zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/organization
History
Julio Castillo ca82d71468 Fix organization tests 2020-11-25 18:47:11 +01:00
..
README.md Fix organization tests 2020-11-25 18:47:11 +01:00
main.tf Rename org_id variable to organization_id in organization module 2020-11-25 18:36:19 +01:00
outputs.tf Rename org_id variable to organization_id in organization module 2020-11-25 18:36:19 +01:00
variables.tf Rename org_id variable to organization_id in organization module 2020-11-25 18:36:19 +01:00
versions.tf Update organization/versions.tf copyright 2020-04-08 10:23:23 +02:00

README.md

Organization Module

This module allows managing several organization properties:

  • IAM bindings, both authoritative and additive
  • custom IAM roles
  • audit logging configuration for services
  • organization policies

Example

module "org" {
  source          = "./modules/organization"
  organization_id = "organizations/1234567890"
  iam             = { "roles/projectCreator" = ["group:cloud-admins@example.org"] }
  policy_boolean = {
    "constraints/compute.disableGuestAttributesAccess" = true
    "constraints/compute.skipDefaultNetworkCreation"   = true
  }
  policy_list = {
    "constraints/compute.trustedImageProjects" = {
      inherit_from_parent = null
      suggested_value     = null
      status              = true
      values              = ["projects/my-project"]
    }
  }
}
# tftest:modules=1:resources=4

Hierarchical firewall rules

module "org" {
  source          = "./modules/organization"
  organization_id = var.organization_id
  firewall_policies = {
    iap-policy = {
      allow-iap-ssh = {
        description = "Always allow ssh from IAP"
        direction   = "INGRESS"
        action      = "allow"
        priority    = 100
        ranges      = ["35.235.240.0/20"]
        ports = {
          tcp = ["22"]
        }
        target_service_accounts = null
        target_resources        = null
        logging                 = false
      }
    }
  }
  firewall_policy_attachments = {
    iap_policy = module.org.firewall_policy_id["iap-policy"]
  }
}
# tftest:modules=1:resources=3

Variables

name description type required default
organization_id Organization id in organizations/nnnnnn format. string
custom_roles Map of role name => list of permissions to create in this project. map(list(string)) {}
firewall_policies Hierarchical firewall policies to create in the organization. map(map(object({...}))) {}
firewall_policy_attachments List of hierarchical firewall policy IDs to attach to the organization map(string) {}
iam IAM bindings, in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. map(list(string)) {}
iam_additive_members IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. map(list(string)) {}
iam_audit_config Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. map(map(list(string))) {}
policy_boolean Map of boolean org policies and enforcement value, set value to null for policy restore. map(bool) {}
policy_list Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. map(object({...})) {}

Outputs

name description sensitive
firewall_policies Map of firewall policy resources created in the organization.
firewall_policy_id Map of firewall policy ids created in the organization.
organization_id Organization id dependent on module resources.