zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/organization
History
Julio Castillo 6bd299190f Update variable documentation. 2020-11-23 19:10:42 +01:00
..
README.md Update variable documentation. 2020-11-23 19:10:42 +01:00
main.tf Hierarchical firewall support for organizations 2020-11-23 19:01:02 +01:00
outputs.tf Hierarchical firewall support for organizations 2020-11-23 19:01:02 +01:00
variables.tf Hierarchical firewall support for organizations 2020-11-23 19:01:02 +01:00
versions.tf Update organization/versions.tf copyright 2020-04-08 10:23:23 +02:00

README.md

Organization Module

This module allows managing several organization properties:

  • IAM bindings, both authoritative and additive
  • custom IAM roles
  • audit logging configuration for services
  • organization policies

Example

module "org" {
  source      = "./modules/organization"
  org_id      = 1234567890
  iam = { "roles/projectCreator" = ["group:cloud-admins@example.org"] }
  policy_boolean = {
    "constraints/compute.disableGuestAttributesAccess" = true
    "constraints/compute.skipDefaultNetworkCreation" = true
  }
  policy_list = {
    "constraints/compute.trustedImageProjects" = {
      inherit_from_parent = null
      suggested_value = null
      status = true
      values = ["projects/my-project"]
    }
  }
}
# tftest:modules=1:resources=4

Hierarchical firewall rules

module "org" {
  source = "./modules/organization"
  org_id = 11223344
  firewall_policies = {
    iap-policy = {
      allow-iap-ssh = {
        description = "Always allow ssh from IAP"
        direction   = "INGRESS"
        action      = "allow"
        priority    = 100
        ranges      = ["35.235.240.0/20"]
        ports = {
          tcp = ["22"]
        }
        target_service_accounts = null
        target_resources        = null
        logging                 = false
      }
    }
  }
  firewall_policy_attachments = {
    iap_policy = module.org.firewall_policy_id["iap-policy"]
  }
}
# tftest:modules=1:resources=3

Variables

name description type required default
org_id Organization id in nnnnnn format. number
custom_roles Map of role name => list of permissions to create in this project. map(list(string)) {}
firewall_policies Hierarchical firewall policies to create in the organization. map(map(object({...}))) {}
firewall_policy_attachments List of hierarchical firewall policy IDs to attach to the organization map(string) {}
iam IAM bindings, in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive_members IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. map(list(string)) {}
iam_audit_config Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. map(map(list(string))) {}
policy_boolean Map of boolean org policies and enforcement value, set value to null for policy restore. map(bool) {}
policy_list Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. map(object({...})) {}

Outputs

name description sensitive
firewall_policies Map of firewall policy resources created in the organization.
firewall_policy_id Map of firewall policy ids created in the organization.
org_id Organization id dependent on module resources.