This module allows managing several organization properties:
- IAM bindings, both authoritative and additive
- custom IAM roles
- audit logging configuration for services
- organization policies
module "org" {
source = "./modules/organization"
organization_id = "organizations/1234567890"
group_iam = {
"[email protected]" = ["roles/owner", "roles/projectCreator"]
}
iam = {
"roles/projectCreator" = ["group:[email protected]"]
}
policy_boolean = {
"constraints/compute.disableGuestAttributesAccess" = true
"constraints/compute.skipDefaultNetworkCreation" = true
}
policy_list = {
"constraints/compute.trustedImageProjects" = {
inherit_from_parent = null
suggested_value = null
status = true
values = ["projects/my-project"]
}
}
}
# tftest:modules=1:resources=5There are several mutually exclusive ways of managing IAM in this module
- non-authoritative via the
iam_additiveandiam_additive_membersvariables, where bindings created outside this module will coexist with those managed here - authoritative via the
group_iamandiamvariables, where bindings created outside this module (eg in the console) will be removed at eachterraform applycycle if the same role is also managed here - authoritative policy via the
iam_bindings_authoritativevariable, where any binding created outside this module (eg in the console) will be removed at eachterraform applycycle regardless of the role
Some care must be takend with the groups_iam variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
module "org" {
source = "./modules/organization"
organization_id = var.organization_id
firewall_policies = {
iap-policy = {
allow-iap-ssh = {
description = "Always allow ssh from IAP"
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["35.235.240.0/20"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
}
firewall_policy_attachments = {
iap_policy = module.org.firewall_policy_id["iap-policy"]
}
}
# tftest:modules=1:resources=3module "gcs" {
source = "./modules/gcs"
project_id = var.project_id
name = "gcs_sink"
force_destroy = true
}
module "dataset" {
source = "./modules/bigquery-dataset"
project_id = var.project_id
id = "bq_sink"
}
module "pubsub" {
source = "./modules/pubsub"
project_id = var.project_id
name = "pubsub_sink"
}
module "bucket" {
source = "./modules/logging-bucket"
parent_type = "project"
parent = "my-project"
id = "bucket"
}
module "org" {
source = "./modules/organization"
organization_id = var.organization_id
logging_sinks = {
warnings = {
type = "gcs"
destination = module.gcs.name
filter = "severity=WARNING"
iam = false
include_children = true
exclusions = {}
}
info = {
type = "bigquery"
destination = module.dataset.id
filter = "severity=INFO"
iam = false
include_children = true
exclusions = {}
}
notice = {
type = "pubsub"
destination = module.pubsub.id
filter = "severity=NOTICE"
iam = true
include_children = true
exclusions = {}
}
debug = {
type = "logging"
destination = module.bucket.id
filter = "severity=DEBUG"
iam = true
include_children = false
exclusions = {
no-compute = "logName:compute"
}
}
}
logging_exclusions = {
no-gce-instances = "resource.type=gce_instance"
}
}
# tftest:modules=5:resources=11| name | description | type | required | default |
|---|---|---|---|---|
| organization_id | Organization id in organizations/nnnnnn format. | string |
✓ | |
| contacts | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES | map(list(string)) |
{} |
|
| custom_roles | Map of role name => list of permissions to create in this project. | map(list(string)) |
{} |
|
| firewall_policies | Hierarchical firewall policies to create in the organization. | map(map(object({...}))) |
{} |
|
| firewall_policy_attachments | List of hierarchical firewall policy IDs to attach to the organization | map(string) |
{} |
|
| group_iam | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the iam variable. |
map(list(string)) |
{} |
|
| iam | IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| iam_additive | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) |
{} |
|
| iam_audit_config | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | map(map(list(string))) |
{} |
|
| iam_audit_config_authoritative | IAM Authoritative service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. Audit config should also be authoritative when using authoritative bindings. Use with caution. | map(map(list(string))) |
null |
|
| iam_bindings_authoritative | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | map(list(string)) |
null |
|
| logging_exclusions | Logging exclusions for this organization in the form {NAME -> FILTER}. | map(string) |
{} |
|
| logging_sinks | Logging sinks to create for this organization. | map(object({...})) |
{} |
|
| policy_boolean | Map of boolean org policies and enforcement value, set value to null for policy restore. | map(bool) |
{} |
|
| policy_list | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | map(object({...})) |
{} |
| name | description | sensitive |
|---|---|---|
| firewall_policies | Map of firewall policy resources created in the organization. | |
| firewall_policy_id | Map of firewall policy ids created in the organization. | |
| organization_id | Organization id dependent on module resources. | |
| sink_writer_identities | Writer identities created for each sink. |