@@ -33,6 +33,7 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b
- [Custom Security Health Analytics Modules Factory](#custom-security-health-analytics-modules-factory)
- [Security Command Center Mute Configs](#security-command-center-mute-configs)
- [Security Command Center Mute Configs Factory](#security-command-center-mute-configs-factory)
- [Cloud Asset Search](#cloud-asset-search)
- [Cloud Asset Inventory Feeds](#cloud-asset-inventory-feeds)
- [Tags](#tags)
- [Tags Factory](#tags-factory)
@@ -625,6 +626,27 @@ muteHighSeverity:
type: "DYNAMIC"
```
## Cloud Asset Search
The Cloud Asset Search feature allows you to search for resources within the organization using the Cloud Asset Inventory API. This is useful for discovering and auditing resources based on asset types and query filters.
```hcl
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
asset_search = {
org-policies = {
asset_types = ["orgpolicy.googleapis.com/Policy"]
}
}
}
output "org_policies" {
value = module.org.asset_search_results["org-policies"]
}
# tftest skip
```
## Cloud Asset Inventory Feeds
Cloud Asset Inventory feeds allow you to monitor asset changes in real-time by publishing notifications to a Pub/Sub topic. Feeds configured at the organization level will monitor all resources within the organization.
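Review bot: the new Cloud Asset Search example is marked `# tftest skip`, so unlike the other README examples it is never exercised by the doc tests; the section should say why (the search results come back from the live Cloud Asset Inventory API when the configuration is planned or applied, so they are a snapshot of that run and cannot be replayed offline) or the example should be given a testable form. The prose also promises filtering "based on asset types and query filters", but the example only sets `asset_types`; since the variable exposes `query = optional(string)`, show at least one entry that sets `query` and state which query syntax applies. Finally, `output "org_policies"` surfaces the full result set in outputs and state, which callers should know before deciding whether to mark it `sensitive`.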
@@ -910,13 +932,14 @@ module "org" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [organization_id](variables.tf#L162) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
| [organization_id](variables.tf#L172) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
| [asset_feeds](variables.tf#L18) | Cloud Asset Inventory feeds. | <code title="map(object({ billing_project = string content_type = optional(string) asset_types = optional(list(string)) asset_names = optional(list(string)) feed_output_config = object({ pubsub_destination = object({ topic = string }) }) condition = optional(object({ expression = string title = optional(string) description = optional(string) location = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
| [contacts](variables.tf#L51) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
| [context](variables.tf#L69) | Context-specific interpolations. | <code title="object({ bigquery_datasets = optional(map(string), {}) condition_vars = optional(map(map(string)), {}) custom_roles = optional(map(string), {}) email_addresses = optional(map(string), {}) iam_principals = optional(map(string), {}) locations = optional(map(string), {}) log_buckets = optional(map(string), {}) project_ids = optional(map(string), {}) pubsub_topics = optional(map(string), {}) storage_buckets = optional(map(string), {}) tag_keys = optional(map(string), {}) tag_values = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
| [custom_roles](variables.tf#L89) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
| [factories_config](variables.tf#L96) | Paths to data files and folders that enable factory functionality. | <code title="object({ custom_roles = optional(string) org_policies = optional(string) org_policy_custom_constraints = optional(string) pam_entitlements = optional(string) scc_mute_configs = optional(string) scc_sha_custom_modules = optional(string) tags = optional(string) })">object({…})</code> | | <code>{}</code> |
| [firewall_policy](variables.tf#L111) | Hierarchical firewall policies to associate to the organization. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
| [asset_search](variables.tf#L51) | Cloud Asset Inventory search configurations. | <code title="map(object({ asset_types = list(string) query = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
| [contacts](variables.tf#L61) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
| [context](variables.tf#L79) | Context-specific interpolations. | <code title="object({ bigquery_datasets = optional(map(string), {}) condition_vars = optional(map(map(string)), {}) custom_roles = optional(map(string), {}) email_addresses = optional(map(string), {}) iam_principals = optional(map(string), {}) locations = optional(map(string), {}) log_buckets = optional(map(string), {}) project_ids = optional(map(string), {}) pubsub_topics = optional(map(string), {}) storage_buckets = optional(map(string), {}) tag_keys = optional(map(string), {}) tag_values = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
| [custom_roles](variables.tf#L99) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
| [factories_config](variables.tf#L106) | Paths to data files and folders that enable factory functionality. | <code title="object({ custom_roles = optional(string) org_policies = optional(string) org_policy_custom_constraints = optional(string) pam_entitlements = optional(string) scc_mute_configs = optional(string) scc_sha_custom_modules = optional(string) tags = optional(string) })">object({…})</code> | | <code>{}</code> |
| [firewall_policy](variables.tf#L121) | Hierarchical firewall policies to associate to the organization. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
| [iam](variables-iam.tf#L17) | Authoritative IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
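Review bot: the new `asset_search` variable carries no project attribute, while the sibling `asset_feeds` requires `billing_project = string`; if the search calls are charged to the provider's quota project rather than to a project chosen per search, say so in the description, otherwise add the attribute for parity with feeds. The description "Cloud Asset Inventory search configurations." is also too thin to use the variable from the table alone: state that each entry needs `asset_types` and may add an optional `query`, and point to the query syntax, since the README example leaves `query` out. The remaining rows in this hunk change only because the `variables.tf` line numbers shift.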
@@ -928,8 +951,8 @@ module "org" {
| [logging_settings](variables-logging.tf#L35) | Default settings for logging resources. | <code title="object({ disable_default_sink = optional(bool) kms_key_name = optional(string) storage_location = optional(string) })">object({…})</code> | | <code>null</code> |
| [logging_sinks](variables-logging.tf#L46) | Logging sinks to create for the organization. | <code title="map(object({ destination = string bq_partitioned_table = optional(bool, false) description = optional(string) disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) intercept_children = optional(bool, false) type = optional(string, "logging") }))">map(object({…}))</code> | | <code>{}</code> |
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") id = optional(string) network = string # project_id/vpc_name or "ALL" to toggle GCE_FIREWALL purpose iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") id = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
| [org_policies](variables.tf#L120) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
| [org_policy_custom_constraints](variables.tf#L148) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
| [org_policies](variables.tf#L130) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
| [org_policy_custom_constraints](variables.tf#L158) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
| [pam_entitlements](variables-pam.tf#L17) | Privileged Access Manager entitlements for this resource, keyed by entitlement ID. | <code title="map(object({ max_request_duration = string eligible_users = list(string) privileged_access = list(object({ role = string condition = optional(string) })) requester_justification_config = optional(object({ not_mandatory = optional(bool, true) unstructured = optional(bool, false) }), { not_mandatory = false, unstructured = true }) manual_approvals = optional(object({ require_approver_justification = bool steps = list(object({ approvers = list(string) approvals_needed = optional(number, 1) approver_email_recipients = optional(list(string)) })) })) additional_notification_targets = optional(object({ admin_email_recipients = optional(list(string)) requester_email_recipients = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
| [scc_mute_configs](variables-scc.tf#L17) | SCC mute configurations keyed by name. | <code title="map(object({ description = optional(string) filter = string type = optional(string, "DYNAMIC") }))">map(object({…}))</code> | | <code>{}</code> |
| [scc_sha_custom_modules](variables-scc.tf#L28) | SCC custom modules keyed by module name. | <code title="map(object({ description = optional(string) severity = string recommendation = string predicate = object({ expression = string }) resource_selector = object({ resource_types = list(string) }) enablement_state = optional(string, "ENABLED") }))">map(object({…}))</code> | | <code>{}</code> |
@@ -942,21 +965,22 @@ module "org" {
| name | description | sensitive |
|---|---|:---:|
| [custom_constraint_ids](outputs.tf#L17) | Map of CUSTOM_CONSTRAINTS => ID in the organization. | |
| [custom_role_id](outputs.tf#L22) | Map of custom role IDs created in the organization. | |
| [custom_roles](outputs.tf#L27) | Map of custom roles resources created in the organization. | |
| [id](outputs.tf#L32) | Fully qualified organization id. | |
| [logging_identities](outputs.tf#L50) | Principals used for logging sinks. | |
| [network_tag_keys](outputs.tf#L62) | Tag key resources. | |
| [network_tag_values](outputs.tf#L71) | Tag value resources. | |
| [organization_id](outputs.tf#L81) | Organization id dependent on module resources. | |
| [organization_policies_ids](outputs.tf#L98) | Map of ORGANIZATION_POLICIES => ID in the organization. | |
| [scc_custom_sha_modules_ids](outputs.tf#L103) | Map of SCC CUSTOM SHA MODULES => ID in the organization. | |
| [scc_mute_configs](outputs.tf#L108) | SCC mute configurations. | |
| [service_agents](outputs.tf#L113) | Identities of all organization-level service agents. | |
| [sink_writer_identities](outputs.tf#L118) | Writer identities created for each sink. | |
| [tag_keys](outputs.tf#L126) | Tag key resources. | |
| [tag_values](outputs.tf#L135) | Tag value resources. | |
| [workforce_identity_provider_names](outputs.tf#L143) | Workforce Identity provider names. | |
| [workforce_identity_providers](outputs.tf#L150) | Workforce Identity provider attributes. | |
| [asset_search_results](outputs.tf#L17) | Cloud Asset Inventory search results. | |
| [custom_constraint_ids](outputs.tf#L24) | Map of CUSTOM_CONSTRAINTS => ID in the organization. | |
| [custom_role_id](outputs.tf#L29) | Map of custom role IDs created in the organization. | |
| [custom_roles](outputs.tf#L34) | Map of custom roles resources created in the organization. | |
| [id](outputs.tf#L39) | Fully qualified organization id. | |
| [logging_identities](outputs.tf#L57) | Principals used for logging sinks. | |
| [network_tag_keys](outputs.tf#L69) | Tag key resources. | |
| [network_tag_values](outputs.tf#L78) | Tag value resources. | |
| [organization_id](outputs.tf#L88) | Organization id dependent on module resources. | |
| [organization_policies_ids](outputs.tf#L105) | Map of ORGANIZATION_POLICIES => ID in the organization. | |
| [scc_custom_sha_modules_ids](outputs.tf#L110) | Map of SCC CUSTOM SHA MODULES => ID in the organization. | |
| [scc_mute_configs](outputs.tf#L115) | SCC mute configurations. | |
| [service_agents](outputs.tf#L120) | Identities of all organization-level service agents. | |
| [sink_writer_identities](outputs.tf#L125) | Writer identities created for each sink. | |
| [tag_keys](outputs.tf#L133) | Tag key resources. | |
| [tag_values](outputs.tf#L142) | Tag value resources. | |
| [workforce_identity_provider_names](outputs.tf#L150) | Workforce Identity provider names. | |
| [workforce_identity_providers](outputs.tf#L157) | Workforce Identity provider attributes. | |
<!-- END TFDOC -->
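Review bot: the new `asset_search_results` output is described only as "Cloud Asset Inventory search results.", which does not tell a caller its shape; state that it is a map keyed by the `asset_search` entry name (the README example reads it as `module.org.asset_search_results["org-policies"]`) and what each value holds, and decide explicitly whether it should be marked sensitive, since it hands an organization-wide resource listing to anything that can read the module's outputs or state. The other rows in this hunk change only because the `outputs.tf` line numbers shift.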