Flexible stage 2s in FAST resource manager (#2840)

* wip

* WIP

* wip

* wip

* apply untested

* tests

* support tag expansion for tenant-level installations in IAM conditions

* fix stage config output

* inventories

* remove dev files

* tfdoc

* enable org policies for stage folders

* resman README

* tfdoc

* stage 3 documentation

* inventory

* support extra_dirs in testing franework

* remove org policy files from stage 1

* Add principal interpolation to iam_by_principals (#2847)

* Add principal interpolation to iam_by_principals

* Fix tests

* relax schemas

* relax schemas

---------

Co-authored-by: Julio Castillo <[email protected]>

fast/stages/1-resman/billing.tf

@@ -19,36 +19,18 @@
 locals {
   billing_iam = merge(
     # stage 2
-    var.fast_stage_2.networking.enabled != true ? {} : {
-      sa_net_billing = {
-        member = module.net-sa-rw[0].iam_email
+    {
+      for k, v in local.stage2 : "sa_${v.short_name}_billing" => {
+        member = module.stage2-sa-rw[k].iam_email
         role   = "roles/billing.user"
       }
     },
-    var.fast_stage_2.security.enabled != true ? {} : {
-      sa_sec_billing = {
-        member = module.sec-sa-rw[0].iam_email
-        role   = "roles/billing.user"
+    {
+      for k, v in local.stage2 : "sa_${v.short_name}_costs_manager" => {
+        member = module.stage2-sa-rw[k].iam_email
+        role   = "roles/billing.costsManager"
       }
     },
-    var.fast_stage_2.project_factory.enabled != true ? {} : merge(
-      {
-        sa_pf_billing = {
-          member = module.pf-sa-rw[0].iam_email
-          role   = "roles/billing.user"
-        },
-        sa_pf_costs_manager = {
-          member = module.pf-sa-rw[0].iam_email
-          role   = "roles/billing.costsManager"
-        }
-      },
-      var.billing_account.is_org_level != true ? {} : {
-        sa_pf_ro_viewer = {
-          member = module.pf-sa-ro[0].iam_email
-          role   = var.custom_roles.billing_viewer
-        }
-      }
-    ),
     # stage 3
     {
       for k, v in local.stage3 : k => {

fast/stages/1-resman/data/stage-2/networking.yaml

@@ -0,0 +1,73 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/fast-stage2.schema.json
+
+short_name: net
+folder_config:
+  name: Networking
+  create_env_folders: true
+  iam_by_principals:
+    rw:
+      - roles/logging.admin
+      - roles/owner
+      - roles/resourcemanager.folderAdmin
+      - roles/resourcemanager.projectCreator
+      - roles/compute.xpnAdmin
+      - roles/resourcemanager.tagUser
+    ro:
+      - roles/viewer
+      - roles/resourcemanager.folderViewer
+      - roles/resourcemanager.tagViewer
+    project-factory-rw:
+      - service_project_network_admin
+    project-factory-ro:
+      - roles/compute.networkViewer
+      - project_iam_viewer
+    gcp-network-admins:
+      - roles/editor
+  # project factory delegated IAM grant
+  iam_bindings:
+    project_factory:
+      role: roles/resourcemanager.projectIamAdmin
+      members:
+        - project-factory-rw
+      condition:
+        title: Project factory delegated IAM grant.
+        expression: |
+          api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
+            'roles/compute.networkUser', 'roles/composer.sharedVpcAgent',
+            'roles/container.hostServiceAgentUser', 'roles/vpcaccess.user'
+          ])
+  # iam_bindings_additive for stage 3 are added here when needed
+  # refer to each stage 3 documentation for snippets and examples
+organization_config:
+  iam_bindings_additive:
+    sa_net_rw_fw_policy_admin:
+      member: rw
+      role: roles/compute.orgFirewallPolicyAdmin
+    sa_net_rw_ngfw_enterprise_admin:
+      member: rw
+      role: ngfw_enterprise_admin
+    sa_net_rw_xpn_admin:
+      member: rw
+      role: roles/compute.xpnAdmin
+    sa_net_ro_fw_policy_user:
+      member: ro
+      role: roles/compute.orgFirewallPolicyUser
+    sa_net_ro_ngfw_enterprise_viewer:
+      member: ro
+      role: ngfw_enterprise_viewer
+# stage_3_config for IAM delegation are added here when needed
+# refer to each stage 3 documentation for snippets and examples

fast/stages/1-resman/data/stage-3/project-factory-dev.yaml → fast/stages/1-resman/data/stage-2/project-factory.yaml

