# Organization Module

This module allows managing several organization properties:

- IAM bindings, both authoritative and additive
- custom IAM roles
- audit logging configuration for services
- organization policies
- organization policy custom constraints

To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
## Example

```hcl
module "org" {
  source          = "./fabric/modules/organization"
  organization_id = "organizations/1234567890"
  group_iam = {
    "cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
  }
  iam = {
    "roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
  }
  iam_additive_members = {
    "user:compute@example.org" = ["roles/compute.admin", "roles/container.viewer"]
  }
  tags = {
    allowexternal = {
      description = "Allow external identities."
      values = {
        true = {}, false = {}
      }
    }
  }
  org_policies = {
    "custom.gkeEnableAutoUpgrade" = {
      rules = [{ enforce = true }]
    }
    "compute.disableGuestAttributesAccess" = {
      rules = [{ enforce = true }]
    }
    "compute.skipDefaultNetworkCreation" = {
      rules = [{ enforce = true }]
    }
    "iam.disableServiceAccountKeyCreation" = {
      rules = [{ enforce = true }]
    }
    "iam.disableServiceAccountKeyUpload" = {
      rules = [
        {
          condition = {
            expression  = "resource.matchTagId('tagKeys/1234', 'tagValues/1234')"
            title       = "condition"
            description = "test condition"
            location    = "somewhere"
          }
          enforce = true
        },
        {
          enforce = false
        }
      ]
    }
    "iam.allowedPolicyMemberDomains" = {
      rules = [
        {
          allow = { all = true }
          condition = {
            expression  = "resource.matchTag('1234567890/allowexternal', 'true')"
            title       = "Allow external identities"
            description = "Allow external identities when resource has the `allowexternal` tag set to true."
          }
        },
        {
          allow = { values = ["C0xxxxxxx", "C0yyyyyyy"] }
          condition = {
            expression  = "!resource.matchTag('1234567890/allowexternal', 'true')"
            title       = ""
            description = "For any resource without allowexternal=true, only allow identities from restricted domains."
          }
        }
      ]
    }
    "compute.trustedImageProjects" = {
      rules = [{
        allow = {
          values = ["projects/my-project"]
        }
      }]
    }
    "compute.vmExternalIpAccess" = {
      rules = [{ deny = { all = true } }]
    }
  }
}
# tftest modules=1 resources=16 inventory=basic.yaml
```
## IAM

There are several mutually exclusive ways of managing IAM in this module:

- non-authoritative via the `iam_additive` and `iam_additive_members` variables, where bindings created outside this module will coexist with those managed here
- authoritative via the `group_iam` and `iam` variables, where bindings created outside this module (e.g. in the console) will be removed at each `terraform apply` cycle if the same role is also managed here
- authoritative policy via the `iam_bindings_authoritative` variable, where any binding created outside this module (e.g. in the console) will be removed at each `terraform apply` cycle regardless of the role

If you set audit policies via the `iam_audit_config_authoritative` variable, be sure to also configure IAM bindings via `iam_bindings_authoritative`, as audit policies use the underlying `google_organization_iam_policy` resource, which is also authoritative for any role.

Some care must also be taken with the `group_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.

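The difference between the three modes is easiest to see by simulating them against bindings that already exist on the organization. The script below is an added example and not part of the module: it takes a constructed "existing" policy and a constructed set of desired bindings, runs the same desired set through each mode, and reports which bindings would be added and which existing ones would be dropped. The `members_to_roles` helper converts the `{MEMBER => [ROLES]}` shape used by `iam_additive_members` (and, with a `group:` prefix, by `group_iam`) into the `{ROLE => [MEMBERS]}` shape of `iam`; the mode semantics follow the list above.

```python
"""Added example (not the module's own code): simulate the effect of each IAM
management mode of the organization module on bindings that already exist on
the organization, so the blast radius of switching to authoritative bindings
can be seen before `terraform apply`. All data below is constructed."""
from typing import Dict, List, Set, Tuple

Binding = Tuple[str, str]  # (role, member)

# Constructed: bindings already present on the organization, e.g. set in the console.
EXISTING: Dict[str, List[str]] = {
    "roles/owner": ["group:cloud-owners@example.org", "user:breakglass@example.org"],
    "roles/resourcemanager.projectCreator": ["group:cloud-admins@example.org"],
    "roles/viewer": ["user:auditor@example.org"],
}


def members_to_roles(member_map: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert a {MEMBER => [ROLES]} map (iam_additive_members shape) into the
    {ROLE => [MEMBERS]} shape used by the `iam` variable."""
    roles: Dict[str, List[str]] = {}
    for member, role_list in member_map.items():
        for role in role_list:
            roles.setdefault(role, []).append(member)
    return roles


# Constructed: what the module is asked to manage, written in member-first form
# and converted; group_iam keys would get the "group:" prefix at this point.
DESIRED: Dict[str, List[str]] = members_to_roles({
    "group:cloud-owners@example.org": ["roles/owner"],
    "user:compute@example.org": ["roles/compute.admin"],
})


def flatten(policy: Dict[str, List[str]]) -> Set[Binding]:
    return {(role, member) for role, members in policy.items() for member in members}


def plan(mode: str, existing: Dict[str, List[str]],
         managed: Dict[str, List[str]]) -> Tuple[Set[Binding], Set[Binding]]:
    """Return (added, removed) bindings for one mode:
    'additive'      -> iam_additive / iam_additive_members: nothing is ever removed
    'authoritative' -> iam / group_iam: roles listed here are replaced wholesale,
                       roles not listed are left untouched
    'policy'        -> iam_bindings_authoritative: the whole policy is replaced"""
    before, desired = flatten(existing), flatten(managed)
    if mode == "additive":
        return desired - before, set()
    if mode == "authoritative":
        untouched = {b for b in before if b[0] not in managed}
        after = untouched | desired
    elif mode == "policy":
        after = desired
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return after - before, before - after


def report(existing: Dict[str, List[str]] = EXISTING,
           managed: Dict[str, List[str]] = DESIRED) -> Dict[str, Tuple[Set[Binding], Set[Binding]]]:
    """Run all three modes over the same desired bindings and return each plan."""
    return {mode: plan(mode, existing, managed)
            for mode in ("additive", "authoritative", "policy")}


if __name__ == "__main__":
    for mode, (added, removed) in report().items():
        print(f"{mode}: +{len(added)} -{len(removed)}")
        for role, member in sorted(removed):
            print(f"  would remove {member} from {role}")
```

With the constructed data, the additive mode only adds the compute binding, the per-role authoritative mode additionally drops the break-glass user from `roles/owner` (the one role the module manages), and the whole-policy mode drops every binding not listed, including the project creator group and the auditor.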
### Organization policy factory

See the [organization policy factory in the project module](../project#organization-policy-factory).

### Org policy custom constraints

Refer to the [Creating and managing custom constraints](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints) documentation for details on usage.

To manage organization policy custom constraints, the `orgpolicy.googleapis.com` service should be enabled in the quota project.

```hcl
module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id

  org_policy_custom_constraints = {
    "custom.gkeEnableAutoUpgrade" = {
      resource_types = ["container.googleapis.com/NodePool"]
      method_types   = ["CREATE"]
      condition      = "resource.management.autoUpgrade == true"
      action_type    = "ALLOW"
      display_name   = "Enable node auto-upgrade"
      description    = "All node pools must have node auto-upgrade enabled."
    }
  }

  # the policy does not have to be enforced at org level, it can also be applied at folder or project level
  org_policies = {
    "custom.gkeEnableAutoUpgrade" = {
      rules = [{ enforce = true }]
    }
  }
}
# tftest modules=1 resources=2 inventory=custom-constraints.yaml
```
### Org policy custom constraints factory

Org policy custom constraints can be loaded from a directory containing YAML files where each file defines one or more custom constraints. The structure of the YAML files is exactly the same as the `org_policy_custom_constraints` variable.

The example below deploys a few org policy custom constraints split between two YAML files.

```hcl
module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id

  org_policy_custom_constraints_data_path = "configs/custom-constraints"

  org_policies = {
    "custom.gkeEnableAutoUpgrade" = {
      rules = [{ enforce = true }]
    }
  }
}
# tftest modules=1 resources=3 files=gke inventory=custom-constraints.yaml
```

```yaml
# tftest-file id=gke path=configs/custom-constraints/gke.yaml
custom.gkeEnableLogging:
  resource_types:
  - container.googleapis.com/Cluster
  method_types:
  - CREATE
  - UPDATE
  condition: resource.loggingService == "none"
  action_type: DENY
  display_name: Do not disable Cloud Logging
custom.gkeEnableAutoUpgrade:
  resource_types:
  - container.googleapis.com/NodePool
  method_types:
  - CREATE
  condition: resource.management.autoUpgrade == true
  action_type: ALLOW
  display_name: Enable node auto-upgrade
  description: All node pools must have node auto-upgrade enabled.
```

```yaml
# tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml
custom.dataprocNoMoreThan10Workers:
  resource_types:
  - dataproc.googleapis.com/Cluster
  method_types:
  - CREATE
  - UPDATE
  condition: resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10
  action_type: DENY
  display_name: Total number of worker instances cannot be larger than 10
  description: Cluster cannot have more than 10 workers, including primary and secondary workers.
```
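Because the factory merges every file in the directory into one map shaped like `org_policy_custom_constraints`, a constraint name repeated across two files or a malformed definition only surfaces at plan or apply time. The following added example, which is not part of the module, validates decoded factory files before they reach Terraform. It assumes the files have already been decoded (with `yaml.safe_load`, as Terraform's `yamldecode` would); the decoded content below is constructed to match `gke.yaml` and `dataproc.yaml` above, and the required and optional keys mirror the `org_policy_custom_constraints` variable type.

```python
"""Added example, not part of the module: merge the custom constraint
definitions of several factory YAML files into one dict shaped like the
`org_policy_custom_constraints` variable and validate each definition.
Assumes the files were decoded beforehand; the content below is constructed."""
from typing import Dict, List, Tuple

REQUIRED = ("resource_types", "method_types", "condition", "action_type")
OPTIONAL = ("display_name", "description")
ACTION_TYPES = {"ALLOW", "DENY"}

# Constructed: what yaml.safe_load returns for the two files shown above.
DECODED_FILES: Dict[str, dict] = {
    "configs/custom-constraints/gke.yaml": {
        "custom.gkeEnableLogging": {
            "resource_types": ["container.googleapis.com/Cluster"],
            "method_types": ["CREATE", "UPDATE"],
            "condition": 'resource.loggingService == "none"',
            "action_type": "DENY",
            "display_name": "Do not disable Cloud Logging",
        },
        "custom.gkeEnableAutoUpgrade": {
            "resource_types": ["container.googleapis.com/NodePool"],
            "method_types": ["CREATE"],
            "condition": "resource.management.autoUpgrade == true",
            "action_type": "ALLOW",
            "display_name": "Enable node auto-upgrade",
            "description": "All node pools must have node auto-upgrade enabled.",
        },
    },
    "configs/custom-constraints/dataproc.yaml": {
        "custom.dataprocNoMoreThan10Workers": {
            "resource_types": ["dataproc.googleapis.com/Cluster"],
            "method_types": ["CREATE", "UPDATE"],
            "condition": "resource.config.workerConfig.numInstances + "
                         "resource.config.secondaryWorkerConfig.numInstances > 10",
            "action_type": "DENY",
            "display_name": "Total number of worker instances cannot be larger than 10",
            "description": "Cluster cannot have more than 10 workers, including primary and secondary workers.",
        },
    },
}


def validate_constraint(name: str, spec) -> List[str]:
    """Return the problems found in one constraint definition."""
    problems: List[str] = []
    if not name.startswith("custom."):
        problems.append(f"{name}: custom constraint names must start with 'custom.'")
    if not isinstance(spec, dict):
        return problems + [f"{name}: definition must be a mapping"]
    for key in REQUIRED:
        if key not in spec:
            problems.append(f"{name}: missing required key '{key}'")
    for key in spec:
        if key not in REQUIRED + OPTIONAL:
            problems.append(f"{name}: unknown key '{key}'")
    for key in ("resource_types", "method_types"):
        value = spec.get(key)
        if key in spec and (not isinstance(value, list) or not value
                            or not all(isinstance(v, str) for v in value)):
            problems.append(f"{name}: '{key}' must be a non-empty list of strings")
    if "action_type" in spec and spec["action_type"] not in ACTION_TYPES:
        problems.append(f"{name}: action_type must be one of {sorted(ACTION_TYPES)}")
    # A bare `condition: true` is decoded by YAML as a boolean, not as a CEL expression.
    if "condition" in spec and not isinstance(spec["condition"], str):
        problems.append(f"{name}: condition must be a string expression")
    return problems


def merge_files(decoded: Dict[str, dict]) -> Tuple[Dict[str, dict], List[str]]:
    """Merge every file into one map. A name defined in two files is reported,
    since a plain merge would silently keep only the last definition."""
    merged: Dict[str, dict] = {}
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for path, content in decoded.items():
        for name, spec in (content or {}).items():
            if name in seen:
                problems.append(f"{name}: defined in both {seen[name]} and {path}")
            seen[name] = path
            problems.extend(validate_constraint(name, spec))
            merged[name] = spec
    return merged, problems


if __name__ == "__main__":
    constraints, issues = merge_files(DECODED_FILES)
    print(f"{len(constraints)} constraints loaded")
    for issue in issues:
        print("problem:", issue)
```

Run against the two files above it loads three constraints and reports nothing; the duplicate-name check matters most when constraints for the same service are split across files maintained by different teams.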
## Hierarchical firewall policies

Hierarchical firewall policies can be managed in two ways:

- via the `firewall_policies` variable, to directly define policies and rules in Terraform
- via the `firewall_policy_factory` variable, to leverage external YAML files via a simple "factory" embedded in the module ([see here](../../blueprints/factories) for more context on factories)

Once you have policies (either created via the module or externally), you can associate them using the `firewall_policy_association` variable.

### Directly defined firewall policies

```hcl
module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  firewall_policies = {
    iap-policy = {
      allow-admins = {
        description             = "Access from the admin subnet to all subnets"
        direction               = "INGRESS"
        action                  = "allow"
        priority                = 1000
        ranges                  = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
        ports                   = { all = [] }
        target_service_accounts = null
        target_resources        = null
        logging                 = false
      }
      allow-iap-ssh = {
        description             = "Always allow ssh from IAP."
        direction               = "INGRESS"
        action                  = "allow"
        priority                = 100
        ranges                  = ["35.235.240.0/20"]
        ports = {
          tcp = ["22"]
        }
        target_service_accounts = null
        target_resources        = null
        logging                 = false
      }
    }
  }
  firewall_policy_association = {
    iap_policy = "iap-policy"
  }
}
# tftest modules=1 resources=4 inventory=hfw.yaml
```
### Firewall policy factory

The in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).

```hcl
module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  firewall_policy_factory = {
    cidr_file   = "configs/firewall-policies/cidrs.yaml"
    policy_name = "iap-policy"
    rules_file  = "configs/firewall-policies/rules.yaml"
  }
  firewall_policy_association = {
    iap_policy = module.org.firewall_policy_id["iap-policy"]
  }
}
# tftest modules=1 resources=4 files=cidrs,rules inventory=hfw.yaml
```

```yaml
# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
rfc1918:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
```

```yaml
# tftest-file id=rules path=configs/firewall-policies/rules.yaml
allow-admins:
  description: Access from the admin subnet to all subnets
  direction: INGRESS
  action: allow
  priority: 1000
  ranges:
    - $rfc1918
  ports:
    all: []
  target_resources: null
  logging: false

allow-iap-ssh:
  description: "Always allow ssh from IAP."
  direction: INGRESS
  action: allow
  priority: 100
  ranges:
    - 35.235.240.0/20
  ports:
    tcp: ["22"]
  target_resources: null
  logging: false
```
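The two files above only become a policy once the `$rfc1918` reference is expanded from `cidrs.yaml` and every rule is accepted by the API. The script below is an added example, not the factory's own code: it performs that expansion on constructed copies of the decoded files and applies the checks a reviewer would want before `terraform apply`, namely valid direction and action, a non-negative numeric priority that is unique within the policy, a ports map, and CIDRs that parse strictly (so `10.0.0.1/8` is rejected). It assumes that a range entry of the form `$name` stands for the list stored under `name` in the CIDR file, which is inferred from the examples on this page, since the factory and the directly defined policy produce the same resources.

```python
"""Added example, not part of the module: expand `$name` CIDR references in
the firewall policy factory rules and validate each rule. The decoded inputs
are constructed to match rules.yaml and cidrs.yaml above; `$name` expansion
semantics are an assumption inferred from the examples."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: what yaml.safe_load returns for cidrs.yaml and rules.yaml.
CIDRS: Dict[str, List[str]] = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
RULES: Dict[str, dict] = {
    "allow-admins": {
        "description": "Access from the admin subnet to all subnets",
        "direction": "INGRESS", "action": "allow", "priority": 1000,
        "ranges": ["$rfc1918"], "ports": {"all": []},
        "target_resources": None, "logging": False,
    },
    "allow-iap-ssh": {
        "description": "Always allow ssh from IAP.",
        "direction": "INGRESS", "action": "allow", "priority": 100,
        "ranges": ["35.235.240.0/20"], "ports": {"tcp": ["22"]},
        "target_resources": None, "logging": False,
    },
}

DIRECTIONS = {"INGRESS", "EGRESS"}
ACTIONS = {"allow", "deny", "goto_next"}  # actions accepted by hierarchical firewall policy rules


def expand_ranges(ranges: List[str], cidrs: Dict[str, List[str]]) -> List[str]:
    """Replace every `$name` entry with the CIDR list stored under `name`."""
    out: List[str] = []
    for entry in ranges:
        if entry.startswith("$"):
            name = entry[1:]
            if name not in cidrs:
                raise KeyError(f"unknown CIDR variable {entry}")
            out.extend(cidrs[name])
        else:
            out.append(entry)
    return out


def validate_rule(rule: dict) -> List[str]:
    """Structural checks on one rule; returns the problems found."""
    problems: List[str] = []
    if rule.get("direction") not in DIRECTIONS:
        problems.append(f"direction must be one of {sorted(DIRECTIONS)}")
    if rule.get("action") not in ACTIONS:
        problems.append(f"action must be one of {sorted(ACTIONS)}")
    prio = rule.get("priority")
    if isinstance(prio, bool) or not isinstance(prio, int) or prio < 0:
        problems.append("priority must be a non-negative integer")
    ports = rule.get("ports")
    if not isinstance(ports, dict) or not ports:
        problems.append("ports must map a protocol (or 'all') to a list of ports")
    else:
        for proto, plist in ports.items():
            # YAML may decode port numbers as ints; Terraform converts them to strings.
            if not isinstance(plist, list) or not all(isinstance(p, (str, int)) for p in plist):
                problems.append(f"ports for {proto} must be a list")
    return problems


def load_policy(rules: Dict[str, dict],
                cidrs: Dict[str, List[str]]) -> Tuple[Dict[str, dict], List[str]]:
    """Return (rules with ranges expanded, problems). Priorities must be unique
    within one policy, so a clash between two rules is reported as well."""
    expanded: Dict[str, dict] = {}
    problems: List[str] = []
    seen_prio: Dict[object, str] = {}
    for name, rule in rules.items():
        found = [f"{name}: {m}" for m in validate_rule(rule)]
        try:
            ranges = expand_ranges(rule.get("ranges") or [], cidrs)
        except KeyError as exc:
            found.append(f"{name}: {exc.args[0]}")
            ranges = []
        for cidr in ranges:
            try:
                ipaddress.ip_network(cidr)  # strict by default: rejects host bits set
            except ValueError:
                found.append(f"{name}: invalid CIDR {cidr}")
        prio = rule.get("priority")
        if prio in seen_prio:
            found.append(f"{name}: priority {prio} already used by {seen_prio[prio]}")
        seen_prio[prio] = name
        problems.extend(found)
        expanded[name] = {**rule, "ranges": ranges}
    return expanded, problems


if __name__ == "__main__":
    policy, issues = load_policy(RULES, CIDRS)
    for name, rule in policy.items():
        print(name, rule["priority"], rule["action"], rule["ranges"])
    print("problems:", issues or "none")
```

On the page's files this yields the same two rules as the directly defined policy in the previous section, with `allow-admins` carrying the three RFC 1918 ranges.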
## Logging Sinks

```hcl
module "gcs" {
  source        = "./fabric/modules/gcs"
  project_id    = var.project_id
  name          = "gcs_sink"
  force_destroy = true
}

module "dataset" {
  source     = "./fabric/modules/bigquery-dataset"
  project_id = var.project_id
  id         = "bq_sink"
}

module "pubsub" {
  source     = "./fabric/modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "bucket" {
  source      = "./fabric/modules/logging-bucket"
  parent_type = "project"
  parent      = "my-project"
  id          = "bucket"
}

module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  logging_sinks = {
    warnings = {
      destination = module.gcs.id
      filter      = "severity=WARNING"
      type        = "storage"
    }
    info = {
      bq_partitioned_table = true
      destination          = module.dataset.id
      filter               = "severity=INFO"
      type                 = "bigquery"
    }
    notice = {
      destination = module.pubsub.id
      filter      = "severity=NOTICE"
      type        = "pubsub"
    }
    debug = {
      destination = module.bucket.id
      filter      = "severity=DEBUG"
      exclusions = {
        no-compute = "logName:compute"
      }
      type = "logging"
    }
  }
  logging_exclusions = {
    no-gce-instances = "resource.type=gce_instance"
  }
}
# tftest modules=5 resources=13 inventory=logging.yaml
```
## Custom Roles

```hcl
module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  custom_roles = {
    "myRole" = [
      "compute.instances.list",
    ]
  }
  iam = {
    (module.org.custom_role_id.myRole) = ["user:me@example.com"]
  }
}
# tftest modules=1 resources=2 inventory=roles.yaml
```
## Tags

Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.

```hcl
module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  tags = {
    environment = {
      description = "Environment specification."
      iam = {
        "roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
      }
      values = {
        dev = {}
        prod = {
          description = "Environment: production."
          iam = {
            "roles/resourcemanager.tagViewer" = ["user:user1@example.com"]
          }
        }
      }
    }
  }
  tag_bindings = {
    env-prod = module.org.tag_values["environment/prod"].id
    foo      = "tagValues/12345678"
  }
}
# tftest modules=1 resources=7 inventory=tags.yaml
```

You can also define network tags, through the dedicated `network_tags` variable:

```hcl
module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  network_tags = {
    net-environment = {
      description = "This is a network tag."
      network     = "my_project/my_vpc"
      iam = {
        "roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
      }
      values = {
        dev = null
        prod = {
          description = "Environment: production."
          iam = {
            "roles/resourcemanager.tagUser" = ["user:user1@example.com"]
          }
        }
      }
    }
  }
}
# tftest modules=1 resources=5 inventory=network-tags.yaml
```
<!-- TFDOC OPTS files:1 -->
<!-- BEGIN TFDOC -->

## Files

| name | description | resources |
|---|---|---|
| [firewall-policies.tf](./firewall-policies.tf) | Hierarchical firewall policies. | <code>google_compute_firewall_policy</code> · <code>google_compute_firewall_policy_association</code> · <code>google_compute_firewall_policy_rule</code> |
| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_organization_iam_audit_config</code> · <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> · <code>google_organization_iam_policy</code> |
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> |
| [org-policy-custom-constraints.tf](./org-policy-custom-constraints.tf) | None | <code>google_org_policy_custom_constraint</code> |
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
| [outputs.tf](./outputs.tf) | Module outputs. | |
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
| [variables.tf](./variables.tf) | Module variables. | |
| [versions.tf](./versions.tf) | Version pins. | |

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [organization_id](variables.tf#L234) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
| [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
| [firewall_policy_association](variables.tf#L48) | The hierarchical firewall policy to associate to this folder. Must be either a key in the `firewall_policies` map or the id of a policy defined somewhere else. | <code>map(string)</code> | | <code>{}</code> |
| [firewall_policy_factory](variables.tf#L55) | Configuration for the firewall policy factory. | <code title="object({ cidr_file = string policy_name = string rules_file = string })">object({…})</code> | | <code>null</code> |
| [group_iam](variables.tf#L65) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
| [iam](variables.tf#L72) | IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
| [iam_additive](variables.tf#L79) | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
| [iam_additive_members](variables.tf#L86) | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code>map(list(string))</code> | | <code>{}</code> |
| [iam_audit_config](variables.tf#L93) | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code>map(map(list(string)))</code> | | <code>{}</code> |
| [iam_audit_config_authoritative](variables.tf#L105) | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | <code>map(map(list(string)))</code> | | <code>null</code> |
| [iam_bindings_authoritative](variables.tf#L116) | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code>map(list(string))</code> | | <code>null</code> |
| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
| [logging_sinks](variables.tf#L129) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> |
| [network_tags](variables.tf#L159) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, &quot;Managed by the Terraform organization module.&quot;) iam = optional(map(list(string)), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, &quot;Managed by the Terraform organization module.&quot;) iam = optional(map(list(string)), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
| [org_policies](variables.tf#L181) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
| [org_policies_data_path](variables.tf#L208) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> |
| [org_policy_custom_constraints](variables.tf#L214) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
| [org_policy_custom_constraints_data_path](variables.tf#L228) | Path containing org policy custom constraints in YAML format. | <code>string</code> | | <code>null</code> |
| [tag_bindings](variables.tf#L243) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
| [tags](variables.tf#L249) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, &quot;Managed by the Terraform organization module.&quot;) iam = optional(map(list(string)), {}) id = optional(string) values = optional(map(object({ description = optional(string, &quot;Managed by the Terraform organization module.&quot;) iam = optional(map(list(string)), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [custom_role_id](outputs.tf#L17) | Map of custom role IDs created in the organization. | |
| [custom_roles](outputs.tf#L30) | Map of custom roles resources created in the organization. | |
| [firewall_policies](outputs.tf#L35) | Map of firewall policy resources created in the organization. | |
| [firewall_policy_id](outputs.tf#L40) | Map of firewall policy ids created in the organization. | |
| [network_tag_keys](outputs.tf#L45) | Tag key resources. | |
| [network_tag_values](outputs.tf#L54) | Tag value resources. | |
| [organization_id](outputs.tf#L62) | Organization id dependent on module resources. | |
| [sink_writer_identities](outputs.tf#L79) | Writer identities created for each sink. | |
| [tag_keys](outputs.tf#L87) | Tag key resources. | |
| [tag_values](outputs.tf#L96) | Tag value resources. | |

<!-- END TFDOC -->