/** * Copyright 2025 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ locals { ctx = { for k, v in var.context : k => { for kk, vv in v : "${local.ctx_p}${k}:${kk}" => vv } if k != "condition_vars" } ctx_p = "$" _folder_id = ( var.id == null ? null : lookup(local.ctx.folder_ids, var.id, var.id) ) folder_id = ( var.assured_workload_config == null ? ( var.folder_create ? coalesce(local._folder_id, try(google_folder.folder[0].id, "")) : local._folder_id ) : format("folders/%s", try(google_assured_workloads_workload.folder[0].resources[0].resource_id, "")) ) folder_number = split("/", local.folder_id)[1] aw_parent = ( # Assured Workload only accepts folder as a parent and uses organization as a parent when no value provided. var.parent == null ? null : ( try(startswith(var.parent, "folders/")) ? var.parent : lookup(local.ctx.folder_ids, var.parent, null) ) ) } resource "google_folder" "folder" { count = var.folder_create && var.assured_workload_config == null ? 1 : 0 display_name = var.name parent = lookup(local.ctx.folder_ids, var.parent, var.parent) deletion_protection = var.deletion_protection } resource "google_kms_autokey_config" "default" { provider = google-beta count = var.autokey_config != null ? 1 : 0 folder = local.folder_id key_project = try( "projects/${local.ctx.project_ids[var.autokey_config.project]}", "projects/${local.ctx.project_numbers[var.autokey_config.project]}", var.autokey_config.project ) } resource "google_essential_contacts_contact" "contact" { provider = google-beta for_each = var.contacts parent = local.folder_id email = lookup( local.ctx.email_addresses, each.key, each.key ) language_tag = "en" notification_category_subscriptions = each.value depends_on = [ google_folder_iam_binding.authoritative, google_folder_iam_binding.bindings, google_folder_iam_member.bindings ] } resource "google_compute_firewall_policy_association" "default" { count = var.firewall_policy == null ? 0 : 1 attachment_target = local.folder_id name = var.firewall_policy.name firewall_policy = var.firewall_policy.policy } resource "google_assured_workloads_workload" "folder" { count = (var.assured_workload_config != null && var.folder_create) ? 1 : 0 compliance_regime = var.assured_workload_config.compliance_regime display_name = var.assured_workload_config.display_name location = var.assured_workload_config.location organization = templatestring(var.assured_workload_config.organization, var.context.condition_vars) enable_sovereign_controls = var.assured_workload_config.enable_sovereign_controls labels = var.assured_workload_config.labels partner = var.assured_workload_config.partner provisioned_resources_parent = local.aw_parent dynamic "partner_permissions" { for_each = try(var.assured_workload_config.partner_permissions, null) == null ? [] : [""] content { assured_workloads_monitoring = var.assured_workload_config.partner_permissions.assured_workloads_monitoring data_logs_viewer = var.assured_workload_config.partner_permissions.data_logs_viewer service_access_approver = var.assured_workload_config.partner_permissions.service_access_approver } } resource_settings { display_name = var.name resource_type = "CONSUMER_FOLDER" } violation_notifications_enabled = var.assured_workload_config.violation_notifications_enabled }