diff --git a/fast/stages/0-bootstrap/data/custom-roles/private_ca_user.yaml b/fast/stages/0-bootstrap/data/custom-roles/private_ca_user.yaml
deleted file mode 100644
index eeabd8f6e0..0000000000
--- a/fast/stages/0-bootstrap/data/custom-roles/private_ca_user.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: privateCaUser
-includedPermissions:
- - privateca.caPools.get
- - privateca.caPools.use
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index 4c6e39a952..7505e149b3 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -191,7 +191,6 @@ module "organization" {
module.organization.custom_role_id["network_firewall_policies_admin"],
module.organization.custom_role_id["ngfw_enterprise_admin"],
module.organization.custom_role_id["ngfw_enterprise_viewer"],
- module.organization.custom_role_id["private_ca_user"],
module.organization.custom_role_id["service_project_network_admin"],
module.organization.custom_role_id["tenant_network_admin"]
]))
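Review bot: Removing `private_ca_user` here while the same change deletes `data/custom-roles/private_ca_user.yaml` means the org-level custom role is destroyed on the 0-bootstrap apply, before 1-resman and 2-security have been re-applied to drop their own references to it (the `hasOnly` condition in `branch-security.tf` and the NGFW SA bindings in `core-dev.tf`/`core-prod.tf`). GCP soft-deletes custom roles rather than purging them immediately, so bindings that still reference `privateCaUser` linger in a deleted state until those later stages run, and the role id is not immediately reusable should it need to come back; the required apply order (0 → 1 → 2) deserves a line in the stage README or changelog. The enclosing `module "organization"` block starts before this hunk.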
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 852ae27808..854fa6c507 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
@@ -267,18 +267,18 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…})
| ✓ | | 0-bootstrap
|
| [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…})
| ✓ | | 0-bootstrap
|
-| [logging](variables-fast.tf#L97) | Logging configuration for tenants. | object({…})
| ✓ | | 1-tenant-factory
|
-| [organization](variables-fast.tf#L110) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
-| [prefix](variables-fast.tf#L128) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
+| [logging](variables-fast.tf#L96) | Logging configuration for tenants. | object({…})
| ✓ | | 1-tenant-factory
|
+| [organization](variables-fast.tf#L109) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
+| [prefix](variables-fast.tf#L127) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 0-bootstrap
|
| [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
-| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
+| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
| [factories_config](variables.tf#L122) | Configuration for the resource factories or external data. | object({…})
| | {}
| |
| [fast_features](variables.tf#L133) | Selective control for top-level FAST features. | object({…})
| | {}
| |
| [folder_iam](variables.tf#L146) | Authoritative IAM for top-level folders. | object({…})
| | {}
| |
-| [groups](variables-fast.tf#L69) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…})
| | {}
| 0-bootstrap
|
-| [locations](variables-fast.tf#L84) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {}
| 0-bootstrap
|
+| [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…})
| | {}
| 0-bootstrap
|
+| [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {}
| 0-bootstrap
|
| [outputs_location](variables.tf#L160) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
-| [root_node](variables-fast.tf#L134) | Root node for the hierarchy, if running in tenant mode. | string
| | null
| 0-bootstrap
|
+| [root_node](variables-fast.tf#L133) | Root node for the hierarchy, if running in tenant mode. | string
| | null
| 0-bootstrap
|
| [tag_names](variables.tf#L166) | Customized names for resource management tags. | object({…})
| | {}
| |
| [tags](variables.tf#L180) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…}))
| | {}
| |
| [top_level_folders](variables.tf#L201) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…}))
| | {}
| |
diff --git a/fast/stages/1-resman/branch-security.tf b/fast/stages/1-resman/branch-security.tf
index 754cb24ce7..97cba1d7b1 100644
--- a/fast/stages/1-resman/branch-security.tf
+++ b/fast/stages/1-resman/branch-security.tf
@@ -60,8 +60,7 @@ module "branch-security-folder" {
expression = format(
"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
join(",", formatlist("'%s'", [
- "roles/privateca.certificateManager",
- var.custom_roles.private_ca_user
+ "roles/privateca.certificateManager"
]))
)
title = "security_sa_delegated_grants"
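Review bot: With `var.custom_roles.private_ca_user` gone, the security SA can only delegate `roles/privateca.certificateManager` on this folder, and nothing in this diff grants a replacement for the `privateca.caPools.get`/`use` permissions the removed role carried. If the predefined `roles/privateca.poolUser` (which covers those two permissions) is the intended replacement for the NGFW service accounts, it must be added to this `hasOnly` list, otherwise the 2-security apply that binds it will be rejected by this IAM condition. Now that the list is a single literal, the `join(",", formatlist(...))` could be reduced to `"api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager'])"`; keep the list form only if more roles are expected to return. The enclosing `module "branch-security-folder"` block extends beyond this hunk.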
diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf
index 888460a10a..1418d91ef1 100644
--- a/fast/stages/1-resman/variables-fast.tf
+++ b/fast/stages/1-resman/variables-fast.tf
@@ -59,7 +59,6 @@ variable "custom_roles" {
ngfw_enterprise_admin = string
ngfw_enterprise_viewer = string
organization_admin_viewer = string
- private_ca_user = string
service_project_network_admin = string
storage_viewer = string
})
diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md
index fbb8ea647d..f510f0844d 100644
--- a/fast/stages/2-security/README.md
+++ b/fast/stages/2-security/README.md
@@ -281,12 +281,11 @@ tls_inspection = {
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…})
| ✓ | | 0-bootstrap
|
| [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…})
| ✓ | | 0-bootstrap
|
-| [folder_ids](variables-fast.tf#L47) | Folder name => id mappings, the 'security' folder name must exist. | object({…})
| ✓ | | 1-resman
|
-| [organization](variables-fast.tf#L55) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
-| [prefix](variables-fast.tf#L65) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string
| ✓ | | 0-bootstrap
|
-| [service_accounts](variables-fast.tf#L75) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…})
| ✓ | | 1-resman
|
+| [folder_ids](variables-fast.tf#L38) | Folder name => id mappings, the 'security' folder name must exist. | object({…})
| ✓ | | 1-resman
|
+| [organization](variables-fast.tf#L46) | Organization details. | object({…})
| ✓ | | 0-bootstrap
|
+| [prefix](variables-fast.tf#L56) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string
| ✓ | | 0-bootstrap
|
+| [service_accounts](variables-fast.tf#L66) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…})
| ✓ | | 1-resman
|
| [cas_configs](variables.tf#L17) | The CAS CAs to add to each environment. | object({…})
| | {…}
| |
-| [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 0-bootstrap
|
| [essential_contacts](variables.tf#L46) | Email used for essential contacts, unset if null. | string
| | null
| |
| [kms_keys](variables.tf#L52) | KMS keys to create, keyed by name. | map(object({…}))
| | {}
| |
| [ngfw_tls_configs](variables.tf#L91) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…})
| | {…}
| |
diff --git a/fast/stages/2-security/core-dev.tf b/fast/stages/2-security/core-dev.tf
index a15e98adcd..9ac7d417fd 100644
--- a/fast/stages/2-security/core-dev.tf
+++ b/fast/stages/2-security/core-dev.tf
@@ -27,16 +27,6 @@ locals {
role = "roles/privateca.certificateManager"
}
}
- ngfw_dev_sa_cas_iam_bindings_additive = {
- nsec_dev_sa_binding = {
- member = "serviceAccount:${var.service_accounts.nsec}"
- role = var.custom_roles.private_ca_user
- }
- nsec_dev_sa_r_binding = {
- member = "serviceAccount:${var.service_accounts.nsec-r}"
- role = var.custom_roles.private_ca_user
- }
- }
dev_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-dev,
@@ -56,12 +46,12 @@ module "dev-sec-project" {
iam = {
"roles/cloudkms.viewer" = local.dev_kms_restricted_admins
}
- iam_bindings_additive = merge({
+ iam_bindings_additive = {
for member in local.dev_kms_restricted_admins :
"kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, {
member = member
})
- }, local.ngfw_dev_sa_cas_iam_bindings_additive)
+ }
labels = { environment = "dev", team = "security" }
services = local.project_services
}
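Review bot: After this change the dev security project grants `var.service_accounts.nsec` and `nsec-r` nothing on the CA pools, and no other hunk in this diff adds a replacement, so on apply this is a pure revocation for the network security service accounts. If NGFW Enterprise TLS inspection in the networking stage still needs those accounts to reference the pools, the grant should reappear here (for example `roles/privateca.poolUser` for `nsec`, with a read-only equivalent for `nsec-r`) or the removal should be called out in the 2-security README as intentional; the same applies to the mirrored `core-prod.tf` hunk. A comment above `iam_bindings_additive` such as `# only KMS restricted-admin bindings; NGFW CA pool access is no longer granted from this stage` would make the intent visible to the next maintainer. The `module "dev-sec-project"` block starts before this hunk.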
diff --git a/fast/stages/2-security/core-prod.tf b/fast/stages/2-security/core-prod.tf
index d6b342085e..c98fe70289 100644
--- a/fast/stages/2-security/core-prod.tf
+++ b/fast/stages/2-security/core-prod.tf
@@ -27,16 +27,6 @@ locals {
role = "roles/privateca.certificateManager"
}
}
- ngfw_prod_sa_cas_iam_bindings_additive = {
- nsec_prod_sa_binding = {
- member = "serviceAccount:${var.service_accounts.nsec}"
- role = var.custom_roles.private_ca_user
- }
- nsec_prod_sa_r_binding = {
- member = "serviceAccount:${var.service_accounts.nsec-r}"
- role = var.custom_roles.private_ca_user
- }
- }
prod_kms_restricted_admins = [
for sa in distinct(compact([
var.service_accounts.data-platform-prod,
@@ -55,12 +45,12 @@ module "prod-sec-project" {
iam = {
"roles/cloudkms.viewer" = local.prod_kms_restricted_admins
}
- iam_bindings_additive = merge({
+ iam_bindings_additive = {
for member in local.prod_kms_restricted_admins :
"kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, {
member = member
})
- }, local.ngfw_prod_sa_cas_iam_bindings_additive)
+ }
labels = { environment = "prod", team = "security" }
services = local.project_services
}
diff --git a/fast/stages/2-security/variables-fast.tf b/fast/stages/2-security/variables-fast.tf
index c499440e12..7d6259920e 100644
--- a/fast/stages/2-security/variables-fast.tf
+++ b/fast/stages/2-security/variables-fast.tf
@@ -35,15 +35,6 @@ variable "billing_account" {
}
}
-variable "custom_roles" {
- # tfdoc:variable:source 0-bootstrap
- description = "Custom roles defined at the org level, in key => id format."
- type = object({
- private_ca_user = string
- })
- default = null
-}
-
variable "folder_ids" {
# tfdoc:variable:source 1-resman
description = "Folder name => id mappings, the 'security' folder name must exist."
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index 8e1fe2d1cc..8fadcd1440 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
@@ -13,8 +13,8 @@
# limitations under the License.
values:
- google_storage_bucket_object.checklist_data[0]:
- bucket: fast-prod-iac-core-checklist-0
+ google_storage_bucket_object.providers["2-networking"]:
+ bucket: test
cache_control: null
content_disposition: null
content_encoding: null
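Review bot: This fixture is `s0_bootstrap/checklist.yaml`, yet the new content drops the `checklist_data[0]`/`checklist_org_iam[0]` objects it existed to assert on and replaces them with resources that belong to 1-resman (`providers["2-networking"]` here, and further down `tfvars/1-resman.auto.tfvars.json` and the `module.branch-network-*` folder bindings, all in bucket `test`), which looks like the inventory was regenerated from the wrong stage rather than updated for the role removal. If the checklist feature still exists in 0-bootstrap, the `checklist/data.tfvars.json` and `checklist/org-iam.tfvars.json` entries should be restored with only the `private_ca_user`-related lines removed so the test keeps covering what its name claims; otherwise the file should be renamed or deleted rather than left asserting another stage's plan. The later hunks in this file show the same symptom.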
@@ -23,13 +23,13 @@ values:
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: checklist/data.tfvars.json
+ name: providers/2-networking-providers.tf
retention: []
- source: checklist-data.json
+ source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.checklist_org_iam[0]:
- bucket: fast-prod-iac-core-checklist-0
+ google_storage_bucket_object.providers["2-networking-r"]:
+ bucket: test
cache_control: null
content_disposition: null
content_encoding: null
@@ -38,27 +38,13 @@ values:
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: checklist/org-iam.tfvars.json
- retention: []
- source: checklist-org-iam.json
- temporary_hold: null
- timeouts: null
- google_storage_bucket_object.providers["0-bootstrap"]:
- bucket: fast-prod-iac-core-outputs-0
- cache_control: null
- content_encoding: null
- content_language: null
- customer_encryption: []
- detect_md5hash: different hash
- event_based_hold: null
- metadata: null
- name: providers/0-bootstrap-providers.tf
+ name: providers/2-networking-r-providers.tf
retention: []
source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.providers["0-bootstrap-r"]:
- bucket: fast-prod-iac-core-outputs-0
+ google_storage_bucket_object.providers["2-project-factory"]:
+ bucket: test
cache_control: null
content_encoding: null
content_language: null
@@ -66,41 +52,43 @@ values:
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: providers/0-bootstrap-r-providers.tf
+ name: providers/2-project-factory-providers.tf
retention: []
source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.providers["1-resman"]:
- bucket: fast-prod-iac-core-outputs-0
+ google_storage_bucket_object.providers["2-project-factory-dev"]:
+ bucket: test
cache_control: null
+ content_disposition: null
content_encoding: null
content_language: null
customer_encryption: []
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: providers/1-resman-providers.tf
+ name: providers/2-project-factory-dev-providers.tf
retention: []
source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.providers["1-resman-r"]:
- bucket: fast-prod-iac-core-outputs-0
+ google_storage_bucket_object.providers["2-project-factory-dev-r"]:
+ bucket: test
cache_control: null
+ content_disposition: null
content_encoding: null
content_language: null
customer_encryption: []
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: providers/1-resman-r-providers.tf
+ name: providers/2-project-factory-dev-r-providers.tf
retention: []
source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.providers["1-tenant-factory"]:
- bucket: fast-prod-iac-core-outputs-0
+ google_storage_bucket_object.providers["2-project-factory-prod"]:
+ bucket: test
cache_control: null
content_disposition: null
content_encoding: null
@@ -109,13 +97,13 @@ values:
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: providers/1-tenant-factory-providers.tf
+ name: providers/2-project-factory-prod-providers.tf
retention: []
source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.providers["1-tenant-factory-r"]:
- bucket: fast-prod-iac-core-outputs-0
+ google_storage_bucket_object.providers["2-project-factory-prod-r"]:
+ bucket: test
cache_control: null
content_disposition: null
content_encoding: null
@@ -124,28 +112,27 @@ values:
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: providers/1-tenant-factory-r-providers.tf
+ name: providers/2-project-factory-prod-r-providers.tf
retention: []
source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.providers["1-vpcsc"]:
- bucket: fast-prod-iac-core-outputs-0
+ google_storage_bucket_object.providers["2-project-factory-r"]:
+ bucket: test
cache_control: null
- content_disposition: null
content_encoding: null
content_language: null
customer_encryption: []
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: providers/1-vpcsc-providers.tf
+ name: providers/2-project-factory-r-providers.tf
retention: []
source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.providers["1-vpcsc-r"]:
- bucket: fast-prod-iac-core-outputs-0
+ google_storage_bucket_object.providers["2-security"]:
+ bucket: test
cache_control: null
content_disposition: null
content_encoding: null
@@ -154,13 +141,13 @@ values:
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: providers/1-vpcsc-r-providers.tf
+ name: providers/2-security-providers.tf
retention: []
source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.tfvars:
- bucket: fast-prod-iac-core-outputs-0
+ google_storage_bucket_object.providers["2-security-r"]:
+ bucket: test
cache_control: null
content_disposition: null
content_encoding: null
@@ -169,15 +156,14 @@ values:
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: tfvars/0-bootstrap.auto.tfvars.json
+ name: providers/2-security-r-providers.tf
retention: []
source: null
temporary_hold: null
timeouts: null
- google_storage_bucket_object.tfvars_globals:
- bucket: fast-prod-iac-core-outputs-0
+ google_storage_bucket_object.tfvars:
+ bucket: test
cache_control: null
- content: '{"billing_account":{"id":"000000-111111-222222","is_org_level":true,"no_iam":false},"environments":{"dev":{"is_default":false,"name":"Development"},"prod":{"is_default":true,"name":"Production"}},"groups":{"gcp-billing-admins":"group:gcp-billing-admins@fast.example.com","gcp-devops":"group:gcp-devops@fast.example.com","gcp-network-admins":"group:gcp-vpc-network-admins@fast.example.com","gcp-organization-admins":"group:gcp-organization-admins@fast.example.com","gcp-security-admins":"group:gcp-security-admins@fast.example.com","gcp-support":"group:gcp-devops@fast.example.com"},"locations":{"bq":"EU","gcs":"EU","logging":"europe-west1","pubsub":[]},"organization":{"customer_id":"C00000000","domain":"fast.example.com","id":123456789012},"prefix":"fast"}'
content_disposition: null
content_encoding: null
content_language: null
@@ -185,400 +171,85 @@ values:
detect_md5hash: different hash
event_based_hold: null
metadata: null
- name: tfvars/0-globals.auto.tfvars.json
+ name: tfvars/1-resman.auto.tfvars.json
retention: []
source: null
temporary_hold: null
timeouts: null
- module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-iac-core-0
- module.automation-project.data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-iac-core-0
- user_project: null
- module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-iac-core-0
+ module.branch-network-dev-folder.google_folder.folder[0]:
+ display_name: Development
timeouts: null
- module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
- timeouts: null
- module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation
- parent: projects/fast-prod-iac-core-0
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
- timeouts: null
- module.automation-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- folder_id: null
- labels: null
- name: fast-prod-iac-core-0
- org_id: '123456789012'
- project_id: fast-prod-iac-core-0
- timeouts: null
- module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]:
- audit_log_config:
- - exempted_members: []
- log_type: ADMIN_READ
- project: fast-prod-iac-core-0
- service: iam.googleapis.com
- module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: organizations/123456789012/roles/storageViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/browser"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/browser
- module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.editor
- module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]:
- condition: []
+ ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"]
+ : condition: []
+ members: null
+ role: organizations/123456789012/roles/gcveNetworkAdmin
+ ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
+ : condition: []
members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.viewer
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]:
+ - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ role: organizations/123456789012/roles/xpnServiceAdmin
+ module.branch-network-dev-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]:
condition: []
members:
- - group:gcp-devops@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountAdmin
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+ - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/compute.networkViewer
+ module.branch-network-dev-folder.google_tags_tag_binding.binding["environment"]:
+ timeouts: null
+ module.branch-network-folder.google_folder.folder[0]:
+ display_name: Networking
+ parent: organizations/123456789012
+ timeouts: null
+ module.branch-network-folder.google_folder_iam_binding.authoritative["roles/browser"]:
condition: []
members:
- - group:gcp-devops@fast.example.com
- - group:gcp-organization-admins@fast.example.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountTokenCreator
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]:
+ - user:extra-browser@fast.example.com
+ role: roles/browser
+ module.branch-network-folder.google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]:
condition: []
members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.serviceAccountViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]:
+ - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/compute.xpnAdmin
+ module.branch-network-folder.google_folder_iam_binding.authoritative["roles/editor"]:
condition: []
members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.workloadIdentityPoolAdmin
- module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]:
+ - group:gcp-vpc-network-admins@fast.example.com
+ role: roles/editor
+ module.branch-network-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]:
condition: []
members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/iam.workloadIdentityPoolViewer
- module.automation-project.google_project_iam_binding.authoritative["roles/owner"]:
+ - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/logging.admin
+ module.branch-network-folder.google_folder_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
+ - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+ - user:extra-owner@fast.example.com
role: roles/owner
- module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]:
+ module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
condition: []
members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/source.admin
- module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]:
+ - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/resourcemanager.folderAdmin
+ module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
condition: []
members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/source.reader
- module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]:
+ - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/resourcemanager.folderViewer
+ module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
condition: []
members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/storage.admin
- module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]:
+ - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/resourcemanager.projectCreator
+ module.branch-network-folder.google_folder_iam_binding.authoritative["roles/viewer"]:
condition: []
members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
+ - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com
role: roles/viewer
- module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]:
- condition:
- - description: Resource manager service account delegated grant.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer'])
- title: resman_delegated_grant
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/resourcemanager.projectIamAdmin
- module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]:
- condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/serviceusage.serviceUsageConsumer
- module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]:
- condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-iac-core-0
- role: roles/serviceusage.serviceUsageViewer
- module.automation-project.google_project_iam_member.service_agents["cloudasset"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudasset.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["cloudbuild"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudbuild.builds.builder
- module.automation-project.google_project_iam_member.service_agents["cloudkms"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/cloudkms.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["compute-system"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/compute.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/container.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["gkenode"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/container.nodeServiceAgent
- module.automation-project.google_project_iam_member.service_agents["pubsub"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/pubsub.serviceAgent
- module.automation-project.google_project_iam_member.service_agents["service-networking"]:
- condition: []
- project: fast-prod-iac-core-0
- role: roles/servicenetworking.serviceAgent
- module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: accesscontextmanager.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigquery.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigqueryreservation.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: bigquerystorage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: billingbudgets.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudasset.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudbilling.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudbuild.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudkms.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudquotas.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: cloudresourcemanager.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["compute.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: compute.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["container.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: container.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: essentialcontacts.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["iam.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: iam.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: iamcredentials.googleapis.com
+ module.branch-network-folder.google_tags_tag_binding.binding["context"]:
timeouts: null
- module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: networksecurity.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: orgpolicy.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: pubsub.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: servicenetworking.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: serviceusage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: storage-component.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: storage.googleapis.com
- timeouts: null
- module.automation-project.google_project_service.project_services["sts.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-iac-core-0
- service: sts.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: cloudasset.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: cloudkms.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["container.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: container.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: networksecurity.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: pubsub.googleapis.com
- timeouts: null
- module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]:
- project: fast-prod-iac-core-0
- service: servicenetworking.googleapis.com
- timeouts: null
- module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket:
+ module.branch-network-gcs.google_storage_bucket.bucket:
autoclass: []
cors: []
custom_placement_config: []
@@ -590,8 +261,8 @@ values:
lifecycle_rule: []
location: EU
logging: []
- name: fast-prod-iac-core-bootstrap-0
- project: fast-prod-iac-core-0
+ name: fast2-prod-resman-net-0
+ project: fast-prod-automation
requester_pays: null
retention_policy: []
storage_class: STANDARD
@@ -599,47 +270,80 @@ values:
uniform_bucket_level_access: true
versioning:
- enabled: true
- ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
+ module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast2-prod-resman-net-0
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectAdmin
+ module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast2-prod-resman-net-0
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ module.branch-network-prod-folder.google_folder.folder[0]:
+ display_name: Production
+ timeouts: null
+ ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"]
: condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationAdminViewer
- ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
+ members: null
+ role: organizations/123456789012/roles/gcveNetworkAdmin
+ ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
: condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/tagViewer
- module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-0r
+ members:
+ - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ role: organizations/123456789012/roles/xpnServiceAdmin
+ module.branch-network-prod-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+ - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/compute.networkViewer
+ module.branch-network-prod-folder.google_tags_tag_binding.binding["environment"]:
+ timeouts: null
+ ? module.branch-network-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-network-r-sa.google_service_account.service_account[0]:
+ account_id: fast2-prod-resman-net-0r
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Terraform organization bootstrap service account (read-only).
- project: fast-prod-iac-core-0
+ display_name: Terraform resman networking service account (read-only).
+ project: fast-prod-automation
timeouts: null
- ? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
- : condition: []
+ module.branch-network-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
members: null
role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
+ ? module.branch-network-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+ : bucket: test
condition: []
role: organizations/123456789012/roles/storageViewer
- module.automation-tf-bootstrap-sa.google_service_account.service_account[0]:
- account_id: fast-prod-bootstrap-0
+ ? module.branch-network-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-network-sa.google_service_account.service_account[0]:
+ account_id: fast2-prod-resman-net-0
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Terraform organization bootstrap service account.
- project: fast-prod-iac-core-0
+ display_name: Terraform resman networking service account.
+ project: fast-prod-automation
timeouts: null
- module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ module.branch-network-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
condition: []
members: null
role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
+ module.branch-network-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+ bucket: test
condition: []
- role: roles/storage.admin
- module.automation-tf-checklist-gcs[0].google_storage_bucket.bucket:
+ role: roles/storage.objectAdmin
+ module.branch-pf-dev-gcs.google_storage_bucket.bucket:
autoclass: []
cors: []
custom_placement_config: []
@@ -651,8 +355,8 @@ values:
lifecycle_rule: []
location: EU
logging: []
- name: fast-prod-iac-core-checklist-0
- project: fast-prod-iac-core-0
+ name: fast2-dev-resman-pf-0
+ project: fast-prod-automation
requester_pays: null
retention_policy: []
storage_class: STANDARD
@@ -660,7 +364,59 @@ values:
uniform_bucket_level_access: true
versioning:
- enabled: true
- module.automation-tf-output-gcs.google_storage_bucket.bucket:
+ module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast2-dev-resman-pf-0
+ condition: []
+ members:
+ - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectAdmin
+ module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast2-dev-resman-pf-0
+ condition: []
+ members:
+ - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ ? module.branch-pf-dev-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-pf-dev-r-sa.google_service_account.service_account[0]:
+ account_id: fast2-dev-resman-pf-0r
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform project factory development service account (read-only).
+ project: fast-prod-automation
+ timeouts: null
+ module.branch-pf-dev-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.branch-pf-dev-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+ : bucket: test
+ condition: []
+ role: organizations/123456789012/roles/storageViewer
+ ? module.branch-pf-dev-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-pf-dev-sa.google_service_account.service_account[0]:
+ account_id: fast2-dev-resman-pf-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform project factory development service account.
+ project: fast-prod-automation
+ timeouts: null
+ module.branch-pf-dev-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ module.branch-pf-dev-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+ bucket: test
+ condition: []
+ role: roles/storage.objectAdmin
+ module.branch-pf-gcs.google_storage_bucket.bucket:
autoclass: []
cors: []
custom_placement_config: []
@@ -672,8 +428,8 @@ values:
lifecycle_rule: []
location: EU
logging: []
- name: fast-prod-iac-core-outputs-0
- project: fast-prod-iac-core-0
+ name: fast2-resman-pf-0
+ project: fast-prod-automation
requester_pays: null
retention_policy: []
storage_class: STANDARD
@@ -681,7 +437,19 @@ values:
uniform_bucket_level_access: true
versioning:
- enabled: true
- module.automation-tf-resman-gcs.google_storage_bucket.bucket:
+ module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast2-resman-pf-0
+ condition: []
+ members:
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectAdmin
+ module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast2-resman-pf-0
+ condition: []
+ members:
+ - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/storage.objectViewer
+ module.branch-pf-prod-gcs.google_storage_bucket.bucket:
autoclass: []
cors: []
custom_placement_config: []
@@ -693,8 +461,8 @@ values:
lifecycle_rule: []
location: EU
logging: []
- name: fast-prod-iac-core-resman-0
- project: fast-prod-iac-core-0
+ name: fast2-prod-resman-pf-0
+ project: fast-prod-automation
requester_pays: null
retention_policy: []
storage_class: STANDARD
@@ -702,51 +470,154 @@ values:
uniform_bucket_level_access: true
versioning:
- enabled: true
- module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast-prod-iac-core-resman-0
+ module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast2-prod-resman-pf-0
condition: []
members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
role: roles/storage.objectAdmin
- module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast-prod-iac-core-resman-0
+ module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast2-prod-resman-pf-0
condition: []
members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com
role: roles/storage.objectViewer
- ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"]
+ ? module.branch-pf-prod-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
: condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationAdminViewer
- ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"]
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-pf-prod-r-sa.google_service_account.service_account[0]:
+ account_id: fast2-prod-resman-pf-0r
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform project factory production service account (read-only).
+ project: fast-prod-automation
+ timeouts: null
+ module.branch-pf-prod-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.branch-pf-prod-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+ : bucket: test
+ condition: []
+ role: organizations/123456789012/roles/storageViewer
+ ? module.branch-pf-prod-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
: condition: []
- org_id: '123456789012'
- role: organizations/123456789012/roles/tagViewer
- module.automation-tf-resman-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-resman-0r
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-pf-prod-sa.google_service_account.service_account[0]:
+ account_id: fast2-prod-resman-pf-0
+ create_ignore_already_exists: null
+ description: null
+ disabled: false
+ display_name: Terraform project factory production service account.
+ project: fast-prod-automation
+ timeouts: null
+ module.branch-pf-prod-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ module.branch-pf-prod-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+ bucket: test
+ condition: []
+ role: roles/storage.objectAdmin
+ ? module.branch-pf-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-pf-r-sa.google_service_account.service_account[0]:
+ account_id: fast2-resman-pf-0r
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Terraform stage 1 resman service account (read-only).
- project: fast-prod-iac-core-0
+ display_name: Terraform project factory main service account (read-only).
+ project: fast-prod-automation
timeouts: null
- ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
+ module.branch-pf-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ module.branch-pf-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]:
+ bucket: test
condition: []
role: organizations/123456789012/roles/storageViewer
- module.automation-tf-resman-sa.google_service_account.service_account[0]:
- account_id: fast-prod-resman-0
+ ? module.branch-pf-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-pf-sa.google_service_account.service_account[0]:
+ account_id: fast2-resman-pf-0
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Terraform stage 1 resman service account.
- project: fast-prod-iac-core-0
+ display_name: Terraform project factory main service account.
+ project: fast-prod-automation
+ timeouts: null
+ module.branch-pf-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ module.branch-pf-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+ bucket: test
+ condition: []
+ role: roles/storage.objectAdmin
+ module.branch-security-folder.google_folder.folder[0]:
+ display_name: Security
+ parent: organizations/123456789012
timeouts: null
- ? module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
+ module.branch-security-folder.google_folder_iam_binding.authoritative["roles/browser"]:
+ condition: []
+ members:
+ - user:extra-browser@fast.example.com
+ role: roles/browser
+ module.branch-security-folder.google_folder_iam_binding.authoritative["roles/editor"]:
+ condition: []
+ members:
+ - group:gcp-security-admins@fast.example.com
+ role: roles/editor
+ module.branch-security-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]:
condition: []
- role: roles/storage.admin
- module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket:
+ members:
+ - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/logging.admin
+ module.branch-security-folder.google_folder_iam_binding.authoritative["roles/owner"]:
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+ - user:extra-owner@fast.example.com
+ role: roles/owner
+ module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/resourcemanager.folderAdmin
+ module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/resourcemanager.folderViewer
+ module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/resourcemanager.projectCreator
+ module.branch-security-folder.google_folder_iam_binding.authoritative["roles/viewer"]:
+ condition: []
+ members:
+ - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/viewer
+ module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]:
+ condition:
+ - description: Certificate Authority Service delegated grants.
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager','organizations/123456789012/roles/privateCaUser'])
+ title: security_sa_delegated_grants
+ members:
+ - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/resourcemanager.folderIamAdmin
+ module.branch-security-folder.google_tags_tag_binding.binding["context"]:
+ timeouts: null
+ module.branch-security-gcs.google_storage_bucket.bucket:
autoclass: []
cors: []
custom_placement_config: []
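Review bot: The delegated-grants condition on the `tenant_iam_admin_conditional` binding (the `expression:` line under `module.branch-security-folder.google_folder_iam_binding.bindings[...]`) still allows `organizations/123456789012/roles/privateCaUser`, while this same commit deletes the `private_ca_user` custom role from 0-bootstrap and drops its `custom_role_id` reference from `organization.tf`. If the role was moved to another stage rather than removed, this expected inventory is consistent; if it was removed, the condition would grant `roles/resourcemanager.folderIamAdmin` with an allowlist naming a role that no longer exists, and the fixture would not surface that. Worth confirming where the role is now defined and, since this inventory looks like captured plan output, that it was regenerated after the role move rather than edited by hand.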
@@ -758,8 +629,8 @@ values:
lifecycle_rule: []
location: EU
logging: []
- name: fast-prod-iac-core-vpcsc-0
- project: fast-prod-iac-core-0
+ name: fast2-prod-resman-sec-0
+ project: fast-prod-automation
requester_pays: null
retention_policy: []
storage_class: STANDARD
@@ -767,1210 +638,257 @@ values:
uniform_bucket_level_access: true
versioning:
- enabled: true
- module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
- bucket: fast-prod-iac-core-vpcsc-0
+ module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]:
+ bucket: fast2-prod-resman-sec-0
condition: []
members:
- - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
role: roles/storage.objectAdmin
- module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
- bucket: fast-prod-iac-core-vpcsc-0
+ module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]:
+ bucket: fast2-prod-resman-sec-0
condition: []
members:
- - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
+ - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com
role: roles/storage.objectViewer
- module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]:
- account_id: fast-prod-vpcsc-0r
+ ? module.branch-security-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-security-r-sa.google_service_account.service_account[0]:
+ account_id: fast2-prod-resman-sec-0r
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Terraform stage 1 vpcsc service account (read-only).
- project: fast-prod-iac-core-0
+ display_name: Terraform resman security service account (read-only).
+ project: fast-prod-automation
timeouts: null
- ? module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
- : bucket: fast-prod-iac-core-outputs-0
+ module.branch-security-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
+ condition: []
+ members: null
+ role: roles/iam.serviceAccountTokenCreator
+ ? module.branch-security-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]
+ : bucket: test
condition: []
role: organizations/123456789012/roles/storageViewer
- module.automation-tf-vpcsc-sa.google_service_account.service_account[0]:
- account_id: fast-prod-vpcsc-0
+ ? module.branch-security-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"]
+ : condition: []
+ project: fast-prod-automation
+ role: roles/serviceusage.serviceUsageConsumer
+ module.branch-security-sa.google_service_account.service_account[0]:
+ account_id: fast2-prod-resman-sec-0
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Terraform stage 1 vpcsc service account.
- project: fast-prod-iac-core-0
+ display_name: Terraform resman security service account.
+ project: fast-prod-automation
timeouts: null
- module.automation-tf-vpcsc-sa.google_service_account_iam_member.bindings["security_admins"]:
+ module.branch-security-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
condition: []
- member: group:gcp-security-admins@fast.example.com
+ members: null
role: roles/iam.serviceAccountTokenCreator
- ? module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
- : bucket: fast-prod-iac-core-outputs-0
- condition: []
- role: roles/storage.admin
- module.billing-export-dataset[0].google_bigquery_dataset.default:
- dataset_id: billing_export
- default_encryption_configuration: []
- default_partition_expiration_ms: null
- default_table_expiration_ms: null
- delete_contents_on_destroy: false
- description: Terraform managed.
- external_dataset_reference: []
- friendly_name: Billing export.
- labels: null
- location: EU
- max_time_travel_hours: '168'
- project: fast-prod-billing-exp-0
- resource_tags: null
- timeouts: null
- module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-billing-exp-0
- module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-billing-exp-0
- user_project: null
- module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-billing-exp-0
- timeouts: null
- module.billing-export-project[0].google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- folder_id: null
- labels: null
- name: fast-prod-billing-exp-0
- org_id: '123456789012'
- project_id: fast-prod-billing-exp-0
- timeouts: null
- module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]:
+ module.branch-security-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]:
+ bucket: test
condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-billing-exp-0
- role: roles/owner
- module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]:
+ role: roles/storage.objectAdmin
+ module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]:
condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-billing-exp-0
- role: roles/viewer
- module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]:
- condition: []
- project: fast-prod-billing-exp-0
- role: roles/bigquerydatatransfer.serviceAgent
- module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: bigquery.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: bigquerydatatransfer.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-billing-exp-0
- service: storage.googleapis.com
- timeouts: null
- module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]:
- project: fast-prod-billing-exp-0
- service: bigquerydatatransfer.googleapis.com
- timeouts: null
- module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: audit-logs
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: europe-west1
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: iam
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: europe-west1
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: vpc-sc
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: europe-west1
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]:
- bucket_id: workspace-audit-logs
- cmek_settings: []
- enable_analytics: true
- index_configs: []
- location: europe-west1
- locked: null
- project: fast-prod-audit-logs-0
- retention_days: 30
- module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]:
- project: fast-prod-audit-logs-0
- module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]:
- project: fast-prod-audit-logs-0
- user_project: null
- module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]:
- email: gcp-organization-admins@fast.example.com
- language_tag: en
- notification_category_subscriptions:
- - ALL
- parent: projects/fast-prod-audit-logs-0
- timeouts: null
- module.log-export-project.google_project.project[0]:
- auto_create_network: false
- billing_account: 000000-111111-222222
- deletion_policy: DELETE
- folder_id: null
- labels: null
- name: fast-prod-audit-logs-0
+ member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
org_id: '123456789012'
- project_id: fast-prod-audit-logs-0
- timeouts: null
- module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]:
+ role: roles/billing.user
+ module.organization[0].google_organization_iam_member.bindings["sa_net_fw_policy_admin"]:
condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-audit-logs-0
- role: roles/owner
- module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]:
+ member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/compute.orgFirewallPolicyAdmin
+ module.organization[0].google_organization_iam_member.bindings["sa_net_xpn_admin"]:
condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- project: fast-prod-audit-logs-0
- role: roles/viewer
- module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: bigquery.googleapis.com
- timeouts: null
- module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: stackdriver.googleapis.com
- timeouts: null
- module.log-export-project.google_project_service.project_services["storage.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: fast-prod-audit-logs-0
- service: storage.googleapis.com
- timeouts: null
- module.organization-logging.google_logging_organization_settings.default[0]:
- organization: '123456789012'
- storage_location: global
- timeouts: null
- module.organization.google_logging_organization_sink.sink["audit-logs"]:
- description: audit-logs (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'log_id("cloudaudit.googleapis.com/activity") OR
+ member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/compute.xpnAdmin
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_billing"]:
+ condition: []
+ member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.user
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]:
+ condition:
+ - description: Org policy tag scoped grant for project factory main.
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
- log_id("cloudaudit.googleapis.com/system_event") OR
+ '
+ title: org_policy_tag_pf_scoped
+ member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/orgpolicy.policyAdmin
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_costs_manager"]:
+ condition: []
+ member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.costsManager
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_billing"]:
+ condition: []
+ member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.user
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"]:
+ condition:
+ - description: Org policy tag scoped grant for project factory dev.
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
- log_id("cloudaudit.googleapis.com/policy") OR
+ &&
- log_id("cloudaudit.googleapis.com/access_transparency")
+ resource.matchTag(''123456789012/environment'', ''development'')
- '
- include_children: true
- intercept_children: false
- name: audit-logs
+ '
+ title: org_policy_tag_pf_scoped_dev
+ member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["iam"]:
- description: iam (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR
+ role: roles/orgpolicy.policyAdmin
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_costs_manager"]:
+ condition: []
+ member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.costsManager
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_billing"]:
+ condition: []
+ member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.user
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"]:
+ condition:
+ - description: Org policy tag scoped grant for project factory prod.
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'')
- protoPayload.serviceName="iam.googleapis.com" OR
+ &&
- protoPayload.serviceName="sts.googleapis.com"
+ resource.matchTag(''123456789012/environment'', ''production'')
- '
- include_children: true
- intercept_children: false
- name: iam
+ '
+ title: org_policy_tag_pf_scoped_prod
+ member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["vpc-sc"]:
- description: vpc-sc (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
-
- '
- include_children: true
- intercept_children: false
- name: vpc-sc
+ role: roles/orgpolicy.policyAdmin
+ module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_costs_manager"]:
+ condition: []
+ member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
org_id: '123456789012'
- module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]:
- description: workspace-audit-logs (Terraform-managed).
- disabled: false
- exclusions: []
- filter: 'log_id("cloudaudit.googleapis.com/data_access") AND
-
- protoPayload.serviceName="login.googleapis.com"
-
- '
- include_children: true
- intercept_children: false
- name: workspace-audit-logs
+ role: roles/billing.costsManager
+ module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]:
+ condition: []
+ member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
org_id: '123456789012'
- module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableGuestAttributesAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableNestedVirtualization
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.disableSerialPortAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.requireOsLogin"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.requireOsLogin
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- values:
- - allowed_values:
- - in:INTERNAL
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.trustedImageProjects
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- values:
- - allowed_values:
- - is:projects/centos-cloud
- - is:projects/cos-cloud
- - is:projects/debian-cloud
- - is:projects/fedora-cloud
- - is:projects/fedora-coreos-cloud
- - is:projects/opensuse-cloud
- - is:projects/rhel-cloud
- - is:projects/rhel-sap-cloud
- - is:projects/rocky-linux-cloud
- - is:projects/suse-cloud
- - is:projects/suse-sap-cloud
- - is:projects/ubuntu-os-cloud
- - is:projects/ubuntu-os-pro-cloud
- - is:projects/windows-cloud
- - is:projects/windows-sql-cloud
- - is:projects/confidential-vm-images
- - is:projects/backupdr-images
- - is:projects/deeplearning-platform-release
- - is:projects/serverless-vpc-access-images
- denied_values: null
- timeouts: null
- module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/compute.vmExternalIpAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: 'TRUE'
- enforce: null
- values: []
- timeouts: null
- module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
+ role: roles/cloudasset.viewer
+ module.organization[0].google_organization_iam_member.bindings["sa_sec_billing"]:
+ condition: []
+ member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
+ org_id: '123456789012'
+ role: roles/billing.user
+ module.organization[0].google_tags_tag_key.default["context"]:
+ description: Resource management context.
parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition:
- - description: null
- expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')'
- location: null
- title: null
- deny_all: null
- enforce: null
- values:
- - allowed_values:
- - C00000000
- denied_values: null
- - allow_all: 'TRUE'
- condition:
- - description: null
- expression: resource.matchTag('123456789012/org-policies', 'allowed-policy-member-domains-all')
- location: null
- title: allow-all
- deny_all: null
- enforce: null
- values: []
+ purpose: null
+ purpose_data: null
+ short_name: context
timeouts: null
- module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts
+ module.organization[0].google_tags_tag_key.default["environment"]:
+ description: Environment definition.
parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
+ purpose: null
+ purpose_data: null
+ short_name: environment
timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
+ module.organization[0].google_tags_tag_value.default["context/data"]:
+ description: Managed by the Terraform organization module.
+ short_name: data
timeouts: null
- module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
+ module.organization[0].google_tags_tag_value.default["context/gcve"]:
+ description: Managed by the Terraform organization module.
+ short_name: gcve
timeouts: null
- module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- values:
- - allowed_values:
- - DISABLE_KEY
- denied_values: null
+ module.organization[0].google_tags_tag_value.default["context/gke"]:
+ description: Managed by the Terraform organization module.
+ short_name: gke
timeouts: null
- module.organization.google_org_policy_policy.default["run.allowedIngress"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/run.allowedIngress
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: null
- values:
- - allowed_values:
- - is:internal-and-cloud-load-balancing
- denied_values: null
+ module.organization[0].google_tags_tag_value.default["context/networking"]:
+ description: Managed by the Terraform organization module.
+ short_name: networking
timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
+ module.organization[0].google_tags_tag_value.default["context/project-factory"]:
+ description: Managed by the Terraform organization module.
+ short_name: project-factory
timeouts: null
- module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/sql.restrictPublicIp
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
+ module.organization[0].google_tags_tag_value.default["context/sandbox"]:
+ description: Managed by the Terraform organization module.
+ short_name: sandbox
timeouts: null
- module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.publicAccessPrevention
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
+ module.organization[0].google_tags_tag_value.default["context/security"]:
+ description: Managed by the Terraform organization module.
+ short_name: security
timeouts: null
- module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.secureHttpTransport
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
+ module.organization[0].google_tags_tag_value.default["environment/development"]:
+ description: Managed by the Terraform organization module.
+ short_name: development
timeouts: null
- module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
- dry_run_spec: []
- name: organizations/123456789012/policies/storage.uniformBucketLevelAccess
- parent: organizations/123456789012
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'TRUE'
- values: []
+ module.organization[0].google_tags_tag_value.default["environment/production"]:
+ description: Managed by the Terraform organization module.
+ short_name: production
timeouts: null
- module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]:
+ module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/development:pf"]:
condition: []
members:
- - group:gcp-billing-admins@fast.example.com
- org_id: '123456789012'
- role: roles/billing.creator
- module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
- condition: []
- members:
- - domain:fast.example.com
- org_id: '123456789012'
- role: roles/browser
- module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - group:gcp-security-admins@fast.example.com
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudasset.owner
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudsupport.admin
- module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
- condition: []
- members:
- - group:gcp-devops@fast.example.com
- - group:gcp-security-admins@fast.example.com
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/cloudsupport.techSupportEditor
- module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.osAdminLogin
- module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.osLoginExternalUser
- module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/essentialcontacts.admin
- module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/essentialcontacts.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.securityReviewer
- module.organization.google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
- condition: []
- members:
- - group:gcp-security-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/logging.admin
- module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/resourcemanager.tagUser
+ module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/production:pf"]:
condition: []
members:
- - group:gcp-devops@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/logging.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]:
- condition: []
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ role: roles/resourcemanager.tagUser
+ module.top-level-folder["teams"].google_folder.folder[0]:
+ display_name: Teams
+ parent: organizations/123456789012
+ timeouts: null
+ ? module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"]
+ : condition: []
members:
- - group:gcp-devops@fast.example.com
- org_id: '123456789012'
- role: roles/monitoring.viewer
- module.organization.google_organization_iam_binding.authoritative["roles/owner"]:
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
+ role: organizations/123456789012/roles/xpnServiceAdmin
+ module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- - group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
role: roles/owner
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
+ module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
condition: []
members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
role: roles/resourcemanager.folderAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
+ module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
condition: []
members:
- - group:gcp-devops@fast.example.com
- - group:gcp-vpc-network-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.folderViewer
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.organizationAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
role: roles/resourcemanager.projectCreator
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.projectMover
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]:
+ module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
condition: []
members:
- - group:gcp-organization-admins@fast.example.com
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagAdmin
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
+ - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com
role: roles/resourcemanager.tagUser
- module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/resourcemanager.tagViewer
- module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]:
- condition: []
- members:
- - group:gcp-organization-admins@fast.example.com
- - group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/securitycenter.admin
- module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]:
- condition: []
- members:
- - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/serviceusage.serviceUsageViewer
- module.organization.google_organization_iam_binding.bindings["organization_billing_conditional"]:
- condition:
- - description: Automation service account delegated grants.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/billing.admin','roles/billing.costsManager','roles/billing.user'])
- title: automation_sa_delegated_grants
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationIamAdmin
- module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]:
- condition:
- - description: Automation service account delegated grants.
- expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyAdmin'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer''])
-
- || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/privateCaUser'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin''])
-
- '
- title: automation_sa_delegated_grants
- members:
- - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/organizationIamAdmin
- module.organization.google_organization_iam_binding.bindings["organization_ngfw_enterprise_admin"]:
- condition: []
- members:
- - group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: organizations/123456789012/roles/ngfwEnterpriseAdmin
- module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - vmwareengine.networkPeerings.create
- - vmwareengine.networkPeerings.delete
- - vmwareengine.networkPeerings.get
- - vmwareengine.networkPeerings.list
- - vmwareengine.operations.get
- role_id: gcveNetworkAdmin
- stage: GA
- title: Custom role gcveNetworkAdmin
- module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.networks.setFirewallPolicy
- - networksecurity.firewallEndpointAssociations.create
- - networksecurity.firewallEndpointAssociations.delete
- - networksecurity.firewallEndpointAssociations.get
- - networksecurity.firewallEndpointAssociations.list
- - networksecurity.firewallEndpointAssociations.update
- role_id: networkFirewallPoliciesAdmin
- stage: GA
- title: Custom role networkFirewallPoliciesAdmin
- module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - networksecurity.firewallEndpoints.create
- - networksecurity.firewallEndpoints.delete
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.update
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.cancel
- - networksecurity.operations.delete
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.create
- - networksecurity.securityProfileGroups.delete
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.update
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.create
- - networksecurity.securityProfiles.delete
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.update
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.create
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.update
- - networksecurity.tlsInspectionPolicies.use
- role_id: ngfwEnterpriseAdmin
- stage: GA
- title: Custom role ngfwEnterpriseAdmin
- module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - networksecurity.firewallEndpoints.get
- - networksecurity.firewallEndpoints.list
- - networksecurity.firewallEndpoints.use
- - networksecurity.locations.get
- - networksecurity.locations.list
- - networksecurity.operations.get
- - networksecurity.operations.list
- - networksecurity.securityProfileGroups.get
- - networksecurity.securityProfileGroups.list
- - networksecurity.securityProfileGroups.use
- - networksecurity.securityProfiles.get
- - networksecurity.securityProfiles.list
- - networksecurity.securityProfiles.use
- - networksecurity.tlsInspectionPolicies.get
- - networksecurity.tlsInspectionPolicies.list
- - networksecurity.tlsInspectionPolicies.use
- role_id: ngfwEnterpriseViewer
- stage: GA
- title: Custom role ngfwEnterpriseViewer
- module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - essentialcontacts.contacts.get
- - essentialcontacts.contacts.list
- - logging.settings.get
- - orgpolicy.constraints.list
- - orgpolicy.policies.list
- - orgpolicy.policy.get
- - resourcemanager.folders.get
- - resourcemanager.folders.getIamPolicy
- - resourcemanager.folders.list
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.projects.get
- - resourcemanager.projects.getIamPolicy
- - resourcemanager.projects.list
- role_id: organizationAdminViewer
- stage: GA
- title: Custom role organizationAdminViewer
- module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - resourcemanager.organizations.get
- - resourcemanager.organizations.getIamPolicy
- - resourcemanager.organizations.setIamPolicy
- role_id: organizationIamAdmin
- stage: GA
- title: Custom role organizationIamAdmin
- module.organization.google_organization_iam_custom_role.roles["private_ca_user"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - privateca.caPools.get
- - privateca.caPools.use
- role_id: privateCaUser
- stage: GA
- title: Custom role privateCaUser
- module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.globalOperations.get
- - compute.networks.get
- - compute.networks.updatePeering
- - compute.organizations.disableXpnResource
- - compute.organizations.enableXpnResource
- - compute.projects.get
- - compute.subnetworks.getIamPolicy
- - compute.subnetworks.setIamPolicy
- - dns.networks.bindPrivateDNSZone
- - resourcemanager.projects.get
- role_id: serviceProjectNetworkAdmin
- stage: GA
- title: Custom role serviceProjectNetworkAdmin
- module.organization.google_organization_iam_custom_role.roles["storage_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - storage.buckets.get
- - storage.buckets.getIamPolicy
- - storage.buckets.getObjectInsights
- - storage.buckets.list
- - storage.buckets.listEffectiveTags
- - storage.buckets.listTagBindings
- - storage.managedFolders.get
- - storage.managedFolders.getIamPolicy
- - storage.managedFolders.list
- - storage.multipartUploads.list
- - storage.multipartUploads.listParts
- - storage.objects.create
- - storage.objects.get
- - storage.objects.getIamPolicy
- - storage.objects.list
- role_id: storageViewer
- stage: GA
- title: Custom role storageViewer
- module.organization.google_organization_iam_custom_role.roles["tag_viewer"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - resourcemanager.tagHolds.list
- - resourcemanager.tagKeys.get
- - resourcemanager.tagKeys.getIamPolicy
- - resourcemanager.tagKeys.list
- - resourcemanager.tagValues.get
- - resourcemanager.tagValues.getIamPolicy
- - resourcemanager.tagValues.list
- role_id: tagViewer
- stage: GA
- title: Custom role tagViewer
- module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]:
- description: Terraform-managed.
- org_id: '123456789012'
- permissions:
- - compute.globalOperations.get
- role_id: tenantNetworkAdmin
- stage: GA
- title: Custom role tenantNetworkAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyReader
- ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/accesscontextmanager.policyReader
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"]
- : condition: []
- member: group:gcp-billing-admins@fast.example.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.admin
- ? module.organization.google_organization_iam_member.bindings["roles/billing.user-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/billing.user
- ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/billing.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/cloudasset.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/cloudasset.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.networkAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.orgFirewallPolicyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.securityAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/compute.viewer-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"]
- : condition: []
- member: group:gcp-vpc-network-admins@fast.example.com
- org_id: '123456789012'
- role: roles/compute.xpnAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/container.viewer-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/container.viewer
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleViewer
- ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.organizationRoleViewer
- ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/iam.workforcePoolViewer
- ? module.organization.google_organization_iam_member.bindings["roles/logging.configWriter-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/logging.configWriter
- ? module.organization.google_organization_iam_member.bindings["roles/logging.privateLogViewer-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/logging.privateLogViewer
- ? module.organization.google_organization_iam_member.bindings["roles/monitoring.admin-group:gcp-monitoring-admins@fast.example.com"]
- : condition: []
- member: group:gcp-monitoring-admins@fast.example.com
- org_id: '123456789012'
- role: roles/monitoring.admin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyViewer
- ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
- : condition: []
- member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
- org_id: '123456789012'
- role: roles/orgpolicy.policyViewer
- ? module.organization.google_organization_iam_member.bindings["roles/resourcemanager.folderIamAdmin-group:gcp-security-admins@fast.example.com"]
- : condition: []
- member: group:gcp-security-admins@fast.example.com
- org_id: '123456789012'
- role: roles/resourcemanager.folderIamAdmin
- ? module.organization.google_organization_iam_member.bindings["roles/resourcemanager.organizationViewer-group:gcp-billing-admins@fast.example.com"]
- : condition: []
- member: group:gcp-billing-admins@fast.example.com
- org_id: '123456789012'
- role: roles/resourcemanager.organizationViewer
- ? module.organization.google_organization_iam_member.bindings["roles/storage.objectAdmin-group:gcp-organization-admins@fast.example.com"]
- : condition: []
- member: group:gcp-organization-admins@fast.example.com
- org_id: '123456789012'
- role: roles/storage.objectAdmin
- module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]:
- condition:
- - title: audit-logs bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["iam"]:
- condition:
- - title: iam bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]:
- condition:
- - title: vpc-sc bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]:
- condition:
- - title: workspace-audit-logs bucket writer
- role: roles/logging.bucketWriter
- module.organization.google_tags_tag_key.default["org-policies"]:
- description: Organization policy conditions.
- parent: organizations/123456789012
- purpose: null
- purpose_data: null
- short_name: org-policies
- timeouts: null
- module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]:
- description: Managed by the Terraform organization module.
- short_name: allowed-policy-member-domains-all
+ module.top-level-folder["teams"].google_tags_tag_binding.binding["context"]:
timeouts: null
counts:
- google_bigquery_dataset: 1
- google_bigquery_default_service_account: 3
- google_essential_contacts_contact: 3
- google_logging_organization_settings: 1
- google_logging_organization_sink: 4
- google_logging_project_bucket_config: 4
- google_org_policy_policy: 22
- google_organization_iam_binding: 28
- google_organization_iam_custom_role: 11
- google_organization_iam_member: 42
- google_project: 3
- google_project_iam_audit_config: 1
- google_project_iam_binding: 19
- google_project_iam_member: 16
- google_project_service: 31
- google_project_service_identity: 7
- google_service_account: 6
- google_service_account_iam_binding: 2
- google_service_account_iam_member: 1
+ google_folder: 5
+ google_folder_iam_binding: 29
+ google_organization_iam_member: 14
+ google_project_iam_member: 10
+ google_service_account: 10
+ google_service_account_iam_binding: 10
google_storage_bucket: 5
- google_storage_bucket_iam_binding: 4
- google_storage_bucket_iam_member: 6
- google_storage_bucket_object: 12
- google_storage_project_service_account: 3
- google_tags_tag_key: 1
- google_tags_tag_value: 1
+ google_storage_bucket_iam_binding: 10
+ google_storage_bucket_iam_member: 10
+ google_storage_bucket_object: 11
+ google_tags_tag_binding: 5
+ google_tags_tag_key: 2
+ google_tags_tag_value: 9
+ google_tags_tag_value_iam_binding: 2
modules: 21
- resources: 237
+ resources: 132
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 463fe642cd..4d15585059 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -21,7 +21,7 @@ counts:
google_logging_project_bucket_config: 4
google_org_policy_policy: 22
google_organization_iam_binding: 28
- google_organization_iam_custom_role: 11
+ google_organization_iam_custom_role: 10
google_organization_iam_member: 29
google_project: 3
google_project_iam_audit_config: 1
@@ -41,7 +41,7 @@ counts:
google_tags_tag_value: 1
local_file: 10
modules: 20
- resources: 231
+ resources: 230
outputs:
automation: __missing__
@@ -54,7 +54,6 @@ outputs:
ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer
organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer
organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin
- private_ca_user: organizations/123456789012/roles/privateCaUser
service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin
storage_viewer: organizations/123456789012/roles/storageViewer
tag_viewer: organizations/123456789012/roles/tagViewer
@@ -73,3 +72,4 @@ outputs:
workload_identity_pool:
pool: null
providers: {}
+
diff --git a/tests/fast/stages/s1_resman/checklist.tfvars b/tests/fast/stages/s1_resman/checklist.tfvars
index eac8904399..8099773124 100644
--- a/tests/fast/stages/s1_resman/checklist.tfvars
+++ b/tests/fast/stages/s1_resman/checklist.tfvars
@@ -18,7 +18,6 @@ custom_roles = {
ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
- private_ca_user = "organizations/123456789012/roles/privateCaUser"
service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
storage_viewer = "organizations/123456789012/roles/storageViewer"
}
diff --git a/tests/fast/stages/s1_resman/checklist.yaml b/tests/fast/stages/s1_resman/checklist.yaml
index 2f59bbee64..468359aa8e 100644
--- a/tests/fast/stages/s1_resman/checklist.yaml
+++ b/tests/fast/stages/s1_resman/checklist.yaml
@@ -16,6 +16,7 @@ values:
google_storage_bucket_object.providers["2-networking"]:
bucket: test
cache_control: null
+ content:
content_disposition: null
content_encoding: null
content_language: null
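Review bot: The added `content:` on `providers["2-networking"]` is a bare key with no value, which YAML parses as `null`, so in a fixture it is indistinguishable from a typo or an accidentally unset attribute. If the intent is to assert that the plan carries a null `content` for that object, write it explicitly as `content: null` so the expectation reads as deliberate; if the intent is to skip checking the value, use whatever sentinel this harness uses for that (the `s0_bootstrap` fixture below uses `__missing__` for outputs, though I cannot tell from here whether the same applies to resource attributes). This line also looks unrelated to the `private_ca_user` removal the rest of the commit makes, so it may be snapshot drift that deserves its own commit.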
@@ -598,7 +599,7 @@ values:
module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]:
condition:
- description: Certificate Authority Service delegated grants.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager','organizations/123456789012/roles/privateCaUser'])
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager'])
title: security_sa_delegated_grants
members:
- serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
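Review bot: The expected `modifiedGrantsByRole` allowlist for `fast2-prod-resman-sec-0` now contains only `roles/privateca.certificateManager`, which tightens what the security-stage SA may delegate, but the `s2_security` fixtures in this same commit drop the `nsec_*` service accounts' `privateCaUser` bindings (`privateca.caPools.get`/`use`) without any replacement binding appearing in the snapshots. Unless those network-security SAs no longer need to consume CA pools, confirm where that access is granted now; if it is granted through a predefined role, that role would also have to appear in this `hasOnly` list for the delegated grant to succeed, and this fixture would change again. It would help to record the intent in the condition, e.g. `description: Certificate Authority Service delegated grants (certificate manager only; CA pool consumption is no longer delegated).`, provided that matches the stage source, which is outside this diff.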
diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars
index fc011a956c..5a999ff8c1 100644
--- a/tests/fast/stages/s1_resman/simple.tfvars
+++ b/tests/fast/stages/s1_resman/simple.tfvars
@@ -18,7 +18,6 @@ custom_roles = {
ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
- private_ca_user = "organizations/123456789012/roles/privateCaUser"
service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
storage_viewer = "organizations/123456789012/roles/storageViewer"
}
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml
index 8fadcd1440..8c019e5d0f 100644
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
@@ -610,7 +610,7 @@ values:
module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]:
condition:
- description: Certificate Authority Service delegated grants.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager','organizations/123456789012/roles/privateCaUser'])
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager'])
title: security_sa_delegated_grants
members:
- serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
diff --git a/tests/fast/stages/s2_security/simple.tfvars b/tests/fast/stages/s2_security/simple.tfvars
index cb94918951..0dff490379 100644
--- a/tests/fast/stages/s2_security/simple.tfvars
+++ b/tests/fast/stages/s2_security/simple.tfvars
@@ -4,9 +4,6 @@ automation = {
billing_account = {
id = "000000-111111-222222"
}
-custom_roles = {
- private_ca_user = "organizations/123456789012/roles/privateCaUser"
-}
essential_contacts = "gcp-security-admins@fast.example.com"
folder_ids = {
security = null
diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml
index ece3432203..e98ac3805a 100644
--- a/tests/fast/stages/s2_security/simple.yaml
+++ b/tests/fast/stages/s2_security/simple.yaml
@@ -153,16 +153,6 @@ values:
member: serviceAccount:foobar@iam.gserviceaccount.com
project: fast-dev-sec-core-0
role: roles/cloudkms.admin
- module.dev-sec-project.google_project_iam_member.bindings["nsec_dev_sa_binding"]:
- condition: []
- member: serviceAccount:foobar@iam.gserviceaccount.com
- project: fast-dev-sec-core-0
- role: organizations/123456789012/roles/privateCaUser
- module.dev-sec-project.google_project_iam_member.bindings["nsec_dev_sa_r_binding"]:
- condition: []
- member: serviceAccount:foobar@iam.gserviceaccount.com
- project: fast-dev-sec-core-0
- role: organizations/123456789012/roles/privateCaUser
module.dev-sec-project.google_project_iam_member.service_agents["certificatemanager"]:
condition: []
project: fast-dev-sec-core-0
@@ -376,16 +366,6 @@ values:
member: serviceAccount:foobar@iam.gserviceaccount.com
project: fast-prod-sec-core-0
role: roles/cloudkms.admin
- module.prod-sec-project.google_project_iam_member.bindings["nsec_prod_sa_binding"]:
- condition: []
- member: serviceAccount:foobar@iam.gserviceaccount.com
- project: fast-prod-sec-core-0
- role: organizations/123456789012/roles/privateCaUser
- module.prod-sec-project.google_project_iam_member.bindings["nsec_prod_sa_r_binding"]:
- condition: []
- member: serviceAccount:foobar@iam.gserviceaccount.com
- project: fast-prod-sec-core-0
- role: organizations/123456789012/roles/privateCaUser
module.prod-sec-project.google_project_iam_member.service_agents["certificatemanager"]:
condition: []
project: fast-prod-sec-core-0
@@ -473,9 +453,24 @@ counts:
google_kms_key_ring: 8
google_project: 2
google_project_iam_binding: 2
- google_project_iam_member: 12
+ google_project_iam_member: 8
google_project_service: 14
google_project_service_identity: 12
google_storage_bucket_object: 1
modules: 11
- resources: 69
+ resources: 65
+
+outputs:
+ cas_configs:
+ dev: {}
+ prod: {}
+ kms_keys: __missing__
+ ngfw_tls_configs:
+ tls_enabled: false
+ tls_ip_ids_by_region:
+ dev: {}
+ prod: {}
+ tfvars: __missing__
+ trust_config_ids:
+ dev: {}
+ prod: {}
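Review bot: The new `outputs` block asserts `kms_keys` and `tfvars` as `__missing__` while the neighbouring outputs are pinned to concrete values, and nothing in this fixture says what that sentinel means, so a reader checking the expected state cannot tell whether those two outputs are intentionally unknown at plan time or simply not yet covered. If the sentinel is the test harness's marker for a value known only after apply (which seems likely but cannot be confirmed from the diff), a one-line comment above the block such as `# __missing__: output is not known at plan time and is deliberately not asserted` would make the intent explicit. The empty `dev: {}` / `prod: {}` maps for `cas_configs` and `trust_config_ids`, together with the `google_project_iam_member` count dropping from 12 to 8 and `resources` from 69 to 65, are consistent with the four privateCaUser bindings removed in the earlier hunks of this file, so those assertions look right.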