Add org policy factory example

2022-11-03 12:12:50 +01:00 · 2022-11-03 12:12:50 +01:00 · f64c43e893
parent 3e18575fad
commit f64c43e893
3 changed files with 71 additions and 0 deletions
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@ -75,6 +75,10 @@ module "folder" {
 # tftest modules=1 resources=8
 ```

+### Organization policy factory
+
+See the [organization policy factory in the project module](../project#Organization-policy-factory).
+
 ### Firewall policy factory

 In the same way as for the [organization](../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@ -76,6 +76,10 @@ If you set audit policies via the `iam_audit_config_authoritative` variable, be

 Some care must also be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.

+### Organization policy factory
+
+See the [organization policy factory in the project module](../project#Organization-policy-factory).
+
 ## Hierarchical firewall policies

 Hirerarchical firewall policies can be managed in two ways:
--- a/modules/project/README.md
+++ b/modules/project/README.md
@ -211,6 +211,69 @@ module "project" {
 # tftest modules=1 resources=10
 ```

+### Organization policy factory
+
+Organization policies can be loaded from a directory containing YAML files where each file defines one or more constraints. The structure of the YAML files is exactly the same as the `org_policies` variable.
+
+The example below deploys the same organization policies shown in the previous section using two YAML files.
+
+```hcl
+module "folder" {
+  source                 = "./fabric/modules/folder"
+  parent                 = "organizations/1234567890"
+  name                   = "Folder name"
+  org_policies_data_path = "/my/path"
+}
+# tftest skip
+```
+
+```yaml
+# /my/path/boolean.yaml
+iam.disableServiceAccountKeyCreation:
+  enforce: true
+
+iam.disableServiceAccountKeyUpload:
+  enforce: false
+  rules:
+    - condition:
+        expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
+        title: condition
+        description: test condition
+        location: xxx
+      enforce: true
+```
+
+```yaml
+# /my/path/list.yaml
+compute.vmExternalIpAccess:
+  deny:
+    all: true
+
+iam.allowedPolicyMemberDomains:
+  allow:
+    values:
+      - C0xxxxxxx
+      - C0yyyyyyy
+
+compute.restrictLoadBalancerCreationForTypes:
+  deny:
+    values: ["in:EXTERNAL"]
+  rules:
+    - condition:
+        expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
+        title: condition
+        description: test condition
+      allow:
+        values: ["in:EXTERNAL"]
+    - condition:
+        expression: resource.matchTagId("tagKeys/12345", "tagValues/12345")
+        title: condition2
+        description: test condition2
+      allow:
+        all: true
+```
+
+
 ## Logging Sinks

 ```hcl