2020-04-07 09:47:07 -07:00
# Organization Module
This module allows managing several organization properties:
- IAM bindings, both authoritative and additive
- custom IAM roles
- audit logging configuration for services
- organization policies
2022-11-08 00:34:38 -08:00
- organization policy custom constraints
2020-04-07 09:47:07 -07:00
2022-11-01 06:25:07 -07:00
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
2023-07-28 05:18:28 -07:00
## TOC
2023-08-09 04:23:07 -07:00
2023-07-28 05:18:28 -07:00
<!-- BEGIN TOC -->
- [TOC ](#toc )
- [Example ](#example )
2023-06-27 02:36:28 -07:00
- [IAM ](#iam )
- [Organization Policies ](#organization-policies )
2023-07-28 05:18:28 -07:00
- [Organization Policy Factory ](#organization-policy-factory )
- [Organization Policy Custom Constraints ](#organization-policy-custom-constraints )
- [Organization Policy Custom Constraints Factory ](#organization-policy-custom-constraints-factory )
2023-08-09 04:23:07 -07:00
- [Hierarchical Firewall Policy Attachments ](#hierarchical-firewall-policy-attachments )
2023-06-27 02:36:28 -07:00
- [Log Sinks ](#log-sinks )
2023-07-10 01:08:02 -07:00
- [Data Access Logs ](#data-access-logs )
2023-06-27 02:36:28 -07:00
- [Custom Roles ](#custom-roles )
2024-03-05 23:25:43 -08:00
- [Custom Roles Factory ](#custom-roles-factory )
2023-06-27 02:36:28 -07:00
- [Tags ](#tags )
2023-07-28 05:18:28 -07:00
- [Files ](#files )
- [Variables ](#variables )
- [Outputs ](#outputs )
<!-- END TOC -->
2023-06-27 02:36:28 -07:00
2020-04-07 09:47:07 -07:00
## Example
```hcl
module "org" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
2023-11-14 09:54:59 -08:00
organization_id = var.organization_id
2024-02-12 05:35:30 -08:00
iam_by_principals = {
"group:${var.group_email}" = ["roles/owner"]
2021-04-11 05:48:16 -07:00
}
2022-12-15 06:23:11 -08:00
iam = {
2023-11-14 09:54:59 -08:00
"roles/resourcemanager.projectCreator" = ["group:${var.group_email}"]
2021-04-11 05:48:16 -07:00
}
2023-08-20 00:44:20 -07:00
iam_bindings_additive = {
2023-08-14 02:54:50 -07:00
am1-storage-admin = {
2023-11-14 09:54:59 -08:00
member = "group:${var.group_email}"
2023-08-14 02:54:50 -07:00
role = "roles/storage.admin"
}
}
2023-02-21 03:24:40 -08:00
tags = {
allowexternal = {
description = "Allow external identities."
values = {
true = {}, false = {}
}
}
}
2022-10-28 05:57:11 -07:00
org_policies = {
"compute.disableGuestAttributesAccess" = {
2023-02-21 03:24:40 -08:00
rules = [{ enforce = true }]
2022-10-28 05:57:11 -07:00
}
2023-02-21 05:28:23 -08:00
"compute.skipDefaultNetworkCreation" = {
2023-02-21 03:24:40 -08:00
rules = [{ enforce = true }]
2022-10-28 05:57:11 -07:00
}
"iam.disableServiceAccountKeyCreation" = {
2023-02-21 03:24:40 -08:00
rules = [{ enforce = true }]
2022-10-28 05:57:11 -07:00
}
"iam.disableServiceAccountKeyUpload" = {
rules = [
{
condition = {
2023-02-21 03:24:40 -08:00
expression = "resource.matchTagId('tagKeys/1234', 'tagValues/1234')"
2022-10-28 05:57:11 -07:00
title = "condition"
description = "test condition"
location = "somewhere"
}
enforce = true
2023-02-21 03:24:40 -08:00
},
{
enforce = false
2022-10-28 05:57:11 -07:00
}
]
}
2023-02-21 05:28:23 -08:00
"iam.allowedPolicyMemberDomains" = {
2023-02-21 03:24:40 -08:00
rules = [
{
allow = { all = true }
condition = {
expression = "resource.matchTag('1234567890/allowexternal', 'true')"
title = "Allow external identities"
description = "Allow external identities when resource has the `allowexternal` tag set to true."
