zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/organization/README.md

489 lines
24 KiB
Markdown
Raw Normal View History

Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
# Organization Module
This module allows managing several organization properties:
- IAM bindings, both authoritative and additive
- custom IAM roles
- audit logging configuration for services
- organization policies
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
- organization policy custom constraints
Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
Enable org policy service and add README notice to modules (#936) * enable org policy service and add README notice to modules * fix tests
2022-11-01 06:25:07 -07:00
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
## Example
```hcl
module "org" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
Fix organization tests
2020-11-25 09:47:11 -08:00
organization_id = "organizations/1234567890"
Enforce terraform fmt in examples
2022-12-16 03:53:56 -08:00
group_iam = {
Add support for group-based IAM to resource management modules (#229) * group_iam support for organization * group_iam support for folder * fix typo in variable description * add group_iam to project module * update project module README
2021-04-11 05:48:16 -07:00
"cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
iam = {
Update README.md
2021-10-12 00:40:10 -07:00
"roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
Add support for group-based IAM to resource management modules (#229) * group_iam support for organization * group_iam support for folder * fix typo in variable description * add group_iam to project module * update project module README
2021-04-11 05:48:16 -07:00
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
iam_additive_members = {
"user:compute@example.org" = ["roles/compute.admin", "roles/container.viewer"]
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
}
Fix readme examples
2022-10-28 05:57:11 -07:00
org_policies = {
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
"custom.gkeEnableAutoUpgrade" = {
enforce = true
}
Fix readme examples
2022-10-28 05:57:11 -07:00
"compute.disableGuestAttributesAccess" = {
enforce = true
}
"constraints/compute.skipDefaultNetworkCreation" = {
enforce = true
}
"iam.disableServiceAccountKeyCreation" = {
enforce = true
}
"iam.disableServiceAccountKeyUpload" = {
enforce = false
rules = [
{
condition = {
expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
title = "condition"
description = "test condition"
location = "somewhere"
}
enforce = true
}
]
}
"constraints/iam.allowedPolicyMemberDomains" = {
allow = {
values = ["C0xxxxxxx", "C0yyyyyyy"]
}
}
Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
"constraints/compute.trustedImageProjects" = {
Fix readme examples
2022-10-28 05:57:11 -07:00
allow = {
values = ["projects/my-project"]
}
}
"constraints/compute.vmExternalIpAccess" = {
deny = { all = true }
Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
}
}
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=13 inventory=basic.yaml
Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
```
Add support for group-based IAM to resource management modules (#229) * group_iam support for organization * group_iam support for folder * fix typo in variable description * add group_iam to project module * update project module README
2021-04-11 05:48:16 -07:00
## IAM
There are several mutually exclusive ways of managing IAM in this module
- non-authoritative via the `iam_additive` and `iam_additive_members` variables, where bindings created outside this module will coexist with those managed here
- authoritative via the `group_iam` and `iam` variables, where bindings created outside this module (eg in the console) will be removed at each `terraform apply` cycle if the same role is also managed here
- authoritative policy via the `iam_bindings_authoritative` variable, where any binding created outside this module (eg in the console) will be removed at each `terraform apply` cycle regardless of the role
Update README.md
2022-01-27 23:53:21 -08:00
If you set audit policies via the `iam_audit_config_authoritative` variable, be sure to also configure IAM bindings via `iam_bindings_authoritative`, as audit policies use the underlying `google_organization_iam_policy` resource, which is also authoritative for any role.
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
Some care must also be taken with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
Add support for group-based IAM to resource management modules (#229) * group_iam support for organization * group_iam support for folder * fix typo in variable description * add group_iam to project module * update project module README
2021-04-11 05:48:16 -07:00
Add org policy factory example
2022-11-03 04:12:50 -07:00
### Organization policy factory
Fix internal links
2022-11-03 04:14:47 -07:00
See the [organization policy factory in the project module](../project#organization-policy-factory).
Add org policy factory example
2022-11-03 04:12:50 -07:00
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
### Org policy custom constraints
Refer to the [Creating and managing custom constraints](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints) documentation for details on usage.
