Fix FAST org policies

fast/stages/01-resman/branch-sandbox.tf

@@ -32,16 +32,9 @@ module "branch-sandbox-folder" {
     "roles/resourcemanager.folderAdmin"    = [module.branch-sandbox-sa.0.iam_email]
     "roles/resourcemanager.projectCreator" = [module.branch-sandbox-sa.0.iam_email]
   }
-  policy_boolean = {
+  org_policies = {
-    "constraints/sql.restrictPublicIp" = false
+    "constraints/sql.restrictPublicIp"       = { enforce = false }
-  }
+    "constraints/compute.vmExternalIpAccess" = { allow = { all = true } }
-  policy_list = {
-    "constraints/compute.vmExternalIpAccess" = {
-      inherit_from_parent = false
-      suggested_value     = null
-      status              = true
-      values              = []
-    }
   }
   tag_bindings = {
     context = try(

fast/stages/01-resman/organization.tf

@@ -18,18 +18,11 @@
 
 
 locals {
-  list_allow = {
+  all_drs_domains = concat(
-    inherit_from_parent = false
+    [var.organization.customer_id],
-    suggested_value     = null
+    try(local.policy_configs.allowed_policy_member_domains, [])
-    status              = true
+  )
-    values              = []
+
-  }
-  list_deny = {
-    inherit_from_parent = false
-    suggested_value     = null
-    status              = false
-    values              = []
-  }
   policy_configs = (
     var.organization_policy_configs == null
     ? {}
@@ -74,74 +67,55 @@ module "organization" {
     } : {}
   )
   # sample subset of useful organization policies, edit to suit requirements
-  policy_boolean = {
+
-    # "constraints/cloudfunctions.requireVPCConnector"              = true
+  org_policies = {
-    # "constraints/compute.disableGuestAttributesAccess" = true
+    "compute.disableGuestAttributesAccess"            = { enforce = true }
-    # "constraints/compute.disableInternetNetworkEndpointGroup"     = true
+    "compute.requireOsLogin"                          = { enforce = true }
-    # "constraints/compute.disableNestedVirtualization"             = true
+    "compute.restrictLoadBalancerCreationForTypes"    = { allow = { values = ["in:INTERNAL"] } }
-    # "constraints/compute.disableSerialPortAccess"                 = true
+    "compute.skipDefaultNetworkCreation"              = { enforce = true }
-    "constraints/compute.requireOsLogin" = true
+    "compute.vmExternalIpAccess"                      = { deny = { all = true } }
-    # "constraints/compute.restrictXpnProjectLienRemoval"           = true
+    "iam.allowedPolicyMemberDomains"                  = { allow = { values = local.all_drs_domains } }
-    "constraints/compute.skipDefaultNetworkCreation" = true
+    "iam.automaticIamGrantsForDefaultServiceAccounts" = { enforce = true }
-    # "constraints/compute.setNewProjectDefaultToZonalDNSOnly"      = true
+    "iam.disableServiceAccountKeyCreation"            = { enforce = true }
-    "constraints/iam.automaticIamGrantsForDefaultServiceAccounts" = true
+    "iam.disableServiceAccountKeyUpload"              = { enforce = true }
-    "constraints/iam.disableServiceAccountKeyCreation"            = true
+    "run.allowedIngress"                              = { allow = { values = ["is:INTERNAL"] } }
-    # "constraints/iam.disableServiceAccountKeyUpload"              = true
+    "sql.restrictAuthorizedNetworks"                  = { enforce = true }
-    "constraints/sql.restrictPublicIp"             = true
+    "sql.restrictPublicIp"                            = { enforce = true }
-    "constraints/sql.restrictAuthorizedNetworks"   = true
+    "storage.uniformBucketLevelAccess"                = { enforce = true }
-    "constraints/storage.uniformBucketLevelAccess" = true
+
-  }
+    # "cloudfunctions.allowedIngressSettings" = {
-  policy_list = {
+    #   allow = { values = ["is:ALLOW_INTERNAL_ONLY"] }
-    # "constraints/cloudfunctions.allowedIngressSettings" = merge(
-    #   local.list_allow, { values = ["is:ALLOW_INTERNAL_ONLY"] }
