588 lines
27 KiB
Markdown
588 lines
27 KiB
Markdown
# Organization Module
|
|
|
|
This module allows managing several organization properties:
|
|
|
|
- IAM bindings, both authoritative and additive
|
|
- custom IAM roles
|
|
- audit logging configuration for services
|
|
- organization policies
|
|
- organization policy custom constraints
|
|
|
|
To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
|
|
|
## Features
|
|
|
|
- [IAM](#iam)
|
|
- [Organization Policies](#organization-policies)
|
|
- [Factory](#organization-policy-factory)
|
|
- [Custom Constraints](#organization-policy-custom-constraints)
|
|
- [Custom Constraints Factory](#organization-policy-custom-constraints-factory)
|
|
- [Hierarchical Firewall Policies](#hierarchical-firewall-policies)
|
|
- [Directly Defined](#directly-defined-firewall-policies)
|
|
- [Factory](#firewall-policy-factory)
|
|
- [Log Sinks](#log-sinks)
|
|
- [Data Access Logs](#data-access-logs)
|
|
- [Custom Roles](#custom-roles)
|
|
- [Tags](#tags)
|
|
|
|
## Example
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = "organizations/1234567890"
|
|
group_iam = {
|
|
"cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
|
|
}
|
|
iam = {
|
|
"roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
|
|
}
|
|
iam_additive_members = {
|
|
"user:compute@example.org" = ["roles/compute.admin", "roles/container.viewer"]
|
|
}
|
|
tags = {
|
|
allowexternal = {
|
|
description = "Allow external identities."
|
|
values = {
|
|
true = {}, false = {}
|
|
}
|
|
}
|
|
}
|
|
org_policies = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
"compute.disableGuestAttributesAccess" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
"compute.skipDefaultNetworkCreation" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
"iam.disableServiceAccountKeyCreation" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
"iam.disableServiceAccountKeyUpload" = {
|
|
rules = [
|
|
{
|
|
condition = {
|
|
expression = "resource.matchTagId('tagKeys/1234', 'tagValues/1234')"
|
|
title = "condition"
|
|
description = "test condition"
|
|
location = "somewhere"
|
|
}
|
|
enforce = true
|
|
},
|
|
{
|
|
enforce = false
|
|
}
|
|
]
|
|
}
|
|
"iam.allowedPolicyMemberDomains" = {
|
|
rules = [
|
|
{
|
|
allow = { all = true }
|
|
condition = {
|
|
expression = "resource.matchTag('1234567890/allowexternal', 'true')"
|
|
title = "Allow external identities"
|
|
description = "Allow external identities when resource has the `allowexternal` tag set to true."
|
|
}
|
|
},
|
|
{
|
|
allow = { values = ["C0xxxxxxx", "C0yyyyyyy"] }
|
|
condition = {
|
|
expression = "!resource.matchTag('1234567890/allowexternal', 'true')"
|
|
title = ""
|
|
description = "For any resource without allowexternal=true, only allow identities from restricted domains."
|
|
}
|
|
}
|
|
]
|
|
}
|
|
|
|
"compute.trustedImageProjects" = {
|
|
rules = [{
|
|
allow = {
|
|
values = ["projects/my-project"]
|
|
}
|
|
}]
|
|
}
|
|
"compute.vmExternalIpAccess" = {
|
|
rules = [{ deny = { all = true } }]
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=16 inventory=basic.yaml
|
|
```
|
|
|
|
## IAM
|
|
|
|
There are three mutually exclusive ways of managing IAM in this module
|
|
|
|
- non-authoritative via the `iam_additive` and `iam_additive_members` variables, where bindings created outside this module will coexist with those managed here
|
|
- authoritative via the `group_iam` and `iam` variables, where bindings created outside this module (eg in the console) will be removed at each `terraform apply` cycle if the same role is also managed here
|
|
- authoritative policy via the `iam_policy` variable, where any binding created outside this module (eg in the console) will be removed at each `terraform apply` cycle regardless of the role
|
|
|
|
The authoritative and additive approaches can be used together, provided different roles are managed by each. The IAM policy is incompatible with the other approaches, and must be used with extreme care.
|
|
|
|
Some care must also be taken with the `group_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
|
|
|
|
## Organization Policies
|
|
|
|
### Organization Policy Factory
|
|
|
|
See the [organization policy factory in the project module](../project#organization-policy-factory).
|
|
|
|
### Organization Policy Custom Constraints
|
|
|
|
Refer to the [Creating and managing custom constraints](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints) documentation for details on usage.
|
|
To manage organization policy custom constraints, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
|
|
org_policy_custom_constraints = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
resource_types = ["container.googleapis.com/NodePool"]
|
|
method_types = ["CREATE"]
|
|
condition = "resource.management.autoUpgrade == true"
|
|
action_type = "ALLOW"
|
|
display_name = "Enable node auto-upgrade"
|
|
description = "All node pools must have node auto-upgrade enabled."