To manage organization policy custom constraints, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
```hcl
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
Enforce terraform fmt in examples
2022-12-16 03:53:56 -08:00
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
org_policy_custom_constraints = {
"custom.gkeEnableAutoUpgrade" = {
resource_types = ["container.googleapis.com/NodePool"]
method_types = ["CREATE"]
condition = "resource.management.autoUpgrade == true"
action_type = "ALLOW"
display_name = "Enable node auto-upgrade"
description = "All node pools must have node auto-upgrade enabled."
}
}
# not necessarily to enforce on the org level, policy may be applied on folder/project levels
org_policies = {
"custom.gkeEnableAutoUpgrade" = {
enforce = true
}
}
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=2 inventory=custom-constraints.yaml
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
```
### Org policy custom constraints factory
Org policy custom constraints can be loaded from a directory containing YAML files where each file defines one or more custom constraints. The structure of the YAML files is exactly the same as the `org_policy_custom_constraints` variable.
The example below deploys a few org policy custom constraints split between two YAML files.
```hcl
module "org" {
Enforce terraform fmt in examples
2022-12-16 03:53:56 -08:00
source = "./fabric/modules/organization"
organization_id = var.organization_id
Add tests for factory examples
2022-11-16 14:03:29 -08:00
org_policy_custom_constraints_data_path = "configs/custom-constraints"
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
org_policies = {
"custom.gkeEnableAutoUpgrade" = {
enforce = true
}
}
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=3 files=gke inventory=custom-constraints.yaml
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
```
```yaml
Make directive for supporting files in examples more explicit
2022-12-16 01:45:43 -08:00
# tftest-file id=gke path=configs/custom-constraints/gke.yaml
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
custom.gkeEnableLogging:
Ensure inline README file match fixture files
2022-11-16 15:14:09 -08:00
resource_types:
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
- container.googleapis.com/Cluster
method_types:
- CREATE
- UPDATE
condition: resource.loggingService == "none"
action_type: DENY
display_name: Do not disable Cloud Logging
custom.gkeEnableAutoUpgrade:
Ensure inline README file match fixture files
2022-11-16 15:14:09 -08:00
resource_types:
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
- container.googleapis.com/NodePool
method_types:
- CREATE
condition: resource.management.autoUpgrade == true
action_type: ALLOW
display_name: Enable node auto-upgrade
description: All node pools must have node auto-upgrade enabled.
```
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
```yaml
Make directive for supporting files in examples more explicit
2022-12-16 01:45:43 -08:00
# tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml
Add tests for factory examples
2022-11-16 14:03:29 -08:00
custom.dataprocNoMoreThan10Workers:
Ensure inline README file match fixture files
2022-11-16 15:14:09 -08:00
resource_types:
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
- dataproc.googleapis.com/Cluster
method_types:
- CREATE
- UPDATE
condition: resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10
action_type: DENY
display_name: Total number of worker instances cannot be larger than 10
description: Cluster cannot have more than 10 workers, including primary and secondary workers.
```
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
## Hierarchical firewall policies
Add support for org policy custom constraints
2022-11-08 00:34:38 -08:00
Hierarchical firewall policies can be managed in two ways:
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
- via the `firewall_policies` variable, to directly define policies and rules in Terraform
Update all internal links examples -> blueprints
2022-09-09 06:33:59 -07:00
- via the `firewall_policy_factory` variable, to leverage external YaML files via a simple "factory" embedded in the module ([see here](../../blueprints/factories) for more context on factories)
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
Update hierarchical firewall resource This replaces all the `google_compute_organization_security_*` resources with the newer `google_compute_firewall_*` resources.
2021-12-31 03:36:14 -08:00
Once you have policies (either created via the module or externally), you can associate them using the `firewall_policy_association` variable.
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
### Directly defined firewall policies
Add support for group-based IAM to resource management modules (#229) * group_iam support for organization * group_iam support for folder * fix typo in variable description * add group_iam to project module * update project module README
2021-04-11 05:48:16 -07:00
Hierarchical firewall support for organizations
2020-11-23 10:01:02 -08:00
```hcl
module "org" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
Fix organization tests
2020-11-25 09:47:11 -08:00
organization_id = var.organization_id
Hierarchical firewall support for organizations
2020-11-23 10:01:02 -08:00
firewall_policies = {
iap-policy = {
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
allow-admins = {
description = "Access from the admin subnet to all subnets"
direction = "INGRESS"
action = "allow"
priority = 1000
ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ports = { all = [] }
target_service_accounts = null
target_resources = null
logging = false
}
Hierarchical firewall support for organizations
2020-11-23 10:01:02 -08:00
allow-iap-ssh = {
Add periods at the end of each description field where missing (#478)
2022-01-31 01:45:34 -08:00
description = "Always allow ssh from IAP."