-    # )
-    # "constraints/cloudfunctions.allowedVpcConnectorEgressSettings" = merge(
-    #   local.list_allow, { values = ["is:PRIVATE_RANGES_ONLY"] }
-    # )
-    "constraints/compute.restrictLoadBalancerCreationForTypes" = merge(
-      local.list_allow, { values = ["in:INTERNAL"] }
-    )
-    "constraints/compute.vmExternalIpAccess" = local.list_deny
-    "constraints/iam.allowedPolicyMemberDomains" = merge(
-      local.list_allow, {
-        values = concat(
-          [var.organization.customer_id],
-          try(local.policy_configs.allowed_policy_member_domains, [])
-        )
-    })
-    "constraints/run.allowedIngress" = merge(
-      local.list_allow, { values = ["is:internal"] }
-    )
-    # "constraints/run.allowedVPCEgress" = merge(
-    #   local.list_allow, { values = ["is:private-ranges-only"] }
-    # )
-    # "constraints/compute.restrictCloudNATUsage"                      = local.list_deny
-    # "constraints/compute.restrictDedicatedInterconnectUsage"         = local.list_deny
-    # "constraints/compute.restrictPartnerInterconnectUsage"           = local.list_deny
-    # "constraints/compute.restrictProtocolForwardingCreationForTypes" = local.list_deny
-    # "constraints/compute.restrictSharedVpcHostProjects"              = local.list_deny
-    # "constraints/compute.restrictSharedVpcSubnetworks"               = local.list_deny
-    # "constraints/compute.restrictVpcPeering" = local.list_deny
-    # "constraints/compute.restrictVpnPeerIPs" = local.list_deny
-    # "constraints/compute.vmCanIpForward"     = local.list_deny
-    # "constraints/gcp.resourceLocations" = {
-    #   inherit_from_parent = false
-    #   suggested_value     = null
-    #   status              = true
-    #   values              = local.allowed_regions
     # }
-    # https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#restrict
+    # "cloudfunctions.allowedVpcConnectorEgressSettings" = {
-    # "constraints/iam.workloadIdentityPoolProviders" = merge(
+    #   allow = { values = ["is:PRIVATE_RANGES_ONLY"] }
-    #   local.list_allow, { values = [
+    # }
+    # "cloudfunctions.requireVPCConnector"              = { enforce = true }
+    # "compute.disableInternetNetworkEndpointGroup"     = { enforce = true }
+    # "compute.disableNestedVirtualization"             = { enforce = true }
+    # "compute.disableSerialPortAccess"                 = { enforce = true }
+    # "compute.restrictCloudNATUsage"                      = { deny = { all = true }}
+    # "compute.restrictDedicatedInterconnectUsage"         = { deny = { all = true }}
+    # "compute.restrictPartnerInterconnectUsage"           = { deny = { all = true }}
+    # "compute.restrictProtocolForwardingCreationForTypes" = { deny = { all = true }}
+    # "compute.restrictSharedVpcHostProjects"              = { deny = { all = true }}
+    # "compute.restrictSharedVpcSubnetworks"               = { deny = { all = true }}
+    # "compute.restrictVpcPeering" = { deny = { all = true }}
+    # "compute.restrictVpnPeerIPs" = { deny = { all = true }}
+    # "compute.restrictXpnProjectLienRemoval"           = { enforce = true }
+    # "compute.setNewProjectDefaultToZonalDNSOnly"      = { enforce = true }
+    # "compute.vmCanIpForward"     = { deny = { all = true }}
+    # "gcp.resourceLocations" = {
+    #   allow = { values = local.allowed_regions }
+    # }
+    # "iam.workloadIdentityPoolProviders" = {
+    #   allow =  {
+    #     values = [
     #       for k, v in coalesce(var.automation.federated_identity_providers, {}) :
     #       v.issuer_uri
-    #   ] }
+    #     ]
-    # )
+    #   }
-    # "constraints/iam.workloadIdentityPoolAwsAccounts" = merge(
+    # }
-    #   local.list_allow, { values = [
+    # "run.allowedVPCEgress" = { allow = { values = ["is:private-ranges-only"] }  }
-    #
-    #   ] }
-    # )
   }
   tags = {
     (var.tag_names.context) = {