}
},
{
allow = { values = ["C0xxxxxxx", "C0yyyyyyy"] }
condition = {
expression = "!resource.matchTag('1234567890/allowexternal', 'true')"
title = ""
description = "For any resource without allowexternal=true, only allow identities from restricted domains."
}
}
]
2022-10-28 05:57:11 -07:00
}
2023-02-21 05:28:23 -08:00
"compute.trustedImageProjects" = {
2023-02-21 03:24:40 -08:00
rules = [{
allow = {
values = ["projects/my-project"]
}
}]
2022-10-28 05:57:11 -07:00
}
2023-02-21 05:28:23 -08:00
"compute.vmExternalIpAccess" = {
2023-02-21 03:24:40 -08:00
rules = [{ deny = { all = true } }]
2020-04-07 09:47:07 -07:00
}
}
}
2023-11-14 09:54:59 -08:00
# tftest modules=1 resources=13 inventory=basic.yaml e2e serial
2020-04-07 09:47:07 -07:00
```
2021-04-11 05:48:16 -07:00
## IAM
2023-08-20 00:44:20 -07:00
IAM is managed via several variables that implement different features and levels of control:
2021-04-11 05:48:16 -07:00
2024-02-12 05:35:30 -08:00
- `iam` and `iam_by_principals` configure authoritative bindings that manage individual roles exclusively, and are internally merged
2023-08-20 00:44:20 -07:00
- `iam_bindings` configure authoritative bindings with optional support for conditions, and are not internally merged with the previous two variables
- `iam_bindings_additive` configure additive bindings via individual role/member pairs with optional support conditions
2021-04-11 05:48:16 -07:00
2024-02-12 05:35:30 -08:00
The authoritative and additive approaches can be used together, provided different roles are managed by each. Some care must also be taken with the `iam_by_principals` variable to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
2022-01-27 23:53:21 -08:00
2023-08-20 00:44:20 -07:00
Refer to the [project module ](../project/README.md#iam ) for examples of the IAM interface.
2021-04-11 05:48:16 -07:00
2023-06-27 02:36:28 -07:00
## Organization Policies
### Organization Policy Factory
2022-11-03 04:12:50 -07:00
2022-11-03 04:14:47 -07:00
See the [organization policy factory in the project module ](../project#organization-policy-factory ).
2022-11-03 04:12:50 -07:00
2023-06-27 02:36:28 -07:00
### Organization Policy Custom Constraints
2022-11-08 00:34:38 -08:00
Refer to the [Creating and managing custom constraints ](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints ) documentation for details on usage.
To manage organization policy custom constraints, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
```hcl
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
org_policy_custom_constraints = {
"custom.gkeEnableAutoUpgrade" = {
resource_types = ["container.googleapis.com/NodePool"]
method_types = ["CREATE"]
condition = "resource.management.autoUpgrade == true"
action_type = "ALLOW"
display_name = "Enable node auto-upgrade"
description = "All node pools must have node auto-upgrade enabled."
}
}
# not necessarily to enforce on the org level, policy may be applied on folder/project levels
org_policies = {
"custom.gkeEnableAutoUpgrade" = {
2023-02-21 03:24:40 -08:00
rules = [{ enforce = true }]
2022-11-08 00:34:38 -08:00
}
}
}
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=2 inventory=custom-constraints.yaml
2022-11-08 00:34:38 -08:00
```
2023-07-17 09:48:02 -07:00
You can use the `id` or `custom_constraint_ids` outputs to prevent race conditions between the creation of a custom constraint and an organization policy using that constraint. Both of these outputs depend on the actual constraint, which would make any resource referring to them to wait for the creation of the constraint.