Hierarchical firewall support for organizations
2020-11-23 10:01:02 -08:00
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["35.235.240.0/20"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
}
Update hierarchical firewall resource This replaces all the `google_compute_organization_security_*` resources with the newer `google_compute_firewall_*` resources.
2021-12-31 03:36:14 -08:00
firewall_policy_association = {
iap_policy = "iap-policy"
Hierarchical firewall support for organizations
2020-11-23 10:01:02 -08:00
}
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=4 inventory=hfw.yaml
Hierarchical firewall support for organizations
2020-11-23 10:01:02 -08:00
```
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
### Firewall policy factory
The in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
```hcl
module "org" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
organization_id = var.organization_id
firewall_policy_factory = {
Add tests for factory examples
2022-11-16 14:03:29 -08:00
cidr_file = "configs/firewall-policies/cidrs.yaml"
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
policy_name = "iap-policy"
Add tests for factory examples
2022-11-16 14:03:29 -08:00
rules_file = "configs/firewall-policies/rules.yaml"
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
}
replaced firewall_policy_attachments with firewall_policy_association in example
2022-01-19 11:54:31 -08:00
firewall_policy_association = {
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
iap_policy = module.org.firewall_policy_id["iap-policy"]
Org/Folder: Allow for policy association when using rule factory (#405) * Org/Folder: Allow for policy association when using rule factory * Fix linting issue
2021-12-31 03:20:42 -08:00
}
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=4 files=cidrs,rules inventory=hfw.yaml
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
```
```yaml
Make directive for supporting files in examples more explicit
2022-12-16 01:45:43 -08:00
# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
rfc1918:
- 10.0.0.0/8
Org/Folder: Allow for policy association when using rule factory (#405) * Org/Folder: Allow for policy association when using rule factory * Fix linting issue
2021-12-31 03:20:42 -08:00
- 172.16.0.0/12
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
- 192.168.0.0/16
```
```yaml
Make directive for supporting files in examples more explicit
2022-12-16 01:45:43 -08:00
# tftest-file id=rules path=configs/firewall-policies/rules.yaml
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
allow-admins:
description: Access from the admin subnet to all subnets
direction: INGRESS
action: allow
priority: 1000
ranges:
- $rfc1918
ports:
all: []
target_resources: null
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
logging: false
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
allow-iap-ssh:
description: "Always allow ssh from IAP."
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
direction: INGRESS
action: allow
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
priority: 100
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
ranges:
- 35.235.240.0/20
ports:
tcp: ["22"]
target_resources: null
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
logging: false
Organization module refactor, in-module firewall policy factory for organization and folder (#385) * move iam and logging to separate files, minimal refactoring * update README * fix example * factory * tfdoc * boilerplate * remove data_folder variable * tfdoc * fix default factory name * add firewall policy to folder module * add factory example
2021-12-12 23:41:02 -08:00
```
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
## Logging Sinks
Add support for group-based IAM to resource management modules (#229) * group_iam support for organization * group_iam support for folder * fix typo in variable description * add group_iam to project module * update project module README
2021-04-11 05:48:16 -07:00
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
```hcl
module "gcs" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/gcs"
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
project_id = var.project_id
name = "gcs_sink"
force_destroy = true
}
module "dataset" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/bigquery-dataset"
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
project_id = var.project_id
id = "bq_sink"
}
module "pubsub" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/pubsub"
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
project_id = var.project_id
name = "pubsub_sink"
}
Support for cloud logging buckets
2021-03-03 05:19:08 -08:00
module "bucket" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/logging-bucket"
Support for cloud logging buckets
2021-03-03 05:19:08 -08:00
parent_type = "project"
parent = "my-project"
id = "bucket"
}
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
module "org" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
organization_id = var.organization_id
logging_sinks = {
warnings = {
Remove as_logging_destination
2022-11-12 10:24:41 -08:00
destination = module.gcs.id
