diff --git a/modules/organization/README.md b/modules/organization/README.md
index 993c5dcdf..16c7fc4c6 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -64,7 +64,7 @@ module "org" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
-| org_id | Organization id in nnnnnn format. | number | ✓ | |
+| organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | |
| *custom_roles* | Map of role name => list of permissions to create in this project. | map(list(string)) | | {} |
| *firewall_policies* | Hierarchical firewall policies to *create* in the organization. | map(map(object({...}))) | | {} |
| *firewall_policy_attachments* | List of hierarchical firewall policy IDs to *attach* to the organization | map(string) | | {} |
@@ -81,5 +81,5 @@ module "org" {
|---|---|:---:|
| firewall_policies | Map of firewall policy resources created in the organization. | |
| firewall_policy_id | Map of firewall policy ids created in the organization. | |
-| org_id | Organization id dependent on module resources. | |
+| organization_id | Organization id dependent on module resources. | |
diff --git a/modules/organization/main.tf b/modules/organization/main.tf
index d87fcab5f..f3b751664 100644
--- a/modules/organization/main.tf
+++ b/modules/organization/main.tf
@@ -15,6 +15,7 @@
*/
locals {
+ organization_id_numeric = split("/", var.organization_id)[1]
iam_additive_pairs = flatten([
for role, members in var.iam_additive : [
for member in members : { role = role, member = member }
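Review bot: The new `organization_id_numeric` local carries no comment explaining why the module now keeps two forms of the id, and `split("/", var.organization_id)[1]` takes the second path segment whatever follows it, so its correctness rests entirely on the variable's validation block. From the other hunks, the `google_organization_iam_*` and `google_organization_policy` resources take the bare number in `org_id`, while the firewall policy resources take the full path. I would put a comment above the local such as `# numeric id for org_id arguments; firewall policy resources use the full organizations/nnn path`. The `locals` block continues outside this hunk.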
@@ -43,7 +44,7 @@ locals {
resource "google_organization_iam_custom_role" "roles" {
for_each = var.custom_roles
- org_id = var.org_id
+ org_id = local.organization_id_numeric
role_id = each.key
title = "Custom role ${each.key}"
description = "Terraform-managed"
@@ -52,7 +53,7 @@ resource "google_organization_iam_custom_role" "roles" {
resource "google_organization_iam_binding" "authoritative" {
for_each = var.iam
- org_id = var.org_id
+ org_id = local.organization_id_numeric
role = each.key
members = each.value
}
@@ -63,14 +64,14 @@ resource "google_organization_iam_member" "additive" {
? local.iam_additive
: {}
)
- org_id = var.org_id
+ org_id = local.organization_id_numeric
role = each.value.role
member = each.value.member
}
resource "google_organization_iam_audit_config" "config" {
for_each = var.iam_audit_config
- org_id = var.org_id
+ org_id = local.organization_id_numeric
service = each.key
dynamic audit_log_config {
for_each = each.value
@@ -84,7 +85,7 @@ resource "google_organization_iam_audit_config" "config" {
resource "google_organization_policy" "boolean" {
for_each = var.policy_boolean
- org_id = var.org_id
+ org_id = local.organization_id_numeric
constraint = each.key
dynamic boolean_policy {
@@ -105,7 +106,7 @@ resource "google_organization_policy" "boolean" {
resource "google_organization_policy" "list" {
for_each = var.policy_list
- org_id = var.org_id
+ org_id = local.organization_id_numeric
constraint = each.key
dynamic list_policy {
@@ -160,7 +161,7 @@ resource "google_compute_organization_security_policy" "policy" {
for_each = var.firewall_policies
display_name = each.key
- parent = "organizations/${var.org_id}"
+ parent = var.organization_id
}
resource "google_compute_organization_security_policy_rule" "rule" {
@@ -195,7 +196,7 @@ resource "google_compute_organization_security_policy_rule" "rule" {
resource "google_compute_organization_security_policy_association" "attachment" {
provider = google-beta
for_each = var.firewall_policy_attachments
- name = "organizations/${var.org_id}-${each.key}"
- attachment_id = "organizations/${var.org_id}"
+ name = "${var.organization_id}-${each.key}"
+ attachment_id = var.organization_id
policy_id = each.value
}
diff --git a/modules/organization/outputs.tf b/modules/organization/outputs.tf
index f6e52441a..dd0d0294e 100644
--- a/modules/organization/outputs.tf
+++ b/modules/organization/outputs.tf
@@ -14,9 +14,9 @@
* limitations under the License.
*/
-output "org_id" {
+output "organization_id" {
description = "Organization id dependent on module resources."
- value = var.org_id
+ value = var.organization_id
depends_on = [
google_organization_iam_audit_config.config,
google_organization_iam_binding.authoritative,
diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
index 1fe3f1bdd..ea7b5f52e 100644
--- a/modules/organization/variables.tf
+++ b/modules/organization/variables.tf
@@ -49,9 +49,13 @@ variable "iam_audit_config" {
# }
}
-variable "org_id" {
- description = "Organization id in nnnnnn format."
- type = number
+variable "organization_id" {
+ description = "Organization id in organizations/nnnnnn format."
+ type = string
+ validation {
+ condition = can(regex("^organizations/[0-9]+", var.organization_id))
+ error_message = "The organization_id must in the form organizations/nnn."
+ }
}
variable "policy_boolean" {
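Review bot: The validation regex `^organizations/[0-9]+` has no end anchor, so a value with trailing segments such as `organizations/123/folders/456` (constructed example) passes the check. The IAM, audit config and org policy resources would then be applied to `123` via the split in main.tf, while the firewall policy `parent` and `attachment_id` receive the whole unvalidated string, so one input can address two different targets. Anchoring the pattern closes this: `condition = can(regex("^organizations/[0-9]+$", var.organization_id))`. The error message is also missing a word; `error_message = "The organization_id must be in the form organizations/nnn."` reads correctly.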
diff --git a/tests/modules/organization/fixture/main.tf b/tests/modules/organization/fixture/main.tf
index 90abee757..28bbe270f 100644
--- a/tests/modules/organization/fixture/main.tf
+++ b/tests/modules/organization/fixture/main.tf
@@ -16,7 +16,7 @@
module "test" {
source = "../../../../modules/organization"
- org_id = 1234567890
+ organization_id = "organizations/1234567890"
custom_roles = var.custom_roles
iam = var.iam
iam_additive = var.iam_additive