36648b6b63
* data wip * wip data * update org schema, add note on expansion * all schemas, workload notes * Update WORKLOG.md * Update WORKLOG.md * Update WORKLOG.md * Update WORKLOG.md * wip * data wip * wip * wip * wip * wip * org module IAM context (using lookup) * new-style context expansion in project IAM * remove spurious file * project module contexts * finalize context replacement format for project module * revert org module changes * fix tag id interpolation in project * fix tag id interpolation in project * organization module context * organization context test * context expansion for folder tag bindings * test context expansion for tag bindings * service account module context * simplify context local * context for iam service account * nuke blueprints * remove links to blueprints * vpc sc context in project module * Add context to GCS module * Add inline deps to plan_summary script * Make context a top-level variable for folder, organization, sa * Add add context top-level to VPC-SC * move context out of factories_config variable * tfdoc * fix merge * fix merge * fix examples * net-vpc module context * add parent ids to folder context * rename folder parent context * fix folder parent check * new project factory stub * wip * wip * refactor defaults * project iam * bueckts and service accounts * start adding context replacements * better test data * automation resources for folders and projects * automation * add support for project id interpolation * first tested apply * improve IAM description in gcs module * add context to billing account module * add notification channels to billing account module context * add billing budgets to new pf * schemas and defaults * bootstrap wip * bootstrap wip * bootstrap wip * pf outputs * pf fixes * fix pf sample data * bootstrap lite fixes * add locations to organization module contexts * bootstrap lite fixes * org fixes, billing accounts * fix default project parent * bootstrap lite wip * add locations to gcs module context * add context support to logging bucket module * add context to pubsub module * split out iam variables in gcs module * fix logging bucket context test * bootstrap log sink destinations * streamline logging-bucket module variables * fix logging bucket context test * align logging bucket module interface in fast bootstrap * add support for project-level log buckets to project factory * support full context expansion in organization module log sinks * log buckets in fast-lite bootstrap * make og sink type optional in organization module * log sinks in fast-lite bootstrap * set tag values in factory context * bootstrap lite data * output files schema * billing account schema * output files * output providers * gcs output files * boilerplate * tflint * check documentation * check docs * fix project module parent variable validation * fix log bucket examples * allow null parent in project module * silence folder test errors * fix billing account sink example * fix project example * fix billing account module * fix folder tests * fix FAST * fix fast * tfvars outputs * wif * cicd service accounts * cicd * allow defaults in context, minimal org policies * support gcs managed folders in project factory and bootstrap lite * support prefix in provider output files * rename bootstrap stage * gitignore * gitignore * security folder, billing IAM * wip tfvars * fix typo * security IAM * control tag iam/context via variables in organization module * split tag creation from tag IAM to avoid circular refs * port organization module tag changes to project module * implement new-style context expansion in vpc-sc module * fix fast vpc-sc tests * boilerplate * vpc sc stage * schemas * fast-lite compatibility for vpc sc stage * make log project number optional in vpc-sc stage * networking * networking * networking * networking * rename and move new stage under fast * clone pf tests * use context replacement for internal notification channels in billing account module * support service agents in project module iam context replacements * support service agents in project module iam context replacements * add support for kms keys to project module context * experimental pf example test and fixes * fix schemas * fix tests * tfdoc * tfdoc * pf config * experimental pf * remove redundant dot from gcs managed folder IAM keys * bootstrap experimental test * project factory exp stage test * skip tflint for bootstrap experimental test * tflint * fix gcs test * documentation work * documentation work * Update README.md * tfdoc * tfdoc * readme * tfdoc * readme * readme * readme * readme * support universe in pf exp projects * missing universe service agents * org policies import, non-admin billing IAM * todo * fix test * custom constraints * fast classic dataset * fix test data * context replacements in billing module log sinks * fix typo * add support for billing log sinks * update docs * readme * cicd fix and test --------- Co-authored-by: Julio Castillo <jccb@google.com>