Rename bigquery_use_partitioned_table
2022-11-12 02:30:34 -08:00
filter = "severity=WARNING"
Remove as_logging_destination
2022-11-12 10:24:41 -08:00
type = "storage"
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
}
info = {
Rename bigquery_use_partitioned_table
2022-11-12 02:30:34 -08:00
bq_partitioned_table = true
Remove as_logging_destination
2022-11-12 10:24:41 -08:00
destination = module.dataset.id
filter = "severity=INFO"
type = "bigquery"
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
}
notice = {
Remove as_logging_destination
2022-11-12 10:24:41 -08:00
destination = module.pubsub.id
Rename bigquery_use_partitioned_table
2022-11-12 02:30:34 -08:00
filter = "severity=NOTICE"
Remove as_logging_destination
2022-11-12 10:24:41 -08:00
type = "pubsub"
Support for cloud logging buckets
2021-03-03 05:19:08 -08:00
}
debug = {
Remove as_logging_destination
2022-11-12 10:24:41 -08:00
destination = module.bucket.id
Rename bigquery_use_partitioned_table
2022-11-12 02:30:34 -08:00
filter = "severity=DEBUG"
Enforce terraform fmt in examples
2022-12-16 03:53:56 -08:00
exclusions = {
Support for cloud logging buckets
2021-03-03 05:19:08 -08:00
no-compute = "logName:compute"
}
Remove as_logging_destination
2022-11-12 10:24:41 -08:00
type = "logging"
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
}
}
logging_exclusions = {
no-gce-instances = "resource.type=gce_instance"
}
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
# tftest modules=5 resources=13 inventory=logging.yaml
Logging sinks and exclusions (#178) * Add sink support to folder module * Make folder creation optional. * Add logging sinks to the organization module * Add logging sink support to project module * Update readme
2020-12-04 23:31:35 -08:00
```
Output role information from organization module
2021-09-13 08:34:20 -07:00
## Custom Roles
Add support for resource management tags and tag bindings (#552) * organization module * folder module * project module * fix project binding * use id instead of name for references * kms module * compute-vm * fix compute-vm
2022-02-20 02:14:18 -08:00
Output role information from organization module
2021-09-13 08:34:20 -07:00
```hcl
module "org" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
Output role information from organization module
2021-09-13 08:34:20 -07:00
organization_id = var.organization_id
custom_roles = {
"myRole" = [
"compute.instances.list",
]
}
iam = {
(module.org.custom_role_id.myRole) = ["user:me@example.com"]
}
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=2 inventory=roles.yaml
Output role information from organization module
2021-09-13 08:34:20 -07:00
```
Split organization module in files, add nullables
2022-01-29 01:08:17 -08:00
Add support for resource management tags and tag bindings (#552) * organization module * folder module * project module * fix project binding * use id instead of name for references * kms module * compute-vm * fix compute-vm
2022-02-20 02:14:18 -08:00
## Tags
Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
```hcl
module "org" {
Test documentation examples in the examples/ folder
2022-09-06 08:46:09 -07:00
source = "./fabric/modules/organization"
Add support for resource management tags and tag bindings (#552) * organization module * folder module * project module * fix project binding * use id instead of name for references * kms module * compute-vm * fix compute-vm
2022-02-20 02:14:18 -08:00
organization_id = var.organization_id
tags = {
environment = {
Enforce terraform fmt in examples
2022-12-16 03:53:56 -08:00
description = "Environment specification."
iam = {
Add support for resource management tags and tag bindings (#552) * organization module * folder module * project module * fix project binding * use id instead of name for references * kms module * compute-vm * fix compute-vm
2022-02-20 02:14:18 -08:00
"roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
}
values = {
Enforce terraform fmt in examples
2022-12-16 03:53:56 -08:00
dev = {}
Add support for resource management tags and tag bindings (#552) * organization module * folder module * project module * fix project binding * use id instead of name for references * kms module * compute-vm * fix compute-vm
2022-02-20 02:14:18 -08:00
prod = {
description = "Environment: production."
iam = {
"roles/resourcemanager.tagViewer" = ["user:user1@example.com"]
}
}
}
}
}
tag_bindings = {
env-prod = module.org.tag_values["environment/prod"].id
foo = "tagValues/12345678"
}
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=7 inventory=tags.yaml
Add support for resource management tags and tag bindings (#552) * organization module * folder module * project module * fix project binding * use id instead of name for references * kms module * compute-vm * fix compute-vm
2022-02-20 02:14:18 -08:00
```
Add network tags support to the organization module (#979)
2022-11-18 06:56:28 -08:00
You can also define network tags, through a dedicated variable *network_tags*:
```hcl
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
network_tags = {
net-environment = {
Enforce terraform fmt in examples
2022-12-16 03:53:56 -08:00
description = "This is a network tag."
