This module allows managing several organization properties:
- IAM bindings, both authoritative and additive
- custom IAM roles
- audit logging configuration for services
- organization policies
- organization policy custom constraints
To manage organization policies, the orgpolicy.googleapis.com service should be enabled in the quota project.
- TOC
- Example
- IAM
- Organization Policies
- Hierarchical Firewall Policy Attachments
- Log Sinks
- Data Access Logs
- Custom Roles
- Tags
- Files
- Variables
- Outputs
module "org" {
source = "./fabric/modules/organization"
organization_id = "organizations/1234567890"
group_iam = {
"[email protected]" = ["roles/owner", "roles/projectCreator"]
}
iam = {
"roles/resourcemanager.projectCreator" = ["group:[email protected]"]
}
iam_bindings_additive = {
am1-storage-admin = {
member = "user:[email protected]"
role = "roles/storage.admin"
}
}
tags = {
allowexternal = {
description = "Allow external identities."
values = {
true = {}, false = {}
}
}
}
org_policies = {
"custom.gkeEnableAutoUpgrade" = {
rules = [{ enforce = true }]
}
"compute.disableGuestAttributesAccess" = {
rules = [{ enforce = true }]
}
"compute.skipDefaultNetworkCreation" = {
rules = [{ enforce = true }]
}
"iam.disableServiceAccountKeyCreation" = {
rules = [{ enforce = true }]
}
"iam.disableServiceAccountKeyUpload" = {
rules = [
{
condition = {
expression = "resource.matchTagId('tagKeys/1234', 'tagValues/1234')"
title = "condition"
description = "test condition"
location = "somewhere"
}
enforce = true
},
{
enforce = false
}
]
}
"iam.allowedPolicyMemberDomains" = {
rules = [
{
allow = { all = true }
condition = {
expression = "resource.matchTag('1234567890/allowexternal', 'true')"
title = "Allow external identities"
description = "Allow external identities when resource has the `allowexternal` tag set to true."
}
},
{
allow = { values = ["C0xxxxxxx", "C0yyyyyyy"] }
condition = {
expression = "!resource.matchTag('1234567890/allowexternal', 'true')"
title = ""
description = "For any resource without allowexternal=true, only allow identities from restricted domains."
}
}
]
}
"compute.trustedImageProjects" = {
rules = [{
allow = {
values = ["projects/my-project"]
}
}]
}
"compute.vmExternalIpAccess" = {
rules = [{ deny = { all = true } }]
}
}
}
# tftest modules=1 resources=15 inventory=basic.yamlIAM is managed via several variables that implement different features and levels of control:
iamandgroup_iamconfigure authoritative bindings that manage individual roles exclusively, and are internally mergediam_bindingsconfigure authoritative bindings with optional support for conditions, and are not internally merged with the previous two variablesiam_bindings_additiveconfigure additive bindings via individual role/member pairs with optional support conditions
The authoritative and additive approaches can be used together, provided different roles are managed by each. Some care must also be taken with the groups_iam variable to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
Refer to the project module for examples of the IAM interface.
See the organization policy factory in the project module.
Refer to the Creating and managing custom constraints documentation for details on usage.
To manage organization policy custom constraints, the orgpolicy.googleapis.com service should be enabled in the quota project.
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
org_policy_custom_constraints = {
"custom.gkeEnableAutoUpgrade" = {
resource_types = ["container.googleapis.com/NodePool"]
method_types = ["CREATE"]
condition = "resource.management.autoUpgrade == true"
action_type = "ALLOW"
display_name = "Enable node auto-upgrade"
description = "All node pools must have node auto-upgrade enabled."
}
}
# not necessarily to enforce on the org level, policy may be applied on folder/project levels
org_policies = {
"custom.gkeEnableAutoUpgrade" = {
rules = [{ enforce = true }]
}
}
}
# tftest modules=1 resources=2 inventory=custom-constraints.yamlYou can use the id or custom_constraint_ids outputs to prevent race conditions between the creation of a custom constraint and an organization policy using that constraint. Both of these outputs depend on the actual constraint, which would make any resource referring to them to wait for the creation of the constraint.
