385 lines
19 KiB
YAML
385 lines
19 KiB
YAML
# Copyright 2024 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
values:
|
|
module.log-export-logbucket["audit-logs"].google_logging_project_bucket_config.bucket[0]:
|
|
bucket_id: audit-logs-audit-logs
|
|
cmek_settings: []
|
|
enable_analytics: false
|
|
index_configs: []
|
|
location: europe-west1
|
|
locked: null
|
|
project: fast-prod-audit-logs-0
|
|
retention_days: 30
|
|
module.log-export-logbucket["vpc-sc"].google_logging_project_bucket_config.bucket[0]:
|
|
bucket_id: audit-logs-vpc-sc
|
|
cmek_settings: []
|
|
enable_analytics: false
|
|
index_configs: []
|
|
location: europe-west1
|
|
locked: null
|
|
project: fast-prod-audit-logs-0
|
|
retention_days: 30
|
|
module.log-export-logbucket["workspace-audit-logs"].google_logging_project_bucket_config.bucket[0]:
|
|
bucket_id: audit-logs-workspace-audit-logs
|
|
cmek_settings: []
|
|
enable_analytics: false
|
|
index_configs: []
|
|
location: europe-west1
|
|
locked: null
|
|
project: fast-prod-audit-logs-0
|
|
retention_days: 30
|
|
module.organization.google_organization_iam_binding.authoritative["roles/billing.creator"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-billing-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/billing.creator
|
|
module.organization.google_organization_iam_binding.authoritative["roles/browser"]:
|
|
condition: []
|
|
members:
|
|
- domain:fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/browser
|
|
module.organization.google_organization_iam_binding.authoritative["roles/cloudasset.owner"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-network-admins@fast.example.com
|
|
- group:gcp-organization-admins@fast.example.com
|
|
- group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/cloudasset.owner
|
|
module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.admin"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-organization-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/cloudsupport.admin
|
|
module.organization.google_organization_iam_binding.authoritative["roles/cloudsupport.techSupportEditor"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-devops@fast.example.com
|
|
- group:gcp-network-admins@fast.example.com
|
|
- group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/cloudsupport.techSupportEditor
|
|
module.organization.google_organization_iam_binding.authoritative["roles/compute.osAdminLogin"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-organization-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/compute.osAdminLogin
|
|
module.organization.google_organization_iam_binding.authoritative["roles/compute.osLoginExternalUser"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-organization-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/compute.osLoginExternalUser
|
|
module.organization.google_organization_iam_binding.authoritative["roles/iam.securityReviewer"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/iam.securityReviewer
|
|
module.organization.google_organization_iam_binding.authoritative["roles/logging.admin"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-security-admins@fast.example.com
|
|
- serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
- serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/logging.admin
|
|
module.organization.google_organization_iam_binding.authoritative["roles/logging.viewer"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-devops@fast.example.com
|
|
- serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
- serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/logging.viewer
|
|
module.organization.google_organization_iam_binding.authoritative["roles/monitoring.viewer"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-devops@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/monitoring.viewer
|
|
module.organization.google_organization_iam_binding.authoritative["roles/owner"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-organization-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/owner
|
|
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-organization-admins@fast.example.com
|
|
- serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.folderAdmin
|
|
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.folderViewer"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-devops@fast.example.com
|
|
- group:gcp-network-admins@fast.example.com
|
|
- serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
- serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.folderViewer
|
|
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.organizationAdmin"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-organization-admins@fast.example.com
|
|
- serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.organizationAdmin
|
|
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-organization-admins@fast.example.com
|
|
- serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
- serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.projectCreator
|
|
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.projectMover"]:
|
|
condition: []
|
|
members:
|
|
- serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.projectMover
|
|
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagAdmin"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-organization-admins@fast.example.com
|
|
- serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
- serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.tagAdmin
|
|
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagUser"]:
|
|
condition: []
|
|
members:
|
|
- serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.tagUser
|
|
module.organization.google_organization_iam_binding.authoritative["roles/resourcemanager.tagViewer"]:
|
|
condition: []
|
|
members:
|
|
- serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
- serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.tagViewer
|
|
module.organization.google_organization_iam_binding.authoritative["roles/securitycenter.admin"]:
|
|
condition: []
|
|
members:
|
|
- group:gcp-organization-admins@fast.example.com
|
|
- group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/securitycenter.admin
|
|
module.organization.google_organization_iam_binding.authoritative["roles/serviceusage.serviceUsageViewer"]:
|
|
condition: []
|
|
members:
|
|
- serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/serviceusage.serviceUsageViewer
|
|
module.organization.google_organization_iam_binding.bindings["organization_iam_admin_conditional"]:
|
|
condition:
|
|
- description: Automation service account delegated grants.