2023-06-27 02:36:28 -07:00
### Organization Policy Custom Constraints Factory
2022-11-08 00:34:38 -08:00
Org policy custom constraints can be loaded from a directory containing YAML files where each file defines one or more custom constraints. The structure of the YAML files is exactly the same as the `org_policy_custom_constraints` variable.
The example below deploys a few org policy custom constraints split between two YAML files.
```hcl
module "org" {
2023-12-11 06:16:39 -08:00
source = "./fabric/modules/organization"
organization_id = var.organization_id
factories_config = {
org_policy_custom_constraints = "configs/custom-constraints"
}
2022-12-15 06:23:11 -08:00
org_policies = {
"custom.gkeEnableAutoUpgrade" = {
2023-02-21 03:24:40 -08:00
rules = [{ enforce = true }]
2022-12-15 06:23:11 -08:00
}
}
2022-11-08 00:34:38 -08:00
}
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=3 files=gke inventory=custom-constraints.yaml
2022-11-08 00:34:38 -08:00
```
```yaml
2022-12-16 01:45:43 -08:00
# tftest-file id=gke path=configs/custom-constraints/gke.yaml
2023-10-25 07:16:05 -07:00
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
2022-11-08 00:34:38 -08:00
custom.gkeEnableLogging:
2022-11-16 15:14:09 -08:00
resource_types:
2022-11-08 00:34:38 -08:00
- container.googleapis.com/Cluster
method_types:
- CREATE
- UPDATE
condition: resource.loggingService == "none"
action_type: DENY
display_name: Do not disable Cloud Logging
custom.gkeEnableAutoUpgrade:
2022-11-16 15:14:09 -08:00
resource_types:
2022-11-08 00:34:38 -08:00
- container.googleapis.com/NodePool
method_types:
- CREATE
condition: resource.management.autoUpgrade == true
action_type: ALLOW
display_name: Enable node auto-upgrade
description: All node pools must have node auto-upgrade enabled.
```
```yaml
2022-12-16 01:45:43 -08:00
# tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml
2023-10-25 07:16:05 -07:00
---
# Terraform will be unable to decode this file if it does not contain valid YAML
# You can retain `---` (start of the document) to indicate an empty document.
2022-11-16 14:03:29 -08:00
custom.dataprocNoMoreThan10Workers:
2022-11-16 15:14:09 -08:00
resource_types:
2022-11-08 00:34:38 -08:00
- dataproc.googleapis.com/Cluster
method_types:
- CREATE
- UPDATE
condition: resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10
action_type: DENY
display_name: Total number of worker instances cannot be larger than 10
description: Cluster cannot have more than 10 workers, including primary and secondary workers.
