From 7a7a0fa39ca0b4aa849cb50a92cc2d8ebe408aa5 Mon Sep 17 00:00:00 2001
From: Ludo
Date: Wed, 27 Sep 2023 22:02:40 +0200
Subject: [PATCH 1/3] only apply org policies when bootstrap user is not set

---
 fast/stages/0-bootstrap/README.md | 2 +-
 fast/stages/0-bootstrap/organization.tf | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index c1e2418534..b08e88375f 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -64,7 +64,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md
 It's often desirable to have organization policies deployed before any other resource in the org, so as to ensure compliance with specific requirements (e.g. location restrictions), or control the configuration of specific resources (e.g. default network at project creation or service account grants).
-To cover this use case, organization policies have been moved from the resource management to the bootstrap stage in FAST versions after 26.0.0. They are managed via the usual factory approach, and a [sample set of data files](./data/org-policies/) is included with this stage.
+To cover this use case, organization policies have been moved from the resource management to the bootstrap stage in FAST versions after 26.0.0. They are managed via the usual factory approach, and a [sample set of data files](./data/org-policies/) is included with this stage. They are not applied during the initial run when the `bootstrap_user` variable is set, to work around incompatibilies with user credentials.
 The only current exception to the factory approach is the `iam.allowedPolicyMemberDomains` constraint, which is managed in code so as to be able to auto-allow the organization's domain. More domains can be added via the `org_policies_config` variable, which also serves as an umbrella for future policies that will need to be managed in code.
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index 8f47caf332..d005f77584 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -156,8 +156,12 @@ module "organization" {
 type = attrs.type
 }
 }
- org_policies_data_path = var.factories_config.org_policy_data_path
- org_policies = {
+ org_policies_data_path = (
+ var.bootstrap_user != null
+ ? null
+ : var.factories_config.org_policy_data_path
+ )
+ org_policies = var.bootstrap_user != null ? {} : {
 "iam.allowedPolicyMemberDomains" = {
 rules = [
 {

From 4af99b033ad547f0b6d42c4f5e6f382621aed495 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Wed, 27 Sep 2023 22:42:55 +0200
Subject: [PATCH 2/3] Add Org Policy Admin to bootstrap roles

---
 fast/stages/0-bootstrap/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index b08e88375f..aba515af6c 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -170,7 +170,7 @@ export FAST_ORG_ID=123456
 # set needed roles
 export FAST_ROLES="roles/billing.admin roles/logging.admin \
 roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator \
- roles/resourcemanager.tagAdmin"
+ roles/resourcemanager.tagAdmin roles/orgpolicy.policyAdmin"

 for role in $FAST_ROLES; do
 gcloud organizations add-iam-policy-binding $FAST_ORG_ID \

From 9ab859a420ea6170a2291f317be0529ce5fa33ab Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Wed, 27 Sep 2023 23:24:14 +0200
Subject: [PATCH 3/3] Fix cleanup doc

---
 fast/stages/CLEANUP.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fast/stages/CLEANUP.md b/fast/stages/CLEANUP.md
index 4b2667c838..baee9d79d7 100644
--- a/fast/stages/CLEANUP.md
+++ b/fast/stages/CLEANUP.md
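Review bot: The `var.bootstrap_user != null` guard is written twice in this hunk, once for `org_policies_data_path` and once for `org_policies`; a single local such as `skip_org_policies = var.bootstrap_user != null` would keep the two conditions from drifting apart and gives a natural place for a comment stating that org policies — including the `iam.allowedPolicyMemberDomains` domain restriction defined right below — are deliberately not applied while running with user credentials and only land on the following service-account run. Nothing in the hunk warns when `bootstrap_user` is left set after the first apply; in that case the organization silently keeps running without any of these policies, so a `precondition` on the module input, or at least a comment calling this out, seems worth adding. The `module "organization"` block begins and ends outside the hunk.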
@@ -92,7 +92,7 @@ When the destroy fails, continue with the steps below. Again, make sure your use
 # to finish the destruction
 export FAST_DESTROY_ROLES="roles/billing.admin roles/logging.admin \
 roles/iam.organizationRoleAdmin roles/resourcemanager.projectDeleter \
- roles/resourcemanager.folderAdmin roles/owner"
+ roles/resourcemanager.folderAdmin roles/owner roles/resourcemanager.organizationAdmin"

 export FAST_BU=$(gcloud config list --format 'value(core.account)')

@@ -102,9 +102,12 @@ gcloud organizations list --filter display_name:[part of your domain]
 # set your org id
 export FAST_ORG_ID=XXXX

+terraform destroy -var boostrap_user=$FAST_BU
+terraform destroy
+
 for role in $FAST_DESTROY_ROLES; do
 gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
- --member user:$FAST_BU --role $role
+ --member user:$FAST_BU --role $role --condition None
 done

 terraform destroy
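Review bot: The added `terraform destroy -var boostrap_user=$FAST_BU` line misspells the variable name; Terraform rejects `-var` for an undeclared variable, so this documented recovery step fails before it does anything — it should read `terraform destroy -var bootstrap_user=$FAST_BU`. The two new `terraform destroy` invocations are placed ahead of the role-granting loop without explanation; a short comment above them, e.g. `# first pass with bootstrap_user set drops the org policies, second pass destroys the rest`, would make the ordering intentional rather than accidental — this reading is inferred from the bootstrap stage's conditional, so confirm it matches the intent. `$FAST_BU` is also unquoted on the new and existing lines; `"$FAST_BU"` would be safer, though account names rarely contain spaces.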