Add intercepting sinks to the organization and folder modules (#2799)

* RS-469: add support for intercept child on audit logging

* RS-469: add validation to ensure sink is set to project

* RS-469: add further validation to ensure include_children is also set to true when intercept is selected

* Update README

* RS-469: include optional flag for include and intercept

* RS-469: add intercept feature to folder module

* Fix organization README

* Fix condition

---------

Co-authored-by: Emile Hofsink <72841492+EmileHofsink@users.noreply.github.com>
Co-authored-by: Julio Castillo <jccb@google.com>
rshokati2
2025-01-10 21:36:08 +11:00
committed by GitHub
parent 1ce9aff3b5
commit b4abbfe9d0
6 changed files with 38 additions and 20 deletions


@@ -1,5 +1,5 @@
/**
* Copyright 2024 Google LLC
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -57,10 +57,18 @@ variable "logging_sinks" {
filter = optional(string)
iam = optional(bool, true)
include_children = optional(bool, true)
intercept_children = optional(bool, false)
type = string
}))
default = {}
nullable = false
validation {
condition = alltrue([
for k, v in var.logging_sinks :
!v.intercept_children || (v.include_children && v.type == "project")
])
error_message = "'type' must be set to 'project' if 'intercept_children' is 'true'."
}
validation {
condition = alltrue([
for k, v in var.logging_sinks :
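Review bot: The `error_message` of the added validation names only half of the condition it guards. The condition is `!v.intercept_children || (v.include_children && v.type == "project")`, so a sink with `type = "project"` and `include_children = false` is rejected with a message that tells the user to set 'type' to 'project', which it already is. I would change it to `error_message = "'include_children' must be 'true' and 'type' must be 'project' if 'intercept_children' is 'true'."`. Because an intercepting sink is meant to stop matching child logs from being routed by sinks lower in the hierarchy, a one-line comment on `intercept_children` stating that effect would help anyone reviewing audit-log routing. The `variable "logging_sinks"` block starts above this hunk and the next `validation` block continues past its last line.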