diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 4d7eae24..1cec1f35 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -136,7 +136,7 @@ Because of limitations of API availability, manual steps have to be followed to
### Organization-level logging
-We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) and [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) into a logging bucket in the top-level audit project.
+We create organization-level log sinks early in the bootstrap process to ensure a proper audit trail is in place from the very beginning. By default, we provide log filters to capture [Cloud Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Service Controls violations](https://cloud.google.com/vpc-service-controls/docs/troubleshooting#vpc-sc-errors) and [Workspace Logs](https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs) into logging buckets in the top-level audit logging project.
The [Customizations](#log-sinks-and-log-destinations) section explains how to change the logs captured and their destination.
@@ -579,8 +579,8 @@ The remaining configuration is manual, as it regards the repositories themselves
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
| [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | |
-| [organization](variables.tf#L243) | Organization details. | object({…}) | ✓ | | |
-| [prefix](variables.tf#L258) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
+| [organization](variables.tf#L247) | Organization details. | object({…}) | ✓ | | |
+| [prefix](variables.tf#L262) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
| [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string | | null | |
| [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
| [custom_role_names](variables.tf#L79) | Names of custom roles defined at the org level. | object({…}) | | {…} | |
@@ -593,10 +593,10 @@ The remaining configuration is manual, as it regards the repositories themselves
| [iam](variables.tf#L166) | Organization-level custom IAM settings in role => [principal] format. | map(list(string)) | | {} | |
| [iam_bindings_additive](variables.tf#L173) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | |
| [locations](variables.tf#L188) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | |
-| [log_sinks](variables.tf#L202) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
-| [org_policies_config](variables.tf#L227) | Organization policies customization. | object({…}) | | {} | |
-| [outputs_location](variables.tf#L252) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [project_parent_ids](variables.tf#L267) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {…} | |
+| [log_sinks](variables.tf#L202) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
+| [org_policies_config](variables.tf#L231) | Organization policies customization. | object({…}) | | {} | |
+| [outputs_location](variables.tf#L256) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
+| [project_parent_ids](variables.tf#L271) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {…} | |
## Outputs
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 8446b4dd..2ed6d653 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -214,6 +214,10 @@ variable "log_sinks" {
filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\""
type = "logging"
}
+ workspace-audit-logs = {
+ filter = "logName:\"/logs/cloudaudit.googleapis.com%2Fdata_access\" and protoPayload.serviceName:\"login.googleapis.com\""
+ type = "logging"
+ }
}
validation {
condition = alltrue([
diff --git a/tests/fast/stages/s0_bootstrap/simple.yaml b/tests/fast/stages/s0_bootstrap/simple.yaml
index 70ad130a..5f64bb99 100644
--- a/tests/fast/stages/s0_bootstrap/simple.yaml
+++ b/tests/fast/stages/s0_bootstrap/simple.yaml
@@ -15,13 +15,13 @@
counts:
google_bigquery_dataset: 1
google_bigquery_default_service_account: 3
- google_logging_organization_sink: 2
+ google_logging_organization_sink: 3
google_organization_iam_binding: 20
google_organization_iam_custom_role: 3
google_organization_iam_member: 13
google_project: 3
google_project_iam_binding: 10
- google_project_iam_member: 4
+ google_project_iam_member: 5
google_project_service: 29
google_project_service_identity: 3
google_service_account: 2