Organization Module
This module allows managing several organization properties:
- IAM bindings, both authoritative and additive
- custom IAM roles
- audit logging configuration for services
- organization policies
Example
module "org" {
source = "./modules/organization"
org_id = 1234567890
iam = { "roles/projectCreator" = ["group:cloud-admins@example.org"] }
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
"constraints/compute.skipDefaultNetworkCreation" = true
}
policy_list = {
"constraints/compute.trustedImageProjects" = {
inherit_from_parent = null
suggested_value = null
status = true
values = ["projects/my-project"]
}
}
}
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| org_id | Organization id in nnnnnn format. | number |
✓ | |
| custom_roles | Map of role name => list of permissions to create in this project. | map(list(string)) |
{} |
|
| iam | IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| iam_additive | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| iam_audit_config | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | map(map(list(string))) |
{} |
|
| policy_boolean | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) |
{} |
|
| policy_list | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) |
{} |
Outputs
| name | description | sensitive |
|---|---|---|
| org_id | Organization id dependent on module resources. |