network = "my_project/my_vpc"
iam = {
Add network tags support to the organization module (#979)
2022-11-18 06:56:28 -08:00
"roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
}
values = {
Enforce terraform fmt in examples
2022-12-16 03:53:56 -08:00
dev = null
Add network tags support to the organization module (#979)
2022-11-18 06:56:28 -08:00
prod = {
description = "Environment: production."
iam = {
"roles/resourcemanager.tagUser" = ["user:user1@example.com"]
}
}
}
}
}
}
Migrate organization to example-based tests
2022-12-15 06:23:11 -08:00
# tftest modules=1 resources=5 inventory=network-tags.yaml
Add network tags support to the organization module (#979)
2022-11-18 06:56:28 -08:00
```
Split organization module in files, add nullables
2022-01-29 01:08:17 -08:00
<!-- TFDOC OPTS files:1 -->
Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
<!-- BEGIN TFDOC -->
New tfdoc version (#396) * update tfdoc * rewrite check docs, refactor tfdoc replace, regenerate modules READMEs * remove dead code from check docs * do not fail on missing variable files in check docs * fix typos
2021-12-20 23:51:51 -08:00
Split organization module in files, add nullables
2022-01-29 01:08:17 -08:00
## Files
| name | description | resources |
|---|---|---|
Rename tf files to use dashes
2022-02-03 23:27:39 -08:00
| [firewall-policies.tf](./firewall-policies.tf) | Hierarchical firewall policies. | <code>google_compute_firewall_policy</code> · <code>google_compute_firewall_policy_association</code> · <code>google_compute_firewall_policy_rule</code> |
Split organization module in files, add nullables
2022-01-29 01:08:17 -08:00
| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_organization_iam_audit_config</code> · <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> · <code>google_organization_iam_policy</code> |
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> |
Update module readme
2022-11-08 09:17:05 -08:00
| [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
Split organization module in files, add nullables
2022-01-29 01:08:17 -08:00
| [outputs.tf](./outputs.tf) | Module outputs. | |
Add support for resource management tags and tag bindings (#552) * organization module * folder module * project module * fix project binding * use id instead of name for references * kms module * compute-vm * fix compute-vm
2022-02-20 02:14:18 -08:00
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
Split organization module in files, add nullables
2022-01-29 01:08:17 -08:00
| [variables.tf](./variables.tf) | Module variables. | |
| [versions.tf](./versions.tf) | Version pins. | |
Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
## Variables
| name | description | type | required | default |
New tfdoc version (#396) * update tfdoc * rewrite check docs, refactor tfdoc replace, regenerate modules READMEs * remove dead code from check docs * do not fail on missing variable files in check docs * fix typos
2021-12-20 23:51:51 -08:00
|---|---|:---:|:---:|:---:|
Add network tags support to the organization module (#979)
2022-11-18 06:56:28 -08:00
| [organization_id](variables.tf#L246) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
Add periods at the end of each description field where missing (#478)
2022-01-31 01:45:34 -08:00
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
Split organization module in files, add nullables
2022-01-29 01:08:17 -08:00
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map&#40;map&#40;object&#40;&#123;&#10; action &#61; string&#10; description &#61; string&#10; direction &#61; string&#10; logging &#61; bool&#10; ports &#61; map&#40;list&#40;string&#41;&#41;&#10; priority &#61; number&#10; ranges &#61; list&#40;string&#41;&#10; target_resources &#61; list&#40;string&#41;&#10; target_service_accounts &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;&#41;">map&#40;map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [firewall_policy_association](variables.tf#L48) | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [firewall_policy_factory](variables.tf#L55) | Configuration for the firewall policy factory. | <code title="object&#40;&#123;&#10; cidr_file &#61; string&#10; policy_name &#61; string&#10; rules_file &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [group_iam](variables.tf#L65) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam](variables.tf#L72) | IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_additive](variables.tf#L79) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_additive_members](variables.tf#L86) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_audit_config](variables.tf#L93) | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [iam_audit_config_authoritative](variables.tf#L105) | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> | | <code>null</code> |
