# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. values: module.bucket.google_logging_project_bucket_config.bucket[0]: bucket_id: test-bucket cmek_settings: [] enable_analytics: false index_configs: [] location: global locked: null project: project-id retention_days: 30 module.create-project.google_project.project[0]: auto_create_network: false billing_account: 123456-123456-123456 folder_id: '1122334455' labels: null name: test-project org_id: null project_id: test-project skip_delete: false timeouts: null module.dataset.google_bigquery_dataset.default: dataset_id: bq_sink default_encryption_configuration: [] default_partition_expiration_ms: null default_table_expiration_ms: null delete_contents_on_destroy: true description: Terraform managed. external_dataset_reference: [] friendly_name: null labels: null location: EU max_time_travel_hours: '168' project: project-id timeouts: null module.gcs.google_storage_bucket.bucket: autoclass: - enabled: false cors: [] custom_placement_config: [] default_event_based_hold: null enable_object_retention: null encryption: [] force_destroy: true labels: null lifecycle_rule: [] location: EU logging: [] name: test-gcs_sink project: project-id requester_pays: null retention_policy: [] storage_class: MULTI_REGIONAL timeouts: null uniform_bucket_level_access: true versioning: - enabled: false module.host-project.google_compute_shared_vpc_host_project.shared_vpc_host[0]: project: test-host timeouts: null module.host-project.google_project.project[0]: auto_create_network: false billing_account: 123456-123456-123456 folder_id: '1122334455' labels: null name: test-host org_id: null project_id: test-host skip_delete: false timeouts: null module.project.data.google_bigquery_default_service_account.bq_sa[0]: project: test-project module.project.data.google_project.project[0]: project_id: test-project module.project.data.google_storage_project_service_account.gcs_sa[0]: project: test-project user_project: null module.project.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]: condition: [] role: roles/bigquery.dataEditor module.project.google_compute_shared_vpc_service_project.shared_vpc_service[0]: deletion_policy: null host_project: test-host service_project: test-project timeouts: null module.project.google_kms_crypto_key_iam_member.service_agent_cmek["kms_key_self_link.compute-system"]: condition: [] crypto_key_id: kms_key_self_link role: roles/cloudkms.cryptoKeyEncrypterDecrypter module.project.google_kms_crypto_key_iam_member.service_agent_cmek["kms_key_self_link.gs-project-accounts"]: condition: [] crypto_key_id: kms_key_self_link role: roles/cloudkms.cryptoKeyEncrypterDecrypter module.project.google_logging_project_exclusion.logging-exclusion["no-gce-instances"]: description: no-gce-instances (Terraform-managed). disabled: null filter: resource.type=gce_instance name: no-gce-instances project: test-project module.project.google_logging_project_sink.sink["debug"]: custom_writer_identity: null description: debug (Terraform-managed). disabled: false exclusions: - description: null disabled: false filter: logName:compute name: no-compute filter: severity=DEBUG name: debug project: test-project unique_writer_identity: true module.project.google_logging_project_sink.sink["info"]: bigquery_options: - use_partitioned_tables: false custom_writer_identity: null description: info (Terraform-managed). disabled: false exclusions: [] filter: severity=INFO name: info project: test-project unique_writer_identity: true module.project.google_logging_project_sink.sink["notice"]: custom_writer_identity: null description: notice (Terraform-managed). destination: pubsub.googleapis.com/projects/project-id/topics/pubsub_sink disabled: false exclusions: [] filter: severity=NOTICE name: notice project: test-project unique_writer_identity: true module.project.google_logging_project_sink.sink["warnings"]: custom_writer_identity: null description: warnings (Terraform-managed). destination: storage.googleapis.com/test-gcs_sink disabled: false exclusions: [] filter: severity=WARNING name: warnings project: test-project unique_writer_identity: true module.project.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: dry_run_spec: [] name: projects/test-project/policies/compute.disableGuestAttributesAccess parent: projects/test-project spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: dry_run_spec: [] name: projects/test-project/policies/compute.skipDefaultNetworkCreation parent: projects/test-project spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.project.google_org_policy_policy.default["compute.trustedImageProjects"]: dry_run_spec: [] name: projects/test-project/policies/compute.trustedImageProjects parent: projects/test-project spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: null values: - allowed_values: - projects/my-project denied_values: null timeouts: null module.project.google_org_policy_policy.default["compute.vmExternalIpAccess"]: dry_run_spec: [] name: projects/test-project/policies/compute.vmExternalIpAccess parent: projects/test-project spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: 'TRUE' enforce: null values: [] timeouts: null module.project.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]: dry_run_spec: [] name: projects/test-project/policies/iam.allowedPolicyMemberDomains parent: projects/test-project spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: null values: - allowed_values: - C0xxxxxxx - C0yyyyyyy denied_values: null timeouts: null module.project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: dry_run_spec: [] name: projects/test-project/policies/iam.disableServiceAccountKeyCreation parent: projects/test-project spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: [] deny_all: null enforce: 'TRUE' values: [] timeouts: null module.project.