|
|
}
|
|
}
|
|
|
|
# not necessarily to enforce on the org level, policy may be applied on folder/project levels
|
|
org_policies = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=2 inventory=custom-constraints.yaml
|
|
```
|
|
|
|
You can use the `id` or `custom_constraint_ids` outputs to prevent race conditions between the creation of a custom constraint and an organization policy using that constraint. Both of these outputs depend on the actual constraint, which would make any resource referring to them to wait for the creation of the constraint.
|
|
|
|
### Organization Policy Custom Constraints Factory
|
|
|
|
Org policy custom constraints can be loaded from a directory containing YAML files where each file defines one or more custom constraints. The structure of the YAML files is exactly the same as the `org_policy_custom_constraints` variable.
|
|
|
|
The example below deploys a few org policy custom constraints split between two YAML files.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
org_policy_custom_constraints_data_path = "configs/custom-constraints"
|
|
org_policies = {
|
|
"custom.gkeEnableAutoUpgrade" = {
|
|
rules = [{ enforce = true }]
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=3 files=gke inventory=custom-constraints.yaml
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=gke path=configs/custom-constraints/gke.yaml
|
|
custom.gkeEnableLogging:
|
|
resource_types:
|
|
- container.googleapis.com/Cluster
|
|
method_types:
|
|
- CREATE
|
|
- UPDATE
|
|
condition: resource.loggingService == "none"
|
|
action_type: DENY
|
|
display_name: Do not disable Cloud Logging
|
|
custom.gkeEnableAutoUpgrade:
|
|
resource_types:
|
|
- container.googleapis.com/NodePool
|
|
method_types:
|
|
- CREATE
|
|
condition: resource.management.autoUpgrade == true
|
|
action_type: ALLOW
|
|
display_name: Enable node auto-upgrade
|
|
description: All node pools must have node auto-upgrade enabled.
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml
|
|
custom.dataprocNoMoreThan10Workers:
|
|
resource_types:
|
|
- dataproc.googleapis.com/Cluster
|
|
method_types:
|
|
- CREATE
|
|
- UPDATE
|
|
condition: resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10
|
|
action_type: DENY
|
|
display_name: Total number of worker instances cannot be larger than 10
|
|
description: Cluster cannot have more than 10 workers, including primary and secondary workers.
|
|
```
|
|
|
|
## Hierarchical Firewall Policies
|
|
|
|
Hierarchical firewall policies can be managed in two ways:
|
|
|
|
- via the `firewall_policies` variable, to directly define policies and rules in Terraform
|
|
- via the `firewall_policy_factory` variable, to leverage external YaML files via a simple "factory" embedded in the module ([see here](../../blueprints/factories) for more context on factories)
|
|
|
|
Once you have policies (either created via the module or externally), you can associate them using the `firewall_policy_association` variable.
|
|
|
|
### Directly Defined Firewall Policies
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
firewall_policies = {
|
|
iap-policy = {
|
|
allow-admins = {
|
|
description = "Access from the admin subnet to all subnets"
|
|
direction = "INGRESS"
|
|
action = "allow"
|
|
priority = 1000
|
|
ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
|
|
ports = { all = [] }
|
|
target_service_accounts = null
|
|
target_resources = null
|
|
logging = false
|
|
}
|
|
allow-iap-ssh = {
|
|
description = "Always allow ssh from IAP."
|
|
direction = "INGRESS"
|
|
action = "allow"
|
|
priority = 100
|
|
ranges = ["35.235.240.0/20"]
|
|
ports = {
|
|
tcp = ["22"]
|
|
}
|
|
target_service_accounts = null
|
|
target_resources = null
|
|
logging = false
|
|
}
|
|
}
|
|
}
|
|
firewall_policy_association = {
|
|
iap_policy = "iap-policy"
|
|
}
|
|
}
|
|
# tftest modules=1 resources=4 inventory=hfw.yaml
|
|
```
|
|
|
|
### Firewall Policy Factory
|
|
|
|
The in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
firewall_policy_factory = {
|
|
cidr_file = "configs/firewall-policies/cidrs.yaml"
|
|
policy_name = "iap-policy"
|
|
rules_file = "configs/firewall-policies/rules.yaml"
|
|
}
|
|
firewall_policy_association = {
|
|
iap_policy = module.org.firewall_policy_id["iap-policy"]
|
|
}
|
|
}
|
|
# tftest modules=1 resources=4 files=cidrs,rules inventory=hfw.yaml
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
|
|
rfc1918:
|
|
- 10.0.0.0/8
|
|
- 172.16.0.0/12
|
|
- 192.168.0.0/16
|
|
```
|
|
|
|
```yaml
|
|
# tftest-file id=rules path=configs/firewall-policies/rules.yaml
|
|
allow-admins:
|
|
description: Access from the admin subnet to all subnets
|
|
direction: INGRESS
|
|
action: allow
|
|
priority: 1000
|
|
ranges:
|
|
- $rfc1918
|
|
ports:
|
|
all: []
|
|
target_resources: null
|
|
logging: false
|
|
|
|
allow-iap-ssh:
|
|
description: "Always allow ssh from IAP."
