cloud-foundation-fabric/modules/folder/README.md


Google Cloud Folder Module

This module allows the creation and management of folders together with their individual IAM bindings, organization policies, logging sinks and exclusions, and hierarchical firewall policies (see the examples below for each).

Examples

IAM bindings

module "folder" {
  source = "./modules/folder"
  parent = "organizations/1234567890"
  name  = "Folder name"
  # IAM bindings in {ROLE => [MEMBERS]} format (see the "iam" variable).
  # NOTE(review): roles/owner is a basic role that grants full control over
  # every project under this folder; it is used here only to keep the example
  # short. Prefer narrow predefined roles and group principals in real use.
  # Bindings set through this map are presumably authoritative for the role
  # (members not listed are removed) -- confirm against the module source
  # before applying to a folder with existing bindings.
  iam = {
    "roles/owner" = ["group:users@example.com"]
  }
}
# tftest:modules=1:resources=2

Organization policies

module "folder" {
  source = "./modules/folder"
  parent = "organizations/1234567890"
  name  = "Folder name"
  # Boolean constraints: true enforces the constraint on this folder and
  # everything below it, null restores the inherited/default value
  # (see the "policy_boolean" variable).
  policy_boolean = {
    "constraints/compute.disableGuestAttributesAccess" = true
    "constraints/compute.skipDefaultNetworkCreation" = true
  }
  # List constraints: status = true means "values" is an allow list,
  # false a deny list, null restores the inherited policy
  # (see the "policy_list" variable).
  policy_list = {
    "constraints/compute.trustedImageProjects" = {
      # null here leaves the parent-inheritance setting untouched -- TODO confirm
      # the module's default for inherit_from_parent before relying on it.
      inherit_from_parent = null
      suggested_value = null
      status = true
      # Only images from this project may be used to create instances under
      # the folder; images from other projects are rejected.
      values = ["projects/my-project"]
    }
  }
}
# tftest:modules=1:resources=4

Logging Sinks

module "gcs" {
  source        = "./modules/gcs"
  project_id    = "my-project"
  name          = "gcs_sink"
  # NOTE(review): force_destroy lets "terraform destroy" delete the bucket
  # together with every object in it. That is convenient for this example and
  # its tests, but a bucket receiving exported logs should normally keep the
  # default (false) so audit data cannot be wiped by a single destroy.
  force_destroy = true
}

# BigQuery dataset used below as the destination of the "info" sink.
module "dataset" {
  source = "./modules/bigquery-dataset"
  id = "bq_sink"
  project_id = "my-project"
}

# Pub/Sub topic used below as the destination of the "notice" sink.
module "pubsub" {
  source = "./modules/pubsub"
  name = "pubsub_sink"
  project_id = "my-project"
}

module "folder-sink" {
  source = "./modules/folder"
  parent = "folders/657104291943"
  name   = "my-folder"
  # One sink per map key. "include_children = true" makes the sink aggregated,
  # i.e. it also exports logs from every project and folder below this one.
  # The "iam" flag presumably tells the module whether to grant the sink's
  # writer identity on the destination -- TODO confirm in the module source.
  # When it is false the grant must be made elsewhere (the writer identities
  # are exposed by the "sink_writer_identities" output); a sink whose writer
  # identity lacks permission on its destination drops entries silently.
  logging_sinks = {
    warnings = {
      type             = "gcs"
      destination      = module.gcs.name
      # NOTE(review): "severity=WARNING" matches entries of severity WARNING
      # only; use "severity>=WARNING" to also capture ERROR and above.
      filter           = "severity=WARNING"
      iam              = false
      include_children = true
    }
    info = {
      type             = "bigquery"
      destination      = module.dataset.id
      filter           = "severity=INFO"
      iam              = false
      include_children = true
    }
    notice = {
      type             = "pubsub"
      destination      = module.pubsub.id
      filter           = "severity=NOTICE"
      iam              = true
      include_children = true
    }
  }
  # Exclusions in {NAME -> FILTER} format. Presumably matching entries are
  # discarded before export at folder level -- confirm whether this affects
  # the sinks defined above, since excluded entries cannot be recovered later.
  logging_exclusions = {
    no-gce-instances = "resource.type=gce_instance"
  }
}
# tftest:modules=4:resources=9

Hierarchical firewall policies

module "folder1" {
  source = "./modules/folder"
  parent = var.organization_id
  name   = "policy-container"

  # Outer key: policy name; inner key: rule name.
  firewall_policies = {
    iap-policy = {
      allow-iap-ssh = {
        description = "Always allow ssh from IAP"
        direction   = "INGRESS"
        action      = "allow"
        # Lower number wins; 100 leaves room for higher-priority deny rules.
        priority    = 100
        # Source range of Identity-Aware Proxy TCP forwarding.
        ranges      = ["35.235.240.0/20"]
        ports = {
          tcp = ["22"]
        }
        # Both targets null presumably means the rule applies to every
        # instance in every project under the attached folders -- confirm
        # in the module source.
        target_service_accounts = null
        target_resources        = null
        # NOTE(review): logging is off for this allow rule, so accepted SSH
        # connections leave no firewall log; for an ingress allow rule
        # consider `logging = true` unless log volume is a concern.
        logging                 = false
      }
    }
  }
  # The policy created above is attached to this same folder through the
  # module's own "firewall_policy_id" output.
  firewall_policy_attachments = {
    iap-policy = module.folder1.firewall_policy_id["iap-policy"]
  }
}

# Second folder reusing the policy defined in "folder1": a hierarchical
# firewall policy can be attached to several folders at once.
module "folder2" {
  source = "./modules/folder"
  name = "hf2"
  parent = var.organization_id
  firewall_policy_attachments = {
    iap-policy = module.folder1.firewall_policy_id["iap-policy"]
  }
}
# tftest:modules=2:resources=6

Variables

name description type required default
firewall_policies Hierarchical firewall policies to create in this folder. map(map(object({...}))) {}
firewall_policy_attachments Map of hierarchical firewall policy IDs to attach to this folder, in {NAME => POLICY_ID} format. map(string) {}
folder_create Create folder. When set to false, uses id to reference an existing folder. bool true
iam IAM bindings in {ROLE => [MEMBERS]} format. map(set(string)) {}
id ID of an existing folder to reference; used only when folder_create is false. string null
logging_exclusions Logging exclusions for this folder in the form {NAME -> FILTER}. map(string) {}
logging_sinks Logging sinks to create for this folder. map(object({...})) {}
name Folder name. string null
parent Parent in folders/folder_id or organizations/org_id format. string ...
policy_boolean Map of boolean org policies and enforcement value, set value to null for policy restore. map(bool) {}
policy_list Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. map(object({...})) {}

Outputs

name description sensitive
firewall_policies Map of firewall policy resources created in this folder.
firewall_policy_id Map of firewall policy ids created in this folder.
folder Folder resource.
id Folder id.
name Folder name.
sink_writer_identities Writer identities of the logging sinks created in this folder (no description is set upstream; the name suggests the per-sink service identities that need write access on each sink destination).