| [iam_bindings_authoritative](variables.tf#L116) | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code>map&#40;list&#40;string&#41;&#41;</code> | | <code>null</code> |
| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
Remove as_logging_destination
2022-11-12 10:24:41 -08:00
| [logging_sinks](variables.tf#L129) | Logging sinks to create for the organization. | <code title="map&#40;object&#40;&#123;&#10; bq_partitioned_table &#61; optional&#40;bool&#41;&#10; description &#61; optional&#40;string&#41;&#10; destination &#61; string&#10; disabled &#61; optional&#40;bool, false&#41;&#10; exclusions &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10; filter &#61; string&#10; include_children &#61; optional&#40;bool, true&#41;&#10; type &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
Add network tags support to the organization module (#979)
2022-11-18 06:56:28 -08:00
| [network_tags](variables.tf#L159) | Network tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; network &#61; string &#35; project_id&#47;vpc_name&#10; values &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [org_policies](variables.tf#L180) | Organization policies applied to this organization keyed by policy name. | <code title="map&#40;object&#40;&#123;&#10; inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10; reset &#61; optional&#40;bool&#41;&#10; allow &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; deny &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; enforce &#61; optional&#40;bool, true&#41; &#35; for boolean policies only.&#10; rules &#61; optional&#40;list&#40;object&#40;&#123;&#10; allow &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; deny &#61; optional&#40;object&#40;&#123;&#10; all &#61; optional&#40;bool&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10; &#125;&#41;&#41;&#10; enforce &#61; optional&#40;bool, true&#41; &#35; for boolean policies only.&#10; condition &#61; object&#40;&#123;&#10; description &#61; optional&#40;string&#41;&#10; expression &#61; optional&#40;string&#41;&#10; location &#61; optional&#40;string&#41;&#10; title &#61; optional&#40;string&#41;&#10; &#125;&#41;&#10; &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [org_policies_data_path](variables.tf#L220) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> |
| [org_policy_custom_constraints](variables.tf#L226) | Organization policiy custom constraints keyed by constraint name. | <code title="map&#40;object&#40;&#123;&#10; display_name &#61; optional&#40;string&#41;&#10; description &#61; optional&#40;string&#41;&#10; action_type &#61; string&#10; condition &#61; string&#10; method_types &#61; list&#40;string&#41;&#10; resource_types &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [org_policy_custom_constraints_data_path](variables.tf#L240) | Path containing org policy custom constraints in YAML format. | <code>string</code> | | <code>null</code> |
Fix organization module
2022-11-19 03:47:07 -08:00
| [tag_bindings](variables.tf#L255) | Tag bindings for this organization, in key => tag value id format. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [tags](variables.tf#L261) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; values &#61; optional&#40;map&#40;object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Managed by the Terraform organization module.&#34;&#41;&#10; iam &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10; &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
## Outputs
| name | description | sensitive |
|---|---|:---:|
Add network tags support to the organization module (#979)
2022-11-18 06:56:28 -08:00
| [custom_role_id](outputs.tf#L17) | Map of custom role IDs created in the organization. | |
| [custom_roles](outputs.tf#L30) | Map of custom roles resources created in the organization. | |
| [firewall_policies](outputs.tf#L35) | Map of firewall policy resources created in the organization. | |
| [firewall_policy_id](outputs.tf#L40) | Map of firewall policy ids created in the organization. | |
| [network_tag_keys](outputs.tf#L45) | Tag key resources. | |
fix tag outputs (#1012)
2022-11-25 05:06:31 -08:00
| [network_tag_values](outputs.tf#L54) | Tag value resources. | |
| [organization_id](outputs.tf#L65) | Organization id dependent on module resources. | |
| [sink_writer_identities](outputs.tf#L82) | Writer identities created for each sink. | |
| [tag_keys](outputs.tf#L90) | Tag key resources. | |
| [tag_values](outputs.tf#L99) | Tag value resources. | |
New tfdoc version (#396) * update tfdoc * rewrite check docs, refactor tfdoc replace, regenerate modules READMEs * remove dead code from check docs * do not fail on missing variable files in check docs * fix typos
2021-12-20 23:51:51 -08:00
Organization module (#57) * modules/org: first shot * modules/org: README * update changelog
2020-04-07 09:47:07 -07:00
<!-- END TFDOC -->