diff --git a/modules/folder/README.md b/modules/folder/README.md
index 0bd81e0d5..57dd47167 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -408,7 +408,7 @@ module "folder" {
| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} |
| [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this folder in the form {NAME -> FILTER}. | map(string) | | {} |
| [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | object({…}) | | null |
-| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the folder. | map(object({…})) | | {} |
+| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the folder. | map(object({…})) | | {} |
| [name](variables.tf#L113) | Folder name. | string | | null |
| [org_policies](variables.tf#L119) | Organization policies applied to this folder keyed by policy name. | map(object({…})) | | {} |
| [parent](variables.tf#L146) | Parent in folders/folder_id or organizations/org_id format. | string | | null |
diff --git a/modules/folder/logging.tf b/modules/folder/logging.tf
index bb42983c2..1718c65ad 100644
--- a/modules/folder/logging.tf
+++ b/modules/folder/logging.tf
@@ -57,14 +57,15 @@ resource "google_folder_iam_audit_config" "default" {
}
resource "google_logging_folder_sink" "sink" {
- for_each = local.logging_sinks
- name = each.key
- description = coalesce(each.value.description, "${each.key} (Terraform-managed).")
- folder = local.folder_id
- destination = "${each.value.type}.googleapis.com/${each.value.destination}"
- filter = each.value.filter
- include_children = each.value.include_children
- disabled = each.value.disabled
+ for_each = local.logging_sinks
+ name = each.key
+ description = coalesce(each.value.description, "${each.key} (Terraform-managed).")
+ folder = local.folder_id
+ destination = "${each.value.type}.googleapis.com/${each.value.destination}"
+ filter = each.value.filter
+ include_children = each.value.include_children
+ intercept_children = each.value.intercept_children
+ disabled = each.value.disabled
dynamic "bigquery_options" {
for_each = each.value.type == "bigquery" ? [""] : []
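Review bot: The new `intercept_children` argument on the sink is passed through with no comment on what it changes for child resources. As the provider documents it, an intercepting sink stops matching entries from being routed by sinks defined in child folders and projects (other than `_Required`), so project-level exports that feed detection or audit pipelines can go quiet once it is enabled. Because `filter` is optional in the variable type, a sink with no filter would presumably intercept everything. I would add a comment above the line, e.g. `# intercepted entries bypass child-resource sinks (except _Required); keep the filter narrow`, and repeat the caveat in the variable description. The same applies to `google_logging_organization_sink.sink` in modules/organization/logging.tf; the resource block continues past the end of this hunk.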
diff --git a/modules/folder/variables-logging.tf b/modules/folder/variables-logging.tf
index 89685a6de..2aa4e9326 100644
--- a/modules/folder/variables-logging.tf
+++ b/modules/folder/variables-logging.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -57,10 +57,18 @@ variable "logging_sinks" {
filter = optional(string)
iam = optional(bool, true)
include_children = optional(bool, true)
+ intercept_children = optional(bool, false)
type = string
}))
default = {}
nullable = false
+ validation {
+ condition = alltrue([
+ for k, v in var.logging_sinks :
+ !v.intercept_children || (v.include_children && v.type == "project")
+ ])
+ error_message = "'type' must be set to 'project' if 'intercept_children' is 'true'."
+ }
validation {
condition = alltrue([
for k, v in var.logging_sinks :
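Review bot: The new validation's `error_message` mentions only `type`, but the condition also requires `include_children` to be true. A sink with `type = "project"`, `include_children = false` and `intercept_children = true` is therefore rejected with a message that points at the wrong attribute. I would change it to `error_message = "'include_children' must be 'true' and 'type' must be 'project' if 'intercept_children' is 'true'."`. The identical validation block added in modules/organization/variables-logging.tf needs the same wording. The variable block starts before and continues after this hunk.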
diff --git a/modules/organization/README.md b/modules/organization/README.md
index e94bd6435..f4b08268d 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -546,7 +546,7 @@ module "org" {
| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) | | {} |
| [logging_exclusions](variables-logging.tf#L32) | Logging exclusions for this organization in the form {NAME -> FILTER}. | map(string) | | {} |
| [logging_settings](variables-logging.tf#L39) | Default settings for logging resources. | object({…}) | | null |
-| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the organization. | map(object({…})) | | {} |
+| [logging_sinks](variables-logging.tf#L49) | Logging sinks to create for the organization. | map(object({…})) | | {} |
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
| [org_policies](variables.tf#L51) | Organization policies applied to this organization keyed by policy name. | map(object({…})) | | {} |
| [org_policy_custom_constraints](variables.tf#L78) | Organization policy custom constraints keyed by constraint name. | map(object({…})) | | {} |
diff --git a/modules/organization/logging.tf b/modules/organization/logging.tf
index c895c7fa8..35c882528 100644
--- a/modules/organization/logging.tf
+++ b/modules/organization/logging.tf
@@ -56,14 +56,15 @@ resource "google_organization_iam_audit_config" "default" {
}
resource "google_logging_organization_sink" "sink" {
- for_each = local.logging_sinks
- name = each.key
- description = coalesce(each.value.description, "${each.key} (Terraform-managed).")
- org_id = local.organization_id_numeric
- destination = "${each.value.type}.googleapis.com/${each.value.destination}"
- filter = each.value.filter
- include_children = each.value.include_children
- disabled = each.value.disabled
+ for_each = local.logging_sinks
+ name = each.key
+ description = coalesce(each.value.description, "${each.key} (Terraform-managed).")
+ org_id = local.organization_id_numeric
+ destination = "${each.value.type}.googleapis.com/${each.value.destination}"
+ filter = each.value.filter
+ include_children = each.value.include_children
+ intercept_children = each.value.intercept_children
+ disabled = each.value.disabled
dynamic "bigquery_options" {
for_each = each.value.type == "bigquery" ? [""] : []
diff --git a/modules/organization/variables-logging.tf b/modules/organization/variables-logging.tf
index 210352f08..5c5da4116 100644
--- a/modules/organization/variables-logging.tf
+++ b/modules/organization/variables-logging.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -57,10 +57,18 @@ variable "logging_sinks" {
filter = optional(string)
iam = optional(bool, true)
include_children = optional(bool, true)
+ intercept_children = optional(bool, false)
type = string
}))
default = {}
nullable = false
+ validation {
+ condition = alltrue([
+ for k, v in var.logging_sinks :
+ !v.intercept_children || (v.include_children && v.type == "project")
+ ])
+ error_message = "'type' must be set to 'project' if 'intercept_children' is 'true'."
+ }
validation {
condition = alltrue([
for k, v in var.logging_sinks :