Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Deprivilege bootstrap default service accounts#68

Merged
Calvin-Cheng1 merged 1 commit into
google:mainfrom
Haihan-Jiang:codex/stellar-engine-deprivilege-bootstrap-default-sas
May 26, 2026
Merged

Deprivilege bootstrap default service accounts#68
Calvin-Cheng1 merged 1 commit into
google:mainfrom
Haihan-Jiang:codex/stellar-engine-deprivilege-bootstrap-default-sas

Conversation

@Haihan-Jiang

Copy link
Copy Markdown
Contributor

Description

Set default_service_account = "deprivilege" on the three core projects created by the 0-bootstrap stage:

  • iac-core-0
  • audit-logs-0
  • billing-exp-0

This uses the existing project module support for google_project_default_service_accounts to remove project-level IAM grants from default App Engine and Compute Engine service accounts while preserving the accounts themselves. That covers bootstrap runs where organization-level iam.automaticIamGrantsForDefaultServiceAccounts is not applied yet because bootstrap_user is set.

Fixes #67

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Deployment & Compliance Impact

  • Applicable Regimes:
    • US Region Restricted (e.g., Access Policy constraint)
    • FedRAMP Moderate
    • FedRAMP High
    • DoD IL4
    • DoD IL5
    • General / All
  • NIST 800-53r5 Controls: AC-6 least privilege, IAM default service account hardening.

Checklist

Code Quality & Reusability

  • My code adheres to the Maximize Reusability principle. I have not redefined common elements and have reused existing base configurations and modules where possible.
  • I have checked that no existing module or configuration in modules/ or fast/ can be leveraged for this change.
  • My code follows the established naming conventions outlined in documentation/naming-convention.md.

Documentation

  • I have updated the README.md of the modified module or blueprint. No new inputs or outputs were added.
  • I have added/updated documentation for inputs (variables) and outputs. No new inputs or outputs were added.

Security

  • My change adheres to GCP security best practices and the principle of least privilege.
  • I have ensured compliance with the targeted regime (FedRAMP High, IL5, etc.).

Testing

  • I have tested my changes locally.
  • I have included details of my testing in this PR.

Testing Performed

  • git diff --check
  • python3 tools/check_boilerplate.py fast/stages-aw/0-bootstrap/automation.tf fast/stages-aw/0-bootstrap/log-export.tf fast/stages-aw/0-bootstrap/billing.tf
  • tofu fmt -check -recursive fast/stages-aw/0-bootstrap with OpenTofu v1.12.0
  • TF_PLUGIN_CACHE_DIR=/tmp/stellar-engine-tofu-cache tofu -chdir=fast/stages-aw/0-bootstrap init -backend=false -upgrade=false -input=false with OpenTofu v1.12.0
  • TF_PLUGIN_CACHE_DIR=/tmp/stellar-engine-tofu-cache tofu -chdir=fast/stages-aw/0-bootstrap validate -no-color with OpenTofu v1.12.0

Note: tools/check_documentation.py --no-show-summary fast/stages-aw/0-bootstrap currently reports FAIL_STALE_README for fast/stages-aw/0-bootstrap/README.md; this change does not add or change stage inputs/outputs.

@Haihan-Jiang Haihan-Jiang marked this pull request as ready for review May 24, 2026 07:07
@Haihan-Jiang Haihan-Jiang changed the title [codex] Deprivilege bootstrap default service accounts Deprivilege bootstrap default service accounts May 26, 2026

@Calvin-Cheng1 Calvin-Cheng1 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Calvin-Cheng1 Calvin-Cheng1 merged commit f1f14df into google:main May 26, 2026
5 checks passed
@aghassemlouei aghassemlouei added enhancement New feature or request security Something is insecure or can be secured labels May 26, 2026
@aghassemlouei

Copy link
Copy Markdown
Collaborator

Thank you for the contribution @Haihan-Jiang; we really appreciate the time you spent helping improve the codebase!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request security Something is insecure or can be secured

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

[Bug] - Default Compute Engine service account has Editor in projects created by bootstrap

3 participants