```
2023-08-09 04:23:07 -07:00
## Hierarchical Firewall Policy Attachments
2021-12-12 23:41:02 -08:00
2023-08-09 04:23:07 -07:00
Hierarchical firewall policies can be managed via the [`net-firewall-policy` ](../net-firewall-policy/ ) module, including support for factories. Once a policy is available, attaching it to the organization can be done either in the firewall policy module itself, or here:
2021-04-11 05:48:16 -07:00
2020-11-23 10:01:02 -08:00
```hcl
2023-08-09 04:23:07 -07:00
module "firewall-policy" {
source = "./fabric/modules/net-firewall-policy"
name = "test-1"
parent_id = var.organization_id
# attachment via the firewall policy module
# attachments = {
# org = var.organization_id
# }
2020-11-23 10:01:02 -08:00
}
2021-12-12 23:41:02 -08:00
module "org" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
2021-12-12 23:41:02 -08:00
organization_id = var.organization_id
2023-08-09 04:23:07 -07:00
# attachment via the organization module
2023-08-28 05:39:48 -07:00
firewall_policy = {
name = "test-1"
policy = module.firewall-policy.id
2021-12-31 03:20:42 -08:00
}
2021-12-12 23:41:02 -08:00
}
2023-11-14 09:54:59 -08:00
# tftest modules=2 resources=2 e2e serial
2021-12-12 23:41:02 -08:00
```
2023-06-27 02:36:28 -07:00
## Log Sinks
2021-04-11 05:48:16 -07:00
2023-07-10 01:08:02 -07:00
The following example shows how to define organization-level log sinks:
2020-12-04 23:31:35 -08:00
```hcl
module "gcs" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/gcs"
2020-12-04 23:31:35 -08:00
project_id = var.project_id
2023-11-14 09:54:59 -08:00
prefix = var.prefix
2020-12-04 23:31:35 -08:00
name = "gcs_sink"
force_destroy = true
}
module "dataset" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/bigquery-dataset"
2020-12-04 23:31:35 -08:00
project_id = var.project_id
id = "bq_sink"
}
module "pubsub" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/pubsub"
2020-12-04 23:31:35 -08:00
project_id = var.project_id
name = "pubsub_sink"
}
2021-03-03 05:19:08 -08:00
module "bucket" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/logging-bucket"
2021-03-03 05:19:08 -08:00
parent_type = "project"
2023-11-14 09:54:59 -08:00
parent = var.project_id
2023-12-03 02:03:22 -08:00
id = "${var.prefix}-bucket"
2021-03-03 05:19:08 -08:00
}
2024-02-20 23:41:13 -08:00
module "destination-project" {
source = "./fabric/modules/project"
2024-02-23 09:11:05 -08:00
name = "dest-prj"
2024-02-20 23:41:13 -08:00
billing_account = var.billing_account_id
parent = var.folder_id
prefix = var.prefix
services = [
"logging.googleapis.com"
]
}
2020-12-04 23:31:35 -08:00
module "org" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
2020-12-04 23:31:35 -08:00
organization_id = var.organization_id
logging_sinks = {
warnings = {
2022-11-12 10:24:41 -08:00
destination = module.gcs.id
2022-11-12 02:30:34 -08:00
filter = "severity=WARNING"
2022-11-12 10:24:41 -08:00
type = "storage"
2020-12-04 23:31:35 -08:00
}
info = {
2022-11-12 02:30:34 -08:00
bq_partitioned_table = true
2022-11-12 10:24:41 -08:00
destination = module.dataset.id
filter = "severity=INFO"
type = "bigquery"
2020-12-04 23:31:35 -08:00
}
notice = {
2022-11-12 10:24:41 -08:00
destination = module.pubsub.id
2022-11-12 02:30:34 -08:00
filter = "severity=NOTICE"
2022-11-12 10:24:41 -08:00
type = "pubsub"
2021-03-03 05:19:08 -08:00
}
debug = {
2022-11-12 10:24:41 -08:00
destination = module.bucket.id
2022-11-12 02:30:34 -08:00
filter = "severity=DEBUG"
2022-12-16 03:53:56 -08:00
exclusions = {
2021-03-03 05:19:08 -08:00
no-compute = "logName:compute"
}
2022-11-12 10:24:41 -08:00
type = "logging"
2020-12-04 23:31:35 -08:00
}
2024-02-20 23:41:13 -08:00
alert = {
destination = module.destination-project.id
filter = "severity=ALERT"
type = "project"
}
2020-12-04 23:31:35 -08:00
}
logging_exclusions = {
no-gce-instances = "resource.type=gce_instance"
}
}
2024-02-20 23:41:13 -08:00
# tftest modules=6 resources=17 inventory=logging.yaml e2e serial
2020-12-04 23:31:35 -08:00
```
2023-07-10 01:08:02 -07:00
## Data Access Logs
2023-08-20 00:44:20 -07:00
Activation of data access logs can be controlled via the `logging_data_access` variable.