Org policy custom constraints can be loaded from a directory containing YAML files where each file defines one or more custom constraints. The structure of the YAML files is exactly the same as the org_policy_custom_constraints variable.
The example below deploys a few org policy custom constraints split between two YAML files.
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
org_policy_custom_constraints_data_path = "configs/custom-constraints"
org_policies = {
"custom.gkeEnableAutoUpgrade" = {
rules = [{ enforce = true }]
}
}
}
# tftest modules=1 resources=3 files=gke inventory=custom-constraints.yaml# tftest-file id=gke path=configs/custom-constraints/gke.yaml
custom.gkeEnableLogging:
resource_types:
- container.googleapis.com/Cluster
method_types:
- CREATE
- UPDATE
condition: resource.loggingService == "none"
action_type: DENY
display_name: Do not disable Cloud Logging
custom.gkeEnableAutoUpgrade:
resource_types:
- container.googleapis.com/NodePool
method_types:
- CREATE
condition: resource.management.autoUpgrade == true
action_type: ALLOW
display_name: Enable node auto-upgrade
description: All node pools must have node auto-upgrade enabled.# tftest-file id=dataproc path=configs/custom-constraints/dataproc.yaml
custom.dataprocNoMoreThan10Workers:
resource_types:
- dataproc.googleapis.com/Cluster
method_types:
- CREATE
- UPDATE
condition: resource.config.workerConfig.numInstances + resource.config.secondaryWorkerConfig.numInstances > 10
action_type: DENY
display_name: Total number of worker instances cannot be larger than 10
description: Cluster cannot have more than 10 workers, including primary and secondary workers.Hierarchical firewall policies can be managed via the net-firewall-policy module, including support for factories. Once a policy is available, attaching it to the organization can be done either in the firewall policy module itself, or here:
module "firewall-policy" {
source = "./fabric/modules/net-firewall-policy"
name = "test-1"
parent_id = var.organization_id
# attachment via the firewall policy module
# attachments = {
# org = var.organization_id
# }
}
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
# attachment via the organization module
firewall_policy = {
name = "test-1"
policy = module.firewall-policy.id
}
}
# tftest modules=2 resources=2The following example shows how to define organization-level log sinks:
module "gcs" {
source = "./fabric/modules/gcs"
project_id = var.project_id
name = "gcs_sink"
force_destroy = true
}
module "dataset" {
source = "./fabric/modules/bigquery-dataset"
project_id = var.project_id
id = "bq_sink"
}
module "pubsub" {
source = "./fabric/modules/pubsub"
project_id = var.project_id
name = "pubsub_sink"
}
module "bucket" {
source = "./fabric/modules/logging-bucket"
parent_type = "project"
parent = "my-project"
id = "bucket"
}
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
logging_sinks = {
warnings = {
destination = module.gcs.id
filter = "severity=WARNING"
type = "storage"
}
info = {
bq_partitioned_table = true
destination = module.dataset.id
filter = "severity=INFO"
type = "bigquery"
}
notice = {
destination = module.pubsub.id
filter = "severity=NOTICE"
type = "pubsub"
}
debug = {
destination = module.bucket.id
filter = "severity=DEBUG"
exclusions = {
no-compute = "logName:compute"
}
type = "logging"
}
}
logging_exclusions = {
no-gce-instances = "resource.type=gce_instance"
}
}
# tftest modules=5 resources=13 inventory=logging.yamlActivation of data access logs can be controlled via the logging_data_access variable.
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
logging_data_access = {
allServices = {
# logs for principals listed here will be excluded
ADMIN_READ = ["group:[email protected]"]
}
"storage.googleapis.com" = {
DATA_READ = []
DATA_WRITE = []
}
}
}
# tftest modules=1 resources=2 inventory=logging-data-access.yamlCustom roles can be defined via the custom_roles variable, and referenced via the custom_role_id output:
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
custom_roles = {
"myRole" = [
"compute.instances.list",
]
}
iam = {
(module.org.custom_role_id.myRole) = ["user:[email protected]"]
}
}
# tftest modules=1 resources=2 inventory=roles.yamlRefer to the Creating and managing tags documentation for details on usage.
