489 lines
24 KiB
Markdown
489 lines
24 KiB
Markdown
# Organization Module
|
|
|
|
This module allows managing several organization properties:
|
|
|
|
- IAM bindings, both authoritative and additive
|
|
- custom IAM roles
|
|
- audit logging configuration for services
|
|
- organization policies
|
|
- organization policy custom constraints
|
|
|
|
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
|
|
|
## Example
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = "organizations/1234567890"
|
|
group_iam = {
|
|
"cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
|
|
}
|
|
iam = {
|
|
"roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
|
|
}
|
|
iam_additive_members = {
|
|
"user:compute@example.org" = ["roles/compute.admin", "roles/container.viewer"]
|
|
}
|
|
|
|
org_policies = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
enforce = true
|
|
}
|
|
"compute.disableGuestAttributesAccess" = {
|
|
enforce = true
|
|
}
|
|
"constraints/compute.skipDefaultNetworkCreation" = {
|
|
enforce = true
|
|
}
|
|
"iam.disableServiceAccountKeyCreation" = {
|
|
enforce = true
|
|
}
|
|
"iam.disableServiceAccountKeyUpload" = {
|
|
enforce = false
|
|
rules = [
|
|
{
|
|
condition = {
|
|
expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
|
|
title = "condition"
|
|
description = "test condition"
|
|
location = "somewhere"
|
|
}
|
|
enforce = true
|
|
}
|
|
]
|
|
}
|
|
"constraints/iam.allowedPolicyMemberDomains" = {
|
|
allow = {
|
|
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
|
}
|
|
}
|
|
"constraints/compute.trustedImageProjects" = {
|
|
allow = {
|
|
values = ["projects/my-project"]
|
|
}
|
|
}
|
|
"constraints/compute.vmExternalIpAccess" = {
|
|
deny = { all = true }
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=13 inventory=basic.yaml
|
|
```
|
|
|
|
## IAM
|
|
|
|
There are several mutually exclusive ways of managing IAM in this module
|
|
|
|
- non-authoritative via the `iam_additive` and `iam_additive_members` variables, where bindings created outside this module will coexist with those managed here
|
|
- authoritative via the `group_iam` and `iam` variables, where bindings created outside this module (eg in the console) will be removed at each `terraform apply` cycle if the same role is also managed here
|
|
- authoritative policy via the `iam_bindings_authoritative` variable, where any binding created outside this module (eg in the console) will be removed at each `terraform apply` cycle regardless of the role
|
|
|
|
If you set audit policies via the `iam_audit_config_authoritative` variable, be sure to also configure IAM bindings via `iam_bindings_authoritative`, as audit policies use the underlying `google_organization_iam_policy` resource, which is also authoritative for any role.
|
|
|
|
Some care must also be taken with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
|
|
|
|
### Organization policy factory
|
|
|
|
See the [organization policy factory in the project module](../project#organization-policy-factory).
|
|
|
|
### Org policy custom constraints
|
|
|
|
Refer to the [Creating and managing custom constraints](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints) documentation for details on usage.
|
|
To manage organization policy custom constraints, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
|
|
org_policy_custom_constraints = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
resource_types = ["container.googleapis.com/NodePool"]
|
|
method_types = ["CREATE"]
|
|
condition = "resource.management.autoUpgrade == true"
|
|
action_type = "ALLOW"
|
|
display_name = "Enable node auto-upgrade"
|
|
description = "All node pools must have node auto-upgrade enabled."
|
|
}
|
|
}
|
|
|
|
# not necessarily to enforce on the org level, policy may be applied on folder/project levels
|
|
org_policies = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
enforce = true
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=2 inventory=custom-constraints.yaml
|
|
```
|
|
|
|
### Org policy custom constraints factory
|
|
|
|
Org policy custom constraints can be loaded from a directory containing YAML files where each file defines one or more custom constraints. The structure of the YAML files is exactly the same as the `org_policy_custom_constraints` variable.
|
|
|
|
The example below deploys a few org policy custom constraints split between two YAML files.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
org_policy_custom_constraints_data_path = "configs/custom-constraints"
|
|
org_policies = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
enforce = true
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=3 files=gke inventory=custom-constraints.yaml
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=gke path=configs/custom-constraints/gke.yaml
|
|
custom.gkeEnableLogging:
|
|
resource_types:
|
|
- container.googleapis.com/Cluster
|
|
method_types:
|
|
- CREATE
|
|
- UPDATE
|
|
condition: resource.loggingService == "none"
|
|
action_type: DENY
|
|
display_name: Do not disable Cloud Logging
|
|
custom.gkeEnableAutoUpgrade:
|
|
resource_types:
|
|
- container.googleapis.com/NodePool
|
|
method_types:
|
|
- CREATE
|
|
condition: resource.management.autoUpgrade == true
|
|
action_type: ALLOW
|
|
display_name: Enable node auto-upgrade
|
|
description: All node pools must have node auto-upgrade enabled.