2023-07-10 01:08:02 -07:00
```hcl
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
logging_data_access = {
allServices = {
# logs for principals listed here will be excluded
2023-11-14 09:54:59 -08:00
ADMIN_READ = ["group:${var.group_email}"]
2023-07-10 01:08:02 -07:00
}
"storage.googleapis.com" = {
DATA_READ = []
DATA_WRITE = []
}
}
}
2023-11-14 09:54:59 -08:00
# tftest modules=1 resources=2 inventory=logging-data-access.yaml e2e serial
2023-07-10 01:08:02 -07:00
```
2021-09-13 08:34:20 -07:00
## Custom Roles
2022-02-20 02:14:18 -08:00
2023-11-14 09:54:59 -08:00
Custom roles can be defined via the `custom_roles` variable, and referenced via the `custom_role_id` output (this also provides explicit dependency on the custom role):
2023-07-10 01:08:02 -07:00
2021-09-13 08:34:20 -07:00
```hcl
module "org" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
2021-09-13 08:34:20 -07:00
organization_id = var.organization_id
custom_roles = {
"myRole" = [
"compute.instances.list",
]
}
iam = {
2023-11-14 09:54:59 -08:00
(module.org.custom_role_id.myRole) = ["group:${var.group_email}"]
2021-09-13 08:34:20 -07:00
}
}
2023-11-14 09:54:59 -08:00
# tftest modules=1 resources=2 inventory=roles.yaml e2e serial
2021-09-13 08:34:20 -07:00
```
2022-01-29 01:08:17 -08:00
2024-03-05 23:25:43 -08:00
### Custom Roles Factory
2023-12-11 06:16:39 -08:00
Custom roles can also be specified via a factory in a similar way to organization policies and policy constraints. Each file is mapped to a custom role, where
- the role name defaults to the file name but can be overridden via a `name` attribute in the yaml
- role permissions are defined in an `includedPermissions` map
Custom roles defined via the variable are merged with those coming from the factory, and override them in case of duplicate names.
```hcl
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
factories_config = {
custom_roles = "data/custom_roles"
}
}
# tftest modules=1 resources=2 files=custom-role-1,custom-role-2 inventory=custom-roles.yaml
```
```yaml
# tftest-file id=custom-role-1 path=data/custom_roles/test_1.yaml
includedPermissions:
- compute.globalOperations.get
```
```yaml
# tftest-file id=custom-role-2 path=data/custom_roles/test_2.yaml
name: projectViewer
includedPermissions:
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
```
2022-02-20 02:14:18 -08:00
## Tags
Refer to the [Creating and managing tags ](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing ) documentation for details on usage.
```hcl
module "org" {
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
2022-02-20 02:14:18 -08:00
organization_id = var.organization_id
tags = {
environment = {
2022-12-16 03:53:56 -08:00
description = "Environment specification."
iam = {
2023-11-14 09:54:59 -08:00
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
2022-02-20 02:14:18 -08:00
}
values = {
2022-12-16 03:53:56 -08:00
dev = {}
2022-02-20 02:14:18 -08:00
prod = {
description = "Environment: production."
iam = {
2023-11-14 09:54:59 -08:00
"roles/resourcemanager.tagViewer" = ["group:${var.group_email}"]
2022-02-20 02:14:18 -08:00
}
}
}
}
}
tag_bindings = {
env-prod = module.org.tag_values["environment/prod"].id
}
}
2023-11-14 09:54:59 -08:00
# tftest modules=1 resources=6 inventory=tags.yaml e2e serial
2022-02-20 02:14:18 -08:00
```
2022-11-18 06:56:28 -08:00
You can also define network tags, through a dedicated variable *network_tags* :
```hcl
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
network_tags = {
net-environment = {
2022-12-16 03:53:56 -08:00
description = "This is a network tag."
