Google Cloud Folder Module
This module allows the creation and management of folders, including support for IAM bindings, organization policies, logging sinks and exclusions, essential contacts, and hierarchical firewall policies.
Examples
IAM bindings
# Folder created with IAM bindings applied at creation time.
module "folder" {
  source = "./modules/folder"
  parent = "organizations/1234567890"
  name   = "Folder name"
  # group_iam is documented as authoritative (see Variables): roles set here
  # are managed by Terraform and will override bindings for the same roles made
  # outside of it. Group emails must be known at plan time.
  group_iam = {
    "cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
  }
  # Members carry their principal type prefix (user:, group:, serviceAccount:).
  # NOTE(review): roles/owner on a single user is for illustration only; prefer
  # group-based, least-privilege grants on real folders.
  iam = {
    "roles/owner" = ["user:one@example.com"]
  }
}
# tftest:modules=1:resources=3
Organization policies
# Folder created with organization policy constraints set on it.
module "folder" {
  source = "./modules/folder"
  parent = "organizations/1234567890"
  name   = "Folder name"
  # Boolean constraints: true enforces the constraint below this folder, null
  # restores the inherited default (see policy_boolean in Variables).
  policy_boolean = {
    "constraints/compute.disableGuestAttributesAccess" = true
    "constraints/compute.skipDefaultNetworkCreation"   = true
  }
  # List constraint: status = true makes `values` an allow list, so image
  # sources are restricted to the listed projects below this folder.
  # NOTE(review): inherit_from_parent = null presumably does not merge the
  # parent's list, so this allow list replaces it — confirm before relying on it.
  policy_list = {
    "constraints/compute.trustedImageProjects" = {
      inherit_from_parent = null
      suggested_value     = null
      status              = true
      values              = ["projects/my-project"]
    }
  }
}
# tftest:modules=1:resources=4
Logging Sinks
# GCS destination for the "warnings" sink defined in the folder-sink module.
module "gcs" {
  source     = "./modules/gcs"
  project_id = "my-project"
  name       = "gcs_sink"
  # force_destroy lets `terraform destroy` remove the bucket together with all
  # exported logs. Fine for a test example; for real audit-log retention leave
  # it unset and consider a bucket retention policy / lock instead.
  force_destroy = true
}
# BigQuery destination for the "info" sink defined in the folder-sink module.
module "dataset" {
  source     = "./modules/bigquery-dataset"
  project_id = "my-project"
  id         = "bq_sink"
}
# Pub/Sub destination for the "notice" sink defined in the folder-sink module.
module "pubsub" {
  source     = "./modules/pubsub"
  project_id = "my-project"
  name       = "pubsub_sink"
}
# Cloud Logging bucket destination for the "debug" sink defined in the
# folder-sink module. It lives in a project, not in the folder itself.
module "bucket" {
  source      = "./modules/logging-bucket"
  parent_type = "project"
  parent      = "my-project"
  id          = "bucket"
}
# Folder exporting its logs to the four destinations created above.
# NOTE(review): `severity=WARNING` style filters match exactly that level; use
# `severity>=WARNING` if higher severities are meant to be included too.
module "folder-sink" {
  source = "./modules/folder"
  parent = "folders/657104291943"
  name   = "my-folder"
  logging_sinks = {
    warnings = {
      type        = "gcs"
      destination = module.gcs.name
      filter      = "severity=WARNING"
      # iam = false: the module is not asked to grant the sink's writer identity
      # on the destination. The grant must then be made out-of-band (see the
      # sink_writer_identities output) or exports will not be delivered.
      iam              = false
      # include_children exports logs from projects and folders below this one.
      include_children = true
      exclusions       = {}
    }
    info = {
      type        = "bigquery"
      destination = module.dataset.id
      filter      = "severity=INFO"
      # Same as above: writer identity must be granted on the dataset manually.
      iam              = false
      include_children = true
      exclusions       = {}
    }
    notice = {
      type        = "pubsub"
      destination = module.pubsub.id
      filter      = "severity=NOTICE"
      # iam = true: the module grants the writer identity on the topic.
      iam              = true
      include_children = true
      exclusions       = {}
    }
    debug = {
      type        = "logging"
      destination = module.bucket.id
      filter      = "severity=DEBUG"
      iam              = true
      include_children = true
      # Per-sink exclusion: drops compute logs from this sink only.
      exclusions = {
        no-compute = "logName:compute"
