This Terraform module makes it easier to manage organization policies for your Google Cloud environment, particularly when you want to have exclusion rules. This module will allow you to set a top-level org policy and then disable it on individual projects or folders easily.
This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v4.0.0.
To control the module's behaviour, set the following variables:

- `boolean_type_organization_policies`: set this variable to the constraint value in the form `constraints/{constraint identifier}`, for example `constraints/serviceuser.services`.
- `policy_type`: specify either `boolean` for boolean policies or `list` for list policies (default `list`).
- `policy_for`: set one of the following values to determine where the policy is applied: `organization_id`, `project_id`, `folder_id`.
- `exclude_folders`: a list of folder IDs to be excluded from this policy. These folders must be lower in the hierarchy than the policy root.
- `exclude_projects`: a list of project IDs to be excluded from this policy. They must be lower in the hierarchy than the policy root.
- Boolean policies (with `policy_type: "boolean"`) can set the following variable:
  - `enforce`: if `true` or `null`, the policy is enforced at the root; if `false`, the policy is not enforced at the root (default `null`).
- List policies (with `policy_type: "list"`) can set one of the following variables. Only one may be set.
  - `enforce`: if `true` or `null`, the policy will deny all; if `false`, the policy will allow all (default `null`).
  - `allow`: list of values to include in the policy with ALLOW behaviour. Set `enforce` to `null` to use it.
  - `deny`: list of values to include in the policy with DENY behaviour. Set `enforce` to `null` to use it.
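The following module call is an added example and not code from this module's README; it shows the boolean-policy flow described above (enforce at the organization root, then carve out specific folders and projects) using the input names from the inputs table. The `source` path and every numeric organization, folder and project ID are constructed placeholders, and the exclusion targets are assumed to sit below the organization root as the variable descriptions require.

```hcl
# Added example: enforce the module's default boolean constraints at the
# organization root and exclude one sandbox folder and one legacy project.
# "./modules/org-policy" and all IDs below are placeholders, not real values.
module "org_boolean_policies" {
  source = "./modules/org-policy" # placeholder path; point at the real module source

  # Apply at the organization root so every folder and project inherits the policy.
  bool_policy_for = "organization"
  organization_id = "123456789012" # constructed placeholder org ID

  # Constraints are given as bare identifiers here, matching the table default;
  # use the constraints/{identifier} form if your copy of the module expects it.
  boolean_type_organization_policies = [
    "compute.skipDefaultNetworkCreation",
    "compute.requireOsLogin",
    "storage.uniformBucketLevelAccess",
    "iam.disableServiceAccountKeyCreation",
  ]

  # true (or null) enforces at the root; false would leave the root unenforced.
  enforce = true

  # Exclusions must be below the policy root. Each entry widens the attack
  # surface for that subtree (e.g. service-account key creation becomes
  # possible again), so keep this list short and reviewed.
  bool_policy_exclude_folders_id  = ["111111111111"] # constructed placeholder folder ID
  bool_policy_exclude_projects_id = ["legacy-etl-prod"] # constructed placeholder project ID
}
```

After `terraform plan`, confirm that the plan creates the root-level policies plus one override per excluded folder and project, and nothing else; an unexpected extra override is the easiest way to silently disable a guardrail for a subtree.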
Name | Description | Type | Default | Required |
---|---|---|---|---|
boolean_type_organization_policies | List of organisation Policy Constraint for implementing Boolean policy | set(string) | ["compute.skipDefaultNetworkCreation", "compute.requireOsLogin", "storage.uniformBucketLevelAccess", "iam.disableServiceAccountKeyCreation"] | no |
bool_policy_for | Resource hierarchy node to apply the Boolean policy to: can be one of organization, folder, or project. | string | n/a | yes |
bool_policy_folder_id | Set of folders to exclude from the Boolean policy | set(string) | [] | no |
organization_id | The organization id for putting the policy | string | null | no |
bool_policy_folder_id | The folder id for putting the boolean policy | string | null | no |
bool_policy_project_id | The project id for putting the boolean policy | string | null | no |
bool_policy_exclude_folders_id | Set of folders to exclude from the Boolean policy | set(string) | [] | no |
bool_policy_exclude_projects_id | Set of projects to exclude from the Boolean policy | set(string) | [] | no |
policy_for | Resource hierarchy node to apply the policy to: can be one of organization, folder, or project. | string | n/a | yes |
policy_type | The constraint type to work with (either 'boolean' or 'list') | string | "list" | no |
enforce | If boolean constraint, whether the policy is enforced at the root; if list constraint, whether to deny all (true) or allow all | bool | null | no |
vm_external_policy_folder_id | The folder id for putting the VM External policy | set(string) | [] | no |
vm_external_policy_project_id | The project id for putting the VM External policy | string | null | no |
vm_external_policy_exclude_folders_id | Set of folders to exclude from the VM External policy | set(string) | [] | no |
vm_external_policy_exclude_projects_id | Set of projects to exclude from the VM External policy | set(string) | [] | no |
vm_external_policy_folder_id | The folder id for putting the VM External policy | string | null | no |
No output.
- Terraform >= 0.13.0
- terraform-provider-google >= v2.5.0
In order to execute this module, the Service Account you run as must have the Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) role.
Be sure you have the correct Terraform version (0.12.x); you can choose the binary here:
- terraform-provider-google >= v2.5.0
For a fast install, configure the variables in the init_centos.sh or init_debian.sh script and then launch it.
The script will:
- set the environment variables
- install base packages such as wget, curl, unzip, gcloud, etc.