645 lines
34 KiB
Markdown
645 lines
34 KiB
Markdown
# Organization Module
|
|
|
|
This module allows managing several organization properties:
|
|
|
|
- IAM bindings, both authoritative and additive
|
|
- custom IAM roles
|
|
- audit logging configuration for services
|
|
- organization policies
|
|
- organization policy custom constraints
|
|
|
|
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
|
|
|
## TOC
|
|
|
|
<!-- BEGIN TOC -->
|
|
- [TOC](#toc)
|
|
- [Example](#example)
|
|
- [IAM](#iam)
|
|
- [Organization Policies](#organization-policies)
|
|
- [Organization Policy Factory](#organization-policy-factory)
|
|
- [Organization Policy Custom Constraints](#organization-policy-custom-constraints)
|
|
- [Organization Policy Custom Constraints Factory](#organization-policy-custom-constraints-factory)
|
|
- [Hierarchical Firewall Policy Attachments](#hierarchical-firewall-policy-attachments)
|
|
- [Log Sinks](#log-sinks)
|
|
- [Data Access Logs](#data-access-logs)
|
|
- [Custom Roles](#custom-roles)
|
|
- [Custom Roles Factory](#custom-roles-factory)
|
|
- [Tags](#tags)
|
|
- [Tags Factory](#tags-factory)
|
|
- [Files](#files)
|
|
- [Variables](#variables)
|
|
- [Outputs](#outputs)
|
|
<!-- END TOC -->
|
|
|
|
## Example
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
iam_by_principals = {
|
|
"group:${var.group_email}" = ["roles/owner"]
|
|
}
|
|
iam = {
|
|
"roles/resourcemanager.projectCreator" = ["group:${var.group_email}"]
|
|
}
|
|
iam_bindings_additive = {
|
|
am1-storage-admin = {
|
|
member = "group:${var.group_email}"
|
|
role = "roles/storage.admin"
|
|
}
|
|
}
|
|
tags = {
|
|
allowexternal = {
|
|
description = "Allow external identities."
|
|
values = {
|
|
true = {}, false = {}
|
|
}
|
|
}
|
|
}
|
|
org_policies = {
|
|
"compute.disableGuestAttributesAccess" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
"compute.skipDefaultNetworkCreation" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
"iam.disableServiceAccountKeyCreation" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
"iam.disableServiceAccountKeyUpload" = {
|
|
rules = [
|
|
{
|
|
condition = {
|
|
expression = "resource.matchTagId('tagKeys/1234', 'tagValues/1234')"
|
|
title = "condition"
|
|
description = "test condition"
|
|
location = "somewhere"
|
|
}
|
|
enforce = true
|
|
},
|
|
{
|
|
enforce = false
|
|
}
|
|
]
|
|
}
|
|
"iam.allowedPolicyMemberDomains" = {
|
|
rules = [
|
|
{
|
|
allow = { all = true }
|
|
condition = {
|
|
expression = "resource.matchTag('1234567890/allowexternal', 'true')"
|
|
title = "Allow external identities"
|
|
description = "Allow external identities when resource has the `allowexternal` tag set to true."
|
|
}
|
|
},
|
|
{
|
|
allow = { values = ["C0xxxxxxx", "C0yyyyyyy"] }
|
|
condition = {
|
|
expression = "!resource.matchTag('1234567890/allowexternal', 'true')"
|
|
title = ""
|
|
description = "For any resource without allowexternal=true, only allow identities from restricted domains."
|
|
}
|
|
}
|
|
]
|
|
}
|
|
"compute.trustedImageProjects" = {
|
|
rules = [{
|
|
allow = {
|
|
values = ["projects/my-project"]
|
|
}
|
|
}]
|
|
}
|
|
"compute.vmExternalIpAccess" = {
|
|
rules = [{ deny = { all = true } }]
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=13 inventory=basic.yaml e2e serial
|
|
```
|
|
|
|
## IAM
|
|
|
|
IAM is managed via several variables that implement different features and levels of control:
|
|
|
|
- `iam` and `iam_by_principals` configure authoritative bindings that manage individual roles exclusively, and are internally merged
|
|
- `iam_bindings` configure authoritative bindings with optional support for conditions, and are not internally merged with the previous two variables
|
|
- `iam_bindings_additive` configure additive bindings via individual role/member pairs with optional support conditions
|
|
|
|
The authoritative and additive approaches can be used together, provided different roles are managed by each. Some care must also be taken with the `iam_by_principals` variable to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
|
|
|
|
IAM also supports variable interpolation for both roles and principals, via the respective attributes in the `var.context` variable. Refer to the [project module](../project/README.md#iam) for examples of the IAM interface.
|
|
|
|
## Organization Policies
|
|
|
|
### Organization Policy Factory
|
|
|
|
See the [organization policy factory in the project module](../project/README.md#organization-policy-factory).
|
|
|
|
### Organization Policy Custom Constraints
|
|
|
|
Refer to the [Creating and managing custom constraints](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints) documentation for details on usage.