|
|
direction: INGRESS
|
|
action: allow
|
|
priority: 100
|
|
ranges:
|
|
- 35.235.240.0/20
|
|
ports:
|
|
tcp: ["22"]
|
|
target_resources: null
|
|
logging: false
|
|
```
|
|
|
|
## Log Sinks
|
|
|
|
The following example shows how to define organization-level log sinks:
|
|
|
|
```hcl
|
|
module "gcs" {
|
|
source = "./fabric/modules/gcs"
|
|
project_id = var.project_id
|
|
name = "gcs_sink"
|
|
force_destroy = true
|
|
}
|
|
|
|
module "dataset" {
|
|
source = "./fabric/modules/bigquery-dataset"
|
|
project_id = var.project_id
|
|
id = "bq_sink"
|
|
}
|
|
|
|
module "pubsub" {
|
|
source = "./fabric/modules/pubsub"
|
|
project_id = var.project_id
|
|
name = "pubsub_sink"
|
|
}
|
|
|
|
module "bucket" {
|
|
source = "./fabric/modules/logging-bucket"
|
|
parent_type = "project"
|
|
parent = "my-project"
|
|
id = "bucket"
|
|
}
|
|
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
|
|
logging_sinks = {
|
|
warnings = {
|
|
destination = module.gcs.id
|
|
filter = "severity=WARNING"
|
|
type = "storage"
|
|
}
|
|
info = {
|
|
bq_partitioned_table = true
|
|
destination = module.dataset.id
|
|
filter = "severity=INFO"
|
|
type = "bigquery"
|
|
}
|
|
notice = {
|
|
destination = module.pubsub.id
|
|
filter = "severity=NOTICE"
|
|
type = "pubsub"
|
|
}
|
|
debug = {
|
|
destination = module.bucket.id
|
|
filter = "severity=DEBUG"
|
|
exclusions = {
|
|
no-compute = "logName:compute"
|
|
}
|
|
type = "logging"
|
|
}
|
|
}
|
|
logging_exclusions = {
|
|
no-gce-instances = "resource.type=gce_instance"
|
|
}
|
|
}
|
|
# tftest modules=5 resources=13 inventory=logging.yaml
|
|
```
|
|
|
|
## Data Access Logs
|
|
|
|
Activation of data access logs can be controlled via the `logging_data_access` variable. If the `iam_bindings_authoritative` variable is used to set a resource-level IAM policy, the data access log configuration will also be authoritative as part of the policy.
|
|
|
|
This example shows how to set a non-authoritative access log configuration:
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
logging_data_access = {
|
|
allServices = {
|
|
# logs for principals listed here will be excluded
|
|
ADMIN_READ = ["group:organization-admins@example.org"]
|
|
}
|
|
"storage.googleapis.com" = {
|
|
DATA_READ = []
|
|
DATA_WRITE = []
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=2 inventory=logging-data-access.yaml
|
|
```
|
|
|
|
While this sets an authoritative policies that has exclusive control of both IAM bindings for all roles and data access log configuration, and should be used with extreme care:
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
iam_policy = {
|
|
"roles/owner" = ["group:org-admins@example.com"]
|
|
"roles/resourcemanager.folderAdmin" = ["group:org-admins@example.com"]
|
|
"roles/resourcemanager.organizationAdmin" = ["group:org-admins@example.com"]
|
|
"roles/resourcemanager.projectCreator" = ["group:org-admins@example.com"]
|
|
}
|
|
logging_data_access = {
|
|
allServices = {
|
|
ADMIN_READ = ["group:organization-admins@example.org"]
|
|
}
|
|
"storage.googleapis.com" = {
|
|
DATA_READ = []
|
|
DATA_WRITE = []
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=1 inventory=iam-policy.yaml
|
|
```
|
|
|
|
## Custom Roles
|
|
|
|
Custom roles can be defined via the `custom_roles` variable, and referenced via the `custom_role_id` output:
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
custom_roles = {
|
|
"myRole" = [
|
|
"compute.instances.list",
|
|
]
|
|
}
|
|
iam = {
|
|
(module.org.custom_role_id.myRole) = ["user:me@example.com"]
|
|
}
|
|
}
|
|
# tftest modules=1 resources=2 inventory=roles.yaml
|
|
```
|
|
|
|
## Tags
|
|
|
|
Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
tags = {
|
|
environment = {
|
|
description = "Environment specification."
