diff --git a/fast/stages/00-bootstrap/README.md b/fast/stages/00-bootstrap/README.md
index a0bafe49..683025a7 100644
--- a/fast/stages/00-bootstrap/README.md
+++ b/fast/stages/00-bootstrap/README.md
@@ -262,6 +262,7 @@ terraform init
terraform apply \
-var bootstrap_user=$(gcloud config list --format 'value(core.account)')
```
+> If you see an error related to project name already exists, please make sure the project name is unique or the project was not deleted recently
Once the initial `apply` completes successfully, configure a remote backend using the new GCS bucket, and impersonation on the automation service account for this stage. To do this you can use the generated `providers.tf` file if you have configured output files as described above, or extract its contents from Terraform's output, then migrate state with `terraform init`:
diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf
index 13eb68f1..1475c811 100644
--- a/fast/stages/00-bootstrap/automation.tf
+++ b/fast/stages/00-bootstrap/automation.tf
@@ -111,11 +111,11 @@ module "automation-tf-bootstrap-gcs" {
}
module "automation-tf-bootstrap-sa" {
- source = "../../../modules/iam-service-account"
- project_id = module.automation-project.project_id
- name = "bootstrap-0"
- description = "Terraform organization bootstrap service account."
- prefix = local.prefix
+ source = "../../../modules/iam-service-account"
+ project_id = module.automation-project.project_id
+ name = "bootstrap-0"
+ display_name = "Terraform organization bootstrap service account."
+ prefix = local.prefix
# allow SA used by CI/CD workflow to impersonate this SA
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
@@ -144,11 +144,11 @@ module "automation-tf-cicd-gcs" {
}
module "automation-tf-cicd-provisioning-sa" {
- source = "../../../modules/iam-service-account"
- project_id = module.automation-project.project_id
- name = "cicd-0"
- description = "Terraform stage 1 CICD service account."
- prefix = local.prefix
+ source = "../../../modules/iam-service-account"
+ project_id = module.automation-project.project_id
+ name = "cicd-0"
+ display_name = "Terraform stage 1 CICD service account."
+ prefix = local.prefix
# allow SA used by CI/CD workflow to impersonate this SA
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
@@ -177,11 +177,11 @@ module "automation-tf-resman-gcs" {
}
module "automation-tf-resman-sa" {
- source = "../../../modules/iam-service-account"
- project_id = module.automation-project.project_id
- name = "resman-0"
- description = "Terraform stage 1 resman service account."
- prefix = local.prefix
+ source = "../../../modules/iam-service-account"
+ project_id = module.automation-project.project_id
+ name = "resman-0"
+ display_name = "Terraform stage 1 resman service account."
+ prefix = local.prefix
# allow SA used by CI/CD workflow to impersonate this SA
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
diff --git a/fast/stages/00-bootstrap/cicd.tf b/fast/stages/00-bootstrap/cicd.tf
index fba8f248..7cdae41c 100644
--- a/fast/stages/00-bootstrap/cicd.tf
+++ b/fast/stages/00-bootstrap/cicd.tf
@@ -87,12 +87,12 @@ module "automation-tf-cicd-repo" {
# SAs used by CI/CD workflows to impersonate automation SAs
module "automation-tf-cicd-sa" {
- source = "../../../modules/iam-service-account"
- for_each = local.cicd_repositories
- project_id = module.automation-project.project_id
- name = "${each.key}-1"
- description = "Terraform CI/CD ${each.key} service account."
- prefix = local.prefix
+ source = "../../../modules/iam-service-account"
+ for_each = local.cicd_repositories
+ project_id = module.automation-project.project_id
+ name = "${each.key}-1"
+ display_name = "Terraform CI/CD ${each.key} service account."
+ prefix = local.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
diff --git a/fast/stages/01-resman/README.md b/fast/stages/01-resman/README.md
index dbeb8afb..52e73c55 100644
--- a/fast/stages/01-resman/README.md
+++ b/fast/stages/01-resman/README.md
@@ -182,17 +182,18 @@ Due to its simplicity, this stage lends itself easily to customizations: adding
|---|---|:---:|:---:|:---:|:---:|
| [automation](variables.tf#L20) | Automation resources created by the bootstrap stage. | object({…})
| ✓ | | 00-bootstrap
|
| [billing_account](variables.tf#L38) | Billing account id and organization id ('nnnnnnnn' or null). | object({…})
| ✓ | | 00-bootstrap
|
-| [organization](variables.tf#L191) | Organization details. | object({…})
| ✓ | | 00-bootstrap
|
-| [prefix](variables.tf#L215) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 00-bootstrap
|
+| [organization](variables.tf#L197) | Organization details. | object({…})
| ✓ | | 00-bootstrap
|
+| [prefix](variables.tf#L221) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | 00-bootstrap
|
| [cicd_repositories](variables.tf#L47) | CI/CD repository configuration. Identity providers reference keys in the `automation.federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
| [custom_roles](variables.tf#L129) | Custom roles defined at the org level, in key => id format. | object({…})
| | null
| 00-bootstrap
|
-| [fast_features](variables.tf#L138) | Selective control for top-level FAST features. | object({…})
| | {…}
| 00-bootstrap
|
-| [groups](variables.tf#L158) | Group names to grant organization-level permissions. | map(string)
| | {…}
| 00-bootstrap
|
-| [locations](variables.tf#L173) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {…}
| 00-bootstrap
|
-| [organization_policy_configs](variables.tf#L201) | Organization policies customization. | object({…})
| | null
| |
-| [outputs_location](variables.tf#L209) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | string
| | null
| |
-| [tag_names](variables.tf#L226) | Customized names for resource management tags. | object({…})
| | {…}
| |
-| [team_folders](variables.tf#L243) | Team folders to be created. Format is described in a code comment. | map(object({…}))
| | null
| |
+| [data_dir](variables.tf#L138) | Relative path for the folder storing configuration data. | string
| | "data"
| |
+| [fast_features](variables.tf#L144) | Selective control for top-level FAST features. | object({…})
| | {…}
| 00-bootstrap
|
+| [groups](variables.tf#L164) | Group names to grant organization-level permissions. | map(string)
| | {…}
| 00-bootstrap
|
+| [locations](variables.tf#L179) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {…}
| 00-bootstrap
|
+| [organization_policy_configs](variables.tf#L207) | Organization policies customization. | object({…})
| | null
| |
+| [outputs_location](variables.tf#L215) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable | string
| | null
| |
+| [tag_names](variables.tf#L232) | Customized names for resource management tags. | object({…})
| | {…}
| |
+| [team_folders](variables.tf#L249) | Team folders to be created. Format is described in a code comment. | map(object({…}))
| | null
| |
## Outputs
diff --git a/fast/stages/01-resman/branch-data-platform.tf b/fast/stages/01-resman/branch-data-platform.tf
index e6bbd8fc..66cc9fbb 100644
--- a/fast/stages/01-resman/branch-data-platform.tf
+++ b/fast/stages/01-resman/branch-data-platform.tf
@@ -77,12 +77,12 @@ module "branch-dp-prod-folder" {
# automation service accounts and buckets
module "branch-dp-dev-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.data_platform ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-dp-0"
- description = "Terraform data platform development service account."
- prefix = var.prefix
+ source = "../../../modules/iam-service-account"
+ count = var.fast_features.data_platform ? 1 : 0
+ project_id = var.automation.project_id
+ name = "dev-resman-dp-0"
+ display_name = "Terraform data platform development service account."
+ prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.branch-dp-dev-sa-cicd.0.iam_email, null)
@@ -94,12 +94,12 @@ module "branch-dp-dev-sa" {
}
module "branch-dp-prod-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.data_platform ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-dp-0"
- description = "Terraform data platform production service account."
- prefix = var.prefix
+ source = "../../../modules/iam-service-account"
+ count = var.fast_features.data_platform ? 1 : 0
+ project_id = var.automation.project_id
+ name = "prod-resman-dp-0"
+ display_name = "Terraform data platform production service account."
+ prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.branch-dp-prod-sa-cicd.0.iam_email, null)
diff --git a/fast/stages/01-resman/branch-gke.tf b/fast/stages/01-resman/branch-gke.tf
index dd1d68bd..84ca41ed 100644
--- a/fast/stages/01-resman/branch-gke.tf
+++ b/fast/stages/01-resman/branch-gke.tf
@@ -69,12 +69,12 @@ module "branch-gke-prod-folder" {
}
module "branch-gke-dev-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gke ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-gke-0"
- description = "Terraform gke multitenant dev service account."
- prefix = var.prefix
+ source = "../../../modules/iam-service-account"
+ count = var.fast_features.gke ? 1 : 0
+ project_id = var.automation.project_id
+ name = "dev-resman-gke-0"
+ display_name = "Terraform gke multitenant dev service account."
+ prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = concat(
["group:${local.groups.gcp-devops}"],
@@ -89,12 +89,12 @@ module "branch-gke-dev-sa" {
}
module "branch-gke-prod-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.gke ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-gke-0"
- description = "Terraform gke multitenant prod service account."
- prefix = var.prefix
+ source = "../../../modules/iam-service-account"
+ count = var.fast_features.gke ? 1 : 0
+ project_id = var.automation.project_id
+ name = "prod-resman-gke-0"
+ display_name = "Terraform gke multitenant prod service account."
+ prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = concat(
["group:${local.groups.gcp-devops}"],
diff --git a/fast/stages/01-resman/branch-networking.tf b/fast/stages/01-resman/branch-networking.tf
index e21fd509..530cf6b0 100644
--- a/fast/stages/01-resman/branch-networking.tf
+++ b/fast/stages/01-resman/branch-networking.tf
@@ -86,11 +86,11 @@ module "branch-network-dev-folder" {
# automation service account and bucket
module "branch-network-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "prod-resman-net-0"
- description = "Terraform resman networking service account."
- prefix = var.prefix
+ source = "../../../modules/iam-service-account"
+ project_id = var.automation.project_id
+ name = "prod-resman-net-0"
+ display_name = "Terraform resman networking service account."
+ prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.branch-network-sa-cicd.0.iam_email, null)
diff --git a/fast/stages/01-resman/branch-project-factory.tf b/fast/stages/01-resman/branch-project-factory.tf
index 356fb7b6..41651a28 100644
--- a/fast/stages/01-resman/branch-project-factory.tf
+++ b/fast/stages/01-resman/branch-project-factory.tf
@@ -22,8 +22,8 @@ module "branch-pf-dev-sa" {
project_id = var.automation.project_id
name = "dev-resman-pf-0"
# naming: environment in description
- description = "Terraform project factory development service account."
- prefix = var.prefix
+ display_name = "Terraform project factory development service account."
+ prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.branch-pf-dev-sa-cicd.0.iam_email, null)
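Review bot: The context comment `# naming: environment in description` two lines above the change is now stale, because the environment string is carried by `display_name` rather than `description` after this commit; change it to `# naming: environment in display name`. The same comment sits in the `branch-pf-prod-sa` hunk of this file and needs the same update. Both module blocks start outside their hunks.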
@@ -40,8 +40,8 @@ module "branch-pf-prod-sa" {
project_id = var.automation.project_id
name = "prod-resman-pf-0"
# naming: environment in description
- description = "Terraform project factory production service account."
- prefix = var.prefix
+ display_name = "Terraform project factory production service account."
+ prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.branch-pf-prod-sa-cicd.0.iam_email, null)
diff --git a/fast/stages/01-resman/branch-sandbox.tf b/fast/stages/01-resman/branch-sandbox.tf
index 84995c15..8b54e749 100644
--- a/fast/stages/01-resman/branch-sandbox.tf
+++ b/fast/stages/01-resman/branch-sandbox.tf
@@ -68,10 +68,10 @@ moved {
}
module "branch-sandbox-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.sandbox ? 1 : 0
- project_id = var.automation.project_id
- name = "dev-resman-sbox-0"
- description = "Terraform resman sandbox service account."
- prefix = var.prefix
+ source = "../../../modules/iam-service-account"
+ count = var.fast_features.sandbox ? 1 : 0
+ project_id = var.automation.project_id
+ name = "dev-resman-sbox-0"
+ display_name = "Terraform resman sandbox service account."
+ prefix = var.prefix
}
diff --git a/fast/stages/01-resman/branch-security.tf b/fast/stages/01-resman/branch-security.tf
index c30269f8..c7b4fc97 100644
--- a/fast/stages/01-resman/branch-security.tf
+++ b/fast/stages/01-resman/branch-security.tf
@@ -49,11 +49,11 @@ module "branch-security-folder" {
# automation service account and bucket
module "branch-security-sa" {
- source = "../../../modules/iam-service-account"
- project_id = var.automation.project_id
- name = "prod-resman-sec-0"
- description = "Terraform resman security service account."
- prefix = var.prefix
+ source = "../../../modules/iam-service-account"
+ project_id = var.automation.project_id
+ name = "prod-resman-sec-0"
+ display_name = "Terraform resman security service account."
+ prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = compact([
try(module.branch-security-sa-cicd.0.iam_email, null)
diff --git a/fast/stages/01-resman/branch-teams.tf b/fast/stages/01-resman/branch-teams.tf
index e054bb3c..8b0e89b3 100644
--- a/fast/stages/01-resman/branch-teams.tf
+++ b/fast/stages/01-resman/branch-teams.tf
@@ -40,12 +40,12 @@ module "branch-teams-folder" {
}
module "branch-teams-sa" {
- source = "../../../modules/iam-service-account"
- count = var.fast_features.teams ? 1 : 0
- project_id = var.automation.project_id
- name = "prod-resman-teams-0"
- description = "Terraform resman teams service account."
- prefix = var.prefix
+ source = "../../../modules/iam-service-account"
+ count = var.fast_features.teams ? 1 : 0
+ project_id = var.automation.project_id
+ name = "prod-resman-teams-0"
+ display_name = "Terraform resman teams service account."
+ prefix = var.prefix
iam_storage_roles = {
(var.automation.outputs_bucket) = ["roles/storage.admin"]
}
@@ -83,12 +83,12 @@ module "branch-teams-team-folder" {
}
module "branch-teams-team-sa" {
- source = "../../../modules/iam-service-account"
- for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
- project_id = var.automation.project_id
- name = "prod-teams-${each.key}-0"
- description = "Terraform team ${each.key} service account."
- prefix = var.prefix
+ source = "../../../modules/iam-service-account"
+ for_each = var.fast_features.teams ? coalesce(var.team_folders, {}) : {}
+ project_id = var.automation.project_id
+ name = "prod-teams-${each.key}-0"
+ display_name = "Terraform team ${each.key} service account."
+ prefix = var.prefix
iam = {
"roles/iam.serviceAccountTokenCreator" = (
each.value.impersonation_groups == null
diff --git a/fast/stages/01-resman/cicd-data-platform.tf b/fast/stages/01-resman/cicd-data-platform.tf
index 6cd12114..5b07883c 100644
--- a/fast/stages/01-resman/cicd-data-platform.tf
+++ b/fast/stages/01-resman/cicd-data-platform.tf
@@ -95,10 +95,10 @@ module "branch-dp-dev-sa-cicd" {
? { 0 = local.cicd_repositories.data_platform_dev }
: {}
)
- project_id = var.automation.project_id
- name = "dev-resman-dp-1"
- description = "Terraform CI/CD data platform development service account."
- prefix = var.prefix
+ project_id = var.automation.project_id
+ name = "dev-resman-dp-1"
+ display_name = "Terraform CI/CD data platform development service account."
+ prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
@@ -138,10 +138,10 @@ module "branch-dp-prod-sa-cicd" {
? { 0 = local.cicd_repositories.data_platform_prod }
: {}
)
- project_id = var.automation.project_id
- name = "prod-resman-dp-1"
- description = "Terraform CI/CD data platform production service account."
- prefix = var.prefix
+ project_id = var.automation.project_id
+ name = "prod-resman-dp-1"
+ display_name = "Terraform CI/CD data platform production service account."
+ prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
diff --git a/fast/stages/01-resman/cicd-gke.tf b/fast/stages/01-resman/cicd-gke.tf
index 65a04a63..fa4f8767 100644
--- a/fast/stages/01-resman/cicd-gke.tf
+++ b/fast/stages/01-resman/cicd-gke.tf
@@ -95,10 +95,10 @@ module "branch-gke-dev-sa-cicd" {
? { 0 = local.cicd_repositories.gke_dev }
: {}
)
- project_id = var.automation.project_id
- name = "dev-resman-gke-1"
- description = "Terraform CI/CD GKE development service account."
- prefix = var.prefix
+ project_id = var.automation.project_id
+ name = "dev-resman-gke-1"
+ display_name = "Terraform CI/CD GKE development service account."
+ prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
@@ -138,10 +138,10 @@ module "branch-gke-prod-sa-cicd" {
? { 0 = local.cicd_repositories.gke_prod }
: {}
)
- project_id = var.automation.project_id
- name = "prod-resman-gke-1"
- description = "Terraform CI/CD GKE production service account."
- prefix = var.prefix
+ project_id = var.automation.project_id
+ name = "prod-resman-gke-1"
+ display_name = "Terraform CI/CD GKE production service account."
+ prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
diff --git a/fast/stages/01-resman/cicd-networking.tf b/fast/stages/01-resman/cicd-networking.tf
index 95177047..894348ff 100644
--- a/fast/stages/01-resman/cicd-networking.tf
+++ b/fast/stages/01-resman/cicd-networking.tf
@@ -57,10 +57,10 @@ module "branch-network-sa-cicd" {
? { 0 = local.cicd_repositories.networking }
: {}
)
- project_id = var.automation.project_id
- name = "prod-resman-net-1"
- description = "Terraform CI/CD stage 2 networking service account."
- prefix = var.prefix
+ project_id = var.automation.project_id
+ name = "prod-resman-net-1"
+ display_name = "Terraform CI/CD stage 2 networking service account."
+ prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
diff --git a/fast/stages/01-resman/cicd-project-factory.tf b/fast/stages/01-resman/cicd-project-factory.tf
index 2c9f0972..8f357ce6 100644
--- a/fast/stages/01-resman/cicd-project-factory.tf
+++ b/fast/stages/01-resman/cicd-project-factory.tf
@@ -106,10 +106,10 @@ module "branch-pf-dev-sa-cicd" {
? { 0 = local.cicd_repositories.project_factory_dev }
: {}
)
- project_id = var.automation.project_id
- name = "dev-pf-resman-pf-1"
- description = "Terraform CI/CD project factory development service account."
- prefix = var.prefix
+ project_id = var.automation.project_id
+ name = "dev-pf-resman-pf-1"
+ display_name = "Terraform CI/CD project factory development service account."
+ prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
@@ -154,10 +154,10 @@ module "branch-pf-prod-sa-cicd" {
? { 0 = local.cicd_repositories.project_factory_prod }
: {}
)
- project_id = var.automation.project_id
- name = "prod-pf-resman-pf-1"
- description = "Terraform CI/CD project factory production service account."
- prefix = var.prefix
+ project_id = var.automation.project_id
+ name = "prod-pf-resman-pf-1"
+ display_name = "Terraform CI/CD project factory production service account."
+ prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
diff --git a/fast/stages/01-resman/cicd-security.tf b/fast/stages/01-resman/cicd-security.tf
index 86fd84fd..dd27a473 100644
--- a/fast/stages/01-resman/cicd-security.tf
+++ b/fast/stages/01-resman/cicd-security.tf
@@ -57,10 +57,10 @@ module "branch-security-sa-cicd" {
? { 0 = local.cicd_repositories.security }
: {}
)
- project_id = var.automation.project_id
- name = "prod-resman-sec-1"
- description = "Terraform CI/CD stage 2 security service account."
- prefix = var.prefix
+ project_id = var.automation.project_id
+ name = "prod-resman-sec-1"
+ display_name = "Terraform CI/CD stage 2 security service account."
+ prefix = var.prefix
iam = (
each.value.type == "sourcerepo"
# used directly from the cloud build trigger for source repos
diff --git a/fast/stages/01-resman/data/org-policies/compute.yaml b/fast/stages/01-resman/data/org-policies/compute.yaml
new file mode 100644
index 00000000..0d27ac42
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/compute.yaml
@@ -0,0 +1,73 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+compute.disableGuestAttributesAccess:
+ enforce: true
+
+compute.requireOsLogin:
+ enforce: true
+
+compute.restrictLoadBalancerCreationForTypes:
+ allow:
+ values:
+ - in:INTERNAL
+
+compute.skipDefaultNetworkCreation:
+ enforce: true
+
+compute.vmExternalIpAccess:
+ deny:
+ all: true
+
+
+# compute.disableInternetNetworkEndpointGroup:
+# enforce: true
+
+# compute.disableNestedVirtualization:
+# enforce: true
+
+# compute.disableSerialPortAccess:
+# enforce: true
+
+# compute.restrictCloudNATUsage:
+# deny:
+# all: true
+
+# compute.restrictDedicatedInterconnectUsage:
+# deny:
+# all: true
+
+# compute.restrictPartnerInterconnectUsage:
+# deny:
+# all: true
+
+# compute.restrictProtocolForwardingCreationForTypes:
+# deny:
+# all: true
+
+# compute.restrictSharedVpcHostProjects:
+# deny:
+# all: true
+
+# compute.restrictSharedVpcSubnetworks:
+# deny:
+# all: true
+
+# compute.restrictVpcPeering:
+# deny:
+# all: true
+
+# compute.restrictVpnPeerIPs:
+# deny:
+# all: true
+
+# compute.restrictXpnProjectLienRemoval:
+# enforce: true
+
+# compute.setNewProjectDefaultToZonalDNSOnly:
+# enforce: true
+
+# compute.vmCanIpForward:
+# deny:
+# all: true
diff --git a/fast/stages/01-resman/data/org-policies/iam.yaml b/fast/stages/01-resman/data/org-policies/iam.yaml
new file mode 100644
index 00000000..4d83f827
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/iam.yaml
@@ -0,0 +1,12 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+iam.automaticIamGrantsForDefaultServiceAccounts:
+ enforce: true
+
+iam.disableServiceAccountKeyCreation:
+ enforce: true
+
+iam.disableServiceAccountKeyUpload:
+ enforce: true
diff --git a/fast/stages/01-resman/data/org-policies/serverless.yaml b/fast/stages/01-resman/data/org-policies/serverless.yaml
new file mode 100644
index 00000000..de62e6c7
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/serverless.yaml
@@ -0,0 +1,26 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+run.allowedIngress:
+ allow:
+ values:
+ - is:internal
+
+# run.allowedVPCEgress:
+# allow:
+# values:
+# - is:private-ranges-only
+
+# cloudfunctions.allowedIngressSettings:
+# allow:
+# values:
+# - is:ALLOW_INTERNAL_ONLY
+
+# cloudfunctions.allowedVpcConnectorEgressSettings:
+# allow:
+# values:
+# - is:PRIVATE_RANGES_ONLY
+
+# cloudfunctions.requireVPCConnector:
+# enforce: true
diff --git a/fast/stages/01-resman/data/org-policies/sql.yaml b/fast/stages/01-resman/data/org-policies/sql.yaml
new file mode 100644
index 00000000..88b84d9d
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/sql.yaml
@@ -0,0 +1,9 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+sql.restrictAuthorizedNetworks:
+ enforce: true
+
+sql.restrictPublicIp:
+ enforce: true
diff --git a/fast/stages/01-resman/data/org-policies/storage.yaml b/fast/stages/01-resman/data/org-policies/storage.yaml
new file mode 100644
index 00000000..6c0a673f
--- /dev/null
+++ b/fast/stages/01-resman/data/org-policies/storage.yaml
@@ -0,0 +1,6 @@
+# skip boilerplate check
+#
+# sample subset of useful organization policies, edit to suit requirements
+
+storage.uniformBucketLevelAccess:
+ enforce: true
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index 40a789ee..7ecf7952 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -66,44 +66,12 @@ module "organization" {
)
} : {}
)
- # sample subset of useful organization policies, edit to suit requirements
+ # sample subset of useful organization policies, edit to suit requirements
org_policies = {
- "compute.disableGuestAttributesAccess" = { enforce = true }
- "compute.requireOsLogin" = { enforce = true }
- "compute.restrictLoadBalancerCreationForTypes" = { allow = { values = ["in:INTERNAL"] } }
- "compute.skipDefaultNetworkCreation" = { enforce = true }
- "compute.vmExternalIpAccess" = { deny = { all = true } }
- "iam.allowedPolicyMemberDomains" = { allow = { values = local.all_drs_domains } }
- "iam.automaticIamGrantsForDefaultServiceAccounts" = { enforce = true }
- "iam.disableServiceAccountKeyCreation" = { enforce = true }
- "iam.disableServiceAccountKeyUpload" = { enforce = true }
- "run.allowedIngress" = { allow = { values = ["is:internal"] } }
- "sql.restrictAuthorizedNetworks" = { enforce = true }
- "sql.restrictPublicIp" = { enforce = true }
- "storage.uniformBucketLevelAccess" = { enforce = true }
- # "cloudfunctions.allowedIngressSettings" = {
- # allow = { values = ["is:ALLOW_INTERNAL_ONLY"] }
- # }
- # "cloudfunctions.allowedVpcConnectorEgressSettings" = {
- # allow = { values = ["is:PRIVATE_RANGES_ONLY"] }
- # }
- # "cloudfunctions.requireVPCConnector" = { enforce = true }
- # "compute.disableInternetNetworkEndpointGroup" = { enforce = true }
- # "compute.disableNestedVirtualization" = { enforce = true }
- # "compute.disableSerialPortAccess" = { enforce = true }
- # "compute.restrictCloudNATUsage" = { deny = { all = true }}
- # "compute.restrictDedicatedInterconnectUsage" = { deny = { all = true }}
- # "compute.restrictPartnerInterconnectUsage" = { deny = { all = true }}
- # "compute.restrictProtocolForwardingCreationForTypes" = { deny = { all = true }}
- # "compute.restrictSharedVpcHostProjects" = { deny = { all = true }}
- # "compute.restrictSharedVpcSubnetworks" = { deny = { all = true }}
- # "compute.restrictVpcPeering" = { deny = { all = true }}
- # "compute.restrictVpnPeerIPs" = { deny = { all = true }}
- # "compute.restrictXpnProjectLienRemoval" = { enforce = true }
- # "compute.setNewProjectDefaultToZonalDNSOnly" = { enforce = true }
- # "compute.vmCanIpForward" = { deny = { all = true }}
- # "gcp.resourceLocations" = {
+ "iam.allowedPolicyMemberDomains" = { allow = { values = local.all_drs_domains } }
+
+ #"gcp.resourceLocations" = {
# allow = { values = local.allowed_regions }
# }
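Review bot: The comment `# sample subset of useful organization policies, edit to suit requirements` kept above `org_policies` now describes exactly what this commit moved out: the only inline entry left is `iam.allowedPolicyMemberDomains`, which stays because it references `local.all_drs_domains`, while the sample subset lives in the new YAML files. Replace it with `# policies that reference locals stay inline; the sample subset is in ${var.data_dir}/org-policies` so the two locations point at each other. The re-added `#"gcp.resourceLocations" = {` also lost the space after `#` that the continuation lines below it keep. `module "organization"` starts before this hunk and continues after it.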
# "iam.workloadIdentityPoolProviders" = {
@@ -114,8 +82,9 @@ module "organization" {
# ]
# }
# }
- # "run.allowedVPCEgress" = { allow = { values = ["is:private-ranges-only"] } }
}
+ org_policies_data_path = "${var.data_dir}/org-policies"
+
tags = {
(var.tag_names.context) = {
description = "Resource management context."
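Review bot: Reading the policies from `org_policies_data_path` means a wrong `var.data_dir`, or a checkout where the folder is missing or empty, presumably no longer fails but silently drops the guardrails that were inline before this commit (`iam.disableServiceAccountKeyCreation`, `compute.vmExternalIpAccess` and the rest), surfacing only as policy deletions in the plan; how the module treats an empty path is outside this diff, so confirm that first. A `validation` block on `data_dir` in the variables.tf hunk of this commit, with `condition = length(fileset("${var.data_dir}/org-policies", "*.yaml")) > 0` and an `error_message` naming the folder, would turn that into a plan-time error; `fileset` should be usable in a validation condition, but verify on the Terraform version the stage pins. `module "organization"` starts before this hunk and continues after it.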
diff --git a/fast/stages/01-resman/variables.tf b/fast/stages/01-resman/variables.tf
index 8da86967..6de9a7fa 100644
--- a/fast/stages/01-resman/variables.tf
+++ b/fast/stages/01-resman/variables.tf
@@ -135,6 +135,12 @@ variable "custom_roles" {
default = null
}
+variable "data_dir" {
+ description = "Relative path for the folder storing configuration data."
+ type = string
+ default = "data"
+}
+
variable "fast_features" {
# tfdoc:variable:source 00-bootstrap
description = "Selective control for top-level FAST features."
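Review bot: The description of the new `data_dir` variable, `Relative path for the folder storing configuration data.`, does not say what the path is relative to; organization.tf interpolates it as `${var.data_dir}/org-policies` without `path.module`, so it presumably resolves against the directory Terraform is run from. Spell that out and name the one subfolder read today, e.g. `description = "Path of the folder storing configuration data, relative to the stage directory; organization policies are read from its org-policies subfolder."`. `variable "fast_features"` continues past the end of the hunk.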