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]: dry_run_spec: [] name: projects/test-project/policies/iam.disableServiceAccountKeyUpload parent: projects/test-project spec: - inherit_from_parent: null reset: null rules: - allow_all: null condition: - description: test condition expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234') location: somewhere title: condition deny_all: null enforce: 'TRUE' values: [] - allow_all: null condition: [] deny_all: null enforce: 'FALSE' values: [] timeouts: null module.project.google_project_iam_audit_config.default["allServices"]: audit_log_config: - exempted_members: - group:organization-admins@example.org log_type: ADMIN_READ project: test-project service: allServices module.project.google_project_iam_audit_config.default["storage.googleapis.com"]: audit_log_config: - exempted_members: [] log_type: DATA_READ - exempted_members: [] log_type: DATA_WRITE project: test-project service: storage.googleapis.com module.project.google_project_iam_binding.authoritative["roles/apigee.serviceAgent"]: condition: [] project: test-project role: roles/apigee.serviceAgent module.project.google_project_iam_binding.authoritative["roles/cloudasset.owner"]: condition: [] members: - group:organization-admins@example.org project: test-project role: roles/cloudasset.owner module.project.google_project_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]: condition: [] members: - group:organization-admins@example.org project: test-project role: roles/cloudsupport.techSupportEditor module.project.google_project_iam_binding.authoritative["roles/editor"]: condition: [] project: test-project role: roles/editor module.project.google_project_iam_binding.authoritative["roles/iam.securityReviewer"]: condition: [] members: - group:organization-admins@example.org project: test-project role: roles/iam.securityReviewer module.project.google_project_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - group:organization-admins@example.org project: test-project role: roles/logging.admin module.project.google_project_iam_binding.bindings["iam_admin_conditional"]: condition: - description: null expression: "api.getAttribute(\n 'iam.googleapis.com/modifiedGrantsByRole',\ \ []\n).hasOnly([\n 'roles/compute.networkAdmin'\n])\n" title: delegated_network_user_one members: - group:organization-admins@example.org project: test-project role: roles/resourcemanager.projectIamAdmin module.project.google_project_iam_member.bindings["group-owner"]: condition: [] member: group:organization-admins@example.org project: test-project role: roles/owner module.project.google_project_iam_member.bucket-sinks-binding["debug"]: condition: - title: debug bucket writer role: roles/logging.bucketWriter module.project.google_project_iam_member.service_agents["apigee"]: condition: [] project: test-project role: roles/apigee.serviceAgent module.project.google_project_iam_member.service_agents["compute-system"]: condition: [] project: test-project role: roles/compute.serviceAgent module.project.google_project_iam_member.service_agents["container-engine-robot"]: condition: [] project: test-project role: roles/container.serviceAgent module.project.google_project_iam_member.service_agents["gkenode"]: condition: [] project: test-project role: roles/container.nodeServiceAgent module.project.google_project_iam_member.service_agents["serverless-robot-prod"]: condition: [] project: test-project role: roles/run.serviceAgent module.project.google_project_iam_member.shared_vpc_host_robots["roles/cloudasset.owner:cloudservices"]: condition: [] project: test-host role: roles/cloudasset.owner module.project.google_project_iam_member.shared_vpc_host_robots["roles/cloudasset.owner:container-engine"]: condition: [] project: test-host role: roles/cloudasset.owner module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]: condition: [] project: test-host role: roles/compute.networkUser module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:container"]: condition: [] project: test-host role: roles/compute.networkUser module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.securityAdmin:container"]: condition: [] project: test-host role: roles/compute.securityAdmin module.project.google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container"]: condition: [] project: test-host role: roles/container.hostServiceAgentUser module.project.google_project_iam_member.shared_vpc_host_robots["roles/vpcaccess.user:cloudrun"]: condition: [] project: test-host role: roles/vpcaccess.user module.project.google_project_service.project_services["apigee.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: test-project service: apigee.googleapis.com timeouts: null module.project.google_project_service.project_services["bigquery.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: test-project service: bigquery.googleapis.com timeouts: null module.project.google_project_service.project_services["compute.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: test-project service: compute.googleapis.com timeouts: null module.project.google_project_service.project_services["container.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: test-project service: container.googleapis.com timeouts: null module.project.google_project_service.project_services["logging.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: test-project service: logging.googleapis.com timeouts: null module.project.google_project_service.project_services["run.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: test-project service: run.googleapis.com timeouts: null module.project.google_project_service.project_services["storage.googleapis.com"]: disable_dependent_services: false disable_on_destroy: false project: test-project service: storage.googleapis.com timeouts: null module.project.google_project_service_identity.default["apigee.googleapis.com"]: project: test-project service: apigee.googleapis.com timeouts: null module.project.google_project_service_identity.default["container.googleapis.com"]: project: test-project service: container.googleapis.com timeouts: null module.project.google_project_service_identity.default["run.googleapis.com"]: project: test-project service: run.googleapis.com timeouts: null module.project.google_pubsub_topic_iam_member.pubsub-sinks-binding["notice"]: condition: [] project: project-id role: roles/pubsub.publisher topic: pubsub_sink module.project.google_storage_bucket_iam_member.gcs-sinks-binding["warnings"]: bucket: test-gcs_sink condition: [] role: roles/storage.objectCreator module.pubsub.google_pubsub_topic.default: ingestion_data_source_settings: [] kms_key_name: null labels: null message_retention_duration: null name: pubsub_sink project: project-id timeouts: null counts: google_bigquery_dataset: 1 google_bigquery_dataset_iam_member: 1 google_bigquery_default_service_account: 1 google_compute_shared_vpc_host_project: 1 google_compute_shared_vpc_service_project: 1 google_kms_crypto_key_iam_member: 2 google_logging_project_bucket_config: 1 google_logging_project_exclusion: 1 google_logging_project_sink: 4 google_org_policy_policy: 7 google_project: 3 google_project_iam_audit_config: 2 google_project_iam_binding: 7 google_project_iam_member: 14 google_project_service: 7 google_project_service_identity: 3 google_pubsub_topic: 1 google_pubsub_topic_iam_member: 1 google_storage_bucket: 1 google_storage_bucket_iam_member: 1 google_storage_project_service_account: 1 modules: 7 resources: 61 outputs: {}