6bd299190f | ||
---|---|---|
.. | ||
README.md | ||
main.tf | ||
outputs.tf | ||
variables.tf | ||
versions.tf |
README.md
Organization Module
This module allows managing several organization properties:
- IAM bindings, both authoritative and additive
- custom IAM roles
- audit logging configuration for services
- organization policies
Example
module "org" {
source = "./modules/organization"
org_id = 1234567890
iam = { "roles/projectCreator" = ["group:cloud-admins@example.org"] }
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
"constraints/compute.skipDefaultNetworkCreation" = true
}
policy_list = {
"constraints/compute.trustedImageProjects" = {
inherit_from_parent = null
suggested_value = null
status = true
values = ["projects/my-project"]
}
}
}
# tftest:modules=1:resources=4
Hierarchical firewall rules
module "org" {
source = "./modules/organization"
org_id = 11223344
firewall_policies = {
iap-policy = {
allow-iap-ssh = {
description = "Always allow ssh from IAP"
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["35.235.240.0/20"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
}
firewall_policy_attachments = {
iap_policy = module.org.firewall_policy_id["iap-policy"]
}
}
# tftest:modules=1:resources=3
Variables
name | description | type | required | default |
---|---|---|---|---|
org_id | Organization id in nnnnnn format. | number |
✓ | |
custom_roles | Map of role name => list of permissions to create in this project. | map(list(string)) |
{} |
|
firewall_policies | Hierarchical firewall policies to create in the organization. | map(map(object({...}))) |
{} |
|
firewall_policy_attachments | List of hierarchical firewall policy IDs to attach to the organization | map(string) |
{} |
|
iam | IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
iam_additive | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) |
{} |
|
iam_audit_config | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | map(map(list(string))) |
{} |
|
policy_boolean | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) |
{} |
|
policy_list | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) |
{} |
Outputs
name | description | sensitive |
---|---|---|
firewall_policies | Map of firewall policy resources created in the organization. | |
firewall_policy_id | Map of firewall policy ids created in the organization. | |
org_id | Organization id dependent on module resources. |