From d693d9a52f8ab12ae133d99bdc2749069b0b590f Mon Sep 17 00:00:00 2001
From: Luca Prete
Date: Wed, 28 Aug 2024 13:44:16 +0200
Subject: [PATCH] remove unused private_ca role for network-security stage
---
 .../data/custom-roles/private_ca_user.yaml | 20 -
 fast/stages/0-bootstrap/organization.tf | 1 -
 fast/stages/1-resman/README.md | 14 +-
 fast/stages/1-resman/branch-security.tf | 3 +-
 fast/stages/1-resman/variables-fast.tf | 1 -
 fast/stages/2-security/README.md | 9 +-
 fast/stages/2-security/core-dev.tf | 14 +-
 fast/stages/2-security/core-prod.tf | 14 +-
 fast/stages/2-security/variables-fast.tf | 9 -
 tests/fast/stages/s0_bootstrap/checklist.yaml | 2144 ++++-------------
 tests/fast/stages/s0_bootstrap/simple.yaml | 6 +-
 tests/fast/stages/s1_resman/checklist.tfvars | 1 -
 tests/fast/stages/s1_resman/checklist.yaml | 3 +-
 tests/fast/stages/s1_resman/simple.tfvars | 1 -
 tests/fast/stages/s1_resman/simple.yaml | 2 +-
 tests/fast/stages/s2_security/simple.tfvars | 3 -
 tests/fast/stages/s2_security/simple.yaml | 39 +-
 17 files changed, 570 insertions(+), 1714 deletions(-)
 delete mode 100644 fast/stages/0-bootstrap/data/custom-roles/private_ca_user.yaml
diff --git a/fast/stages/0-bootstrap/data/custom-roles/private_ca_user.yaml b/fast/stages/0-bootstrap/data/custom-roles/private_ca_user.yaml
deleted file mode 100644
index eeabd8f6e0..0000000000
--- a/fast/stages/0-bootstrap/data/custom-roles/private_ca_user.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright 2024 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# yaml-language-server: $schema=../../schemas/custom-role.schema.json
-
-name: privateCaUser
-includedPermissions:
- - privateca.caPools.get
- - privateca.caPools.use
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index 4c6e39a952..7505e149b3 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -191,7 +191,6 @@ module "organization" {
 module.organization.custom_role_id["network_firewall_policies_admin"],
 module.organization.custom_role_id["ngfw_enterprise_admin"],
 module.organization.custom_role_id["ngfw_enterprise_viewer"],
- module.organization.custom_role_id["private_ca_user"],
 module.organization.custom_role_id["service_project_network_admin"],
 module.organization.custom_role_id["tenant_network_admin"]
 ]))
diff --git a/fast/stages/1-resman/README.md b/fast/stages/1-resman/README.md
index 852ae27808..854fa6c507 100644
--- a/fast/stages/1-resman/README.md
+++ b/fast/stages/1-resman/README.md
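Review bot: Dropping `private_ca_user` from this custom-role id list (together with the deleted data/custom-roles/private_ca_user.yaml) removes the role at org level while the old 1-resman and 2-security code still declares `private_ca_user = string` as a required attribute of their `custom_roles` object and still binds it in core-dev.tf/core-prod.tf, so the three stages can only be rolled forward together: applying the new 0-bootstrap against an existing deployment running the old downstream code would presumably fail on the missing attribute, and existing bindings to the deleted role linger as deleted-role references until 2-security is re-applied. Suggest stating the required apply order (0-bootstrap, then 1-resman, then 2-security) in the commit description or the stage README. The enclosing `module "organization"` block starts and ends outside the hunk.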
@@ -267,18 +267,18 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L19) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables-fast.tf#L42) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | 0-bootstrap |
-| [logging](variables-fast.tf#L97) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory |
-| [organization](variables-fast.tf#L110) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L128) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
+| [logging](variables-fast.tf#L96) | Logging configuration for tenants. | object({…}) | ✓ | | 1-tenant-factory |
+| [organization](variables-fast.tf#L109) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables-fast.tf#L127) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | 0-bootstrap |
 | [cicd_repositories](variables.tf#L20) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
-| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
+| [custom_roles](variables-fast.tf#L53) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [factories_config](variables.tf#L122) | Configuration for the resource factories or external data. | object({…}) | | {} | |
 | [fast_features](variables.tf#L133) | Selective control for top-level FAST features. | object({…}) | | {} | |
 | [folder_iam](variables.tf#L146) | Authoritative IAM for top-level folders. | object({…}) | | {} | |
-| [groups](variables-fast.tf#L69) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
-| [locations](variables-fast.tf#L84) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
+| [groups](variables-fast.tf#L68) | Group names or IAM-format principals to grant organization-level permissions. If just the name is provided, the 'group:' principal and organization domain are interpolated. | object({…}) | | {} | 0-bootstrap |
+| [locations](variables-fast.tf#L83) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | 0-bootstrap |
 | [outputs_location](variables.tf#L160) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [root_node](variables-fast.tf#L134) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
+| [root_node](variables-fast.tf#L133) | Root node for the hierarchy, if running in tenant mode. | string | | null | 0-bootstrap |
 | [tag_names](variables.tf#L166) | Customized names for resource management tags. | object({…}) | | {} | |
 | [tags](variables.tf#L180) | Custom secure tags by key name. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} | |
 | [top_level_folders](variables.tf#L201) | Additional top-level folders. Keys are used for service account and bucket names, values implement the folders module interface with the addition of the 'automation' attribute. | map(object({…})) | | {} | |
diff --git a/fast/stages/1-resman/branch-security.tf b/fast/stages/1-resman/branch-security.tf
index 754cb24ce7..97cba1d7b1 100644
--- a/fast/stages/1-resman/branch-security.tf
+++ b/fast/stages/1-resman/branch-security.tf
@@ -60,8 +60,7 @@ module "branch-security-folder" {
 expression = format(
 "api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([%s])",
 join(",", formatlist("'%s'", [
- "roles/privateca.certificateManager",
- var.custom_roles.private_ca_user
+ "roles/privateca.certificateManager"
 ]))
 )
 title = "security_sa_delegated_grants"
diff --git a/fast/stages/1-resman/variables-fast.tf b/fast/stages/1-resman/variables-fast.tf
index 888460a10a..1418d91ef1 100644
--- a/fast/stages/1-resman/variables-fast.tf
+++ b/fast/stages/1-resman/variables-fast.tf
@@ -59,7 +59,6 @@ variable "custom_roles" {
 ngfw_enterprise_admin = string
 ngfw_enterprise_viewer = string
 organization_admin_viewer = string
- private_ca_user = string
 service_project_network_admin = string
 storage_viewer = string
 })
diff --git a/fast/stages/2-security/README.md b/fast/stages/2-security/README.md
index fbb8ea647d..f510f0844d 100644
--- a/fast/stages/2-security/README.md
+++ b/fast/stages/2-security/README.md
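Review bot: In the `security_sa_delegated_grants` condition the `join(",", formatlist("'%s'", [...]))` scaffolding now wraps a single literal, which reads as leftover machinery rather than intent; either inline `'roles/privateca.certificateManager'` into the `hasOnly([...])` expression or keep the list and say why, e.g. `# roles the security stage SA is allowed to grant via modifiedGrantsByRole; extend here, never widen the expression`. Narrowing this `hasOnly` set is the right direction, since it is the guard on what the delegated `projectIamAdmin`-style grant lets the SA hand out. The enclosing `module "branch-security-folder"` block starts and ends outside the hunk.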
@@ -281,12 +281,11 @@ tls_inspection = {
 |---|---|:---:|:---:|:---:|:---:|
 | [automation](variables-fast.tf#L17) | Automation resources created by the bootstrap stage. | object({…}) | ✓ | | 0-bootstrap |
 | [billing_account](variables-fast.tf#L25) | Billing account id. If billing account is not part of the same org set `is_org_level` to false. | object({…}) | ✓ | | 0-bootstrap |
-| [folder_ids](variables-fast.tf#L47) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman |
-| [organization](variables-fast.tf#L55) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
-| [prefix](variables-fast.tf#L65) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
-| [service_accounts](variables-fast.tf#L75) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman |
+| [folder_ids](variables-fast.tf#L38) | Folder name => id mappings, the 'security' folder name must exist. | object({…}) | ✓ | | 1-resman |
+| [organization](variables-fast.tf#L46) | Organization details. | object({…}) | ✓ | | 0-bootstrap |
+| [prefix](variables-fast.tf#L56) | Prefix used for resources that need unique names. Use a maximum of 9 chars for organizations, and 11 chars for tenants. | string | ✓ | | 0-bootstrap |
+| [service_accounts](variables-fast.tf#L66) | Automation service accounts that can assign the encrypt/decrypt roles on keys. | object({…}) | ✓ | | 1-resman |
 | [cas_configs](variables.tf#L17) | The CAS CAs to add to each environment. | object({…}) | | {…} | |
-| [custom_roles](variables-fast.tf#L38) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [essential_contacts](variables.tf#L46) | Email used for essential contacts, unset if null. | string | | null | |
 | [kms_keys](variables.tf#L52) | KMS keys to create, keyed by name. | map(object({…})) | | {} | |
 | [ngfw_tls_configs](variables.tf#L91) | The CAS and trust configurations key names to be used for NGFW Enterprise. | object({…}) | | {…} | |
diff --git a/fast/stages/2-security/core-dev.tf b/fast/stages/2-security/core-dev.tf
index a15e98adcd..9ac7d417fd 100644
--- a/fast/stages/2-security/core-dev.tf
+++ b/fast/stages/2-security/core-dev.tf
@@ -27,16 +27,6 @@ locals {
 role = "roles/privateca.certificateManager"
 }
 }
- ngfw_dev_sa_cas_iam_bindings_additive = {
- nsec_dev_sa_binding = {
- member = "serviceAccount:${var.service_accounts.nsec}"
- role = var.custom_roles.private_ca_user
- }
- nsec_dev_sa_r_binding = {
- member = "serviceAccount:${var.service_accounts.nsec-r}"
- role = var.custom_roles.private_ca_user
- }
- }
 dev_kms_restricted_admins = [
 for sa in distinct(compact([
 var.service_accounts.data-platform-dev,
@@ -56,12 +46,12 @@ module "dev-sec-project" {
 iam = {
 "roles/cloudkms.viewer" = local.dev_kms_restricted_admins
 }
- iam_bindings_additive = merge({
+ iam_bindings_additive = {
 for member in local.dev_kms_restricted_admins :
 "kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, {
 member = member
 })
- }, local.ngfw_dev_sa_cas_iam_bindings_additive)
+ }
 labels = { environment = "dev", team = "security" }
 services = local.project_services
 }
diff --git a/fast/stages/2-security/core-prod.tf b/fast/stages/2-security/core-prod.tf
index d6b342085e..c98fe70289 100644
--- a/fast/stages/2-security/core-prod.tf
+++ b/fast/stages/2-security/core-prod.tf
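Review bot: After `ngfw_dev_sa_cas_iam_bindings_additive` is dropped, the only CAS-related binding left in this `locals` block is the `roles/privateca.certificateManager` one whose member is above the hunk, and nothing in the file records that the `nsec`/`nsec-r` automation SAs intentionally hold no role on the CA pools any more; the same applies to `ngfw_prod_sa_cas_iam_bindings_additive` in core-prod.tf. A one-line comment on the surviving binding, e.g. `# only CAS grant kept for network security; the nsec/nsec-r automation SAs need no caPools.use here`, would stop the custom role from being reintroduced the next time someone debugs TLS inspection. Presumably the NGFW TLS inspection path relies on the service-agent binding rather than on the deploying SA, which is what makes the removed grants unused, so this is a documentation point only. Note that existing deployments lose these additive bindings on the next apply of this stage, which is intended here but worth a line in the commit description. The `locals` block and `module "dev-sec-project"` both start and end outside the hunks.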
@@ -27,16 +27,6 @@ locals {
 role = "roles/privateca.certificateManager"
 }
 }
- ngfw_prod_sa_cas_iam_bindings_additive = {
- nsec_prod_sa_binding = {
- member = "serviceAccount:${var.service_accounts.nsec}"
- role = var.custom_roles.private_ca_user
- }
- nsec_prod_sa_r_binding = {
- member = "serviceAccount:${var.service_accounts.nsec-r}"
- role = var.custom_roles.private_ca_user
- }
- }
 prod_kms_restricted_admins = [
 for sa in distinct(compact([
 var.service_accounts.data-platform-prod,
@@ -55,12 +45,12 @@ module "prod-sec-project" {
 iam = {
 "roles/cloudkms.viewer" = local.prod_kms_restricted_admins
 }
- iam_bindings_additive = merge({
+ iam_bindings_additive = {
 for member in local.prod_kms_restricted_admins :
 "kms_restricted_admin.${member}" => merge(local.kms_restricted_admin_template, {
 member = member
 })
- }, local.ngfw_prod_sa_cas_iam_bindings_additive)
+ }
 labels = { environment = "prod", team = "security" }
 services = local.project_services
 }
diff --git a/fast/stages/2-security/variables-fast.tf b/fast/stages/2-security/variables-fast.tf
index c499440e12..7d6259920e 100644
--- a/fast/stages/2-security/variables-fast.tf
+++ b/fast/stages/2-security/variables-fast.tf
@@ -35,15 +35,6 @@ variable "billing_account" {
 }
 }
 
-variable "custom_roles" {
- # tfdoc:variable:source 0-bootstrap
- description = "Custom roles defined at the org level, in key => id format."
- type = object({
- private_ca_user = string
- })
- default = null
-}
-
 variable "folder_ids" {
 # tfdoc:variable:source 1-resman
 description = "Folder name => id mappings, the 'security' folder name must exist."
diff --git a/tests/fast/stages/s0_bootstrap/checklist.yaml b/tests/fast/stages/s0_bootstrap/checklist.yaml
index 8e1fe2d1cc..8fadcd1440 100644
--- a/tests/fast/stages/s0_bootstrap/checklist.yaml
+++ b/tests/fast/stages/s0_bootstrap/checklist.yaml
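Review bot: Removing `variable "custom_roles"` from 2-security leaves any `custom_roles` key still present in the tfvars this stage receives as an undeclared input (the deleted `# tfdoc:variable:source 0-bootstrap` marker shows it was fed from the 0-bootstrap output), which Terraform reports as a "Value for undeclared variable" warning on every plan of existing deployments until 0-bootstrap has been re-applied and its tfvars regenerated. Confirm that the 0-bootstrap tfvars output for this stage no longer emits the key, or mention the transient warning in the stage README so operators do not chase it. The hunk is a pure removal otherwise; the neighbouring `variable "billing_account"` and `variable "folder_ids"` blocks are cut at the hunk edges.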
@@ -13,8 +13,8 @@ # limitations under the License. values: - google_storage_bucket_object.checklist_data[0]: - bucket: fast-prod-iac-core-checklist-0 + google_storage_bucket_object.providers["2-networking"]: + bucket: test cache_control: null content_disposition: null content_encoding: null @@ -23,13 +23,13 @@ values: detect_md5hash: different hash event_based_hold: null metadata: null - name: checklist/data.tfvars.json + name: providers/2-networking-providers.tf retention: [] - source: checklist-data.json + source: null temporary_hold: null timeouts: null - google_storage_bucket_object.checklist_org_iam[0]: - bucket: fast-prod-iac-core-checklist-0 + google_storage_bucket_object.providers["2-networking-r"]: + bucket: test cache_control: null content_disposition: null content_encoding: null @@ -38,27 +38,13 @@ values: detect_md5hash: different hash event_based_hold: null metadata: null - name: checklist/org-iam.tfvars.json - retention: [] - source: checklist-org-iam.json - temporary_hold: null - timeouts: null - google_storage_bucket_object.providers["0-bootstrap"]: - bucket: fast-prod-iac-core-outputs-0 - cache_control: null - content_encoding: null - content_language: null - customer_encryption: [] - detect_md5hash: different hash - event_based_hold: null - metadata: null - name: providers/0-bootstrap-providers.tf + name: providers/2-networking-r-providers.tf retention: [] source: null temporary_hold: null timeouts: null - google_storage_bucket_object.providers["0-bootstrap-r"]: - bucket: fast-prod-iac-core-outputs-0 + google_storage_bucket_object.providers["2-project-factory"]: + bucket: test cache_control: null content_encoding: null content_language: null 
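Review bot: The rewritten fixture no longer appears to describe the 0-bootstrap checklist plan: the removed entries (`google_storage_bucket_object.checklist_data[0]`, `checklist_org_iam[0]`, the `fast-prod-iac-core-*` buckets and `checklist-*.json` sources) were the checklist-specific resources, while the added ones (`providers["2-networking"]` with `bucket: test`, `tfvars/1-resman.auto.tfvars.json`, and the `module.branch-network-*` folders and `fast2-*-resman-*` service accounts in the following hunks) look like a 1-resman inventory. A one-role removal should not touch this file by 2144 lines, so the fixture seems to have been regenerated from the wrong stage or test, which would silently drop the coverage of the checklist's org IAM output that this test exists for. Suggest regenerating tests/fast/stages/s0_bootstrap/checklist.yaml from the s0_bootstrap checklist test and re-checking the diffstat before merging. The same concern applies to the remaining hunks of this file, including the one cut off at the end of the page.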
@@ -66,41 +52,43 @@ values: detect_md5hash: different hash event_based_hold: null metadata: null - name: providers/0-bootstrap-r-providers.tf + name: providers/2-project-factory-providers.tf retention: [] source: null temporary_hold: null timeouts: null - google_storage_bucket_object.providers["1-resman"]: - bucket: fast-prod-iac-core-outputs-0 + google_storage_bucket_object.providers["2-project-factory-dev"]: + bucket: test cache_control: null + content_disposition: null content_encoding: null content_language: null customer_encryption: [] detect_md5hash: different hash event_based_hold: null metadata: null - name: providers/1-resman-providers.tf + name: providers/2-project-factory-dev-providers.tf retention: [] source: null temporary_hold: null timeouts: null - google_storage_bucket_object.providers["1-resman-r"]: - bucket: fast-prod-iac-core-outputs-0 + google_storage_bucket_object.providers["2-project-factory-dev-r"]: + bucket: test cache_control: null + content_disposition: null content_encoding: null content_language: null customer_encryption: [] detect_md5hash: different hash event_based_hold: null metadata: null - name: providers/1-resman-r-providers.tf + name: providers/2-project-factory-dev-r-providers.tf retention: [] source: null temporary_hold: null timeouts: null - google_storage_bucket_object.providers["1-tenant-factory"]: - bucket: fast-prod-iac-core-outputs-0 + google_storage_bucket_object.providers["2-project-factory-prod"]: + bucket: test cache_control: null content_disposition: null content_encoding: null 
@@ -109,13 +97,13 @@ values: detect_md5hash: different hash event_based_hold: null metadata: null - name: providers/1-tenant-factory-providers.tf + name: providers/2-project-factory-prod-providers.tf retention: [] source: null temporary_hold: null timeouts: null - google_storage_bucket_object.providers["1-tenant-factory-r"]: - bucket: fast-prod-iac-core-outputs-0 + google_storage_bucket_object.providers["2-project-factory-prod-r"]: + bucket: test cache_control: null content_disposition: null content_encoding: null @@ -124,28 +112,27 @@ values: detect_md5hash: different hash event_based_hold: null metadata: null - name: providers/1-tenant-factory-r-providers.tf + name: providers/2-project-factory-prod-r-providers.tf retention: [] source: null temporary_hold: null timeouts: null - google_storage_bucket_object.providers["1-vpcsc"]: - bucket: fast-prod-iac-core-outputs-0 + google_storage_bucket_object.providers["2-project-factory-r"]: + bucket: test cache_control: null - content_disposition: null content_encoding: null content_language: null customer_encryption: [] detect_md5hash: different hash event_based_hold: null metadata: null - name: providers/1-vpcsc-providers.tf + name: providers/2-project-factory-r-providers.tf retention: [] source: null temporary_hold: null timeouts: null - google_storage_bucket_object.providers["1-vpcsc-r"]: - bucket: fast-prod-iac-core-outputs-0 + google_storage_bucket_object.providers["2-security"]: + bucket: test cache_control: null content_disposition: null content_encoding: null @@ -154,13 +141,13 @@ values: detect_md5hash: different hash event_based_hold: null metadata: null - name: providers/1-vpcsc-r-providers.tf + name: providers/2-security-providers.tf retention: [] source: null temporary_hold: null timeouts: null - google_storage_bucket_object.tfvars: - bucket: fast-prod-iac-core-outputs-0 + google_storage_bucket_object.providers["2-security-r"]: + bucket: test cache_control: null content_disposition: null content_encoding: null 
@@ -169,15 +156,14 @@ values: detect_md5hash: different hash event_based_hold: null metadata: null - name: tfvars/0-bootstrap.auto.tfvars.json + name: providers/2-security-r-providers.tf retention: [] source: null temporary_hold: null timeouts: null - google_storage_bucket_object.tfvars_globals: - bucket: fast-prod-iac-core-outputs-0 + google_storage_bucket_object.tfvars: + bucket: test cache_control: null - content: '{"billing_account":{"id":"000000-111111-222222","is_org_level":true,"no_iam":false},"environments":{"dev":{"is_default":false,"name":"Development"},"prod":{"is_default":true,"name":"Production"}},"groups":{"gcp-billing-admins":"group:gcp-billing-admins@fast.example.com","gcp-devops":"group:gcp-devops@fast.example.com","gcp-network-admins":"group:gcp-vpc-network-admins@fast.example.com","gcp-organization-admins":"group:gcp-organization-admins@fast.example.com","gcp-security-admins":"group:gcp-security-admins@fast.example.com","gcp-support":"group:gcp-devops@fast.example.com"},"locations":{"bq":"EU","gcs":"EU","logging":"europe-west1","pubsub":[]},"organization":{"customer_id":"C00000000","domain":"fast.example.com","id":123456789012},"prefix":"fast"}' content_disposition: null content_encoding: null content_language: null 
@@ -185,400 +171,85 @@ values: detect_md5hash: different hash event_based_hold: null metadata: null - name: tfvars/0-globals.auto.tfvars.json + name: tfvars/1-resman.auto.tfvars.json retention: [] source: null temporary_hold: null timeouts: null - module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]: - project: fast-prod-iac-core-0 - module.automation-project.data.google_storage_project_service_account.gcs_sa[0]: - project: fast-prod-iac-core-0 - user_project: null - module.automation-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: - email: gcp-organization-admins@fast.example.com - language_tag: en - notification_category_subscriptions: - - ALL - parent: projects/fast-prod-iac-core-0 + module.branch-network-dev-folder.google_folder.folder[0]: + display_name: Development timeouts: null - module.automation-project.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: - dry_run_spec: [] - name: projects/fast-prod-iac-core-0/policies/compute.skipDefaultNetworkCreation - parent: projects/fast-prod-iac-core-0 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.automation-project.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]: - dry_run_spec: [] - name: projects/fast-prod-iac-core-0/policies/iam.automaticIamGrantsForDefaultServiceAccounts - parent: projects/fast-prod-iac-core-0 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.automation-project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: - dry_run_spec: [] - name: projects/fast-prod-iac-core-0/policies/iam.disableServiceAccountKeyCreation - parent: projects/fast-prod-iac-core-0 - spec: - - inherit_from_parent: null - reset: null 
- rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.automation-project.google_project.project[0]: - auto_create_network: false - billing_account: 000000-111111-222222 - deletion_policy: DELETE - folder_id: null - labels: null - name: fast-prod-iac-core-0 - org_id: '123456789012' - project_id: fast-prod-iac-core-0 - timeouts: null - module.automation-project.google_project_iam_audit_config.default["iam.googleapis.com"]: - audit_log_config: - - exempted_members: [] - log_type: ADMIN_READ - project: fast-prod-iac-core-0 - service: iam.googleapis.com - module.automation-project.google_project_iam_binding.authoritative["organizations/123456789012/roles/storageViewer"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: organizations/123456789012/roles/storageViewer - module.automation-project.google_project_iam_binding.authoritative["roles/browser"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/browser - module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/cloudbuild.builds.editor - module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.viewer"]: - condition: [] + ? module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"] + : condition: [] + members: null + role: organizations/123456789012/roles/gcveNetworkAdmin + ? 
module.branch-network-dev-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] + : condition: [] members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/cloudbuild.builds.viewer - module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]: + - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/xpnServiceAdmin + module.branch-network-dev-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: condition: [] members: - - group:gcp-devops@fast.example.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/iam.serviceAccountAdmin - module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.networkViewer + module.branch-network-dev-folder.google_tags_tag_binding.binding["environment"]: + timeouts: null + module.branch-network-folder.google_folder.folder[0]: + display_name: Networking + parent: organizations/123456789012 + timeouts: null + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/browser"]: condition: [] members: - - group:gcp-devops@fast.example.com - - group:gcp-organization-admins@fast.example.com - project: fast-prod-iac-core-0 - role: roles/iam.serviceAccountTokenCreator - module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountViewer"]: + - user:extra-browser@fast.example.com + role: roles/browser + 
module.branch-network-folder.google_folder_iam_binding.authoritative["roles/compute.xpnAdmin"]: condition: [] members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/iam.serviceAccountViewer - module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.xpnAdmin + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/editor"]: condition: [] members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/iam.workloadIdentityPoolAdmin - module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolViewer"]: + - group:gcp-vpc-network-admins@fast.example.com + role: roles/editor + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/iam.workloadIdentityPoolViewer - module.automation-project.google_project_iam_binding.authoritative["roles/owner"]: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + - user:extra-owner@fast.example.com role: roles/owner - module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]: + 
module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/source.admin - module.automation-project.google_project_iam_binding.authoritative["roles/source.reader"]: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: condition: [] members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/source.reader - module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]: + - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/storage.admin - module.automation-project.google_project_iam_binding.authoritative["roles/viewer"]: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + module.branch-network-folder.google_folder_iam_binding.authoritative["roles/viewer"]: condition: [] members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 + - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com role: roles/viewer - 
module.automation-project.google_project_iam_binding.bindings["delegated_grants_resman"]: - condition: - - description: Resource manager service account delegated grant. - expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/serviceusage.serviceUsageConsumer']) - title: resman_delegated_grant - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/resourcemanager.projectIamAdmin - module.automation-project.google_project_iam_member.bindings["serviceusage_resman"]: - condition: [] - member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/serviceusage.serviceUsageConsumer - module.automation-project.google_project_iam_member.bindings["serviceusage_resman_r"]: - condition: [] - member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-iac-core-0 - role: roles/serviceusage.serviceUsageViewer - module.automation-project.google_project_iam_member.service_agents["cloudasset"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/cloudasset.serviceAgent - module.automation-project.google_project_iam_member.service_agents["cloudbuild"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/cloudbuild.serviceAgent - module.automation-project.google_project_iam_member.service_agents["cloudbuild-sa"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/cloudbuild.builds.builder - module.automation-project.google_project_iam_member.service_agents["cloudkms"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/cloudkms.serviceAgent - module.automation-project.google_project_iam_member.service_agents["compute-system"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/compute.serviceAgent - module.automation-project.google_project_iam_member.service_agents["container-engine-robot"]: - 
condition: [] - project: fast-prod-iac-core-0 - role: roles/container.serviceAgent - module.automation-project.google_project_iam_member.service_agents["gkenode"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/container.nodeServiceAgent - module.automation-project.google_project_iam_member.service_agents["pubsub"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/pubsub.serviceAgent - module.automation-project.google_project_iam_member.service_agents["service-networking"]: - condition: [] - project: fast-prod-iac-core-0 - role: roles/servicenetworking.serviceAgent - module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: accesscontextmanager.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: bigquery.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: bigqueryreservation.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: bigquerystorage.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: billingbudgets.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudasset.googleapis.com"]: - 
disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudasset.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudbilling.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudbuild.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudkms.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudquotas.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudquotas.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: cloudresourcemanager.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["compute.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: compute.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["container.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: container.googleapis.com - timeouts: null - 
module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: essentialcontacts.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["iam.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: iam.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: iamcredentials.googleapis.com + module.branch-network-folder.google_tags_tag_binding.binding["context"]: timeouts: null - module.automation-project.google_project_service.project_services["networksecurity.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: networksecurity.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: orgpolicy.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: pubsub.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: servicenetworking.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - 
project: fast-prod-iac-core-0 - service: serviceusage.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["stackdriver.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: stackdriver.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: storage-component.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["storage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: storage.googleapis.com - timeouts: null - module.automation-project.google_project_service.project_services["sts.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-iac-core-0 - service: sts.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["cloudasset.googleapis.com"]: - project: fast-prod-iac-core-0 - service: cloudasset.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["cloudkms.googleapis.com"]: - project: fast-prod-iac-core-0 - service: cloudkms.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["container.googleapis.com"]: - project: fast-prod-iac-core-0 - service: container.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["networksecurity.googleapis.com"]: - project: fast-prod-iac-core-0 - service: networksecurity.googleapis.com - timeouts: null - module.automation-project.google_project_service_identity.default["pubsub.googleapis.com"]: - project: fast-prod-iac-core-0 - service: pubsub.googleapis.com - timeouts: null - 
module.automation-project.google_project_service_identity.default["servicenetworking.googleapis.com"]: - project: fast-prod-iac-core-0 - service: servicenetworking.googleapis.com - timeouts: null - module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket: + module.branch-network-gcs.google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] @@ -590,8 +261,8 @@ values: lifecycle_rule: [] location: EU logging: [] - name: fast-prod-iac-core-bootstrap-0 - project: fast-prod-iac-core-0 + name: fast2-prod-resman-net-0 + project: fast-prod-automation requester_pays: null retention_policy: [] storage_class: STANDARD 
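Review bot: The replacement content of this inventory appears to come from a different stage than the one the old side describes: the removed entries are bootstrap-stage resources (`module.automation-tf-bootstrap-gcs`, the `fast-prod-iac-core-*` project and buckets), while the added entries are resource-manager branch resources (`module.branch-network-gcs`, `module.branch-pf-*`, `module.branch-security-*` in project `fast-prod-automation`). If the fixture was overwritten with a plan captured from the wrong stage, the bootstrap test would no longer assert any bootstrap resource and should be regenerated from the bootstrap plan; the same applies to every hunk of this file, including the ones that continue past this view. If the rewrite is intentional, a sentence in the commit description explaining why the bootstrap inventory now lists resman resources would help reviewers, since the commit subject only mentions the private CA role.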
@@ -599,47 +270,80 @@ values: uniform_bucket_level_access: true versioning: - enabled: true - ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"] + module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-net-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.branch-network-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-net-0 + condition: [] + members: + - serviceAccount:fast2-prod-resman-net-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.branch-network-prod-folder.google_folder.folder[0]: + display_name: Production + timeouts: null + ? module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/gcveNetworkAdmin"] : condition: [] - org_id: '123456789012' - role: organizations/123456789012/roles/organizationAdminViewer - ? module.automation-tf-bootstrap-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"] + members: null + role: organizations/123456789012/roles/gcveNetworkAdmin + ? 
module.branch-network-prod-folder.google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] : condition: [] - org_id: '123456789012' - role: organizations/123456789012/roles/tagViewer - module.automation-tf-bootstrap-r-sa.google_service_account.service_account[0]: - account_id: fast-prod-bootstrap-0r + members: + - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/xpnServiceAdmin + module.branch-network-prod-folder.google_folder_iam_binding.authoritative["roles/compute.networkViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/compute.networkViewer + module.branch-network-prod-folder.google_tags_tag_binding.binding["environment"]: + timeouts: null + ? module.branch-network-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-network-r-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-net-0r create_ignore_already_exists: null description: null disabled: false - display_name: Terraform organization bootstrap service account (read-only). - project: fast-prod-iac-core-0 + display_name: Terraform resman networking service account (read-only). + project: fast-prod-automation timeouts: null - ? 
module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"] - : condition: [] + module.branch-network-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] - : bucket: fast-prod-iac-core-outputs-0 + ? module.branch-network-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test condition: [] role: organizations/123456789012/roles/storageViewer - module.automation-tf-bootstrap-sa.google_service_account.service_account[0]: - account_id: fast-prod-bootstrap-0 + ? module.branch-network-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-network-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-net-0 create_ignore_already_exists: null description: null disabled: false - display_name: Terraform organization bootstrap service account. - project: fast-prod-iac-core-0 + display_name: Terraform resman networking service account. + project: fast-prod-automation timeouts: null - module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + module.branch-network-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] members: null role: roles/iam.serviceAccountTokenCreator - ? 
module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] - : bucket: fast-prod-iac-core-outputs-0 + module.branch-network-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test condition: [] - role: roles/storage.admin - module.automation-tf-checklist-gcs[0].google_storage_bucket.bucket: + role: roles/storage.objectAdmin + module.branch-pf-dev-gcs.google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] @@ -651,8 +355,8 @@ values: lifecycle_rule: [] location: EU logging: [] - name: fast-prod-iac-core-checklist-0 - project: fast-prod-iac-core-0 + name: fast2-dev-resman-pf-0 + project: fast-prod-automation requester_pays: null retention_policy: [] storage_class: STANDARD 
@@ -660,7 +364,59 @@ values: uniform_bucket_level_access: true versioning: - enabled: true - module.automation-tf-output-gcs.google_storage_bucket.bucket: + module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-dev-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.branch-pf-dev-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-dev-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-dev-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + ? module.branch-pf-dev-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-dev-r-sa.google_service_account.service_account[0]: + account_id: fast2-dev-resman-pf-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory development service account (read-only). + project: fast-prod-automation + timeouts: null + module.branch-pf-dev-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.branch-pf-dev-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? 
module.branch-pf-dev-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-dev-sa.google_service_account.service_account[0]: + account_id: fast2-dev-resman-pf-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory development service account. + project: fast-prod-automation + timeouts: null + module.branch-pf-dev-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-pf-dev-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test + condition: [] + role: roles/storage.objectAdmin + module.branch-pf-gcs.google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] @@ -672,8 +428,8 @@ values: lifecycle_rule: [] location: EU logging: [] - name: fast-prod-iac-core-outputs-0 - project: fast-prod-iac-core-0 + name: fast2-resman-pf-0 + project: fast-prod-automation requester_pays: null retention_policy: [] storage_class: STANDARD 
@@ -681,7 +437,19 @@ values: uniform_bucket_level_access: true versioning: - enabled: true - module.automation-tf-resman-gcs.google_storage_bucket.bucket: + module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectAdmin + module.branch-pf-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-resman-pf-0 + condition: [] + members: + - serviceAccount:fast2-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/storage.objectViewer + module.branch-pf-prod-gcs.google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] @@ -693,8 +461,8 @@ values: lifecycle_rule: [] location: EU logging: [] - name: fast-prod-iac-core-resman-0 - project: fast-prod-iac-core-0 + name: fast2-prod-resman-pf-0 + project: fast-prod-automation requester_pays: null retention_policy: [] storage_class: STANDARD 
@@ -702,51 +470,154 @@ values: uniform_bucket_level_access: true versioning: - enabled: true - module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast-prod-iac-core-resman-0 + module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-pf-0 condition: [] members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin - module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast-prod-iac-core-resman-0 + module.branch-pf-prod-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-pf-0 condition: [] members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-pf-0r@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer - ? module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/organizationAdminViewer"] + ? module.branch-pf-prod-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - org_id: '123456789012' - role: organizations/123456789012/roles/organizationAdminViewer - ? 
module.automation-tf-resman-r-sa.google_organization_iam_member.organization-roles["123456789012-organizations/123456789012/roles/tagViewer"] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-prod-r-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-pf-0r + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory production service account (read-only). + project: fast-prod-automation + timeouts: null + module.branch-pf-prod-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.branch-pf-prod-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test + condition: [] + role: organizations/123456789012/roles/storageViewer + ? module.branch-pf-prod-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] : condition: [] - org_id: '123456789012' - role: organizations/123456789012/roles/tagViewer - module.automation-tf-resman-r-sa.google_service_account.service_account[0]: - account_id: fast-prod-resman-0r + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-prod-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-pf-0 + create_ignore_already_exists: null + description: null + disabled: false + display_name: Terraform project factory production service account. 
+ project: fast-prod-automation + timeouts: null + module.branch-pf-prod-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-pf-prod-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test + condition: [] + role: roles/storage.objectAdmin + ? module.branch-pf-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-r-sa.google_service_account.service_account[0]: + account_id: fast2-resman-pf-0r create_ignore_already_exists: null description: null disabled: false - display_name: Terraform stage 1 resman service account (read-only). - project: fast-prod-iac-core-0 + display_name: Terraform project factory main service account (read-only). + project: fast-prod-automation timeouts: null - ? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] - : bucket: fast-prod-iac-core-outputs-0 + module.branch-pf-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-pf-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"]: + bucket: test condition: [] role: organizations/123456789012/roles/storageViewer - module.automation-tf-resman-sa.google_service_account.service_account[0]: - account_id: fast-prod-resman-0 + ? 
module.branch-pf-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-pf-sa.google_service_account.service_account[0]: + account_id: fast2-resman-pf-0 create_ignore_already_exists: null description: null disabled: false - display_name: Terraform stage 1 resman service account. - project: fast-prod-iac-core-0 + display_name: Terraform project factory main service account. + project: fast-prod-automation + timeouts: null + module.branch-pf-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + module.branch-pf-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test + condition: [] + role: roles/storage.objectAdmin + module.branch-security-folder.google_folder.folder[0]: + display_name: Security + parent: organizations/123456789012 timeouts: null - ? 
module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] - : bucket: fast-prod-iac-core-outputs-0 + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/browser"]: + condition: [] + members: + - user:extra-browser@fast.example.com + role: roles/browser + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/editor"]: + condition: [] + members: + - group:gcp-security-admins@fast.example.com + role: roles/editor + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/logging.admin"]: condition: [] - role: roles/storage.admin - module.automation-tf-vpcsc-gcs.google_storage_bucket.bucket: + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/logging.admin + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/owner"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + - user:extra-owner@fast.example.com + role: roles/owner + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderAdmin + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderViewer + module.branch-security-folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.projectCreator + 
module.branch-security-folder.google_folder_iam_binding.authoritative["roles/viewer"]: + condition: [] + members: + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com + role: roles/viewer + module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]: + condition: + - description: Certificate Authority Service delegated grants. + expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager','organizations/123456789012/roles/privateCaUser']) + title: security_sa_delegated_grants + members: + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.folderIamAdmin + module.branch-security-folder.google_tags_tag_binding.binding["context"]: + timeouts: null + module.branch-security-gcs.google_storage_bucket.bucket: autoclass: [] cors: [] custom_placement_config: [] @@ -758,8 +629,8 @@ values: lifecycle_rule: [] location: EU logging: [] - name: fast-prod-iac-core-vpcsc-0 - project: fast-prod-iac-core-0 + name: fast2-prod-resman-sec-0 + project: fast-prod-automation requester_pays: null retention_policy: [] storage_class: STANDARD 
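Review bot: The added `tenant_iam_admin_conditional` binding in this hunk still expects the delegated-grant condition to allow `organizations/123456789012/roles/privateCaUser`, the custom role this commit removes, so the expected inventory encodes the pre-change IAM policy and would diverge from the plan once the role no longer exists. The new side should either drop that entry, `expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager'])`, or the fixture should be regenerated after the role removal. This condition bounds what the security-stage service account may grant through `roles/resourcemanager.folderIamAdmin`, so keeping the expected value in step with the real policy is what lets the test detect an unintended widening of that delegation.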
@@ -767,1210 +638,257 @@ values: uniform_bucket_level_access: true versioning: - enabled: true - module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: - bucket: fast-prod-iac-core-vpcsc-0 + module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectAdmin"]: + bucket: fast2-prod-resman-sec-0 condition: [] members: - - serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectAdmin - module.automation-tf-vpcsc-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: - bucket: fast-prod-iac-core-vpcsc-0 + module.branch-security-gcs.google_storage_bucket_iam_binding.authoritative["roles/storage.objectViewer"]: + bucket: fast2-prod-resman-sec-0 condition: [] members: - - serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com + - serviceAccount:fast2-prod-resman-sec-0r@fast-prod-automation.iam.gserviceaccount.com role: roles/storage.objectViewer - module.automation-tf-vpcsc-r-sa.google_service_account.service_account[0]: - account_id: fast-prod-vpcsc-0r + ? module.branch-security-r-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-security-r-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-sec-0r create_ignore_already_exists: null description: null disabled: false - display_name: Terraform stage 1 vpcsc service account (read-only). - project: fast-prod-iac-core-0 + display_name: Terraform resman security service account (read-only). + project: fast-prod-automation timeouts: null - ? 
module.automation-tf-vpcsc-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"] - : bucket: fast-prod-iac-core-outputs-0 + module.branch-security-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: + condition: [] + members: null + role: roles/iam.serviceAccountTokenCreator + ? module.branch-security-r-sa.google_storage_bucket_iam_member.bucket-roles["test-organizations/123456789012/roles/storageViewer"] + : bucket: test condition: [] role: organizations/123456789012/roles/storageViewer - module.automation-tf-vpcsc-sa.google_service_account.service_account[0]: - account_id: fast-prod-vpcsc-0 + ? module.branch-security-sa.google_project_iam_member.project-roles["fast-prod-automation-roles/serviceusage.serviceUsageConsumer"] + : condition: [] + project: fast-prod-automation + role: roles/serviceusage.serviceUsageConsumer + module.branch-security-sa.google_service_account.service_account[0]: + account_id: fast2-prod-resman-sec-0 create_ignore_already_exists: null description: null disabled: false - display_name: Terraform stage 1 vpcsc service account. - project: fast-prod-iac-core-0 + display_name: Terraform resman security service account. + project: fast-prod-automation timeouts: null - module.automation-tf-vpcsc-sa.google_service_account_iam_member.bindings["security_admins"]: + module.branch-security-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: condition: [] - member: group:gcp-security-admins@fast.example.com + members: null role: roles/iam.serviceAccountTokenCreator - ? 
module.automation-tf-vpcsc-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"] - : bucket: fast-prod-iac-core-outputs-0 - condition: [] - role: roles/storage.admin - module.billing-export-dataset[0].google_bigquery_dataset.default: - dataset_id: billing_export - default_encryption_configuration: [] - default_partition_expiration_ms: null - default_table_expiration_ms: null - delete_contents_on_destroy: false - description: Terraform managed. - external_dataset_reference: [] - friendly_name: Billing export. - labels: null - location: EU - max_time_travel_hours: '168' - project: fast-prod-billing-exp-0 - resource_tags: null - timeouts: null - module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]: - project: fast-prod-billing-exp-0 - module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]: - project: fast-prod-billing-exp-0 - user_project: null - module.billing-export-project[0].google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: - email: gcp-organization-admins@fast.example.com - language_tag: en - notification_category_subscriptions: - - ALL - parent: projects/fast-prod-billing-exp-0 - timeouts: null - module.billing-export-project[0].google_project.project[0]: - auto_create_network: false - billing_account: 000000-111111-222222 - deletion_policy: DELETE - folder_id: null - labels: null - name: fast-prod-billing-exp-0 - org_id: '123456789012' - project_id: fast-prod-billing-exp-0 - timeouts: null - module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]: + module.branch-security-sa.google_storage_bucket_iam_member.bucket-roles["test-roles/storage.objectAdmin"]: + bucket: test condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-billing-exp-0 - role: roles/owner - 
module.billing-export-project[0].google_project_iam_binding.authoritative["roles/viewer"]: + role: roles/storage.objectAdmin + module.organization[0].google_organization_iam_member.bindings["sa_net_billing"]: condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-billing-exp-0 - role: roles/viewer - module.billing-export-project[0].google_project_iam_member.service_agents["bigquerydatatransfer"]: - condition: [] - project: fast-prod-billing-exp-0 - role: roles/bigquerydatatransfer.serviceAgent - module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-billing-exp-0 - service: bigquery.googleapis.com - timeouts: null - module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-billing-exp-0 - service: bigquerydatatransfer.googleapis.com - timeouts: null - module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-billing-exp-0 - service: storage.googleapis.com - timeouts: null - module.billing-export-project[0].google_project_service_identity.default["bigquerydatatransfer.googleapis.com"]: - project: fast-prod-billing-exp-0 - service: bigquerydatatransfer.googleapis.com - timeouts: null - module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]: - bucket_id: audit-logs - cmek_settings: [] - enable_analytics: true - index_configs: [] - location: europe-west1 - locked: null - project: fast-prod-audit-logs-0 - retention_days: 30 - module.log-export-logbucket["iam"].google_logging_project_bucket_config.bucket[0]: - bucket_id: iam - cmek_settings: [] - enable_analytics: true - 
index_configs: [] - location: europe-west1 - locked: null - project: fast-prod-audit-logs-0 - retention_days: 30 - module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]: - bucket_id: vpc-sc - cmek_settings: [] - enable_analytics: true - index_configs: [] - location: europe-west1 - locked: null - project: fast-prod-audit-logs-0 - retention_days: 30 - module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]: - bucket_id: workspace-audit-logs - cmek_settings: [] - enable_analytics: true - index_configs: [] - location: europe-west1 - locked: null - project: fast-prod-audit-logs-0 - retention_days: 30 - module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]: - project: fast-prod-audit-logs-0 - module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]: - project: fast-prod-audit-logs-0 - user_project: null - module.log-export-project.google_essential_contacts_contact.contact["gcp-organization-admins@fast.example.com"]: - email: gcp-organization-admins@fast.example.com - language_tag: en - notification_category_subscriptions: - - ALL - parent: projects/fast-prod-audit-logs-0 - timeouts: null - module.log-export-project.google_project.project[0]: - auto_create_network: false - billing_account: 000000-111111-222222 - deletion_policy: DELETE - folder_id: null - labels: null - name: fast-prod-audit-logs-0 + member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com org_id: '123456789012' - project_id: fast-prod-audit-logs-0 - timeouts: null - module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]: + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_net_fw_policy_admin"]: condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-audit-logs-0 - role: roles/owner - 
module.log-export-project.google_project_iam_binding.authoritative["roles/viewer"]: + member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/compute.orgFirewallPolicyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_net_xpn_admin"]: condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - project: fast-prod-audit-logs-0 - role: roles/viewer - module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-audit-logs-0 - service: bigquery.googleapis.com - timeouts: null - module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-audit-logs-0 - service: stackdriver.googleapis.com - timeouts: null - module.log-export-project.google_project_service.project_services["storage.googleapis.com"]: - disable_dependent_services: false - disable_on_destroy: false - project: fast-prod-audit-logs-0 - service: storage.googleapis.com - timeouts: null - module.organization-logging.google_logging_organization_settings.default[0]: - organization: '123456789012' - storage_location: global - timeouts: null - module.organization.google_logging_organization_sink.sink["audit-logs"]: - description: audit-logs (Terraform-managed). 
- disabled: false - exclusions: [] - filter: 'log_id("cloudaudit.googleapis.com/activity") OR + member: serviceAccount:fast2-prod-resman-net-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/compute.xpnAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_billing"]: + condition: [] + member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_pf_conditional_org_policy"]: + condition: + - description: Org policy tag scoped grant for project factory main. + expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') - log_id("cloudaudit.googleapis.com/system_event") OR + ' + title: org_policy_tag_pf_scoped + member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/orgpolicy.policyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_costs_manager"]: + condition: [] + member: serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.costsManager + module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_billing"]: + condition: [] + member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_conditional_org_policy"]: + condition: + - description: Org policy tag scoped grant for project factory dev. 
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') - log_id("cloudaudit.googleapis.com/policy") OR + && - log_id("cloudaudit.googleapis.com/access_transparency") + resource.matchTag(''123456789012/environment'', ''development'') - ' - include_children: true - intercept_children: false - name: audit-logs + ' + title: org_policy_tag_pf_scoped_dev + member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com org_id: '123456789012' - module.organization.google_logging_organization_sink.sink["iam"]: - description: iam (Terraform-managed). - disabled: false - exclusions: [] - filter: 'protoPayload.serviceName="iamcredentials.googleapis.com" OR + role: roles/orgpolicy.policyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_dev_costs_manager"]: + condition: [] + member: serviceAccount:fast2-dev-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.costsManager + module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_billing"]: + condition: [] + member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_conditional_org_policy"]: + condition: + - description: Org policy tag scoped grant for project factory prod. 
+ expression: 'resource.matchTag(''123456789012/context'', ''project-factory'') - protoPayload.serviceName="iam.googleapis.com" OR + && - protoPayload.serviceName="sts.googleapis.com" + resource.matchTag(''123456789012/environment'', ''production'') - ' - include_children: true - intercept_children: false - name: iam + ' + title: org_policy_tag_pf_scoped_prod + member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com org_id: '123456789012' - module.organization.google_logging_organization_sink.sink["vpc-sc"]: - description: vpc-sc (Terraform-managed). - disabled: false - exclusions: [] - filter: 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" - - ' - include_children: true - intercept_children: false - name: vpc-sc + role: roles/orgpolicy.policyAdmin + module.organization[0].google_organization_iam_member.bindings["sa_pf_prod_costs_manager"]: + condition: [] + member: serviceAccount:fast2-prod-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com org_id: '123456789012' - module.organization.google_logging_organization_sink.sink["workspace-audit-logs"]: - description: workspace-audit-logs (Terraform-managed). 
- disabled: false - exclusions: [] - filter: 'log_id("cloudaudit.googleapis.com/data_access") AND - - protoPayload.serviceName="login.googleapis.com" - - ' - include_children: true - intercept_children: false - name: workspace-audit-logs + role: roles/billing.costsManager + module.organization[0].google_organization_iam_member.bindings["sa_sec_asset_viewer"]: + condition: [] + member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com org_id: '123456789012' - module.organization.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.disableGuestAttributesAccess - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.disableNestedVirtualization"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.disableNestedVirtualization - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.disableSerialPortAccess"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.disableSerialPortAccess - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.requireOsLogin"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.requireOsLogin - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 
'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.restrictLoadBalancerCreationForTypes - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: - - in:INTERNAL - denied_values: null - timeouts: null - module.organization.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["compute.trustedImageProjects"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.trustedImageProjects - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: - - is:projects/centos-cloud - - is:projects/cos-cloud - - is:projects/debian-cloud - - is:projects/fedora-cloud - - is:projects/fedora-coreos-cloud - - is:projects/opensuse-cloud - - is:projects/rhel-cloud - - is:projects/rhel-sap-cloud - - is:projects/rocky-linux-cloud - - is:projects/suse-cloud - - is:projects/suse-sap-cloud - - is:projects/ubuntu-os-cloud - - is:projects/ubuntu-os-pro-cloud - - is:projects/windows-cloud - - is:projects/windows-sql-cloud - - is:projects/confidential-vm-images - - is:projects/backupdr-images - - is:projects/deeplearning-platform-release - - is:projects/serverless-vpc-access-images - denied_values: null - timeouts: null - 
module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]: - dry_run_spec: [] - name: organizations/123456789012/policies/compute.vmExternalIpAccess - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: 'TRUE' - enforce: null - values: [] - timeouts: null - module.organization.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains + role: roles/cloudasset.viewer + module.organization[0].google_organization_iam_member.bindings["sa_sec_billing"]: + condition: [] + member: serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com + org_id: '123456789012' + role: roles/billing.user + module.organization[0].google_tags_tag_key.default["context"]: + description: Resource management context. parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: - - description: null - expression: '!resource.matchTag(''123456789012/org-policies'', ''allowed-policy-member-domains-all'')' - location: null - title: null - deny_all: null - enforce: null - values: - - allowed_values: - - C00000000 - denied_values: null - - allow_all: 'TRUE' - condition: - - description: null - expression: resource.matchTag('123456789012/org-policies', 'allowed-policy-member-domains-all') - location: null - title: allow-all - deny_all: null - enforce: null - values: [] + purpose: null + purpose_data: null + short_name: context timeouts: null - module.organization.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.automaticIamGrantsForDefaultServiceAccounts + module.organization[0].google_tags_tag_key.default["environment"]: + description: Environment definition. 
parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] + purpose: null + purpose_data: null + short_name: environment timeouts: null - module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.disableServiceAccountKeyCreation - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] + module.organization[0].google_tags_tag_value.default["context/data"]: + description: Managed by the Terraform organization module. + short_name: data timeouts: null - module.organization.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.disableServiceAccountKeyUpload - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] + module.organization[0].google_tags_tag_value.default["context/gcve"]: + description: Managed by the Terraform organization module. + short_name: gcve timeouts: null - module.organization.google_org_policy_policy.default["iam.serviceAccountKeyExposureResponse"]: - dry_run_spec: [] - name: organizations/123456789012/policies/iam.serviceAccountKeyExposureResponse - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: - - DISABLE_KEY - denied_values: null + module.organization[0].google_tags_tag_value.default["context/gke"]: + description: Managed by the Terraform organization module. 
+ short_name: gke timeouts: null - module.organization.google_org_policy_policy.default["run.allowedIngress"]: - dry_run_spec: [] - name: organizations/123456789012/policies/run.allowedIngress - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: - - is:internal-and-cloud-load-balancing - denied_values: null + module.organization[0].google_tags_tag_value.default["context/networking"]: + description: Managed by the Terraform organization module. + short_name: networking timeouts: null - module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]: - dry_run_spec: [] - name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] + module.organization[0].google_tags_tag_value.default["context/project-factory"]: + description: Managed by the Terraform organization module. + short_name: project-factory timeouts: null - module.organization.google_org_policy_policy.default["sql.restrictPublicIp"]: - dry_run_spec: [] - name: organizations/123456789012/policies/sql.restrictPublicIp - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] + module.organization[0].google_tags_tag_value.default["context/sandbox"]: + description: Managed by the Terraform organization module. 
+ short_name: sandbox timeouts: null - module.organization.google_org_policy_policy.default["storage.publicAccessPrevention"]: - dry_run_spec: [] - name: organizations/123456789012/policies/storage.publicAccessPrevention - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] + module.organization[0].google_tags_tag_value.default["context/security"]: + description: Managed by the Terraform organization module. + short_name: security timeouts: null - module.organization.google_org_policy_policy.default["storage.secureHttpTransport"]: - dry_run_spec: [] - name: organizations/123456789012/policies/storage.secureHttpTransport - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] + module.organization[0].google_tags_tag_value.default["environment/development"]: + description: Managed by the Terraform organization module. + short_name: development timeouts: null - module.organization.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]: - dry_run_spec: [] - name: organizations/123456789012/policies/storage.uniformBucketLevelAccess - parent: organizations/123456789012 - spec: - - inherit_from_parent: null - reset: null - rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'TRUE' - values: [] + module.organization[0].google_tags_tag_value.default["environment/production"]: + description: Managed by the Terraform organization module. 
+ short_name: production timeouts: null - module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]: + module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/development:pf"]: condition: [] members: - - group:gcp-billing-admins@fast.example.com - org_id: '123456789012' - role: roles/billing.creator - module.organization.google_organization_iam_binding.authoritative["roles/browser"]: - condition: [] - members: - - domain:fast.example.com - org_id: '123456789012' - role: roles/browser - module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - group:gcp-security-admins@fast.example.com - - group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/cloudasset.owner - module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/cloudsupport.admin - module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]: - condition: [] - members: - - group:gcp-devops@fast.example.com - - group:gcp-security-admins@fast.example.com - - group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/cloudsupport.techSupportEditor - module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.osAdminLogin - module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.osLoginExternalUser - 
module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.admin"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/essentialcontacts.admin - module.organization.google_organization_iam_binding.authoritative["roles/essentialcontacts.viewer"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/essentialcontacts.viewer - module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]: - condition: [] - members: - - group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/iam.securityReviewer - module.organization.google_organization_iam_binding.authoritative["roles/iam.workforcePoolAdmin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/iam.workforcePoolAdmin - module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]: - condition: [] - members: - - group:gcp-security-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/logging.admin - module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + module.organization[0].google_tags_tag_value_iam_binding.bindings["environment/production:pf"]: condition: [] 
members: - - group:gcp-devops@fast.example.com - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/logging.viewer - module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]: - condition: [] + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: roles/resourcemanager.tagUser + module.top-level-folder["teams"].google_folder.folder[0]: + display_name: Teams + parent: organizations/123456789012 + timeouts: null + ? module.top-level-folder["teams"].google_folder_iam_binding.authoritative["organizations/123456789012/roles/xpnServiceAdmin"] + : condition: [] members: - - group:gcp-devops@fast.example.com - org_id: '123456789012' - role: roles/monitoring.viewer - module.organization.google_organization_iam_binding.authoritative["roles/owner"]: + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com + role: organizations/123456789012/roles/xpnServiceAdmin + module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - group:gcp-organization-admins@fast.example.com - org_id: '123456789012' + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com role: roles/owner - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: + module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.folderAdmin - 
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]: + module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - group:gcp-devops@fast.example.com - - group:gcp-vpc-network-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.folderViewer - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.organizationAdmin - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.projectCreator - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.projectMover - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]: + module.top-level-folder["teams"].google_folder_iam_binding.authoritative["roles/resourcemanager.tagUser"]: condition: [] members: - - group:gcp-organization-admins@fast.example.com 
- - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.tagAdmin - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' + - serviceAccount:fast2-resman-pf-0@fast-prod-automation.iam.gserviceaccount.com role: roles/resourcemanager.tagUser - module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]: - condition: [] - members: - - serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/resourcemanager.tagViewer - module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]: - condition: [] - members: - - group:gcp-organization-admins@fast.example.com - - group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/securitycenter.admin - module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]: - condition: [] - members: - - serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/serviceusage.serviceUsageViewer - module.organization.google_organization_iam_binding.bindings["organization_billing_conditional"]: - condition: - - description: Automation service account delegated grants. 
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/billing.admin','roles/billing.costsManager','roles/billing.user']) - title: automation_sa_delegated_grants - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: organizations/123456789012/roles/organizationIamAdmin - module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]: - condition: - - description: Automation service account delegated grants. - expression: 'api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''roles/accesscontextmanager.policyAdmin'',''roles/cloudasset.viewer'',''roles/compute.orgFirewallPolicyAdmin'',''roles/compute.orgFirewallPolicyUser'',''roles/compute.xpnAdmin'',''roles/orgpolicy.policyAdmin'',''roles/orgpolicy.policyViewer'',''roles/resourcemanager.organizationViewer'']) - - || api.getAttribute(''iam.googleapis.com/modifiedGrantsByRole'', []).hasOnly([''organizations/123456789012/roles/networkFirewallPoliciesAdmin'',''organizations/123456789012/roles/ngfwEnterpriseAdmin'',''organizations/123456789012/roles/ngfwEnterpriseViewer'',''organizations/123456789012/roles/privateCaUser'',''organizations/123456789012/roles/serviceProjectNetworkAdmin'',''organizations/123456789012/roles/tenantNetworkAdmin'']) - - ' - title: automation_sa_delegated_grants - members: - - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: organizations/123456789012/roles/organizationIamAdmin - module.organization.google_organization_iam_binding.bindings["organization_ngfw_enterprise_admin"]: - condition: [] - members: - - group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: organizations/123456789012/roles/ngfwEnterpriseAdmin - module.organization.google_organization_iam_custom_role.roles["gcve_network_admin"]: - description: Terraform-managed. 
- org_id: '123456789012' - permissions: - - vmwareengine.networkPeerings.create - - vmwareengine.networkPeerings.delete - - vmwareengine.networkPeerings.get - - vmwareengine.networkPeerings.list - - vmwareengine.operations.get - role_id: gcveNetworkAdmin - stage: GA - title: Custom role gcveNetworkAdmin - module.organization.google_organization_iam_custom_role.roles["network_firewall_policies_admin"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - compute.networks.setFirewallPolicy - - networksecurity.firewallEndpointAssociations.create - - networksecurity.firewallEndpointAssociations.delete - - networksecurity.firewallEndpointAssociations.get - - networksecurity.firewallEndpointAssociations.list - - networksecurity.firewallEndpointAssociations.update - role_id: networkFirewallPoliciesAdmin - stage: GA - title: Custom role networkFirewallPoliciesAdmin - module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_admin"]: - description: Terraform-managed. 
- org_id: '123456789012' - permissions: - - networksecurity.firewallEndpoints.create - - networksecurity.firewallEndpoints.delete - - networksecurity.firewallEndpoints.get - - networksecurity.firewallEndpoints.list - - networksecurity.firewallEndpoints.update - - networksecurity.firewallEndpoints.use - - networksecurity.locations.get - - networksecurity.locations.list - - networksecurity.operations.cancel - - networksecurity.operations.delete - - networksecurity.operations.get - - networksecurity.operations.list - - networksecurity.securityProfileGroups.create - - networksecurity.securityProfileGroups.delete - - networksecurity.securityProfileGroups.get - - networksecurity.securityProfileGroups.list - - networksecurity.securityProfileGroups.update - - networksecurity.securityProfileGroups.use - - networksecurity.securityProfiles.create - - networksecurity.securityProfiles.delete - - networksecurity.securityProfiles.get - - networksecurity.securityProfiles.list - - networksecurity.securityProfiles.update - - networksecurity.securityProfiles.use - - networksecurity.tlsInspectionPolicies.create - - networksecurity.tlsInspectionPolicies.get - - networksecurity.tlsInspectionPolicies.list - - networksecurity.tlsInspectionPolicies.update - - networksecurity.tlsInspectionPolicies.use - role_id: ngfwEnterpriseAdmin - stage: GA - title: Custom role ngfwEnterpriseAdmin - module.organization.google_organization_iam_custom_role.roles["ngfw_enterprise_viewer"]: - description: Terraform-managed. 
- org_id: '123456789012' - permissions: - - networksecurity.firewallEndpoints.get - - networksecurity.firewallEndpoints.list - - networksecurity.firewallEndpoints.use - - networksecurity.locations.get - - networksecurity.locations.list - - networksecurity.operations.get - - networksecurity.operations.list - - networksecurity.securityProfileGroups.get - - networksecurity.securityProfileGroups.list - - networksecurity.securityProfileGroups.use - - networksecurity.securityProfiles.get - - networksecurity.securityProfiles.list - - networksecurity.securityProfiles.use - - networksecurity.tlsInspectionPolicies.get - - networksecurity.tlsInspectionPolicies.list - - networksecurity.tlsInspectionPolicies.use - role_id: ngfwEnterpriseViewer - stage: GA - title: Custom role ngfwEnterpriseViewer - module.organization.google_organization_iam_custom_role.roles["organization_admin_viewer"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - essentialcontacts.contacts.get - - essentialcontacts.contacts.list - - logging.settings.get - - orgpolicy.constraints.list - - orgpolicy.policies.list - - orgpolicy.policy.get - - resourcemanager.folders.get - - resourcemanager.folders.getIamPolicy - - resourcemanager.folders.list - - resourcemanager.organizations.get - - resourcemanager.organizations.getIamPolicy - - resourcemanager.projects.get - - resourcemanager.projects.getIamPolicy - - resourcemanager.projects.list - role_id: organizationAdminViewer - stage: GA - title: Custom role organizationAdminViewer - module.organization.google_organization_iam_custom_role.roles["organization_iam_admin"]: - description: Terraform-managed. 
- org_id: '123456789012' - permissions: - - resourcemanager.organizations.get - - resourcemanager.organizations.getIamPolicy - - resourcemanager.organizations.setIamPolicy - role_id: organizationIamAdmin - stage: GA - title: Custom role organizationIamAdmin - module.organization.google_organization_iam_custom_role.roles["private_ca_user"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - privateca.caPools.get - - privateca.caPools.use - role_id: privateCaUser - stage: GA - title: Custom role privateCaUser - module.organization.google_organization_iam_custom_role.roles["service_project_network_admin"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - compute.globalOperations.get - - compute.networks.get - - compute.networks.updatePeering - - compute.organizations.disableXpnResource - - compute.organizations.enableXpnResource - - compute.projects.get - - compute.subnetworks.getIamPolicy - - compute.subnetworks.setIamPolicy - - dns.networks.bindPrivateDNSZone - - resourcemanager.projects.get - role_id: serviceProjectNetworkAdmin - stage: GA - title: Custom role serviceProjectNetworkAdmin - module.organization.google_organization_iam_custom_role.roles["storage_viewer"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - storage.buckets.get - - storage.buckets.getIamPolicy - - storage.buckets.getObjectInsights - - storage.buckets.list - - storage.buckets.listEffectiveTags - - storage.buckets.listTagBindings - - storage.managedFolders.get - - storage.managedFolders.getIamPolicy - - storage.managedFolders.list - - storage.multipartUploads.list - - storage.multipartUploads.listParts - - storage.objects.create - - storage.objects.get - - storage.objects.getIamPolicy - - storage.objects.list - role_id: storageViewer - stage: GA - title: Custom role storageViewer - module.organization.google_organization_iam_custom_role.roles["tag_viewer"]: - description: Terraform-managed. 
- org_id: '123456789012' - permissions: - - resourcemanager.tagHolds.list - - resourcemanager.tagKeys.get - - resourcemanager.tagKeys.getIamPolicy - - resourcemanager.tagKeys.list - - resourcemanager.tagValues.get - - resourcemanager.tagValues.getIamPolicy - - resourcemanager.tagValues.list - role_id: tagViewer - stage: GA - title: Custom role tagViewer - module.organization.google_organization_iam_custom_role.roles["tenant_network_admin"]: - description: Terraform-managed. - org_id: '123456789012' - permissions: - - compute.globalOperations.get - role_id: tenantNetworkAdmin - stage: GA - title: Custom role tenantNetworkAdmin - ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyAdmin - ? 
module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyReader - ? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyReader-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/accesscontextmanager.policyReader - ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"] - : condition: [] - member: group:gcp-billing-admins@fast.example.com - org_id: '123456789012' - role: roles/billing.admin - ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/billing.admin - ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.admin - ? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.admin - ? 
module.organization.google_organization_iam_member.bindings["roles/billing.user-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/billing.user - ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.viewer - ? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/billing.viewer - ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-vpcsc-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/cloudasset.viewer - ? module.organization.google_organization_iam_member.bindings["roles/cloudasset.viewer-serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-vpcsc-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/cloudasset.viewer - ? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-vpc-network-admins@fast.example.com"] - : condition: [] - member: group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.networkAdmin - ? 
module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-vpc-network-admins@fast.example.com"] - : condition: [] - member: group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.orgFirewallPolicyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-vpc-network-admins@fast.example.com"] - : condition: [] - member: group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.securityAdmin - ? module.organization.google_organization_iam_member.bindings["roles/compute.viewer-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.viewer - ? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-vpc-network-admins@fast.example.com"] - : condition: [] - member: group:gcp-vpc-network-admins@fast.example.com - org_id: '123456789012' - role: roles/compute.xpnAdmin - ? module.organization.google_organization_iam_member.bindings["roles/container.viewer-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/container.viewer - ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/iam.organizationRoleAdmin - ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/iam.organizationRoleAdmin - ? 
module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/iam.organizationRoleAdmin - ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/iam.organizationRoleViewer - ? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/iam.organizationRoleViewer - ? module.organization.google_organization_iam_member.bindings["roles/iam.workforcePoolViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/iam.workforcePoolViewer - ? module.organization.google_organization_iam_member.bindings["roles/logging.configWriter-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/logging.configWriter - ? module.organization.google_organization_iam_member.bindings["roles/logging.privateLogViewer-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/logging.privateLogViewer - ? 
module.organization.google_organization_iam_member.bindings["roles/monitoring.admin-group:gcp-monitoring-admins@fast.example.com"] - : condition: [] - member: group:gcp-monitoring-admins@fast.example.com - org_id: '123456789012' - role: roles/monitoring.admin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyAdmin - ? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyViewer - ? 
module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"] - : condition: [] - member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com - org_id: '123456789012' - role: roles/orgpolicy.policyViewer - ? module.organization.google_organization_iam_member.bindings["roles/resourcemanager.folderIamAdmin-group:gcp-security-admins@fast.example.com"] - : condition: [] - member: group:gcp-security-admins@fast.example.com - org_id: '123456789012' - role: roles/resourcemanager.folderIamAdmin - ? module.organization.google_organization_iam_member.bindings["roles/resourcemanager.organizationViewer-group:gcp-billing-admins@fast.example.com"] - : condition: [] - member: group:gcp-billing-admins@fast.example.com - org_id: '123456789012' - role: roles/resourcemanager.organizationViewer - ? module.organization.google_organization_iam_member.bindings["roles/storage.objectAdmin-group:gcp-organization-admins@fast.example.com"] - : condition: [] - member: group:gcp-organization-admins@fast.example.com - org_id: '123456789012' - role: roles/storage.objectAdmin - module.organization.google_project_iam_member.bucket-sinks-binding["audit-logs"]: - condition: - - title: audit-logs bucket writer - role: roles/logging.bucketWriter - module.organization.google_project_iam_member.bucket-sinks-binding["iam"]: - condition: - - title: iam bucket writer - role: roles/logging.bucketWriter - module.organization.google_project_iam_member.bucket-sinks-binding["vpc-sc"]: - condition: - - title: vpc-sc bucket writer - role: roles/logging.bucketWriter - module.organization.google_project_iam_member.bucket-sinks-binding["workspace-audit-logs"]: - condition: - - title: workspace-audit-logs bucket writer - role: roles/logging.bucketWriter - module.organization.google_tags_tag_key.default["org-policies"]: - description: Organization policy conditions. 
- parent: organizations/123456789012
- purpose: null
- purpose_data: null
- short_name: org-policies
- timeouts: null
- module.organization.google_tags_tag_value.default["org-policies/allowed-policy-member-domains-all"]:
- description: Managed by the Terraform organization module.
- short_name: allowed-policy-member-domains-all
+ module.top-level-folder["teams"].google_tags_tag_binding.binding["context"]:
 timeouts: null
 counts:
- google_bigquery_dataset: 1
- google_bigquery_default_service_account: 3
- google_essential_contacts_contact: 3
- google_logging_organization_settings: 1
- google_logging_organization_sink: 4
- google_logging_project_bucket_config: 4
- google_org_policy_policy: 22
- google_organization_iam_binding: 28
- google_organization_iam_custom_role: 11
- google_organization_iam_member: 42
- google_project: 3
- google_project_iam_audit_config: 1
- google_project_iam_binding: 19
- google_project_iam_member: 16
- google_project_service: 31
- google_project_service_identity: 7
- google_service_account: 6
- google_service_account_iam_binding: 2
- google_service_account_iam_member: 1
+ google_folder: 5
+ google_folder_iam_binding: 29
+ google_organization_iam_member: 14
+ google_project_iam_member: 10
+ google_service_account: 10
+ google_service_account_iam_binding: 10
 google_storage_bucket: 5
- google_storage_bucket_iam_binding: 4
- google_storage_bucket_iam_member: 6
- google_storage_bucket_object: 12
- google_storage_project_service_account: 3
- google_tags_tag_key: 1
- google_tags_tag_value: 1
+ google_storage_bucket_iam_binding: 10
+ google_storage_bucket_iam_member: 10
+ google_storage_bucket_object: 11
+ google_tags_tag_binding: 5
+ google_tags_tag_key: 2
+ google_tags_tag_value: 9
+ google_tags_tag_value_iam_binding: 2
 modules: 21
- resources: 237
+ resources: 132
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 463fe642cd..4d15585059 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -21,7 +21,7 @@ counts:
 google_logging_project_bucket_config: 4
 google_org_policy_policy: 22
 google_organization_iam_binding: 28
- google_organization_iam_custom_role: 11
+ google_organization_iam_custom_role: 10
 google_organization_iam_member: 29
 google_project: 3
 google_project_iam_audit_config: 1
@@ -41,7 +41,7 @@ counts:
 google_tags_tag_value: 1
 local_file: 10
 modules: 20
- resources: 231
+ resources: 230
 outputs:
 automation: __missing__
@@ -54,7 +54,6 @@ outputs:
 ngfw_enterprise_viewer: organizations/123456789012/roles/ngfwEnterpriseViewer
 organization_admin_viewer: organizations/123456789012/roles/organizationAdminViewer
 organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin
- private_ca_user: organizations/123456789012/roles/privateCaUser
 service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin
 storage_viewer: organizations/123456789012/roles/storageViewer
 tag_viewer: organizations/123456789012/roles/tagViewer
@@ -73,3 +72,4 @@ outputs:
 workload_identity_pool:
 pool: null
 providers: {}
+
diff --git a/tests/fast/stages/s1_resman/checklist.tfvars b/tests/fast/stages/s1_resman/checklist.tfvars
index eac8904399..8099773124 100644
--- a/tests/fast/stages/s1_resman/checklist.tfvars
+++ b/tests/fast/stages/s1_resman/checklist.tfvars
@@ -18,7 +18,6 @@ custom_roles = {
 ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
 ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
 organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
- private_ca_user = "organizations/123456789012/roles/privateCaUser"
 service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
 storage_viewer = "organizations/123456789012/roles/storageViewer"
 }
diff --git a/tests/fast/stages/s1_resman/checklist.yaml b/tests/fast/stages/s1_resman/checklist.yaml
index 2f59bbee64..468359aa8e 100644
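Review bot: The last hunk of tests/fast/stages/s0_bootstrap/simple.yaml (`@@ -73,3 +72,4 @@`) adds only a trailing empty line after `providers: {}`, which has nothing to do with the role removal and will reappear as noise in every later diff of this fixture. Dropping that lone `+` line keeps the change limited to the count and output updates that actually follow from deleting `private_ca_user`. If the blank line comes from regenerating the fixture with a tool that emits a trailing newline, fixing that in the generator avoids reintroducing it.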
--- a/tests/fast/stages/s1_resman/checklist.yaml
+++ b/tests/fast/stages/s1_resman/checklist.yaml
@@ -16,6 +16,7 @@ values:
 google_storage_bucket_object.providers["2-networking"]:
 bucket: test
 cache_control: null
+ content:
 content_disposition: null
 content_encoding: null
 content_language: null
@@ -598,7 +599,7 @@ values:
 module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]:
 condition:
 - description: Certificate Authority Service delegated grants.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager','organizations/123456789012/roles/privateCaUser'])
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager'])
 title: security_sa_delegated_grants
 members:
 - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
diff --git a/tests/fast/stages/s1_resman/simple.tfvars b/tests/fast/stages/s1_resman/simple.tfvars
index fc011a956c..5a999ff8c1 100644
--- a/tests/fast/stages/s1_resman/simple.tfvars
+++ b/tests/fast/stages/s1_resman/simple.tfvars
@@ -18,7 +18,6 @@ custom_roles = {
 ngfw_enterprise_admin = "organizations/123456789012/roles/ngfwEnterpriseAdmin"
 ngfw_enterprise_viewer = "organizations/123456789012/roles/ngfwEnterpriseViewer"
 organization_admin_viewer = "organizations/123456789012/roles/organizationAdminViewer"
- private_ca_user = "organizations/123456789012/roles/privateCaUser"
 service_project_network_admin = "organizations/123456789012/roles/xpnServiceAdmin"
 storage_viewer = "organizations/123456789012/roles/storageViewer"
 }
diff --git a/tests/fast/stages/s1_resman/simple.yaml b/tests/fast/stages/s1_resman/simple.yaml
index 8fadcd1440..8c019e5d0f 100644
--- a/tests/fast/stages/s1_resman/simple.yaml
+++ b/tests/fast/stages/s1_resman/simple.yaml
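Review bot: The first hunk of tests/fast/stages/s1_resman/checklist.yaml adds a `content:` key under `google_storage_bucket_object.providers["2-networking"]`, which is unrelated to removing `private_ca_user` and is not mirrored in the otherwise identical `tenant_iam_admin_conditional` update in tests/fast/stages/s1_resman/simple.yaml. It looks like fixture drift picked up while regenerating the plan output; either mention it in the commit description or move it to its own change so the IAM change stays reviewable on its own. The narrowed condition `hasOnly(['roles/privateca.certificateManager'])` is the security-relevant part of this section: it shrinks the set of roles the `fast2-prod-resman-sec-0` service account may grant under that binding, so the description should state that no remaining stage still relies on delegating `privateCaUser`.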
@@ -610,7 +610,7 @@ values:
 module.branch-security-folder.google_folder_iam_binding.bindings["tenant_iam_admin_conditional"]:
 condition:
 - description: Certificate Authority Service delegated grants.
- expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager','organizations/123456789012/roles/privateCaUser'])
+ expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/privateca.certificateManager'])
 title: security_sa_delegated_grants
 members:
 - serviceAccount:fast2-prod-resman-sec-0@fast-prod-automation.iam.gserviceaccount.com
diff --git a/tests/fast/stages/s2_security/simple.tfvars b/tests/fast/stages/s2_security/simple.tfvars
index cb94918951..0dff490379 100644
--- a/tests/fast/stages/s2_security/simple.tfvars
+++ b/tests/fast/stages/s2_security/simple.tfvars
@@ -4,9 +4,6 @@ automation = {
 billing_account = {
 id = "000000-111111-222222"
 }
-custom_roles = {
- private_ca_user = "organizations/123456789012/roles/privateCaUser"
-}
 essential_contacts = "gcp-security-admins@fast.example.com"
 folder_ids = {
 security = null
diff --git a/tests/fast/stages/s2_security/simple.yaml b/tests/fast/stages/s2_security/simple.yaml
index ece3432203..e98ac3805a 100644
--- a/tests/fast/stages/s2_security/simple.yaml
+++ b/tests/fast/stages/s2_security/simple.yaml
@@ -153,16 +153,6 @@ values:
 member: serviceAccount:foobar@iam.gserviceaccount.com
 project: fast-dev-sec-core-0
 role: roles/cloudkms.admin
- module.dev-sec-project.google_project_iam_member.bindings["nsec_dev_sa_binding"]:
- condition: []
- member: serviceAccount:foobar@iam.gserviceaccount.com
- project: fast-dev-sec-core-0
- role: organizations/123456789012/roles/privateCaUser
- module.dev-sec-project.google_project_iam_member.bindings["nsec_dev_sa_r_binding"]:
- condition: []
- member: serviceAccount:foobar@iam.gserviceaccount.com
- project: fast-dev-sec-core-0
- role: organizations/123456789012/roles/privateCaUser
 module.dev-sec-project.google_project_iam_member.service_agents["certificatemanager"]:
 condition: []
 project: fast-dev-sec-core-0
@@ -376,16 +366,6 @@ values:
 member: serviceAccount:foobar@iam.gserviceaccount.com
 project: fast-prod-sec-core-0
 role: roles/cloudkms.admin
- module.prod-sec-project.google_project_iam_member.bindings["nsec_prod_sa_binding"]:
- condition: []
- member: serviceAccount:foobar@iam.gserviceaccount.com
- project: fast-prod-sec-core-0
- role: organizations/123456789012/roles/privateCaUser
- module.prod-sec-project.google_project_iam_member.bindings["nsec_prod_sa_r_binding"]:
- condition: []
- member: serviceAccount:foobar@iam.gserviceaccount.com
- project: fast-prod-sec-core-0
- role: organizations/123456789012/roles/privateCaUser
 module.prod-sec-project.google_project_iam_member.service_agents["certificatemanager"]:
 condition: []
 project: fast-prod-sec-core-0
@@ -473,9 +453,24 @@ counts:
 google_kms_key_ring: 8
 google_project: 2
 google_project_iam_binding: 2
- google_project_iam_member: 12
+ google_project_iam_member: 8
 google_project_service: 14
 google_project_service_identity: 12
 google_storage_bucket_object: 1
 modules: 11
- resources: 69
+ resources: 65
+
+outputs:
+ cas_configs:
+ dev: {}
+ prod: {}
+ kms_keys: __missing__
+ ngfw_tls_configs:
+ tls_enabled: false
+ tls_ip_ids_by_region:
+ dev: {}
+ prod: {}
+ tfvars: __missing__
+ trust_config_ids:
+ dev: {}
+ prod: {}
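Review bot: The counts hunk of tests/fast/stages/s2_security/simple.yaml also appends a new `outputs:` block (`cas_configs`, `kms_keys`, `ngfw_tls_configs`, `tfvars`, `trust_config_ids`), which extends the fixture to assert stage outputs and goes beyond the role removal named in the commit title; a sentence in the description saying why the output assertions are added here would help later readers. Separately, the removed `nsec_*_sa_binding` entries in the earlier hunks show that stage 2 still bound `organizations/123456789012/roles/privateCaUser` before this change, while stage 0 now deletes the custom role itself. For an existing deployment the description does not say in which order the stages should be re-applied, and I would expect a short upgrade note so the role is not deleted while bindings in 2-security still reference it; if the stage ordering already guarantees this, a one-line mention is enough.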