|
|
To manage organization policy custom constraints, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
org_policy_custom_constraints = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
resource_types = ["container.googleapis.com/NodePool"]
|
|
method_types = ["CREATE"]
|
|
condition = "resource.management.autoUpgrade == true"
|
|
action_type = "ALLOW"
|
|
display_name = "Enable node auto-upgrade"
|
|
description = "All node pools must have node auto-upgrade enabled."
|
|
}
|
|
}
|
|
# not necessarily to enforce on the org level, policy may be applied on folder/project levels
|
|
org_policies = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=2 inventory=custom-constraints.yaml
|
|
```
|
|
|
|
You can use the `id` or `custom_constraint_ids` outputs to prevent race conditions between the creation of a custom constraint and an organization policy using that constraint. Both of these outputs depend on the actual constraint, which would make any resource referring to them to wait for the creation of the constraint.
|
|
|
|
### Organization Policy Custom Constraints Factory
|
|
|
|
Org policy custom constraints can be loaded from a directory containing YAML files where each file defines one or more custom constraints. The structure of the YAML files is exactly the same as the `org_policy_custom_constraints` variable.
|
|
|
|
The example below deploys a few org policy custom constraints split between two YAML files.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
factories_config = {
|
|
org_policy_custom_constraints = "configs/custom-constraints"
|
|
}
|
|
org_policies = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=3 files=gke inventory=custom-constraints.yaml
|
|
```
|
|
|
|
```yaml
|
|
custom.gkeEnableLogging:
|
|
resource_types:
|
|
- container.googleapis.com/Cluster
|
|
method_types:
|
|
- CREATE
|
|
- UPDATE
|
|
condition: resource.loggingService == "none"
|
|
action_type: DENY
|
|
display_name: Do not disable Cloud Logging
|
|
custom.gkeEnableAutoUpgrade:
|
|
resource_types:
|
|
- container.googleapis.com/NodePool
|
|
method_types:
|
|
- CREATE
|
|
condition: resource.management.autoUpgrade == true
|
|
action_type: ALLOW
|
|
display_name: Enable node auto-upgrade
|
|
description: All node pools must have node auto-upgrade enabled.
|
|
|
|
# tftest-file id=gke path=configs/custom-constraints/gke.yaml
|
|
```
|
|
|
|
```yaml
|
|
custom.dataprocNoMoreThan10Workers:
|
|
resource_types:
|
|
- dataproc.googleapis.com/Cluster
|
|
method_types:
|
|
- CREATE
|
|
- UPDATE
|
|
condition: resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10
|
|
action_type: DENY
|
|
display_name: Total number of worker instances cannot be larger than 10
|
|
description: Cluster cannot have more than 10 workers, including primary and secondary workers.
|
|
|
|
# tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml
|
|
```
|
|
|
|
## Hierarchical Firewall Policy Attachments
|
|
|
|
Hierarchical firewall policies can be managed via the [`net-firewall-policy`](../net-firewall-policy/) module, including support for factories. Once a policy is available, attaching it to the organization can be done either in the firewall policy module itself, or here:
|
|
|
|
```hcl
|
|
module "firewall-policy" {
|
|
source = "./fabric/modules/net-firewall-policy"
|
|
name = "test-1"
|
|
parent_id = var.organization_id
|
|
# attachment via the firewall policy module
|
|
# attachments = {
|
|
# org = var.organization_id
|
|
# }
|
|
}
|
|
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
# attachment via the organization module
|
|
firewall_policy = {
|
|
name = "test-1"
|
|
policy = module.firewall-policy.id
|
|
}
|
|
}
|
|
# tftest modules=2 resources=2 e2e serial
|
|
```
|
|
|
|
## Log Sinks
|
|
|
|
The following example shows how to define organization-level log sinks, which support interpolation in the destination argument.
