5af022a3ee
* Invert the list for role/member mapping so that member is the key * Add iam_additive_bindings to replace iam_additive_members and iam_additive_roles, change test suite accordingly * attribute 'mode' added as it would error without * Update Readme to reflect the new variable iam_additive_bindings * test branch access * iam_additive_bindings to replace iam_additive roles and iam_additive_members * update foundation samples to new additive bindings format * set bq dataset options in foundation environments to allow destroying * trap exceptions raised during destroy in project module Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> |
||
---|---|---|
.. | ||
README.md | ||
main.tf | ||
outputs.tf | ||
variables.tf | ||
versions.tf |
README.md
Organization Module
This module allows managing several organization properties:
- IAM bindings, both authoritative and additive
- custom IAM roles
- audit logging configuration for services
- organization policies
Example
module "org" {
source = "./modules/organization"
org_id = 1234567890
iam_roles = ["roles/projectCreator"]
iam_members = { "roles/projectCreator" = ["group:cloud-admins@example.org"] }
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
"constraints/compute.skipDefaultNetworkCreation" = true
}
policy_list = {
"constraints/compute.trustedImageProjects" = {
inherit_from_parent = null
suggested_value = null
status = true
values = ["projects/my-project"]
}
}
}
Variables
name | description | type | required | default |
---|---|---|---|---|
org_id | Organization id in nnnnnn format. | number |
✓ | |
custom_roles | Map of role name => list of permissions to create in this project. | map(list(string)) |
{} |
|
iam_additive_bindings | Map of roles lists used to set non authoritative bindings, keyed by members. | map(list(string)) |
{} |
|
iam_audit_config | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | map(map(list(string))) |
{} |
|
iam_members | Map of member lists used to set authoritative bindings, keyed by role. | map(list(string)) |
{} |
|
iam_roles | List of roles used to set authoritative bindings. | list(string) |
[] |
|
policy_boolean | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) |
{} |
|
policy_list | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) |
{} |
Outputs
name | description | sensitive |
---|---|---|
org_id | Organization id dependent on module resources. |