diff --git a/fast/stages/0-bootstrap/data/custom-roles/network_firewall_policies_viewer.yaml b/fast/stages/0-bootstrap/data/custom-roles/network_firewall_policies_viewer.yaml
new file mode 100644
index 0000000000..6f0ab59e91
--- /dev/null
+++ b/fast/stages/0-bootstrap/data/custom-roles/network_firewall_policies_viewer.yaml
@@ -0,0 +1,20 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
+
+name: networkFirewallPoliciesViewer
+includedPermissions:
+ - networksecurity.firewallEndpointAssociations.get
+ - networksecurity.firewallEndpointAssociations.list
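Review bot: The role is named `networkFirewallPoliciesViewer`, but the only permissions it carries are `networksecurity.firewallEndpointAssociations.get` and `.list`, which cover firewall endpoint associations rather than the network firewall policies the name suggests; whoever later grants the org role will read it as policy read access. If the read side of the policies themselves is meant to come from a predefined role elsewhere, say so in the file, e.g. `# read-only companion to network_firewall_policies_admin: only endpoint association reads are needed for the r- service account`; otherwise the name should match the scope. As a style point, the sequence items are indented by one space (` - `) where two-space indentation is the usual YAML convention — worth aligning with the other custom-role files if they use two.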
diff --git a/fast/stages/0-bootstrap/data/custom-roles/ngfw_enterprise_viewer.yaml b/fast/stages/0-bootstrap/data/custom-roles/ngfw_enterprise_viewer.yaml
new file mode 100644
index 0000000000..2242207a09
--- /dev/null
+++ b/fast/stages/0-bootstrap/data/custom-roles/ngfw_enterprise_viewer.yaml
@@ -0,0 +1,31 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
+
+name: ngfwEnterpriseViewer
+includedPermissions:
+ - networksecurity.firewallEndpoints.get
+ - networksecurity.firewallEndpoints.list
+ - networksecurity.firewallEndpoints.use
+ - networksecurity.locations.get
+ - networksecurity.locations.list
+ - networksecurity.operations.get
+ - networksecurity.operations.list
+ - networksecurity.securityProfileGroups.get
+ - networksecurity.securityProfileGroups.list
+ - networksecurity.securityProfileGroups.use
+ - networksecurity.securityProfiles.get
+ - networksecurity.securityProfiles.list
+ - networksecurity.securityProfiles.use
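Review bot: A role called `ngfwEnterpriseViewer`, which iam.tf in this diff binds to the read-only `branch-nsec-r-sa` account, includes `networksecurity.firewallEndpoints.use`, `networksecurity.securityProfileGroups.use` and `networksecurity.securityProfiles.use`; `use` permissions let the holder reference or attach those resources from other resources, which is more than reading them. If the read-only account only needs to read state for plans, the three `.use` lines should be dropped; if they are genuinely required (e.g. for a data source to resolve), add a one-line comment above them explaining why so the widening is deliberate. Same one-space sequence indentation remark as for `network_firewall_policies_viewer.yaml`.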
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index b7aa68d4ab..aa700dc7fb 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -188,7 +188,9 @@ module "organization" {
]))
, join(",", formatlist("'%s'", [
module.organization.custom_role_id["network_firewall_policies_admin"],
+ module.organization.custom_role_id["network_firewall_policies_viewer"],
module.organization.custom_role_id["ngfw_enterprise_admin"],
+ module.organization.custom_role_id["ngfw_enterprise_viewer"],
module.organization.custom_role_id["service_project_network_admin"],
module.organization.custom_role_id["tenant_network_admin"]
]))
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index d85829e000..854fa6c507 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -267,18 +267,18 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…})
| ✓ | | 0-bootstrap
|
| [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…})
| ✓ | | 0-bootstrap
|
-| [logging](variables-fast.tf#L95) | Logging configuration for tenants. | object({…})
| ✓ | | 1-tenant-factory
|
-| [organization](variables-fast.tf#L108) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
-| [prefix](variables-fast.tf#L126) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
+| [logging](variables-fast.tf#L96) | Logging configuration for tenants. | object({…})
| ✓ | | 1-tenant-factory
|
+| [organization](variables-fast.tf#L109) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
+| [prefix](variables-fast.tf#L127) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
| [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
-| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
+| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
| [factories_config](variables.tf#L122) | Configuration for the resource factories or external data. | object({…})
| | {}
| |
| [fast_features](variables.tf#L133) | Selective control for top-level FAST features. | object({…})
| | {}
| |
| [folder_iam](variables.tf#L146) | Authoritative IAM for top-level folders. | object({…})
| | {}
| |
-| [groups](variables-fast.tf#L67) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…})
| | {}
| 0-bootstrap
|
-| [locations](variables-fast.tf#L82) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {}
| 0-bootstrap
|
+| [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…})
| | {}
| 0-bootstrap
|
+| [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {}
| 0-bootstrap
|
| [outputs_location](variables.tf#L160) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
-| [root_node](variables-fast.tf#L132) | Root node for the hierarchy, if running in tenant mode. | string
| | null
| 0-bootstrap
|
+| [root_node](variables-fast.tf#L133) | Root node for the hierarchy, if running in tenant mode. | string
| | null
| 0-bootstrap
|
| [tag_names](variables.tf#L166) | Customized names for resource management tags. | object({…})
| | {}
| |
| [tags](variables.tf#L180) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
| |
| [top_level_folders](variables.tf#L201) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…}))
| | {}
| |
diff --git a/fast/stages/1-resman/branch-networking.tf b/fast/stages/1-resman/branch-networking.tf
index 1fb575a71c..68314a18a0 100644
--- a/fast/stages/1-resman/branch-networking.tf
+++ b/fast/stages/1-resman/branch-networking.tf
@@ -31,13 +31,19 @@ locals {
"roles/resourcemanager.folderViewer" = [module.branch-network-r-sa.iam_email]
},
var.fast_features.nsec != true ? {} : {
- # nsec service account
+ # nsec service accounts
"roles/serviceusage.serviceUsageAdmin" = [
try(module.branch-nsec-sa[0].iam_email, null)
]
+ "roles/serviceusage.serviceUsageConsumer" = [
+ try(module.branch-nsec-r-sa[0].iam_email, null)
+ ]
(var.custom_roles["network_firewall_policies_admin"]) = [
try(module.branch-nsec-sa[0].iam_email, null)
]
+ (var.custom_roles["network_firewall_policies_viewer"]) = [
+ try(module.branch-nsec-r-sa[0].iam_email, null)
+ ]
}
)
# deep-merge FAST-specific IAM with user-provided bindings in var.folder_iam
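Review bot: `var.custom_roles["network_firewall_policies_viewer"]` on the new binding line has no matching attribute in the `custom_roles` object type: the variables-fast.tf hunk in this diff adds only `ngfw_enterprise_viewer = string`, and the alphabetical slot between `network_firewall_policies_admin` and `ngfw_enterprise_admin` stays empty, so the lookup should fail validation with an "object does not have an attribute" error unless the attribute is declared somewhere outside that hunk. The fix is one line in variables-fast.tf, `network_firewall_policies_viewer = string`, placed after `network_firewall_policies_admin = string`. The 0-bootstrap organization.tf hunk does add the role to the exported list, so the producer side looks consistent. The enclosing `locals` block starts and ends outside this hunk.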
diff --git a/fast/stages/1-resman/iam.tf b/fast/stages/1-resman/iam.tf
index 44706fe977..d4bb6277c0 100644
--- a/fast/stages/1-resman/iam.tf
+++ b/fast/stages/1-resman/iam.tf
@@ -48,6 +48,14 @@ locals {
member = module.branch-nsec-sa[0].iam_email
role = local.custom_roles["ngfw_enterprise_admin"],
}
+ sa_net_nsec_r_fw_policy_admin = {
+ member = module.branch-nsec-sa[0].iam_email
+ role = "roles/compute.orgFirewallPolicyUser"
+ }
+ sa_net_nsec_r_ngfw_enterprise_viewer = {
+ member = module.branch-nsec-r-sa[0].iam_email
+ role = local.custom_roles["ngfw_enterprise_viewer"],
+ }
},
# optional billing roles for network and security
local.billing_mode != "org" ? {} : {
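Review bot: `sa_net_nsec_r_fw_policy_admin` is named as a read-only (`_r_`) binding, but its member is `module.branch-nsec-sa[0].iam_email`, the read-write nsec account, while the sibling `sa_net_nsec_r_ngfw_enterprise_viewer` added just below uses `module.branch-nsec-r-sa[0].iam_email`. Either the member should be `module.branch-nsec-r-sa[0].iam_email` or the key should lose the `_r_`; note that `roles/compute.orgFirewallPolicyUser` allows using organization firewall policies, so pointing it at the read-only account would widen that account beyond read access — confirm which was intended before changing it. Minor style: the new `role` lines are inconsistent about the trailing comma (`"roles/compute.orgFirewallPolicyUser"` has none, `local.custom_roles["ngfw_enterprise_viewer"],` has one). The enclosing `locals` block continues outside the hunk.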
diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf
index c6b833362e..1418d91ef1 100644
--- a/fast/stages/1-resman/variables-fast.tf
+++ b/fast/stages/1-resman/variables-fast.tf
@@ -57,6 +57,7 @@ variable "custom_roles" {
gcve_network_admin = string
network_firewall_policies_admin = string
ngfw_enterprise_admin = string
+ ngfw_enterprise_viewer = string
organization_admin_viewer = string
service_project_network_admin = string
storage_viewer = string
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index 09f1cdb703..d10b3d98d4 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -13,6 +13,1000 @@
# limitations under the License.
values:
+ google_storage_bucket_object.checklist_data[0]:
+ bucket: fast-prod-iac-core-checklist-0
+ cache_control: null
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: checklist/data.tfvars.json
+ retention: []
+ source: checklist-data.json
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.checklist_org_iam[0]:
+ bucket: fast-prod-iac-core-checklist-0
+ cache_control: null
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: checklist/org-iam.tfvars.json
+ retention: []
+ source: checklist-org-iam.json
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["0-bootstrap"]:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"fast-prod-iac-core-bootstrap-0\"\n impersonate_service_account\
+ \ = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\
+ \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n\n# end provider.tf for bootstrap\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: providers/0-bootstrap-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["0-bootstrap-r"]:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"fast-prod-iac-core-bootstrap-0\"\n impersonate_service_account\
+ \ = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\
+ \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n\n# end provider.tf for bootstrap\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: providers/0-bootstrap-r-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["1-resman"]:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\
+ \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n\
+ }\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n\n# end provider.tf for resman\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: providers/1-resman-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["1-resman-r"]:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\
+ \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
+ \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n\n# end provider.tf for resman\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: providers/1-resman-r-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["1-tenant-factory"]:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\
+ \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
+ \ prefix = \"tenant-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
+ provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n\n# end provider.tf for tenant-factory\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: providers/1-tenant-factory-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["1-tenant-factory-r"]:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\
+ \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
+ \ prefix = \"tenant-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
+ provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n\n# end provider.tf for tenant-factory\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: providers/1-tenant-factory-r-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["1-vpcsc"]:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"fast-prod-iac-core-vpcsc-0\"\n impersonate_service_account\
+ \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
+ \ prefix = \"vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
+ provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n\n# end provider.tf for vpcsc\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: providers/1-vpcsc-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.providers["1-vpcsc-r"]:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\
+ \ License, Version 2.0 (the \"License\");\n * you may not use this file except\
+ \ in compliance with the License.\n * You may obtain a copy of the License at\n\
+ \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\
+ \ by applicable law or agreed to in writing, software\n * distributed under\
+ \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\
+ \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\
+ \ the specific language governing permissions and\n * limitations under the\
+ \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \
+ \ = \"fast-prod-iac-core-vpcsc-0\"\n impersonate_service_account\
+ \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \
+ \ prefix = \"vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\
+ \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\
+ provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\
+ \n}\n\n# end provider.tf for vpcsc\n"
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: providers/1-vpcsc-r-providers.tf
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.tfvars:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: tfvars/0-bootstrap.auto.tfvars.json
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ google_storage_bucket_object.tfvars_globals:
+ bucket: fast-prod-iac-core-outputs-0
+ cache_control: null
+ content: '{"billing_account":{"id":"000000-111111-222222","is_org_level":true,"no_iam":false},"environments":{"dev":{"is_default":false,"name":"Development"},"prod":{"is_default":true,"name":"Production"}},"groups":{"gcp-billing-admins":"group:gcp-billing-admins@fast.example.com","gcp-devops":"group:gcp-devops@fast.example.com","gcp-network-admins":"group:gcp-vpc-network-admins@fast.example.com","gcp-organization-admins":"group:gcp-organization-admins@fast.example.com","gcp-security-admins":"group:gcp-security-admins@fast.example.com","gcp-support":"group:gcp-devops@fast.example.com"},"locations":{"bq":"EU","gcs":"EU","logging":"europe-west1","pubsub":[]},"organization":{"customer_id":"C00000000","domain":"fast.example.com","id":123456789012},"prefix":"fast"}'
+ content_disposition: null
+ content_encoding: null
+ content_language: null
+ customer_encryption: []
+ detect_md5hash: different hash
+ event_based_hold: null
+ metadata: null
+ name: tfvars/0-globals.auto.tfvars.json
+ retention: []
+ source: null
+ temporary_hold: null
+ timeouts: null
+ module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]:
+ project: fast-prod-iac-core-0
+ module.automation-project.data.google_storage_project_service_account.gcs_sa[0]:
+ project: fast-prod-iac-core-0
+ user_project: null
+ module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
+ email: gcp-organization-admins@fast.example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/fast-prod-iac-core-0
+ timeouts: null
+ module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
+ dry_run_spec: []
+ name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation
+ parent: projects/fast-prod-iac-core-0
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
+ dry_run_spec: []
+ name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts
+ parent: projects/fast-prod-iac-core-0
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
+ dry_run_spec: []
+ name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation
+ parent: projects/fast-prod-iac-core-0
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.automation-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ folder_id: null
+ labels: null
+ name: fast-prod-iac-core-0
+ org_id: '123456789012'
+ project_id: fast-prod-iac-core-0
+ timeouts: null
+ module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]:
+ audit_log_config:
+ - exempted_members: []
+ log_type: ADMIN_READ
+ project: fast-prod-iac-core-0
+ service: iam.googleapis.com
+ module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: organizations/123456789012/roles/storageViewer
+ module.automation-project.google_project_iam_binding.authoritative["roles/browser"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/browser
+ module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/cloudbuild.builds.editor
+ module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/cloudbuild.builds.viewer
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]:
+ condition: []
+ members:
+ - group:gcp-devops@fast.example.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.serviceAccountAdmin
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members:
+ - group:gcp-devops@fast.example.com
+ - group:gcp-organization-admins@fast.example.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.serviceAccountTokenCreator
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.serviceAccountViewer
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]:
+ condition: []
+ members:
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.workloadIdentityPoolAdmin
+ module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/iam.workloadIdentityPoolViewer
+ module.automation-project.google_project_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/owner
+ module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/source.admin
+ module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/source.reader
+ module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/storage.admin
+ module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/viewer
+ module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]:
+ condition:
+ - description: Resource manager service account delegated grant.
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer'])
+ title: resman_delegated_grant
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/resourcemanager.projectIamAdmin
+ module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]:
+ condition: []
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/serviceusage.serviceUsageConsumer
+ module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]:
+ condition: []
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-iac-core-0
+ role: roles/serviceusage.serviceUsageViewer
+ module.automation-project.google_project_iam_member.service_agents["cloudasset"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/cloudasset.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["cloudbuild"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/cloudbuild.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/cloudbuild.builds.builder
+ module.automation-project.google_project_iam_member.service_agents["cloudkms"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/cloudkms.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["compute-system"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/compute.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/container.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/container.nodeServiceAgent
+ module.automation-project.google_project_iam_member.service_agents["pubsub"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/pubsub.serviceAgent
+ module.automation-project.google_project_iam_member.service_agents["service-networking"]:
+ condition: []
+ project: fast-prod-iac-core-0
+ role: roles/servicenetworking.serviceAgent
+ module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: accesscontextmanager.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: bigquery.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: bigqueryreservation.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: bigquerystorage.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: billingbudgets.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudasset.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudbilling.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudbuild.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudkms.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudquotas.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: cloudresourcemanager.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: compute.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: essentialcontacts.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["iam.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: iam.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: iamcredentials.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: orgpolicy.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: pubsub.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: serviceusage.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: storage-component.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: storage.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service.project_services["sts.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-iac-core-0
+ service: sts.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: cloudasset.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: cloudkms.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["container.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: container.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: networksecurity.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: pubsub.googleapis.com
+ timeouts: null
+ module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]:
+ project: fast-prod-iac-core-0
+ service: servicenetworking.googleapis.com
+ timeouts: null
+ module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket:
+ autoclass:
+ - enabled: false
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast-prod-iac-core-bootstrap-0
+ project: fast-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: MULTI_REGIONAL
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
+ : condition: []
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/organizationAdminViewer
+ ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
+ : condition: []
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/tagViewer
+ module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-bootstrap-0r
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform organization bootstrap service account (read-only).
+ project: fast-prod-iac-core-0
+ timeouts: null
+ ? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
+ : condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: organizations/123456789012/roles/storageViewer
+ module.automation-tf-bootstrap-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-bootstrap-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform organization bootstrap service account.
+ project: fast-prod-iac-core-0
+ timeouts: null
+ module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: roles/storage.admin
+ module.automation-tf-checklist-gcs[0].google_storage_bucket.bucket:
+ autoclass:
+ - enabled: false
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast-prod-iac-core-checklist-0
+ project: fast-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: MULTI_REGIONAL
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.automation-tf-output-gcs.google_storage_bucket.bucket:
+ autoclass:
+ - enabled: false
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast-prod-iac-core-outputs-0
+ project: fast-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: MULTI_REGIONAL
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.automation-tf-resman-gcs.google_storage_bucket.bucket:
+ autoclass:
+ - enabled: false
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast-prod-iac-core-resman-0
+ project: fast-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: MULTI_REGIONAL
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast-prod-iac-core-resman-0
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/storage.objectAdmin
+ module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast-prod-iac-core-resman-0
+ condition: []
+ members:
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
+ : condition: []
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/organizationAdminViewer
+ ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
+ : condition: []
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/tagViewer
+ module.automation-tf-resman-r-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-resman-0r
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform stage 1 resman service account (read-only).
+ project: fast-prod-iac-core-0
+ timeouts: null
+ ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: organizations/123456789012/roles/storageViewer
+ module.automation-tf-resman-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-resman-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform stage 1 resman service account.
+ project: fast-prod-iac-core-0
+ timeouts: null
+ ? module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: roles/storage.admin
+ module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket:
+ autoclass:
+ - enabled: false
+ cors: []
+ custom_placement_config: []
+ default_event_based_hold: null
+ enable_object_retention: null
+ encryption: []
+ force_destroy: false
+ labels: null
+ lifecycle_rule: []
+ location: EU
+ logging: []
+ name: fast-prod-iac-core-vpcsc-0
+ project: fast-prod-iac-core-0
+ requester_pays: null
+ retention_policy: []
+ storage_class: MULTI_REGIONAL
+ timeouts: null
+ uniform_bucket_level_access: true
+ versioning:
+ - enabled: true
+ module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast-prod-iac-core-vpcsc-0
+ condition: []
+ members:
+ - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/storage.objectAdmin
+ module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast-prod-iac-core-vpcsc-0
+ condition: []
+ members:
+ - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-vpcsc-0r
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform stage 1 vpcsc service account (read-only).
+ project: fast-prod-iac-core-0
+ timeouts: null
+ ? module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: organizations/123456789012/roles/storageViewer
+ module.automation-tf-vpcsc-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-vpcsc-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform stage 1 vpcsc service account.
+ project: fast-prod-iac-core-0
+ timeouts: null
+ module.automation-tf-vpcsc-sa.google_service_account_iam_member.bindings["security_admins"]:
+ condition: []
+ member: group:gcp-security-admins@fast.example.com
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
+ : bucket: fast-prod-iac-core-outputs-0
+ condition: []
+ role: roles/storage.admin
+ module.billing-export-dataset[0].google_bigquery_dataset.default:
+ dataset_id: billing_export
+ default_encryption_configuration: []
+ default_partition_expiration_ms: null
+ default_table_expiration_ms: null
+ delete_contents_on_destroy: false
+ description: Terraform managed.
+ external_dataset_reference: []
+ friendly_name: Billing export.
+ labels: null
+ location: EU
+ max_time_travel_hours: '168'
+ project: fast-prod-billing-exp-0
+ resource_tags: null
+ timeouts: null
+ module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]:
+ project: fast-prod-billing-exp-0
+ module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]:
+ project: fast-prod-billing-exp-0
+ user_project: null
+ module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
+ email: gcp-organization-admins@fast.example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/fast-prod-billing-exp-0
+ timeouts: null
+ module.billing-export-project[0].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ folder_id: null
+ labels: null
+ name: fast-prod-billing-exp-0
+ org_id: '123456789012'
+ project_id: fast-prod-billing-exp-0
+ timeouts: null
+ module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-billing-exp-0
+ role: roles/owner
+ module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-billing-exp-0
+ role: roles/viewer
+ module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]:
+ condition: []
+ project: fast-prod-billing-exp-0
+ role: roles/bigquerydatatransfer.serviceAgent
+ module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-billing-exp-0
+ service: bigquery.googleapis.com
+ timeouts: null
+ module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-billing-exp-0
+ service: bigquerydatatransfer.googleapis.com
+ timeouts: null
+ module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-billing-exp-0
+ service: storage.googleapis.com
+ timeouts: null
+ module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]:
+ project: fast-prod-billing-exp-0
+ service: bigquerydatatransfer.googleapis.com
+ timeouts: null
module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]:
bucket_id: audit-logs
cmek_settings: []
@@ -22,6 +1016,15 @@ values:
locked: null
project: fast-prod-audit-logs-0
retention_days: 30
+ module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]:
+ bucket_id: iam
+ cmek_settings: []
+ enable_analytics: true
+ index_configs: []
+ location: europe-west1
+ locked: null
+ project: fast-prod-audit-logs-0
+ retention_days: 30
module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]:
bucket_id: vpc-sc
cmek_settings: []
@@ -40,6 +1043,430 @@ values:
locked: null
project: fast-prod-audit-logs-0
retention_days: 30
+ module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]:
+ project: fast-prod-audit-logs-0
+ module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]:
+ project: fast-prod-audit-logs-0
+ user_project: null
+ module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
+ email: gcp-organization-admins@fast.example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/fast-prod-audit-logs-0
+ timeouts: null
+ module.log-export-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ deletion_policy: DELETE
+ folder_id: null
+ labels: null
+ name: fast-prod-audit-logs-0
+ org_id: '123456789012'
+ project_id: fast-prod-audit-logs-0
+ timeouts: null
+ module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-audit-logs-0
+ role: roles/owner
+ module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ project: fast-prod-audit-logs-0
+ role: roles/viewer
+ module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-audit-logs-0
+ service: bigquery.googleapis.com
+ timeouts: null
+ module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-audit-logs-0
+ service: stackdriver.googleapis.com
+ timeouts: null
+ module.log-export-project.google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: fast-prod-audit-logs-0
+ service: storage.googleapis.com
+ timeouts: null
+ module.organization-logging.google_logging_organization_settings.default[0]:
+ organization: '123456789012'
+ storage_location: global
+ timeouts: null
+ module.organization.google_logging_organization_sink.sink["audit-logs"]:
+ description: audit-logs (Terraform-managed).
+ disabled: false
+ exclusions: []
+ filter: 'log_id("cloudaudit.googleapis.com/activity") OR
+
+ log_id("cloudaudit.googleapis.com/system_event") OR
+
+ log_id("cloudaudit.googleapis.com/policy") OR
+
+ log_id("cloudaudit.googleapis.com/access_transparency")
+
+ '
+ include_children: true
+ intercept_children: false
+ name: audit-logs
+ org_id: '123456789012'
+ module.organization.google_logging_organization_sink.sink["iam"]:
+ description: iam (Terraform-managed).
+ disabled: false
+ exclusions: []
+ filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR
+
+ protoPayload.serviceName="iam.googleapis.com" OR
+
+ protoPayload.serviceName="sts.googleapis.com"
+
+ '
+ include_children: true
+ intercept_children: false
+ name: iam
+ org_id: '123456789012'
+ module.organization.google_logging_organization_sink.sink["vpc-sc"]:
+ description: vpc-sc (Terraform-managed).
+ disabled: false
+ exclusions: []
+ filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
+
+ '
+ include_children: true
+ intercept_children: false
+ name: vpc-sc
+ org_id: '123456789012'
+ module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]:
+ description: workspace-audit-logs (Terraform-managed).
+ disabled: false
+ exclusions: []
+ filter: 'log_id("cloudaudit.googleapis.com/data_access") AND
+
+ protoPayload.serviceName="login.googleapis.com"
+
+ '
+ include_children: true
+ intercept_children: false
+ name: workspace-audit-logs
+ org_id: '123456789012'
+ module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.disableNestedVirtualization
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.disableSerialPortAccess
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.requireOsLogin
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ values:
+ - allowed_values:
+ - in:INTERNAL
+ denied_values: null
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.trustedImageProjects
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ values:
+ - allowed_values:
+ - is:projects/centos-cloud
+ - is:projects/cos-cloud
+ - is:projects/debian-cloud
+ - is:projects/fedora-cloud
+ - is:projects/fedora-coreos-cloud
+ - is:projects/opensuse-cloud
+ - is:projects/rhel-cloud
+ - is:projects/rhel-sap-cloud
+ - is:projects/rocky-linux-cloud
+ - is:projects/suse-cloud
+ - is:projects/suse-sap-cloud
+ - is:projects/ubuntu-os-cloud
+ - is:projects/ubuntu-os-pro-cloud
+ - is:projects/windows-cloud
+ - is:projects/windows-sql-cloud
+ - is:projects/confidential-vm-images
+ - is:projects/backupdr-images
+ - is:projects/deeplearning-platform-release
+ - is:projects/serverless-vpc-access-images
+ denied_values: null
+ timeouts: null
+ module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/compute.vmExternalIpAccess
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: 'TRUE'
+ enforce: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition:
+ - description: null
+ expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')'
+ location: null
+ title: null
+ deny_all: null
+ enforce: null
+ values:
+ - allowed_values:
+ - C00000000
+ denied_values: null
+ - allow_all: 'TRUE'
+ condition:
+ - description: null
+ expression: resource.matchTag('123456789012/org-policies', 'allowed-policy-member-domains-all')
+ location: null
+ title: allow-all
+ deny_all: null
+ enforce: null
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ values:
+ - allowed_values:
+ - DISABLE_KEY
+ denied_values: null
+ timeouts: null
+ module.organization.google_org_policy_policy.default["run.allowedIngress"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/run.allowedIngress
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ values:
+ - allowed_values:
+ - is:internal-and-cloud-load-balancing
+ denied_values: null
+ timeouts: null
+ module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/sql.restrictPublicIp
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/storage.publicAccessPrevention
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/storage.secureHttpTransport
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
+ module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
+ dry_run_spec: []
+ name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
+ parent: organizations/123456789012
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ timeouts: null
module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]:
condition: []
members:
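Review bot: The expected filter for `module.organization.google_logging_organization_sink.sink["iam"]` matches only on `protoPayload.serviceName` for `iamcredentials.googleapis.com`, `iam.googleapis.com` and `sts.googleapis.com`, with no `log_id(...)` restriction, whereas the `workspace-audit-logs` sink in the same hunk scopes its match with `log_id("cloudaudit.googleapis.com/data_access") AND ...`. As written, the fixture asserts that every audit log type for those three services is routed to the `iam` bucket, including Data Access logs if they are enabled at the organization level, which for token-minting services can be high volume. If that is intentional, a comment on the entry like `# no log_id() restriction: captures all audit log types for the IAM, STS and credentials APIs` would make the expectation explicit; if not, the sink definition in the stage (outside this diff) should gain a `log_id()` clause and this inventory updated to match. The org-policy entries in this hunk look consistent with the other fixtures and need no change.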
@@ -86,6 +1513,20 @@ values:
- group:gcp-organization-admins@fast.example.com
org_id: '123456789012'
role: roles/compute.osLoginExternalUser
+ module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/essentialcontacts.admin
+ module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/essentialcontacts.viewer
module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]:
condition: []
members:
@@ -93,10 +1534,10 @@ values:
org_id: '123456789012'
role: roles/iam.securityReviewer
module.organization.google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]:
- condition: [ ]
+ condition: []
members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - group:gcp-organization-admins@fast.example.com
+ - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
org_id: '123456789012'
role: roles/iam.workforcePoolAdmin
module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
@@ -198,23 +1639,236 @@ values:
- serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
org_id: '123456789012'
role: roles/serviceusage.serviceUsageViewer
+ module.organization.google_organization_iam_binding.bindings["organization_billing_conditional"]:
+ condition:
+ - description: Automation service account delegated grants.
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/billing.admin','roles/billing.costsManager','roles/billing.user'])
+ title: automation_sa_delegated_grants
+ members:
+ - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/organizationIamAdmin
module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]:
condition:
- description: Automation service account delegated grants.
- expression: |
- api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/accesscontextmanager.policyAdmin','roles/cloudasset.viewer','roles/compute.orgFirewallPolicyAdmin','roles/compute.xpnAdmin','roles/orgpolicy.policyAdmin','roles/orgpolicy.policyViewer','roles/resourcemanager.organizationViewer'])
- || api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['organizations/123456789012/roles/networkFirewallPoliciesAdmin','organizations/123456789012/roles/ngfwEnterpriseAdmin','organizations/123456789012/roles/serviceProjectNetworkAdmin','organizations/123456789012/roles/tenantNetworkAdmin'])
+ expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyAdmin'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer''])
+
+ || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/networkFirewallPoliciesViewer'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin''])
+ '
title: automation_sa_delegated_grants
members:
- serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
org_id: '123456789012'
role: organizations/123456789012/roles/organizationIamAdmin
+ module.organization.google_organization_iam_binding.bindings["organization_ngfw_enterprise_admin"]:
+ condition: []
+ members:
+ - group:gcp-vpc-network-admins@fast.example.com
+ org_id: '123456789012'
+ role: organizations/123456789012/roles/ngfwEnterpriseAdmin
+ module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - vmwareengine.networkPeerings.create
+ - vmwareengine.networkPeerings.delete
+ - vmwareengine.networkPeerings.get
+ - vmwareengine.networkPeerings.list
+ - vmwareengine.operations.get
+ role_id: gcveNetworkAdmin
+ stage: GA
+ title: Custom role gcveNetworkAdmin
+ module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - compute.networks.setFirewallPolicy
+ - networksecurity.firewallEndpointAssociations.create
+ - networksecurity.firewallEndpointAssociations.delete
+ - networksecurity.firewallEndpointAssociations.get
+ - networksecurity.firewallEndpointAssociations.list
+ - networksecurity.firewallEndpointAssociations.update
+ role_id: networkFirewallPoliciesAdmin
+ stage: GA
+ title: Custom role networkFirewallPoliciesAdmin
+ module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - networksecurity.firewallEndpointAssociations.get
+ - networksecurity.firewallEndpointAssociations.list
+ role_id: networkFirewallPoliciesViewer
+ stage: GA
+ title: Custom role networkFirewallPoliciesViewer
+ module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - networksecurity.firewallEndpoints.create
+ - networksecurity.firewallEndpoints.delete
+ - networksecurity.firewallEndpoints.get
+ - networksecurity.firewallEndpoints.list
+ - networksecurity.firewallEndpoints.update
+ - networksecurity.firewallEndpoints.use
+ - networksecurity.locations.get
+ - networksecurity.locations.list
+ - networksecurity.operations.cancel
+ - networksecurity.operations.delete
+ - networksecurity.operations.get
+ - networksecurity.operations.list
+ - networksecurity.securityProfileGroups.create
+ - networksecurity.securityProfileGroups.delete
+ - networksecurity.securityProfileGroups.get
+ - networksecurity.securityProfileGroups.list
+ - networksecurity.securityProfileGroups.update
+ - networksecurity.securityProfileGroups.use
+ - networksecurity.securityProfiles.create
+ - networksecurity.securityProfiles.delete
+ - networksecurity.securityProfiles.get
+ - networksecurity.securityProfiles.list
+ - networksecurity.securityProfiles.update
+ - networksecurity.securityProfiles.use
+ role_id: ngfwEnterpriseAdmin
+ stage: GA
+ title: Custom role ngfwEnterpriseAdmin
+ module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - networksecurity.firewallEndpoints.get
+ - networksecurity.firewallEndpoints.list
+ - networksecurity.firewallEndpoints.use
+ - networksecurity.locations.get
+ - networksecurity.locations.list
+ - networksecurity.operations.get
+ - networksecurity.operations.list
+ - networksecurity.securityProfileGroups.get
+ - networksecurity.securityProfileGroups.list
+ - networksecurity.securityProfileGroups.use
+ - networksecurity.securityProfiles.get
+ - networksecurity.securityProfiles.list
+ - networksecurity.securityProfiles.use
+ role_id: ngfwEnterpriseViewer
+ stage: GA
+ title: Custom role ngfwEnterpriseViewer
+ module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - essentialcontacts.contacts.get
+ - essentialcontacts.contacts.list
+ - logging.settings.get
+ - orgpolicy.constraints.list
+ - orgpolicy.policies.list
+ - orgpolicy.policy.get
+ - resourcemanager.folders.get
+ - resourcemanager.folders.getIamPolicy
+ - resourcemanager.folders.list
+ - resourcemanager.organizations.get
+ - resourcemanager.organizations.getIamPolicy
+ - resourcemanager.projects.get
+ - resourcemanager.projects.getIamPolicy
+ - resourcemanager.projects.list
+ role_id: organizationAdminViewer
+ stage: GA
+ title: Custom role organizationAdminViewer
+ module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - resourcemanager.organizations.get
+ - resourcemanager.organizations.getIamPolicy
+ - resourcemanager.organizations.setIamPolicy
+ role_id: organizationIamAdmin
+ stage: GA
+ title: Custom role organizationIamAdmin
+ module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - compute.globalOperations.get
+ - compute.networks.get
+ - compute.networks.updatePeering
+ - compute.organizations.disableXpnResource
+ - compute.organizations.enableXpnResource
+ - compute.projects.get
+ - compute.subnetworks.getIamPolicy
+ - compute.subnetworks.setIamPolicy
+ - dns.networks.bindPrivateDNSZone
+ - resourcemanager.projects.get
+ role_id: serviceProjectNetworkAdmin
+ stage: GA
+ title: Custom role serviceProjectNetworkAdmin
+ module.organization.google_organization_iam_custom_role.roles["storage_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - storage.buckets.get
+ - storage.buckets.getIamPolicy
+ - storage.buckets.getObjectInsights
+ - storage.buckets.list
+ - storage.buckets.listEffectiveTags
+ - storage.buckets.listTagBindings
+ - storage.managedFolders.get
+ - storage.managedFolders.getIamPolicy
+ - storage.managedFolders.list
+ - storage.multipartUploads.list
+ - storage.multipartUploads.listParts
+ - storage.objects.create
+ - storage.objects.get
+ - storage.objects.getIamPolicy
+ - storage.objects.list
+ role_id: storageViewer
+ stage: GA
+ title: Custom role storageViewer
+ module.organization.google_organization_iam_custom_role.roles["tag_viewer"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - resourcemanager.tagHolds.list
+ - resourcemanager.tagKeys.get
+ - resourcemanager.tagKeys.getIamPolicy
+ - resourcemanager.tagKeys.list
+ - resourcemanager.tagValues.get
+ - resourcemanager.tagValues.getIamPolicy
+ - resourcemanager.tagValues.list
+ role_id: tagViewer
+ stage: GA
+ title: Custom role tagViewer
+ module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - compute.globalOperations.get
+ role_id: tenantNetworkAdmin
+ stage: GA
+ title: Custom role tenantNetworkAdmin
? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"]
: condition: []
member: group:gcp-security-admins@fast.example.com
org_id: '123456789012'
role: roles/accesscontextmanager.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyAdmin
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyReader
+ ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/accesscontextmanager.policyReader
? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"]
: condition: []
member: group:gcp-billing-admins@fast.example.com
@@ -250,6 +1904,16 @@ values:
member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
org_id: '123456789012'
role: roles/billing.viewer
+ ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/cloudasset.viewer
+ ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
+ : condition: []
+ member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/cloudasset.viewer
? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-vpc-network-admins@fast.example.com"]
: condition: []
member: group:gcp-vpc-network-admins@fast.example.com
@@ -306,7 +1970,7 @@ values:
org_id: '123456789012'
role: roles/iam.organizationRoleViewer
? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: [ ]
+ : condition: []
member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
org_id: '123456789012'
role: roles/iam.workforcePoolViewer
@@ -370,6 +2034,33 @@ values:
member: group:gcp-organization-admins@fast.example.com
org_id: '123456789012'
role: roles/storage.objectAdmin
+ module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]:
+ condition:
+ - title: audit-logs bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_project_iam_member.bucket-sinks-binding["iam"]:
+ condition:
+ - title: iam bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]:
+ condition:
+ - title: vpc-sc bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]:
+ condition:
+ - title: workspace-audit-logs bucket writer
+ role: roles/logging.bucketWriter
+ module.organization.google_tags_tag_key.default["org-policies"]:
+ description: Organization policy conditions.
+ parent: organizations/123456789012
+ purpose: null
+ purpose_data: null
+ short_name: org-policies
+ timeouts: null
+ module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]:
+ description: Managed by the Terraform organization module.
+ short_name: allowed-policy-member-domains-all
+ timeouts: null
counts:
google_bigquery_dataset: 1
@@ -380,7 +2071,7 @@ counts:
google_logging_project_bucket_config: 4
google_org_policy_policy: 22
google_organization_iam_binding: 28
- google_organization_iam_custom_role: 9
+ google_organization_iam_custom_role: 11
google_organization_iam_member: 42
google_project: 3
google_project_iam_audit_config: 1
@@ -399,4 +2090,4 @@ counts:
google_tags_tag_key: 1
google_tags_tag_value: 1
modules: 21
- resources: 235
+ resources: 237
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 53e28ffe25..d5e936d86e 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -21,7 +21,7 @@ counts:
google_logging_project_bucket_config: 4
google_org_policy_policy: 22
google_organization_iam_binding: 28
- google_organization_iam_custom_role: 9
+ google_organization_iam_custom_role: 11
google_organization_iam_member: 29
google_project: 3
google_project_iam_audit_config: 1
@@ -41,7 +41,7 @@ counts:
google_tags_tag_value: 1
local_file: 10
modules: 20
- resources: 229
+ resources: 231
outputs:
automation: __missing__
@@ -50,7 +50,9 @@ outputs:
custom_roles:
gcve_network_admin: organizations/123456789012/roles/gcveNetworkAdmin
network_firewall_policies_admin: organizations/123456789012/roles/networkFirewallPoliciesAdmin
+ network_firewall_policies_viewer: organizations/123456789012/roles/networkFirewallPoliciesViewer
ngfw_enterprise_admin: organizations/123456789012/roles/ngfwEnterpriseAdmin
+ ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer
organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer
organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin
service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin
diff --git a/tests/fast/stages/s0_bootstrap/simple_projects.yaml b/tests/fast/stages/s0_bootstrap/simple_projects.yaml
index de53c0045c..c25391ab84 100644
--- a/tests/fast/stages/s0_bootstrap/simple_projects.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple_projects.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/tests/fast/stages/s1_resman/checklist.tfvars b/tests/fast/stages/s1_resman/checklist.tfvars
index 7629428051..3684f0f770 100644
--- a/tests/fast/stages/s1_resman/checklist.tfvars
+++ b/tests/fast/stages/s1_resman/checklist.tfvars
@@ -13,12 +13,14 @@ billing_account = {
}
custom_roles = {
# organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
- gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
- network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
- ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
- organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
- service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
- storage_viewer = "organizations/123456789012/roles/storageViewer"
+ gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
+ network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
+ network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer"
+ ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
+ ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
+ organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
+ service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
+ storage_viewer = "organizations/123456789012/roles/storageViewer"
}
factories_config = {
checklist_data = "checklist-data.json"
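Review bot: `service_project_network_admin` is still set to `organizations/123456789012/roles/xpnServiceAdmin` while the stage-0 inventory in this same commit creates that role with `role_id: serviceProjectNetworkAdmin`; the two viewer entries were added around it without reconciling the value. If this fixture is meant to mirror stage-0 outputs, the line should read `service_project_network_admin = "organizations/123456789012/roles/serviceProjectNetworkAdmin"`, though changing it may shift expected values in stage-1 inventories not shown here. If the mismatch is intentional placeholder input, a short comment next to the line saying so would spare the next reader the cross-check. The same value appears in the simple.tfvars hunk below.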
diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars
index 16c762f1f2..046f45fdf4 100644
--- a/tests/fast/stages/s1_resman/simple.tfvars
+++ b/tests/fast/stages/s1_resman/simple.tfvars
@@ -13,12 +13,14 @@ billing_account = {
}
custom_roles = {
# organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
- gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
- network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
- ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
- organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
- service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
- storage_viewer = "organizations/123456789012/roles/storageViewer"
+ gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
+ network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
+ network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer"
+ ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
+ ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
+ organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
+ service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
+ storage_viewer = "organizations/123456789012/roles/storageViewer"
}
groups = {
gcp-billing-admins = "gcp-billing-admins",