diff --git a/modules/folder/README.md b/modules/folder/README.md
index 2ba7e9107..8c75cadd5 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -295,12 +295,12 @@ module "folder" {
| [id](variables.tf#L83) | Folder ID in case you use folder_create=false. | string | | null |
| [logging_data_access](variables.tf#L89) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} |
| [logging_exclusions](variables.tf#L104) | Logging exclusions for this folder in the form {NAME -> FILTER}. | map(string) | | {} |
-| [logging_sinks](variables.tf#L111) | Logging sinks to create for the folder. | map(object({…})) | | {} |
-| [name](variables.tf#L141) | Folder name. | string | | null |
-| [org_policies](variables.tf#L147) | Organization policies applied to this folder keyed by policy name. | map(object({…})) | | {} |
-| [org_policies_data_path](variables.tf#L174) | Path containing org policies in YAML format. | string | | null |
-| [parent](variables.tf#L180) | Parent in folders/folder_id or organizations/org_id format. | string | | null |
-| [tag_bindings](variables.tf#L190) | Tag bindings for this folder, in key => tag value id format. | map(string) | | null |
+| [logging_sinks](variables.tf#L111) | Logging sinks to create for the folder. | map(object({…})) | | {} |
+| [name](variables.tf#L142) | Folder name. | string | | null |
+| [org_policies](variables.tf#L148) | Organization policies applied to this folder keyed by policy name. | map(object({…})) | | {} |
+| [org_policies_data_path](variables.tf#L175) | Path containing org policies in YAML format. | string | | null |
+| [parent](variables.tf#L181) | Parent in folders/folder_id or organizations/org_id format. | string | | null |
+| [tag_bindings](variables.tf#L191) | Tag bindings for this folder, in key => tag value id format. | map(string) | | null |
## Outputs
diff --git a/modules/folder/logging.tf b/modules/folder/logging.tf
index 8000a0214..033113ff2 100644
--- a/modules/folder/logging.tf
+++ b/modules/folder/logging.tf
@@ -22,7 +22,7 @@ locals {
type => {
for name, sink in var.logging_sinks :
name => sink
- if sink.type == type
+ if sink.iam == true && sink.type == type
}
}
}
diff --git a/modules/folder/variables.tf b/modules/folder/variables.tf
index 1c5516818..91e8e11e8 100644
--- a/modules/folder/variables.tf
+++ b/modules/folder/variables.tf
@@ -117,6 +117,7 @@ variable "logging_sinks" {
disabled = optional(bool, false)
exclusions = optional(map(string), {})
filter = string
+ iam = optional(bool, true)
include_children = optional(bool, true)
type = string
}))
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 86df8ab3b..b760f0362 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -456,7 +456,7 @@ module "org" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [organization_id](variables.tf#L211) | Organization id in organizations/nnnnnn format. | string | ✓ | |
+| [organization_id](variables.tf#L212) | Organization id in organizations/nnnnnn format. | string | ✓ | |
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) | | {} |
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} |
| [firewall_policy](variables.tf#L31) | Hierarchical firewall policies to associate to the organization. | object({…}) | | null |
@@ -466,14 +466,14 @@ module "org" {
| [iam_bindings_additive](variables.tf#L69) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} |
| [logging_data_access](variables.tf#L84) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} |
| [logging_exclusions](variables.tf#L99) | Logging exclusions for this organization in the form {NAME -> FILTER}. | map(string) | | {} |
-| [logging_sinks](variables.tf#L106) | Logging sinks to create for the organization. | map(object({…})) | | {} |
-| [network_tags](variables.tf#L136) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
-| [org_policies](variables.tf#L158) | Organization policies applied to this organization keyed by policy name. | map(object({…})) | | {} |
-| [org_policies_data_path](variables.tf#L185) | Path containing org policies in YAML format. | string | | null |
-| [org_policy_custom_constraints](variables.tf#L191) | Organization policy custom constraints keyed by constraint name. | map(object({…})) | | {} |
-| [org_policy_custom_constraints_data_path](variables.tf#L205) | Path containing org policy custom constraints in YAML format. | string | | null |
-| [tag_bindings](variables.tf#L220) | Tag bindings for this organization, in key => tag value id format. | map(string) | | null |
-| [tags](variables.tf#L226) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
+| [logging_sinks](variables.tf#L106) | Logging sinks to create for the organization. | map(object({…})) | | {} |
+| [network_tags](variables.tf#L137) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
+| [org_policies](variables.tf#L159) | Organization policies applied to this organization keyed by policy name. | map(object({…})) | | {} |
+| [org_policies_data_path](variables.tf#L186) | Path containing org policies in YAML format. | string | | null |
+| [org_policy_custom_constraints](variables.tf#L192) | Organization policy custom constraints keyed by constraint name. | map(object({…})) | | {} |
+| [org_policy_custom_constraints_data_path](variables.tf#L206) | Path containing org policy custom constraints in YAML format. | string | | null |
+| [tag_bindings](variables.tf#L221) | Tag bindings for this organization, in key => tag value id format. | map(string) | | null |
+| [tags](variables.tf#L227) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
## Outputs
diff --git a/modules/organization/logging.tf b/modules/organization/logging.tf
index 7719c0fb6..7f0665e3a 100644
--- a/modules/organization/logging.tf
+++ b/modules/organization/logging.tf
@@ -21,7 +21,7 @@ locals {
for type in ["bigquery", "logging", "pubsub", "storage"] :
type => {
for name, sink in var.logging_sinks :
- name => sink if sink.type == type
+ name => sink if sink.iam && sink.type == type
}
}
}
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index c9899e2e1..f664deaef 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -112,6 +112,7 @@ variable "logging_sinks" {
disabled = optional(bool, false)
exclusions = optional(map(string), {})
filter = string
+ iam = optional(bool, true)
include_children = optional(bool, true)
type = string
}))