diff --git a/tests/fast/stages/s00_bootstrap/simple.yaml b/tests/fast/stages/s00_bootstrap/simple.yaml
index d8f6e36a..703b84b4 100644
--- a/tests/fast/stages/s00_bootstrap/simple.yaml
+++ b/tests/fast/stages/s00_bootstrap/simple.yaml
@@ -1,705 +1,49 @@ -# # TODO: missing all local_file and gcs objects -# values: -# google_organization_iam_binding.org_admin_delegated: -# condition: -# - description: Automation service account delegated grants. -# expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/accesscontextmanager.policyAdmin','roles/compute.orgFirewallPolicyAdmin','roles/compute.xpnAdmin','roles/orgpolicy.policyAdmin','roles/billing.admin','roles/billing.costsManager','roles/billing.user']) -# title: automation_sa_delegated_grants -# members: -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: organizations/123456789012/roles/organizationIamAdmin -# module.automation-project.data.google_bigquery_default_service_account.bq_sa[0]: -# project: fast-prod-iac-core-0 -# module.automation-project.data.google_storage_project_service_account.gcs_sa[0]: -# project: fast-prod-iac-core-0 -# user_project: null -# module.automation-project.google_project.project[0]: -# auto_create_network: false -# billing_account: 000000-111111-222222 -# folder_id: null -# labels: null -# name: fast-prod-iac-core-0 -# org_id: '123456789012' -# project_id: fast-prod-iac-core-0 -# skip_delete: false -# module.automation-project.google_project_iam_binding.authoritative["roles/cloudbuild.builds.editor"]: -# condition: [] -# members: -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# project: fast-prod-iac-core-0 -# role: roles/cloudbuild.builds.editor -# module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountAdmin"]: -# condition: [] -# members: -# - group:gcp-devops@fast.example.com -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# project: fast-prod-iac-core-0 -# role: roles/iam.serviceAccountAdmin -# module.automation-project.google_project_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]: 
-# condition: [] -# members: -# - group:gcp-devops@fast.example.com -# - group:gcp-organization-admins@fast.example.com -# project: fast-prod-iac-core-0 -# role: roles/iam.serviceAccountTokenCreator -# module.automation-project.google_project_iam_binding.authoritative["roles/iam.workloadIdentityPoolAdmin"]: -# condition: [] -# members: -# - group:gcp-organization-admins@fast.example.com -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# project: fast-prod-iac-core-0 -# role: roles/iam.workloadIdentityPoolAdmin -# module.automation-project.google_project_iam_binding.authoritative["roles/owner"]: -# condition: [] -# members: -# - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# project: fast-prod-iac-core-0 -# role: roles/owner -# module.automation-project.google_project_iam_binding.authoritative["roles/source.admin"]: -# condition: [] -# members: -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# project: fast-prod-iac-core-0 -# role: roles/source.admin -# module.automation-project.google_project_iam_binding.authoritative["roles/storage.admin"]: -# condition: [] -# members: -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# project: fast-prod-iac-core-0 -# role: roles/storage.admin -# module.automation-project.google_project_iam_member.servicenetworking[0]: -# condition: [] -# project: fast-prod-iac-core-0 -# role: roles/servicenetworking.serviceAgent -# module.automation-project.google_project_service.project_services["accesscontextmanager.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: accesscontextmanager.googleapis.com -# module.automation-project.google_project_service.project_services["bigquery.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: 
bigquery.googleapis.com -# module.automation-project.google_project_service.project_services["bigqueryreservation.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: bigqueryreservation.googleapis.com -# module.automation-project.google_project_service.project_services["bigquerystorage.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: bigquerystorage.googleapis.com -# module.automation-project.google_project_service.project_services["billingbudgets.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: billingbudgets.googleapis.com -# module.automation-project.google_project_service.project_services["cloudbilling.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: cloudbilling.googleapis.com -# module.automation-project.google_project_service.project_services["cloudbuild.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: cloudbuild.googleapis.com -# module.automation-project.google_project_service.project_services["cloudkms.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: cloudkms.googleapis.com -# module.automation-project.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: cloudresourcemanager.googleapis.com -# module.automation-project.google_project_service.project_services["compute.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: compute.googleapis.com -# 
module.automation-project.google_project_service.project_services["container.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: container.googleapis.com -# module.automation-project.google_project_service.project_services["essentialcontacts.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: essentialcontacts.googleapis.com -# module.automation-project.google_project_service.project_services["iam.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: iam.googleapis.com -# module.automation-project.google_project_service.project_services["iamcredentials.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: iamcredentials.googleapis.com -# module.automation-project.google_project_service.project_services["orgpolicy.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: orgpolicy.googleapis.com -# module.automation-project.google_project_service.project_services["pubsub.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: pubsub.googleapis.com -# module.automation-project.google_project_service.project_services["servicenetworking.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: servicenetworking.googleapis.com -# module.automation-project.google_project_service.project_services["serviceusage.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: serviceusage.googleapis.com -# module.automation-project.google_project_service.project_services["sourcerepo.googleapis.com"]: 
-# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: sourcerepo.googleapis.com -# module.automation-project.google_project_service.project_services["stackdriver.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: stackdriver.googleapis.com -# module.automation-project.google_project_service.project_services["storage-component.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: storage-component.googleapis.com -# module.automation-project.google_project_service.project_services["storage.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: storage.googleapis.com -# module.automation-project.google_project_service.project_services["sts.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-iac-core-0 -# service: sts.googleapis.com -# module.automation-project.google_project_service_identity.jit_si["pubsub.googleapis.com"]: -# project: fast-prod-iac-core-0 -# service: pubsub.googleapis.com -# module.automation-project.google_project_service_identity.servicenetworking[0]: -# project: fast-prod-iac-core-0 -# service: servicenetworking.googleapis.com -# module.automation-tf-bootstrap-gcs.google_storage_bucket.bucket: -# cors: [] -# custom_placement_config: [] -# default_event_based_hold: null -# encryption: [] -# force_destroy: false -# labels: null -# lifecycle_rule: [] -# location: EU -# logging: [] -# name: fast-prod-iac-core-bootstrap-0 -# project: fast-prod-iac-core-0 -# requester_pays: null -# retention_policy: [] -# storage_class: MULTI_REGIONAL -# uniform_bucket_level_access: true -# versioning: -# - enabled: true -# website: [] -# module.automation-tf-bootstrap-sa.google_service_account.service_account[0]: -# account_id: 
fast-prod-bootstrap-0 -# description: null -# disabled: false -# display_name: Terraform organization bootstrap service account. -# project: fast-prod-iac-core-0 -# module.automation-tf-bootstrap-sa.google_service_account_iam_binding.roles["roles/iam.serviceAccountTokenCreator"]: -# condition: [] -# members: null -# role: roles/iam.serviceAccountTokenCreator -# module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]: -# bucket: fast-prod-iac-core-outputs-0 -# condition: [] -# role: roles/storage.admin -# module.automation-tf-cicd-gcs.google_storage_bucket.bucket: -# cors: [] -# custom_placement_config: [] -# default_event_based_hold: null -# encryption: [] -# force_destroy: false -# labels: null -# lifecycle_rule: [] -# location: EU -# logging: [] -# name: fast-prod-iac-core-cicd-0 -# project: fast-prod-iac-core-0 -# requester_pays: null -# retention_policy: [] -# storage_class: MULTI_REGIONAL -# uniform_bucket_level_access: true -# versioning: -# - enabled: true -# website: [] -# module.automation-tf-cicd-gcs.google_storage_bucket_iam_binding.bindings["roles/storage.objectAdmin"]: -# bucket: fast-prod-iac-core-cicd-0 -# condition: [] -# members: -# - serviceAccount:fast-prod-cicd-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# role: roles/storage.objectAdmin -# module.automation-tf-cicd-provisioning-sa.google_service_account.service_account[0]: -# account_id: fast-prod-cicd-0 -# description: null -# disabled: false -# display_name: Terraform stage 1 CICD service account. 
-# project: fast-prod-iac-core-0 -# module.automation-tf-cicd-provisioning-sa.google_service_account_iam_binding.roles["roles/iam.serviceAccountTokenCreator"]: -# condition: [] -# members: null -# role: roles/iam.serviceAccountTokenCreator -# module.automation-tf-cicd-provisioning-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]: -# bucket: fast-prod-iac-core-outputs-0 -# condition: [] -# role: roles/storage.admin -# module.automation-tf-output-gcs.google_storage_bucket.bucket: -# cors: [] -# custom_placement_config: [] -# default_event_based_hold: null -# encryption: [] -# force_destroy: false -# labels: null -# lifecycle_rule: [] -# location: EU -# logging: [] -# name: fast-prod-iac-core-outputs-0 -# project: fast-prod-iac-core-0 -# requester_pays: null -# retention_policy: [] -# storage_class: MULTI_REGIONAL -# uniform_bucket_level_access: true -# versioning: -# - enabled: true -# website: [] -# module.automation-tf-resman-gcs.google_storage_bucket.bucket: -# cors: [] -# custom_placement_config: [] -# default_event_based_hold: null -# encryption: [] -# force_destroy: false -# labels: null -# lifecycle_rule: [] -# location: EU -# logging: [] -# name: fast-prod-iac-core-resman-0 -# project: fast-prod-iac-core-0 -# requester_pays: null -# retention_policy: [] -# storage_class: MULTI_REGIONAL -# uniform_bucket_level_access: true -# versioning: -# - enabled: true -# website: [] -# module.automation-tf-resman-gcs.google_storage_bucket_iam_binding.bindings["roles/storage.objectAdmin"]: -# bucket: fast-prod-iac-core-resman-0 -# condition: [] -# members: -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# role: roles/storage.objectAdmin -# module.automation-tf-resman-sa.google_service_account.service_account[0]: -# account_id: fast-prod-resman-0 -# description: null -# disabled: false -# display_name: Terraform stage 1 resman service account. 
-# project: fast-prod-iac-core-0 -# module.automation-tf-resman-sa.google_service_account_iam_binding.roles["roles/iam.serviceAccountTokenCreator"]: -# condition: [] -# members: null -# role: roles/iam.serviceAccountTokenCreator -# module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]: -# bucket: fast-prod-iac-core-outputs-0 -# condition: [] -# role: roles/storage.admin -# module.billing-export-dataset[0].google_bigquery_dataset.default: -# dataset_id: billing_export -# default_encryption_configuration: [] -# default_partition_expiration_ms: null -# default_table_expiration_ms: null -# delete_contents_on_destroy: false -# description: Terraform managed. -# friendly_name: Billing export. -# labels: null -# location: EU -# project: fast-prod-billing-exp-0 -# module.billing-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]: -# project: fast-prod-billing-exp-0 -# module.billing-export-project[0].data.google_storage_project_service_account.gcs_sa[0]: -# project: fast-prod-billing-exp-0 -# user_project: null -# module.billing-export-project[0].google_project.project[0]: -# auto_create_network: false -# billing_account: 000000-111111-222222 -# folder_id: null -# labels: null -# name: fast-prod-billing-exp-0 -# org_id: '123456789012' -# project_id: fast-prod-billing-exp-0 -# skip_delete: false -# module.billing-export-project[0].google_project_iam_binding.authoritative["roles/owner"]: -# condition: [] -# members: -# - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# project: fast-prod-billing-exp-0 -# role: roles/owner -# module.billing-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-billing-exp-0 -# service: bigquery.googleapis.com -# 
module.billing-export-project[0].google_project_service.project_services["bigquerydatatransfer.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-billing-exp-0 -# service: bigquerydatatransfer.googleapis.com -# module.billing-export-project[0].google_project_service.project_services["storage.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-billing-exp-0 -# service: storage.googleapis.com -# module.log-export-dataset[0].google_bigquery_dataset.default: -# dataset_id: audit_export -# default_encryption_configuration: [] -# default_partition_expiration_ms: null -# default_table_expiration_ms: null -# delete_contents_on_destroy: false -# description: Terraform managed. -# friendly_name: Audit logs export. -# labels: null -# location: EU -# project: fast-prod-audit-logs-0 -# module.log-export-project.data.google_bigquery_default_service_account.bq_sa[0]: -# project: fast-prod-audit-logs-0 -# module.log-export-project.data.google_storage_project_service_account.gcs_sa[0]: -# project: fast-prod-audit-logs-0 -# user_project: null -# module.log-export-project.google_project.project[0]: -# auto_create_network: false -# billing_account: 000000-111111-222222 -# folder_id: null -# labels: null -# name: fast-prod-audit-logs-0 -# org_id: '123456789012' -# project_id: fast-prod-audit-logs-0 -# skip_delete: false -# module.log-export-project.google_project_iam_binding.authoritative["roles/owner"]: -# condition: [] -# members: -# - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# project: fast-prod-audit-logs-0 -# role: roles/owner -# module.log-export-project.google_project_service.project_services["bigquery.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-audit-logs-0 -# service: bigquery.googleapis.com -# 
module.log-export-project.google_project_service.project_services["stackdriver.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-audit-logs-0 -# service: stackdriver.googleapis.com -# module.log-export-project.google_project_service.project_services["storage.googleapis.com"]: -# disable_dependent_services: false -# disable_on_destroy: false -# project: fast-prod-audit-logs-0 -# service: storage.googleapis.com -# module.organization.google_bigquery_dataset_iam_member.bq-sinks-binding["audit-logs"]: -# condition: [] -# role: roles/bigquery.dataEditor -# module.organization.google_bigquery_dataset_iam_member.bq-sinks-binding["vpc-sc"]: -# condition: [] -# role: roles/bigquery.dataEditor -# module.organization.google_logging_organization_sink.sink["audit-logs"]: -# description: audit-logs (Terraform-managed). -# disabled: false -# exclusions: [] -# filter: logName:"/logs/cloudaudit.googleapis.com%2Factivity" OR logName:"/logs/cloudaudit.googleapis.com%2Fsystem_event" -# include_children: true -# name: audit-logs -# org_id: '123456789012' -# module.organization.google_logging_organization_sink.sink["vpc-sc"]: -# description: vpc-sc (Terraform-managed). 
-# disabled: false -# exclusions: [] -# filter: protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" -# include_children: true -# name: vpc-sc -# org_id: '123456789012' -# module.organization.google_organization_iam_binding.authoritative["roles/browser"]: -# condition: [] -# members: -# - domain:fast.example.com -# org_id: '123456789012' -# role: roles/browser -# module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]: -# condition: [] -# members: -# - group:gcp-network-admins@fast.example.com -# - group:gcp-organization-admins@fast.example.com -# - group:gcp-security-admins@fast.example.com -# org_id: '123456789012' -# role: roles/cloudasset.owner -# module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]: -# condition: [] -# members: -# - group:gcp-organization-admins@fast.example.com -# org_id: '123456789012' -# role: roles/cloudsupport.admin -# module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]: -# condition: [] -# members: -# - group:gcp-devops@fast.example.com -# - group:gcp-network-admins@fast.example.com -# - group:gcp-security-admins@fast.example.com -# org_id: '123456789012' -# role: roles/cloudsupport.techSupportEditor -# module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]: -# condition: [] -# members: -# - group:gcp-organization-admins@fast.example.com -# org_id: '123456789012' -# role: roles/compute.osAdminLogin -# module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]: -# condition: [] -# members: -# - group:gcp-organization-admins@fast.example.com -# org_id: '123456789012' -# role: roles/compute.osLoginExternalUser -# module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]: -# condition: [] -# members: -# - 
group:gcp-security-admins@fast.example.com -# org_id: '123456789012' -# role: roles/iam.securityReviewer -# module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]: -# condition: [] -# members: -# - group:gcp-security-admins@fast.example.com -# - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/logging.admin -# module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]: -# condition: [] -# members: -# - group:gcp-devops@fast.example.com -# org_id: '123456789012' -# role: roles/logging.viewer -# module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]: -# condition: [] -# members: -# - group:gcp-devops@fast.example.com -# org_id: '123456789012' -# role: roles/monitoring.viewer -# module.organization.google_organization_iam_binding.authoritative["roles/owner"]: -# condition: [] -# members: -# - group:gcp-organization-admins@fast.example.com -# org_id: '123456789012' -# role: roles/owner -# module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: -# condition: [] -# members: -# - group:gcp-organization-admins@fast.example.com -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/resourcemanager.folderAdmin -# module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]: -# condition: [] -# members: -# - group:gcp-organization-admins@fast.example.com -# - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/resourcemanager.organizationAdmin -# module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: -# condition: [] -# members: -# - group:gcp-organization-admins@fast.example.com -# - 
serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/resourcemanager.projectCreator -# module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]: -# condition: [] -# members: -# - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/resourcemanager.projectMover -# module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]: -# condition: [] -# members: -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/resourcemanager.tagAdmin -# module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]: -# condition: [] -# members: -# - serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/resourcemanager.tagUser -# module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]: -# condition: [] -# members: -# - group:gcp-security-admins@fast.example.com -# org_id: '123456789012' -# role: roles/securitycenter.admin -# module.organization.google_organization_iam_custom_role.roles["organizationIamAdmin"]: -# description: Terraform-managed. -# org_id: '123456789012' -# permissions: -# - resourcemanager.organizations.get -# - resourcemanager.organizations.getIamPolicy -# - resourcemanager.organizations.setIamPolicy -# role_id: organizationIamAdmin -# stage: GA -# title: Custom role organizationIamAdmin -# module.organization.google_organization_iam_custom_role.roles["serviceProjectNetworkAdmin"]: -# description: Terraform-managed. 
-# org_id: '123456789012' -# permissions: -# - compute.globalOperations.get -# - compute.networks.get -# - compute.networks.updatePeering -# - compute.organizations.disableXpnResource -# - compute.organizations.enableXpnResource -# - compute.projects.get -# - compute.subnetworks.getIamPolicy -# - compute.subnetworks.setIamPolicy -# - dns.networks.bindPrivateDNSZone -# - resourcemanager.projects.get -# role_id: serviceProjectNetworkAdmin -# stage: GA -# title: Custom role serviceProjectNetworkAdmin -# module.organization.google_organization_iam_member.additive["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-security-admins@fast.example.com -# org_id: '123456789012' -# role: roles/accesscontextmanager.policyAdmin -# module.organization.google_organization_iam_member.additive["roles/billing.admin-group:gcp-billing-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-billing-admins@fast.example.com -# org_id: '123456789012' -# role: roles/billing.admin -# module.organization.google_organization_iam_member.additive["roles/billing.admin-group:gcp-organization-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-organization-admins@fast.example.com -# org_id: '123456789012' -# role: roles/billing.admin -# module.organization.google_organization_iam_member.additive["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]: -# condition: [] -# member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/billing.admin -# module.organization.google_organization_iam_member.additive["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]: -# condition: [] -# member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/billing.admin -# 
module.organization.google_organization_iam_member.additive["roles/billing.costsManager-group:gcp-billing-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-billing-admins@fast.example.com -# org_id: '123456789012' -# role: roles/billing.costsManager -# module.organization.google_organization_iam_member.additive["roles/billing.costsManager-group:gcp-organization-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-organization-admins@fast.example.com -# org_id: '123456789012' -# role: roles/billing.costsManager -# module.organization.google_organization_iam_member.additive["roles/billing.costsManager-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]: -# condition: [] -# member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/billing.costsManager -# module.organization.google_organization_iam_member.additive["roles/billing.costsManager-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]: -# condition: [] -# member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/billing.costsManager -# module.organization.google_organization_iam_member.additive["roles/compute.orgFirewallPolicyAdmin-group:gcp-network-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-network-admins@fast.example.com -# org_id: '123456789012' -# role: roles/compute.orgFirewallPolicyAdmin -# module.organization.google_organization_iam_member.additive["roles/compute.xpnAdmin-group:gcp-network-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-network-admins@fast.example.com -# org_id: '123456789012' -# role: roles/compute.xpnAdmin -# module.organization.google_organization_iam_member.additive["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-security-admins@fast.example.com -# 
org_id: '123456789012' -# role: roles/iam.organizationRoleAdmin -# module.organization.google_organization_iam_member.additive["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]: -# condition: [] -# member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/iam.organizationRoleAdmin -# module.organization.google_organization_iam_member.additive["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-organization-admins@fast.example.com -# org_id: '123456789012' -# role: roles/orgpolicy.policyAdmin -# module.organization.google_organization_iam_member.additive["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"]: -# condition: [] -# member: group:gcp-security-admins@fast.example.com -# org_id: '123456789012' -# role: roles/orgpolicy.policyAdmin -# module.organization.google_organization_iam_member.additive["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]: -# condition: [] -# member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com -# org_id: '123456789012' -# role: roles/orgpolicy.policyAdmin +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
-# counts:
-# google_bigquery_dataset: 2
-# google_bigquery_dataset_iam_member: 2
-# google_bigquery_default_service_account: 3
-# google_logging_organization_sink: 2
-# google_organization_iam_binding: 19
-# google_organization_iam_custom_role: 2
-# google_organization_iam_member: 16
-# google_project: 3
-# google_project_iam_binding: 9
-# google_project_iam_member: 1
-# google_project_service: 29
-# google_project_service_identity: 2
-# google_service_account: 3
-# google_service_account_iam_binding: 3
-# google_storage_bucket: 4
-# google_storage_bucket_iam_binding: 2
-# google_storage_bucket_iam_member: 3
-# google_storage_bucket_object: 5
-# google_storage_project_service_account: 3
-# local_file: 5
+counts:
+ google_bigquery_dataset: 2
+ google_bigquery_dataset_iam_member: 2
+ google_bigquery_default_service_account: 3
+ google_logging_organization_sink: 2
+ google_organization_iam_binding: 19
+ google_organization_iam_custom_role: 2
+ google_organization_iam_member: 16
+ google_project: 3
+ google_project_iam_binding: 9
+ google_project_iam_member: 1
+ google_project_service: 29
+ google_project_service_identity: 2
+ google_service_account: 3
+ google_service_account_iam_binding: 3
+ google_storage_bucket: 4
+ google_storage_bucket_iam_binding: 2
+ google_storage_bucket_iam_member: 3
+ google_storage_bucket_object: 5
+ google_storage_project_service_account: 3
+ local_file: 5
-# outputs:
-# automation: __missing__
-# billing_dataset: __missing__
-# cicd_repositories: {}
-# custom_roles:
-# organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin
-# service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin
-# federated_identity:
-# pool: null
-# providers: {}
-# outputs_bucket: fast-prod-iac-core-outputs-0
-# project_ids:
-# automation: fast-prod-iac-core-0
-# billing-export: fast-prod-billing-exp-0
-# log-export: fast-prod-audit-logs-0
-# service_accounts:
-# bootstrap: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
-# cicd: fast-prod-cicd-0@fast-prod-iac-core-0.iam.gserviceaccount.com
-# resman: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
-# tfvars: __missing__
+outputs:
+ custom_roles:
+ organization_iam_admin: organizations/123456789012/roles/organizationIamAdmin
+ service_project_network_admin: organizations/123456789012/roles/serviceProjectNetworkAdmin
+ outputs_bucket: fast-prod-iac-core-outputs-0
+ project_ids:
+ automation: fast-prod-iac-core-0
+ billing-export: fast-prod-billing-exp-0
+ log-export: fast-prod-audit-logs-0
+ service_accounts:
+ bootstrap: fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ cicd: fast-prod-cicd-0@fast-prod-iac-core-0.iam.gserviceaccount.com
+ resman: fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
diff --git a/tests/fast/stages/s00_bootstrap/simple_projects.yaml b/tests/fast/stages/s00_bootstrap/simple_projects.yaml
new file mode 100644
index 00000000..c4d359f3
--- /dev/null
+++ b/tests/fast/stages/s00_bootstrap/simple_projects.yaml
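Review bot: The new `simple.yaml` pins only resource counts and a handful of outputs, so the IAM grants described by the removed (commented-out) listing are not checked by any inventory in this change. Assuming inventories are compared against the plan, a change that swapped a member of `module.organization.google_organization_iam_binding.authoritative["roles/owner"]` or loosened the `hasOnly([...])` condition on `google_organization_iam_binding.org_admin_delegated` would still yield `google_organization_iam_binding: 19` and pass. The same gap applies to the `simple_projects.yaml` and `simple_sas.yaml` hunks, which pin names and ids but not the project-level `roles/owner` binding or the `roles/iam.serviceAccountTokenCreator` bindings on the automation service accounts. A `values:` section along the lines below would pin the highest-privilege organization bindings; the entries are copied from the removed listing and need confirming against a current plan.

```yaml
# … unchanged: counts and outputs …
values:
  module.organization.google_organization_iam_binding.authoritative["roles/owner"]:
    members:
      - group:gcp-organization-admins@fast.example.com
    org_id: '123456789012'
    role: roles/owner
  module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]:
    members:
      - group:gcp-organization-admins@fast.example.com
      - serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
    org_id: '123456789012'
    role: roles/resourcemanager.organizationAdmin
```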
@@ -0,0 +1,33 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.automation-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ name: fast-prod-iac-core-0
+ org_id: '123456789012'
+ project_id: fast-prod-iac-core-0
+ module.billing-export-project[0].google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ name: fast-prod-billing-exp-0
+ org_id: '123456789012'
+ project_id: fast-prod-billing-exp-0
+ module.log-export-project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 000000-111111-222222
+ name: fast-prod-audit-logs-0
+ org_id: '123456789012'
+ project_id: fast-prod-audit-logs-0
diff --git a/tests/fast/stages/s00_bootstrap/simple_sas.yaml b/tests/fast/stages/s00_bootstrap/simple_sas.yaml
new file mode 100644
index 00000000..ba84948d
--- /dev/null
+++ b/tests/fast/stages/s00_bootstrap/simple_sas.yaml
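Review bot: In simple_projects.yaml the three `billing_account` values are left as plain scalars while `org_id` on the neighbouring lines is quoted. The value resolves to a string only because of its dashes, so I would quote it the same way, `billing_account: '000000-111111-222222'`, to keep every ID-like value in the inventory immune to implicit typing. A one-line comment above `values:` stating that this file pins only the identity attributes of the three bootstrap projects would also help the next reader of the test.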
@@ -0,0 +1,27 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.automation-tf-bootstrap-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-bootstrap-0
+ display_name: Terraform organization bootstrap service account.
+ project: fast-prod-iac-core-0
+ module.automation-tf-cicd-provisioning-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-cicd-0
+ display_name: Terraform stage 1 CICD service account.
+ project: fast-prod-iac-core-0
+ module.automation-tf-resman-sa.google_service_account.service_account[0]:
+ account_id: fast-prod-resman-0
+ display_name: Terraform stage 1 resman service account.
+ project: fast-prod-iac-core-0
diff --git a/tests/fast/stages/s00_bootstrap/tftest.yaml b/tests/fast/stages/s00_bootstrap/tftest.yaml
index 3c57e322..4656859b 100644
--- a/tests/fast/stages/s00_bootstrap/tftest.yaml
+++ b/tests/fast/stages/s00_bootstrap/tftest.yaml
@@ -6,3 +6,7 @@ tests:
 simple:
 tfvars:
 - simple.tfvars
+ inventory:
+ - simple.yaml
+ - simple_projects.yaml
+ - simple_sas.yaml
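Review bot: The inventory list added under `simple:` in tftest.yaml pins projects and service accounts by value, but IAM resources are covered only by the `counts:` in simple.yaml (for example `google_organization_iam_binding: 19` and `google_organization_iam_member: 16`), as far as the visible part of that file shows. A plan that replaces one role or member with another keeps those counts unchanged and would still pass, so a privilege change in the bootstrap stage is not caught by this test. I would add a fourth inventory file, listed here as `- simple_iam.yaml` (the name is only a suggestion), whose `values:` pin at least the conditional `google_organization_iam_binding.org_admin_delegated` binding and the authoritative role bindings on the automation project. The `tests:` mapping starts above this hunk, so other test cases in the file may need the same treatment.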