|
|
|
|
```hcl
|
|
module "gcs" {
|
|
source = "./fabric/modules/gcs"
|
|
project_id = var.project_id
|
|
prefix = var.prefix
|
|
name = "gcs_sink"
|
|
location = "EU"
|
|
force_destroy = true
|
|
}
|
|
|
|
module "dataset" {
|
|
source = "./fabric/modules/bigquery-dataset"
|
|
project_id = var.project_id
|
|
id = "bq_sink"
|
|
}
|
|
|
|
module "pubsub" {
|
|
source = "./fabric/modules/pubsub"
|
|
project_id = var.project_id
|
|
name = "pubsub_sink"
|
|
}
|
|
|
|
module "bucket" {
|
|
source = "./fabric/modules/logging-bucket"
|
|
parent = var.project_id
|
|
name = "${var.prefix}-bucket"
|
|
}
|
|
|
|
module "destination-project" {
|
|
source = "./fabric/modules/project"
|
|
name = "dest-prj"
|
|
billing_account = var.billing_account_id
|
|
parent = var.folder_id
|
|
prefix = var.prefix
|
|
services = [
|
|
"logging.googleapis.com"
|
|
]
|
|
}
|
|
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
context = {
|
|
storage_buckets = {
|
|
my_bucket = "test-prod-log-audit-0"
|
|
}
|
|
}
|
|
logging_sinks = {
|
|
audit = {
|
|
destination = "$storage_buckets:my_bucket"
|
|
filter = "log_id('cloudaudit.googleapis.com/activity')"
|
|
type = "storage"
|
|
}
|
|
warnings = {
|
|
destination = module.gcs.id
|
|
filter = "severity=WARNING"
|
|
type = "storage"
|
|
}
|
|
info = {
|
|
bq_partitioned_table = true
|
|
destination = module.dataset.id
|
|
filter = "severity=INFO"
|
|
type = "bigquery"
|
|
}
|
|
notice = {
|
|
destination = module.pubsub.id
|
|
filter = "severity=NOTICE"
|
|
type = "pubsub"
|
|
}
|
|
debug = {
|
|
destination = module.bucket.id
|
|
filter = "severity=DEBUG"
|
|
exclusions = {
|
|
no-compute = "logName:compute"
|
|
}
|
|
type = "logging"
|
|
}
|
|
alert = {
|
|
destination = module.destination-project.id
|
|
filter = "severity=ALERT"
|
|
type = "project"
|
|
}
|
|
}
|
|
logging_exclusions = {
|
|
no-gce-instances = "resource.type=gce_instance"
|
|
}
|
|
}
|
|
# tftest modules=6 resources=19 inventory=logging.yaml
|
|
```
|
|
|
|
## Data Access Logs
|
|
|
|
Activation of data access logs can be controlled via the `logging_data_access` variable.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
logging_data_access = {
|
|
allServices = {
|
|
ADMIN_READ = {
|
|
exempted_members = ["group:${var.group_email}"]
|
|
}
|
|
}
|
|
"storage.googleapis.com" = {
|
|
DATA_READ = {}
|
|
DATA_WRITE = {}
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=2 inventory=logging-data-access.yaml e2e serial
|
|
```
|
|
|
|
## Custom Roles
|
|
|
|
Custom roles can be defined via the `custom_roles` variable, and referenced via the `custom_role_id` output (this also provides explicit dependency on the custom role):
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
custom_roles = {
|
|
"myRole" = [
|
|
"compute.instances.list",
|
|
]
|
|
}
|
|
iam = {
|
|
(module.org.custom_role_id.myRole) = ["group:${var.group_email}"]
|
|
}
|
|
}
|
|
# tftest modules=1 resources=2 inventory=roles.yaml e2e serial
|
|
```
|
|
|
|
### Custom Roles Factory
|
|
|
|
Custom roles can also be specified via a factory in a similar way to organization policies and policy constraints. Each file is mapped to a custom role, where
|
|
|
|
- the role name defaults to the file name but can be overridden via a `name` attribute in the yaml
|
|
- role permissions are defined in an `includedPermissions` map
|
|
|
|
Custom roles defined via the variable are merged with those coming from the factory, and override them in case of duplicate names.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
factories_config = {
|
|
custom_roles = "data/custom_roles"
|
|
}
|
|
}
|
|
# tftest modules=1 resources=2 files=custom-role-1,custom-role-2 inventory=custom-roles.yaml
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=custom-role-1 path=data/custom_roles/test_1.yaml
|
|
|
|
includedPermissions:
|
|
- compute.globalOperations.get
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=custom-role-2 path=data/custom_roles/test_2.yaml
|
|
|
|
name: projectViewer
|
|
includedPermissions:
|
|
- resourcemanager.projects.get
|
|
- resourcemanager.projects.getIamPolicy
|
|
- resourcemanager.projects.list
|
|
```
|
|
|
|
## Tags
|
|
|
|
Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
tags = {
|
|
environment = {
|
|
description = "Environment specification."
