-org-setup/datasets/hardened/folders/security/dev/.config.yaml
+++ b/fast/stages/0-org-setup/datasets/hardened/folders/security/dev/.config.yaml
@@ -19,7 +19,5 @@ parent: $folder_ids:security
 tag_bindings:
 environment: $tag_values:environment/development
 iam_by_principals:
- $iam_principals:service_accounts/iac-0/iac-dp-dev-ro:
- - $custom_roles:cloudkms_viewer
 $iam_principals:service_accounts/iac-0/iac-pf-ro:
 - $custom_roles:cloudkms_viewer