This sample creates an organizational layout with a single level, where each folder is usually mapped to one infrastructure environment (test, dev, etc.). It also sets up all prerequisites for automation (GCS state buckets, service accounts, etc.), and the correct roles on those to enforce separation of duties at the environment level.
This layout is well suited for medium-sized infrastructures managed by a small set of teams, where the complexity in application resource ownership and access roles is mostly dealt with at the project level, and/or in the individual services (GKE, Cloud SQL, etc.). Its simplicity also makes it a good starting point for more complex or specialized layouts.
The number of resources in this sample is kept to a minimum so as to make it generally applicable, more resources can be easily added by leveraging other [modules from our bundle](../../../modules/), or from other sources like the [CFT suite](https://github.com/terraform-google-modules).
This sample contains a single, top-level project used to host services shared across environments (eg GCS, GCR, KMS, Cloud Build, etc.). In our experience, that is enough for many customers, especially those using this organizational layout.
For more complex setups where multiple shared services projects are needed to encapsulate a larger number of resources, shared services should be treated as an extra environment so that they can be managed by a dedicated set of Terraform files, using a separate service account and GCS bucket, with a folder to contain shared projects.
If no shared services are needed, the shared service project module can of course be removed from `main.tf`.
| [organization_id](variables.tf#L94) | Organization id in organizations/nnnnnnnn format. | <code>string</code> | ✓ | |
| [prefix](variables.tf#L99) | Prefix used for resources that need unique names. | <code>string</code> | ✓ | |
| [root_node](variables.tf#L113) | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code>string</code> | ✓ | |
| [audit_filter](variables.tf#L15) | Audit log filter used for the log sink. | <code>string</code> | | <codetitle="" logName: "/logs/cloudaudit.googleapis.com%2Factivity" OR logName: "/logs/cloudaudit.googleapis.com%2Fsystem_event""">…</code> |
| [iam_audit_viewers](variables.tf#L41) | Audit project viewers, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
| [iam_billing_config](variables.tf#L47) | Control granting billing user role to service accounts. Target the billing account by default. | <codetitle="object({ grant = bool target_org = bool })">object({…})</code> | | <codetitle="{ grant = true target_org = false }">{…}</code> |
| [iam_folder_roles](variables.tf#L59) | List of roles granted to each service account on its respective folder (excluding XPN roles). | <code>list(string)</code> | | <codetitle="[ "roles/compute.networkAdmin", "roles/owner", "roles/resourcemanager.folderViewer", "roles/resourcemanager.projectCreator", ]">[…]</code> |
| [iam_shared_owners](variables.tf#L70) | Shared services project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
| [iam_terraform_owners](variables.tf#L76) | Terraform project owners, in IAM format. | <code>list(string)</code> | | <code>[]</code> |
| [iam_xpn_config](variables.tf#L82) | Control granting Shared VPC creation roles to service accounts. Target the root node by default. | <codetitle="object({ grant = bool target_org = bool })">object({…})</code> | | <codetitle="{ grant = true target_org = true }">{…}</code> |
| [project_services](variables.tf#L104) | Service APIs enabled by default in new projects. | <code>list(string)</code> | | <codetitle="[ "container.googleapis.com", "stackdriver.googleapis.com", ]">[…]</code> |
| [service_account_keys](variables.tf#L118) | Generate and store service account keys in the state file. | <code>bool</code> | | <code>true</code> |