|
|
iam = {
|
|
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
|
|
}
|
|
iam_bindings = {
|
|
viewer = {
|
|
role = "roles/resourcemanager.tagViewer"
|
|
members = ["group:gcp-support@example.org"]
|
|
}
|
|
}
|
|
iam_bindings_additive = {
|
|
user_app1 = {
|
|
role = "roles/resourcemanager.tagUser"
|
|
member = "group:app1-team@example.org"
|
|
}
|
|
}
|
|
values = {
|
|
dev = {
|
|
iam_bindings_additive = {
|
|
user_app2 = {
|
|
role = "roles/resourcemanager.tagUser"
|
|
member = "group:app2-team@example.org"
|
|
}
|
|
}
|
|
}
|
|
prod = {
|
|
description = "Environment: production."
|
|
iam = {
|
|
"roles/resourcemanager.tagViewer" = ["group:app1-team@example.org"]
|
|
}
|
|
iam_bindings = {
|
|
admin = {
|
|
role = "roles/resourcemanager.tagAdmin"
|
|
members = ["group:gcp-support@example.org"]
|
|
condition = {
|
|
title = "gcp_support"
|
|
expression = <<-END
|
|
request.time.getHours("Europe/Berlin") <= 9 &&
|
|
request.time.getHours("Europe/Berlin") >= 17
|
|
END
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
tag_bindings = {
|
|
env-prod = module.org.tag_values["environment/prod"].id
|
|
}
|
|
}
|
|
# tftest modules=1 resources=10 inventory=tags.yaml
|
|
```
|
|
|
|
You can also define network tags, through a dedicated variable *network_tags*:
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
network_tags = {
|
|
net-environment = {
|
|
description = "This is a network tag."
|
|
network = "${var.project_id}/${var.vpc.name}"
|
|
iam = {
|
|
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
|
|
}
|
|
values = {
|
|
dev = {}
|
|
prod = {
|
|
description = "Environment: production."
|
|
iam = {
|
|
"roles/resourcemanager.tagUser" = ["group:${var.group_email}"]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=5 inventory=network-tags.yaml e2e serial
|
|
```
|
|
|
|
### Tags Factory
|
|
|
|
Tags can also be specified via a factory in a similar way to organization policies and policy constraints. Each file is mapped to tag key, where
|
|
|
|
- the key name defaults to the file name but can be overridden via a `name` attribute in the yaml
|
|
- The structure of the YAML file allows defining the `description`, `iam` bindings, and a map of `values` for the tag key, including their own descriptions and IAM.
|
|
- Tags defined via the `tags` and `network_tags` variables are merged with those from the factory, and will override factory definitions in case of duplicate names.
|
|
|
|
The example below deploys a `cost-center` tag key and its values from a YAML file. Context expansion supports interpolation via the `context.tag_keys` and `context.tag_values` variables, as shown below.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
context = {
|
|
tag_keys = {
|
|
environment = "tagKeys/1234567890"
|
|
}
|
|
tag_values = {
|
|
"environment/production" = "tagValues/1234567890"
|
|
}
|
|
}
|
|
factories_config = {
|
|
tags = "data/tags"
|
|
}
|
|
}
|
|
# tftest modules=1 resources=7 files=0,1 inventory=tags-factory.yaml
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=0 path=data/tags/cost-center.yaml
|
|
|
|
description: "Tag for internal cost allocation."
|
|
iam:
|
|
"roles/resourcemanager.tagViewer":
|
|
- "group:finance-team@example.com"
|
|
values:
|
|
engineering:
|
|
description: "Engineering department."
|
|
marketing:
|
|
description: "Marketing department."
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=1 path=data/tags/environment.yaml
|
|
|
|
id: $tag_keys:environment
|
|
iam:
|
|
"roles/resourcemanager.tagViewer":
|
|
- "group:gcp-devops@example.com"
|
|
values:
|
|
development:
|
|
description: "Development."
