266 lines
10 KiB
Markdown
266 lines
10 KiB
Markdown
# Google Cloud Folder Module
|
|
|
|
This module allows the creation and management of folders, including support for IAM bindings, organization policies, and hierarchical firewall rules.
|
|
|
|
## Examples
|
|
|
|
### IAM bindings
|
|
|
|
```hcl
|
|
module "folder" {
|
|
source = "./modules/folder"
|
|
parent = "organizations/1234567890"
|
|
name = "Folder name"
|
|
group_iam = {
|
|
"cloud-owners@example.org" = [
|
|
"roles/owner",
|
|
"roles/resourcemanager.projectCreator"
|
|
]
|
|
}
|
|
iam = {
|
|
"roles/owner" = ["user:one@example.com"]
|
|
}
|
|
}
|
|
# tftest modules=1 resources=3
|
|
```
|
|
|
|
### Organization policies
|
|
|
|
```hcl
|
|
module "folder" {
|
|
source = "./modules/folder"
|
|
parent = "organizations/1234567890"
|
|
name = "Folder name"
|
|
policy_boolean = {
|
|
"constraints/compute.disableGuestAttributesAccess" = true
|
|
"constraints/compute.skipDefaultNetworkCreation" = true
|
|
}
|
|
policy_list = {
|
|
"constraints/compute.trustedImageProjects" = {
|
|
inherit_from_parent = null
|
|
suggested_value = null
|
|
status = true
|
|
values = ["projects/my-project"]
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=4
|
|
```
|
|
|
|
### Firewall policy factory
|
|
|
|
In the same way as for the [organization](../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
|
|
|
```hcl
|
|
module "folder" {
|
|
source = "./modules/folder"
|
|
parent = "organizations/1234567890"
|
|
name = "Folder name"
|
|
firewall_policy_factory = {
|
|
cidr_file = "data/cidrs.yaml"
|
|
policy_name = null
|
|
rules_file = "data/rules.yaml"
|
|
}
|
|
firewall_policy_attachments = {
|
|
factory-policy = module.folder.firewall_policy_id["factory"]
|
|
}
|
|
}
|
|
# tftest skip
|
|
```
|
|
|
|
```yaml
|
|
# cidrs.yaml
|
|
|
|
rfc1918:
|
|
- 10.0.0.0/8
|
|
- 172.16.0.0/12
|
|
- 192.168.0.0/16
|
|
```
|
|
|
|
```yaml
|
|
# rules.yaml
|
|
|
|
allow-admins:
|
|
description: Access from the admin subnet to all subnets
|
|
direction: INGRESS
|
|
action: allow
|
|
priority: 1000
|
|
ranges:
|
|
- $rfc1918
|
|
ports:
|
|
all: []
|
|
target_resources: null
|
|
enable_logging: false
|
|
|
|
allow-ssh-from-iap:
|
|
description: Enable SSH from IAP
|
|
direction: INGRESS
|
|
action: allow
|
|
priority: 1002
|
|
ranges:
|
|
- 35.235.240.0/20
|
|
ports:
|
|
tcp: ["22"]
|
|
target_resources: null
|
|
enable_logging: false
|
|
```
|
|
|
|
### Logging Sinks
|
|
|
|
```hcl
|
|
module "gcs" {
|
|
source = "./modules/gcs"
|
|
project_id = "my-project"
|
|
name = "gcs_sink"
|
|
force_destroy = true
|
|
}
|
|
|
|
module "dataset" {
|
|
source = "./modules/bigquery-dataset"
|
|
project_id = "my-project"
|
|
id = "bq_sink"
|
|
}
|
|
|
|
module "pubsub" {
|
|
source = "./modules/pubsub"
|
|
project_id = "my-project"
|
|
name = "pubsub_sink"
|
|
}
|
|
|
|
module "bucket" {
|
|
source = "./modules/logging-bucket"
|
|
parent_type = "project"
|
|
parent = "my-project"
|
|
id = "bucket"
|
|
}
|
|
|
|
module "folder-sink" {
|
|
source = "./modules/folder"
|
|
parent = "folders/657104291943"
|
|
name = "my-folder"
|
|
logging_sinks = {
|
|
warnings = {
|
|
type = "storage"
|
|
destination = module.gcs.name
|
|
filter = "severity=WARNING"
|
|
include_children = true
|
|
exclusions = {}
|
|
}
|
|
info = {
|
|
type = "bigquery"
|
|
destination = module.dataset.id
|
|
filter = "severity=INFO"
|
|
include_children = true
|
|
exclusions = {}
|
|
}
|
|
notice = {
|
|
type = "pubsub"
|
|
destination = module.pubsub.id
|
|
filter = "severity=NOTICE"
|
|
include_children = true
|
|
exclusions = {}
|
|
}
|
|
debug = {
|
|
type = "logging"
|
|
destination = module.bucket.id
|
|
filter = "severity=DEBUG"
|
|
include_children = true
|
|
exclusions = {
|
|
no-compute = "logName:compute"
|
|
}
|
|
}
|
|
}
|
|
logging_exclusions = {
|
|
no-gce-instances = "resource.type=gce_instance"
|
|
}
|
|
}
|
|
# tftest modules=5 resources=14
|
|
```
|
|
|
|
