Authoritative IAM for organization

modules/organization/variables.tf

@@ -49,6 +49,23 @@ variable "iam_audit_config" {
   # }
 }
 
+variable "iam_bindings_authoritative" {
+  description = "IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution."
+  type        = map(list(string))
+  default     = null
+}
+
+variable "iam_audit_config_authoritative" {
+  description = "IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution."
+  type        = map(map(list(string)))
+  default     = null
+  # default = {
+  #   allServices = {
+  #     DATA_READ = ["user:me@example.org"]
+  #   }
+  # }
+}
+
 variable "organization_id" {
   description = "Organization id in organizations/nnnnnn format."
   type        = string