2023-11-14 09:54:59 -08:00
network = "${var.project_id}/${var.vpc.name}"
2022-12-16 03:53:56 -08:00
iam = {
2023-11-14 09:54:59 -08:00
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
2022-11-18 06:56:28 -08:00
}
values = {
2023-12-18 08:09:22 -08:00
dev = {}
2022-11-18 06:56:28 -08:00
prod = {
description = "Environment: production."
iam = {
2023-11-14 09:54:59 -08:00
"roles/resourcemanager.tagUser" = ["group:${var.group_email}"]
2022-11-18 06:56:28 -08:00
}
}
}
}
}
}
2023-11-14 09:54:59 -08:00
# tftest modules=1 resources=5 inventory=network-tags.yaml e2e serial
2022-11-18 06:56:28 -08:00
```
2022-01-29 01:08:17 -08:00
<!-- TFDOC OPTS files:1 -->
2020-04-07 09:47:07 -07:00
<!-- BEGIN TFDOC -->
2022-01-29 01:08:17 -08:00
## Files
| name | description | resources |
|---|---|---|
2024-02-12 05:35:30 -08:00
| [iam.tf ](./iam.tf ) | IAM bindings. | < code > google_organization_iam_binding</ code > · < code > google_organization_iam_custom_role</ code > · < code > google_organization_iam_member</ code > |
2024-03-08 01:07:12 -08:00
| [logging.tf ](./logging.tf ) | Log sinks and data access logs. | < code > google_bigquery_dataset_iam_member</ code > · < code > google_logging_organization_exclusion</ code > · < code > google_logging_organization_settings</ code > · < code > google_logging_organization_sink</ code > · < code > google_organization_iam_audit_config</ code > · < code > google_project_iam_member</ code > · < code > google_pubsub_topic_iam_member</ code > · < code > google_storage_bucket_iam_member</ code > |
2023-08-09 04:23:07 -07:00
| [main.tf ](./main.tf ) | Module-level locals and resources. | < code > google_compute_firewall_policy_association</ code > · < code > google_essential_contacts_contact</ code > |
2022-11-08 09:17:05 -08:00
| [org-policy-custom-constraints.tf ](./org-policy-custom-constraints.tf ) | None | < code > google_org_policy_custom_constraint</ code > |
| [organization-policies.tf ](./organization-policies.tf ) | Organization-level organization policies. | < code > google_org_policy_policy</ code > |
2022-01-29 01:08:17 -08:00
| [outputs.tf ](./outputs.tf ) | Module outputs. | |
2022-02-20 02:14:18 -08:00
| [tags.tf ](./tags.tf ) | None | < code > google_tags_tag_binding</ code > · < code > google_tags_tag_key</ code > · < code > google_tags_tag_key_iam_binding</ code > · < code > google_tags_tag_value</ code > · < code > google_tags_tag_value_iam_binding</ code > |
2024-02-12 05:35:30 -08:00
| [variables-iam.tf ](./variables-iam.tf ) | None | |
2023-12-18 09:24:05 -08:00
| [variables-tags.tf ](./variables-tags.tf ) | None | |
2022-01-29 01:08:17 -08:00
| [variables.tf ](./variables.tf ) | Module variables. | |
| [versions.tf ](./versions.tf ) | Version pins. | |
2020-04-07 09:47:07 -07:00
## Variables
| name | description | type | required | default |
2021-12-20 23:51:51 -08:00
|---|---|:---:|:---:|:---:|
2024-03-08 01:07:12 -08:00
| [organization_id ](variables.tf#L155 ) | Organization id in organizations/nnnnnn format. | < code > string</ code > | ✓ | |
2022-01-31 01:45:34 -08:00
| [contacts ](variables.tf#L17 ) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | < code > map( list( string)) </ code > | | < code > {} </ code > |
2022-01-29 01:08:17 -08:00
| [custom_roles ](variables.tf#L24 ) | Map of role name => list of permissions to create in this project. | < code > map( list( string)) </ code > | | < code > {} </ code > |
2023-12-11 06:16:39 -08:00
| [factories_config ](variables.tf#L31 ) | Paths to data files and folders that enable factory functionality. | < code title = "object({ custom_roles = optional(string) org_policies = optional(string) org_policy_custom_constraints = optional(string) })" > object({…}) </ code > | | < code > {} </ code > |
| [firewall_policy ](variables.tf#L42 ) | Hierarchical firewall policies to associate to the organization. | < code title = "object({ name = string policy = string })" > object({…}) </ code > | | < code > null</ code > |