### Hierarchical firewall policies
|
|
|
|
```hcl
|
|
module "folder1" {
|
|
source = "./modules/folder"
|
|
parent = var.organization_id
|
|
name = "policy-container"
|
|
|
|
firewall_policies = {
|
|
iap-policy = {
|
|
allow-iap-ssh = {
|
|
description = "Always allow ssh from IAP"
|
|
direction = "INGRESS"
|
|
action = "allow"
|
|
priority = 100
|
|
ranges = ["35.235.240.0/20"]
|
|
ports = { tcp = ["22"] }
|
|
target_service_accounts = null
|
|
target_resources = null
|
|
logging = false
|
|
}
|
|
}
|
|
}
|
|
firewall_policy_association = {
|
|
iap-policy = "iap-policy"
|
|
}
|
|
}
|
|
|
|
module "folder2" {
|
|
source = "./modules/folder"
|
|
parent = var.organization_id
|
|
name = "hf2"
|
|
firewall_policy_association = {
|
|
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
|
|
}
|
|
}
|
|
# tftest modules=2 resources=6
|
|
```
|
|
|
|
<!-- TFDOC OPTS files:1 -->
|
|
<!-- BEGIN TFDOC -->
|
|
|
|
## Files
|
|
|
|
| name | description | resources |
|
|
|---|---|---|
|
|
| [firewall-policies.tf](./firewall-policies.tf) | None | <code>google_compute_firewall_policy</code> · <code>google_compute_firewall_policy_association</code> · <code>google_compute_firewall_policy_rule</code> |
|
|
| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_folder_iam_binding</code> |
|
|
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_folder_exclusion</code> · <code>google_logging_folder_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
|
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> · <code>google_folder</code> |
|
|
| [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | <code>google_folder_organization_policy</code> |
|
|
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
|
| [variables.tf](./variables.tf) | Module variables. | |
|
|
| [versions.tf](./versions.tf) | Version pins. | |
|
|
|
|
## Variables
|
|
|
|
| name | description | type | required | default |
|
|
|---|---|:---:|:---:|:---:|
|
|
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [firewall_policies](variables.tf#L24) | Hierarchical firewall policies created in this folder. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
|
| [firewall_policy_association](variables.tf#L41) | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [firewall_policy_factory](variables.tf#L48) | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
|
|
| [folder_create](variables.tf#L58) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
|
| [group_iam](variables.tf#L64) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam](variables.tf#L71) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [id](variables.tf#L78) | Folder ID in case you use folder_create=false. | <code>string</code> | | <code>null</code> |
|
|
| [logging_exclusions](variables.tf#L84) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [logging_sinks](variables.tf#L91) | Logging sinks to create for this folder. | <code title="map(object({ destination = string type = string filter = string include_children = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [name](variables.tf#L112) | Folder name. | <code>string</code> | | <code>null</code> |
|
|
| [parent](variables.tf#L118) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
|
| [policy_boolean](variables.tf#L128) | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
|
| [policy_list](variables.tf#L135) | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
|
|
## Outputs
|
|
|
|
| name | description | sensitive |
|
|
|---|---|:---:|
|
|
| [firewall_policies](outputs.tf#L16) | Map of firewall policy resources created in this folder. | |
|
|
| [firewall_policy_id](outputs.tf#L21) | Map of firewall policy ids created in this folder. | |
|
|
| [folder](outputs.tf#L26) | Folder resource. | |
|
|
| [id](outputs.tf#L31) | Folder id. | |
|
|
| [name](outputs.tf#L41) | Folder name. | |
|
|
| [sink_writer_identities](outputs.tf#L46) | Writer identities created for each sink. | |
|
|
|
|
<!-- END TFDOC -->
|