diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 5ab77e7650..8599e65594 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -654,8 +654,8 @@ The remaining configuration is manual, as it regards the repositories themselves
| name | description | type | required | default | producer |
|---|---|:---:|:---:|:---:|:---:|
| [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…})
| ✓ | | |
-| [organization](variables.tf#L261) | Organization details. | object({…})
| ✓ | | |
-| [prefix](variables.tf#L276) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | |
+| [organization](variables.tf#L266) | Organization details. | object({…})
| ✓ | | |
+| [prefix](variables.tf#L281) | Prefix used for resources that need unique names. Use 9 characters or less. | string
| ✓ | | |
| [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string
| | null
| |
| [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…})
| | null
| |
| [custom_roles](variables.tf#L87) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string))
| | {}
| |
@@ -667,12 +667,12 @@ The remaining configuration is manual, as it regards the repositories themselves
| [iam_bindings_additive](variables.tf#L159) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…}))
| | {}
| |
| [iam_by_principals](variables.tf#L174) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string))
| | {}
| |
| [locations](variables.tf#L181) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…})
| | {}
| |
-| [log_sinks](variables.tf#L195) | Org-level log sinks, in name => {type, filter} format. | map(object({…}))
| | {…}
| |
-| [org_policies_config](variables.tf#L243) | Organization policies customization. | object({…})
| | {}
| |
-| [outputs_location](variables.tf#L270) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
-| [project_parent_ids](variables.tf#L285) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…})
| | {}
| |
-| [workforce_identity_providers](variables.tf#L296) | Workforce Identity Federation pools. | map(object({…}))
| | {}
| |
-| [workload_identity_providers](variables.tf#L312) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…}))
| | {}
| |
+| [log_sinks](variables.tf#L195) | Org-level log sinks, in name => {type, filter} format. | map(object({…}))
| | {…}
| |
+| [org_policies_config](variables.tf#L248) | Organization policies customization. | object({…})
| | {}
| |
+| [outputs_location](variables.tf#L275) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string
| | null
| |
+| [project_parent_ids](variables.tf#L290) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…})
| | {}
| |
+| [workforce_identity_providers](variables.tf#L301) | Workforce Identity Federation pools. | map(object({…}))
| | {}
| |
+| [workload_identity_providers](variables.tf#L317) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…}))
| | {}
| |
## Outputs
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index 65cf87f14a..18644f83fa 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -238,6 +238,8 @@ module "organization" {
destination = local.log_sink_destinations[name].id
filter = attrs.filter
type = attrs.type
+ disabled = attrs.disabled
+ exclusions = attrs.exclusions
}
}
org_policies = var.bootstrap_user != null ? {} : {
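Review bot: The two added lines pass `attrs.disabled` and `attrs.exclusions` straight into the org-level sink with no guard or comment, so a single tfvars change can silently turn off or thin the organization's audit-log export. These sinks are the org audit trail (the default filter in variables.tf selects `cloudaudit.googleapis.com` access transparency logs), so I would at least annotate the new lines: `# disabled/exclusions can suppress org audit logs; changes here need security review`. A stronger option is a `validation` on `var.log_sinks` that rejects `disabled = true` for the default sinks, though the default sink names are not visible in this hunk. The enclosing `module "organization"` block starts before and ends after this hunk.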
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 93bbaba06c..a2e65ecb22 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -195,8 +195,10 @@ variable "locations" {
variable "log_sinks" {
description = "Org-level log sinks, in name => {type, filter} format."
type = map(object({
- filter = string
- type = string
+ filter = string
+ type = string
+ disabled = optional(bool, false)
+ exclusions = optional(map(string), {})
}))
nullable = false
default = {
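Review bot: The description on the `log_sinks` variable still reads `name => {type, filter}` while the type now also carries `disabled` and `exclusions`, so the generated README table (which repeats that description unchanged in this same diff) will not tell operators the fields exist or what an exclusion map holds. I would update it to `description = "Org-level log sinks, in name => {type, filter, disabled, exclusions} format. Exclusions are name => filter and drop matching entries before export."`. Since exclusions are applied before export, a short note that excluded entries cannot be recovered later would also help operators weigh the trade-off. The `default = {` map on the last line continues past this hunk.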
@@ -208,6 +210,9 @@ variable "log_sinks" {
log_id("cloudaudit.googleapis.com/access_transparency")
FILTER
type = "logging"
+ # exclusions = {
+ # gke-audit = "protoPayload.serviceName=\"k8s.io\""
+ # }
}
iam = {
filter = <<-FILTER
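Review bot: The commented example on the three `# exclusions` lines shows dropping `protoPayload.serviceName="k8s.io"` entries from what appears to be the audit-log sink (the filter just above it selects `cloudaudit.googleapis.com` logs), which is exactly the kind of exclusion that leaves a permanent gap in the organization's audit trail because excluded entries are never exported. Presented as a neutral recipe it is likely to be copied as-is, so the example should carry a warning, e.g. `# Exclusions drop entries before export and cannot be recovered later; excluding audit logs (GKE below) narrows the org audit trail — confirm with detection/compliance owners first.`. The enclosing `default = {` map starts in the previous hunk and continues past this one.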