GoogleCloudPlatform/cloud-foundation-fabric

Re-verify automatic import of default org policies

ludoo opened this issue · 3 comments

> I still had this issue today with a brand-new org:
>
> - storage.uniformBucketLevelAccess
> - iam.allowedPolicyMemberDomains
> - iam.disableServiceAccountKeyUpload
> - iam.disableServiceAccountKeyCreation
> - iam.automaticIamGrantsForDefaultServiceAccounts
>
> Did I do something wrong?

Originally posted by @lyricnz in #2056 (comment)

All these are contained in the set of org policies we're importing:

```hcl
import {
  for_each = (
    !var.org_policies_config.import_defaults || var.bootstrap_user != null
    ? toset([])
    : toset([
      # source: https://cloud.google.com/resource-manager/docs/secure-by-default-organizations#organization_policies_enforced_on_organization_resources
      # listed in the order as on page
      "iam.disableServiceAccountKeyCreation",
      "iam.disableServiceAccountKeyUpload",
      "iam.automaticIamGrantsForDefaultServiceAccounts",
      "iam.allowedPolicyMemberDomains",
      "essentialcontacts.allowedContactDomains",
      "storage.uniformBucketLevelAccess",
      # "compute.setNewProjectDefaultToZonalDNSOnly", # not confirmed that this is already live
    ])
  )
  id = "organizations/${var.organization.id}/policies/${each.key}"
  to = module.organization.google_org_policy_policy.default[each.key]
}
```

We should make sure our imports still work...
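A quick pre-flight check for the import block above, added here as an example and not part of cloud-foundation-fabric: the `import` block fails the plan when a listed policy does not exist on the organization, and conversely a policy that exists but is not listed will collide on apply. The script below compares the default constraint names from the block against whatever `gcloud org-policies list` reports for the org. The `--format='value(name)'` projection and the `organizations/<id>/policies/<constraint>` shape of the `name` field are assumptions about gcloud's output; `SAMPLE_LIST` is constructed input so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not project code): find which secure-by-default org
# policies the import block expects but the organization does not have.

# The constraints imported by the bootstrap stage, in the same order.
DEFAULT_POLICIES="iam.disableServiceAccountKeyCreation
iam.disableServiceAccountKeyUpload
iam.automaticIamGrantsForDefaultServiceAccounts
iam.allowedPolicyMemberDomains
essentialcontacts.allowedContactDomains
storage.uniformBucketLevelAccess"

# Constructed sample of what list_org_policies might print for an org that
# has only three of the defaults plus one unrelated, manually set policy.
SAMPLE_LIST="organizations/123456789012/policies/iam.disableServiceAccountKeyCreation
organizations/123456789012/policies/iam.allowedPolicyMemberDomains
organizations/123456789012/policies/storage.uniformBucketLevelAccess
organizations/123456789012/policies/compute.requireOsLogin"

# list_org_policies ORG_ID
# Real call; assumes the Policy resource exposes a full 'name' field.
list_org_policies() {
  gcloud org-policies list --organization="$1" --format='value(name)'
}

# missing_defaults
# Reads policy names on stdin, prints each default constraint that is absent.
# Anything printed here would make `terraform plan` fail with a
# "cannot import non-existent remote object" error for that import block.
missing_defaults() {
  present=$(sed 's#.*/policies/##')
  for c in $DEFAULT_POLICIES; do
    printf '%s\n' "$present" | grep -qxF -- "$c" || printf '%s\n' "$c"
  done
}

# extra_defaults
# Inverse check: default constraints present on the org. If any of these is
# NOT in the import list, apply will fail with "already exists".
present_defaults() {
  present=$(sed 's#.*/policies/##')
  for c in $DEFAULT_POLICIES; do
    printf '%s\n' "$present" | grep -qxF -- "$c" && printf '%s\n' "$c"
  done
  return 0
}

# Usage: ./check_org_policies.sh ORG_ID   (queries the org)
#        ./check_org_policies.sh          (runs against SAMPLE_LIST)
if [ "$#" -eq 1 ]; then
  list_org_policies "$1" | missing_defaults
elif [ -z "${NO_SAMPLE_RUN:-}" ]; then
  printf '%s\n' "$SAMPLE_LIST" | missing_defaults
fi
```

Run it with the org id before `terraform plan`; an empty result means every constraint in the import block exists and the imports can proceed. Set `org_policies_config.import_defaults = false` (or drop the missing names from the list) for an org where the defaults were never applied.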

Problem appears to be PEBKAC, but to be fair, there's no mention of "Secure by Default Org Policy" in the Google screens during creation of an Organization (that I could see). It appears it's now enforced and default by Google since May 3, 2024.

https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/tree/master/fast/stages/0-bootstrap#running-the-stage

vs

https://cloud.google.com/resource-manager/docs/secure-by-default-organizations