From 559753fab52bd2b37e53f70afc78f2aa023ded99 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Tue, 1 Nov 2022 09:52:03 +0100
Subject: [PATCH] enable org policy API, fix run.allowedIngress value (#935)
---
 fast/stages/00-bootstrap/automation.tf | 1 +
 fast/stages/01-resman/organization.tf | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fast/stages/00-bootstrap/automation.tf b/fast/stages/00-bootstrap/automation.tf
index cf48d9cd..13eb68f1 100644
--- a/fast/stages/00-bootstrap/automation.tf
+++ b/fast/stages/00-bootstrap/automation.tf
@@ -72,6 +72,7 @@ module "automation-project" {
 "essentialcontacts.googleapis.com",
 "iam.googleapis.com",
 "iamcredentials.googleapis.com",
+ "orgpolicy.googleapis.com",
 "pubsub.googleapis.com",
 "servicenetworking.googleapis.com",
 "serviceusage.googleapis.com",
diff --git a/fast/stages/01-resman/organization.tf b/fast/stages/01-resman/organization.tf
index 0e8430e1..40a789ee 100644
--- a/fast/stages/01-resman/organization.tf
+++ b/fast/stages/01-resman/organization.tf
@@ -78,11 +78,10 @@ module "organization" {
 "iam.automaticIamGrantsForDefaultServiceAccounts" = { enforce = true }
 "iam.disableServiceAccountKeyCreation" = { enforce = true }
 "iam.disableServiceAccountKeyUpload" = { enforce = true }
- "run.allowedIngress" = { allow = { values = ["is:INTERNAL"] } }
+ "run.allowedIngress" = { allow = { values = ["is:internal"] } }
 "sql.restrictAuthorizedNetworks" = { enforce = true }
 "sql.restrictPublicIp" = { enforce = true }
 "storage.uniformBucketLevelAccess" = { enforce = true }
-
 # "cloudfunctions.allowedIngressSettings" = {
 # allow = { values = ["is:ALLOW_INTERNAL_ONLY"] }
 # }
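Review bot: The added `"orgpolicy.googleapis.com"` entry in `module "automation-project"` (fast/stages/00-bootstrap/automation.tf) gives no hint of why the automation project needs this API. Presumably the organization policies set in stage 01 are applied by identities that call the API through this project, in which case existing deployments must re-apply stage 00 before stage 01 will succeed. A short comment on the line, for example `# needed by stage 01 to manage organization policies`, would make that ordering explicit. The module block starts and ends outside the hunk.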
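Review bot: The corrected `"run.allowedIngress"` value in fast/stages/01-resman/organization.tf depends on exact casing, and nothing on the line tells the next editor so. The commented-out `cloudfunctions.allowedIngressSettings` entry just below uses an upper-case vocabulary (`ALLOW_INTERNAL_ONLY`), which invites the same mistake again. I would add a comment above the line, for example `# Cloud Run ingress values are lower-case: all, internal, internal-and-cloud-load-balancing`. Note also that `is:internal` rejects services that sit behind an external HTTP(S) load balancer, so teams using that pattern will need a folder- or project-level override that allows `internal-and-cloud-load-balancing`. The `module "organization"` block starts and ends outside the hunk.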