|
|
```
|
|
|
|
|
|
```yaml
|
|
# tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml
|
|
custom.dataprocNoMoreThan10Workers:
|
|
resource_types:
|
|
- dataproc.googleapis.com/Cluster
|
|
method_types:
|
|
- CREATE
|
|
- UPDATE
|
|
condition: resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10
|
|
action_type: DENY
|
|
display_name: Total number of worker instances cannot be larger than 10
|
|
description: Cluster cannot have more than 10 workers, including primary and secondary workers.
|
|
```
|
|
|
|
## Hierarchical firewall policies
|
|
|
|
Hierarchical firewall policies can be managed in two ways:
|
|
|
|
- via the `firewall_policies` variable, to directly define policies and rules in Terraform
|
|
- via the `firewall_policy_factory` variable, to leverage external YaML files via a simple "factory" embedded in the module ([see here](../../blueprints/factories) for more context on factories)
|
|
|
|
Once you have policies (either created via the module or externally), you can associate them using the `firewall_policy_association` variable.
|
|
|
|
### Directly defined firewall policies
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
firewall_policies = {
|
|
iap-policy = {
|
|
allow-admins = {
|
|
description = "Access from the admin subnet to all subnets"
|
|
direction = "INGRESS"
|
|
action = "allow"
|
|
priority = 1000
|
|
ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
|
ports = { all = [] }
|
|
target_service_accounts = null
|
|
target_resources = null
|
|
logging = false
|
|
}
|
|
allow-iap-ssh = {
|
|
description = "Always allow ssh from IAP."
|
|
direction = "INGRESS"
|
|
action = "allow"
|
|
priority = 100
|
|
ranges = ["35.235.240.0/20"]
|
|
ports = {
|
|
tcp = ["22"]
|
|
}
|
|
target_service_accounts = null
|
|
target_resources = null
|
|
logging = false
|
|
}
|
|
}
|
|
}
|
|
firewall_policy_association = {
|
|
iap_policy = "iap-policy"
|
|
}
|
|
}
|
|
# tftest modules=1 resources=4 inventory=hfw.yaml
|
|
```
|
|
|
|
### Firewall policy factory
|
|
|
|
The in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
firewall_policy_factory = {
|
|
cidr_file = "configs/firewall-policies/cidrs.yaml"
|
|
policy_name = "iap-policy"
|
|
rules_file = "configs/firewall-policies/rules.yaml"
|
|
}
|
|
firewall_policy_association = {
|
|
iap_policy = module.org.firewall_policy_id["iap-policy"]
|
|
}
|
|
}
|
|
# tftest modules=1 resources=4 files=cidrs,rules inventory=hfw.yaml
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
|
|
rfc1918:
|
|
- 10.0.0.0/8
|
|
- 172.16.0.0/12
|
|
- 192.168.0.0/16
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=rules path=configs/firewall-policies/rules.yaml
|
|
allow-admins:
|
|
description: Access from the admin subnet to all subnets
|
|
direction: INGRESS
|
|
action: allow
|
|
priority: 1000
|
|
ranges:
|
|
- $rfc1918
|
|
ports:
|
|
all: []
|
|
target_resources: null
|
|
logging: false
|
|
|
|
allow-iap-ssh:
|
|
description: "Always allow ssh from IAP."
|
|
direction: INGRESS
|
|
action: allow
|
|
priority: 100
|
|
ranges:
|
|
- 35.235.240.0/20
|
|
ports:
|
|
tcp: ["22"]
|
|
target_resources: null
|
|
logging: false
|
|
```
|
|
|
|
## Logging Sinks
|
|
|
|
```hcl
|
|
module "gcs" {
|
|
source = "./fabric/modules/gcs"
|
|
project_id = var.project_id
|
|
name = "gcs_sink"
|
|
force_destroy = true
|
|
}
|
|
|
|
module "dataset" {
|
|
source = "./fabric/modules/bigquery-dataset"
|
|
project_id = var.project_id
|
|
id = "bq_sink"
|
|
}
|
|
|
|
module "pubsub" {
|
|
source = "./fabric/modules/pubsub"
|
|
project_id = var.project_id
|
|
name = "pubsub_sink"
|
|
}
|
|
|
|
module "bucket" {
|
|
source = "./fabric/modules/logging-bucket"
|
|
parent_type = "project"
|
|
parent = "my-project"
|
|
id = "bucket"
|
|
}
|
|
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
|
|
logging_sinks = {
|
|
warnings = {
|
|
destination = module.gcs.id
|
|
filter = "severity=WARNING"
|
|
type = "storage"
|
|
}
|
|
info = {
|
|
bq_partitioned_table = true
|
|
destination = module.dataset.id
|
|
filter = "severity=INFO"
|
|
type = "bigquery"
|
|
}
|
|
notice = {
|
|
destination = module.pubsub.id
|
|
filter = "severity=NOTICE"
|
|
type = "pubsub"
|
|
}
|
|
debug = {
|
|
destination = module.bucket.id
|
|
filter = "severity=DEBUG"
|
|
exclusions = {
|
|
no-compute = "logName:compute"
|
|
}
|
|
type = "logging"
|
|
}
|
|
}
|
|
logging_exclusions = {
|
|
no-gce-instances = "resource.type=gce_instance"
|
|
}
|
|
}
|
|
# tftest modules=5 resources=13 inventory=logging.yaml
|
|
```
|
|
|
|
## Custom Roles
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
custom_roles = {
|
|
"myRole" = [
|
|
"compute.instances.list",
|
|
]
|
|
}
|
|
iam = {
|
|
(module.org.custom_role_id.myRole) = ["user:me@example.com"]
|
|
}
|
|
}
|
|
# tftest modules=1 resources=2 inventory=roles.yaml
|
|
```
|
|
|
|
## Tags
|
|
|
|
Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
tags = {
|
|
environment = {
|
|
description = "Environment specification."
