From 1cc59a368d6fbe9b9e3745d192aeb9dd35a7faf4 Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Fri, 28 Jan 2022 08:53:21 +0100 Subject: [PATCH] Update README.md --- modules/organization/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/organization/README.md b/modules/organization/README.md index 756c332e..8d828c8a 100644 --- a/modules/organization/README.md +++ b/modules/organization/README.md @@ -43,7 +43,9 @@ There are several mutually exclusive ways of managing IAM in this module - authoritative via the `group_iam` and `iam` variables, where bindings created outside this module (eg in the console) will be removed at each `terraform apply` cycle if the same role is also managed here - authoritative policy via the `iam_bindings_authoritative` variable, where any binding created outside this module (eg in the console) will be removed at each `terraform apply` cycle regardless of the role -Some care must be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph. +If you set audit policies via the `iam_audit_config_authoritative` variable, be sure to also configure IAM bindings via `iam_bindings_authoritative`, as audit policies use the underlying `google_organization_iam_policy` resource, which is also authoritative for any role. + +Some care must also be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph. ## Hierarchical firewall policies
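Review bot: the added "Some care must also be takend with the `groups_iam` variable" line re-introduces two defects from the line it replaces: "takend" should be "taken", and `groups_iam` does not match the `group_iam` variable named in the "authoritative via the `group_iam` and `iam` variables" bullet two lines above, so a reader cannot tell which variable the caution refers to; since this hunk already rewrites that sentence, fix both here. The new paragraph on `iam_audit_config_authoritative` would also be clearer if it spelled out the consequence it implies: because `google_organization_iam_policy` is authoritative for every role, setting audit policies without a matching `iam_bindings_authoritative` value will remove existing organization-level bindings on the next `terraform apply`, not merely leave them unmanaged.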