@@ -12,12 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../schemas/fast-stage3.schema.json
+# yaml-language-server: $schema=../../schemas/fast-stage2.schema.json
 
 short_name: pf
-environment: dev
-stage2_iam:
-  networking:
-    iam_admin_delegated: true
-  security:
-    iam_admin_delegated: true
+organization_config:
+  iam_bindings_additive:
+    sa_pf_conditional_org_policy:
+      member: rw
+      role: roles/orgpolicy.policyAdmin
+      condition:
+        title: org_policy_tag_pf_scoped
+        description: Org policy tag scoped grant for project factory.
+        expression: |
+          resource.matchTag('${organization.id}/${tag_names.context}', 'project-factory')

fast/stages/1-resman/data/stage-2/security.yaml

@@ -0,0 +1,55 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# yaml-language-server: $schema=../../schemas/fast-stage2.schema.json
+
+short_name: sec
+folder_config:
+  name: Security
+  iam_by_principals:
+    rw:
+      - roles/logging.admin
+      - roles/owner
+      - roles/resourcemanager.folderAdmin
+      - roles/resourcemanager.projectCreator
+      - roles/resourcemanager.tagUser
+    ro:
+      - roles/viewer
+      - roles/resourcemanager.folderViewer
+      - roles/resourcemanager.tagViewer
+    project-factory-rw:
+      - roles/cloudkms.cryptoKeyEncrypterDecrypter
+    project-factory-ro:
+      - roles/cloudkms.viewer
+      - project_iam_viewer
+    gcp-security-admins:
+      - roles/editor
+
+  # project factory delegated IAM grant
+  iam_bindings:
+    project_factory:
+      role: roles/resourcemanager.projectIamAdmin
+      members:
+        - project-factory-rw
+      condition:
+        title: Project factory delegated IAM grant.
+        expression: |
+          api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', []).hasOnly([
+            'roles/cloudkms.cryptoKeyEncrypterDecrypter'
+          ])
+organization_config:
+  iam_bindings_additive:
+    sa_sec_cloudasset:
+      member: rw
+      role: roles/cloudasset.viewer

fast/stages/1-resman/data/stage-3/gcve-dev.yaml

@@ -19,11 +19,3 @@ environment: dev
 folder_config:
   name: Development
   parent_id: gcve
-stage2_iam:
-  networking:
-    iam_admin_delegated: true
-    sa_roles:
-      ro:
-        - gcve_network_viewer
-      rw:
-        - gcve_network_admin

fast/stages/1-resman/data/stage-3/gke-dev.yaml

@@ -19,11 +19,3 @@ environment: dev
 folder_config:
   name: Development
   parent_id: gke
-stage2_iam:
-  networking:
-    iam_admin_delegated: true
-    sa_roles:
-      ro:
-        - roles/dns.reader
-      rw:
-        - roles/dns.admin

fast/stages/1-resman/data/top-level-folders/sandbox.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,8 +20,8 @@ automation:
   short_name: sbox
 # You can create role bindings referring to the automation service account by
 # referring to it using `self` keyword, per the example below
-iam: 
-  "roles/owner":
+iam:
+  roles/owner:
     - self
 factories_config:
   org_policies: data/org-policies/sandbox

fast/stages/1-resman/data/top-level-folders/teams.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,23 +15,18 @@
 # yaml-language-server: $schema=../../schemas/top-level-folder.schema.json
 
 name: Teams
-iam:
-  "roles/owner":
-    - project-factory
-  "roles/resourcemanager.folderAdmin":
-    - project-factory
-  "roles/resourcemanager.projectCreator":
-    - project-factory
-  "roles/resourcemanager.tagUser":
-    - project-factory
-  "service_project_network_admin":
-    - project-factory
-  "roles/viewer":
-    - project-factory-r
-  "roles/resourcemanager.folderViewer":
-    - project-factory-r
-  "roles/resourcemanager.tagViewer":
-    - project-factory-r
+iam_by_principals:
+  project-factory-rw:
+    - roles/owner
+    - roles/resourcemanager.folderAdmin
+    - roles/resourcemanager.projectCreator
+    - roles/resourcemanager.tagUser
+    - service_project_network_admin
+  project-factory-ro:
+    - roles/viewer
+    - roles/resourcemanager.folderViewer
+    - roles/resourcemanager.tagViewer
+
 # don't create a context tag since this uses the pf tag
 is_fast_context: false
 tag_bindings: