This Terraform module makes it easier to manage organization policies for your Google Cloud environment, particularly when you want to have exclusion rules. This module will allow you to set a top-level org policy and then disable it on individual projects or folders easily.
This module is meant for use with Terraform 0.12. If you haven't upgraded and need a Terraform 0.11.x-compatible version of this module, the last released version intended for Terraform 0.11.x is 1.0.0.
Many examples are included in the examples folder, but simple usage is as follows:
```hcl
module "org-policy" {
  source           = "terraform-google-modules/org-policy/google"
  constraint       = "constraints/serviceuser.services"
  policy_type      = "list"
  organization_id  = "123456789"
  enforce          = true
  exclude_folders  = ["folders/folder-1-id", "folders/folder-2-id"]
  exclude_projects = ["project3", "project4"]
}
```
To control the module's behavior, set the following variables:

- `constraint`: the constraint value in the form `constraints/{constraint identifier}`. For example, `constraints/serviceuser.services`.
- `policy_type`: specify either `boolean` for boolean policies or `list` for list policies (default `list`).
- Policy root: set one of the following values to determine where the policy is applied:
  - `organization_id`
  - `project_id`
  - `folder_id`
- `exclude_folders`: a list of folder IDs to be excluded from this policy. These folders must be lower in the hierarchy than the policy root.
- `exclude_projects`: a list of project IDs to be excluded from this policy. They must be lower in the hierarchy than the policy root.
- Boolean policies (with `policy_type: "boolean"`) can set the following variable:
  - `enforce`: if `true` or `null`, the policy is enforced at the root; if `false`, the policy is not enforced at the root (default `null`).
- List policies (with `policy_type: "list"`) can set one of the following variables. Only one may be set.
  - `enforce`: if `true` or `null`, the policy will deny all; if `false`, the policy will allow all (default `null`).
  - `allow`: list of values to include in the policy with ALLOW behavior. Set `enforce` to `null` to use it.
  - `deny`: list of values to include in the policy with DENY behavior. Set `enforce` to `null` to use it.
- List policies with `allow` or `deny` values require the length to be set (a workaround for this Terraform issue):
  - `allow_list_length`
  - `deny_list_length`
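The two policy shapes described above, written out as an added example that is not part of the module's README: a boolean policy enforced at the organization with one folder deliberately exempted, and a list policy that allows only named resource locations, with `enforce` left `null` so the `allow` list takes effect and `allow_list_length` matching its size. The organization, folder and project IDs are constructed placeholders; `policy_for` is included because the inputs table lists it as required.

```hcl
# Added example, not the module's own code. IDs below are placeholders.

# Boolean policy: disable user-managed service account key creation across
# the organization, except in one folder that is exempted on purpose.
# Exclusions must sit below the policy root in the resource hierarchy.
module "org_policy_disable_sa_keys" {
  source = "terraform-google-modules/org-policy/google"

  constraint  = "constraints/iam.disableServiceAccountKeyCreation"
  policy_type = "boolean"
  policy_for  = "organization"

  organization_id = "123456789"              # placeholder organization id
  enforce         = true                     # enforced at the root

  exclude_folders = ["folders/111111111111"] # placeholder folder id
}

# List policy: only the listed location groups may be used for new resources.
# enforce stays null so the ALLOW list applies instead of deny-all, and
# allow_list_length must equal the number of entries in allow.
module "org_policy_resource_locations" {
  source = "terraform-google-modules/org-policy/google"

  constraint  = "constraints/gcp.resourceLocations"
  policy_type = "list"
  policy_for  = "organization"

  organization_id = "123456789"              # placeholder organization id
  enforce         = null

  allow             = ["in:us-locations", "in:eu-locations"]
  allow_list_length = 2

  exclude_projects = ["legacy-project-id"]   # placeholder project id
}
```

After `terraform apply`, confirm the policy actually lands where intended by reading the effective policy on both an excluded and a non-excluded project, for example with `gcloud resource-manager org-policies describe constraints/iam.disableServiceAccountKeyCreation --project=PROJECT_ID --effective`; the excluded project should report the constraint as not enforced while the others report it enforced.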
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow | (Only for list constraints) List of values which should be allowed | list(string) | `<list>` | no |
| allow_list_length | The number of elements in the allow list | number | `"0"` | no |
| constraint | The constraint to be applied | string | n/a | yes |
| deny | (Only for list constraints) List of values which should be denied | list(string) | `<list>` | no |
| deny_list_length | The number of elements in the deny list | number | `"0"` | no |
| enforce | If boolean constraint, whether the policy is enforced at the root; if list constraint, whether to deny all (true) or allow all | bool | `"null"` | no |
| exclude_folders | Set of folders to exclude from the policy | set(string) | `<list>` | no |
| exclude_projects | Set of projects to exclude from the policy | set(string) | `<list>` | no |
| folder_id | The folder id for putting the policy | string | `"null"` | no |
| organization_id | The organization id for putting the policy | string | `"null"` | no |
| policy_for | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | string | n/a | yes |
| policy_type | The constraint type to work with (either 'boolean' or 'list') | string | `"list"` | no |
| project_id | The project id for putting the policy | string | `"null"` | no |
- Terraform >= 0.12.0
- terraform-provider-google >= v2.5.0

In order to execute this module, the Service Account you run as must have the Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) role.
Be sure you have the correct Terraform version (0.12.x) installed.
For a fast install, configure the variables in the `init_centos.sh` or `init_debian.sh` script and then launch it.
The script will:
- Set the environment variables
- Install base packages like wget, curl, unzip, gcloud, etc.