      }
    }
  }
  # Folder-level exclusion, separate from the per-sink ones above.
  # NOTE(review): confirm which sinks a folder-level exclusion applies to
  # before relying on it to suppress ingestion of GCE instance logs.
  logging_exclusions = {
    no-gce-instances = "resource.type=gce_instance"
  }
}
# tftest:modules=5:resources=12
Hierarchical firewall policies
# Folder that both defines a hierarchical firewall policy and attaches it to
# itself, so the rule applies to everything below this folder.
module "folder1" {
  source = "./modules/folder"
  parent = var.organization_id
  name   = "policy-container"
  firewall_policies = {
    iap-policy = {
      allow-iap-ssh = {
        description = "Always allow ssh from IAP"
        direction   = "INGRESS"
        action      = "allow"
        # NOTE(review): an `allow` in a hierarchical policy is final — VPC-level
        # firewall rules cannot deny traffic it matches. Use `goto_next` if lower
        # levels should keep the ability to block SSH.
        priority = 100
        # 35.235.240.0/20 is the source range used by IAP TCP forwarding; keeping
        # it as the only source means SSH is reachable solely through IAP.
        ranges = ["35.235.240.0/20"]
        ports = {
          tcp = ["22"]
        }
        # null targets presumably apply the rule to all networks/instances under
        # the attached folders — confirm if a narrower scope is intended.
        target_service_accounts = null
        target_resources        = null
        # NOTE(review): consider logging = true so IAP SSH hits show up in
        # firewall logs for detection and forensics.
        logging = false
      }
    }
  }
  # Self-reference: this reads the module's own output. It works because the
  # attachment variable only feeds the association resource, not the policy
  # resource the output depends on, so there is no dependency cycle.
  firewall_policy_attachments = {
    iap-policy = module.folder1.firewall_policy_id["iap-policy"]
  }
}
# Second folder reusing the policy created in folder1 by attaching it; the
# policy itself is defined only once.
module "folder2" {
  source = "./modules/folder"
  parent = var.organization_id
  name   = "hf2"
  firewall_policy_attachments = {
    iap-policy = module.folder1.firewall_policy_id["iap-policy"]
  }
}
# tftest:modules=2:resources=6
Variables
name | description | type | required | default |
---|---|---|---|---|
contacts | Essential contacts for this resource, in {EMAIL => [NOTIFICATION_TYPES]} format. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) |
{} |
|
firewall_policies | Hierarchical firewall policies to create in this folder. | map(map(object({...}))) |
{} |
|
firewall_policy_attachments | Map of hierarchical firewall policy IDs to attach to this folder, in {NAME => POLICY_ID} format. | map(string) |
{} |
|
folder_create | Create folder. When set to false, uses id to reference an existing folder. | bool |
true |
|
group_iam | Authoritative IAM bindings for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails must be static (known at plan time). Can be used in combination with the iam variable. |
map(list(string)) |
{} |
|
iam | IAM bindings in {ROLE => [MEMBERS]} format. Members carry their principal type prefix (e.g. `user:`, `group:`, `serviceAccount:`). | map(list(string)) |
{} |
|
id | ID of an existing folder; used when folder_create is false. | string |
null |
|
logging_exclusions | Logging exclusions for this folder in the form {NAME -> FILTER}. | map(string) |
{} |
|
logging_sinks | Logging sinks to create for this folder. | map(object({...})) |
{} |
|
name | Folder name. | string |
null |
|
parent | Parent in folders/folder_id or organizations/org_id format. | string |
... |
|
policy_boolean | Map of boolean org policies and their enforcement value; set the value to null to restore the policy to its inherited default. | map(bool) |
{} |
|
policy_list | Map of list org policies; status is true for an allow list, false for a deny list, null to restore the inherited default. Values are only applicable when status is true or false. | map(object({...})) |
{} |
Outputs
name | description | sensitive |
---|---|---|
firewall_policies | Map of firewall policy resources created in this folder. | |
firewall_policy_id | Map of firewall policy ids created in this folder. | |
folder | Folder resource. | |
id | Folder id. | |
name | Folder name. | |
sink_writer_identities | Writer identities created for each sink; grant these on the destination for sinks that do not set `iam = true`, otherwise logs are not delivered. |