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
tags = {
environment = {
description = "Environment specification."
iam = {
"roles/resourcemanager.tagAdmin" = ["group:[email protected]"]
}
values = {
dev = {}
prod = {
description = "Environment: production."
iam = {
"roles/resourcemanager.tagViewer" = ["user:[email protected]"]
}
}
}
}
}
tag_bindings = {
env-prod = module.org.tag_values["environment/prod"].id
foo = "tagValues/12345678"
}
}
# tftest modules=1 resources=7 inventory=tags.yamlYou can also define network tags, through a dedicated variable network_tags:
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
network_tags = {
net-environment = {
description = "This is a network tag."
network = "my_project/my_vpc"
iam = {
"roles/resourcemanager.tagAdmin" = ["group:[email protected]"]
}
values = {
dev = null
prod = {
description = "Environment: production."
iam = {
"roles/resourcemanager.tagUser" = ["user:[email protected]"]
}
}
}
}
}
}
# tftest modules=1 resources=5 inventory=network-tags.yaml| name | description | resources |
|---|---|---|
| iam.tf | IAM bindings, roles and audit logging resources. | google_organization_iam_binding · google_organization_iam_custom_role · google_organization_iam_member |
| logging.tf | Log sinks and data access logs. | google_bigquery_dataset_iam_member · google_logging_organization_exclusion · google_logging_organization_sink · google_organization_iam_audit_config · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member |
| main.tf | Module-level locals and resources. | google_compute_firewall_policy_association · google_essential_contacts_contact |
| org-policy-custom-constraints.tf | None | google_org_policy_custom_constraint |
| organization-policies.tf | Organization-level organization policies. | google_org_policy_policy |
| outputs.tf | Module outputs. | |
| tags.tf | None | google_tags_tag_binding · google_tags_tag_key · google_tags_tag_key_iam_binding · google_tags_tag_value · google_tags_tag_value_iam_binding |
| variables.tf | Module variables. | |
| versions.tf | Version pins. |
| name | description | type | required | default |
|---|---|---|---|---|
| organization_id | Organization id in organizations/nnnnnn format. | string |
✓ | |
| contacts | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) |
{} |
|
| custom_roles | Map of role name => list of permissions to create in this project. | map(list(string)) |
{} |
|
| firewall_policy | Hierarchical firewall policies to associate to the organization. | object({…}) |
null |
|
| group_iam | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the iam variable. |
map(list(string)) |
{} |
|
| iam | IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) |
{} |
|
| iam_bindings_additive | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) |
{} |
|
| logging_data_access | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | map(map(list(string))) |
{} |
|
| logging_exclusions | Logging exclusions for this organization in the form {NAME -> FILTER}. | map(string) |
{} |
|
| logging_sinks | Logging sinks to create for the organization. | map(object({…})) |
{} |
|
| network_tags | Network tags by key name. If id is provided, key creation is skipped. The iam attribute behaves like the similarly named one at module level. |
map(object({…})) |
{} |
|
| org_policies | Organization policies applied to this organization keyed by policy name. | map(object({…})) |
{} |
|
| org_policies_data_path | Path containing org policies in YAML format. | string |
null |
|
| org_policy_custom_constraints | Organization policy custom constraints keyed by constraint name. | map(object({…})) |
{} |
|
| org_policy_custom_constraints_data_path | Path containing org policy custom constraints in YAML format. | string |
null |
|
| tag_bindings | Tag bindings for this organization, in key => tag value id format. | map(string) |
null |
|
| tags | Tags by key name. If id is provided, key or value creation is skipped. The iam attribute behaves like the similarly named one at module level. |
map(object({…})) |
{} |
| name | description | sensitive |
|---|---|---|
| custom_constraint_ids | Map of CUSTOM_CONSTRAINTS => ID in the organization. | |
| custom_role_id | Map of custom role IDs created in the organization. | |
| custom_roles | Map of custom roles resources created in the organization. | |
| id | Fully qualified organization id. | |
| network_tag_keys | Tag key resources. | |
| network_tag_values | Tag value resources. | |
| organization_id | Organization id dependent on module resources. | |
| sink_writer_identities | Writer identities created for each sink. | |
| tag_keys | Tag key resources. | |
| tag_values | Tag value resources. |