diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf
index cf48d9cd..13eb68f1 100644
--- a/fast/stages/00-bootstrap/automation.tf
+++ b/fast/stages/00-bootstrap/automation.tf
@@ -72,6 +72,7 @@ module "automation-project" {
 "essentialcontacts.googleapis.com",
 "iam.googleapis.com",
 "iamcredentials.googleapis.com",
+ "orgpolicy.googleapis.com",
 "pubsub.googleapis.com",
 "servicenetworking.googleapis.com",
 "serviceusage.googleapis.com",
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index 0e8430e1..40a789ee 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -78,11 +78,10 @@ module "organization" {
 "iam.automaticIamGrantsForDefaultServiceAccounts" = { enforce = true }
 "iam.disableServiceAccountKeyCreation" = { enforce = true }
 "iam.disableServiceAccountKeyUpload" = { enforce = true }
- "run.allowedIngress" = { allow = { values = ["is:INTERNAL"] } }
+ "run.allowedIngress" = { allow = { values = ["is:internal"] } }
 "sql.restrictAuthorizedNetworks" = { enforce = true }
 "sql.restrictPublicIp" = { enforce = true }
 "storage.uniformBucketLevelAccess" = { enforce = true }
-
 # "cloudfunctions.allowedIngressSettings" = {
 # allow = { values = ["is:ALLOW_INTERNAL_ONLY"] }
 # }
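Review bot: The corrected `run.allowedIngress` entry in fast/stages/01-resman/organization.tf has no comment recording which value spellings the constraint accepts, so nothing on the page stops the uppercase form from being reintroduced; a line such as `# values are the lowercase Cloud Run ingress settings: all, internal, internal-and-cloud-load-balancing` above the entry would document it. The `cloudfunctions.allowedIngressSettings` block directly below stays commented out with no stated reason, so as far as this hunk shows Cloud Functions ingress is not constrained at the organization level. I would add a one-line comment saying why it is disabled and what has to happen before it can be enabled, for example `# disabled: <reason>; tracked in <issue placeholder>`. The `module "organization"` block starts and ends outside the hunk, so the constraint may be handled elsewhere in the file.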