|
|
production:
|
|
id: $tag_values:environment/production
|
|
iam:
|
|
"roles/resourcemanager.tagUser":
|
|
- "group:gcp-devops@example.com"
|
|
|
|
```
|
|
|
|
<!-- TFDOC OPTS files:1 -->
|
|
<!-- BEGIN TFDOC -->
|
|
## Files
|
|
|
|
| name | description | resources |
|
|
|---|---|---|
|
|
| [iam.tf](./iam.tf) | IAM bindings. | <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> |
|
|
| [logging.tf](./logging.tf) | Log sinks and data access logs. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_settings</code> · <code>google_logging_organization_sink</code> · <code>google_organization_iam_audit_config</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
|
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_firewall_policy_association</code> · <code>google_essential_contacts_contact</code> |
|
|
| [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
|
|
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
|
|
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
|
| [tags.tf](./tags.tf) | Manages GCP Secure Tags, keys, values, and IAM. | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_key_iam_member</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> · <code>google_tags_tag_value_iam_member</code> |
|
|
| [variables-iam.tf](./variables-iam.tf) | None | |
|
|
| [variables-logging.tf](./variables-logging.tf) | None | |
|
|
| [variables-tags.tf](./variables-tags.tf) | None | |
|
|
| [variables.tf](./variables.tf) | Module variables. | |
|
|
| [versions.tf](./versions.tf) | Version pins. | |
|
|
|
|
## Variables
|
|
|
|
| name | description | type | required | default |
|
|
|---|---|:---:|:---:|:---:|
|
|
| [organization_id](variables.tf#L113) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
|
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [context](variables.tf#L24) | Context-specific interpolations. | <code title="object({ bigquery_datasets = optional(map(string), {}) custom_roles = optional(map(string), {}) iam_principals = optional(map(string), {}) locations = optional(map(string), {}) log_buckets = optional(map(string), {}) org_policies = optional(map(map(string)), {}) project_ids = optional(map(string), {}) pubsub_topics = optional(map(string), {}) storage_buckets = optional(map(string), {}) tag_keys = optional(map(string), {}) tag_values = optional(map(string), {}) })">object({…})</code> | | <code>{}</code> |
|
|
| [custom_roles](variables.tf#L43) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [factories_config](variables.tf#L50) | Paths to data files and folders that enable factory functionality. | <code title="object({ custom_roles = optional(string) org_policies = optional(string) org_policy_custom_constraints = optional(string) tags = optional(string) })">object({…})</code> | | <code>{}</code> |
|
|
| [firewall_policy](variables.tf#L62) | Hierarchical firewall policies to associate to the organization. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
|
| [iam](variables-iam.tf#L17) | Authoritative IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [iam_by_principals](variables-iam.tf#L61) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam_by_principals_additive](variables-iam.tf#L54) | Additive IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam_bindings_additive` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. The special 'allServices' key denotes configuration for all services. | <code title="map(object({ ADMIN_READ = optional(object({ exempted_members = optional(list(string)) })), DATA_READ = optional(object({ exempted_members = optional(list(string)) })), DATA_WRITE = optional(object({ exempted_members = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [logging_exclusions](variables-logging.tf#L28) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [logging_settings](variables-logging.tf#L35) | Default settings for logging resources. | <code title="object({ disable_default_sink = optional(bool) storage_location = optional(string) })">object({…})</code> | | <code>null</code> |
|
|
| [logging_sinks](variables-logging.tf#L45) | Logging sinks to create for the organization. | <code title="map(object({ destination = string bq_partitioned_table = optional(bool, false) description = optional(string) disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) intercept_children = optional(bool, false) type = optional(string, "logging") }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") id = optional(string) network = string # project_id/vpc_name iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") id = optional(string) iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [org_policies](variables.tf#L71) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [org_policy_custom_constraints](variables.tf#L99) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [tag_bindings](variables-tags.tf#L82) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [tags](variables-tags.tf#L89) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [tags_config](variables-tags.tf#L154) | Fine-grained control on tag resource and IAM creation. | <code title="object({ force_context_ids = optional(bool, false) ignore_iam = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
|
|
|
## Outputs
|
|
|
|
| name | description | sensitive |
|
|
|---|---|:---:|
|
|
| [custom_constraint_ids](outputs.tf#L17) | Map of CUSTOM_CONSTRAINTS => ID in the organization. | |
|
|
| [custom_role_id](outputs.tf#L22) | Map of custom role IDs created in the organization. | |
|
|
| [custom_roles](outputs.tf#L27) | Map of custom roles resources created in the organization. | |
|
|
| [id](outputs.tf#L32) | Fully qualified organization id. | |
|
|
| [network_tag_keys](outputs.tf#L50) | Tag key resources. | |
|
|
| [network_tag_values](outputs.tf#L59) | Tag value resources. | |
|
|
| [organization_id](outputs.tf#L69) | Organization id dependent on module resources. | |
|
|
| [sink_writer_identities](outputs.tf#L86) | Writer identities created for each sink. | |
|
|
| [tag_keys](outputs.tf#L94) | Tag key resources. | |
|
|
| [tag_values](outputs.tf#L103) | Tag value resources. | |
|
|
<!-- END TFDOC -->
|