2024-02-12 05:35:30 -08:00
| [iam ](variables-iam.tf#L17 ) | IAM bindings, in {ROLE => [MEMBERS]} format. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [iam_bindings ](variables-iam.tf#L24 ) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | < code title = "map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))" > map( object({…})) </ code > | | < code > {} </ code > |
| [iam_bindings_additive ](variables-iam.tf#L39 ) | Individual additive IAM bindings. Keys are arbitrary. | < code title = "map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))" > map( object({…})) </ code > | | < code > {} </ code > |
| [iam_by_principals ](variables-iam.tf#L54 ) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | < code > map( list( string)) </ code > | | < code > {} </ code > |
| [logging_data_access ](variables.tf#L51 ) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | < code > map( map( list( string))) </ code > | | < code > {} </ code > |
| [logging_exclusions ](variables.tf#L66 ) | Logging exclusions for this organization in the form {NAME -> FILTER}. | < code > map( string) </ code > | | < code > {} </ code > |
2024-03-08 01:07:12 -08:00
| [logging_settings ](variables.tf#L73 ) | Default settings for logging resources. | < code title = "object({ disable_default_sink = optional(bool) storage_location = optional(string) })" > object({…}) </ code > | | < code > null</ code > |
| [logging_sinks ](variables.tf#L83 ) | Logging sinks to create for the organization. | < code title = "map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) type = string }))" > map( object({…})) </ code > | | < code > {} </ code > |
2023-12-18 09:24:05 -08:00
| [network_tags ](variables-tags.tf#L17 ) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | < code title = "map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) })), {}) }))" > map( object({…})) </ code > | | < code > {} </ code > |
2024-03-08 01:07:12 -08:00
| [org_policies ](variables.tf#L114 ) | Organization policies applied to this organization keyed by policy name. | < code title = "map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))" > map( object({…})) </ code > | | < code > {} </ code > |
| [org_policy_custom_constraints ](variables.tf#L141 ) | Organization policy custom constraints keyed by constraint name. | < code title = "map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))" > map( object({…})) </ code > | | < code > {} </ code > |
2023-12-18 09:24:05 -08:00
| [tag_bindings ](variables-tags.tf#L45 ) | Tag bindings for this organization, in key => tag value id format. | < code > map( string) </ code > | | < code > {} </ code > |
| [tags ](variables-tags.tf#L52 ) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | < code title = "map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))" > map( object({…})) </ code > | | < code > {} </ code > |
2020-04-07 09:47:07 -07:00
## Outputs
| name | description | sensitive |
|---|---|:---:|
2023-07-17 09:48:02 -07:00
| [custom_constraint_ids ](outputs.tf#L17 ) | Map of CUSTOM_CONSTRAINTS => ID in the organization. | |
| [custom_role_id ](outputs.tf#L22 ) | Map of custom role IDs created in the organization. | |
2023-12-11 06:16:39 -08:00
| [custom_roles ](outputs.tf#L32 ) | Map of custom roles resources created in the organization. | |
| [id ](outputs.tf#L37 ) | Fully qualified organization id. | |
2024-03-08 01:07:12 -08:00
| [network_tag_keys ](outputs.tf#L55 ) | Tag key resources. | |
| [network_tag_values ](outputs.tf#L64 ) | Tag value resources. | |
| [organization_id ](outputs.tf#L74 ) | Organization id dependent on module resources. | |
| [sink_writer_identities ](outputs.tf#L91 ) | Writer identities created for each sink. | |
| [tag_keys ](outputs.tf#L99 ) | Tag key resources. | |
| [tag_values ](outputs.tf#L108 ) | Tag value resources. | |
2020-04-07 09:47:07 -07:00
<!-- END TFDOC -->