cloud-foundation-fabric/modules/organization
Roberto Jung Drebes 177a4d7f2c update README.md for org module with new parameters 2020-12-10 09:36:32 +00:00

README.md

Organization Module

This module allows managing several organization properties:

  • IAM bindings, both authoritative and additive
  • custom IAM roles
  • audit logging configuration for services
  • organization policies

Example

module "org" {
  source          = "./modules/organization"
  organization_id = "organizations/1234567890"
  # roles/projectCreator is not a valid predefined role; the organization-level
  # project creation role is roles/resourcemanager.projectCreator
  iam             = { "roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"] }
  policy_boolean = {
    "constraints/compute.disableGuestAttributesAccess" = true
    "constraints/compute.skipDefaultNetworkCreation"   = true
  }
  policy_list = {
    "constraints/compute.trustedImageProjects" = {
      inherit_from_parent = null
      suggested_value     = null
      status              = true
      values              = ["projects/my-project"]
    }
  }
}
# tftest:modules=1:resources=4

Hierarchical firewall rules

module "org" {
  source          = "./modules/organization"
  organization_id = var.organization_id
  firewall_policies = {
    iap-policy = {
      allow-iap-ssh = {
        description = "Always allow ssh from IAP"
        direction   = "INGRESS"
        action      = "allow"
        priority    = 100
        ranges      = ["35.235.240.0/20"]
        ports = {
          tcp = ["22"]
        }
        target_service_accounts = null
        target_resources        = null
        logging                 = false
      }
    }
  }
  firewall_policy_attachments = {
    iap_policy = module.org.firewall_policy_id["iap-policy"]
  }
}
# tftest:modules=1:resources=3

Logging Sinks

module "gcs" {
  source        = "./modules/gcs"
  project_id    = var.project_id
  name          = "gcs_sink"
  force_destroy = true
}

module "dataset" {
  source     = "./modules/bigquery-dataset"
  project_id = var.project_id
  id         = "bq_sink"
}

module "pubsub" {
  source     = "./modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "org" {
  source          = "./modules/organization"
  organization_id = var.organization_id

  logging_sinks = {
    warnings = {
      type             = "gcs"
      destination      = module.gcs.name
      filter           = "severity=WARNING"
      iam              = false
      include_children = true
    }
    info = {
      type             = "bigquery"
      destination      = module.dataset.id
      filter           = "severity=INFO"
      iam              = false
      include_children = true
    }
    notice = {
      type             = "pubsub"
      destination      = module.pubsub.id
      filter           = "severity=NOTICE"
      iam              = true
      include_children = true
    }
  }
  logging_exclusions = {
    no-gce-instances = "resource.type=gce_instance"
  }
}
# tftest:modules=4:resources=8

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| organization_id | Organization id in organizations/nnnnnn format. | string | ✓ | |
| custom_roles | Map of role name => list of permissions to create in this organization. | map(list(string)) | | {} |
| firewall_policies | Hierarchical firewall policies to create in the organization. | map(map(object({...}))) | | {} |
| firewall_policy_attachments | List of hierarchical firewall policy IDs to attach to the organization. | map(string) | | {} |
| iam | IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_additive | Non-authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) | | {} |
| iam_audit_config | Service audit logging configuration. Service as key, map of log permission (e.g. DATA_READ) and excluded members as value for each service. | map(map(list(string))) | | {} |
| iam_audit_config_authoritative | IAM authoritative service audit logging configuration. Service as key, map of log permission (e.g. DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | map(map(list(string))) | | null |
| iam_bindings_authoritative | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | map(list(string)) | | null |
| logging_exclusions | Logging exclusions for this organization in the form {NAME -> FILTER}. | map(string) | | {} |
| logging_sinks | Logging sinks to create for this organization. | map(object({...})) | | {} |
| policy_boolean | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) | | {} |
| policy_list | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) | | {} |
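The authoritative variables above are the ones that can lock an operator out, since anything not listed is cleared on the next apply. The following is an added example (not from the module's own README) showing the two authoritative inputs used together as their descriptions recommend; the organization id, group names and role set are assumed placeholders, and the module is assumed to be called from the repository root as in the examples above.

```hcl
module "org" {
  source          = "./modules/organization"
  organization_id = "organizations/1234567890" # assumed placeholder

  # Authoritative bindings: every role/member pair on the organization that is
  # not listed here is removed on apply. The organization admin group must be
  # part of the list, or the identity running Terraform loses access to the
  # organization after the first apply.
  iam_bindings_authoritative = {
    "roles/resourcemanager.organizationAdmin" = ["group:org-admins@example.org"]
    "roles/resourcemanager.projectCreator"    = ["group:cloud-admins@example.org"]
    "roles/billing.user"                      = ["group:cloud-admins@example.org"]
  }

  # Authoritative audit config, to match the authoritative bindings above.
  # Shape is service => { log type => exempted members }; an empty list means
  # no principal is exempted, so data access logs are kept for everybody.
  iam_audit_config_authoritative = {
    allServices = {
      ADMIN_READ = []
      DATA_READ  = []
      DATA_WRITE = []
    }
  }

  # Org policies are independent of the IAM policy and can be combined freely;
  # both are security baselines that are cheap to enforce at the root.
  policy_boolean = {
    "constraints/iam.disableServiceAccountKeyCreation" = true
    "constraints/compute.skipDefaultNetworkCreation"   = true
  }
}
```

Review the plan output for removed `google_organization_iam_policy` bindings before applying, since Terraform shows exactly which existing members the authoritative policy will drop.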

Outputs

| name | description | sensitive |
|---|---|---|
| firewall_policies | Map of firewall policy resources created in the organization. | |
| firewall_policy_id | Map of firewall policy ids created in the organization. | |
| organization_id | Organization id dependent on module resources. | |
| sink_writer_identities | None | |