There are several mutually exclusive ways of managing IAM in this module:

- non-authoritative via the `iam_additive` and `iam_additive_members` variables, where bindings created outside this module will coexist with those managed here
- authoritative via the `group_iam` and `iam` variables, where bindings created outside this module (e.g. in the console) will be removed at each `terraform apply` cycle if the same role is also managed here
- authoritative policy via the `iam_bindings_authoritative` variable, where any binding created outside this module (e.g. in the console) will be removed at each `terraform apply` cycle regardless of the role

Some care must be taken with the `group_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| organization_id | Organization id in organizations/nnnnnn format. | <code title="string&#10;validation {&#10;condition     = can(regex(&#34;^organizations/[0-9]+&#34;, var.organization_id))&#10;error_message = &#34;The organization_id must in the form organizations/nnn.&#34;&#10;}">string</code> | ✓ | |
| *contacts* | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
| *custom_roles* | Map of role name => list of permissions to create in this project. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
| *firewall_policy_attachments* | List of hierarchical firewall policy IDs to *attach* to the organization. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
| *group_iam* | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
| *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (e.g. DATA_READ) and excluded members as value for each service. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
| *iam_audit_config_authoritative* | IAM authoritative service audit logging configuration. Service as key, map of log permission (e.g. DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">null</code> |
| *iam_bindings_authoritative* | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code title="map(list(string))">map(list(string))</code> | | <code title="">null</code> |
| *logging_exclusions* | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({&#10;inherit_from_parent = bool&#10;suggested_value     = string&#10;status              = bool&#10;values              = list(string)&#10;}))">map(object({...}))</code> | | <code title="">{}</code> |
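The following module call is an added example, not part of the module's own documentation, showing the authoritative `group_iam` mode described above together with the variables listed in the table, and the static-key requirement in practice. The module source path, the organization id, and every group, member and contact email are placeholders constructed for illustration; the IAM roles, permissions and organization policy constraints used are real Google Cloud identifiers.

```hcl
# Added example (not the module's own code). Assumptions: the module lives at
# ./modules/organization; the organization id and all emails are placeholders.

locals {
  # Group emails are literal strings, so every map key is known at plan time
  # and Terraform can compute the dependency graph. Keys built from resource
  # attributes that are only known after apply would break the plan.
  org_admin_groups = {
    "gcp-organization-admins@example.com" = [
      "roles/resourcemanager.organizationAdmin",
      "roles/iam.organizationRoleAdmin",
    ]
    "gcp-security-admins@example.com" = [
      "roles/orgpolicy.policyAdmin",
      "roles/logging.admin",
    ]
  }
}

module "org" {
  source          = "./modules/organization"    # placeholder path
  organization_id = "organizations/123456789012" # placeholder id

  # Authoritative mode: for every role listed here, bindings added outside
  # Terraform (e.g. in the console) are removed at the next apply. Roles that
  # are not listed are left untouched.
  group_iam = local.org_admin_groups

  # The non-authoritative alternative would be
  #   iam_additive_members = { "group:ci-ops@example.com" = ["roles/browser"] }
  # and the fully authoritative one
  #   iam_bindings_authoritative = { "roles/viewer" = ["group:auditors@example.com"] }
  # which clears every role and member not listed; the modes are mutually
  # exclusive, so only group_iam is set in this call.

  # Custom role: the key is static so it can be used as a for_each key.
  custom_roles = {
    org_viewer_lite = [
      "resourcemanager.organizations.get",
      "resourcemanager.projects.get",
      "resourcemanager.projects.list",
    ]
  }

  # Non-authoritative audit logging: service => log type => excluded members.
  # Empty lists mean no member is exempted from the audit log.
  iam_audit_config = {
    allServices = {
      ADMIN_READ = []
      DATA_READ  = []
      DATA_WRITE = []
    }
  }

  # Boolean org policies: true enforces the constraint, null restores the default.
  policy_boolean = {
    "constraints/compute.disableSerialPortAccess"      = true
    "constraints/iam.disableServiceAccountKeyCreation" = true
  }

  # List org policy: status true means allow, and values lists what is allowed.
  policy_list = {
    "constraints/gcp.resourceLocations" = {
      inherit_from_parent = null
      suggested_value     = null
      status              = true
      values              = ["in:europe-locations"]
    }
  }

  # Essential contacts in EMAIL => [NOTIFICATION_TYPES] form.
  contacts = {
    "security@example.com" = ["SECURITY", "SUSPENSION"]
  }

  # Logging exclusions in NAME => FILTER form (filter is a constructed sample).
  logging_exclusions = {
    "drop-gce-info-noise" = "resource.type=\"gce_instance\" AND severity<=INFO"
  }
}
```

Because `group_iam` is authoritative per role, review the planned changes before applying: a grant added by hand to `roles/logging.admin` will show up as a removal in the plan, which is the intended behaviour but is easy to overlook in a large diff.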