|
|
iam = {
|
|
"roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
|
|
}
|
|
values = {
|
|
dev = {}
|
|
prod = {
|
|
description = "Environment: production."
|
|
iam = {
|
|
"roles/resourcemanager.tagViewer" = ["user:user1@example.com"]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
tag_bindings = {
|
|
env-prod = module.org.tag_values["environment/prod"].id
|
|
foo = "tagValues/12345678"
|
|
}
|
|
}
|
|
# tftest modules=1 resources=7 inventory=tags.yaml
|
|
```
|
|
|
|
You can also define network tags, through a dedicated variable *network_tags*:
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
network_tags = {
|
|
net-environment = {
|
|
description = "This is a network tag."
|
|
network = "my_project/my_vpc"
|
|
iam = {
|
|
"roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
|
|
}
|
|
values = {
|
|
dev = null
|
|
prod = {
|
|
description = "Environment: production."
|
|
iam = {
|
|
"roles/resourcemanager.tagUser" = ["user:user1@example.com"]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=5 inventory=network-tags.yaml
|
|
```
|
|
|
|
<!-- TFDOC OPTS files:1 -->
|
|
<!-- BEGIN TFDOC -->
|
|
|
|
## Files
|
|
|
|
| name | description | resources |
|
|
|---|---|---|
|
|
| [firewall-policies.tf](./firewall-policies.tf) | Hierarchical firewall policies. | <code>google_compute_firewall_policy</code> · <code>google_compute_firewall_policy_association</code> · <code>google_compute_firewall_policy_rule</code> |
|
|
| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_organization_iam_audit_config</code> · <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> · <code>google_organization_iam_policy</code> |
|
|
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
|
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> |
|
|
| [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
|
|
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
|
|
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
|
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
|
|
| [variables.tf](./variables.tf) | Module variables. | |
|
|
| [versions.tf](./versions.tf) | Version pins. | |
|
|
|
|
## Variables
|
|
|
|
| name | description | type | required | default |
|
|
|---|---|:---:|:---:|:---:|
|
|
| [organization_id](variables.tf#L246) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
|
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
|
| [firewall_policy_association](variables.tf#L48) | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [firewall_policy_factory](variables.tf#L55) | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
|
|
| [group_iam](variables.tf#L65) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam](variables.tf#L72) | IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam_additive](variables.tf#L79) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam_additive_members](variables.tf#L86) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam_audit_config](variables.tf#L93) | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
|
| [iam_audit_config_authoritative](variables.tf#L105) | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | <code>map(map(list(string)))</code> | | <code>null</code> |
|
|
| [iam_bindings_authoritative](variables.tf#L116) | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code>map(list(string))</code> | | <code>null</code> |
|
|
| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [logging_sinks](variables.tf#L129) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [network_tags](variables.tf#L159) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [org_policies](variables.tf#L181) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [org_policies_data_path](variables.tf#L220) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> |
|
|
| [org_policy_custom_constraints](variables.tf#L226) | Organization policiy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [org_policy_custom_constraints_data_path](variables.tf#L240) | Path containing org policy custom constraints in YAML format. | <code>string</code> | | <code>null</code> |
|
|
| [tag_bindings](variables.tf#L255) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
|
| [tags](variables.tf#L261) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
|
|
## Outputs
|
|
|
|
| name | description | sensitive |
|
|
|---|---|:---:|
|
|
| [custom_role_id](outputs.tf#L17) | Map of custom role IDs created in the organization. | |
|
|
| [custom_roles](outputs.tf#L30) | Map of custom roles resources created in the organization. | |
|
|
| [firewall_policies](outputs.tf#L35) | Map of firewall policy resources created in the organization. | |
|
|
| [firewall_policy_id](outputs.tf#L40) | Map of firewall policy ids created in the organization. | |
|
|
| [network_tag_keys](outputs.tf#L45) | Tag key resources. | |
|
|
| [network_tag_values](outputs.tf#L54) | Tag value resources. | |
|
|
| [organization_id](outputs.tf#L62) | Organization id dependent on module resources. | |
|
|
| [sink_writer_identities](outputs.tf#L79) | Writer identities created for each sink. | |
|
|
| [tag_keys](outputs.tf#L87) | Tag key resources. | |
|
|
| [tag_values](outputs.tf#L96) | Tag value resources. | |
|
|
|
|
<!-- END TFDOC -->
|