|
|
iam = {
|
|
"roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
|
|
}
|
|
values = {
|
|
dev = {}
|
|
prod = {
|
|
description = "Environment: production."
|
|
iam = {
|
|
"roles/resourcemanager.tagViewer" = ["user:user1@example.com"]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
tag_bindings = {
|
|
env-prod = module.org.tag_values["environment/prod"].id
|
|
foo = "tagValues/12345678"
|
|
}
|
|
}
|
|
# tftest modules=1 resources=7 inventory=tags.yaml
|
|
```
|
|
|
|
You can also define network tags, through a dedicated variable *network_tags*:
|
|
|
|
```hcl
|
|
module "org" {
|
|
source = "./fabric/modules/organization"
|
|
organization_id = var.organization_id
|
|
network_tags = {
|
|
net-environment = {
|
|
description = "This is a network tag."
|
|
network = "my_project/my_vpc"
|
|
iam = {
|
|
"roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
|
|
}
|
|
values = {
|
|
dev = null
|
|
prod = {
|
|
description = "Environment: production."
|
|
iam = {
|
|
"roles/resourcemanager.tagUser" = ["user:user1@example.com"]
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
# tftest modules=1 resources=5 inventory=network-tags.yaml
|
|
```
|
|
|
|
<!-- TFDOC OPTS files:1 -->
|
|
<!-- BEGIN TFDOC -->
|
|
|
|
## Files
|
|
|
|
| name | description | resources |
|
|
|---|---|---|
|
|
| [firewall-policies.tf](./firewall-policies.tf) | Hierarchical firewall policies. | <code>google_compute_firewall_policy</code> · <code>google_compute_firewall_policy_association</code> · <code>google_compute_firewall_policy_rule</code> |
|
|
| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> · <code>google_organization_iam_policy</code> |
|
|
| [logging.tf](./logging.tf) | Log sinks and data access logs. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_sink</code> · <code>google_organization_iam_audit_config</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
|
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> |
|
|
| [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
|
|
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
|
|
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
|
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
|
|
| [variables.tf](./variables.tf) | Module variables. | |
|
|
| [versions.tf](./versions.tf) | Version pins. | |
|
|
|
|
## Variables
|
|
|
|
| name | description | type | required | default |
|
|
|---|---|:---:|:---:|:---:|
|
|
| [organization_id](variables.tf#L226) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
|
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
|
| [firewall_policy_association](variables.tf#L48) | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [firewall_policy_factory](variables.tf#L55) | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
|
|
| [group_iam](variables.tf#L65) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam](variables.tf#L72) | IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam_additive](variables.tf#L79) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam_additive_members](variables.tf#L86) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
|
|
| [iam_policy](variables.tf#L93) | IAM authoritative policy in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared, use with extreme caution. | <code>map(list(string))</code> | | <code>null</code> |
|
|
| [logging_data_access](variables.tf#L99) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
|
| [logging_exclusions](variables.tf#L114) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
|
| [logging_sinks](variables.tf#L121) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [network_tags](variables.tf#L151) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [org_policies](variables.tf#L173) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [org_policies_data_path](variables.tf#L200) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> |
|
|
| [org_policy_custom_constraints](variables.tf#L206) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
| [org_policy_custom_constraints_data_path](variables.tf#L220) | Path containing org policy custom constraints in YAML format. | <code>string</code> | | <code>null</code> |
|
|
| [tag_bindings](variables.tf#L235) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
|
| [tags](variables.tf#L241) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
|
|
|
## Outputs
|
|
|
|
| name | description | sensitive |
|
|
|---|---|:---:|
|
|
| [custom_constraint_ids](outputs.tf#L17) | Map of CUSTOM_CONSTRAINTS => ID in the organization. | |
|
|
| [custom_role_id](outputs.tf#L22) | Map of custom role IDs created in the organization. | |
|
|
| [custom_roles](outputs.tf#L35) | Map of custom roles resources created in the organization. | |
|
|
| [firewall_policies](outputs.tf#L40) | Map of firewall policy resources created in the organization. | |
|
|
| [firewall_policy_id](outputs.tf#L45) | Map of firewall policy ids created in the organization. | |
|
|
| [id](outputs.tf#L50) | Fully qualified organization id. | |
|
|
| [network_tag_keys](outputs.tf#L67) | Tag key resources. | |
|
|
| [network_tag_values](outputs.tf#L76) | Tag value resources. | |
|
|
| [organization_id](outputs.tf#L86) | Organization id dependent on module resources. | |
|
|
| [sink_writer_identities](outputs.tf#L103) | Writer identities created for each sink. | |
|
|
| [tag_keys](outputs.tf#L111) | Tag key resources. | |
|
|
| [tag_values](outputs.tf#L120) | Tag value resources. | |
|
|
|
|
<!-- END TFDOC -->
|