Manage billing.creator role authoritatively in FAST bootstrap.

By default new orgs grant billing.creator and resourcemanager.projectCreator to the whole domain[1]. This PR makes FAST remove the former binding during the bootstrap (the latter is already managed by FAST). Fixes #1220 [1] https://cloud.google.com/resource-manager/docs/default-access-control
2023-03-07 16:46:46 +01:00 · 2023-03-07 16:46:46 +01:00 · 38808b37c0
parent cd8f0890e9
commit 38808b37c0
1 changed files with 2 additions and 1 deletions
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -20,6 +20,7 @@ locals {
  # organization authoritative IAM bindings, in an easy to edit format before
  # they are combined with var.iam a bit further in locals
  _iam = {
+    "roles/billing.creator" = []
    "roles/browser" = [
      "domain:${var.organization.domain}"
    ]