Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only apply org policies when bootstrap user is not set #1707

Merged
merged 3 commits into from
Sep 27, 2023
Merged

Only apply org policies when bootstrap user is not set #1707

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7a7a0fa
only apply org policies when bootstrap user is not set
ludoo Sep 27, 2023
4af99b0
Add Org Policy Admin to bootstrap roles
juliocc Sep 27, 2023
9ab859a
Fix cleanup doc
juliocc Sep 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 2 additions & 2 deletions fast/stages/0-bootstrap/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ A full reference of IAM roles managed by this stage [is available here](./IAM.md

It's often desirable to have organization policies deployed before any other resource in the org, so as to ensure compliance with specific requirements (e.g. location restrictions), or control the configuration of specific resources (e.g. default network at project creation or service account grants).

To cover this use case, organization policies have been moved from the resource management to the bootstrap stage in FAST versions after 26.0.0. They are managed via the usual factory approach, and a [sample set of data files](./data/org-policies/) is included with this stage.
To cover this use case, organization policies have been moved from the resource management to the bootstrap stage in FAST versions after 26.0.0. They are managed via the usual factory approach, and a [sample set of data files](./data/org-policies/) is included with this stage. They are not applied during the initial run when the `bootstrap_user` variable is set, to work around incompatibilies with user credentials.

The only current exception to the factory approach is the `iam.allowedPolicyMemberDomains` constraint, which is managed in code so as to be able to auto-allow the organization's domain. More domains can be added via the `org_policies_config` variable, which also serves as an umbrella for future policies that will need to be managed in code.

Expand Down Expand Up @@ -170,7 +170,7 @@ export FAST_ORG_ID=123456
# set needed roles
export FAST_ROLES="roles/billing.admin roles/logging.admin \
roles/iam.organizationRoleAdmin roles/resourcemanager.projectCreator \
roles/resourcemanager.tagAdmin"
roles/resourcemanager.tagAdmin roles/orgpolicy.policyAdmin"

for role in $FAST_ROLES; do
gcloud organizations add-iam-policy-binding $FAST_ORG_ID \
Expand Down
8 changes: 6 additions & 2 deletions fast/stages/0-bootstrap/organization.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,8 +156,12 @@ module "organization" {
type = attrs.type
}
}
org_policies_data_path = var.factories_config.org_policy_data_path
org_policies = {
org_policies_data_path = (
var.bootstrap_user != null
? null
: var.factories_config.org_policy_data_path
)
org_policies = var.bootstrap_user != null ? {} : {
"iam.allowedPolicyMemberDomains" = {
rules = [
{
Expand Down