only apply org policies when bootstrap user is not set
ludoo committed Sep 27, 2023
1 parent 6426a36 commit 7a7a0fa
Showing 2 changed files with 7 additions and 3 deletions.
2 changes: 1 addition & 1 deletion fast/stages/0-bootstrap/README.md
@@ -64,7 +64,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md

It's often desirable to have organization policies deployed before any other resource in the org, so as to ensure compliance with specific requirements (e.g. location restrictions), or control the configuration of specific resources (e.g. default network at project creation or service account grants).

To cover this use case, organization policies have been moved from the resource management to the bootstrap stage in FAST versions after 26.0.0. They are managed via the usual factory approach, and a [sample set of data files](./data/org-policies/) is included with this stage.
To cover this use case, organization policies have been moved from the resource management to the bootstrap stage in FAST versions after 26.0.0. They are managed via the usual factory approach, and a [sample set of data files](./data/org-policies/) is included with this stage. They are not applied during the initial run when the `bootstrap_user` variable is set, to work around incompatibilies with user credentials.

The only current exception to the factory approach is the `iam.allowedPolicyMemberDomains` constraint, which is managed in code so as to be able to auto-allow the organization's domain. More domains can be added via the `org_policies_config` variable, which also serves as an umbrella for future policies that will need to be managed in code.

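Review bot: the new sentence on the README line has a typo, "incompatibilies" should read "incompatibilities", and it names neither the incompatibility being worked around nor what the operator has to do afterwards. Since the paragraph above motivates org policies as guardrails that should exist before anything else in the org, the doc should state plainly that the policies are skipped for the whole bootstrap run and only get applied on the next `terraform apply` once `bootstrap_user` is unset, so readers know the org is without those constraints in between. Suggested wording: "They are not applied while the `bootstrap_user` variable is set, to work around incompatibilities with user credentials; unset the variable and apply again to have them created."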
8 changes: 6 additions & 2 deletions fast/stages/0-bootstrap/organization.tf
@@ -156,8 +156,12 @@ module "organization" {
type = attrs.type
}
}
org_policies_data_path = var.factories_config.org_policy_data_path
org_policies = {
org_policies_data_path = (
var.bootstrap_user != null
? null
: var.factories_config.org_policy_data_path
)
org_policies = var.bootstrap_user != null ? {} : {
"iam.allowedPolicyMemberDomains" = {
rules = [
{
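Review bot: the `var.bootstrap_user != null` condition is duplicated across `org_policies_data_path` and `org_policies`; factor it into a single local (for example `local.skip_org_policies`) so the two cannot drift apart when the workaround is later narrowed or removed. Note also that the second conditional skips the in-code `iam.allowedPolicyMemberDomains` constraint as well, not just the factory data files, which the README change in this commit does not mention; either document that the domain-restriction policy is absent during the bootstrap run or keep that one policy out of the conditional if it does not trigger the credential problem. Finally, confirm that the `organization` module accepts `null` for `org_policies_data_path` without a validation error, since that is the value passed whenever `bootstrap_user` is set.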