Manage billing.creator role authoritatively in FAST bootstrap.

By default new orgs grant billing.creator and resourcemanager.projectCreator to the whole domain[1]. This PR makes FAST remove the former binding during the bootstrap (the latter is already managed by FAST). Fixes #1220 [1] https://cloud.google.com/resource-manager/docs/default-access-control
GoogleCloudPlatform · Mar 7, 2023 · 38808b3 · 38808b3
1 parent cd8f089
commit 38808b3
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ locals {
   # organization authoritative IAM bindings, in an easy to edit format before
   # they are combined with var.iam a bit further in locals
   _iam = {
+    "roles/billing.creator" = []
     "roles/browser" = [
       "domain:${var.organization.domain}"
     ]