|
|
expression: api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly(['roles/accesscontextmanager.policyAdmin','roles/compute.orgFirewallPolicyAdmin','roles/compute.xpnAdmin','roles/orgpolicy.policyAdmin','roles/resourcemanager.organizationViewer','organizations/123456789012/roles/tenantNetworkAdmin','roles/billing.admin','roles/billing.costsManager','roles/billing.user'])
|
|
title: automation_sa_delegated_grants
|
|
members:
|
|
- serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: organizations/123456789012/roles/organizationIamAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/accesscontextmanager.policyAdmin-group:gcp-security-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/accesscontextmanager.policyAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-billing-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-billing-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/billing.admin
|
|
? module.organization.google_organization_iam_member.bindings["roles/billing.admin-group:gcp-organization-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-organization-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/billing.admin
|
|
? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/billing.admin
|
|
? module.organization.google_organization_iam_member.bindings["roles/billing.admin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/billing.admin
|
|
? module.organization.google_organization_iam_member.bindings["roles/billing.user-group:gcp-organization-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-organization-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/billing.user
|
|
? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/billing.viewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/billing.viewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/billing.viewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/compute.networkAdmin-group:gcp-network-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-network-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/compute.networkAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/compute.orgFirewallPolicyAdmin-group:gcp-network-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-network-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/compute.orgFirewallPolicyAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/compute.securityAdmin-group:gcp-network-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-network-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/compute.securityAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/compute.viewer-group:gcp-security-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/compute.viewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/compute.xpnAdmin-group:gcp-network-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-network-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/compute.xpnAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/container.viewer-group:gcp-security-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/container.viewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-organization-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-organization-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/iam.organizationRoleAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-group:gcp-security-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/iam.organizationRoleAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/iam.organizationRoleAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-group:gcp-security-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/iam.organizationRoleViewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/iam.organizationRoleViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/iam.organizationRoleViewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/logging.configWriter-group:gcp-security-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/logging.configWriter
|
|
? module.organization.google_organization_iam_member.bindings["roles/logging.privateLogViewer-group:gcp-security-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/logging.privateLogViewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/monitoring.admin-group:gcp-monitoring-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-monitoring-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/monitoring.admin
|
|
? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-organization-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-organization-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/orgpolicy.policyAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-group:gcp-security-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/orgpolicy.policyAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/orgpolicy.policyAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyAdmin-serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/orgpolicy.policyAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-bootstrap-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/orgpolicy.policyViewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/orgpolicy.policyViewer-serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com"]
|
|
: condition: []
|
|
member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
|
|
org_id: '123456789012'
|
|
role: roles/orgpolicy.policyViewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/resourcemanager.folderIamAdmin-group:gcp-security-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-security-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.folderIamAdmin
|
|
? module.organization.google_organization_iam_member.bindings["roles/resourcemanager.organizationViewer-group:gcp-billing-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-billing-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/resourcemanager.organizationViewer
|
|
? module.organization.google_organization_iam_member.bindings["roles/storage.objectAdmin-group:gcp-organization-admins@fast.example.com"]
|
|
: condition: []
|
|
member: group:gcp-organization-admins@fast.example.com
|
|
org_id: '123456789012'
|
|
role: roles/storage.objectAdmin
|
|
|
|
counts:
|
|
google_bigquery_dataset: 1
|
|
google_bigquery_default_service_account: 3
|
|
google_essential_contacts_contact: 3
|
|
google_logging_organization_sink: 3
|
|
google_logging_project_bucket_config: 3
|
|
google_org_policy_policy: 20
|
|
google_organization_iam_binding: 25
|
|
google_organization_iam_custom_role: 6
|
|
google_organization_iam_member: 35
|
|
google_project: 3
|
|
google_project_iam_binding: 19
|
|
google_project_iam_member: 6
|
|
google_project_service: 29
|
|
google_project_service_identity: 3
|
|
google_service_account: 4
|
|
google_service_account_iam_binding: 2
|
|
google_storage_bucket: 4
|
|
google_storage_bucket_iam_binding: 2
|
|
google_storage_bucket_iam_member: 4
|
|
google_storage_bucket_object: 9
|
|
google_storage_project_service_account: 3
|
|
google_tags_tag_key: 1
|
|
google_tags_tag_value: 1
|
|
modules: 16
|
|
resources: 189
|