From 38808b37c0c69e9f1b41c453516179fe3f654051 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Tue, 7 Mar 2023 16:46:46 +0100
Subject: [PATCH 1/2] Manage billing.creator role authoritatively in FAST bootstrap.

By default new orgs grant billing.creator and resourcemanager.projectCreator to the whole domain[1]. This PR makes FAST remove the former binding during the bootstrap (the latter is already managed by FAST).

Fixes #1220

[1] https://cloud.google.com/resource-manager/docs/default-access-control
---
 fast/stages/0-bootstrap/organization.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index d75a25f2..e94841f7 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ locals {
   # organization authoritative IAM bindings, in an easy to edit format before
   # they are combined with var.iam a bit further in locals
   _iam = {
+    "roles/billing.creator" = []
     "roles/browser" = [
       "domain:${var.organization.domain}"
     ]

From e33caf0059fee4b2062f827cb334f63b055f6aa4 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Tue, 7 Mar 2023 17:01:56 +0100
Subject: [PATCH 2/2] Fix tests

---
 tests/fast/stages/s0_bootstrap/simple.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 63a64cb9..d862c2d0 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
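Review bot: The new `"roles/billing.creator" = []` entry carries no comment saying why an empty member list is there, and because `_iam` is described as authoritative, the resulting binding removes every existing org-level billing.creator member on apply, not only the default domain-wide grant named in the commit message. A one-line comment above it, `# empty list: authoritatively strips the default domain-wide billing.creator grant`, would keep a later editor from deleting it as a no-op. Operators who had granted billing.creator to a billing-admin group will lose it unless they re-add those principals through var.iam; whether var.iam can override this key depends on the merge "a bit further in locals", which is outside the hunk. The enclosing `locals {` block also continues beyond the hunk.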
@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@ counts:
   google_bigquery_dataset: 1
   google_bigquery_default_service_account: 3
   google_logging_organization_sink: 2
-  google_organization_iam_binding: 19
+  google_organization_iam_binding: 20
   google_organization_iam_custom_role: 3
   google_organization_iam_member: 16
   google_project: 3
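Review bot: Raising `google_organization_iam_binding` from 19 to 20 only checks that one more binding resource is planned; it does not assert that the new roles/billing.creator binding has an empty member list, so a regression that re-added a domain member to that role would still pass. If this harness supports per-resource attribute assertions alongside `counts:`, a check that the billing.creator binding's members are empty would pin the hardening intent of the companion commit. As written, any extra binding of any role satisfies the count.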