| organization_id | Organization id in organizations/nnnnnn format. | <code title="string validation { condition = can(regex(&quot;^organizations/[0-9]+&quot;, var.organization_id)) error_message = &quot;The organization_id must in the form organizations/nnn.&quot; }">string</code> | ✓ | |
| *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
| *firewall_policy_attachments* | List of hierarchical firewall policy IDs to *attach* to the organization. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
| *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (e.g. DATA_READ) and excluded members as value for each service. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
| *iam_audit_config_authoritative* | IAM authoritative service audit logging configuration. Service as key, map of log permission (e.g. DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">null</code> |
| *iam_bindings_authoritative* | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code title="map(list(string))">map(list(string))</code> | | <code title="">null</code> |
| *logging_exclusions* | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |