From 33b53f24b9eaa3efbb3f6704543e7eeac15120ce Mon Sep 17 00:00:00 2001 From: Luca Prete Date: Wed, 28 Aug 2024 10:55:00 +0200 Subject: [PATCH] tests and docs --- fast/stages/2-security/README.md | 86 +- fast/stages/2-security/outputs.tf | 39 +- fast/stages/3-network-security/README.md | 37 +- fast/stages/3-network-security/net-dev.tf | 4 +- fast/stages/3-network-security/net-prod.tf | 4 +- .../3-network-security/variables-fast.tf | 51 +- tests/fast/stages/s0_bootstrap/checklist.yaml | 150 +--- tests/fast/stages/s0_bootstrap/simple.yaml | 2 +- tests/fast/stages/s1_resman/checklist.tfvars | 16 +- tests/fast/stages/s1_resman/checklist.yaml | 19 +- tests/fast/stages/s1_resman/simple.tfvars | 16 +- tests/fast/stages/s1_resman/simple.yaml | 840 ++++++++++++++++++ tests/fast/stages/s2_security/simple.tfvars | 5 + tests/fast/stages/s2_security/simple.yaml | 457 +++++++++- .../stages/s3_network_security/tls.tfvars | 54 +- .../fast/stages/s3_network_security/tls.yaml | 285 +++++- 16 files changed, 1765 insertions(+), 300 deletions(-) diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md index f5b650aabd..fbb8ea647d 100644 --- a/fast/stages/2-security/README.md +++ b/fast/stages/2-security/README.md 
@@ -50,15 +50,19 @@ IAM roles on keys can be configured at the logical level for all locations where ### Certificate Authority Service (CAS) -You can use this stage to optionally leverage Certificate Authority Services (CAS) and create as many CAs you need for each environment. To create custom CAS, you can use the `cas_configs` variable. The variables come with some defaults for demo purposes: for each environment, specifying the CA `location` should be enough for most of your test scenarios. +With this stage you can leverage Certificate Authority Services (CAS) and create as many CAs you need for each environments. To create custom CAS, you can use the `cas_configs` variable. The variable comes with some defaults, useful for demos: in each environment, specifying the CA `location` should be enough for most of your test scenarios. ### Trust Configs -The stage lets you also create Certificate Manager trust configs. With trust configs you can trust whole CAs or specific server certificates, when you use them with third-party services in GCP. You can create additional trust configs for each environment with the `trust_configs` variable. At a very minimum, for each trust config you'll need to specify the `location` (the region) and either a `trust_stores` block or an `allowed_certificates` block. +The stage lets you also create Certificate Manager trust configs. With trust configs you can trust whole CAs or specific server certificates, when you use them with other services, such as NGFW Enterprise. You can create additional trust configs for each environment with the `trust_configs` variable. At a very minimum, each trust config needs a `location` (the region) and either a `trust_stores` block or an `allowed_certificates` block. ### NGFW Enterprise and TLS inspection support -We deploy NGFW Enterprise in the [network-security stage](../3-network-security/README.md). 
If you want to enable TLS inspection, NGFW Enterprise requires CAS and -optionally- a Certificate Manager trust config. You can create both leveraging the `cas_configs` and the `trust_configs` variables. Given the [network-security stage](../3-network-security/README.md) needs to reference these resources, you will need to use specific map keys. These are defined in the `ngfw_tls_config_keys` variable, which comes with default and can be further customized. You can read more about NGFW configurations in the [Customizations section](#customizations) of this document. +We deploy NGFW Enterprise in the [network-security stage](../3-network-security/README.md). If you require TLS inspection, NGFW needs to interact with CAS and -optionally- Certificate Manager trust-configs. These components bind to firewall endpoint associations (created in the [network-security stage](../3-network-security/README.md)) with zonal TLS inspection policies. +Using this module, you can define CAS configurations and trust-configs for NGFW Enterprise. You can create them using the `cas_configs` and `trust_configs` variables. Anyway, these will need to use specific keys (defined in `ngfw_tls_configs.keys`), so that FAST knows which configurations to use for NGFW Enterprise. +You can then enable TLS inspection and customize its behavior for NGFW Enterprise, using the `ngfw_tls_configs.tls_inspection` variable. FAST will create the TLS inspection policies for you in the regions where you defined your CAs for NGFW Enterprise. +When you create your CAs and trust-configs for NGFW Enterprise, make sure their region matches the zones where you will define your firewall endpoints. +You can read more about NGFW configurations in the [Customizations section](#customizations) of this document. ## How to run this stage 
@@ -178,7 +182,7 @@ The script will create one keyring for each specified location and keys on each ### NGFW Enterprise - sample TLS configurations -This is a sample configuration that creates a CA and a trust config, both for dev and prod, for NGFW Enterprise. +This is a minimal configuration that creates a CAs for each environment and enables TLS inspection policies for NGFW Enterprise. ```tfvars cas_configs = { @@ -193,9 +197,70 @@ cas_configs = { } } } +tls_inspection = { + enabled = true +} +``` + +You can optionally create also trust-configs for NGFW Enterprise. + +```tfvars +cas_configs = { + dev = { + ngfw-dev-cas-0 = { + location = "europe-west1" + } + } + prod = { + ngfw-prod-cas-0 = { + location = "europe-west1" + } + } +} +trust_configs = { + dev = { + ngfw-dev-tc-0 = { + allowlisted_certificates = { + my_ca = "~/my_keys/srv-dev.crt" + } + location = "europe-west1" + } + } + prod = { + ngfw-prod-tc-0 = { + allowlisted_certificates = { + my_ca = "~/my_keys/srv-prod.crt" + } + location = "europe-west1" + } + } +} +tls_inspection = { + enabled = true +} ``` -You can choose what components to activate in each environment. For example, you may create them just in dev and not in prod. As we do in this example, you can also avoid to create a trust config, if you feel you don't need it. Please, refer to the variable `ngfw_tls_configs` spec for more configuration options. +You can customize the keys of your configurations, as long as they match the ones you specify in the `ngfw_tls_configs.keys` variable. + +```tfvars +cas_configs = { + dev = { + my-ca-0 = { + location = "europe-west1" + } + } +} +ngfw_tls_configs = { + keys = { + dev = { + cas = "my-ca-0" + } + } +} +tls_inspection = { + enabled = true +} +``` 
@@ -232,10 +297,9 @@ You can choose what components to activate in each environment. For example, you | name | description | sensitive | consumers | |---|---|:---:|---| -| [cas_configs](outputs.tf#L97) | Certificate Authority Service configurations. | | | -| [kms_keys](outputs.tf#L102) | KMS key ids. | | | -| [ngfw_tls_configs](outputs.tf#L107) | The NGFW Enterprise configurations. | | | -| [tfvars](outputs.tf#L112) | Terraform variable files for the following stages. | ✓ | | -| [tls_inspection_policy_ids](outputs.tf#L118) | TLS inspection policy ids for NGFW by environment and region. | | | -| [trust_config_ids](outputs.tf#L123) | Certificate Manager trust-config ids. | | | +| [cas_configs](outputs.tf#L99) | Certificate Authority Service configurations. | | | +| [kms_keys](outputs.tf#L104) | KMS key ids. | | | +| [ngfw_tls_configs](outputs.tf#L109) | The NGFW Enterprise configurations. | | | +| [tfvars](outputs.tf#L114) | Terraform variable files for the following stages. | ✓ | | +| [trust_config_ids](outputs.tf#L120) | Certificate Manager trust-config ids. | | | diff --git a/fast/stages/2-security/outputs.tf b/fast/stages/2-security/outputs.tf index 9e7fdd76f4..9fdd127836 100644 --- a/fast/stages/2-security/outputs.tf +++ b/fast/stages/2-security/outputs.tf 
@@ -51,23 +51,25 @@ locals { } } } + ngfw_tls_configs = { + tls_enabled = var.ngfw_tls_configs.tls_inspection.enabled + tls_ip_ids_by_region = { + dev = { + for k, v in google_network_security_tls_inspection_policy.ngfw_dev_tls_ips + : v.location => v.id + } + prod = { + for k, v in google_network_security_tls_inspection_policy.ngfw_prod_tls_ips + : v.location => v.id + } + } + } output_kms_keys = { for k in local._output_kms_keys : k.key => k.id } tfvars = { - cas_configs = local.cas_configs - kms_keys = local.output_kms_keys - ngfw_tls_configs = var.ngfw_tls_configs - tls_inspection_policy_ids = local.tls_inspection_policy_ids - trust_config_ids = local.trust_config_ids - } - tls_inspection_policy_ids = { - dev = { - for k, v in google_network_security_tls_inspection_policy.ngfw_dev_tls_ips - : v.location => v.id - } - prod = { - for k, v in google_network_security_tls_inspection_policy.ngfw_prod_tls_ips - : v.location => v.id - } + cas_configs = local.cas_configs + kms_keys = local.output_kms_keys + ngfw_tls_configs = local.ngfw_tls_configs + trust_config_ids = local.trust_config_ids } trust_config_ids = { dev = { @@ -106,7 +108,7 @@ output "kms_keys" { output "ngfw_tls_configs" { description = "The NGFW Enterprise configurations." - value = var.ngfw_tls_configs + value = local.ngfw_tls_configs } output "tfvars" { @@ -115,11 +117,6 @@ output "tfvars" { value = local.tfvars } -output "tls_inspection_policy_ids" { - description = "TLS inspection policy ids for NGFW by environment and region." - value = local.tls_inspection_policy_ids -} - output "trust_config_ids" { description = "Certificate Manager trust-config ids." value = local.trust_config_ids diff --git a/fast/stages/3-network-security/README.md b/fast/stages/3-network-security/README.md index ec489a6a95..b6eca0d3f0 100644 --- a/fast/stages/3-network-security/README.md +++ b/fast/stages/3-network-security/README.md 
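Review bot: The new `tls_enabled` local reads `var.ngfw_tls_configs.tls_inspection.enabled`, but every tfvars sample added to this stage's README in the same patch sets `tls_inspection = { enabled = true }` as a top-level variable rather than under `ngfw_tls_configs`, so unless stage 2 also declares a separate top-level `tls_inspection` variable (not visible here) a user copying the sample hands `tls_enabled = false` to stage 3 and gets no TLS inspection, with no error anywhere. The samples should read `ngfw_tls_configs = { tls_inspection = { enabled = true } }`, merged with the `keys` block in the third example. The `ngfw_tls_configs` output also keeps its old description while its value changed shape from the raw variable to this local; suggest `description = "NGFW Enterprise TLS inspection: enable flag and TLS inspection policy ids by environment and region."`. The `locals` block edited here starts before and ends after the hunk.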
@@ -137,24 +137,9 @@ ngfw_enterprise_config = { } ``` -You can optionally enable TLS inspection. As a preliminary step, you should activate the TLS components in stage [2-security](../2-security/README.md). Then, activate the inspection in this stage with this minimal configuration. - -```tfvars -ngfw_enterprise_config = { - endpoint_zones = [ - "europe-west1-b", - "europe-west1-c", - "europe-west1-d" - ] - tls_inspection = { - enabled = true - } -} -``` - -You can refer to the variable definition for further customizations. -The stage will automatically create as many TLS inspection policies needed, in the regions matching your endpoint zones. The NGFW Enterprise CAS pool and the trusted config created in the security stage should be in the same region as the TLS inspection policy. -Multiple regions support would require further customization in the security stage. +You can optionally enable TLS inspection in stage [2-security](../2-security/README.md). +Ingesting outputs from [stage 2-security](../2-security/README.md), this stage will configure TLS inspection in NGFW Enterprise and will reference the CAs and the trust-configs you created in [stage 2-security](../2-security/README.md). +Make sure the CAs and the trusted configs created for NGFW Enterprise in the [2-security stage](../2-security/README.md) match the region where you defined your zonal firewall endpoints. 
@@ -162,6 +147,7 @@ Multiple regions support would require further customization in the security sta | name | description | modules | resources | |---|---|---|---| +| [3-network-security-providers.tf](./3-network-security-providers.tf) | None | | | | [main.tf](./main.tf) | Next-Generation Firewall Enterprise configuration. | project | google_network_security_firewall_endpoint | | [net-dev.tf](./net-dev.tf) | Security components for dev spoke VPC. | net-firewall-policy | google_network_security_firewall_endpoint_association · google_network_security_security_profile · google_network_security_security_profile_group | | [net-prod.tf](./net-prod.tf) | Security components for prod spoke VPC. | net-firewall-policy | google_network_security_firewall_endpoint_association · google_network_security_security_profile · google_network_security_security_profile_group | 
@@ -174,16 +160,15 @@ Multiple regions support would require further customization in the security sta | name | description | type | required | default | producer | |---|---|:---:|:---:|:---:|:---:| | [billing_account](variables-fast.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap | -| [folder_ids](variables-fast.tf#L52) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | -| [organization](variables-fast.tf#L101) | Organization details. | object({…}) | ✓ | | 00-globals | -| [prefix](variables-fast.tf#L111) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | -| [vpc_self_links](variables-fast.tf#L135) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking | -| [cas_configs](variables-fast.tf#L30) | The CAS pools and CA ids, by environment. | object({…}) | | {…} | 2-security | +| [folder_ids](variables-fast.tf#L30) | Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created. | object({…}) | ✓ | | 1-resman | +| [organization](variables-fast.tf#L72) | Organization details. | object({…}) | ✓ | | 00-globals | +| [prefix](variables-fast.tf#L82) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap | +| [vpc_self_links](variables-fast.tf#L106) | Self link for the shared VPC. | object({…}) | ✓ | | 2-networking | | [factories_config](variables.tf#L17) | Configuration for network resource factories. | object({…}) | | {…} | | -| [host_project_ids](variables-fast.tf#L63) | Host project for the shared VPC. | object({…}) | | {} | 2-networking | +| [host_project_ids](variables-fast.tf#L41) | Host project for the shared VPC. 
| object({…}) | | {} | 2-networking | | [ngfw_enterprise_config](variables.tf#L35) | NGFW Enterprise configuration. | object({…}) | | {…} | | -| [ngfw_tls_configs](variables-fast.tf#L74) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…}) | | {…} | 2-security | -| [tls_inspection_policy_ids](variables-fast.tf#L121) | TLS inspection policy ids for NGFW by environment and region. | object({…}) | | {…} | 2-security | +| [ngfw_tls_configs](variables-fast.tf#L52) | The NGFW Enterprise TLS configurations. | object({…}) | | {…} | 2-security | +| [tls_inspection_policy_ids](variables-fast.tf#L92) | TLS inspection policy ids for NGFW by environment and region. | object({…}) | | {…} | 2-security | ## Outputs diff --git a/fast/stages/3-network-security/net-dev.tf b/fast/stages/3-network-security/net-dev.tf index c5ba93c4c7..461cd8db00 100644 --- a/fast/stages/3-network-security/net-dev.tf +++ b/fast/stages/3-network-security/net-dev.tf @@ -40,8 +40,8 @@ resource "google_network_security_firewall_endpoint_association" "dev_fw_ep_asso network = try(local.vpc_ids.dev-spoke-0, null) # If TLS inspection is enabled, link the regional TLS inspection policy tls_inspection_policy = ( - var.ngfw_tls_configs.tls_inspection.enabled - ? var.tls_inspection_policy_ids.dev[substr(each.value, 0, length(each.value) - 2)] + var.ngfw_tls_configs.tls_enabled + ? try(var.ngfw_tls_configs.tls_ip_ids_by_region.dev[substr(each.value, 0, length(each.value) - 2)], null) : null ) } diff --git a/fast/stages/3-network-security/net-prod.tf b/fast/stages/3-network-security/net-prod.tf index f8e2906b8c..d69638033b 100644 --- a/fast/stages/3-network-security/net-prod.tf +++ b/fast/stages/3-network-security/net-prod.tf 
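Review bot: Wrapping the policy lookup in `try(..., null)` makes a misconfiguration fail open: when `tls_enabled` is true but no TLS inspection policy exists for the region derived from the endpoint zone (the README in this patch warns that the CA region must match the endpoint zones), the dev association is now created silently without a `tls_inspection_policy`, whereas the previous direct index failed at plan time. An operator who explicitly enabled inspection then has TLS traffic passing the endpoint uninspected with nothing in the plan to show it. Keep the lenient lookup for the disabled case, but fail the plan when inspection is enabled and the region has no policy, for instance with a `precondition` on the resource (Terraform ≥ 1.2 custom conditions). The enclosing firewall endpoint association resource starts before this hunk.

```terraform
  # … unchanged: network and tls_inspection_policy arguments …
  lifecycle {
    precondition {
      condition = (
        !var.ngfw_tls_configs.tls_enabled ||
        contains(
          try(keys(var.ngfw_tls_configs.tls_ip_ids_by_region.dev), []),
          substr(each.value, 0, length(each.value) - 2)
        )
      )
      error_message = "TLS inspection is enabled but no TLS inspection policy exists in the region of the dev firewall endpoint zone."
    }
  }
```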
@@ -40,8 +40,8 @@ resource "google_network_security_firewall_endpoint_association" "prod_fw_ep_ass network = try(local.vpc_ids.prod-spoke-0, null) # If TLS inspection is enabled, link the regional TLS inspection policy tls_inspection_policy = ( - var.ngfw_tls_configs.tls_inspection.enabled - ? var.tls_inspection_policy_ids.prod[substr(each.value, 0, length(each.value) - 2)] + var.ngfw_tls_configs.tls_enabled + ? try(var.ngfw_tls_configs.tls_ip_ids_by_region.prod[substr(each.value, 0, length(each.value) - 2)], null) : null ) } diff --git a/fast/stages/3-network-security/variables-fast.tf b/fast/stages/3-network-security/variables-fast.tf index 3df4f187a2..bc71cd7da2 100644 --- a/fast/stages/3-network-security/variables-fast.tf +++ b/fast/stages/3-network-security/variables-fast.tf @@ -27,28 +27,6 @@ variable "billing_account" { } } -variable "cas_configs" { - # tfdoc:variable:source 2-security - description = "The CAS pools and CA ids, by environment." - type = object({ - dev = map(object({ - ca_pool_id = string - ca_ids = map(string) - location = string - })) - prod = map(object({ - ca_pool_id = string - ca_ids = map(string) - location = string - })) - }) - nullable = false - default = { - dev = {} - prod = {} - } -} - variable "folder_ids" { # tfdoc:variable:source 1-resman description = "Folders to be used for the networking resources in folders/nnnnnnnnnnn format. If null, folder will be created." 
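Review bot: The prod association has the same fail-open behaviour as the new `try(..., null)` introduces: with `tls_enabled` true and no policy for the endpoint's region, the association is created without `tls_inspection_policy` and TLS traffic on the prod spoke goes uninspected, where the old direct index would have failed the plan. Since this is the production path, a silent downgrade is worse than a plan error; a `precondition` on the resource (Terraform ≥ 1.2) restores the hard failure while still allowing the disabled case. The enclosing firewall endpoint association resource starts before this hunk.

```terraform
  # … unchanged: network and tls_inspection_policy arguments …
  lifecycle {
    precondition {
      condition = (
        !var.ngfw_tls_configs.tls_enabled ||
        contains(
          try(keys(var.ngfw_tls_configs.tls_ip_ids_by_region.prod), []),
          substr(each.value, 0, length(each.value) - 2)
        )
      )
      error_message = "TLS inspection is enabled but no TLS inspection policy exists in the region of the prod firewall endpoint zone."
    }
  }
```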
@@ -73,28 +51,21 @@ variable "host_project_ids" { variable "ngfw_tls_configs" { # tfdoc:variable:source 2-security - description = "The CAS and trust configurations key names to be used for NGFW Enterprise." + description = "The NGFW Enterprise TLS configurations." type = object({ - keys = optional(object({ - dev = optional(object({ - cas = optional(list(string), []) - trust_configs = optional(list(string), []) - }), {}) - prod = optional(object({ - cas = optional(list(string), []) - trust_configs = optional(list(string), []) - }), {}) - }), {}) - tls_inspection = optional(object({ - enabled = optional(bool, false) - exclude_public_ca_set = optional(bool, false) - min_tls_version = optional(string, "TLS_1_0") - }), {}) + tls_enabled = optional(bool, false) + tls_ip_ids_by_region = optional(object({ + dev = optional(map(string), {}) + prod = optional(map(string), {}) + })) }) nullable = false default = { - dev = {} - prod = {} + tls_enabled = false + tls_ip_ids_by_region = { + dev = {} + prod = {} + } } } diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml index d10b3d98d4..b2d740217f 100644 --- a/tests/fast/stages/s0_bootstrap/checklist.yaml +++ b/tests/fast/stages/s0_bootstrap/checklist.yaml 
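Review bot: `tls_ip_ids_by_region` is declared `optional(object({...}))` with no object default, so a caller passing `ngfw_tls_configs` with only `tls_enabled` gets `null` for it instead of an object with empty `dev`/`prod` maps, which is what forces the `try()` guards in net-dev.tf and net-prod.tf; writing `}), {})` in place of `}))` lets the nested `optional(map(string), {})` defaults apply. The description `"The NGFW Enterprise TLS configurations."` no longer says what the object carries; suggest `"NGFW Enterprise TLS inspection settings from stage 2-security: enable flag and TLS inspection policy ids by environment and region."`. Stage 2 no longer outputs `tls_inspection_policy_ids` and the endpoint associations no longer read it, so if that variable is still declared in this file (the stage README table in this patch still lists it at `variables-fast.tf#L92`) it is dead input that will always hold its default and should be removed.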
@@ -46,21 +46,6 @@ values: google_storage_bucket_object.providers["0-bootstrap"]: bucket: fast-prod-iac-core-outputs-0 cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast-prod-iac-core-bootstrap-0\"\n impersonate_service_account\ - \ = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\ - \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for bootstrap\n" - content_disposition: null content_encoding: null content_language: null customer_encryption: [] 
@@ -75,21 +60,6 @@ values: google_storage_bucket_object.providers["0-bootstrap-r"]: bucket: fast-prod-iac-core-outputs-0 cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast-prod-iac-core-bootstrap-0\"\n impersonate_service_account\ - \ = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n\ - \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for bootstrap\n" - content_disposition: null content_encoding: null content_language: null customer_encryption: [] 
@@ -104,21 +74,6 @@ values: google_storage_bucket_object.providers["1-resman"]: bucket: fast-prod-iac-core-outputs-0 cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\ - \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n }\n\ - }\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for resman\n" - content_disposition: null content_encoding: null content_language: null customer_encryption: [] 
@@ -133,21 +88,6 @@ values: google_storage_bucket_object.providers["1-resman-r"]: bucket: fast-prod-iac-core-outputs-0 cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\ - \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ - \ }\n}\nprovider \"google\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\nprovider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for resman\n" - content_disposition: null content_encoding: null content_language: null customer_encryption: [] 
@@ -162,21 +102,6 @@ values: google_storage_bucket_object.providers["1-tenant-factory"]: bucket: fast-prod-iac-core-outputs-0 cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\ - \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ - \ prefix = \"tenant-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\ - provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for tenant-factory\n" content_disposition: null content_encoding: null content_language: null 
@@ -192,21 +117,6 @@ values: google_storage_bucket_object.providers["1-tenant-factory-r"]: bucket: fast-prod-iac-core-outputs-0 cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast-prod-iac-core-resman-0\"\n impersonate_service_account\ - \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ - \ prefix = \"tenant-factory\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\ - provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for tenant-factory\n" content_disposition: null content_encoding: null content_language: null 
@@ -222,21 +132,6 @@ values: google_storage_bucket_object.providers["1-vpcsc"]: bucket: fast-prod-iac-core-outputs-0 cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast-prod-iac-core-vpcsc-0\"\n impersonate_service_account\ - \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ - \ prefix = \"vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\ - provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for vpcsc\n" content_disposition: null content_encoding: null content_language: null 
@@ -252,21 +147,6 @@ values: google_storage_bucket_object.providers["1-vpcsc-r"]: bucket: fast-prod-iac-core-outputs-0 cache_control: null - content: "/**\n * Copyright 2022 Google LLC\n *\n * Licensed under the Apache\ - \ License, Version 2.0 (the \"License\");\n * you may not use this file except\ - \ in compliance with the License.\n * You may obtain a copy of the License at\n\ - \ *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required\ - \ by applicable law or agreed to in writing, software\n * distributed under\ - \ the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR\ - \ CONDITIONS OF ANY KIND, either express or implied.\n * See the License for\ - \ the specific language governing permissions and\n * limitations under the\ - \ License.\n */\n\nterraform {\n backend \"gcs\" {\n bucket \ - \ = \"fast-prod-iac-core-vpcsc-0\"\n impersonate_service_account\ - \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n \ - \ prefix = \"vpcsc\"\n }\n}\nprovider \"google\" {\n impersonate_service_account\ - \ = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\n}\n\ - provider \"google-beta\" {\n impersonate_service_account = \"fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com\"\ - \n}\n\n# end provider.tf for vpcsc\n" content_disposition: null content_encoding: null content_language: null 
@@ -1651,9 +1531,9 @@ values: module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]: condition: - description: Automation service account delegated grants. - expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyAdmin'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer'']) + expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyAdmin'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer'']) - || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/networkFirewallPoliciesViewer'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin'']) + || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/privateCaUser'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin'']) ' title: automation_sa_delegated_grants 
@@ -1692,15 +1572,6 @@ values: role_id: networkFirewallPoliciesAdmin stage: GA title: Custom role networkFirewallPoliciesAdmin - module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_viewer"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - networksecurity.firewallEndpointAssociations.get - - networksecurity.firewallEndpointAssociations.list - role_id: networkFirewallPoliciesViewer - stage: GA - title: Custom role networkFirewallPoliciesViewer module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]: description: Terraform-managed. org_id: '123456789012' @@ -1729,6 +1600,11 @@ values: - networksecurity.securityProfiles.list - networksecurity.securityProfiles.update - networksecurity.securityProfiles.use + - networksecurity.tlsInspectionPolicies.create + - networksecurity.tlsInspectionPolicies.get + - networksecurity.tlsInspectionPolicies.list + - networksecurity.tlsInspectionPolicies.update + - networksecurity.tlsInspectionPolicies.use role_id: ngfwEnterpriseAdmin stage: GA title: Custom role ngfwEnterpriseAdmin @@ -1749,6 +1625,9 @@ values: - networksecurity.securityProfiles.get - networksecurity.securityProfiles.list - networksecurity.securityProfiles.use + - networksecurity.tlsInspectionPolicies.get + - networksecurity.tlsInspectionPolicies.list + - networksecurity.tlsInspectionPolicies.use role_id: ngfwEnterpriseViewer stage: GA title: Custom role ngfwEnterpriseViewer 
@@ -1783,6 +1662,15 @@ values:
 role_id: organizationIamAdmin
 stage: GA
 title: Custom role organizationIamAdmin
+ module.organization.google_organization_iam_custom_role.roles["private_ca_user"]:
+ description: Terraform-managed.
+ org_id: '123456789012'
+ permissions:
+ - privateca.caPools.get
+ - privateca.caPools.use
+ role_id: privateCaUser
+ stage: GA
+ title: Custom role privateCaUser
 module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]:
 description: Terraform-managed.
 org_id: '123456789012'
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index d5e936d86e..463fe642cd 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -50,11 +50,11 @@ outputs:
 custom_roles:
 gcve_network_admin: organizations/123456789012/roles/gcveNetworkAdmin
 network_firewall_policies_admin: organizations/123456789012/roles/networkFirewallPoliciesAdmin
- network_firewall_policies_viewer: organizations/123456789012/roles/networkFirewallPoliciesViewer
 ngfw_enterprise_admin: organizations/123456789012/roles/ngfwEnterpriseAdmin
 ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer
 organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer
 organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin
+ private_ca_user: organizations/123456789012/roles/privateCaUser
 service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin
 storage_viewer: organizations/123456789012/roles/storageViewer
 tag_viewer: organizations/123456789012/roles/tagViewer
diff --git a/tests/fast/stages/s1_resman/checklist.tfvars b/tests/fast/stages/s1_resman/checklist.tfvars
index 3684f0f770..eac8904399 100644
--- a/tests/fast/stages/s1_resman/checklist.tfvars
+++ b/tests/fast/stages/s1_resman/checklist.tfvars
@@ -13,14 +13,14 @@ billing_account = {
 }
 custom_roles = {
 # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
- gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
- network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
- network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer"
- ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
- ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
- organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
- service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
- storage_viewer = "organizations/123456789012/roles/storageViewer"
+ gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
+ network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
+ ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
+ ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
+ organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
+ private_ca_user = "organizations/123456789012/roles/privateCaUser"
+ service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
+ storage_viewer = "organizations/123456789012/roles/storageViewer"
 }
 factories_config = {
 checklist_data = "checklist-data.json"
diff --git a/tests/fast/stages/s1_resman/checklist.yaml b/tests/fast/stages/s1_resman/checklist.yaml
index 8a15227041..50d28c3798 100644
--- a/tests/fast/stages/s1_resman/checklist.yaml
+++ b/tests/fast/stages/s1_resman/checklist.yaml
@@ -602,7 +602,7 @@ values:
 module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]:
 condition:
 - description: Certificate Authority Service delegated grants.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager'])
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager','organizations/123456789012/roles/privateCaUser'])
 title: security_sa_delegated_grants
 members:
 - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
@@ -1106,6 +1106,9 @@ values:
 module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]:
 condition:
 - description: Org policy tag scoped grant for project factory main.
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
+
+ '
 title: org_policy_tag_pf_scoped
 member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
 org_id: '123456789012'
@@ -1123,6 +1126,13 @@ values:
 module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"]:
 condition:
 - description: Org policy tag scoped grant for project factory dev.
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
+
+ &&
+
+ resource.matchTag(''123456789012/environment'', ''development'')
+
+ '
 title: org_policy_tag_pf_scoped_dev
 member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
 org_id: '123456789012'
@@ -1140,6 +1150,13 @@ values:
 module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"]:
 condition:
 - description: Org policy tag scoped grant for project factory prod.
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
+
+ &&
+
+ resource.matchTag(''123456789012/environment'', ''production'')
+
+ '
 title: org_policy_tag_pf_scoped_prod
 member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
 org_id: '123456789012'
diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars
index 046f45fdf4..fc011a956c 100644
--- a/tests/fast/stages/s1_resman/simple.tfvars
+++ b/tests/fast/stages/s1_resman/simple.tfvars
@@ -13,14 +13,14 @@ billing_account = {
 }
 custom_roles = {
 # organization_iam_admin = "organizations/123456789012/roles/organizationIamAdmin",
- gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
- network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
- network_firewall_policies_viewer = "organizations/123456789012/roles/networkFirewallPoliciesViewer"
- ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
- ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
- organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
- service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
- storage_viewer = "organizations/123456789012/roles/storageViewer"
+ gcve_network_admin = "organizations/123456789012/roles/gcveNetworkAdmin"
+ network_firewall_policies_admin = "organizations/123456789012/roles/networkFirewallPoliciesAdmin"
+ ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
+ ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
+ organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
+ private_ca_user = "organizations/123456789012/roles/privateCaUser"
+ service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
+ storage_viewer = "organizations/123456789012/roles/storageViewer"
 }
 groups = {
 gcp-billing-admins = "gcp-billing-admins",
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml
index 2ad8c933df..29a582e372 100644
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
@@ -13,6 +13,841 @@ # limitations under the License. values: + google_storage_bucket_object.providers["2-networking"]: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-networking-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-networking-r"]: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-networking-r-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-project-factory"]: + bucket: test + cache_control: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-project-factory-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-project-factory-dev"]: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-project-factory-dev-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-project-factory-dev-r"]: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-project-factory-dev-r-providers.tf + retention: [] + source: null + 
temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-project-factory-prod"]: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-project-factory-prod-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-project-factory-prod-r"]: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-project-factory-prod-r-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-project-factory-r"]: + bucket: test + cache_control: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-project-factory-r-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-security"]: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-security-providers.tf + retention: [] + source: null + temporary_hold: null + timeouts: null + google_storage_bucket_object.providers["2-security-r"]: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: providers/2-security-r-providers.tf + retention: [] + source: null + temporary_hold: null + 
timeouts: null + google_storage_bucket_object.tfvars: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: tfvars/1-resman.auto.tfvars.json + retention: [] + source: null + temporary_hold: null + timeouts: null + module.branch-network-dev-folder.google_folder.folder[0]: + display_name: Development + timeouts: null + ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"] + : condition: [] + members: null + role: organizations/123456789012/roles/gcveNetworkAdmin + ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] + : condition: [] + members: + - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/xpnServiceAdmin + module.branch-network-dev-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: + condition: [] + members: + - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.networkViewer + module.branch-network-dev-folder.google_tags_tag_binding.binding["environment"]: + timeouts: null + module.branch-network-folder.google_folder.folder[0]: + display_name: Networking + parent: organizations/123456789012 + timeouts: null + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/browser"]: + condition: [] + members: + - user:extra-browser@fast.example.com + role: roles/browser + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: + condition: [] + members: + - 
serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/editor"]: + condition: [] + members: + - group:gcp-vpc-network-admins@fast.example.com + role: roles/editor + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + - user:extra-owner@fast.example.com + role: roles/owner + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.branch-network-folder.google_tags_tag_binding.binding["context"]: + timeouts: null + module.branch-network-gcs.google_storage_bucket.bucket: + autoclass: + - 
enabled: false + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-prod-resman-net-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-net-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-net-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.branch-network-prod-folder.google_folder.folder[0]: + display_name: Production + timeouts: null + ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"] + : condition: [] + members: null + role: organizations/123456789012/roles/gcveNetworkAdmin + ? 
module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] + : condition: [] + members: + - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/xpnServiceAdmin + module.branch-network-prod-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.networkViewer + module.branch-network-prod-folder.google_tags_tag_binding.binding["environment"]: + timeouts: null + ? module.branch-network-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-network-r-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-net-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman networking service account (read-only). + project: fast-prod-automation + timeouts: null + module.branch-network-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.branch-network-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? 
module.branch-network-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-network-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-net-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman networking service account. + project: fast-prod-automation + timeouts: null + module.branch-network-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-network-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test + condition: [] + role: roles/storage.objectAdmin + module.branch-pf-dev-gcs.google_storage_bucket.bucket: + autoclass: + - enabled: false + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-dev-resman-pf-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-dev-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-dev-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + ? 
module.branch-pf-dev-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-dev-r-sa.google_service_account.service_account[0]: + account_id: fast2-dev-resman-pf-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory development service account (read-only). + project: fast-prod-automation + timeouts: null + module.branch-pf-dev-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.branch-pf-dev-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.branch-pf-dev-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-dev-sa.google_service_account.service_account[0]: + account_id: fast2-dev-resman-pf-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory development service account. 
+ project: fast-prod-automation + timeouts: null + module.branch-pf-dev-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-pf-dev-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test + condition: [] + role: roles/storage.objectAdmin + module.branch-pf-gcs.google_storage_bucket.bucket: + autoclass: + - enabled: false + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-resman-pf-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.branch-pf-prod-gcs.google_storage_bucket.bucket: + autoclass: + - enabled: false + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-prod-resman-pf-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: 
true + module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + ? module.branch-pf-prod-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-prod-r-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-pf-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory production service account (read-only). + project: fast-prod-automation + timeouts: null + module.branch-pf-prod-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.branch-pf-prod-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? 
module.branch-pf-prod-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-prod-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-pf-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory production service account. + project: fast-prod-automation + timeouts: null + module.branch-pf-prod-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-pf-prod-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test + condition: [] + role: roles/storage.objectAdmin + ? module.branch-pf-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-r-sa.google_service_account.service_account[0]: + account_id: fast2-resman-pf-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory main service account (read-only). + project: fast-prod-automation + timeouts: null + module.branch-pf-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-pf-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: + bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? 
module.branch-pf-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-sa.google_service_account.service_account[0]: + account_id: fast2-resman-pf-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory main service account. + project: fast-prod-automation + timeouts: null + module.branch-pf-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-pf-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test + condition: [] + role: roles/storage.objectAdmin + module.branch-security-folder.google_folder.folder[0]: + display_name: Security + parent: organizations/123456789012 + timeouts: null + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/browser"]: + condition: [] + members: + - user:extra-browser@fast.example.com + role: roles/browser + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/editor"]: + condition: [] + members: + - group:gcp-security-admins@fast.example.com + role: roles/editor + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + - user:extra-owner@fast.example.com + role: roles/owner + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: 
+ - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]: + condition: + - description: Certificate Authority Service delegated grants. 
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager','organizations/123456789012/roles/privateCaUser']) + title: security_sa_delegated_grants + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderIamAdmin + module.branch-security-folder.google_tags_tag_binding.binding["context"]: + timeouts: null + module.branch-security-gcs.google_storage_bucket.bucket: + autoclass: + - enabled: false + cors: [] + custom_placement_config: [] + default_event_based_hold: null + enable_object_retention: null + encryption: [] + force_destroy: false + labels: null + lifecycle_rule: [] + location: EU + logging: [] + name: fast2-prod-resman-sec-0 + project: fast-prod-automation + requester_pays: null + retention_policy: [] + storage_class: MULTI_REGIONAL + timeouts: null + uniform_bucket_level_access: true + versioning: + - enabled: true + module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-sec-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-sec-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + ? 
module.branch-security-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-security-r-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-sec-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman security service account (read-only). + project: fast-prod-automation + timeouts: null + module.branch-security-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.branch-security-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.branch-security-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-security-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-sec-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform resman security service account. 
+ project: fast-prod-automation + timeouts: null + module.branch-security-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-security-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test + condition: [] + role: roles/storage.objectAdmin + module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]: + condition: [] + member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_net_fw_policy_admin"]: + condition: [] + member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/compute.orgFirewallPolicyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_net_xpn_admin"]: + condition: [] + member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/compute.xpnAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_billing"]: + condition: [] + member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]: + condition: + - description: Org policy tag scoped grant for project factory main. 
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') + + ' + title: org_policy_tag_pf_scoped + member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/orgpolicy.policyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_costs_manager"]: + condition: [] + member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.costsManager + module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_billing"]: + condition: [] + member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"]: + condition: + - description: Org policy tag scoped grant for project factory dev. + expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') + + && + + resource.matchTag(''123456789012/environment'', ''development'') + + ' + title: org_policy_tag_pf_scoped_dev + member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/orgpolicy.policyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_costs_manager"]: + condition: [] + member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.costsManager + module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_billing"]: + condition: [] + member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"]: + condition: + - description: Org policy tag scoped grant for project factory 
prod. + expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') + + && + + resource.matchTag(''123456789012/environment'', ''production'') + + ' + title: org_policy_tag_pf_scoped_prod + member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/orgpolicy.policyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_costs_manager"]: + condition: [] + member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.costsManager + module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]: + condition: [] + member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/cloudasset.viewer + module.organization[0].google_organization_iam_member.bindings["sa_sec_billing"]: + condition: [] + member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_tags_tag_key.default["context"]: + description: Resource management context. + parent: organizations/123456789012 + purpose: null + purpose_data: null + short_name: context + timeouts: null + module.organization[0].google_tags_tag_key.default["environment"]: + description: Environment definition. + parent: organizations/123456789012 + purpose: null + purpose_data: null + short_name: environment + timeouts: null + module.organization[0].google_tags_tag_value.default["context/data"]: + description: Managed by the Terraform organization module. + short_name: data + timeouts: null + module.organization[0].google_tags_tag_value.default["context/gcve"]: + description: Managed by the Terraform organization module. 
+ short_name: gcve + timeouts: null + module.organization[0].google_tags_tag_value.default["context/gke"]: + description: Managed by the Terraform organization module. + short_name: gke + timeouts: null + module.organization[0].google_tags_tag_value.default["context/networking"]: + description: Managed by the Terraform organization module. + short_name: networking + timeouts: null + module.organization[0].google_tags_tag_value.default["context/project-factory"]: + description: Managed by the Terraform organization module. + short_name: project-factory + timeouts: null + module.organization[0].google_tags_tag_value.default["context/sandbox"]: + description: Managed by the Terraform organization module. + short_name: sandbox + timeouts: null + module.organization[0].google_tags_tag_value.default["context/security"]: + description: Managed by the Terraform organization module. + short_name: security + timeouts: null + module.organization[0].google_tags_tag_value.default["environment/development"]: + description: Managed by the Terraform organization module. + short_name: development + timeouts: null + module.organization[0].google_tags_tag_value.default["environment/production"]: + description: Managed by the Terraform organization module. + short_name: production + timeouts: null + module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/development:pf"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/production:pf"]: + condition: [] + members: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser module.top-level-folder["teams"].google_folder.folder[0]: display_name: Teams parent: organizations/123456789012 
@@ -37,6 +872,11 @@ values:
       members:
       - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
       role: roles/resourcemanager.projectCreator
+  module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
+    condition: []
+    members:
+    - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+    role: roles/resourcemanager.tagUser
   module.top-level-folder["teams"].google_tags_tag_binding.binding["context"]:
     timeouts: null
diff --git a/tests/fast/stages/s2_security/simple.tfvars b/tests/fast/stages/s2_security/simple.tfvars
index 8d7dbab286..cb94918951 100644
--- a/tests/fast/stages/s2_security/simple.tfvars
+++ b/tests/fast/stages/s2_security/simple.tfvars
@@ -4,6 +4,9 @@ automation = {
 billing_account = {
   id = "000000-111111-222222"
 }
+custom_roles = {
+  private_ca_user = "organizations/123456789012/roles/privateCaUser"
+}
 essential_contacts = "gcp-security-admins@fast.example.com"
 folder_ids = {
   security = null
@@ -28,6 +31,8 @@ service_accounts = {
   security = "foobar@iam.gserviceaccount.com"
   data-platform-dev = "foobar@iam.gserviceaccount.com"
   data-platform-prod = "foobar@iam.gserviceaccount.com"
+  nsec = "foobar@iam.gserviceaccount.com"
+  nsec-r = "foobar@iam.gserviceaccount.com"
   project-factory = "foobar@iam.gserviceaccount.com"
   project-factory-dev = "foobar@iam.gserviceaccount.com"
   project-factory-prod = "foobar@iam.gserviceaccount.com"
diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml
index 86771fc01a..ece3432203 100644
--- a/tests/fast/stages/s2_security/simple.yaml
+++ b/tests/fast/stages/s2_security/simple.yaml
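Review bot: The two new `service_accounts` entries give `nsec` and `nsec-r` the same placeholder identity, so the expected plan in simple.yaml cannot tell which of the two automation accounts received `organizations/123456789012/roles/privateCaUser`: the `nsec_dev_sa_binding` and `nsec_dev_sa_r_binding` expectations both resolve to `serviceAccount:foobar@iam.gserviceaccount.com`. Distinct placeholders, e.g. `nsec = "nsec@iam.gserviceaccount.com"` and `nsec-r = "nsec-r@iam.gserviceaccount.com"`, would pin each grant to the identity it is meant for and catch a future swap of the read-write and read-only accounts in the stage code. The other placeholders in this map have the same weakness, but the new lines are where a privilege difference between the `-r` and non-`-r` accounts is presumably intended, so they are the ones worth distinguishing.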
@@ -12,6 +12,459 @@ # See the License for the specific language governing permissions and # limitations under the License. +values: + google_storage_bucket_object.tfvars: + bucket: test + cache_control: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: tfvars/2-security.auto.tfvars.json + retention: [] + source: null + temporary_hold: null + timeouts: null + module.dev-sec-kms["europe"].google_kms_crypto_key.default["compute"]: + effective_labels: + service: compute + labels: + service: compute + name: compute + purpose: ENCRYPT_DECRYPT + rotation_period: 7776000s + skip_initial_version_creation: false + terraform_labels: + service: compute + timeouts: null + module.dev-sec-kms["europe"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: + condition: [] + members: + - user:user1@example.com + role: roles/cloudkms.admin + module.dev-sec-kms["europe"].google_kms_key_ring.default[0]: + location: europe + name: dev-europe + project: fast-dev-sec-core-0 + timeouts: null + module.dev-sec-kms["europe-west1"].google_kms_crypto_key.default["compute"]: + effective_labels: + service: compute + labels: + service: compute + name: compute + purpose: ENCRYPT_DECRYPT + rotation_period: 7776000s + skip_initial_version_creation: false + terraform_labels: + service: compute + timeouts: null + module.dev-sec-kms["europe-west1"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: + condition: [] + members: + - user:user1@example.com + role: roles/cloudkms.admin + module.dev-sec-kms["europe-west1"].google_kms_key_ring.default[0]: + location: europe-west1 + name: dev-europe-west1 + project: fast-dev-sec-core-0 + timeouts: null + module.dev-sec-kms["europe-west3"].google_kms_crypto_key.default["compute"]: + effective_labels: + service: compute + labels: + service: compute + name: compute + 
purpose: ENCRYPT_DECRYPT + rotation_period: 7776000s + skip_initial_version_creation: false + terraform_labels: + service: compute + timeouts: null + module.dev-sec-kms["europe-west3"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: + condition: [] + members: + - user:user1@example.com + role: roles/cloudkms.admin + module.dev-sec-kms["europe-west3"].google_kms_key_ring.default[0]: + location: europe-west3 + name: dev-europe-west3 + project: fast-dev-sec-core-0 + timeouts: null + module.dev-sec-kms["global"].google_kms_crypto_key.default["compute"]: + effective_labels: + service: compute + labels: + service: compute + name: compute + purpose: ENCRYPT_DECRYPT + rotation_period: 7776000s + skip_initial_version_creation: false + terraform_labels: + service: compute + timeouts: null + module.dev-sec-kms["global"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: + condition: [] + members: + - user:user1@example.com + role: roles/cloudkms.admin + module.dev-sec-kms["global"].google_kms_key_ring.default[0]: + location: global + name: dev-global + project: fast-dev-sec-core-0 + timeouts: null + module.dev-sec-project.google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + deletion_policy: DELETE + effective_labels: + environment: dev + team: security + folder_id: null + labels: + environment: dev + team: security + name: fast-dev-sec-core-0 + org_id: null + project_id: fast-dev-sec-core-0 + terraform_labels: + environment: dev + team: security + timeouts: null + module.dev-sec-project.google_project_iam_binding.authoritative["roles/cloudkms.viewer"]: + condition: [] + members: + - serviceAccount:foobar@iam.gserviceaccount.com + project: fast-dev-sec-core-0 + role: roles/cloudkms.viewer + ? 
module.dev-sec-project.google_project_iam_member.bindings["kms_restricted_admin.serviceAccount:foobar@iam.gserviceaccount.com"] + : condition: + - description: Automation service account delegated grants. + expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/cloudkms.cryptoKeyEncrypterDecrypter'',''roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation'']) + && + + resource.type == ''cloudkms.googleapis.com/CryptoKey'' + + ' + title: kms_sa_delegated_grants + member: serviceAccount:foobar@iam.gserviceaccount.com + project: fast-dev-sec-core-0 + role: roles/cloudkms.admin + module.dev-sec-project.google_project_iam_member.bindings["nsec_dev_sa_binding"]: + condition: [] + member: serviceAccount:foobar@iam.gserviceaccount.com + project: fast-dev-sec-core-0 + role: organizations/123456789012/roles/privateCaUser + module.dev-sec-project.google_project_iam_member.bindings["nsec_dev_sa_r_binding"]: + condition: [] + member: serviceAccount:foobar@iam.gserviceaccount.com + project: fast-dev-sec-core-0 + role: organizations/123456789012/roles/privateCaUser + module.dev-sec-project.google_project_iam_member.service_agents["certificatemanager"]: + condition: [] + project: fast-dev-sec-core-0 + role: roles/certificatemanager.serviceAgent + module.dev-sec-project.google_project_iam_member.service_agents["cloudkms"]: + condition: [] + project: fast-dev-sec-core-0 + role: roles/cloudkms.serviceAgent + module.dev-sec-project.google_project_iam_member.service_agents["networkmanagement"]: + condition: [] + project: fast-dev-sec-core-0 + role: roles/networkmanagement.serviceAgent + module.dev-sec-project.google_project_service.project_services["certificatemanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-dev-sec-core-0 + service: certificatemanager.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service.project_services["cloudkms.googleapis.com"]: + 
disable_dependent_services: false + disable_on_destroy: false + project: fast-dev-sec-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service.project_services["networkmanagement.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-dev-sec-core-0 + service: networkmanagement.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service.project_services["networksecurity.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-dev-sec-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service.project_services["privateca.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-dev-sec-core-0 + service: privateca.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service.project_services["secretmanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-dev-sec-core-0 + service: secretmanager.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service.project_services["stackdriver.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-dev-sec-core-0 + service: stackdriver.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service_identity.default["certificatemanager.googleapis.com"]: + project: fast-dev-sec-core-0 + service: certificatemanager.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service_identity.default["cloudkms.googleapis.com"]: + project: fast-dev-sec-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service_identity.default["networkmanagement.googleapis.com"]: + project: fast-dev-sec-core-0 + service: networkmanagement.googleapis.com + timeouts: null + 
module.dev-sec-project.google_project_service_identity.default["networksecurity.googleapis.com"]: + project: fast-dev-sec-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service_identity.default["privateca.googleapis.com"]: + project: fast-dev-sec-core-0 + service: privateca.googleapis.com + timeouts: null + module.dev-sec-project.google_project_service_identity.default["secretmanager.googleapis.com"]: + project: fast-dev-sec-core-0 + service: secretmanager.googleapis.com + timeouts: null + module.folder.google_essential_contacts_contact.contact["gcp-security-admins@fast.example.com"]: + email: gcp-security-admins@fast.example.com + language_tag: en + notification_category_subscriptions: + - ALL + timeouts: null + module.folder.google_folder.folder[0]: + display_name: Security + parent: organizations/123456789012 + timeouts: null + module.prod-sec-kms["europe"].google_kms_crypto_key.default["compute"]: + effective_labels: + service: compute + labels: + service: compute + name: compute + purpose: ENCRYPT_DECRYPT + rotation_period: 7776000s + skip_initial_version_creation: false + terraform_labels: + service: compute + timeouts: null + module.prod-sec-kms["europe"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: + condition: [] + members: + - user:user1@example.com + role: roles/cloudkms.admin + module.prod-sec-kms["europe"].google_kms_key_ring.default[0]: + location: europe + name: prod-europe + project: fast-prod-sec-core-0 + timeouts: null + module.prod-sec-kms["europe-west1"].google_kms_crypto_key.default["compute"]: + effective_labels: + service: compute + labels: + service: compute + name: compute + purpose: ENCRYPT_DECRYPT + rotation_period: 7776000s + skip_initial_version_creation: false + terraform_labels: + service: compute + timeouts: null + module.prod-sec-kms["europe-west1"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: + 
condition: [] + members: + - user:user1@example.com + role: roles/cloudkms.admin + module.prod-sec-kms["europe-west1"].google_kms_key_ring.default[0]: + location: europe-west1 + name: prod-europe-west1 + project: fast-prod-sec-core-0 + timeouts: null + module.prod-sec-kms["europe-west3"].google_kms_crypto_key.default["compute"]: + effective_labels: + service: compute + labels: + service: compute + name: compute + purpose: ENCRYPT_DECRYPT + rotation_period: 7776000s + skip_initial_version_creation: false + terraform_labels: + service: compute + timeouts: null + module.prod-sec-kms["europe-west3"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: + condition: [] + members: + - user:user1@example.com + role: roles/cloudkms.admin + module.prod-sec-kms["europe-west3"].google_kms_key_ring.default[0]: + location: europe-west3 + name: prod-europe-west3 + project: fast-prod-sec-core-0 + timeouts: null + module.prod-sec-kms["global"].google_kms_crypto_key.default["compute"]: + effective_labels: + service: compute + labels: + service: compute + name: compute + purpose: ENCRYPT_DECRYPT + rotation_period: 7776000s + skip_initial_version_creation: false + terraform_labels: + service: compute + timeouts: null + module.prod-sec-kms["global"].google_kms_crypto_key_iam_binding.authoritative["compute.roles/cloudkms.admin"]: + condition: [] + members: + - user:user1@example.com + role: roles/cloudkms.admin + module.prod-sec-kms["global"].google_kms_key_ring.default[0]: + location: global + name: prod-global + project: fast-prod-sec-core-0 + timeouts: null + module.prod-sec-project.google_project.project[0]: + auto_create_network: false + billing_account: 000000-111111-222222 + deletion_policy: DELETE + effective_labels: + environment: prod + team: security + folder_id: null + labels: + environment: prod + team: security + name: fast-prod-sec-core-0 + org_id: null + project_id: fast-prod-sec-core-0 + terraform_labels: + environment: prod + team: security 
+ timeouts: null + module.prod-sec-project.google_project_iam_binding.authoritative["roles/cloudkms.viewer"]: + condition: [] + members: + - serviceAccount:foobar@iam.gserviceaccount.com + project: fast-prod-sec-core-0 + role: roles/cloudkms.viewer + ? module.prod-sec-project.google_project_iam_member.bindings["kms_restricted_admin.serviceAccount:foobar@iam.gserviceaccount.com"] + : condition: + - description: Automation service account delegated grants. + expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/cloudkms.cryptoKeyEncrypterDecrypter'',''roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation'']) + && + + resource.type == ''cloudkms.googleapis.com/CryptoKey'' + + ' + title: kms_sa_delegated_grants + member: serviceAccount:foobar@iam.gserviceaccount.com + project: fast-prod-sec-core-0 + role: roles/cloudkms.admin + module.prod-sec-project.google_project_iam_member.bindings["nsec_prod_sa_binding"]: + condition: [] + member: serviceAccount:foobar@iam.gserviceaccount.com + project: fast-prod-sec-core-0 + role: organizations/123456789012/roles/privateCaUser + module.prod-sec-project.google_project_iam_member.bindings["nsec_prod_sa_r_binding"]: + condition: [] + member: serviceAccount:foobar@iam.gserviceaccount.com + project: fast-prod-sec-core-0 + role: organizations/123456789012/roles/privateCaUser + module.prod-sec-project.google_project_iam_member.service_agents["certificatemanager"]: + condition: [] + project: fast-prod-sec-core-0 + role: roles/certificatemanager.serviceAgent + module.prod-sec-project.google_project_iam_member.service_agents["cloudkms"]: + condition: [] + project: fast-prod-sec-core-0 + role: roles/cloudkms.serviceAgent + module.prod-sec-project.google_project_iam_member.service_agents["networkmanagement"]: + condition: [] + project: fast-prod-sec-core-0 + role: roles/networkmanagement.serviceAgent + 
module.prod-sec-project.google_project_service.project_services["certificatemanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-sec-core-0 + service: certificatemanager.googleapis.com + timeouts: null + module.prod-sec-project.google_project_service.project_services["cloudkms.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-sec-core-0 + service: cloudkms.googleapis.com + timeouts: null + module.prod-sec-project.google_project_service.project_services["networkmanagement.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-sec-core-0 + service: networkmanagement.googleapis.com + timeouts: null + module.prod-sec-project.google_project_service.project_services["networksecurity.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-sec-core-0 + service: networksecurity.googleapis.com + timeouts: null + module.prod-sec-project.google_project_service.project_services["privateca.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-sec-core-0 + service: privateca.googleapis.com + timeouts: null + module.prod-sec-project.google_project_service.project_services["secretmanager.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-sec-core-0 + service: secretmanager.googleapis.com + timeouts: null + module.prod-sec-project.google_project_service.project_services["stackdriver.googleapis.com"]: + disable_dependent_services: false + disable_on_destroy: false + project: fast-prod-sec-core-0 + service: stackdriver.googleapis.com + timeouts: null + module.prod-sec-project.google_project_service_identity.default["certificatemanager.googleapis.com"]: + project: fast-prod-sec-core-0 + service: certificatemanager.googleapis.com + timeouts: null + 
  module.prod-sec-project.google_project_service_identity.default["cloudkms.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: cloudkms.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["networkmanagement.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: networkmanagement.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: networksecurity.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["privateca.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: privateca.googleapis.com
+    timeouts: null
+  module.prod-sec-project.google_project_service_identity.default["secretmanager.googleapis.com"]:
+    project: fast-prod-sec-core-0
+    service: secretmanager.googleapis.com
+    timeouts: null
+
 counts:
   google_essential_contacts_contact: 1
   google_folder: 1
@@ -20,9 +473,9 @@ counts:
   google_kms_key_ring: 8
   google_project: 2
   google_project_iam_binding: 2
-  google_project_iam_member: 8
+  google_project_iam_member: 12
   google_project_service: 14
   google_project_service_identity: 12
   google_storage_bucket_object: 1
   modules: 11
-  resources: 65
+  resources: 69
diff --git a/tests/fast/stages/s3_network_security/tls.tfvars b/tests/fast/stages/s3_network_security/tls.tfvars
index 8c785a66bd..72f88d6604 100644
--- a/tests/fast/stages/s3_network_security/tls.tfvars
+++ b/tests/fast/stages/s3_network_security/tls.tfvars
@@ -1,26 +1,6 @@
 billing_account = {
   id = "000000-111111-222222"
 }
-cas_configs = {
-  "dev" = {
-    "ngfw-dev-cas-0" = {
-      "ca_pool_id" = "projects/dev-sec-core-0/locations/europe-west1/caPools/dev-ngfw-ca-pool-0"
-      "ca_ids" = {
-        "dev-root-ngfw-ca-0" = "projects/dev-sec-core-0/locations/europe-west1/caPools/dev-ngfw-ca-pool-0/certificateAuthorities/dev-root-ngfw-ca-0"
-      }
-      location = "europe-west1"
-    }
-  }
-  "prod" = {
-    "ngfw-prod-cas-0" = {
-      "ca_pool_id" = "projects/prod-sec-core-0/locations/europe-west1/caPools/prod-ngfw-ca-pool-0"
-      "ca_ids" = {
-        "prod-root-ngfw-ca-0" = "projects/prod-sec-core-0/locations/europe-west1/caPools/prod-ngfw-ca-pool-0/certificateAuthorities/prod-root-ngfw-ca-0"
-      }
-      location = "europe-west1"
-    }
-  }
-}
 folder_ids = {
   networking = "folders/12345678900"
   networking-dev = "folders/12345678901"
@@ -36,18 +16,16 @@ ngfw_enterprise_config = {
     "europe-west1-c",
     "europe-west1-d"
   ]
-  tls_inspection = {
-    enabled = true
-  }
 }
-ngfw_tls_config_keys = {
-  dev = {
-    cas = ["ngfw-dev-cas-0", "ngfw-dev-cas-1"]
-    trust_configs = ["ngfw-dev-tc-0", "ngfw-dev-tc-1"]
-  }
-  prod = {
-    cas = ["ngfw-prod-cas-0", "ngfw-prod-cas-1"]
-    trust_configs = ["ngfw-prod-tc-0", "ngfw-prod-tc-1"]
+ngfw_tls_configs = {
+  tls_enabled = true
+  tls_ip_ids_by_region = {
+    dev = {
+      europe-west1 = "projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0"
+    }
+    prod = {
+      europe-west1 = "projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0"
+    }
   }
 }
 organization = {
@@ -56,20 +34,6 @@ organization = {
   customer_id = "C00000000"
 }
 prefix = "fast2"
-trust_configs = {
-  "dev" = {
-    "ngfw-dev-tc-0" = {
-      id = "projects/dev-sec-core-0/locations/europe-west1/trustConfigs/dev-trust-0"
-      location = "europe-west1"
-    }
-  }
-  "prod" = {
-    "ngfw-prod-tc-0" = {
-      id = "projects/prod-sec-core-0/locations/europe-west1/trustConfigs/prod-trust-0"
-      location = "europe-west1"
-    }
-  }
-}
 vpc_self_links = {
   dev-spoke-0 = "https://www.googleapis.com/compute/v1/projects/123456789/networks/vpc-1"
   prod-spoke-0 = "https://www.googleapis.com/compute/v1/projects/123456789/networks/vpc-2"
diff --git a/tests/fast/stages/s3_network_security/tls.yaml b/tests/fast/stages/s3_network_security/tls.yaml
index 3d24c2cd8a..83431eac8a 100644
--- a/tests/fast/stages/s3_network_security/tls.yaml
+++ b/tests/fast/stages/s3_network_security/tls.yaml
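Review bot: The read-only network-security account binding `nsec_dev_sa_r_binding` (and its prod counterpart `nsec_prod_sa_r_binding`) receives the same custom role `organizations/123456789012/roles/privateCaUser` as the read-write `nsec_dev_sa_binding`, with no condition, while every other `-r` identity in these fixtures is held to a viewer-class role (`roles/cloudkms.viewer`, `roles/storage.objectViewer`, `roles/resourcemanager.folderViewer`). The definition of `privateCaUser` is not in this patch; if it carries anything beyond read access to CA pools, the `-r` account is over-privileged for a read-only plan run, and if it is read-only, the non-`-r` account may lack what it needs to actually consume the CAs. Either the expectation should document why both accounts get the identical role, or the `-r` binding should use a read-only role instead, e.g. the predefined `roles/privateca.auditor`, so the snapshot reflects a least-privilege split. The `kms_restricted_admin` bindings in the same hunk show the pattern the stage already follows: a broad role narrowed by a `modifiedGrantsByRole` condition rather than granted flat.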
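Review bot: Both ids in `tls_ip_ids_by_region` point at the same project `project1`, whereas the `cas_configs` and `trust_configs` this hunk replaces kept dev and prod in `dev-sec-core-0` and `prod-sec-core-0`, matching the per-environment security projects stage 2 produces (`fast-dev-sec-core-0` / `fast-prod-sec-core-0` in the s2 expectations). The expected tls.yaml accordingly attaches the prod firewall endpoint associations to a policy in a project shared with dev, which is the cross-environment coupling the environment split exists to prevent; the fixture should model the intended layout, e.g. `europe-west1 = "projects/prod-sec-core-0/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0"` under `prod` and the `dev-sec-core-0` equivalent under `dev`. The fixture also only exercises `tls_enabled = true` with a policy present for every zone's region; a companion case with `tls_enabled = true` and a region absent from the map would show whether the stage fails the plan or silently associates the endpoint without inspection, which is presumably what the validation in variables-fast.tf (not in this chunk) is meant to decide.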
@@ -12,6 +12,283 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+values:
+  google_network_security_firewall_endpoint.firewall_endpoint["europe-west1-b"]:
+    billing_project_id: fast2-net-ngfw-0
+    labels: null
+    location: europe-west1-b
+    name: fast2-ngfw-endpoint-europe-west1-b
+    parent: organizations/123456789012
+    timeouts: null
+  google_network_security_firewall_endpoint.firewall_endpoint["europe-west1-c"]:
+    billing_project_id: fast2-net-ngfw-0
+    labels: null
+    location: europe-west1-c
+    name: fast2-ngfw-endpoint-europe-west1-c
+    parent: organizations/123456789012
+    timeouts: null
+  google_network_security_firewall_endpoint.firewall_endpoint["europe-west1-d"]:
+    billing_project_id: fast2-net-ngfw-0
+    labels: null
+    location: europe-west1-d
+    name: fast2-ngfw-endpoint-europe-west1-d
+    parent: organizations/123456789012
+    timeouts: null
+  google_network_security_firewall_endpoint_association.dev_fw_ep_association["europe-west1-b"]:
+    disabled: false
+    labels: null
+    location: europe-west1-b
+    name: fast2-dev-epa-europe-west1-b
+    network: projects/123456789/networks/vpc-1
+    parent: projects/dev-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0
+  google_network_security_firewall_endpoint_association.dev_fw_ep_association["europe-west1-c"]:
+    disabled: false
+    labels: null
+    location: europe-west1-c
+    name: fast2-dev-epa-europe-west1-c
+    network: projects/123456789/networks/vpc-1
+    parent: projects/dev-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0
+  google_network_security_firewall_endpoint_association.dev_fw_ep_association["europe-west1-d"]:
+    disabled: false
+    labels: null
+    location: europe-west1-d
+    name: fast2-dev-epa-europe-west1-d
+    network: projects/123456789/networks/vpc-1
+    parent: projects/dev-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/dev-tls-ip-0
+  google_network_security_firewall_endpoint_association.prod_fw_ep_association["europe-west1-b"]:
+    disabled: false
+    labels: null
+    location: europe-west1-b
+    name: fast2-prod-epa-europe-west1-b
+    network: projects/123456789/networks/vpc-2
+    parent: projects/prod-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0
+  google_network_security_firewall_endpoint_association.prod_fw_ep_association["europe-west1-c"]:
+    disabled: false
+    labels: null
+    location: europe-west1-c
+    name: fast2-prod-epa-europe-west1-c
+    network: projects/123456789/networks/vpc-2
+    parent: projects/prod-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0
+  google_network_security_firewall_endpoint_association.prod_fw_ep_association["europe-west1-d"]:
+    disabled: false
+    labels: null
+    location: europe-west1-d
+    name: fast2-prod-epa-europe-west1-d
+    network: projects/123456789/networks/vpc-2
+    parent: projects/prod-project
+    timeouts: null
+    tls_inspection_policy: projects/project1/locations/europe-west1/tlsInspectionPolicies/prod-tls-ip-0
+  google_network_security_security_profile.dev_sec_profile:
+    description: null
+    labels: null
+    location: global
+    name: fast2-dev-sp-0
+    parent: organizations/123456789012
+    threat_prevention_profile: []
+    timeouts: null
+    type: THREAT_PREVENTION
+  google_network_security_security_profile.prod_sec_profile:
+    description: null
+    labels: null
+    location: global
+    name: fast2-prod-sp-0
+    parent: organizations/123456789012
+    threat_prevention_profile: []
+    timeouts: null
+    type: THREAT_PREVENTION
+  google_network_security_security_profile_group.dev_sec_profile_group:
+    description: Dev security profile group.
+    labels: null
+    location: global
+    name: fast2-dev-spg-0
+    parent: organizations/123456789012
+    timeouts: null
+  google_network_security_security_profile_group.prod_sec_profile_group:
+    description: prod security profile group.
+    labels: null
+    location: global
+    name: fast2-prod-spg-0
+    parent: organizations/123456789012
+    timeouts: null
+  module.dev-spoke-firewall-policy.google_compute_network_firewall_policy.net-global[0]:
+    description: null
+    name: fast2-dev-fw-policy
+    project: dev-project
+    timeouts: null
+  module.dev-spoke-firewall-policy.google_compute_network_firewall_policy_association.net-global["dev-spoke"]:
+    attachment_target: https://www.googleapis.com/compute/v1/projects/123456789/networks/vpc-1
+    firewall_policy: fast2-dev-fw-policy
+    name: fast2-dev-fw-policy-dev-spoke
+    project: dev-project
+    timeouts: null
+  module.dev-spoke-firewall-policy.google_compute_network_firewall_policy_rule.net-global["egress/egress-allow-rfc1918"]:
+    action: allow
+    description: Allow all hosts to RFC-1918
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: fast2-dev-fw-policy
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 2147483546
+    project: dev-project
+    rule_name: egress-allow-rfc1918
+    security_profile_group: null
+    target_secure_tags: []
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+  module.dev-spoke-firewall-policy.google_compute_network_firewall_policy_rule.net-global["egress/egress-inspect-internet"]:
+    action: apply_security_profile_group
+    description: Inspect egress traffic from all dev hosts to Internet
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: fast2-dev-fw-policy
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 0.0.0.0/0
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 2147483547
+    project: dev-project
+    rule_name: egress-inspect-internet
+    target_secure_tags: []
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+  module.ngfw-quota-project.google_project.project[0]:
+    auto_create_network: false
+    billing_account: 000000-111111-222222
+    deletion_policy: DELETE
+    folder_id: '12345678900'
+    labels: null
+    name: fast2-net-ngfw-0
+    org_id: null
+    project_id: fast2-net-ngfw-0
+    timeouts: null
+  module.ngfw-quota-project.google_project_service.project_services["networksecurity.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: fast2-net-ngfw-0
+    service: networksecurity.googleapis.com
+    timeouts: null
+  module.ngfw-quota-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
+    project: fast2-net-ngfw-0
+    service: networksecurity.googleapis.com
+    timeouts: null
+  module.prod-spoke-firewall-policy.google_compute_network_firewall_policy.net-global[0]:
+    description: null
+    name: fast2-prod-fw-policy
+    project: prod-project
+    timeouts: null
+  module.prod-spoke-firewall-policy.google_compute_network_firewall_policy_association.net-global["prod-spoke"]:
+    attachment_target: https://www.googleapis.com/compute/v1/projects/123456789/networks/vpc-2
+    firewall_policy: fast2-prod-fw-policy
+    name: fast2-prod-fw-policy-prod-spoke
+    project: prod-project
+    timeouts: null
+  module.prod-spoke-firewall-policy.google_compute_network_firewall_policy_rule.net-global["egress/egress-allow-rfc1918"]:
+    action: allow
+    description: Allow all hosts to RFC-1918
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: fast2-prod-fw-policy
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 2147483546
+    project: prod-project
+    rule_name: egress-allow-rfc1918
+    security_profile_group: null
+    target_secure_tags: []
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+  module.prod-spoke-firewall-policy.google_compute_network_firewall_policy_rule.net-global["egress/egress-inspect-internet"]:
+    action: apply_security_profile_group
+    description: Inspect egress traffic from all prod hosts to Internet
+    direction: EGRESS
+    disabled: false
+    enable_logging: null
+    firewall_policy: fast2-prod-fw-policy
+    match:
+    - dest_address_groups: null
+      dest_fqdns: null
+      dest_ip_ranges:
+      - 0.0.0.0/0
+      dest_region_codes: null
+      dest_threat_intelligences: null
+      layer4_configs:
+      - ip_protocol: all
+        ports: null
+      src_address_groups: null
+      src_fqdns: null
+      src_ip_ranges: null
+      src_region_codes: null
+      src_secure_tags: []
+      src_threat_intelligences: null
+    priority: 2147483547
+    project: prod-project
+    rule_name: egress-inspect-internet
+    target_secure_tags: []
+    target_service_accounts: null
+    timeouts: null
+    tls_inspect: null
+
 counts:
   google_compute_network_firewall_policy: 2
   google_compute_network_firewall_policy_association: 2
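Review bot: The expected plan pins `tls_inspect: null` on both `egress-inspect-internet` rules (dev and prod) even though this fixture turns TLS inspection on (`tls_enabled = true`) and attaches a `tls_inspection_policy` to every endpoint association. As far as I know, a network firewall policy rule only triggers decryption when it sets `tls_inspect = true` together with `apply_security_profile_group`, so what is pinned here is a policy that is attached but never used to decrypt anything; if that is not the intended default, the rule definition in the stage (outside this hunk, presumably `net-dev.tf`/`net-prod.tf`) should set it and this expectation should become `tls_inspect: true`. The same two rules are also pinned with `enable_logging: null`, which leaves the inspection rules without firewall logs, the main signal for what the security profile group actually matched; that default deserves a deliberate decision rather than an inherited null.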
@@ -20,9 +297,13 @@ counts:
   google_network_security_firewall_endpoint_association: 6
   google_network_security_security_profile: 2
   google_network_security_security_profile_group: 2
-  google_network_security_tls_inspection_policy: 2
   google_project: 1
   google_project_service: 1
   google_project_service_identity: 1
   modules: 3
-  resources: 26
+  resources: 24
+
+outputs:
+  ngfw_enterprise_endpoint_ids: __missing__
+  ngfw_enterprise_endpoints_quota_project: fast2-net-ngfw-0
+