back with constraint/iam.automaticIamGrantsForDefaultServiceAccounts …

…to org step

0-bootstrap/org_policy.tf

@@ -20,8 +20,7 @@ locals {
   policy_for      = var.parent_folder != "" ? "folder" : "organization"
 
   boolean_type_organization_policies = toset([
-    "compute.skipDefaultNetworkCreation",
-    "iam.automaticIamGrantsForDefaultServiceAccounts"
+    "compute.skipDefaultNetworkCreation"
   ])
 }
 

1-org/envs/shared/org_policy.tf

@@ -34,6 +34,7 @@ locals {
     "sql.restrictPublicIp",
     "sql.restrictAuthorizedNetworks",
     "iam.disableServiceAccountKeyCreation",
+    "iam.automaticIamGrantsForDefaultServiceAccounts",
     "iam.disableServiceAccountKeyUpload",
     "storage.uniformBucketLevelAccess",
     "storage.publicAccessPrevention"

test/integration/bootstrap/bootstrap_test.go

@@ -309,7 +309,6 @@ func TestBootstrap(t *testing.T) {
 			// boolean organization policies
 			for _, booleanConstraint := range []string{
 				"constraints/compute.skipDefaultNetworkCreation",
-				"constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
 			} {
 				orgPolicy := gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", booleanConstraint, parentFolder)
 				assert.True(orgPolicy.Get("booleanPolicy.enforced").Bool(), fmt.Sprintf("org policy %s should be enforced", booleanConstraint))

test/integration/org/org_test.go

@@ -164,6 +164,7 @@ func TestOrg(t *testing.T) {
 				"constraints/iam.disableServiceAccountKeyCreation",
 				"constraints/storage.uniformBucketLevelAccess",
 				"constraints/storage.publicAccessPrevention",
+				"constraints/iam.automaticIamGrantsForDefaultServiceAccounts",
 			} {
 				orgPolicy := gcloud.Runf(t, "resource-manager org-policies describe %s --folder %s", booleanConstraint, parentFolder)
 				assert.True(orgPolicy.Get("booleanPolicy.enforced").Bool(), fmt.Sprintf("org policy %s should be enforced", booleanConstraint))