Google Cloud Folder Module
This module allows the creation and management of folders together with their individual IAM bindings and organization policies.
Examples
IAM bindings
module "folder" {
source = "./modules/folder"
parent = "organizations/1234567890"
name = "Folder name"
iam = {
"roles/owner" = ["group:users@example.com"]
}
}
# tftest:modules=1:resources=2
Organization policies
module "folder" {
source = "./modules/folder"
parent = "organizations/1234567890"
name = "Folder name"
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
"constraints/compute.skipDefaultNetworkCreation" = true
}
policy_list = {
"constraints/compute.trustedImageProjects" = {
inherit_from_parent = null
suggested_value = null
status = true
values = ["projects/my-project"]
}
}
}
# tftest:modules=1:resources=4
Logging Sinks
module "gcs" {
source = "./modules/gcs"
project_id = "my-project"
name = "gcs_sink"
force_destroy = true
}
module "dataset" {
source = "./modules/bigquery-dataset"
project_id = "my-project"
id = "bq_sink"
}
module "pubsub" {
source = "./modules/pubsub"
project_id = "my-project"
name = "pubsub_sink"
}
module "folder-sink" {
source = "./modules/folder"
parent = "folders/657104291943"
name = "my-folder"
logging_sinks = {
warnings = {
type = "gcs"
destination = module.gcs.name
filter = "severity=WARNING"
iam = false
include_children = true
}
info = {
type = "bigquery"
destination = module.dataset.id
filter = "severity=INFO"
iam = false
include_children = true
}
notice = {
type = "pubsub"
destination = module.pubsub.id
filter = "severity=NOTICE"
iam = true
include_children = true
}
}
logging_exclusions = {
no-gce-instances = "resource.type=gce_instance"
}
}
# tftest:modules=4:resources=9
Hierarchical firewall policies
module "folder1" {
source = "./modules/folder"
parent = var.organization_id
name = "policy-container"
firewall_policies = {
iap-policy = {
allow-iap-ssh = {
description = "Always allow ssh from IAP"
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["35.235.240.0/20"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
}
firewall_policy_attachments = {
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
}
}
module "folder2" {
source = "./modules/folder"
parent = var.organization_id
name = "hf2"
firewall_policy_attachments = {
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
}
}
# tftest:modules=2:resources=6
Variables
name |
description |
type |
required |
default |
firewall_policies |
Hierarchical firewall policies to create in this folder. |
map(map(object({...}))) |
|
{} |
firewall_policy_attachments |
List of hierarchical firewall policy IDs to attach to this folder. |
map(string) |
|
{} |
folder_create |
Create folder. When set to false, uses id to reference an existing folder. |
bool |
|
true |
iam |
IAM bindings in {ROLE => [MEMBERS]} format. |
map(set(string)) |
|
{} |
id |
Folder ID in case you use folder_create=false |
string |
|
null |
logging_exclusions |
Logging exclusions for this folder in the form {NAME -> FILTER}. |
map(string) |
|
{} |
logging_sinks |
Logging sinks to create for this folder. |
map(object({...})) |
|
{} |
name |
Folder name. |
string |
|
null |
parent |
Parent in folders/folder_id or organizations/org_id format. |
string |
|
... |
policy_boolean |
Map of boolean org policies and enforcement value, set value to null for policy restore. |
map(bool) |
|
{} |
policy_list |
Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. |
map(object({...})) |
|
{} |
Outputs
name |
description |
sensitive |
firewall_policies |
Map of firewall policy resources created in this folder. |
|
firewall_policy_id |
Map of firewall policy ids created in this folder. |
|
folder |
Folder resource. |
|
id |
Folder id. |
|
name |
Folder name. |
|
sink_writer_identities |
None |
|